JP2010166189A - Ip repeater, communication system, and tcp flow control method used for them - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an IP repeater capable of providing stable communication between nodes. <P>SOLUTION: The IP repeater includes: an ALG function (ALG control unit 23) for rewriting data of FTP and SIP of part of a TCP application on an NAT when repeating communication between a terminal belonging to a private network and a terminal belonging to a global network; and an TCP session control function (TCP session control unit 22) for controlling TCP connection when the ALG function receives the required TCP packets. The IP repeater provides an order property of the TCP packets from the TCP session control function (TCP session control unit 22) to the ALG function (ALG control unit 23). <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an IP relay device, a communication system, and a TCP flow control method used therefor, and more particularly, to a TCP (Transmission Control Protocol) flow control method in an IP (Internet Protocol) relay device.

  In an IP relay device that operates a NAT (Network Address Translation) function belonging to a global network and a private network (see, for example, Non-Patent Document 1), TCP (Transmission Control Protocol) such as FTP (File Transfer Protocol) and SIP (Session Initiation Protocol). When transferring a Protocol packet, it is necessary to convert the payload of the TCP application by using an ALG (Application Level Gateway) function.

  In the basic operation of NAT, only the address in the IP header of the IP packet and the port number of the TCP / UDP (User Datagram Protocol) header are changed.

  However, some applications carry addresses and port numbers in the TCP / UDP data portion. In this case, it is necessary to rewrite the address and port number information of the TCP / UDP data portion in addition to the information of the IP header and the TCP / UDP header. Since this information is written in different locations depending on the application, it is necessary to define a rewrite rule for each application. This function is called the ALG function.

P. Srisuresh, K.M. Eggang, RFC3022, Transitional IP Network Address Translator (Traditional NAT), January 2001, URL: http: // www. ietf. org / rfc / rfc3022. txt

  However, in the relay apparatus having the above-described ALG function, there is a problem that when TCP segments do not come in order, when TCP retransmission or TCP segments are divided, normal TCP communication thereafter cannot be performed. is there. As a result, a problem that the TCP connection is interrupted, a problem that the TCP packet is retransmitted, a problem that the communication has to be restarted from the beginning, and the like occur.

  That is, in an IP relay device having a NAT function belonging to a global network and a private network, some TCP applications need to convert the payload using the ALG function, but if the TCP order is reversed, When the TCP segment is divided and the TCP segment is divided, the ALG function cannot be processed correctly and the TCP connection is interrupted.

  When the TCP order is reversed, it is necessary to manage a complicated TCP sequence number in a TCP application in which the ALG function operates, and it is necessary to manage not only the application layer but also the TCP layer.

  Also, when TCP retransmission occurs, a TCP application in which the ALG function operates cannot be determined as TCP retransmission, and duplicate resources are secured, and the previous connection is disconnected.

  Further, when the TCP segment is divided, the IP address information and the TCP port number to be rewritten by the TCP application may not be recognized, which causes a problem of packet discard or transfer as it is. This has a problem that data cannot be transferred correctly and a security problem.

  Because of these problems, it is necessary to devise a method for implementing the ALG function corresponding to TCP sequence control, retransmission control, and division control.

  Therefore, an object of the present invention is to provide an IP relay device, a communication system, and a TCP flow control method used for them, which can solve the above problems and can supply stable communication between nodes.

The IP relay device according to the present invention, when relaying communication between a terminal belonging to a private network and a terminal belonging to a global network, FTP (File Transfer Protocol) and SIP (Session Initiation) of some TCP (Transmission Control Protocol) applications. ALG (Application Level Gateway) function for rewriting protocol data on NAT (Network Address Translation);
A TCP session control function for controlling a TCP connection when a TCP packet that requires the ALG function is received;
The TCP packet order is provided from the TCP session control function to the ALG function.

  A communication system according to the present invention includes the above-described IP relay device.

