JP2009171132A - Data repeater, data repeating method, and data repeating program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform communications by reliably preventing the superimposition of a virtual address when virtually connecting LANs for one's home. <P>SOLUTION: An HGW (A) includes a virtual address information DB for storing virtual address information in association with the origination side and incoming side of call connection when a telephone set (A) is connected by call to the telephone set (B) of the LAN (B) for one's home through the use of a VOIP. When call connection is performed between the telephone set (A) and the telephone set (B), the virtual address information is acquired from the virtual address information DB, based on whether the origination side or the incoming side of the call connection. Then, the virtual address to be used in a network is determined based on the acquired virtual address information. Thus, the connection is attained by a virtual communication path with the LAN (B) for one's home with session established therein through the use of the determined virtual address, thereby communicably performing control. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention provides a virtual communication path between a network configured such that a telephone device and other communication devices are connected to another network via a data relay device, and a plurality of other networks configured similarly. The present invention relates to a data relay apparatus, a data relay method, and a data relay program that are communicably connected to each other.

  Conventionally, in a network such as the Internet using TCP / IP, a virtual address (private IP) has been used as a technology for converting a IP address to effectively use a limited IP address resource or constructing a firewall. Network Address Translation (NAT) technology for converting an address) and a global IP address is used.

  Specifically, in an in-house LAN of a company or the like, communication between terminals is performed using a virtual address that can be used only by the company or in-house. Needs to use a global IP address that is officially assigned to be unique throughout the world. Therefore, in a gateway (GW) device located at the boundary between the corporate LAN and the Internet, when a connection request to the Internet (for example, a WEB server) is received from a terminal connected to the corporate LAN, the virtual address is set to the global IP address. When converting to an address and connecting to the Internet, or receiving a response from the Internet after connection, the global IP address is converted to a virtual address and the response is transmitted to the requesting terminal.

  Further, recently, a technology for performing communication while maintaining high security by connecting bases such as an in-house LAN with a virtual communication path such as L3VPN (Layer 3 Virtual Private Network) has been used. When such bases are connected by L3VPN, the virtual address space is often used so that the network address spaces of each other may overlap. In this case, the virtual address space of the other party is known in advance. Otherwise, address translation and communication cannot be performed. That is, when bases that perform L3VPN connection use the same virtual address, there may be a terminal having the same IP address at each base, and an event in which communication cannot be performed occurs. For this reason, a method of performing communication using a virtual IP address different from the global IP address is used.

  In the case of connection between such general in-house LANs, a network administrator in advance uses VPN-NAT, static NAT, etc. in order to avoid overlapping virtual addresses and to know the virtual address space of the connection destination. By performing the setting, communication between in-house LANs can be performed. However, when connecting an in-home LAN, which has been increasing recently, to an ad hoc network using L3VPN as described above, it is assumed that an unspecified number of people are connected like a telephone connection. It is physically impossible to know the space, and there are many people who are not familiar with the network like network administrators, so it is impossible to set VPN-NAT or static NAT in advance. Therefore, although the L3VPN connection is made, there is a problem that the virtual addresses are duplicated and communication is impossible.

  Therefore, various techniques for preventing duplication of virtual addresses when connecting L3VPN between home LANs are disclosed. For example, Non-Patent Document 1 discloses a technique for performing communication by using a specific address space different from a predetermined virtual address in the case of one-to-one connection. Non-Patent Document 2 discloses a technique for performing communication between home LANs by assigning a virtual IP address to each device on each LAN from a DHCP server based on VOIP communication.

Arthur Harvey et al., “Peer-to-Peer Interconnection of Home Network”, Proceedings of the CCNC 07, 2007 Sabae et al. “Teleshare: Access control with call metaphor”, IEICE General Conference Proceedings pp113, 2005

  However, the above-described conventional technique has a problem that, when L3VPN is connected between home LANs, duplication of virtual addresses cannot be reliably prevented and communication may not be possible.

  Specifically, since Non-Patent Document 1 uses a predetermined specific address, when connecting home LANs to each other one-to-N or N-to-N, virtual addresses themselves are duplicated. In addition, there may be an event that the routing is not successful and communication cannot be performed. Non-Patent Document 2 is a technique for assigning virtual IP addresses to devices on each other's LAN from a DHCP server based on VOIP communication. When a virtual address and a real address overlap each other, An event that cannot be performed occurs.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and it is possible to reliably prevent duplication of virtual addresses when connecting home LANs virtually. It is an object to provide a data relay device, a data relay method, and a data relay program that are possible.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is configured similarly to a network configured such that a plurality of communication devices are connected to another network via a data relay device. The data relay device that connects the plurality of other networks that are communicable with each other, the session established between the data relay device and another data relay device connected to another network A virtual address information storage unit that stores virtual address information necessary to determine a virtual address to be used in the network in association with the calling side and the called side, and between the data relay device and another data relay device When the session is established, the virtual address information is recorded on the basis of whether the session is the originating side or the terminating side. The session is established using a virtual address determination unit that determines a virtual address to be used in the network based on the acquired virtual address information, and a virtual address determined by the virtual address determination unit. And a connection control unit configured to connect the other network to which the other data relay apparatus is connected and the network through a virtual communication path so as to enable communication.

  Further, in the invention according to claim 2, in the above invention, the virtual address information includes the calling side and the destination to avoid duplication and conflict of virtual addresses used in the network and other networks. The virtual address determination method on each side is ruled.

  According to a third aspect of the present invention, in the above invention, the virtual address determination means is configured to enable the other data relay device when the session is established between the data relay device and another data relay device. A virtual address or a range of virtual addresses desired to be used with each other is exchanged as virtual address information, and a virtual address that matches each other's conditions is determined.

  According to a fourth aspect of the present invention, in the above invention, the virtual address determination means is used in the other network when a session is established between the data relay device and another data relay device. Receiving a virtual address or a range of virtual addresses desired from another data relay apparatus, and determining a virtual address to be used in the network so as not to overlap with the received virtual address or virtual address range .

  Further, in the invention according to claim 5, in the above invention, the virtual address determining means determines the virtual address when determining the virtual address when there is another network that is already communicably connected. The virtual address is determined so as not to overlap with a virtual address or a range of virtual addresses used with the other network.

  Further, in the invention according to claim 6, in the above invention, the virtual address determination means can already communicate a virtual address or a virtual address range used in another network received from the other data relay apparatus. If it matches a virtual address or a range of virtual addresses used in another network connected to the network, the connection with the data relay device connected to the other network is rejected, and again the virtual address Or a range of virtual addresses is requested to another data relay device.

  The invention according to claim 7 is the above invention, wherein the data relay device establishes a session with the other data relay device using SIP, and the virtual address determining means includes When establishing a session with the other data relay apparatus, the virtual address information used in the network is added to the SDP information in the SIP and transmitted to the other data relay apparatus. The virtual address used in the network is determined as a result of the negotiation for receiving the SDP information to which the virtual address information used in is added from the other data relay device.

  The invention according to claim 8 is the above invention, wherein the data relay device establishes a session with the other data relay device using SIP, and the virtual address determining means includes , When establishing a session with the other data relay device, send SDP information or TAG information in SIP to which parameters necessary for determining a virtual address used in the network are added to the other data relay device, Receive SDP information or TAG information to which a parameter related to virtual address information determined based on the transmitted parameter is added from another data relay device, and determine a virtual address to be used in the network based on the received parameter It is characterized by doing.

  The invention according to claim 9 is the above invention, wherein the data relay device establishes a session with the other data relay device using SIP, and the virtual address determining means includes When establishing a session with the other data relay device, a Call-ID in SIP to which a parameter indicating a virtual address used in the network is added is transmitted to the other data relay device. The virtual address to be used is determined.

