JP2011101206A - Repeater and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication address allocation technology which can collectively manage communication addresses to be allocated to each terminal device while avoiding the concentration of processing loads in a DHCP server device and further using an access destination limitation corresponding to a state of a terminal device together. <P>SOLUTION: A first address to be allocated to a terminal device that is allowed to perform communication striding over a segment and a second address to be allocated to a terminal device that is not allowed to perform the communication are stored in the DHCP server device. Meanwhile, a condition that the terminal device allowed to perform the communication should satisfy is stored in a relay device for mediating communication between the DHCP server device and the terminal device. Then, whether the transmission source satisfy the condition is determined with the reception of a request to allocate a communication address as a trigger. When the condition is satisfied, an indicator for instructing the allocation of the first address is given to the relay device, and the condition is not satisfied, an indicator for instructing the allocation of the second address is given to make the relay device perform transferring performance. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technique for supporting assignment of a communication address to a terminal device included in a communication system.

  In data communication via a communication network, a data transmission source and transmission destination are specified using a communication address such as an IP (Internet Protocol) address. For this reason, it is necessary to assign a different communication address to each terminal device included in the communication system. Such communication address assignment may be performed manually by a network administrator or the like (specifically, different communication addresses may be input and stored in each terminal device), but DHCP (Dynamic Host Configuration Protocol) may be used. ) Is generally used automatically.

  In a communication system using DHCP, a computer device called a DHCP server device is provided, and a set of communication addresses (hereinafter referred to as a communication address group) assigned (rented) to each terminal device is stored in advance in the DHCP server device. Then, allocation of communication addresses is realized by causing the terminal device and the DHCP server device to perform communication in the sequence shown in FIG. The terminal device broadcasts a communication message (IP lease request message (DHCPDISCOVER): see FIG. 8 for the message structure of the message) to request assignment of a communication address when power is turned on. When the DHCP server apparatus receives the IP lease request message, the DHCP server apparatus uses an unused communication address (communication addresses not assigned to other terminal apparatuses: the following) from among a group of communication addresses registered in the own apparatus. , Unused address). Then, in order to present the selected unused address to the transmission source of the IP lease request message, the DHCP server device writes back in a predetermined field of the IP lease presentation message (DHCPOFFER).

When receiving the IP lease presentation message, the terminal device returns an IP lease selection message (DCHPREQUEST) to notify that the assignment of the communication address presented by the IP lease presentation message is accepted. The DHCP server apparatus that has received this IP lease selection message returns an IP lease confirmation notification message (DHCPACK) in which the communication address presented by the IP lease presentation message and data indicating the lending period (lease period option value) are written. . When the terminal device receives the IP lease confirmation notification message, the terminal device stores the communication address written in the message as assigned to the device, and the period indicated by the lease period option written in the message. Until that time elapses, data communication can be performed using the communication address.
The above is the outline of communication address assignment using DHCP. Refer to Non-Patent Document 1 for details of DHCP.

  In this way, allocation of communication addresses by DHCP is started by broadcasting an IP lease request message, but the broadcast message is not transferred to another segment beyond a relay device such as a router. Therefore, when the communication system is composed of a plurality of segments (for example, as shown in FIG. 7B, each segment is connected to a wide area network such as the Internet via a relay device (not shown) such as a router. When a communication system is configured), it is necessary to provide one DHCP server device for each segment and assign a communication address for each segment. However, in the mode of assigning communication addresses for each segment, it becomes difficult to manage the communication address group in the entire communication system, and there is a problem that a part of the communication address group assigned to the terminal device in each segment overlaps. There is a case.

  An example of a technique for solving a problem caused by the broadcast of an IP lease request message is a DHCP relay agent. In a communication system using a DHCP relay agent, as shown in FIG. 7C, a DHCP server device is provided in any one of a plurality of segments, and a computer called a DHCP relay agent is provided in the other segments. A device is provided. In general, the relay device described above often serves as a DHCP relay agent. Therefore, hereinafter, a case will be described in which a relay device that connects a wide area network and each segment also serves as a DHCP relay agent.

  When the relay device functioning as a DHCP relay agent receives an IP lease request message broadcast by a terminal device belonging to a subordinate segment, the relay device converts the message into a unicast message addressed to the DHCP server device, and further converts the predetermined field (giaddr in FIG. 8). In the field), the communication address of the relay device is written and transferred to the DHCP server device. In the DHCP server device, a communication address group assigned to the terminal device belonging to the segment to which each DHCP relay agent is connected is registered. When receiving the IP lease request message, the DHCP server device selects one unused address from the communication address group, and returns an IP lease presentation message in which the unused address is written to the DHCP relay agent. Then, the DHCP relay agent transfers this IP lease presentation message to the terminal device that is the transmission source of the IP lease request message. Thereafter, transfer control is also performed by the DHCP agent for the IP lease selection message and the IP lease confirmation notification message, and the assignment of the communication address to the terminal device is completed. In this way, in a communication system using a DHCP relay agent, a communication address group assigned to a terminal device can be collectively managed by one DHCP server device. Therefore, one communication address group assigned to a terminal device in each segment. Problems such as overlapping of parts are less likely to occur.

