JP2011172201A - Address translation apparatus and method of managing address translation table - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress setup faults of TCP connection, UDP connection caused by the lack of empty entries in an address translation table, with respect to an address translation apparatus. <P>SOLUTION: The address translation apparatus includes: an address translation table wherein first and second addresses are made correspond to associated times associated with a CLOSED time of TCP connection; and an address management section for retrieving a release scheduled entry of which the CLOSED time is temporally preceding to the present time, and overwrites and registers the newly corresponding first and second addresses into the release scheduled entry. In addition, the address translation table of the address translation apparatus includes a UDP connection state determining section for holding a time associated with a session generation time for UDP connection and determining whether or not the UDP connection is set up. The address management section overwrites and registers a pair of addresses into the entry being in a UDP connection non-setup state and after the lapse of a predetermined time from session generation. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to communication address conversion.

  An address translation device that mutually translates a global IP (Internet Protocol) address and a private IP address is used in an Internet service provider (ISP). An address translation device used in ISP is called LSN (Large Scale NAT), has a large number of accommodated users, and has a large number of TCP (Transmission Control Protocol) connections (also called TCP connections or TCP sessions) for each user. Therefore, the number of TCP connections to be managed is very large (Patent Document 1 below).

  Also, UDP (User Datagram Protocol) connection (also referred to as UDP connection or UDP session) needs to be managed for each user as in TCP.

  In the address translation device, for each TCP connection, an entry recording information related to the TCP connection is registered in the address translation table. Each entry of the address translation table may include a parameter relating to the time at which connection information can be deleted from the memory in addition to the global IP address and private IP address as information relating to the TCP connection. Specifically, this parameter means a period (hereinafter referred to as “memory release waiting period”) from when the TCP connection is changed to the CLOSED state after the TCP connection enters the TIME_WAIT state when the TCP connection is blocked. .

  The same applies to the UDP connection. For each UDP connection, an entry in which information related to the UDP connection is recorded is registered in the address conversion table. Each entry of the address translation table may include a parameter relating to time at which connection information can be deleted from the memory in addition to the global IP address and private IP address as information relating to the UDP connection. Specifically, this parameter means a predetermined period from entry generation to deletion (hereinafter referred to as “UDP session period”).

  An aging counter can be used to count the memory release wait period. For example, when a certain TCP connection enters the TIME_WAIT state, a predetermined count value is registered as a memory release waiting period in the corresponding entry, and thereafter, when the aging counter value decreases to 0, the TCP connection related Information is deleted. The entry from which the information related to the TCP connection is deleted is used to register information related to the new TCP connection. The update of the aging counter value is realized by searching for an entry in which a memory release waiting period is registered in the address conversion table and counting down (decrementing) the memory release waiting period of each entry in order by one unit time. .

  The UDP session period is similarly counted by the aging counter. A predetermined count value is registered at the time of entry generation, and then information on the UDP connection is deleted when the aging counter value decreases to zero. The entry from which the information related to the UDP connection is deleted is used to register information related to the new UDP connection. The update of the aging counter value is realized by searching for an entry in which the UDP session period is registered in the address conversion table and decrementing the UDP session period of each entry by one unit time in order.

JP 2009-267522 A

  Since the number of entries registered in the LSN address translation table is very large, it takes a long time (for example, 200 seconds) to decrement the memory release waiting period of all entries by one unit time. Therefore, in each LSN entry, it takes a long time for the aging counter value to become 0 after entering the TIME_WAIT state. In general, the memory release waiting period is defined as a period twice as long as the TCP segment can exist in the Internet (maximum segment valid period: MSL), and a recommended value is 120 seconds. Therefore, the conventional LSN has a problem that the memory cannot be released because the aging counter value does not become 0 even when the memory release waiting period (for example, 120 seconds) has passed and the timing at which the memory can be released comes. It was. In this case, even if there is a request for a new TCP connection, there is a possibility that the connection cannot be established because there is no empty entry in the address translation table.

  Next, in a UDP connection at the LSN, the UDP session period may be determined on the order of up to several tens of hours. As a result, in some UDP communications, although the actual communications are stopped, the corresponding UDP session remains on the address translation device without being deleted for a long time until the aging timer becomes zero. Become.

  Further, in the LSN, the number of address translation table entries that can be held for each user is limited in order to maintain user fairness. In such a case, as described above, it is impossible to accept a new UDP connection because there is no space in the address conversion table even though the actual communication is completed by continuing to hold a long UDP session. The situation can occur significantly.

  This problem can occur not only in address conversion between a global IP address and a private IP address but also in address conversion between private IP addresses. Moreover, it may occur not only when an IP address is used, but also when an arbitrary address used for communication such as an address used in IPX (Internetwork Packet eXchange) is converted.

  An object of the present invention is to suppress a TCP connection and UDP connection establishment failure due to a lack of empty entries in an address translation table in an address translation device.

  SUMMARY An advantage of some aspects of the invention is to solve at least a part of the problems described above, and the invention can be implemented as the following forms or application examples.

  [Application Example 1] An address conversion apparatus having a plurality of entries, and each entry uses a first address, a second address, and a TCP using the first address and the second address. An address conversion table in which a related time that is related to a CLOSED time that is a time when the connection is in the CLOSED state is registered in association with each other, a time acquisition unit that acquires the current time, and the TCP connection is TIME_WAIT When a state is reached, an associated time determination unit that determines the associated time based on the acquired current time, and an address management unit, in an entry of the address conversion table corresponding to the TCP connection in the TIME_WAIT state, The determined related time is registered, and based on the address conversion request, the first address and the second address Based on the association time and the current time registered in the address conversion table, search for a release-scheduled entry in which the CLOSED time is earlier than the current time, and newly An address translation device comprising: an address management unit that overwrites and registers the associated first address and second address in one of the release-scheduled entries.

  In the address translation device according to the application example 1, when there is a new address translation request, the entry corresponding to the CLOSED time registered in the address translation table is temporally earlier than the current time (scheduled entry) is newly supported. Since the appended first address and second address are overwritten and registered, TCP connection establishment failure due to insufficient empty entries can be suppressed. For the TCP connection corresponding to the entry scheduled to be released, the period (memory release waiting period) defined as the period from when the TCP connection enters the TIME_WAIT state until it transitions to the CLOSED state has already expired or has just expired. To do. Therefore, no problem occurs even if the first address and the second address are overwritten and registered.

  Application Example 2 In the address translation device according to Application Example 1, when the address management unit newly associates the first address with the second address, whether or not there is an empty entry in the address translation table. If the empty entry exists, the first address and the second address newly associated with the empty entry are registered, and if there is no empty entry, the release entry An address translation apparatus for overwriting and registering the newly associated first address and second address in the oldest entry, which is the entry that is the earliest in time.

  With such a configuration, even if the time acquisition unit acquires a time earlier than the actual current time due to a failure of the time acquisition unit, etc., if there is an empty entry, it is newly associated with the empty entry. Since the first address and the second address are registered, it is possible to suppress erroneously overwriting and registering the first address and the second address in the entry corresponding to the TCP connection that has not reached the actual CLOSED time. . In addition, when there is an empty entry, the processing for searching for a release-scheduled entry whose CLOSED time is earlier than the current time can be omitted, so that the processing load can be reduced. Further, such a configuration can also be applied to a configuration in which the memory release waiting period is counted using an aging counter. That is, when TCP connections are established in such a number that there are empty entries, the aging counter is used to manage the period from the TIME_WAIT state to the CLOSED state, and for the TCP connection in the CLOSED state, the corresponding entry Can be changed (updated) to an empty entry. Therefore, in such a case, the period from the TIME_WAIT state to the CLOSED state can be realized by counting using an aging counter with a relatively light processing load. Therefore, the processing load of the entire address translation device can be reduced.