  According to the tenth aspect of the present invention, a network configured such that a plurality of communication devices are connected to another network via a data relay device and a plurality of other networks configured similarly are mutually connected. A data relay method suitable for the data relay device connected so as to be communicable, wherein the originating side and the terminating side of a session established between the data relay device and another data relay device connected to another network A session is established between virtual address information storage means for storing virtual address information necessary for determining a virtual address to be used in the network in association with the data relay device and another data relay device The virtual address information is retrieved from the virtual address information storage means based on whether the session is the originating side or the terminating side. A virtual address determination step for determining a virtual address to be used in the network based on the acquired virtual address information, and the session is established using the virtual address determined by the virtual address determination step And a connection control step of controlling the other network to which the data relay apparatus is connected and the network through a virtual communication path so as to be communicable.

  According to an eleventh aspect of the present invention, a network configured such that a plurality of communication devices are connected to another network via a data relay device and a plurality of other networks configured similarly are mutually connected. A data relay program to be executed by a computer as the data relay device to be communicably connected, and a session originator established between the data relay device and another data relay device connected to another network A virtual address information storage means for storing virtual address information necessary for determining a virtual address to be used in the network in association with the called side, and a session between the data relay device and another data relay device Is established, the virtual address information is determined based on whether the session is the originating side or the terminating side. Virtual address determination procedure for determining a virtual address to be used in the network based on the acquired virtual address information acquired from the virtual address information storage means, and using the virtual address determined by the virtual address determination procedure, A computer is caused to execute a connection control procedure for controlling communication by connecting another network to which another data relay apparatus with which a session is established is connected and the network through a virtual communication path. And

  According to the first, tenth, and eleventh aspects of the present invention, the network is associated with the originating side and the terminating side of the session established between the data relay device and another data relay device connected to another network. Stores virtual address information necessary to determine the virtual address to be used, and when a session is established between the data relay device and another data relay device, it is the originating side or called side of the session The virtual address information is acquired from the virtual address information storage means, the virtual address or the range of virtual addresses used in the network is determined based on the acquired virtual address information, and the determined virtual address Or, using a range of virtual addresses, the network can be connected to other networks to which other data relay devices with established sessions are connected. Since communicatively controlled by connecting a virtual communication path and click, when to connect the home LAN each other virtually, it is possible to communicate reliably prevent duplication of virtual addresses.

  For example, the data relay device can use virtual address information determined in association with the caller side or the callee side in the telephone call connection, so that even if the home LANs are connected by VPN, It is possible to perform communication while reliably preventing duplication of addresses.

  According to the second aspect of the present invention, the virtual address information is a virtual address determination on each of the calling side and the called side in order to avoid duplication and conflict of virtual addresses used in the network and other networks. Since the method is ruled, users can arbitrarily create rules so that virtual addresses such as usage and usage do not overlap. As a result, it is possible to flexibly respond to user preferences. Is possible. Further, as a result of being able to arbitrarily set a rule that can be applied only to users who are familiar with each other in advance, security can be enhanced.

  According to the invention of claim 3, when a session is established between the data relay device and another data relay device, the virtual addresses desired to use each other with the other data relay device Alternatively, the virtual address range is exchanged and the virtual address that matches each other's conditions is determined, so the virtual address information of the local network and the virtual address information of the connection destination are exchanged and overlapped with the virtual address information being connected. As a result, it is possible to reliably prevent duplication of virtual addresses even when N-to-N connection is made.

  According to the invention of claim 4, when a session is established between a data relay device and another data relay device, a virtual address or a range of virtual addresses desired to be used in another network is changed to another Since the virtual address used in the network is determined so as not to overlap with the received virtual address or the range of virtual addresses received from the data relay device, even when N-to-N VPN connections are made As a result of confirming the virtual address notified by the call connection destination side, it is possible to firmly prevent duplication of virtual addresses.

  According to the invention of claim 5, when there is another network that is already communicably connected, the virtual address used with the other network when determining the virtual address Or, since the virtual address is determined so as not to overlap with the range of the virtual address, even when connecting simultaneously with a plurality of networks, it is possible to select and use virtual addresses that do not overlap. It is possible to connect.

  According to the invention of claim 6, a virtual address or a range of virtual addresses used in another network received from another data relay apparatus is used in another network that is already connected to be communicable. If it matches the virtual address or the virtual address range, the connection with the data relay device connected to the other network is rejected, and the virtual address or the virtual address range is requested to the other data relay device again. Therefore, as a result of performing the trial and error, it is possible to avoid duplication more firmly.

  According to the invention of claim 7, when establishing a session with another data relay device, the virtual address information used in the network is added to the SDP information in SIP to the other data relay device. As a result of negotiation to transmit and receive SDP information to which virtual address information used in another network is added from another data relay device, a virtual address to be used in the network is determined. Even if it is communication, the virtual address information of the local network and the virtual address information of the connection destination can be exchanged, and it can be determined whether or not the virtual address information being connected does not overlap. It is possible to communicate while reliably preventing duplication of virtual addresses.

  According to the invention of claim 8, when establishing a session with another data relay device, SDP information or TAG information in SIP to which a parameter necessary for determining a virtual address used in the network is added. The SDP information or the TAG information to which the parameter related to the virtual address information determined based on the transmitted parameter is added is received from the other data relay device, and based on the received parameter. Since the virtual address to be used in the network is determined, even if multiple SDP information and TAG information are received after receiving multiple incoming calls, the SDP information and TAG information sent by the user are selected so as not to overlap. As a result, it is possible to firmly prevent duplication of virtual addresses and connect to enable communication. Bets are possible.

  According to the invention of claim 9, when establishing a session with another data relay apparatus, the Call-ID in SIP to which a parameter indicating a virtual address used in the network is added is transferred to another data relay. Since the virtual address used in the network is determined by sending to the device, the virtual address information determined by the device itself can be notified to the connection destination. Is possible.

  Exemplary embodiments of a data relay device, a data relay method, and a data relay program according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, the main terms used in the present embodiment, the outline and features of the HGW indicating the data relay apparatus according to the present embodiment, the configuration of the HGW and the flow of processing will be described in order, and finally various types of the present embodiment will be described. A modification will be described.

[Explanation of terms]
First, main terms used in this embodiment will be described. The network system used in this embodiment includes a home LAN (A) configured such that a telephone (A) and other devices are connected to another network via the HGW (A), a telephone (B), and Another device is configured by a home LAN (B) configured to be connected to another network via the HGW (B).

  In addition to the above-described “telephone”, there are information home appliances such as “PC (Personal Computer)” and “WebTV” as devices configured in each home LAN (home network). The “telephone (A)” and “telephone (B)” are telephones that have a numeric keypad such as an analog telephone or a VoIP telephone and specify a destination by a dial signal to establish a call connection. “WebTV” is a television that can use the Internet, and can watch the WWW (World Wide Web) and send and receive e-mails while watching the television. "PC" is a commonly used home computer that creates documents such as documents and diagrams, and connects to the Internet via HGW to download music and movies and access search sites It can be performed. These devices are merely examples. In addition to the information home appliances described above, various devices connected using protocols such as DLNA (Digital Living Network Alliance) and UPnP (Universal Plug and Play), which are home appliance standardization technologies, are used. There is a device.

  In addition, “HGW (A)” and “HGW (B)” used in this embodiment are devices that connect an external network such as a home LAN and the Internet so as to be able to communicate with each other. Etc. to interconnect information appliances. Specifically, it is disposed between the Internet and the home LAN, and includes a set-top box such as a home router, protocol conversion, firewall, firewall rule dynamic change function, and broadcast reception function. For example, a request transmitted from a WebTV installed in a home LAN, and a request for requesting information regarding a service provided to WebTV from an HDD or a PC installed in the home LAN is received. An Internet connection request is received from a WebTV installed in the internal LAN, NAT conversion is performed, and the request is transmitted to the Internet network.