“RFC2131“ Dynamic Host Configuration Protocol ””, Internet, <http://www.rtpo.yamaha.co.jp/RT/docs/dhcp-auth/index.html> “DHCP authentication function”, Internet, <http://www.rtpo.yamaha.co.jp/RT/docs/dhcp-auth/index.html> "QAC function", Internet, <http://jp.trendmicro.com/jp/products/sbYAMAHA/detail>

  By the way, in recent years, due to the growing interest in confidential information leakage, there are many cases where some kind of access destination restriction is provided for terminal devices. For example, only for terminal devices that are registered in advance, communication across segments (for example, communication with a WWW server device connected to a wide area network or communication with a terminal device belonging to another segment) is permitted and registered. For example, a terminal device that does not have a terminal does not allow communication across segments. Examples of the technology for realizing such access destination restriction include DHCP authentication disclosed in Non-Patent Document 2 and QAC (Qualified Access Control) disclosed in Non-Patent Document 3.

  In DHCP authentication, a terminal identifier (for example, a MAC (Media Access Control) address, etc.) that uniquely identifies a terminal device that is permitted to perform communication across segments is registered in advance in the DHCP server device and straddles the segments. The DHCP server so that a set of communication addresses (first communication address group) assigned to terminal devices that permit communication and a set of communication addresses assigned to other terminal devices (second communication address group) do not overlap. Store it in the device. When the DHCP server device receives the IP lease request message, the DHCP server device refers to the MAC address of the transmission source and determines whether or not the transmission source is permitted to execute communication across segments. Then, according to the determination result, an unused address is selected from either the first or second communication address group and is returned. Then, the relay apparatus that connects each segment to the wide area network is caused to transfer only when the transmission source address of the packet received from the subordinate segment belongs to the first communication address group (the second communication address group). If the packet belongs to the communication address group, the access restriction is realized by discarding the packet). On the other hand, QAC is a technology that realizes access destination restriction depending on the type of quarantine software (for example, virus check software) installed in a terminal device. For example, a communication address belonging to the first communication address group is assigned to a terminal device in which predetermined quarantine software is installed, and the second communication address group is assigned to a terminal device in which predetermined quarantine software is not installed. For example, a communication address belonging to the address is assigned.

  The problem here is that the DHCP authentication, QAC, and DHCP relay agent described above have low affinity and are difficult to use together. For example, when DHCP authentication and a DHCP relay agent are used in combination, it is necessary to register in advance in the DHCP server device the terminal identifier of the terminal device that permits execution of communication across segments. Since registration of such terminal identifiers is generally performed manually by a network administrator or the like, the network administrator goes to the DHCP server device whenever the number of terminal devices included in the system changes. Therefore, a very troublesome work of registering a new terminal identifier is required. In addition, when DHCP authentication (or QAC) and a DHCP relay agent are used in combination, the DHCP server device determines whether or not each terminal device is permitted to execute communication across segments. In such a case, there is a possibility that the processing load on the DHCP server device becomes excessively high.

  SUMMARY OF THE INVENTION The present invention has been made in view of the above-described problems, and collects communication addresses to be assigned to each terminal device while avoiding the concentration of processing load on the DHCP server device in the assignment processing of communication addresses to the terminal device. It is an object of the present invention to provide a technique that can be managed and that can be used together with access destination restriction according to the state of a terminal device.

  In order to solve the above problems, the present invention provides a first communication address group assigned to a terminal device that is permitted to execute communication across segments and a second communication device that is assigned to a terminal device not allowed to execute communication across segments. In a relay apparatus that relays communication between a DHCP server apparatus that stores a group of communication addresses and lends one of the communication addresses in response to a request from the terminal apparatus, and a terminal apparatus that belongs to a subordinate segment, the terminal apparatus includes: A condition table in which condition data indicating conditions for receiving assignment of communication addresses belonging to the first communication address group is written, and a lease request message, which is a communication message for requesting lending of a communication address, from the terminal device When it is received, it is determined whether or not the state of the terminal device satisfies the above condition. If it is determined that the lease request message is transferred to the DHCP server device by giving an indicator for instructing the lending of the communication addresses belonging to the first communication address group, Lease request message transfer means for transferring the lease request message to the DHCP server device by giving an indicator for instructing lending of a communication address belonging to the second communication address group, and a source of the lease request message A lease confirmation notification message, which is a communication message including a communication address lent to the client and lease period data indicating the rent period, is received from the DHCP server device, and the lease confirmation notification message is transferred to the transmission source of the IP lease request message. And having a lease confirmation notification message transfer means Relay device according to symptoms, and the computer provides a program for causing to function as each means. As a specific mode for providing such a program, a mode in which the program is written and distributed on a computer-readable recording medium such as a CD-ROM (Compact Disk-Read Only Memory), the Internet, etc. A mode of distribution by downloading via a telecommunication line is conceivable.

  A DHCP server device is provided in any one segment in a communication system composed of a plurality of segments (for example, a communication system in which each of a plurality of segments is connected to a wide area network), and one relay device is provided for each segment. Is provided, the communication address is assigned to the terminal device in the following manner. That is, in the communication system, a terminal device connected to any segment broadcasts a lease request message (more specifically, an IP lease request message) in the segment in order to receive a communication address assignment. When the relay device provided in the segment receives the lease request message, the relay device determines whether or not the terminal device is permitted to execute communication across the segment based on the state of the terminal device. Then, an indicator according to the determination result is assigned and the lease request message is transferred to the DHCP server device.

  Here, a criterion for determining whether or not execution of communication across segments is permitted is whether or not the terminal state of the transmission source of the lease request message satisfies the condition indicated by the condition data. As an example of such conditions, a specific state such as a pre-registered terminal device (for example, a terminal device having a terminal identifier that matches a pre-registered terminal identifier) or a specific quarantine software installed It is conceivable that this is a terminal device. Note that the terminal status data indicating the status of the terminal device may be stored in the relay device in advance, or may be written in an unused field of the lease request message and transmitted to the terminal device.