  [Application Example 3] The address translation device according to Application Example 2, further comprising a TCP release waiting table for registering an identifier of an entry in the address translation table corresponding to the TCP connection in the TIME_WAIT state, and the address management When the TCP connection is in a TIME_WAIT state, the unit registers an entry identifier that is an identifier of an entry corresponding to the TCP connection in the address conversion table so that a registration order is clear in the TCP release waiting table, If there is no empty entry, the oldest entry identifier which is the entry identifier registered earlier in time in the TCP release waiting table is acquired, and the entry in the address conversion table indicated by the oldest entry identifier is acquired. Registered functions Based on the time and the current time, it is determined whether or not the CLOSED time corresponding to the entry is temporally earlier than the current time, and when the temporal time is earlier than the current time Overwrites and registers the newly associated first address and second address in the entry, and if it is not earlier than the current time, the newly associated first address And an address translation device that does not register the second address in the address translation table.

  With such a configuration, entry identifiers are registered in the TCP release waiting table so that the registration order is clear, so it is possible to easily find the entry whose CLOSED time is the earliest in the address translation table. In addition, by determining whether or not the CLOSED time registered in the entry whose CLOSED time is the earliest in time is before the current time, the CLOSED registered in the other entries is determined. It can be determined whether or not the time is earlier in time than the current time. Therefore, in the address conversion table, it is possible to determine in a short time whether or not there is an entry whose CLOSED time is earlier than the current time.

  Application Example 4 In the address translation device according to Application Example 3, the TCP release waiting table is provided for each of a plurality of users, and the address management unit is based on an address translation request from any user. When the first address and the second address are newly associated with each other, when there is no empty entry, the oldest entry identifier in the TCP release waiting table for the user is acquired, and the oldest entry identifier Determining whether the CLOSED time corresponding to the entry is earlier in time than the current time based on the related time and the current time registered in the entry in the address conversion table shown. If the current time is earlier than the current time, the first address and the newly associated entry are associated with the entry. If the second address is overwritten and registered, and it is not earlier than the current time, the newly associated first address and second address are not registered in the address conversion table. Conversion device.

  With such a configuration, even when setting the same number of entries that can be registered for each user and ensuring fairness among the users, the TCP connection establishment failure due to the lack of empty entries is fair for each user. Can be suppressed.

  Application Example 5 In the address translation device according to any one of Application Examples 1 to 4, the first address is a global IP address, and the second address is a private IP address. .

  With this configuration, the address translation device can be arranged at the boundary between the global network and the local network and used to translate the global IP address and the private IP address.

  Application Example 6 A method for managing an address conversion table used in an address conversion device, wherein the address conversion table has a plurality of entries, and each entry includes at least a first address and a second address. (A) When a TCP connection using the first address and the second address enters the TIME_WAIT state, the current time is acquired, and the first address and the Determining a related time that is a time related to a CLOSED time, which is a time at which a TCP connection using the second address is in the CLOSED state; and (b) storing the determined related time in the address conversion table. A registered step for registering in the entry corresponding to the TCP connection; and (c) address translation. Based on the request, when the first address and the second address are newly associated with each other, the current time is acquired, and based on the related time and the current time registered in the address conversion table, A release scheduled entry whose CLOSED time is earlier than the current time is searched, and the newly associated first address and second address are overwritten on any of the scheduled release entries. A method of managing an address conversion table.

  In the address translation table management method according to Application Example 6, when there is a new address translation request, the first newly associated with the entry (scheduled entry) whose CLOSED time is earlier than the current time in time. Since the address and the second address are overwritten and registered, TCP connection establishment failure due to insufficient empty entries can be suppressed. For the TCP connection corresponding to the entry scheduled to be released, the period (memory release waiting period) defined as the period from when the TCP connection enters the TIME_WAIT state until it transitions to the CLOSED state has already expired or has just expired. To do. Therefore, no problem occurs even if the first address and the second address are overwritten and registered.

  Application Example 7 An address translation apparatus having a plurality of entries, and each entry uses a first address, a second address, and the UDP using the first address and the second address. An address conversion table in which a related time, which is a time related to generating a session for a connection, is registered in association with each other, a time acquisition unit that acquires a current time, and communication start with respect to the UDP connection One-way communication after one-way communication has been established, or one-way communication has occurred once, or one-way communication has been performed after one-way communication has been exchanged since the start of communication. A UDP connection state determination unit that determines whether or not a UDP connection has not been established, and an address management unit that includes a first address and a second address based on an address conversion request. And the UDP connection state determination unit determines that the UDP connection has not been established, and compares the related time with the current time to determine a predetermined time from the entries in the address conversion table. An address management unit that searches for a release schedule entry that is a past entry and overwrites and registers the newly associated first address and second address in one of the release schedule entries. Address translation device.

  In the address translation device of Application Example 7, when there is a new address translation request, it is determined from the address translation table that the UDP connection has not been established, and the related time is compared with the current time to determine a predetermined time Since the newly associated first address and second address are overwritten and registered in the release scheduled entry, which is an elapsed entry, it is possible to suppress a failure to establish a UDP connection due to insufficient free entries. Here, the UDP connection unestablished state means UDP communication in which bidirectional communication has never been established between communication hosts, or bidirectional communication has been completed only once. Therefore, it is possible to reuse an entry that does not cause a problem even if it is overwritten and registered, such as a communication that is completed and terminated by one-way communication (generally DNS, etc.).

  Application Example 8 In the address translation device according to Application Example 7, if the address management unit newly associates the first address with the second address, whether or not there is an empty entry in the address translation table. If the empty entry exists, the first address and the second address newly associated with the empty entry are registered, and if there is no empty entry, the release entry An address conversion device for overwriting and registering the first and second addresses newly associated with the oldest entry, which is the entry whose associated time is the earliest in time.

  With such a configuration, even if the time acquisition unit acquires a time earlier than the actual current time due to a failure of the time acquisition unit, etc., if there is an empty entry, it is newly associated with the empty entry. Since the first address and the second address are registered, the first address and the second address are erroneously overwritten on the entry corresponding to the UDP connection that has not passed the predetermined time since the UDP connection has not been established. Registration can be suppressed. In addition, when there is an empty entry, the process of searching for the entry to be released can be omitted, so that the processing load can be reduced. Further, such a configuration can also be applied to a configuration in which the memory release waiting period is counted using an aging counter. In other words, when the number of UDP connections to the extent that there is a free entry is established, the period until the session is released can be managed using the aging counter, and the corresponding entry can be changed (updated) to a free entry. . Therefore, in such a case, the period until the session is released can be realized by counting using an aging counter with a relatively light processing load. Therefore, the processing load of the entire address translation device can be reduced.

  [Application Example 9] In the address translation device according to Application Example 8, the address translation apparatus further includes a UDP release waiting table for registering an identifier of an entry in the address translation table corresponding to the UDP connection in the UDP connection unestablished state, When the UDP connection is in the UDP connection unestablished state, the address management unit registers an entry identifier that is an identifier of an entry corresponding to the UDP connection in the address conversion table in the DUP release waiting table. If there is no free entry, the oldest entry identifier, which is the entry identifier registered earlier in time in the UDP release waiting table, is acquired, and the oldest entry identifier is registered. Registered in the entry in the address conversion table indicated by The related time is compared with the current time to determine whether or not a predetermined time has elapsed, and when the predetermined time has elapsed, the first newly associated with the entry If the predetermined time has not elapsed, the newly associated first address and second address are not registered in the address conversion table. Address translation device.

  With such a configuration, entry identifiers are registered in the UDP release wait table so that the registration order is clear, so it is possible to easily find the entry with the session generation time that is the earliest in the address translation table. it can. In addition, the determination of other entries can be omitted by determining the entry whose session generation time is the earliest in time. Therefore, it is possible to determine in the address conversion table in a short time whether or not there is a release scheduled entry.

  Application Example 10 In the address translation device according to Application Example 9, the UDP release waiting table is provided for each of a plurality of users, and the address management unit is based on an address translation request from any user. When the first address and the second address are newly associated with each other, if there is no empty entry, the oldest entry identifier in the UDP release waiting table for the user is acquired, and the oldest entry identifier The related time registered in the entry in the address conversion table shown is compared with the current time to determine whether or not a predetermined time has elapsed, and when the predetermined time has elapsed The first address and the second address newly associated with the entry are overwritten and registered, and the predetermined time has not elapsed. , Said first address and a second address newly associated, not registered in the address translation table, the address translator.

  With such a configuration, even when setting the same number of entries that can be registered for each user and ensuring fairness among the users, the establishment of a UDP connection due to a shortage of empty entries is fair for each user. Can be suppressed.