  “HGW (A)” and “HGW (B)” are functions for connecting a home LAN telephone line and an external public switched telephone network PSTN network (Public Switch Telephone Networks), VoIP- In addition to having a function as a GW (Vice Over Internet Protocol-Gateway), it has an IP telephone adapter and connects a home LAN to an external VoIP network. Specifically, “HGW (A)” and “HGW (B)” receive dial numbers from IP telephones (telephone (A) and telephone (B)) connected to the home LAN, Connect to an IP phone connected to an external VoIP network. The IP telephone adapter does not necessarily have to be built in the HGW, and may be connected to the home LAN as another device.

  “HGW (A)” and “HGW (B)” correspond to the “data relay device” described in the claims, respectively. “Telephone (A)” and “Telephone (B)” This corresponds to the “communication device” recited in the claims. However, in the present embodiment, a case where a call is made from “telephone (A)” to “telephone (B)” will be described, but the present invention is not limited to this, and “telephone (B)” to “telephone” (A) "may be sent. In the present embodiment, a case where the home LAN (A) and the home LAN (B) are connected to the VOIP network will be described. However, the present invention is not limited to this, and is configured similarly. Other home LANs such as a home LAN (C) and a home LAN (D) may be connected to the VOIP network.

  Also, in this embodiment, a case will be described in which a HGW connects a VPN, which is a virtual communication path, after establishing a session between telephones connected to a home LAN. However, the present invention is not limited to this. For example, after a session between HGWs is established by another application connected to the home LAN, an external application not connected to the home LAN, an application inside the HGW, or the like, the HGWs become virtual. A VPN, which is a typical communication path, can also be connected. That is, when the HGWs connect the VPNs, it is not always necessary to establish a session between the telephones, and it is sufficient that the home LANs establish a session by some method.

[Overview and features of HGW]
Next, the outline and characteristics of a system including an HGW (Home GateWay) according to the first embodiment will be described with reference to FIG. FIG. 1 is a system configuration diagram illustrating an overall configuration of a system including an HGW according to the first embodiment.

  This system is similar to a home LAN (A) composed of a telephone (A) and an HGW (A) in which a network (private IP) address “192.168.1.0/24” is set, as well as a network (private It is composed of a telephone (B) in which an IP) address “192.168.1.0/24” is set and a home LAN (B) composed of HGW (B) and the like.

  In such a configuration, as described above, the HGW is configured such that the telephone (A) and other communication devices are connected to the other home LAN via the HGW (A). A) and a similarly configured home LAN (B) are connected to each other so that they can communicate with each other. In particular, when a home LAN is virtually connected, a virtual address is used. The main feature is that communication can be performed while reliably preventing duplication.

  This main feature will be described in detail. Each HGW is associated with the originating side and the terminating side of a session established between the data relay device and another data relay device connected to another network. Is provided with a virtual address information DB for storing virtual address information necessary for determining a virtual address to be used. To give a specific example, the HGW (A) has “departure / arrival” indicating “calling side or arrival side” and “virtual address information” indicating network information of a virtual address to be used ”as“ originating side, 192.168. It includes a virtual address information DB that stores “100.0 / 24” and “destination, 192.168.200.0/24”. Note that the HGW (B) also includes a virtual address information DB.

  Further, the virtual address information DB stores a rule for the virtual address determination method on each of the calling side and the called side in order to avoid duplication and conflict of virtual addresses used in the network and other networks. You may do it. For example, the virtual address information DB may store rules for determining a virtual address, such as “calling side, third octet is 100”, “destination side, third octet of calling side virtual address + 1”, and the like. Good.

  In such a state, when a session is established between the data relay device and another data relay device, the HGW determines whether the virtual address is based on whether the session is the originating side or the terminating side. Information is acquired from the virtual address information DB, and a virtual address to be used in the network is determined based on the acquired virtual address information (see (1) to (3) in FIG. 1).

  As a specific example, a telephone call request is transmitted from the telephone (A) to the telephone (B) via the HGW (A), and the telephone (B) calls the telephone (A) via the HGW (B). When the authorization response is transmitted, a session is established between the telephone set (A) and the telephone set (B). In other words, a session is established between HGW (A) and HGW (B).

  In this case, the HGW (A) in the home LAN (A) to which the telephone (A) that is the call connection originator is connected is the phone call originator of the call connection, that is, the session establishment originator. And “192.168.100.1/24” stored in association with “originating side” is acquired from the virtual address information DB and determined as virtual address information used in the network. Similarly, the HGW (B) in the home LAN (B) to which the telephone (B) that is the call connection destination is connected is the phone call (B) call connection destination, that is, the session establishment destination. And “192.168.200.1/24” stored in association with “destination” is acquired from the virtual address information DB and determined as virtual address information used in the network.

  Then, the HGW uses the determined virtual address information to control communication so that another network to which another data relay apparatus with which a session is established is connected is connected to the network through a virtual communication path. (Refer to (4) and (5) in FIG. 1). Specifically, in the above example, the HGW (A) establishes a session between the HGW (A) and the HGW (B), and converts the virtual address information used in the home LAN (A) to “192.168. If it is determined that “100.0 / 24”, a VPN connection request is transmitted to the HGW (B). In the HGW (B), a session is established between the HGW (A) and the HGW (B) as in the HGW (A), and virtual address information used in the home LAN (B) is set to “192.168. If it is determined as “200.0 / 24”, a permission response is transmitted as a response to the VPN connection request received from the HGW (A). In this way, a VPN, which is a virtual network, is connected between HGW (A) and HGW (B), that is, between home LAN (A) and home LAN (B).

  The HGW (A) and the HGW (B) perform NAT conversion on various requests received from devices connected to the respective home LANs, and communicate with the connected home LANs. .

  Specifically, “IP address: 192.168.200.10” which is a virtual address of a Web server connected to the home LAN (B) from the PC “IP address: 192.168.1.10” connected to the home LAN (A). When the access request is transmitted to the HGW (A), the HGW (A) accepts the access request having the transmission source IP address “192.168.1.10” and the transmission destination IP address “192.168.200.10”. Therefore, since the PC and the Web server cannot communicate with each other as it is, the HGW (A) uses the determined virtual address information “192.168.100.0/24” to set the transmission source IP address to “192.168.1.10”. "To" 192.168.100.10 "and send an access request.

Subsequently, the HGW (B) converts the destination IP address “192.168.200.10” of the received access request to “192.168.1.10” in the same manner as the HGW (A), and “192.168.1.10” is changed to “192.168.1.10”. An access request is transmitted to the assigned Web server. Thereafter, upon receiving an access response of the transmission source IP address “192.168.1.10” and the transmission destination IP address “192.168.100.10” from the Web server, the HGW (B) sets the transmission source IP address of the received access response to “192.168. 1.10 ”is converted to“ 192.168.200.10 ”and transmitted to HGW (A). Then, the HGW (A) that received the access response of the transmission source IP address “192.168.200.10” and the transmission destination IP address “192.168.100.10” changes the transmission destination IP address from “192.168.100.10” to “192.168.1.10”. After conversion, an access response is transmitted to the PC to which “192.168.1.10” is assigned.

  As described above, the HGW according to the first embodiment can perform NAT conversion using predetermined virtual address information. As a result, the HGW according to the first embodiment ensures that virtual addresses are not duplicated when connecting home LANs. It is possible to prevent and connect.