  Upon receiving the lease request message transferred from the relay device, the DHCP server device selects an unused address from either the first or second communication address group according to the indicator attached to the lease request message. Then, a lease presentation message in which the unused address is written is returned. Thereafter, by performing communication similar to that in the conventional DHCP described above, assignment of the communication address to the terminal device is completed. Specifically, the lease presentation message is transferred by the relay device to the terminal device that is the transmission source of the lease request message, and the terminal device accepts the communication address assignment presented by the lease presentation message. Then, a lease selection message (for example, IP lease selection message) notifying that is returned. The lease selection message is transferred to the DHCP server device by the relay device, and when the DHCP server device receives the lease selection message, the communication address presented to the transmission source and the lease period option value indicating the lending period are obtained. Reply the written lease confirmation notification message. The lease confirmation notification message is transferred to the terminal device by the relay device, and the terminal device stores the communication address written in the message as assigned to the own device, and is written in the message. During the period indicated by the lease period option value, data communication can be performed using the communication address.

  As described above, in the communication system, since the determination as to whether or not to allow communication across segments for the terminal device that is the transmission source of the lease request message is performed by the relay device, the load is concentrated on the DHCP server device. Absent. In the communication system, the first and second communication address groups assigned to the terminal device can be collectively managed by the DHCP server device. In addition, in the communication system, the data indicating the conditions and the terminal state data may be stored in each relay device that performs the determination, and the data is sent to the DHCP server device for registration of the data. There is no need. And, as the above condition, if “being a pre-registered terminal device” is adopted, the aforementioned DHCP authentication can be realized, and if “specific quarantine software is installed” is adopted, The QAC described above can be realized.

  In a more preferred aspect, a terminal status table in which terminal status data indicating the status of the terminal device is written is provided in the relay device, and the lease request message transfer means includes terminal status data regarding the transmission source of the lease request message. If not stored in the terminal status table, the lease request message is forwarded with an indicator for instructing lending of the second communication address, while the corresponding terminal status data is If it is stored in the terminal state table, it is determined whether or not the condition is satisfied with reference to the terminal state data, and the received lease request message is assigned with an indicator according to the determination result. The lease confirmation notification message transfer means is caused to execute the transfer process, and the lease confirmation notification message transfer means transmits the lease period data to the shorter lease period. Possible to execute the process of transferring the lease acknowledgment message is rewritten to show a period out are considered.

  According to such a relay device, a terminal device whose terminal state data is not stored in the terminal state table (for example, a terminal device newly connected to a segment) is always assigned to the second communication address group. The communication address to which the terminal belongs is assigned, and the lease period is also set shorter than that for the terminal device whose terminal state data is stored in the terminal state table. In other words, for a terminal device in which terminal state data is not registered, execution of communication is tentatively permitted within a range that does not cross segments for a short period of time. In this way, for terminal devices whose terminal state data is not stored in the terminal state table, execution of communication across segments is not permitted, and restrictions such as a short period of time during which communication can be performed are imposed. It is possible to make the user of the terminal device feel inconvenience based on the restrictions of the terminal, and prompt registration of the terminal state.

  In a further preferred aspect, when the lease confirmation notification message transfer means of the relay device receives a lease confirmation notification message addressed to a terminal device whose terminal state data is not stored in the terminal state table, the lease confirmation notification A terminal that stores the communication address included in the notification message and then forwards it, instructs the destination to transmit terminal status data with the stored communication address as a destination, and sends a reply from the destination It is conceivable that the relay device is provided with terminal status collection means for writing status data in the terminal status table. According to such an aspect, the terminal state data is obtained from the terminal device triggered by the communication address assignment control for the terminal device whose terminal state data is not stored in the terminal state table. When assigning a communication address to a terminal device, it is possible to assign a type of communication address corresponding to the terminal state.

It is a block diagram which shows the structural example of the communication system 1 containing the relay apparatus which concerns on one Embodiment of this invention. 3 is a block diagram illustrating a configuration example of a relay device 30 included in the communication system 1. FIG. 3 is a diagram for explaining a primary network and a secondary network formed under the relay device 30. FIG. It is a figure which shows an example of the storage aspect of the communication address in the DHCP server apparatus 60 of the communication system 1. FIG. 7 is a flowchart showing a flow of lease request message transfer processing and lease confirmation notification message transfer processing executed by the control unit 310 of the relay device 30. It is a figure which shows the flow of the process which each apparatus contained in the communication system 1 performs, and the sequence of the communication message transmitted / received between apparatuses. It is a figure for demonstrating DHCP. It is a figure which shows an example of the message structure of the communication message transmitted / received between a DHCP server apparatus and a terminal device.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(A: Configuration)
FIG. 1 is a diagram illustrating a configuration example of a communication system 1 including a relay device according to an embodiment of the present invention. The communication system 1 of FIG. 1 is an in-house information system laid in a company, for example. In this communication system 1, each of an intra-site LAN (Local Area Network) 10A, 10B, 10C laid at each base of the same company and a center side LAN 20 laid at the information processing center of the same company is connected to a relay device 30A. , 30B, 30C and 30D are connected to a wide area network 40 such as the Internet. That is, in the communication system 1 shown in FIG. 1, each of the local LANs 10A, 10B, 10C and the center LAN 20 is a segment constituting the system. Hereinafter, the segment formed by the in-site LAN 10A is referred to as “segment A”, the segment formed by the in-site LAN 10B is referred to as “segment B”, and the segment formed by the in-site LAN 10C is referred to as “segment C”. In the following, when it is not necessary to distinguish each of the three local LANs, they are referred to as “local LAN 10”, and when it is not necessary to distinguish each of the four relay apparatuses, “relay apparatus” 30 ”.