  Application Example 11 In the address translation device according to any one of Application Examples 7 to 10, the first address is a global IP address and the second address is a private IP address. .

  With this configuration, the address translation device can be arranged at the boundary between the global network and the local network and used to translate the global IP address and the private IP address.

It is explanatory drawing which shows schematic structure of the network system to which the address translation apparatus of this invention is applied. It is explanatory drawing which shows an example of the setting content of the address conversion table shown in FIG. It is explanatory drawing which shows the state transition of TCP connection. It is explanatory drawing which shows an example of the setting content of the TCP release waiting table shown in FIG. It is a flowchart which shows the procedure of the entry update process of an address conversion table. FIG. 6 is an explanatory diagram illustrating an example of an address conversion table after an entry is updated in step S115 illustrated in FIG. 5. It is explanatory drawing which shows an example of the TCP release waiting table after the entry number is newly registered by step S120 shown in FIG. It is a flowchart which shows the procedure of the entry addition process of an address translation table. It is explanatory drawing which shows an example of the address conversion table after the entry is updated by step S235 shown in FIG. It is explanatory drawing which shows an example of the TCP release table updated by step S240 shown in FIG. It is explanatory drawing which shows schematic structure of the network system to which this address translation apparatus is applied. It is explanatory drawing which shows an example of the setting content of the address conversion table shown in FIG. It is explanatory drawing which shows the UDP communication state of UDP connection. It is explanatory drawing which shows an example of the setting content of the UDP release waiting table shown in FIG. It is a flowchart which shows the procedure of the entry addition process of the address translation table at the time of UDP communication start. FIG. 16 is an explanatory diagram illustrating an example of an address conversion table after an entry is overwritten and updated in step S350 illustrated in FIG. 15 and step S405 illustrated in FIG. 18; FIG. 16 is an explanatory diagram showing an example of a UDP release wait table after the entry identifier is re-registered in step S355 shown in FIG. It is a flowchart which shows the procedure of the entry update process of the address translation table at the time of UDP communication establishment state transition. It is explanatory drawing which shows an example of the UDP release waiting table after an entry identifier is deleted by step S410 shown in FIG.

A. Example:
A1. System configuration (first embodiment: TCP):
FIG. 1 is an explanatory diagram showing a schematic configuration of a network system to which the address translation device according to the first embodiment of the present invention is applied. The network system 1000 includes a local network N1, a global network N2, a plurality of terminals 21, a server 30, and an address translation device 10.

  The network system 1000 is a system in which each terminal 21 and the server 30 communicate with each other via a local network N1 and a global network N2. In such communication, a global IP (Internet Protocol) address and a private IP address (both local IP addresses) are used. Are converted into each other. In the network system 1000, IP is used as a network layer protocol in the OSI reference model, and TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), or the like is used as a transport layer protocol.

  The local network N1 is a so-called local area network (LAN) constructed by switches and routers (not shown). As the local network N1, for example, a network constructed by ISP (Internet Service Provider) can be adopted. In the local network N1, a private IP address is assigned to each device (each terminal 21 and a switch or router (not shown)). A private IP address is also assigned to a connection point of the address translation device 10 with the local network N1.

  The global network N2 is a network constructed by a switch, router, telecommunications carrier network, etc. (not shown), and a global IP is assigned to each device. As the global network N2, for example, the Internet can be employed.

  Each terminal 21 is connected to the local network N1 and configured to execute at least TCP / IP communication. As the terminal 21, for example, a personal computer, a mobile phone, a portable terminal (PDA), or the like can be adopted.

  The server 30 is connected to the global network N2, and transmits data in response to a request from the terminal 21. As the server 30, for example, a WWW (World Wide Web) server, an FTP (File Transfer Protocol) server, a mail server, or the like can be employed.

  The address translation device 10 is connected to the local network N1 and the global network N2, respectively, and a plurality of global IP addresses are pooled in advance. The address translation apparatus 10 has a so-called NAPT (Network Address and Port Translation) function, and translates a global IP address and a private IP address and converts a port number.

  The address translation device 10 includes an address translation unit 100, a first packet interface unit 200, a second packet interface unit 300, a time management unit 400, an address translation table 500, and a plurality of TCP release wait tables 600. ing.

  The address translation unit 100 is connected to the first packet interface unit 200, the second packet interface unit 300, the time management unit 400, the address translation table 500, and each TCP release waiting table 600, respectively. The address conversion unit 100 converts the IP address and the port number and manages the tables 500 and 600. The address conversion unit 100 converts the source IP address (private IP address) described in the header of the IP packet received from the first packet interface unit 200 into a global IP address and converts the port number. In the example of FIG. 1, for the IP packet received from the first packet interface unit 200, the source IP address is converted from L1 to G10, and the port number is converted from P1 to P10. The address conversion unit 100 converts the destination IP address (global IP address) described in the header of the IP packet received from the second packet interface unit 300 into a private IP address and converts the port number. In the example of FIG. 1, for the IP packet received from the second packet interface unit 300, the destination IP address is converted from G10 to L1, and the port number is converted from P10 to P1. In this embodiment, description will be made using typical values as the IP address and port number. However, an IPv4 address is used as the IP address, and a port number is within a specified range (0 to 1023: well-known port, 1024 ~ 65535) can be used in practice.

  The first packet interface unit 200 is connected to the local network N1 and the address translation unit 100, respectively, and transfers the IP packet received from the local network N1 to the address translation unit 100. The second packet interface unit 300 is connected to the global network N2 and the address translation unit 100, respectively, and transfers the IP packet received from the global network N2 to the address translation unit 100.

  The time management unit 400 includes an internal clock (not shown), calculates the current time, and supplies it to the address conversion unit 100. The current time can also be determined based on a time supplied from an NTP (Network Time Protocol) server (not shown) via the local network N1 or the global network N2.

  FIG. 2 is an explanatory diagram showing an example of setting contents of the address conversion table shown in FIG. The address conversion table 500 records connection information for each connection (TCP connection, session using UDP, etc.) in association with each other. In FIG. 2, information related to connections is already recorded in the address conversion table 500 for a plurality of connections.

  The address conversion table 500 includes fields of entry number, valid flag, address conversion information, connection type, connection state, aging counter value, and CLOSED time, and the value of each field (information related to connection) is recorded in each entry. Is done.

  In the entry number field, the identification number of each entry in the address conversion table is recorded. Note that an address of a memory (not shown) in which the address conversion table 500 is stored can be used as the identification number of each entry.

  In the valid flag field, either “valid” or “invalid” is recorded. “Valid” in the valid flag field means that a valid value is recorded as information related to the connection in the corresponding entry, and the entry is not a free entry (an entry in which information related to the connection can be newly recorded). Means. “Invalid” in the valid flag field means that a valid value is not recorded as connection-related information in the entry, and indicates that the entry is an empty entry. In the example of FIG. 2, in an entry where the valid flag field is “invalid”, “−” indicating an invalid value is recorded in the other fields except the valid flag field.

  The address translation information field has a global field and a local field. The global field has a global IP address field and a global port port number field. A global IP address is recorded in the global IP address field. In the global port number field, a port number used in communication between the server 30 and the address translation device 10 is recorded. The local field has a private IP address field and a private port number field. A private IP address is recorded in the private IP address field. In the private port number field, a port number used in communication between each terminal 21 and the address translation device 10 is recorded.

  In the connection type field, the type of connection (TCP connection, session using UDP, session using ICMP, etc.) is recorded.

  In the connection state field, a value indicating the state of each connection is recorded. In the example of FIG. 2, “TIME_WAIT” is recorded as the connection state in the entry (entry number E1, E2, E102, E200) whose connection type is “TCP”. In addition, “established” is recorded as the connection state in the entry (entry number E100, E201) whose connection type is “TCP”. Further, “established” is recorded as the connection state in the entry (entry number E101) whose connection type is “UDP”.

  FIG. 3 is an explanatory diagram showing state transition of the TCP connection. The state of the TCP connection is any one of a CLOSED state ST0, a TCP connection establishment processing state ST1, a TCP connection establishment state ST2, a TCP connection blocking processing state ST3, and a TIME_WAIT state ST4.