In the TCP flow control method according to the present invention, when a communication between a terminal belonging to a private network and a terminal belonging to a global network is relayed to an IP (Internet Protocol) relay apparatus, FTP of some TCP (Transmission Control Protocol) applications is used. (File Transfer Protocol) and SIP (Session Initiation Protocol) data are provided with an ALG (Application Level Gateway) function that rewrites data on NAT (Network Address Translation).
When the IP relay apparatus receives a TCP packet that requires the ALG function, it executes a TCP session control process that controls a TCP connection, and provides the TCP packet order from the TCP session control process to the ALG function. is doing.

  The present invention has an effect that stable communication between nodes can be supplied by adopting the above configuration and operation.

It is a block diagram which shows the structural example of the communication system by the 1st Embodiment of this invention. It is a block diagram which shows the example of a network structure by the 1st Embodiment of this invention. It is a sequence chart which shows TCP order control by the 1st Embodiment of this invention. It is a sequence chart which shows operation | movement when the TCP retransmission packet by the 1st Embodiment of this invention is received. 5 is a sequence chart showing an operation in an ALG process waiting state in FIG. 6 is a sequence chart showing an operation in an ACK response waiting state in FIG. FIG. 5 is a sequence chart showing the operation in the upper application waiting state in FIG. 4. FIG. FIG. 5 is a sequence chart showing an operation in an ACK transmission completed state in FIG. 4. It is a sequence chart which shows the division | segmentation packet control of TCP by the 1st Embodiment of this invention.

  Next, embodiments of the present invention will be described with reference to the drawings. First, an outline of a communication system according to the present invention will be described. In the communication system according to the present invention, when a terminal belonging to a private network and a terminal belonging to a global network communicate, communication is performed via an IP (Internet Protocol) relay apparatus having a NAT (Network Address Translation) function.

  Among them, FTP (File Transfer Protocol) of some TCP (Transmission Control Protocol) applications and SIP (Session Initiation Protocol) need to rewrite data on NAT, so ALG (Application Level Gateway) functions. Used.

  The communication system according to the present invention supports TCP packet sequence abnormalities, retransmission, and segmented reception by performing TCP session order control, retransmission control, and division control in an IP relay device having the ALG function. The end-to-end communication is performed accurately.

  In the communication system according to the present invention, when the ALG function of the TCP application is operated by the IP packet relay device, the TCP session control function is provided to cope with the TCP session abnormality, and the ALG function discards the packet and usesless processing. Is avoiding.

  FIG. 1 is a block diagram showing a configuration example of a communication system according to the first embodiment of the present invention, and FIG. 2 is a block diagram showing a network configuration example according to the first embodiment of the present invention. 1 and 2, the communication system according to the first embodiment of the present invention includes PCs (Personal Computers) (# 1, # 2) 1-0, 1-1 and an IP relay device 2. ing. The IP relay device 2 has an ALG function 20.

  The PC (# 1) 1-0 belongs to the private network 100 and is assigned a private network IP address. The PC (# 2) 1-1 belongs to the global network 101 and is assigned a global network IP address.

  The IP relay device 2 has a NAT function (not shown), belongs to both the private network 100 and the global network 101, and is assigned both IP addresses. The IP relay device 2 communicates with the PC (# 2) 1-1 via the Internet network 200.

  The PC (# 1) 1-0 and the PC (# 2) 1-1 are mounted with FTP or SIP of a TCP application that requires the ALG function. When FTP operates on PC (# 1) 1-0 and PC (# 2) 1-1, a TCP connection is established between PC (# 1) 1-0 and PC (# 2) 1-1. Establish and exchange FTP over TCP. At that time, the IP relay device 2 edits the FTP packet to be relayed and performs session control of the TCP packet.

  1, the IP relay device 2 includes a layer 2/3 transmission / reception control unit 21, a TCP session control unit 22, and an ALG control unit 23 in addition to the ALG function 20 shown in FIG. The TCP session control unit 22 includes a retransmission control unit 221, an order control unit 222, and a packet buffer 223.