  A terminal device (for example, a personal computer or the like) used by an employee or the like who works at a base where the local LAN is laid is connected to the local LAN 10. For example, in the example shown in FIG. 1, the terminal device 50A is connected to the local LAN 10A, the terminal device 50B is connected to the local LAN 10B, and the terminal device 50C is connected to the local LAN 10C. Hereinafter, when it is not necessary to distinguish each of these three terminal devices, they are referred to as “terminal device 50”. Although FIG. 1 illustrates the case where one terminal device 50 is connected to each local LAN 10, a plurality of terminal devices 50 may naturally be connected to each local LAN 10.

  The terminal device 50 follows a predetermined communication protocol (TCP / IP in the present embodiment) with other devices (for example, another terminal device 50 or a WWW server device connected to the wide area network 40). This is for performing data communication and providing a user with an e-mail transmission / reception service, a Web page browsing service, and the like. In order to perform such data communication, a communication address (IP address) needs to be assigned to the terminal device 50, and this communication address is assigned by the DHCP server device 60 connected to the center LAN 20. . The relay device 30 in FIG. 1 is, for example, a router, and an IP packet (or from the wide area network 40 to a subordinate segment) transmitted from the connected segment (hereinafter referred to as a subordinate segment) to the wide area network 40. (IP packets to be transmitted) are relayed. The relay device 30 also functions as the above-described DHCP relay agent, and a communication message (such as the above-described IP lease request message) transmitted and received between the terminal device 50 and the DHCP server device 60 at the time of communication address assignment. Also relay.

In addition, the relay device 30 in FIG. 1 is configured to realize access destination restriction similar to DHCP authentication (see Non-Patent Document 2) and QAC (see Non-Patent Document 3). There are features of form. In this embodiment, the communication addresses assigned to each of the terminal devices 50 are classified into two types, “primary addresses” and “secondary addresses”. The primary address is a communication address assigned to a terminal device that is permitted to execute communication across segments (for example, communication with a WWW server device connected to the wide area network 40), and the second address is permitted to execute the communication. This is a communication address assigned to the terminal device 50 not to be used. The relay device 30 in FIG. 1 determines whether or not execution of communication across segments is permitted for the transmission source when receiving the IP lease request message. Specifically, the relay device 30 performs the above determination on the condition of the state of the terminal device that is the transmission source of the IP lease request message (in this embodiment, whether or not quarantine software is installed in the terminal device 50). The DHCP server device 60 is instructed to assign a communication address according to the determination result. When the IP packet transfer control described above is performed, the relay device 30 discards the IP packet when the source address of the IP packet transmitted from the subordinate local LAN 10 is a secondary address. As a result, access restriction is realized.
Hereinafter, the relay apparatus 30 that clearly shows the features of the present embodiment will be mainly described.

FIG. 2 is a block diagram illustrating a configuration example of the relay device 30.
As shown in FIG. 2, the relay device 30 includes a control unit 310, a first communication interface (hereinafter “I / F”) unit 330, a second communication I / F unit 340, a storage unit 350, and the components. A bus 360 that mediates the exchange of data is included.

  The control unit 310 is a CPU (Central Processing Unit). The control unit 310 functions as a control center of the relay device 30 by executing the communication control program 354d stored in the storage unit 350 (more precisely, the nonvolatile storage unit 354). The contents of processing executed by the control unit 310 according to the communication control program 354d will be clarified later.

  The first communication I / F unit 330 is a NIC (Network Interface Card), and is connected to the wide area network 40 of FIG. The first communication I / F unit 330 receives data transmitted from the wide area network 40 and delivers the data to the control unit 310, while sending the data delivered from the control unit 310 to the wide area network 40. Similarly to the first communication I / F unit 330, the second communication I / F unit 340 is a NIC, and is connected to a communication network different from the wide area network 40. More specifically, the second communication I / F unit 340 of the relay device 30A is connected to the local LAN 10A, the second communication I / F unit 340 of the relay device 30B is connected to the local LAN 10B, and the second communication I of the relay device 30C. The / F unit 340 is connected to the local LAN 10C, and the second communication I / F unit 340 of the relay device 30D is connected to the center LAN 20 respectively. The second communication I / F unit 340 delivers the data received from each connection destination communication network to the control unit 310, and sends the data delivered from the control unit 310 to each connection destination communication network.

  As shown in FIG. 2, the storage unit 350 includes a volatile storage unit 352 and a nonvolatile storage unit 354. The volatile storage unit 352 is, for example, a RAM (Random Access Memory), and is used by the control unit 310 as a work area when executing various programs. On the other hand, the nonvolatile storage unit 354 is a hard disk or a flash memory. The nonvolatile storage unit 354 stores various data and programs for causing the control unit 310 to execute processing that significantly shows the characteristics of the relay device 30.

  Examples of data stored in the nonvolatile storage unit 354 include a network identifier 354a, a condition table 354b, and a terminal state table 354c shown in FIG. In the nonvolatile storage unit 354, in addition to the network identifier 354a, the condition table 354b, and the terminal state table 354c, data (so-called routing table: not shown) used for IP packet transfer control and the communication address of the DHCP server device 60 are also stored. Although stored, these data (data not shown in FIG. 2) are not different from those stored in the existing routers or DHCP relay agents, and the description thereof will be omitted.