  The CLOSED state ST0 means a state in which no TCP connection has been established and information related to the TCP connection has been deleted from the address translation table 500. The TCP connection establishment processing state ST1 means a state in which a so-called three-way handshake is performed between the terminal 21 and the server 30 prior to establishing a TCP connection. The TCP connection establishment state ST2 means a state in which a TCP connection is established. In the TCP connection establishment state ST2, information on the established TCP connection is recorded in the address conversion table 500.

  The TCP connection blocking process state ST3 means a state in which a predetermined process for blocking a TCP connection is being performed. Specifically, this means a state in which a packet with a FIN flag set in the TCP header and an ACK packet are exchanged between the terminal 21 and the server 30.

  The TIME_WAIT state ST4 is a state in which the TCP connection is blocked. However, in the TIME_WAIT state ST4, the information regarding the TCP connection has not yet been deleted from each entry of the address conversion table 500. In general, the period of the TIME_WAIT state ST4 (the period from the TIME_WAIT state ST4 to the CLOSED state ST0: hereinafter referred to as “memory release waiting period”) is generally the maximum period during which the TCP segment can exist in the Internet (maximum It is specified as a period twice as long as the segment valid period (MSL), and a recommended value is 120 seconds. As described above, the memory release waiting period is provided for waiting for only a period during which the TCP segment may arrive with delay, and is sufficient to determine that there is no problem even if the entry in the address translation table 500 is invalidated. The purpose is to wait for a long period. The TCP connection state transitions again to the above-mentioned CLOSED state ST0 after the memory release waiting period has elapsed after entering the TIME_WAIT state ST4.

  The value of the connection state field shown in FIG. 2 is “TIME_WAIT” indicates that the TCP connection corresponding to the entry is the above-described TIME_WAIT state ST4. In addition, in an entry whose connection type is “TCP”, the value of the connection state field “established” indicates that the TCP connection corresponding to the entry is the above-described TCP connection establishment state ST2. In an entry whose connection type is “UDP”, the value of the connection state field being “established” indicates that a session using the UDP corresponding to the entry is established.

  In the aging counter value field shown in FIG. 2, a value indicating the remaining period of the period requiring management in each connection is recorded. Specifically, the remaining period of the above-mentioned memory release waiting period is recorded as the number of times of counting down (decrementing) for the TCP connection, and the remaining period of the session for the session using UDP (connection type = UDP). The

  The aging counter value is sequentially decremented by the address conversion unit 100. Specifically, the address conversion unit 100 searches for an entry in which an aging counter value is set one by one, decrements the aging counter value of the found entry by 1, and then the aging counter of the next found entry Repeatedly decrementing the value by 1. When the aging counter value becomes “0”, the address conversion unit 100 changes the value of each field of the corresponding entry to make it an empty entry.

  Here, in the network system 1000, the decrement is completed due to the fact that many entries are registered in the address translation table 500 and the access speed of the memory storing the address translation table 500 is low. It takes about 200 seconds to decrement the aging counter value by 1 for all entries to be decremented. As described above, since the recommended value for the memory release waiting period is 120 seconds, the state may be changed to the CLOSED state ST0 120 seconds after the TIME_WAIT state ST4. Therefore, in the network system 1000, the smallest value “1” is set as the initial value of the aging counter value in the TCP connection. However, since the aging counter value decrements from “1” to “0” takes approximately 200 seconds at the longest, 120 seconds after the TIME_WAIT state ST4 is reached (memory release waiting period) has elapsed. However, there may occur a case where the TCP connection cannot transition to the CLOSED state ST0. In this case, if there is no empty entry in the address conversion table 500, a TCP connection cannot be established even if there is a request for establishing a new TCP connection. Therefore, in the network system 1000, by performing entry update processing and entry addition processing of the address conversion table 500 described later, information related to a new TCP connection is quickly overwritten and registered in the corresponding entry after the memory release waiting period has elapsed. To do.

  In addition, for a session using UDP, a period from session start to session end (hereinafter referred to as “session period”) is determined in advance, and the remaining period of the session period is managed by an aging counter value. The initial value of the aging counter for the session using UDP is set to “18”.

  In the CLOSED time field shown in FIG. 2, the time at which each TCP connection transitions from the TIME_WAIT state ST4 to the CLOSED state ST0 is recorded. In the example of FIG. 2, time T2 is recorded in entry E1. In addition, time T4 is recorded in entry E2, time T1 is recorded in entry E102, and time T3 is recorded in entry E200. In FIG. 2, “Tp” indicates the current time (described later). In the example of FIG. 2, the time T1 is temporally before the current time Tp. On the other hand, the other times T2 to T4 are all later in time than the current time Tp. For connections other than the TCP connection type, a valid value is not recorded in the CLOSED time field.

  In the network system 1000, in order to ensure fairness among users, the number of entries that can be registered in the address translation table 500 for each user is set to 100. In FIG. 2, only entries for three users (user A, user B, and user C) are shown, but registration of 100 entries for each of other users (not shown) is allowed. In FIG. 2, for users A and B, information related to connection is registered in all 100 entries (that is, the valid flag is “valid”). For the user C, some entries are empty entries, for example, the entry with the entry number E300 is an empty entry (that is, the validity flag is “invalid”).

  FIG. 4 is an explanatory diagram showing an example of setting contents of the TCP release waiting table shown in FIG. In FIG. 4, the upper row shows the TCP release waiting table 600, and the lower row shows the temporal order of the times T1 to T4. In the address translation device 10, a table 600 is provided for each user. In the example of FIG. 4, a table 600a for user A, a table 600b for user B, and a table 600c for user C are shown.

  In the TCP release wait table 600, the entry number of the entry in the address conversion table 500 corresponding to the TCP connection in the TIME_WAIT state ST4 is registered. At this time, entry numbers are registered in the TCP release waiting table 600 so that the order of registration becomes clear. Specifically, in each of the TCP release waiting tables 600a to 600c in FIG. 4, it is clearly indicated that the entry number registered above (upper) is registered earlier (before time). ing. For example, in the TCP release waiting table 600a, the entry number E1 is registered before the entry number E2. Similarly, the TCP release table table 600b indicates that the entry number E102 is registered before the entry number E200. Note that the entry number is not registered in the TCP release waiting table 600c for the user C. As shown in the lower part of FIG. 4, the times T1, T2, T3, and T4 are temporally later in this order. The registration states of the tables 600a to 600c shown in the upper part of FIG. 4 indicate the registration states at the current time Tp shown in the lower part of FIG. Note that the state of each of the tables 600a to 600c can also change with the change of the current time Tp. The address conversion table 500 shown in FIG. 2 also shows the registration state at the current time Tp, and the state can change as the current time Tp changes.

  The address conversion unit 100 corresponds to the related time determination unit and the address management unit in the claims. The time management unit 400 corresponds to the time acquisition unit in the claims, and the entry in the address conversion table 500 corresponding to the entry number registered in the TCP release waiting table 600 corresponds to the release scheduled entry in the claims.

A2. Address translation table entry update processing (first embodiment: TCP):
FIG. 5 is a flowchart showing the procedure of the address update table entry update process. When the TCP connection transitions from the TCP connection blocking state ST3 to the TIME_WAIT state ST4, the address conversion device 10 starts an entry update process of the address conversion table 500.

  The address conversion unit 100 acquires the current time from the time management unit 400 (step S105). Based on the acquired current time, the address conversion unit 100 determines the CLOSED time of the TCP connection that has entered the TIME_WAIT state ST4 (step S110). Specifically, the time obtained by adding the memory release waiting period (120 seconds) to the acquired current time is set as the CLOSED time.

  In the entry of the address translation table 500 corresponding to the TCP connection in the TIME_WAIT state ST4, the address translation unit 100 sets the connection state field value to “TIME_WAIT”, the aging counter value to “1”, and the value of the CLOSED time field. Are updated at the times determined in step S110 (step S115).