[Configuration of HGW]
Next, the configuration of the HGW shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating the configuration of the HGW according to the first embodiment. As shown in FIG. 2, the HGW (A) 10 includes an internal I / F unit 11, an external I / F unit 12, a storage unit 20, and a control unit 30, and the HGW (B) 40 is similarly internal. An I / F unit 41, an external I / F unit 42, a storage unit 50, and a control unit 60 are included. Note that the HGW (A) and the HGW (B) shown in FIG. 2 have the same configuration, and therefore only the HGW (A) will be described here.

  The internal I / F unit 11 controls communication with various devices connected to the home LAN (A). As a specific example, the internal I / F unit 11 accepts a telephone call using VOIP from the telephone (A) to the telephone (B), or from the PC to the web server of the home LAN (B). An access request is accepted, a connection response transmitted from the telephone (B) accepted by the external I / F unit 12 is transmitted to the telephone (A), or transmitted from a Web server accepted by the external I / F unit 12 An access response to the access request is transmitted to the PC.

  The external I / F unit 12 controls communication with another network different from the home LAN (A). For example, the external I / F unit 12 receives a connection response transmitted from the telephone (B), receives an access response to an access request received from a Web server, or receives an internal I / F. A telephone call using VOIP from the telephone set (A) received by the unit 11 to the telephone set (B) is transmitted to the telephone set (B), or the home LAN (B ) Is transmitted to the Web server, or a virtual communication path is generated with the HGW (B) 40.

  The storage unit 20 stores routing information and programs necessary for various processes performed by the control unit 30, and includes a virtual address information DB 21 particularly closely related to the present invention.

  The virtual address information DB 21 is associated with the originating side and the terminating side of the session established between the HGW (A) 10 and the HGW (B) 40 connected to the home LAN (B) which is another network. The virtual address information necessary for selecting the virtual addresses used in the network so as not to overlap each other is stored. To give a specific example, the virtual address information DB 21, as shown in FIG. 3, ““ departure / departure ”indicating whether the caller is the caller or callee and“ virtual address information ”indicating the network information of the virtual address to be used” As “calling side, 192.168.100.0/24” and “destination side, 192.168.200.0/24” are stored.

  Further, the virtual address information DB 21 does not need to store the virtual address itself used, but stores a rule as virtual address information necessary for selecting the virtual addresses used in the network so as not to overlap each other. May be. For example, the virtual address information DB 21 may store a rule for determining a virtual address, such as “calling side, third octet is 100”, “calling side, third octet of calling side virtual address + 1”, and the like. Good. Note that information including various data and parameters can be arbitrarily changed unless otherwise specified. FIG. 3 is a diagram illustrating an example of information stored in the virtual address information DB.

  The control unit 30 includes an internal memory for storing a control program such as an OS (Operating System), a program that defines various processing procedures such as routing control based on routing information stored in the virtual address information DB 21, and required data. In addition, the virtual address determination unit 31, the VPN connection unit 32, and the NAT conversion unit 33 are provided, which are particularly closely related to the present invention.

  When a session is established between the HGW (A) 10 and the HGW (B) 40, the virtual address determination unit 41 determines whether the virtual address is based on whether the session is the originating side or the terminating side. Information is acquired from the virtual address information DB and determined as virtual address information used in the network. Specifically, in the above-described example, a telephone call request is transmitted from the telephone (A) to the telephone (B) via the HGW (A) 10, and the telephone (B) transmits the telephone (B) via the HGW (B) 40. When a call permission response is transmitted to A), the telephone set (A) and the telephone set (B) are connected for a call. In that case, the virtual address determination unit 31 determines that the telephone (A) is the calling side of the call connection, and stores “192.168.100.0/24” stored in association with the “calling side” from the virtual address information DB 21. Obtained and determined as virtual address information used in the network. Similarly, the HGW (B) 40 in the home LAN (B) to which the telephone (B) that is the call connection destination is connected determines that the telephone (B) is the call connection destination and “ “192.168.200.0/24” stored in association with “destination” is acquired from the virtual address information DB 51 and determined as virtual address information used in the network.

  In addition, the private IP address of the home LAN (A) is “192.168.1.0/24” and the private IP address of the home LAN (B) is “192.168.1.0/24”. , The third octet is 100 ”,“ the third octet of the called side and the outgoing side is +1 ”, etc., and the rules for determining the virtual address are stored. A case will be described as an example. In this case, the virtual address determination unit 31 determines that the telephone set (A) is the calling side of the call connection as described above, and stores “third octet” stored in the virtual address information DB 21 in association with “calling side”. Based on “100”, the virtual address information used in the network is determined as “192.168.100.0/24” with the third octet of the private IP address “192.168.1.0/24” set to 100. Similarly, the virtual address determination unit 61 of the HGW (B) 40 in the home LAN (B) to which the telephone (B) that is the call connection destination is connected is configured such that the telephone (B) is the call connection destination. It is determined that the virtual address information used in the network is “192.168.101.0/24” based on “third octet of the calling party + 1” stored in the virtual address information DB 51 in association with “destination”. Determine as.

  The VPN connection unit 32 uses the virtual address information determined by the virtual address determination unit 31 to connect the home LAN (B) and the home LAN (A) to which the HGW (B) 40 with which the session is established is connected. Are connected to each other via a virtual communication path and controlled to be communicable. Specifically, in the above example, the VPN connection unit 32 uses the virtual address information “192.168.100.1/24” determined by the virtual address determination unit 31 to connect the home LAN (A) and the home LAN (B ) Is connected to the VPN, which is a virtual communication path, and the firewall and routing settings are changed along with the VPN connection.

  The NAT conversion unit 33 performs NAT conversion based on various settings and VPNs set by the VPN connection unit 32 and controls communication between the home LAN (B) and the home LAN (A). Specifically, in the above example, the PC “IP address: 192.168.200.10” connected to the home LAN (B) from the PC “IP address: 192.168.1.10” connected to the home LAN (A). When the access request is transmitted, the NAT conversion unit 33 accepts an access request whose source IP address is “192.168.1.10” and whose destination IP address is “192.168.200.10”. Therefore, since the PC and the Web server cannot communicate with each other as they are, the NAT conversion unit 33 sets the transmission source IP address from “192.168.1.10” based on various settings set by the VPN connection unit 32. Send an access request with “192.168.100.10”. Further, the HGW (B) 40 converts the transmission destination IP address from “192.168.200.10” to “192.168.1.10” and transfers the access request to the Web server.

  Here, an example of NAT conversion will be described with a part extracted. For example, in the HGW (A) 10, “iptable -t nat 1 -i tun0 -A PREROUTING -d 192.168.100.0/24 -j NETMAP --to 192.168.1.0/24”, “iptable” -t nat 1 -i tun0 -A PREROUTING -s 192.168.1.0/24 -j NETMAP --to 192.168.100.0/24 "

  Similarly, in the HGW (B) 40, as the setting for performing NAT conversion, “iptable -t nat 1 -i tun0 -A PREROUTING -d 192.168.200.0/24 -j NETMAP --to 192.168.1.0/24”, "Iptable -t nat 1 -i tun0 -A PREROUTING -s 192.168.1.0/24 -j NETMAP --to 192.168.200.0/24"

[Processing by HGW]
Next, the processing by the HGW will be described using FIG. 4 and FIG. FIG. 4 is a flowchart showing a flow of VPN connection processing in the HGW according to the first embodiment, and FIG. 5 is a flowchart showing a flow of communication control processing in the HGW according to the first embodiment. Since the flow of processing executed by the HGW (A) 10 and the HGW (B) 40 is the same, here, the HGW (A) 10 will be described as an example.

(Flow of VPN connection processing)
As shown in FIG. 4, when a VOIP session between the HGW (A) 10 and the HGW (B) 40 is established (Yes at Step S101), the virtual address determination unit 31 of the HGW (A) 10 In other words, it is determined whether the home LAN (A) is the calling side or the called side (step S102).