  The network identifier 354a is an identifier for uniquely identifying a logical network formed by a terminal device connected to a segment under the relay device 30. As described above, a plurality of terminal devices can be connected to the in-base LAN 10, but the communication address assigned to each terminal device is either a primary address or a secondary address. Therefore, each of the plurality of terminal devices is classified into one assigned a primary address and one assigned a secondary address, and a “primary network” is formed by the former group, and the latter group A “secondary network” is formed (see FIG. 3). The primary network and the secondary network are the logical networks. The nonvolatile storage unit 354 stores two types of network identifiers 354a that uniquely indicate the primary network and that uniquely indicate the secondary network. In the present embodiment, a so-called network address is used as the network identifier 354a. Here, the network address corresponds to a portion masked by the subnet mask in the communication address of the terminal device 50 belonging to the logical network identified by the network address.

  For example, as shown in FIG. 4, as a group of communication addresses assigned to those belonging to the primary network among terminal devices connected to the local area LAN 10A (that is, terminal devices belonging to the segment A), “192.168.1.1 ˜192.168.1.50 ”is registered in the DHCP server device 60. Similarly, it is assumed that “192.168.2.1 to 192.168.2.50” is registered in the DHCP server device 60 as a communication address group assigned to those belonging to the secondary network. In this case, if the subnet mask is “255.255.255.0”, “192.168.1.0” is stored in the nonvolatile storage unit 354 of the relay device 30A as the network identifier 354a indicating the primary network. “192.168.2.0” is stored in the nonvolatile storage unit 354 as the network identifier 354a indicating the secondary network. Although details will be described later, these network identifiers are used when instructing the DHCP server device 60 which of the primary address and the secondary address is allocated (rented) to the terminal device 50.

  The condition table 354b stores data (hereinafter referred to as condition data) indicating conditions to be included in a terminal device that permits execution of communication across segments. Examples of condition data stored in the condition table 354b include a list of terminal identifiers of terminal devices that are permitted to execute communication across segments, and types of quarantine software to be installed in the terminal devices (product names, Version), data indicating a pattern file referred to when the quarantine software is executed (data indicating the name and version of the pattern file), and the like. On the other hand, in the terminal status table 354c, the status of the terminal device that has been assigned the communication address by the DHCP server device 60 via the relay device 30 (whether or not the terminal identifier and the quarantine software are installed, and the quarantine software is installed) If there is, terminal state data indicating the type and pattern file type is stored.

Next, the program stored in the nonvolatile storage unit 354 will be described.
An example of a program stored in the nonvolatile storage unit 354 is a communication control program 354d shown in FIG. As an example of processing executed by the control unit 310 in accordance with the communication control program 354d, there are lease request message transfer processing shown in FIG. 5A and lease confirmation notification message transfer processing shown in FIG. 5B. The lease request message transfer process shown in FIG. 5A is a process executed when an IP lease request message broadcast from the terminal device 50 is transferred to the DHCP server device 60. On the other hand, the lease confirmation notification message transfer process shown in FIG. 5B is a process executed when an IP lease confirmation notification message transmitted from the DHCP server device 60 is transmitted to the transmission source of the IP lease request message. It is. Details of these processes will be clarified in an operation example in order to avoid duplication. Note that the processing executed by the control unit 310 when transferring the IP lease presentation message and the IP lease selection message is the same as the processing executed by the well-known DHCP relay agent, and thus the description thereof is omitted. As described above, the configuration of the relay device 30 according to the present embodiment is the same as that of a general computer device, and the address assignment control processing that clearly shows the features of the present embodiment is realized by software.
The above is the configuration of the relay device 30.

(B: Operation)
Hereinafter, the operation of this embodiment will be described by taking as an example the case where the terminal device 50A is first connected to the local LAN 10A. Since the terminal device 50A is connected to the local LAN 10A for the first time, the terminal state data for the terminal device 50A is not stored in the terminal state table 354c of the relay device 30A at the start of the operation described below. .

  When a user of the terminal device 50A connects the terminal device 50A to the local LAN 10A using a LAN cable or the like and turns on the power (not shown), the control unit (not shown) of the terminal device 50A sends an IP lease request message. Is broadcast to the local LAN 10A (see FIG. 6). In this way, the IP lease request message broadcast in the local LAN 10A is processed by the server device if there is a DHCP server device in the local LAN 10A, or by the DHCP relay agent if there is no such server device. In the present embodiment, since the relay device 30A serving as a DHCP relay agent is connected to the local LAN 10A, the IP lease request message is received by the relay device 30A and processed. That is, the control unit 310 of the relay device 30A executes a lease request message transfer process (see FIG. 5A) upon receiving the IP lease request message (FIG. 6: Step SA01).

  FIG. 5A is a flowchart showing a flow of lease request message transfer processing executed by control unit 310 in accordance with communication control program 354d. As shown in FIG. 5A, the control unit 310 first determines whether or not terminal state data for the transmission source of the IP lease request message is stored in the terminal state table 354c (step SA100). Specifically, the control unit 310 reads the source MAC address written in the header part of the frame used for transmitting the IP lease request message, and the terminal state data including the terminal identifier that matches the MAC address is read. It is determined whether it is stored in the terminal state table 354c. That is, if terminal state data including the corresponding terminal identifier is stored in the terminal state table 354c, the determination result in step SA100 is “Yes”. If the corresponding terminal state data is not stored, the determination in step SA100 is performed. The result is “No”.

  Since the terminal state data for the terminal device 50A is not stored in the terminal state table 354c at the start of this operation example, the determination result in step SA100 is “No”. When the determination result of step SA100 is “No”, as shown in FIG. 5A, the control unit 310 executes the process of step SA130. In step SA130, the control unit 310 converts the IP lease request message broadcast from the terminal device 50A into a unicast message addressed to the DHCP server device 60, and a predetermined field (in this embodiment) of the converted IP lease request message. , Giaddr field: refer to FIG. 8), the network identifier 354 a stored in the storage unit 350 of the relay device 30 </ b> A is written in the secondary network and transferred to the DHCP server device 60.