  FIG. 6 is an explanatory diagram showing an example of the address conversion table after the entry is updated in step S115 shown in FIG. In the example of FIG. 6, the TCP connection corresponding to the entry number E100 transitions from the TCP connection blocking state ST3 to the TIME_WAIT state ST4, and the values of the connection state field, the aging counter value field, and the CLOSED time field in this entry are shown in FIG. It has been updated from the value shown in. Specifically, the connection state field value changes from “established” to “TIME_WAIT”, the aging counter value field value changes from “−” (invalid) to “1”, and the CLOSED time field value changes to “−” (invalid). ) To “T5”, respectively. The period from the state of FIG. 5 to the state of FIG. 6 is short (for example, 20 seconds), and the aging counter value of each entry of entry numbers E1, E2, and E200 is not decremented.

  After step S115 shown in FIG. 5, the address conversion unit 100 adds the entry number of the entry in the address conversion table 500 updated in step S115 to the TCP release waiting table 600 of the corresponding user for the TCP connection transitioned to the TIME_WAIT state. New registration is performed (step S120).

  FIG. 7 is an explanatory diagram showing an example of the TCP release waiting table after the entry number is newly registered in step S120 shown in FIG. In FIG. 7, the upper and lower stages are the same as the upper and lower stages in FIG. As shown in FIG. 7, the entry number E100 of the updated entry is newly registered in the TCP release table 600a. At this time, the newly registered entry number E100 is registered at the lowest position (lower order) in the TCP release table 100a. As shown in the lower part of FIG. 7, when the time when the entry with the entry number E100 is updated is the current time Tp, the current time has not reached the CLOSED time T2 of the entry with the entry number E1.

  When the TCP connection enters the TIME_WAIT state ST4 in the already registered TCP connection entry by the above address conversion table entry update processing, the scheduled time when the CLOSED state ST0 is entered is recorded in the CLOSED time field. In addition, the entry number of the updated entry in the address translation table 500 is newly registered in the corresponding TCP release waiting table 600 for the user.

A3. Address translation table entry addition processing (first embodiment: TCP):
FIG. 8 is a flowchart showing the procedure of address addition table entry addition processing. When a TCP connection is newly established between any user (terminal 21) and the server 30 (that is, in the TCP connection establishment processing state ST1), the address translation device 10 adds an entry to the address translation table 500. Processing is executed. When the address conversion unit 100 receives a TCP connection establishment request from any user before the entry addition process starts, the address conversion unit 100 creates a new correspondence between the private IP address and the global IP address, and the port numbers before and after the conversion. Determine the correspondence relationship. Further, when a TCP connection establishment request is received from any user, the TCP connection transitions from the CLOSED state ST0 to the TCP connection establishment processing state ST1. In the following description, it is assumed that the entry with the entry number E100 is not updated by the entry update process of the address conversion table 500 described above.

  The address conversion unit 100 searches for an empty entry in the address conversion table 500 (step S205). At this time, a free entry is searched in a range (in a memory area) predetermined for each user, and the presence or absence of a free entry is determined (step S210). For example, if the address conversion table 500 is in the state shown in FIG. 2, it is determined that there is no empty entry when trying to establish a new TCP connection for the users A and B. On the other hand, when a new TCP connection is to be established for user C, it is determined that there is an empty entry. If it is determined that there is a free entry, information regarding the TCP connection is registered in the found free entry (step S245), and the entry addition process ends. In this case, the TCP connection transitions from the TCP connection establishment processing state ST1 to the TCP connection establishment state ST2.

  If it is determined in step S210 described above that there is no empty entry, the address conversion unit 100 has an entry in the TCP release waiting table 600 (that is, any entry number in the address conversion table 500 is recorded). Is determined (step S215). For example, if the TCP release table 600 is in the state shown in FIG. 4, it is determined that there are entries in the TCP release wait tables 600a and 600b for the TCP connections related to the users A and B. On the other hand, for the TCP connection related to the user C, it is determined that there is no entry in the TCP release waiting table 600c.

  If it is determined that there is no entry in the TCP release waiting table 600 (step S215: NO), the TCP connection establishment fails, and the entry addition process ends. In this case, the TCP connection changes (returns) from the TCP connection establishment processing state ST1 to the CLOSED state ST0. The state in which there is no entry in the TCP release waiting table 600 in step S215 is a state in which all entries are valid and there is no room to register a new entry because all TCP connections are in the TCP connection establishment state ST2. It is. Therefore, in this case, a new TCP connection cannot be established.

  If it is determined in step S215 that there is an entry in the TCP release waiting table 600, the entry is registered in the entry of the address conversion table 500 corresponding to the oldest entry (the entry registered first) in the TCP release waiting table 600. The closed time is acquired (step S220). For example, for a new TCP connection for user A, there are two entries in the TCP release waiting table 600 (an entry with entry number E1 registered and an entry with entry number E2 registered) as shown in FIG. Therefore, in this case, since the entry with the entry number E1 registered at the uppermost position (the highest level) is the oldest entry, the CLOSED registered with the entry with the entry number E1 in the address translation table 500 shown in FIG. Time T2 is acquired. Further, for example, for a new TCP connection related to the user B, the entry with the entry number E2 shown in FIG. 4 is the oldest entry, so it is registered in the entry with the entry number E102 in the address conversion table 500 shown in FIG. The CLOSED time T1 is acquired.

  The address conversion unit 100 acquires the current time from the time management unit 400 (step S225), and whether the CLOSED time acquired in step S220 is earlier in time than the current time acquired in step S225 and in time match. It is determined whether or not (that is, whether it is before in time) (step S230).

  When the CLOSED time is earlier than the current time (step S230: YES), the address conversion unit 100 performs overwrite registration on the TCP connection in the corresponding entry in the address conversion table 500 (step S235). If the CLOSED time is earlier in time than the current time, the memory release waiting period for the corresponding TCP connection has already expired or has just expired. Therefore, no problem occurs even if information is overwritten in each field of the corresponding entry.

  FIG. 9 is an explanatory diagram showing an example of the address conversion table after the entry is updated in step S235 shown in FIG. In the example of FIG. 9, information related to the TCP connection is overwritten and registered in the entry of the entry number E102 from the state of the address conversion table 500 shown in FIG. As shown in FIGS. 2 and 4, the entry with the entry number E102 has a CLOSED time of time T1 and is earlier in time than the current time Tp. Accordingly, when a new TCP connection is to be established for user B, information regarding the newly determined TCP connection is overwritten and registered in the entry of entry number E102. As a result, as shown in FIG. 9, the newly associated IP address and port number are registered in the address conversion information field, the connection type is “TCP”, and the connection state is “established”. However, "-" (invalid) is registered in the aging counter value field, and "-" (invalid) is registered in the CLOSED time field. Therefore, at this point, the new TCP connection transitions from the TCP connection establishment processing state ST1 shown in FIG. 3 to the TCP connection establishment state ST2.

  In the above-described step S230, when the acquired CLOSED time is later in time than the current time, establishment of the TCP connection fails and the entry addition process ends. In this case, the TCP connection changes (returns) from the TCP connection establishment processing state ST1 to the CLOSED state ST0. If the CLOSED time is later in time than the current time, the memory release waiting period of the corresponding TCP connection has not yet expired. Therefore, in this case, since the value of each field must be held in the entry corresponding to the corresponding TCP connection, establishment of a new TCP connection will fail.

  After step S235 shown in FIG. 8, the address conversion unit 100 updates the TCP release waiting table (step S240).

  FIG. 10 is an explanatory diagram showing an example of the TCP release table updated in step S240 shown in FIG. As described above, when a new TCP connection is established for the user B, the TCP release waiting table 600b for the user B is updated. Specifically, the entry number E102 shown in FIG. 4 is deleted, and the entry with the entry number E200 that is the second registered (second oldest) entry in FIG. , Registered at the top.

  In the network system 1000 described above, when a new TCP connection establishment request is received from one of the users in the address translation apparatus 10, an entry whose CLOSED time is earlier than the current time is included in the new TCP connection. Information is overwritten and registered. Therefore, the TCP connection establishment failure due to the lack of empty entries in the address translation table 500 can be suppressed.

  In addition, in the address translation table 500, the number of entries that can be registered for each user is determined, and the TCP release waiting table 600 is provided for each user. TCP connection establishment failure due to insufficient free entries for each user can be suppressed.