  When it is determined that the home LAN (A) is the calling side (Yes at Step S102), the virtual address determination unit 31 acquires the calling side virtual address information from the virtual address information DB 21, and the home LAN The virtual address information used in (A) is determined (step S103).

  On the other hand, when it is determined that the home LAN (A) is the called side (No at Step S102), the virtual address determining unit 31 acquires the called side virtual address information from the virtual address information DB 21, and the home LAN The virtual address information used in (A) is determined (step S104).

  Then, the VPN connection unit 32 uses the virtual address information determined by the virtual address determination unit 31 to connect the VPN to the HGW (B) 40, in other words, the home LAN (B) (step S105). ).

(Flow of communication control processing)
As shown in FIG. 5, a VPN is connected between the HGW (A) 10 and the HGW (B) 40 (in other words, between the home LAN (A) and the home LAN (B)), and the home When various requests from other devices connected to the internal LAN (A) are received by the internal I / F unit 11 (Yes in step S201), the NAT conversion unit 33 sets various settings set by the VPN connection unit 32. Based on the NAT conversion (step S202), various requests are transmitted to the destination HGW (B) 40 via the external I / F unit 12 (step S203).

  Thereafter, when a response is received by the external I / F unit 12 from the device that is the transmission destination of various requests (Yes in step S204), the NAT conversion unit 33 performs NAT based on the various settings set by the VPN connection unit 32. The conversion is performed (step S205), and a response is transmitted to the apparatus that is a request transmission destination (response destination) via the internal I / F unit 11 (step S206).

[Effects of Example 1]
Thus, according to the first embodiment, the HGW (A) 10 is the originator of the session established between the HGW (A) 10 and the HGW (B) 40 connected to the home LAN (B). And a virtual address information DB 21 for storing virtual address information necessary for determining a virtual address to be used in the home LAN (A) in association with the callee side, and includes HGW (A) 10 and HGW (B) 40. When the session is established between the virtual address information and the virtual address information DB 21 based on whether the session is the originating side or the terminating side, and based on the acquired virtual address information A virtual address to be used in the home LAN (A) is determined, and the home LAN (B) to which the HGW (B) 40 to which the session is established is connected is determined using the determined virtual address. And the home LAN (A) are connected to each other via a virtual communication path so that they can communicate with each other. Therefore, when the home LANs are virtually connected to each other, it is possible to reliably prevent duplication of virtual addresses. It is possible.

  Specifically, the HGW (A) 10 can use virtual address information determined in association with the calling side or called side in establishing a session by VOIP, and as a result, the home LANs are connected by VPN. Even so, it is possible to reliably prevent duplication of virtual addresses.

  Further, according to the first embodiment, the virtual address information is a virtual address determination method on each of the calling side and the called side in order to avoid duplication and conflict of virtual addresses used in the network and other networks. Since it is a rule, it can be arbitrarily ruled between users so that virtual addresses such as usage forms and uses do not overlap. As a result, it is possible to flexibly respond to user preferences. is there. Further, as a result of being able to arbitrarily set a rule that can be applied only to users who are familiar with each other in advance, security can be enhanced.

  By the way, even if it is a case where HGW is SIP-connected, this invention can determine a virtual address and can connect home LANs similarly.

  Thus, in the second embodiment, an example will be described in which, when the HGWs are connected by SIP, a virtual address used in each home LAN is determined and the home LANs are connected to each other. In the second embodiment, a case where a virtual communication path using IPsec (IP Security Protocol) is connected using IKE (Internet Key Exchange) which is an Internet key exchange protocol will be described.

  First, a processing sequence showing a flow of processing of an IPsec connection using establishment of a SIP session will be described with reference to FIG. FIG. 6 is a sequence diagram showing the flow of SIP connection processing using IKE. Here, it is assumed that the telephone number “0422-59-2222” is set for the telephone (A), and the telephone number “0422-59-1111” is set for the telephone (B). Further, the SIP server is a device that connects the telephone (A) and the telephone (B) via SIP through the respective HGWs. Like the HGW (A) 10 and the HGW (B) 40, FIG. Connected to the indicated network.

(Processing sequence)
As shown in FIG. 6, the HGW (A) 10 sends a “REGISTER” message to the SIP server via the SE (service edge). Similarly, the HGW (B) 40 also sends a “REGISTER” message to the SE. (Steps S301 and S302).

  Thereafter, when a telephone number is input from the telephone (A), the HGW (A) 10 transmits a “SIP INVITE” message to the SIP server via the SE (steps S303 and S304), and the SIP server The “SIP INVITE” message is transferred to the HGW (B) 40 via the SE (step S305).

  The HGW (B) 40 that has received the transferred “SIP INVITE” message identifies the other party by notifying the caller number, and permits connection from the other party by telephone operation or the like in advance or at every connection. A notification to that effect is received from the telephone (B), a “200 OK” message is transmitted to the SIP server via the SE (steps S306 and S307), and the SIP server that has received the “200 OK” message receives the received “ The “200 OK” message is transferred to the HGW (A) 10 (step S308).

  Then, the SIP server secures resources such as the bandwidth of the network (or VOIP network) in the SIP server and sets packet filtering (step S309), and the HGW (A) 10 performs, for example, the processing described above. The VPN connection is started to the connection partner exchanged in the flow or in advance by SDP (Session Description Protocol) or the like (step S310), and the HGW (B) 40 is connected to the connection partner exchanged by SDP or the like. On the other hand, standby for VPN is started (step S311).

  In this way, when the VPN connection with the HGW (B) 40 is started (step S312), the HGW (A) 10 sets the destination port number to “4500” and maintains the IPsec security architecture as it is as the key exchange protocol. An “IKE_SA_INIT” message that is an “IKEv2 (Internet Key Exchange version 2) request” that is an extension of IKEv1 is transmitted to the HGW (B) 40 via the SIP server (step S313). Note that IKEv2 is not necessary, and IKEv1 may be used.

  Then, the HGW (B) 40 responds to the HGW (A) 10 via the SIP server with an “IKE_SA_INIT” message that is an “IKEv2 response” as a response corresponding to this request (step S314). After that, the IKE and UDP-encapsulated ESP packet uses UDP No. 4500 declared in the SDP, and is therefore a communication control countermeasure in the network.

  After that, the HGW (A) 10 that has received the response transmits an “IKE_AUTH” message that is an “IKEv2 request” to the HGW (B) 40 via the SIP server (step S315), and the HGW (B) 40 Certificate-based partner authentication using the telephone number as an ID is performed (step S316), and as a result, an “IKE_AUTH” message that is an “IKEv2 response” is transmitted to the HGW (A) 10 via the SIP server (step S316). S317).

  Then, the HGW (A) 10 that has received the response performs certificate-based partner authentication using the telephone number as the ID (step S318). The authentication described in step S316 and step S318 is an authentication method for determining whether or not the telephone number described in the received certificate matches the telephone number of the connection destination. The authentication method is not limited to the above, and other known authentication methods may be used.

  Thereafter, NAT setting is performed in each of the HGW (A) 10 and the HGW (B) 40 (Step S319 and Step S320), and between the home LAN (A) and the home LAN (B) Then, a virtual communication path using IPsec exchanged by the UDP-encapsulated ESP packet (UDP 4500) is connected (step S321).

(Virtual address information determination method)
Next, a method for determining virtual address information in “Step S315: Message 5” and “Step S317: Message 6” in the above VPN connection processing sequence will be described. Specifically, the HGW (A) 10 transmits virtual address information used in the home LAN (A) to the home LAN (B) and receives the home LAN (B) received from the home LAN (B). As a result of the negotiation based on the virtual address information used in (1), a virtual subnet is determined as virtual address information used in the home LAN (A). That is, the HGW (A) 10 and the HGW (B) 40 determine a virtual subnet as virtual address information used in the home LAN based on the result of negotiation in the Traffic Selector exchange in IKEv2.