  The IP lease request message transferred from the relay device 30A is appropriately routed by the relay device in the wide area network 40 and reaches the DHCP server device 60. When the control unit (not shown) of the DHCP server device 60 receives the IP lease request message, it reads the network identifier written in the predetermined field and assigns the communication address assigned to the terminal device belonging to the logical network indicated by the network identifier. Pay out unused addresses from the group. In this operation example, since the network identifier of the secondary network in segment A is written in the predetermined field, it is unused within the range of “192.168.2.1 to 192.168.2.50”. One address is paid out. Next, the control unit of the DHCP server device 60 generates an IP lease presentation message in which the communication address is written, and returns it to the transmission source of the IP lease request message.

  The IP lease presentation message is transferred by relay device 30A to terminal device 50A that is the source of the IP lease request message, and the control unit of terminal device 50A accepts the assignment of the communication address presented by the IP lease presentation message. Returns an IP lease selection message. This IP lease selection message is transferred to the DHCP server device 60 by the relay device 30A. When the DHCP server device 60 receives the IP lease selection message, the lease period indicating the communication address presented to the transmission source and the lending period thereof A lease confirmation notification message in which the option value T is written is returned. Upon receiving the IP lease confirmation notification message via the first communication I / F unit 330, the control unit 310 of the relay device 30A executes a lease confirmation notification message transfer process as shown in FIG. 6 (FIG. 6: Step SB01).

  FIG. 5B is a flowchart showing the flow of the lease confirmation notification message transfer process. As shown in FIG. 5B, in this lease confirmation notification message transfer process, the control unit 310 first stores the terminal state data for the terminal device to which the received IP lease confirmation notification message is transferred into the terminal state table 354c. Is stored (step SB100). The details of the process executed by the control unit 310 in step SB100 are the same as the process in step SA100 described above, and thus the description thereof is omitted. If the determination result in step SB100 is “Yes”, control unit 310 transfers the IP lease confirmation notification message to the destination terminal device as it is (step SB120), and conversely, the determination result in step SB100 is If “No”, the lease period option value T written in the IP lease confirmation notification message is rewritten to a value T ′ indicating a shorter lending period (step SB110), and then the process of step SB120 is executed. The reason why the lease period is shortened for the terminal device whose terminal state data is not stored in the terminal state table 354c will be clarified later.

  In this operation example, the transfer destination of the IP lease confirmation notification message is the terminal device 50A, and the terminal state data for the terminal device 50A is not stored in the terminal state table 354c, so the determination result of step SB100 Becomes “No”, and the process of step SB110 is executed. In this operation example, whether or not to shorten the lease period is determined based on whether or not the terminal state data is stored in the terminal state table 354c. However, when the IP lease confirmation notification message is transferred to the terminal device to which the network identifier of the secondary network is assigned in the lease request message transfer process, the lease period can be managed more reliably. As a condition, the lease period option value T may be rewritten to a value indicating a shorter lease period.

  When the control unit (not shown) of the terminal device 50A receives the IP lease confirmation notification message transferred from the relay device 30A, the control unit reads the communication address written in the predetermined field of the IP lease confirmation notification message, Is stored as a communication address assigned to. Thereafter, the terminal device 50A can perform data communication conforming to TCP / IP using the communication address until the lease period indicated by the lease period option value T ′ written in the message elapses. On the other hand, the control unit 310 of the relay device 30 conforms to the terminal device 50A and TCP / IP after relaying the IP lease confirmation notification message until the lease period indicated by the lease period option value T ′ elapses. The terminal state collection process (FIG. 6: step SC01) which acquires the data which shows the terminal state and writes it in the terminal state table 354c is performed. Specifically, control unit 310 requests terminal device 50A to transmit data indicating the type of installed quarantine software and the type of pattern file, and is transmitted from terminal device 50A in response to this request. The incoming data and the terminal identifier of the terminal device 50A (in this embodiment, the transmission source MAC address written in the header part of the frame used for transmission of the data) are associated and written to the terminal state table 354c. It is.

  Now, after the lease period indicated by the lease period option value T ′ elapses, the terminal device 50A cannot perform communication using the communication address. Here, the reason why the lease period is made shorter than usual is that the communication address assigned to the terminal device 50A in the above process is a provisional address that is not based on the terminal status, and the terminal status collection process is executed. This is because it is enough to secure the time required. When the elapse of the lease period is detected, the terminal device 50A broadcasts an IP lease request message again to receive a new communication address assignment. In the relay device 30A that has received the broadcast IP lease request message in this way, lease request message transfer processing is executed again (FIG. 6: step SA02). As shown in FIG. 6, at the time of execution of the lease request message transfer process executed in step SA02, the terminal status collection process in step SC01 has been executed, and the terminal status data for the terminal device 50A is stored in the terminal status table. 354c. For this reason, in the lease request message transfer process executed in step SA02, the determination result in step SA100 is “Yes” (see FIG. 5A).

  As shown in FIG. 5A, when the determination result in step SA100 is Yes, the control unit 310 transmits the terminal status of the transmission source of the IP lease request message in the condition data stored in the condition table 354b. It is determined whether or not the conditions shown are satisfied (step SA110). If the determination result in step SA110 is Yes, the control unit 310 writes the network identifier 354a of the primary network in the predetermined field of the IP lease request message and transfers it to the DHCP server device 60 (step SA120). Conversely, if the determination result in step SA110 is “No”, the processing in step SA130 described above is executed. In the DHCP server device 60 that has received the IP lease request message, either the primary address or the secondary address is selected according to the network identifier written in the predetermined field of the IP lease request message. The network identifier set in a predetermined field of the request message plays a role of an indicator for instructing whether to lend a primary address or a secondary address to the DHCP server device 60.