  Also, in the TCP release waiting table 600, entry numbers are registered so that the order of registration is clear, so the highest entry (registered first) can be easily found. In addition, in this TCP release waiting table 600, the CLOSED time of the entry of the address conversion table 500 corresponding to the entry number registered at the top is the address corresponding to any entry number registered after the second. The time is before the CLOSED time of the entry in the conversion table 500. Therefore, by determining whether or not the CLOSED time of the entry of the address conversion table 500 corresponding to the entry number registered at the highest level in the TCP release waiting table 600 is earlier than the current time, the second or later is determined. It can be determined whether or not the CLOSED time of the entry of the address conversion table 500 corresponding to the registered entry number is earlier than the current time. Therefore, in the address translation table 500, the presence / absence of an entry whose CLOSED time is earlier than the current time can be determined in a short time.

  If there is a free entry for each user, the information related to the new TCP connection is registered in the free entry without overwriting the valid entry. Therefore, for example, when the current time provided from the time management unit 400 to the address conversion unit 100 is earlier than the actual current time due to a failure of the time management unit 400, the actual CLOSED time has been reached. It is possible to suppress erroneously overwriting and registering information related to a connection in an entry corresponding to a non-TCP connection. In addition, since the CLOSED time field and the value of the aging counter value field are used together for the management of the memory release period, there are the following advantages. That is, when TCP connections are established in such a number that an empty entry can exist, the period from the TIME_WAIT state ST4 to the CLOSED state ST0 is managed using an aging counter, and the TCP connection in the CLOSED state ST0 is managed. The corresponding entry can be changed (updated) to an empty entry. Therefore, in such a case, the period from the TIME_WAIT state ST4 to the CLOSED state ST0 can be realized by counting using an aging counter with a relatively light processing load. Therefore, the processing load of the entire address translation device 10 can be reduced.

A4. System configuration (second embodiment: UDP):
FIG. 11 is an explanatory diagram showing a schematic configuration of a network system to which the address translation device according to the second embodiment of the present invention is applied. The network system 2000 includes an address translation device 40, the aforementioned local network N1, a global network N2, a plurality of terminals 21, and a server 30.

  Similar to the network system 1000 described above, the network system 2000 is a system in which each terminal 21 and the server 30 communicate via the local network N1 and the global network N2, and in such communication, a global IP (Internet Protocol) address and Private IP addresses (also called local IP addresses) are mutually converted. In the network system 2000, IP is used as a network layer protocol in the OSI reference model, and TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), or the like is used as a transport layer protocol. Thereafter, TCP in the network system 2000 is as described in the network system 1000.

  The address translation device 40 is connected to the local network N1 and the global network N2, respectively, and a plurality of global IP addresses are pooled in advance. The address translation device 40 has a so-called NAPT (Network Address and Port Translation) function, translates a global IP address and a private IP address, and translates a port number.

  The address translation device 40 includes an address translation unit 150, a first packet interface unit 200, a second packet interface unit 300, a time management unit 400, an address translation table 500, and a plurality of TCP release waiting tables 600. In addition, a plurality of UDP release wait tables 700 are provided.

  The address translation unit 150 is connected to each UDP release wait table in addition to the first packet interface unit 200, the second packet interface unit 300, the time management unit 400, the address translation table 500, and each TCP release wait table 600. Yes. The address conversion unit 150 converts the IP address and port number and manages the tables 500, 600, and 700. Since the processing related to TCP of the address conversion unit 150 is the same as that of the network system 1000, the description thereof is omitted below.

  FIG. 12 is an explanatory diagram showing an example of setting contents of the address conversion table shown in FIG. The address conversion table 500 records connection information for each connection (TCP connection, session using UDP, etc.) in association with each other. In FIG. 12, information regarding connections for a plurality of connections has already been recorded in the address conversion table 500.

  The meaning of each field in the address translation table 500 is as described above. In the case of TCP, the time (T) at which the TCP connection transits to the CLOSED state ST0 is recorded in the CLOSED time field. In the case of UDP, the session creation time is recorded. The difference is that the time (t) at which the UDP connection session is generated is recorded in the field.

  In the example of FIG. 12, “established” is recorded as the connection state in the entry (entry number E101) whose connection type is “UDP”. In the entry (entry number E103) whose connection type is “UDP”, “not established” is recorded as the connection state. Here, “established” means the above-mentioned UDP connection established state, and “unestablished” means the above-mentioned UDP connection unestablished state.

  FIG. 13 is an explanatory diagram showing the relationship between the UDP communication between the user and the server, the state of the UDP connection, and the UDP session period. The state of the UDP connection is one of a connection non-established state ST10 and a connection established state ST11.

  The connection unestablished state ST10 is a state in which UDP communication between the user and the server repeats retransmission from the start of connection of the user (P1 to P3), or a state in which the server responds to communication from the user once (P4). ). In a UDP communication form that is generally used, the times P1 to P3 cannot communicate with the server or are delayed. The state in which the server responds once (P4) is a state until a transition to a connection establishment state described later, or a state in which UDP communication is completed by one-way bidirectional communication. In general, DNS corresponds to the latter. Although details will be described later, on the address conversion table 500, information regarding the UDP connection is recorded as the connection state “unestablished” when P1 is relayed. At the same time, an identifier for the corresponding entry in the address conversion table 500 is registered in the UDP release waiting table 700.

  The connection establishment state ST11 means a state where the communication (P5) has been relayed even once from the connection unestablished state. P5 in FIG. 13 is communication from the user, but communication from the server may be used. In the UDP communication form generally used frequently, communication between the user and the server continues after P5. In the example in the figure, the communication is terminated with P6. Although details will be described later, on the address conversion table 500, the connection state related to the UDP connection is updated to “established” when P5 is relayed. At the same time, the identifier for the corresponding entry in the address translation table 500 is deleted from the UDP release waiting table.

  For the session using UDP shown in FIG. 12, a period from the start of the session to the end of the session (hereinafter referred to as “session period”) is determined in advance, and the remaining period of the session period is managed by the aging counter value. Is done. The initial value of the aging counter for the session using UDP is set to “18”. In the network system 2000, as shown in FIG. 12, for a connection whose connection type is UDP, the time when the UDP session is generated in the field in which the CLOSED time is recorded for the TCP connection (hereinafter referred to as “session generation time”). ).

  The aging counter value is sequentially decremented by the address conversion unit 150. Specifically, the address conversion unit 150 searches the entries for which the aging counter value is set one by one, decrements the aging counter value of the existing entry by 1, and then the aging counter of the next existing entry Repeatedly decrementing the value by 1. When the aging counter value becomes “0”, the address conversion unit 150 changes the value of each field of the corresponding entry to make it an empty entry.

  Here, in the network system 2000, as in the above-described network system 1000, the period until the “1” is decremented takes about 200 seconds at the longest. Also, in the UDP connection, in any form of communication, specifically, even if the communication is ended at P4, the address conversion is performed until the UDP session period expires (until the aging counter value becomes 0). The entry continues to exist in the table. In this case, if there is no empty entry in the address translation table 500, a UDP connection cannot be established even if a new UDP connection establishment request is made. Therefore, in the network system 2000, by executing an entry update process and an entry addition process of the address conversion table 500 described later, information related to a new UDP connection is quickly overwritten and registered in the corresponding entry after the protection period described later elapses. .

  In the network system 2000, the number of entries that can be registered in the address translation table 500 for each user is set to 100 in order to ensure fairness among the users. In FIG. 12, only entries for three users (user A, user B, and user C) are shown, but registration of 100 entries for each of other users (not shown) is allowed. In FIG. 12, for users A and B, information related to connection is registered in all 100 entries (that is, the validity flag is “valid”). For the user C, some entries are empty entries, for example, the entry with the entry number E300 is an empty entry (that is, the validity flag is “invalid”).

  FIG. 14 is an explanatory diagram showing an example of setting contents of the UDP release waiting table 700 shown in FIG. In the address translation device 40, a table 700 is provided for each user. In the example of FIG. 14, a table 700a for user A, a table 700b for user B, and a table 700c for user C are shown.