  The PC (# 1) 1-0 belongs to the private network 100, and the PC (# 2) 1-1 belongs to the global network 101. The PC (# 1) 1-0 and the PC (# 2) 1-1 each implement FTP and SIP of a TCP application that requires the ALG function 20. The IP relay device 2 belongs to each of the private network 100 and the global network 101, and relays IP communication between the PC (# 1) 1-0 and the PC (# 2) 1-1.

  In the IP relay device 2, the layer 2 and 3 transmission / reception control unit 21 controls communication of layer 2 and layer 3 and performs IP routing and policy routing, thereby realizing IP packet transfer and packet transmission / reception. .

  In the IP relay device 2, the TCP session control unit 22 controls the TCP connection when a TCP packet that requires the ALG function 20 is received from the layer 2/3 transmission / reception control unit 21. The TCP session control unit 22 uses the order control unit 222 and the packet buffer 223 to realize TCP session order control and division control.

  Also, the TCP session control unit 22 uses the retransmission control unit 221 and the packet buffer 223 to control the retransmission of the TCP packet between the PC (# 1) 1-0 and the PC (# 2) 1-1. .

  TCP packets that are required by the ALG function 20 such as FTP and SIP received by the TCP session control unit 22 are notified to the ALG control unit 23. The ALG control unit 23 receives a TCP packet whose order is controlled by the TCP session control unit 22. In addition, when the segment of the received TCP packet is divided, the ALG control unit 23 buffers and reassembles until the remaining fragmented segment is received.

  The ALG control unit 23 processes each TCP application, and converts the payload of the TCP application according to the setting of the TCP application when the TCP application payload includes application data that needs to be converted such as a network address and a port number. The payload is transmitted to the TCP session control unit 22.

  When a TCP application packet transmission request is received from the ALG control unit 23, the TCP session control unit 22 checks the TCP packet checksum, sequence number, ACK (ACKnowledgement) number, IP header ID (IDentifier), packet length, check The sum is recalculated and a transmission request is sent to the layer 2/3 transmission / reception control unit 21.

  FIG. 3 is a sequence chart showing TCP sequence control according to the first embodiment of the present invention. The TCP sequence control according to the first embodiment of the present invention will be described with reference to FIGS.

  The TCP communication between the PC (# 1) 1-0 and the PC (# 2) 1-1 is not based on the order in which the PCs are transmitted, but the packets transmitted later are the first depending on the congestion status and network configuration of the Internet network 200. There is a case of arrival (S301 in FIG. 3). In this case, the TCP session control unit 22 determines the order reversal from the sequence number of the TCP packet, and holds the packet in the packet buffer 223 until the previously transmitted packet is received (S303 in FIG. 3) (FIG. 3). S302), the order is restored (S304 in FIG. 3), and the packet is transferred to the ALG control unit 23 (S305 in FIG. 3).

  After passing the packet to the ALG control unit 23, the TCP session control unit 22 confirms the sequence of the held packet (S306 in FIG. 3), and if the sequence can be passed to the ALG control unit 23, the packet Is transferred to the ALG control unit 23 (S307 in FIG. 3).

  The application data edited by the ALG control unit 23 is requested to be transmitted to the TCP session control unit 22 (S308 and S310 in FIG. 3). Here, the change in the segment length is a general operation of NAT, and is for editing by the ALG control unit 23.

  The TCP session control unit 22 requested to transmit from the ALG control unit 23 recalculates the IP packet header and the TCP packet header, and requests the transmission to the layer 2/3 transmission / reception control unit 21 (S309 and S311 in FIG. 3).

  FIG. 4 is a sequence chart showing an operation when a TCP retransmission packet is received according to the first embodiment of the present invention. The operation when a TCP retransmission packet according to the first embodiment of the present invention is received will be described with reference to FIGS.