  The IP lease request message transferred from the relay device 30A as described above is also appropriately routed by the relay device in the wide area network 40 and reaches the DHCP server device 60. When the control unit (not shown) of the DHCP server device 60 receives the IP lease request message, it reads the network identifier written in the predetermined field and assigns the communication address assigned to the terminal device belonging to the logical network indicated by the network identifier. Pay out unused addresses from the group. Then, the control unit of the DHCP server device 60 returns an IP lease presentation message in which the communication address is written. This IP lease presentation message is transferred to the terminal device 50A by the relay device 30A. When the terminal device 50A receives the IP lease presentation message, it returns an IP lease selection message. This IP lease selection message is transferred to the DHCP server device 60 by the relay device 30A. When the DHCP server device 60 receives the IP lease selection message, the lease period indicating the communication address presented to the transmission source and the lending period thereof A lease confirmation notification message in which the option value T is written is returned.

  Upon receiving the IP lease confirmation notification message, control unit 310 of relay device 30A executes a lease confirmation notification message transfer process (FIG. 6: Step SB02). At the time of execution of step SB02, since the terminal state data for the terminal device 50A is stored in the terminal state table 354c by the process of step SC01 described above, step SB100 of the lease confirmation notification message transfer process executed in step SB02. The determination result is “Yes”. As shown in FIG. 5B, when the determination result in step SB100 is Yes, the control unit 310 performs the IP lease confirmation without performing the processing in step SB110 described above (rewriting the lease period option value T). The notification message is transferred to the destination (step SB120). As described above, when the determination result in step SB100 is Yes, the IP lease confirmation notification message is transferred without rewriting the lease period option value T, which is included in the IP lease confirmation notification message. This is because the communication address is assigned according to whether the terminal state of the terminal device receiving the assignment satisfies a predetermined condition or not, and it is not necessary to limit the lease period to be short.

  Thereafter, when the terminal device 50A receives the IP lease confirmation notification message transferred from the relay device 30A, the terminal device 50A reads the communication address written in a predetermined field of the IP lease confirmation notification message and performs communication assigned to the own device. Data communication can be performed until the period indicated by the lease period option value T stored in the address and written in the message elapses. For example, if the terminal state of the terminal device 50A satisfies the condition indicated by the above condition data, the DHCP server device 60 assigns a primary address to the terminal device 50A, and the terminal device 50A has data that spans segments. Communication can be performed. On the contrary, if the terminal state of the terminal device 50A does not satisfy the condition indicated by the condition data, the DHCP server device 60 assigns a secondary address to the terminal device 50A, and the terminal device 50A Data communication can be executed only within a range that does not straddle (for example, only with a terminal device that is connected to the local LAN 10A and is assigned a secondary address). .

  As described above, in the present embodiment, the relay device 30 determines whether to assign a primary address or a secondary address to the terminal device 50 under the relay device 30. For this reason, compared with the mode in which the determination is performed by the DHCP server device 60, the processing load required to execute the determination is distributed to each relay device 30, and an excessive load is avoided on the DHCP server device 60. . In the present embodiment, the DHCP server device 60 can collectively manage the communication address group assigned to each terminal device, while the condition data indicating the primary address assignment condition and the terminal status data are determined as described above. It is sufficient to store the data in the relay device 30 (that is, work is performed at each site), and it is not necessary to go to the information processing center in which the DHCP server device 60 is installed to register these data.

(C: deformation)
While the embodiment of the present invention has been described above, it is needless to say that this embodiment may be modified as follows.
(1) In the above-described embodiment, the present invention is applied to a relay apparatus that is connected to two different communication networks and performs IP packet transfer control. However, a relay apparatus (specifically, a relay apparatus that functions only as a DHCP agent) that executes the lease request message transfer process shown in FIG. 5A and the lease confirmation notification message transfer process shown in FIG. You may make it provide in each local LAN 10 separately from the relay apparatus which performs packet transfer control.

(2) In the above-described embodiment, the following three conditions have been defined as primary address assignment conditions (that is, conditions for permitting communication across segments). That is, firstly, the terminal identifier is pre-registered (condition 1), secondly, a predetermined type of quarantine software is installed (condition 2), and thirdly, the quarantine A predetermined type of data (pattern file) to be referred to when executing the software is installed (condition 3). However, only one or two of these three conditions may be imposed. For example, in the aspect in which only the condition 1 is imposed, since either a primary address or a secondary address is assigned depending on whether or not the terminal device is registered in advance, the above-described DHCP authentication (non-patent document) 2), and if the condition 2 (or conditions 2 and 3) is imposed, the same effect as the above-mentioned QAC (Non-patent Document 3) can be obtained. .

  Of course, other conditions different from the three conditions 1 to 3 described above may be imposed as the primary address assignment conditions. Specifically, a condition that a specific type of software (for example, file exchange software represented by Winny or the like) is not installed is imposed. If this type of file exchange software is installed, various data stored in the terminal device 50 may be leaked by the file exchange software without the user's knowledge. This is because confidential information such as the above may be a cause of confidential leakage.