  The normal method of using the traffic selector is to send an address range as its own subnet information transferred by the initiator (transmission side: HGW (A) 10 in this example), and responder (reception side: HGW (B) 40 in this example). ) Selects and returns a part or all of the subnets from the list, and sends back its own subnet information. At this time, if subnets overlap, the same address is exchanged with each other. As a result, routing is not executed, and communication does not succeed even if Traffic Selector is used. Here, the initiator determines a part of the subnet space, and the Responder determines the remaining part, thereby determining a subnet space that does not overlap with subnets used by other VPNs in use with each other. it can. At that time, in order to determine whether or not there is address batting, two “TSi” are entered in step S315 and step S317.

  For example, the HGW (A) 10 as an initiator selects the upper 4 bits “1111”, that is, “11110000 (240 in decimal number)” so as not to overlap with the virtual subnet being used in another VPN connection. In step S315, "192.168.0.0-192.168.0.255" is displayed as the "TSi message" indicating its own real subnet for address batting determination, and "129.60." Is displayed as the "TSi message" indicating the upper 4 bits of the proposed virtual subnet. In addition to “240.0-129.60.255.255”, “0.0.0.0-255.255.255.255” is transmitted to the HGW (B) 40 as a “TSr message” indicating the subnet space on the Responder side.

  Then, the Responder HGW (B) 40 that has received these messages confirms that it is batting with its own subnet, performs virtual subnet exchange, that is, does not overlap with subnets used in other VPN connections. After confirming this, “0000” and “0001”, that is, “11110000 (240 in decimal number)” and “11110001 (241 in decimal number)” are selected as the lower 4 bits. The HGW (B) 40 then sets “129.60.240.0-129.60.240.255” as the “TSi message” indicating the determined initiator virtual subnet and “129.60” as the “TSr message” indicating the determined Responder virtual subnet. .241.0-129.60.241.255 "is transmitted to the HGW (A) 10.

  Then, if the HGW (A) 10 selects the first 4 bits that do not overlap with the upper 4 bits of the other VPN connections that it has, it will not overlap with the Responder address. Also, in the HGW (A) 10 and the HGW (B) 40, when the actual subnets do not overlap, the Responder only needs to notify its own subnet space as TSi, and in this case, it is not necessary to perform NAT conversion. . After the virtual subnet is determined in this way, routing is set in the HGW (A) 10 and the HGW (B) 40 as in the first embodiment.

(Effects of Example 2)
As described above, according to the second embodiment, when a session is established between the HGW (A) 10 and the HGW (B) 40, the HGW (B) 40 wishes to use each other. Virtual addresses or ranges of virtual addresses are exchanged as virtual address information, and virtual addresses that match each other's conditions are determined, so the virtual address information of the local network and the virtual address information of the connection destination are exchanged and connected As a result, it is possible to reliably prevent duplication of virtual addresses even when N-to-N connection is made.

  Further, in this example, the subnet space of 129.60.0.0/16 has been described as an example. However, the present invention is not limited to this, and may be 10.0.0.0/8. As a result of increasing the number of bits for space from 1 octet to 2 octets, it is possible to further prevent duplication. Also, the HGW (A) 10 can determine the subnet space itself of such a virtual address by exchanging (negotiation) with the HGW (B) 40.

  Further, according to the second embodiment, when there is another network that is already connected so as to be communicable, the virtual address or virtual used with the other network is determined when the virtual address is determined. Since virtual addresses are determined so that they do not overlap with the address range, even when multiple networks are connected simultaneously, it is possible to select and use virtual addresses that do not overlap. As a result, multiple networks are connected simultaneously. It is possible.

  By the way, as described in the second embodiment, the present invention can determine the virtual address information by various methods other than the negotiation between the HGWs when the telephones are SIP-connected.

  Therefore, in the third embodiment, when OpenVPN is installed in each of the HGW (A) 10 and the HGW (B) 40, as a method other than performing negotiation between HGWs, virtual address information is obtained using OpenVPN. An example of determination will be described. FIG. 7 is a sequence diagram showing a flow of virtual address determination processing by OpenVPN.

  This process corresponds to “step S313: message 3” to “step S317: message 6” shown in FIG. 6, and the process of “message 7” is newly performed. Further, the processing up to the VPN connection is the same as the processing in steps S301 to S311 described with reference to FIG. 6, and therefore the processing for determining the virtual address information will be described here. The OpenVPN is a full-function SSL (Secure Socket Layer) VPN using VPN software. In this embodiment, the client on the VPN software is called the HGW (A) 10 and the server side is called. This will be described as the HGW (B) 40 on the side.

(Processing sequence)
As shown in FIG. 7, when the VPN connection with the HGW (B) 40 is started (step S401), the HGW (A) 10 sets the destination port number to “445” and “Client Hello” that is an “SSL request”. Message is transmitted to the HGW (B) 40 via the SIP server (step S402).

  Then, the HGW (B) 40 responds to the HGW (A) 10 via the SIP server with a “Server Hello” message that is an “SSL response” as a response corresponding to this request (step S403). Then, the HGW (A) 10 performs certificate-based partner authentication using the telephone number as an ID (step S404).

  Thereafter, the HGW (A) 10 that has received the response transmits “key information” as an “SSL request” to the HGW (B) 40 via the SIP server (step S405), and the HGW (B) 40 Certificate-based partner authentication is performed using the number as an ID (step S406), and as a result, a “completion notice” is transmitted as an “SSL response” to the HGW (A) 10 via the SIP server (step S407).

  Subsequently, the HGW (B) 40 transmits network setting information (NAT address information) to the HGW (A) 10 via the SIP server (step S408), and the HGW (A) 10 that has received the network setting information, In the HGW (B) 40 that has transmitted the network setting information, NAT setting is performed (steps S409 and S410), and an SSL VPN tunnel is established between the home LAN (A) and the home LAN (B). (Step S411). The above-described authentication is an authentication method for determining whether or not the telephone number described in the received certificate matches the telephone number of the connection destination, and the authentication method is not limited to this. Other known authentication methods may be used.

(Virtual address information determination method)
Next, the above process will be described with specific examples. As described above, the OpenVPN allows the server side (HGW (B) 40) to transmit its private IP address information to the client side (HGW (A) 10).

  By starting such VPN software upon VPN connection, the HGW (B) 40 on the server side sets its own virtual address information “192.168.10.0/24” to an even number in step S408 and the client side HGW (A) 10 that is the client side, and in step S409, HGW (A) 10 that is the client side sets its own virtual subnet to the third octet of the virtual address on the server side based on the information. It is assumed that “192.168.11.0/24” is added. If such a rule is stored in the virtual address information DB 21, even if there are a plurality of incoming calls, an address design that avoids duplication on the server side (192.168.12.0 for the next call) Can be paid out.

  In addition, when multiple client connections (multiple calls) are made, there is a possibility that the virtual address notified by the server side may overlap. In such a case, the client side has notified the client side. If duplication is found by checking the virtual address, the VPN connection may be failed and the connection may be made again.

  For example, when the virtual address “192.168.11.0/24” is already used in the existing VPN connection, the server side has notified that its virtual address is “192.168.10.0/24” in the new VPN connection. In this case, if “1” is added to the third octet of the virtual address on the server side, it overlaps with “192.168.11.0/24” already used, so a connection error is returned. When a connection error occurs, the server side selects a different virtual address and notifies the client side again. In this way, duplication can be avoided by several trial and error. The processing after the virtual address is determined is the same as that in the first embodiment.