  The operation when the TCP retransmission packet is received performs retransmission control according to how far the TCP session control unit 22 and the ALG control unit 23 have processed. The state of the TCP session control unit 22 with respect to the retransmission packet is classified into the following four states.

  In the first state, the TCP session control unit 22 receives a TCP data segment (S401 in FIG. 4), and notifies the ALG control unit 23 (S402 in FIG. 4) and waits for an ALG process (FIG. 4). S403).

  In the second state, a packet transmission request is received from the ALG control unit 23 (S404 in FIG. 4), and a data segment transmission request is sent to the layer 2/3 transmission / reception control unit 21 (S405 in FIG. 4). This is the state (S406 in FIG. 4).

  In the third state, the TCP session control unit 22 receives an ACK (S407 in FIG. 4) and waits for an ALG ACK process after the packet reception is notified to the ALG control unit 23 (S408 in FIG. 4) (FIG. 4). S409).

  The fourth state is an ACK transmission completed state after receiving an ACK packet transmission request from the ALG control unit 23 (S410 in FIG. 4) and requesting transmission of an ACK packet to the layer 2/3 transmission / reception control unit 21 (S411 in FIG. 4). (S412 in FIG. 4). Next, the operation in each state will be described.

  FIG. 5 is a sequence chart showing the operation in the ALG processing wait state (S403) in FIG. The operation in the ALG process waiting state (S403) according to the first embodiment of the present invention will be described with reference to FIG. 1, FIG. 2, and FIG.

  When the TCP session control unit 22 receives a request packet of a TCP packet from the PC (# 1) 1-0 (S501 in FIG. 5), it notifies the ALG control unit 23 of packet reception (S502 in FIG. 5), and then performs an ALG process. A waiting state is entered (S503 in FIG. 5).

  After that, when receiving the retransmission packet, the TCP session control unit 22 discards the information because it has been notified to the ALG control unit 23 (S505 in FIG. 5). Since the TCP session control unit 22 discards the packet, there is an effect that the ALG control unit 23 does not perform duplicate processing.

  FIG. 6 is a sequence chart showing the operation in the ACK response waiting state (S406) in FIG. The operation in the ACK response waiting state (S406) according to the first embodiment of the present invention will be described with reference to FIGS.

  When the TCP session control unit 22 receives a TCP packet from the PC (# 1) 1-0 (S601 in FIG. 6), the TCP session control unit 22 notifies the ALG control unit 23 of the reception of the packet, and the ALG control unit 23 sends the PC (# 2). ) When there is a transmission request addressed to 1-1, a copy of the packet addressed to PC (# 2) 1-1 is held in the packet buffer 223 until an ACK is received (S604 in FIG. 6), and PC (# 2 ) Send the packet to 1-1. Here, the TCP session control unit 22 enters an ACK response waiting state (S606 in FIG. 6).

  In this state, when the TCP session control unit 22 receives a retransmission packet (S607 in FIG. 6), the TCP session control unit 22 discards the received retransmission packet and holds it in the process of S604 without sending it to the ALG control unit 23. The transmission request packet addressed to PC (# 2) 1-1 is retransmitted (S609 in FIG. 6). The packet buffer 223 holds the copied packet until an ACK is received from the PC (# 2) 1-1 (S610 in FIG. 6).

  FIG. 7 is a sequence chart showing the operation of the upper application waiting state (S409) in FIG. With reference to FIG. 1, FIG. 2, and FIG. 7, the operation in the upper application waiting state (S409) according to the first embodiment of the present invention will be described.

  When the TCP session control unit 22 receives the ACK from the PC (# 2) 1-1 (S705 in FIG. 7) and passes the ACK to the ALG control unit 23 (S706 in FIG. 7), it waits for the upper application (in FIG. 7). S707). When the TCP session control unit 22 receives the retransmission packet in S707 (S708), the TCP session control unit 22 discards the retransmission packet without transmitting it to the ALG control unit 23 (S709 in FIG. 7).