(3) In the above-described embodiment, the secondary address is always assigned to the terminal device 50 that first receives the communication address assignment by the DHCP server device 60 via the relay device 30, and the terminal is within the lease period. The control unit 310 of the relay device 30 is caused to execute processing for communicating with the device 50 and acquiring terminal state data. However, when transmitting the IP lease request message, the terminal device 50 is caused to execute processing for writing and transmitting terminal state data in the unused field, and refer to the terminal state data written in the unused field. The controller 310 may be configured to determine whether or not the condition indicated by the condition data is satisfied, assign a network identifier according to the determination result, and transfer the IP lease request message. According to such an aspect, even the terminal device 50 that first receives the communication address assignment by the DHCP server device 60 via the relay device 30 can be assigned a communication address according to the terminal state. Therefore, it is not necessary for the relay device 30 to execute the process of step SC01 in FIG. Further, even if the secondary address is provisionally assigned to the terminal device 50 that receives the communication address assignment by the DHCP server device 60 for the first time via the relay device 30, the process of step SC01 in FIG. is not. For example, instead of the process of step SC01, the control unit 310 of the relay device 30 executes a process of transmitting a notification for prompting the registration of the terminal state, and the terminal state registration is separately performed based on the self-report of the user or the like. You may do it.

  Further, the terminal status data acquired from the terminal device may have a valid period, and the terminal status data may be periodically acquired repeatedly so that the latest terminal status can be constantly monitored and the safety can be confirmed.

(4) In the above-described embodiment, the communication control program 354d that causes the CPU to execute the lease request message transfer process and the lease confirmation notification message transfer process that clearly show the features of the present invention is stored in the nonvolatile storage unit 354 of the relay device 30 in advance. Was stored. However, the communication control program may be written and distributed on a computer-readable recording medium such as a CD-ROM, or the communication control program may be distributed by downloading via an electric communication line such as the Internet. By installing the communication control program distributed in this way on a general computer and operating the computer according to the communication control program, it is possible to give the same function as the relay device 30 to the computer. Become.

  DESCRIPTION OF SYMBOLS 1 ... Communication system, 10A, 10B, 10C ... Local LAN, 20 ... Center side LAN, 30A, 30B, 30C, 30D ... Relay device, 40 ... Wide area network, 50A, 50B, 50C ... Terminal device, 60 ... DHCP server Device: 310: Control unit, 330: First communication I / F unit, 340: Second communication I / F unit, 350: Storage unit, 352: Volatile storage unit, 354: Non-volatile storage unit, 354a: Network identifier 354b ... Condition table, 354c ... Terminal status table, 354d ... Communication control program, 360 ... Bus.

Claims (4)

From the terminal device, a first communication address group assigned to a terminal device that is permitted to execute communication across segments and a second communication address group assigned to a terminal device that is not allowed to execute communication across segments are stored from the terminal device. DHCP (Dynamic Host) that lends any communication address in response to a request from
Configuration Protocol) In a relay device that relays communication between a server device and a terminal device belonging to a subordinate segment,
A condition table in which condition data indicating conditions for the terminal device to receive assignment of communication addresses belonging to the first communication address group is written;
When it is determined that the condition of the terminal device satisfies the above condition, when the lease request message that is a communication message for requesting the lending of the communication address is received from the terminal device, and it is determined that the condition is satisfied Assigns an indicator to instruct the lending of communication addresses belonging to the first communication address group and transfers the lease request message to the DHCP server device. Lease request message transfer means for transferring an indicator indicating that the communication address belonging to the communication address group is lent and transferring the lease request message to the DHCP server device;
A lease confirmation notification message which is a communication message including a communication address lent to the transmission source of the lease request message and lease period data indicating the rent period is received from the DHCP server device, and the lease confirmation notification message is received as the IP lease request. A lease confirmation notification message transfer means for transferring to a message sender;
A relay apparatus comprising: A terminal state table in which terminal state data indicating the state of the terminal device is written;
The lease request message transfer means includes:
If the terminal status data for the transmission source of the lease request message is not stored in the terminal status table, the received lease request is provided with an indicator for instructing the lending of the second communication address. While transferring the message, if the corresponding terminal state data is stored in the terminal state table, the terminal state data is referred to determine whether or not the condition is satisfied, and according to the determination result Forwarding the received lease request message with an indicator,
The lease confirmation notification message transfer means includes:
The relay apparatus according to claim 1, wherein the lease confirmation notification message is transferred by rewriting the lease period data with a data indicating a shorter rental period. The lease confirmation notification message transfer means includes:
When receiving a lease confirmation notification message addressed to a terminal device for which terminal state data is not stored in the terminal state table, the communication address included in the lease confirmation notification message is stored and then transferred.
The terminal further includes terminal state collection means for instructing transmission of terminal state data to the destination, using the stored communication address as a destination, and writing terminal state data returned from the destination to the terminal state table. The relay device according to claim 2. A terminal that stores a first communication address group that assigns a computer to a terminal device that is permitted to execute communication across segments and a second communication address group that is assigned to a terminal device that is not permitted to execute communication across segments In response to a request from the device, a lease request message, which is a communication message for requesting a DHCP server device to lend a communication address to a DHCP server device, is received from a terminal device belonging to a segment under the computer. In response to this, it is determined whether or not the transmission terminal device is permitted to execute communication across segments, and if it is determined that communication is permitted, the first communication address group The lease request message is forwarded with an indicator to instruct the lending of the communication address belonging to When the transfer is made to the DHCP server apparatus and it is determined that the request is not permitted, an indicator indicating that the communication address belonging to the second communication address group is lent is given and the lease request message is sent to the DHCP server. Lease request message transfer means for transferring to the device;
A lease confirmation notification message which is a communication message including a communication address lent to the transmission source of the lease request message and lease period data indicating the rent period is received from the DHCP server device, and the lease confirmation notification message is received as the lease request message. Lease offer transfer means to transfer to the sender of
A program characterized by functioning as

Images