  In the UDP release waiting table 700, the entry identifier of the entry in the address translation table 500 corresponding to the UDP connection in the connection unestablished state ST10 is registered. The identifier may be the memory address of the entry (hereinafter, the entry number is registered as the identifier). At this time, entry numbers are registered in the UDP release waiting table 700 so that the order of registration is clear. Specifically, in each of the UDP release waiting tables 700a to 700c in FIG. 14, it is clearly indicated that the entry number registered higher (upper) is registered earlier (before time). ing. For example, in the UDP release wait table 700b, the entry number E103 indicates that it is registered before the entry number E104. The entry numbers are not registered in the UDP release waiting tables 700a and 700c for the users A and C. As described above, the registration entries in the tables 700a to 700c shown in FIG. 14 are deleted when the state is determined to be the UDP connection established state. In the example, the entry number E101 that is the UDP connection in the connection establishment state of the user B has already been deleted from the table 700b.

  The address conversion unit 150 corresponds to the UDP connection state determination unit and the address management unit in the claims. The time management unit 400 corresponds to the time acquisition unit in the claims, and the entry in the address conversion table 500 corresponding to the entry number registered in the UDP release waiting table 700 corresponds to the release planned entry in the claims.

A5. Address translation table entry addition processing (second embodiment: UDP):
FIG. 15 is a flowchart showing the procedure of the address addition table entry addition process. When a UDP connection is newly started between any one of the users (terminal 21) and the server 30, the address translation device 40 executes an entry addition process for the address translation table 500. When the address conversion unit 150 receives a UDP connection establishment request from any user before the entry addition process starts, the address conversion unit 150 creates a new correspondence between the private IP address and the global IP address, and the port number before and after the conversion. Determine the correspondence relationship.

  The address conversion unit 150 searches for an empty entry in the address conversion table 500 (step S305). At this time, a free entry is searched in a range (in the memory area) predetermined for each user, and the presence or absence of a free entry is determined (step S310). For example, if the address conversion table 500 is in the state shown in FIG. 12, it is determined that there is no empty entry when trying to establish a new UDP connection for the users A and B. On the other hand, when a new UDP connection is to be established for user C, it is determined that there is an empty entry. If it is determined that there is a free entry, the address conversion unit 150 obtains the current time from the time management unit 400 (step S315), and information related to the UDP connection (valid flag is set to “valid”) in the existing free entry. As the address translation information, “IP address correspondence, port number correspondence determined above”, connection type “UDP”, connection state “not established” indicating connection unestablished state ST10, aging counter value "18" and the current time acquired in S315 as the session creation time are registered (step S320).

  After step S320, the address conversion unit 150 adds the entry identifier (entry number or memory address) of the address conversion table 500 set in step S320 to the corresponding user's UDP release waiting table 700 for the newly started UDP connection. Is newly registered (step S325).

  In FIG. 12, an entry number E104 is an example immediately after an entry is newly registered in step S320. In FIG. 14, the entry number E104 registered in the table 700b exemplifies the entry identifier newly registered in step S325. Newly registered entry identifiers are always registered at the bottom of the table, as in E104.

  If it is determined in step S310 described above that there is no empty entry, the address conversion unit 150 has an entry in the UDP release waiting table 700 (that is, any entry number in the address conversion table 500 is recorded). Is determined (step S330). For example, if the UDP release table 700 is in the state shown in FIG. 14, it is determined that there is an entry in the UDP release waiting table 700b for the UDP connection related to the user B. On the other hand, with respect to the UDP connection related to the users A and C, it is determined that there is no entry in the UDP release waiting tables 700a and 700c.

  If it is determined that there is no entry in the UDP release waiting table 700 (step S330: NO), the establishment of the UDP connection fails, and the entry addition process ends. The state in which there is no entry in the UDP release waiting table 700 in step S330 means that all entries in the address translation table are valid and all the UDP connections are in the UDP connection establishment state ST11, so a new entry is registered. There is no room. Therefore, in this case, a new UDP connection cannot be established.

  When it is determined in the above-described step S330 that there is an entry in the UDP release waiting table 700 (step S330: YES), the address conversion corresponding to the oldest entry (the entry registered first) in the UDP release waiting table 700 The session generation time registered in the entry of the table 500 is acquired (step S335). For example, for a new UDP connection for user B, there are two entries (entries in which entry numbers E103 and E104 are registered) in the UDP release wait table 700b as shown in FIG. Therefore, in this case, since the entry with the entry number E103 registered at the top (the highest) is the oldest entry, the session registered with the entry with the entry number E103 in the address translation table 500 shown in FIG. The generation time t1 is acquired.

  The address conversion unit 150 acquires the current time from the time management unit 400 (step S340), and determines whether or not a predetermined protection time has elapsed by comparison with the session generation time t1 acquired in step S335 ( Step S345).

  When the predetermined protection time has elapsed (step S345: YES), the address conversion unit 150 overwrites and registers information related to the UDP connection in the corresponding entry in the address conversion table 500 (step S350). The registered contents are the same as in step S320. If the predetermined protection time has elapsed, the communication of the corresponding UDP connection has ended, that is, the UDP communication in a transitional state at the start of communication (for example, communication in which one host repeats retransmission, bidirectional Therefore, there is no problem even if information is overwritten in each field of the corresponding entry. In other words, after the UDP session is generated, the UDP connection is not established ST10 first, but if the transition to the connection established state ST11 is not made after a predetermined protection period has passed, this UDP communication has already ended. Therefore, the entry of the address conversion table 500 related to this UDP communication is released and overwritten with information related to a new UDP connection. As for the predetermined protection time, the user can arbitrarily set an appropriate time in advance so that it can be considered that the communication has ended, not the UDP communication in a transitional state at the start of communication. That's fine.

  In step S345 described above, when the predetermined protection time has not elapsed (step S345: NO), establishment of the UDP connection fails, and the entry addition process ends.

  After overwriting registration in step S350, the entry identifier of the UDP release waiting table pointing to the overwriting destination is deleted, and the identifier of the address conversion table entry newly overwritten and registered is re-registered in the UDP release waiting table (step S355).

  FIG. 16 is an example immediately after the entry number E103 is overwritten and registered in step S350 from the state of FIG. FIG. 17 shows an entry that is the entry registered second (from the oldest) from the top, in which the entry number E103 registered at the top of the table 700b in the state of FIG. 14 is deleted in step S355. In the example, the entry with the number E104 is registered at the top, and the entry with the entry number E103 in which information related to the new UDP connection is overwritten is newly registered as a release waiting entry. The newly registered entry identifier (E103) is always registered at the bottom of the table.

A6. Address translation table entry update processing (second embodiment: UDP):
FIG. 18 is a flowchart showing the procedure of the address conversion table entry process when the UDP connection is changed to the connection establishment state. When transitioning to the UDP connection establishment state, the address translation device 40 starts an entry update process of the address translation table 500.

  The address translation unit 150 updates the value of the connection status field to “established” indicating the established status in the entry of the address translation table 500 corresponding to the UDP connection in the UDP connection established status ST11 (step S405).

  FIG. 16 is an explanatory diagram showing an example of the address conversion table after the entry is updated in step S405. In the example of FIG. 16, the connection state field of the UDP connection corresponding to the entry number E104 is updated from “not established” indicating the UDP connection unestablished state ST10 to “established” indicating the established state ST11.

  After step S405 illustrated in FIG. 18, the address conversion unit 150 deletes the entry identifier of the entry in the corresponding address conversion table 500 from the UDP release waiting table 700 of the corresponding user for the UDP connection transitioned to the connection establishment state. (Step S410).

  FIG. 19 is an explanatory diagram showing an example of the UDP release wait table after the entry number is deleted in step S410 from the state shown in FIG. As shown in FIG. 19, the entry number E104 of the above-mentioned updated entry is deleted, and the entry with the entry number E103 which is the second registered from the top (second oldest) is registered at the top. ing.

  As a result of the above address conversion table entry update processing, when a connection establishment state ST11 is reached in an already registered UDP connection entry, the connection state field is updated to “established”, and the corresponding user UDP release waiting state The entry number of the updated entry in the address translation table 500 is deleted from the table 700. As a result, the state in which only the entry number indicating the UDP connection in the connection unestablished state is registered in the UDP release waiting table.