(Effects of Example 3)
As described above, according to the third embodiment, when a session is established between the HGW (A) 10 and the HGW (B) 40, the virtual address or virtual address desired to be used in the home LAN (B). The virtual address to be used in the network is determined so as not to overlap the received virtual address or the virtual address range, so that N-to-N VPN connections are made. Even in this case, as a result of confirming the virtual address notified by the call connection destination, it is possible to firmly prevent duplication of virtual addresses.

  Further, according to the third embodiment, the virtual address or the range of virtual addresses used in the home LAN (B) received from the HGW (B) 40 is used in another network that is already communicably connected. The virtual address or the range of the virtual address is rejected, the connection with the data relay device connected to the other network is rejected, and the virtual address or the range of the virtual address is set to the HGW (B) 40 again. Therefore, it is possible to avoid duplication more firmly as a result of being able to perform trial and error.

  By the way, the present invention can determine the virtual address information by various methods other than performing negotiation between the HGWs described in the second embodiment when the telephones are SIP-connected.

  Therefore, in the fourth embodiment, various methods for determining virtual address information when the telephones are SIP-connected will be described. Here, “virtual address determination method using parameters that can be set in both directions” and “virtual address determination method using parameters that can be set in one direction” in communication up to SIP establishment will be described.

(Virtual address determination method using bidirectionally configurable parameters)
First, a method for determining a virtual address by rewriting the contents of messages transmitted and received in steps S304 and S305 and steps S307 and S308 described in FIG. 6 showing a general SIP connection processing sequence will be described. To do.

  A transaction packet in SIP (for example, SIP INVITE, 200 OK, etc.) includes a tag parameter in the From header and To header in order to identify the call. Also, since the contents of tag information are always different between From and To, in SIP UA (User Agent), lower or upper 16 bits can be set to different values, and those values can be used as virtual addresses as they are. .

  For example, when the tag information included in the From header is “a1b2”, the virtual address space can be determined as “10.161.178.0/24” because “a1 = 161, b2 = 178”. When the tag information included in To is “1234”, the virtual address space can be determined to be “10.18.52.0/24” because “12 = 18, 34 = 52”. Here, as a tag generation algorithm, if the lower 16 bits are generated differently, the From tag information may be “9876a1b2” and the To tag information may be “aabbccdd1234”.

  By doing in this way, even when multiple SDP information and TAG information are received after receiving a plurality of incoming calls, the SDP information and TAG information transmitted by the user can be selected and transmitted so as not to overlap It is possible to firmly prevent duplication of virtual addresses and connect to be communicable.

  In addition, a class C private IP address space will be described as an example. Of the lower 16 bits of “192.168.0.0”, the number of bits in a specific range is set as a virtual address space (virtual subnet space) and determined using tag information. can do. For example, when the space of “/ 24” is determined, the HGW (A) 10 that is the calling side determines “4 bits” and the HGW (B) 40 that is the receiving side determines “bit sequence” of “4 bits”. Connect to determine the address space of “192.168. (4 + 4) .0 / 24”. At this time, the HGW can prevent duplication by deciding a rule such that the one sent by the HGW is first.

  More specifically, the HGW (A) 10 that is the calling side inputs “3 = 0011” to the tag information and transmits “SIP INVITE”, and the HGW (B) that is the called side responds to this. ) 40 inputs “12 = 1100” to the tag information and responds with “200 OK”. In this case, the HGW (A) 10 determines the virtual address space of the home LAN (A) as “192.168.60.0/24” from the two tag information “00111100 = 60”, and similarly, the HGW (B) 40 Determines the virtual address space of the home LAN (B) as “192.168.95.0/24” from the two tag information “11000011 = 95”. Here, the case of determining “4 bits” of the third octet has been described. However, the present invention is not limited to this, and any number of bits may be used. For example, when “6 bit” is determined, the subnet space of the virtual address is “/ 28”. In addition, although the subnet space of “192.168.0.0/16” is assumed here, it may be “10.0.0.0/8”. In that case, the number of bits that can be exchanged can be increased to prevent duplication. It is possible.

  Also, the HGW (A) 10 can determine the subnet space itself of such a virtual address by exchanging (negotiation) with the HGW (B) 40. For example, the HGW (A) 10 transmits to the HGW (B) 40 the subnet space that the HGW (A) 10 desires to use and the subnet space that the HGW (B) 40 desires to use, and the HGW (B) 40 accepts this. In some cases, it is used as it is, and when it is not accepted, the subnet space used by each other can be determined by requesting the subnet space to the HGW (A) 10 again.

  Various methods other than the method using the tag information described above can be used as the virtual address determination method using the parameters that can be set in both directions. For example, the virtual address information can be determined by describing the address information in the SDP information given to “INVITE” or “200 OK” in SIP communication and performing bidirectional communication. In this case, the SDP information does not need to be in hexadecimal notation as in the tag information described above, and it is possible to store the address notation as a parameter as it is and transmit / receive with the SDP information in which the address notation is stored. .

  When such SDP information is used, the virtual address information can also be determined by using the method for determining the virtual address by performing the negotiation described in the second embodiment, in addition to the above method. By doing so, the virtual address information of the own network and the virtual address information of the connection destination can be exchanged, and it can be determined whether or not the virtual address information being connected does not overlap with the virtual address information being connected. It is possible to perform communication while reliably preventing duplication of addresses.

(Virtual address determination method using parameters that can be set in one direction)
Next, a method for determining a virtual address by rewriting the contents of messages transmitted and received in steps S304 and S305 and steps S307 and S308 described in FIG. 6 in the same manner as described above will be described. However, in this example, in order to use “Call-ID” included in “INVITE” in Step S304 and Step S305, “Call-ID” of “INVITE” is arbitrarily set, unlike the above-described method. Although it is possible to set, “Call-ID” of “200 OK” transmitted in step S307 and step S308 cannot be arbitrarily set, and is automatically set.

  For example, when the HGW (A) 10 includes a virtual address directly in the “Call-ID”, the “c0a8000” in which “192.168.0.0/24” is changed to the hexadecimal notation is changed to the head of the “Call-ID” or It is given to the back and transmitted to the HGW (B) 40. The HGW (B) 40 that has received this determines a virtual address according to a predetermined setting rule based on the received “c0a8000”. For example, if the setting rule is to add 1 to the third octet, the virtual address is determined as “192.168.1.0/24”. When the HGW (B) 40 receives from the HGW (A) 10 “INVITE” to which the Call-ID indicating the same virtual address information as the already used virtual address information is received, the HGW (B) 40 rejects the connection. Can do. Furthermore, the HGW (A) 10 can include not only the virtual address information but also information “/ 24” indicating the range of the subnet of the virtual network in the Call-ID. The value is changed to a decimal notation, and added to the Call-ID after the address information is transmitted to the HGW (B) 40 as “c0a800018”.

  In this way, when establishing a session with the HGW (B) 40, a Call-ID in SIP to which a parameter indicating a virtual address used in the home LAN (A) is added is transmitted to the HGW (B) 40. Since the virtual address to be used in the home LAN (A) is determined, the virtual address information determined by the HGW (A) 10 can be notified to the connection destination HGW (B) 40. It is possible to prompt the determination of virtual addresses that do not overlap on the side.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. Therefore, as shown below, (1) a connection control server, (2) a VPN connection using only IPsec, (3) a system configuration, and the like, (4) different embodiments will be described separately.

(1) Connection control server For example, in the first to fourth embodiments, when there is no third-party device that performs VPN connection between the HGW (A) 10 and the HGW (B) 40, that is, the HGW (A). 10 and HGW (B) 40 have been described as being directly connected to each other by VPN, but the present invention is not limited to this, and as shown in FIG. 8, it is connected as a third-party device that performs VPN connection. A control server may be connected.