  FIG. 8 is a sequence chart showing the operation in the ACK transmission completed state (S412) in FIG. The operation in the ACK transmission completed state (S412) according to the first embodiment of the present invention will be described with reference to FIGS.

  When the TCP session control unit 22 receives an ACK from the PC (# 2) 1-1 (S805 in FIG. 8) and transmits an ACK to the PC (# 1) 1-0 (S808 in FIG. 8), the ACK has been transmitted. A state is reached (S809 in FIG. 8).

  When the TCP session control unit 22 receives the retransmission packet in S801 (S810 in FIG. 8), the TCP session control unit 22 discards the received retransmission packet without transmitting it to the ALG control unit 23 (S809 in FIG. 8). The ACK (S808) is retransmitted to the original PC (# 1) 1-0 (S812 in FIG. 8).

  FIG. 9 is a sequence chart showing TCP fragmented packet control according to the first embodiment of the present invention. TCP fragmented packet control according to the first embodiment of the present invention will be described with reference to FIG. 1, FIG. 2, and FIG.

  The TCP packet between the PC (# 1) 1-0 and the PC (# 2) 1-1 is used when the message size of the TCP application is larger than the MSS (Maximum Segment Size) or between the PC and the IP relay device 2. The TCP segment is divided by the network configuration and arrives at the IP relay device 2.

  The fragment packet (1/2) (S901 in FIG. 9) and the fragment packet (2/2) (S902 in FIG. 9) are transmitted from the PC (# 1) 1-0 to the PC (# 2) 1-1. The data segment indicates that one message is divided into two when transmitted from the PC (# 1) 1-0 and arrives at the IP relay device 2.

  When the divided packet (1/2) (S901 in FIG. 9) arrives, the TCP session control unit 22 updates the TCP session management information (S902 in FIG. 9) and passes it to the ALG control unit 23. The TCP session management information is session information of the received TCP packet, and is used for TCP order control, retransmission control, division control, recalculation of the IP header and TCP header at the time of packet transmission.

  The ALG control unit 23 receives the TCP data segment of the TCP packet (S903 in FIG. 9) from the TCP session control unit 22, but since it is divided, it holds it in the buffer of the TCP application (S904 in FIG. 9). .

  When the divided packet (2/2) arrives (S905 in FIG. 9), the TCP session control unit 22 updates the session information (S906 in FIG. 9), and passes the packet information to the ALG control unit 23 (S907 in FIG. 9). ).

  When receiving the packet information (S907 in FIG. 9), the ALG control unit 23 uses the held data to reassemble and edit the data segment (S908 in FIG. 9). The edited data segment (S909 in FIG. 9) is requested to be transmitted to the TCP session control unit 22.

  The TCP session control unit 22 calculates the IP header checksum, ID, packet length, TCP header checksum, ACK number, and sequence number, and sends a transmission request to the layer 2/3 transmission / reception control unit 21 (S911 in FIG. 9). ). Here, if it is necessary to divide the segment, it is divided and transmitted.

  As described above, in this embodiment, providing the TCP packet order from the TCP session control unit 22 to the ALG control unit 23 has an effect that the order control in the ALG control unit 23 becomes unnecessary.

  As a result, in the present embodiment, the ALG control unit 23 has only to process the segments in the order in which they are received.

  Further, in the present embodiment, by performing retransmission control, it is possible to avoid redundant processing in the ALG control unit 23 and to avoid unnecessary resource consumption. As a result, in this embodiment, double use of resources is avoided and resource mismatch is resolved, so that disconnection of connections can be prevented. Therefore, in this embodiment, a stable connection can be supplied to the TCP client and the TCP server.

  Furthermore, in this embodiment, since a stable connection can be supplied to the TCP client and the TCP server, TCP communication is performed smoothly. Therefore, in the entire system to which the IP relay apparatus 2 belongs, the packet processing load Can be reduced. Accordingly, in the present embodiment, it is possible to prevent leakage of the private IP address and private port number by smoothly performing TCP communication.