  In this case, the SIP connection and VPN connection requests and their responses sent from the HGW (A) 10 or HGW (B) 40 are sent to the connection control server, and the connection control server sends them to the HGW (A) 10 or Although it will be transferred to the HGW (B) 40, even in that case, the connection destination does not change just by changing the transmission destination, so there is no problem and the method described in the first to fourth embodiments is used. Can do. FIG. 8 is a diagram showing the overall configuration of the system when a connection control server is connected.

(2) VPN connection using only IPsec In the second and third embodiments, the telephones (A) and (B) establish a VOIP session using SIP, and then the HGWs connect the VPNs. However, the present invention is not limited to this, and even if there is no VOIP session using SIP, the HGWs can make a VPN connection. For example, when the session establishment by SIP in Steps S301 to S308 shown in FIG. 6 is not used, that is, when communication by simple IPsec is performed, the HGW performs the operation by the IKE initiator or Responder described in the second embodiment. By doing so, VPN connection can be performed.

(3) System configuration etc. Also, among the processes described in the present embodiment, the processes described as being performed automatically (for example, various response processes such as 200 OK, etc., in the second to fourth embodiments) All or a part of the process of determining the virtual address according to the rules used) can also be performed manually. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters (for example, FIG. 3) shown in the above documents and drawings are arbitrarily changed unless otherwise specified. be able to.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. It can be configured by integrating (for example, integrating the VPN connection unit and the NAT conversion unit). Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(4) Program The data relay method described in this embodiment can be realized by executing a prepared program on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the data relay device, the data relay method, and the data relay program according to the present invention include a network configured such that a telephone device and another communication device are connected to another network via the data relay device. It is useful for connecting a plurality of other similarly configured networks so as to be able to communicate with each other via a virtual communication path. In particular, when a home LAN is virtually connected, a virtual address It is suitable for communication with sure prevention of duplication.

1 is a system configuration diagram illustrating an overall configuration of a system including an HGW according to a first embodiment. 1 is a block diagram illustrating a configuration of an HGW according to Embodiment 1. FIG. It is a figure which shows the example of the information memorize | stored in virtual address information DB. 6 is a flowchart illustrating a flow of VPN connection processing in the HGW according to the first embodiment. 6 is a flowchart illustrating a flow of communication control processing in the HGW according to the first embodiment. It is a sequence diagram which shows the flow of a process of SIP connection using IKE. It is a sequence diagram which shows the flow of the virtual address determination process by OpenVPN. It is a figure which shows the whole structure of a system in case a connection control server is connected.

Explanation of symbols

10 HGW (A)
11 Internal I / F unit 12 External I / F unit 20 Storage unit 21 Virtual address information DB
30 Control unit 31 Virtual address determination unit 32 VPN connection unit 33 NAT conversion unit 40 HGW (B)
41 Internal I / F unit 42 External I / F unit 50 Storage unit 51 Virtual address information DB
60 Control Unit 61 Virtual Address Determination Unit 62 VPN Connection Unit 63 NAT Conversion Unit

Claims (11)

A data relay device that connects a network configured such that a plurality of communication devices are connected to another network via the data relay device and a plurality of other networks that are similarly configured to communicate with each other. There,
Necessary for determining a virtual address to be used in the network in association with the originating side and the terminating side of a session established between the data relay device and another data relay device connected to another network. Virtual address information storage means for storing virtual address information;
When a session is established between the data relay device and another data relay device, the virtual address information is stored in the virtual address information storage unit based on whether the session is the originating side or the terminating side. Virtual address determination means for determining a virtual address to be used in the network based on the acquired virtual address information,
Using the virtual address determined by the virtual address determining means, communication is possible by connecting the other network to which the other data relay apparatus with which the session is established is connected and the network through a virtual communication path. Connection control means for controlling
A data relay device comprising:   The virtual address information is a rule of a virtual address determination method on each of the calling side and the called side in order to avoid duplication and conflict of virtual addresses used in the network and other networks. The data relay apparatus according to claim 1.   The virtual address determination unit is configured to provide a virtual address or virtual address desired to be mutually used with the other data relay device when a session is established between the data relay device and the other data relay device. 2. The data relay apparatus according to claim 1, wherein a range of addresses is exchanged as virtual address information, and virtual addresses that match each other's conditions are determined.   The virtual address determination means determines whether a virtual address or a range of virtual addresses desired to be used in the other network is transferred to another data relay when a session is established between the data relay device and the other data relay device. 2. The data relay apparatus according to claim 1, wherein a virtual address used in the network is determined so as not to overlap with the received virtual address or the range of virtual addresses received from the apparatus.   The virtual address determination means uses a virtual address or a virtual address used with another network when determining the virtual address when there is another network that is already communicably connected. The data relay apparatus according to claim 3 or 4, wherein the virtual address is determined so as not to overlap with the range of the data.   The virtual address determining means is a virtual address used in another network in which a virtual address or a range of virtual addresses used in another network received from the other data relay device is already communicably connected. Or, if it matches the virtual address range, reject the connection with the data relay device connected to the other network, and request the virtual address or the virtual address range from the other data relay device again. The data relay device according to claim 4. The data relay device establishes a session with the other data relay device using SIP,
The virtual address determination means adds virtual address information used in the network to the SDP information in the SIP and establishes a session with the other data relay device, and transmits it to the other data relay device. And, as a result of negotiation for receiving the SDP information to which the virtual address information used in the other network is added from the other data relay apparatus, the virtual address used in the network is determined. The data relay device according to claim 1. The data relay device establishes a session with the other data relay device using SIP,
When establishing a session with the other data relay device, the virtual address determining means adds SDP information or TAG information in SIP to which parameters necessary for determining a virtual address used in the network are added to other data The SDP information or the TAG information to which the parameter related to the virtual address information determined based on the transmitted parameter is added is received from another data relay device, and the network is configured based on the received parameter. The data relay apparatus according to claim 1, wherein a virtual address to be used is determined. The data relay device establishes a session with the other data relay device using SIP,
When establishing a session with the other data relay device, the virtual address determination means transmits a Call-ID in SIP with a parameter indicating a virtual address used in the network to the other data relay device. The data relay apparatus according to claim 1, wherein a virtual address used in the network is determined. A network configured such that a plurality of communication devices are connected to another network via the data relay device, and a plurality of other networks configured in the same manner to be communicably connected to each other. A suitable data relay method,
Necessary for determining a virtual address to be used in the network in association with the originating side and the terminating side of a session established between the data relay device and another data relay device connected to another network. Virtual address information storage means for storing virtual address information;
When a session is established between the data relay device and another data relay device, the virtual address information is stored in the virtual address information storage unit based on whether the session is the originating side or the terminating side. And a virtual address determination step for determining a virtual address to be used in the network based on the acquired virtual address information;
Using the virtual address determined in the virtual address determination step, communication is possible by connecting another network to which the other data relay apparatus with which the session is established is connected and the network through a virtual communication path. A connection control process for controlling
The data relay method characterized by including. As the data relay device that connects a plurality of communication devices to be connected to another network via the data relay device and a plurality of other networks that are similarly configured to communicate with each other A data relay program to be executed by a computer,
Necessary for determining a virtual address to be used in the network in association with the originating side and the terminating side of a session established between the data relay device and another data relay device connected to another network. Virtual address information storage means for storing virtual address information;
When a session is established between the data relay device and another data relay device, the virtual address information is stored in the virtual address information storage unit based on whether the session is the originating side or the terminating side. And a virtual address determination procedure for determining a virtual address to be used in the network based on the acquired virtual address information,
Using the virtual address determined by the virtual address determination procedure, communication is possible by connecting another network to which the other data relay apparatus with which the session is established is connected and the network through a virtual communication path. A connection control procedure to control,
A data relay program for causing a computer to execute.

Images