  Furthermore, in the present embodiment, when the TCP data segment is divided, the ALG control unit 23 buffers the plurality of divided segments until the ALG control unit 23 arranges the network address until it is arranged as one message. Rewrite failure and port number rewrite failure can be avoided.

  The present invention may be configured as a stateful inspection, IDS (Intrusion Detection System), or proxy server instead of using NAT in FIG. Also in the configuration, as in the first embodiment of the present invention, the IP relay device 2 can manage the TCP session and provide order control, retransmission control, and division control to the ALG.

1-0 PC (# 1)
1-1 PC (# 2)
2 IP Relay Device 20 ALG Function 21 Layer 2/3 Transmission / Reception Control Unit 22 TCP Session Control Unit 23 ALG Control Unit 100 Private Network 101 Global Network 200 Internet Network 221 Retransmission Control Unit 222 Sequence Control Unit 223 Packet Buffer

Claims (13)

When relaying communication between a terminal belonging to the private network and a terminal belonging to the global network, FTP (File Transfer Protocol) and SIP (Session Initiation Protocol) data of some TCP (Transmission Control Protocol) applications and NAT (Network) are used. ALG (Application Level Gateway) function for rewriting on Address Translation),
A TCP session control function for controlling a TCP connection when a TCP packet that requires the ALG function is received;
An IP (Internet Protocol) relay apparatus, which provides the TCP packet order from the TCP session control function to the ALG function.   The IP relay apparatus according to claim 1, wherein the TCP session control function performs TCP session order control, retransmission control, and division control. A packet buffer for temporarily holding the TCP packet;
3. The IP relay device according to claim 2, wherein the TCP session control function performs order control and division control of the TCP session using the order control and the packet buffer.   4. The IP relay apparatus according to claim 3, wherein the TCP session control function determines order reversal based on a sequence number of the TCP packet, and performs order control of the TCP session according to the determination result.   5. The IP relay according to claim 2, wherein when the TCP data segment is divided, the plurality of divided segments are buffered by the ALG function until they are arranged as one message. apparatus.   6. The IP relay according to claim 2, wherein the TCP session control function controls retransmission of the TCP packet between the terminals using the retransmission control and the packet buffer. apparatus.   A communication system comprising the IP relay device according to any one of claims 1 to 6. When relaying communication between a terminal belonging to a private network and a terminal belonging to a global network to an IP (Internet Protocol) relay apparatus, FTP (File Transfer Protocol) and SIP (Session) of some TCP (Transmission Control Protocol) applications An ALG (Application Level Gateway) function for rewriting the data of Initiation Protocol (NAT) on Network Address Translation (NAT) is provided.
When the IP relay apparatus receives a TCP packet that requires the ALG function, it executes a TCP session control process that controls a TCP connection, and provides the TCP packet order from the TCP session control process to the ALG function. A TCP flow control method characterized by:   9. The TCP flow control method according to claim 8, wherein the IP relay device performs TCP session order control, retransmission control, and division control in the TCP session control processing. The IP relay device is provided with a packet buffer for temporarily holding the TCP packet,
3. The TCP flow control according to claim 2, wherein the IP relay apparatus performs the order control and the division control of the TCP session using the order control and the packet buffer in the TCP session control process. Method.   11. The IP relay device according to claim 10, wherein in the TCP session control process, an order inversion is determined from a sequence number of the TCP packet, and the order of the TCP session is controlled according to the determination result. TCP flow control method.   The said IP relay apparatus buffers the some segmented segment by the said ALG function until it arranges as one message, when a TCP data segment is segmented | segmented, The Claims 1-9 characterized by the above-mentioned. Any one of the TCP flow control methods.   The IP relay device controls retransmission of the TCP packet between the terminals using the retransmission control and the packet buffer in the TCP session control process. Any one of the TCP flow control methods.

Images