  In the network system 2000 described above, in the address translation device 40, when there is a request for establishing a new UDP connection from any user, information on the new UDP connection is added to the connection unestablished state entry after the protection time has passed. Is overwritten and registered. Therefore, a UDP connection establishment failure due to a shortage of empty entries in the address translation table 500 can be suppressed.

  By providing a predetermined protection time for overwriting registration, it is possible to protect the UDP connection that is in a transitional state and has not yet ended communication from being overwritten by mistake.

  In addition, in the address translation table 500, the number of entries that can be registered for each user is determined, and since the UDP release waiting table 700 is provided for each user, fairness among the users can be ensured, It is possible to suppress a failure to establish a UDP connection due to insufficient empty entries for each user.

  In the UDP release wait table 700, entry numbers are registered so that the order of registration is clear, so that the highest entry (registered first) can be found at high speed.

  In the two embodiments related to TCP and UDP described above, TCP and UDP are individually described. However, in the address conversion table 500, information related to the TCP connection and information related to the UDP connection are overwritten and registered in the registered entry. Or vice versa. In this case, for example, when a request for a new TCP connection is received, the processing flow of FIG. 8 is first executed. When the overwriting registration for the TCP entry cannot be performed, the processing flow of FIG. It is possible to determine whether or not overwrite registration can be performed, and to perform processing such as overwriting a TCP entry on a UDP entry if possible. The same applies when a new UDP connection request is received. Of course, the order of performing the processing flow of FIG. 8 and the processing flow of FIG. 15 may be reversed, or both processing flows may be performed simultaneously to determine an entry that can be overwritten and registered.

B. Variations:
In addition, elements other than the elements claimed in the independent claims among the constituent elements in each of the above embodiments are additional elements and can be omitted as appropriate. The present invention is not limited to the above-described examples and embodiments, and can be implemented in various modes without departing from the gist thereof. For example, the following modifications are possible.

B1. Modification 1:
In the above embodiment, the CLOSED time of TCP connection is registered in the address conversion table 500, but the present invention is not limited to this. For example, instead of the CLOSED time, the time when the TCP connection blocking process state ST3 transits to the TIME_WAIT state ST4 can be registered. In this case, in step S230 of the entry addition process, it is preferable to determine the CLOSED time based on the time of transition to the TIME_WAIT state ST4 and determine whether the CLOSED time is earlier than the current time. . The CLOSED time can be determined, for example, by adding a memory release waiting period (120 seconds) to the time of transition to the TIME_WAIT state ST4. Further, for example, instead of the CLOSED time, a time obtained by adding a predetermined offset time (for example, 10 seconds) to the time when the state transits to the TIME_WAIT state ST4 can be registered. In this case, in step S230, it can be determined whether or not the time obtained by adding the period obtained by subtracting the offset time from the memory release waiting period to the registered time is earlier in time than the current time. . That is, in general, any time related to the CLOSED time can be registered in the address conversion table 500.

B2. Modification 2:
In the above embodiment, in order to register the entry number in the TCP release waiting table 600 so that the order of registration becomes clear, the previous entry is registered higher in time. It is not limited to this. For example, the registration time when registering the entry number in the TCP release waiting table 600 can also be registered. In such a configuration, the entry registered first can be searched based on the registration time registered in each entry of the TCP release waiting table 600 in step S220 of the entry addition process.

  It is also possible to register entry numbers in the TCP release waiting table 600 so that the registration order is not clarified. Even in this configuration, for each entry of the entry number registered in the TCP release waiting table 600, the CLOSED time is determined to be the current time by determining whether the CLOSED time is earlier than the current time. It is possible to search for previous entries in terms of time.

  Further, the TCP release waiting table 600 can be omitted. In this case, in the entry addition process, it is determined whether each CLOSED time registered in the address conversion table 500 is earlier than the current time in time, thereby determining an entry whose memory release waiting period has expired. You can search.

  In each embodiment, the CLOSED time is earlier than the current time and the information related to the new TCP connection is overwritten and registered in the entry whose CLOSED time is the earliest in time. The present invention is not limited to this. Information related to a new TCP connection can be overwritten and registered in any entry whose CLOSED time is earlier than the current time.

B3. Modification 3:
In the above embodiment, the aging counter value is recorded in each entry for the TCP connection in the address conversion table 500. However, instead of this, the aging counter value may not be recorded. In this case, each entry for the TCP connection is not a free entry even when the CLOSED time is reached. However, because the entry addition process overwrites and registers information on a new TCP connection in the entry whose CLOSED time has expired, it is possible to suppress a TCP connection establishment failure due to a lack of empty entries.

B4. Modification 4:
In the above embodiment, the number of entries that can be registered for each user is defined in the address conversion table 500, but such a restriction may not be provided. In this case, in step S210 of the entry addition process, it is possible to determine whether there is an empty entry in the entire address conversion table 500. Further, the TCP release waiting table 600 can be unified.

B5. Modification 5:
In the above-described embodiment, in the entry addition process, a free entry is searched in step S210. After that, if there is no free entry, the entry whose CLOSED time has expired is searched in steps S220 to S235 to overwrite the connection information. Although registered, the present invention is not limited to this. First, an entry whose CLOSED time has expired is searched. If such an entry is found, information related to the connection is overwritten and registered, and an entry whose CLOSED time has expired is not found. You can also search.

B6. Modification 6:
In the above embodiment, the address translation device 10 has a NAPT (Network Address and Port Translation) function, but may instead have a NAT (Network Address Translation) function that does not translate port numbers. it can. Further, although the address translation device 10 translates a global IP address and a private IP address, the present invention is not limited to this. For example, the address translation device 10 can be used for address translation in the LAN, and the address translation device can translate the first private IP address to the second private IP address. Further, an address used in IPX (Internetwork Packet eXchange) can be adopted instead of the IP address. That is, in general, an address conversion device that performs address conversion between the first address for communication and the second address for communication can be employed as the address conversion device of the present invention.

B7. Modification 7:
In the above embodiment, the address translation device 10 is a dedicated machine, but instead, it can be configured as a part of another device. For example, it can be installed in an edge router or firewall in the local network N1. Further, for example, in a configuration in which a Radius (Remote Authentication Dial-In User Service) server (not shown) is connected to the local network N1, it can be mounted on the Radius server.

B8. Modification 8:
In the address translation device 40 of the above-described embodiment, in order to register the entry number in the UDP release waiting table 700 so that the order of registration is clear, the previous entry is registered higher in time. However, the present invention is not limited to this. For example, by registering the registration time when registering the entry number in the UDP release waiting table 700, the earliest destination is based on the registration time registered in each entry of the table 700 in the entry addition processing step S330. You can also search for entries registered in.

  Further, the UDP release waiting table 700 can be omitted. In this case, in the entry addition process, it is determined whether the connection state and the session generation time of each session registered in the address translation table 500 have passed the protection time and the connection state is “unestablished”. Thus, it is possible to search for an entry that can be overwritten.

  Further, in the embodiment, the information regarding the new UDP connection is overwritten and registered in the UDP entry that has been registered the oldest, the protection time has passed, and the connection state is “unestablished”. The present invention is not limited to this. Even if it is not the oldest registered, it can be overwritten if the protection time has passed and the UDP entry has a connection status of “unestablished”. Furthermore, even if the protection time has not passed, it is possible to improve the utilization efficiency of the UDP entry (although there is a trade-off that the transient UDP connection is not protected). The overwriting operation by these address translation devices can be configured as an address translation device configuration that can be set by a network system designer.

B9. Modification 9:
In the address translation device 40 of the above-described embodiment, the number of entries that can be registered for each user is defined in the address translation table 500, but such a restriction may not be provided. In this case, in step S310 of the UDP entry addition process, it is possible to determine whether or not there is an empty entry in the entire address conversion table 500. Further, the UDP release waiting table 700 can be unified.

B10. Modification 10:
In the address translation device 40 of the above embodiment, the protection time against UDP entry overwrite is exemplified as a predetermined value, but the present invention is not limited to this. It is not a fixed value, but can be configured as an address translation device that can be set by the network system designer.

B11. Modification 11:
In the address translation device 40 of the above embodiment, in the UDP entry addition process, a free entry is searched in step S310, and if there is no free entry after that, a release waiting entry is searched in steps S335 to S350, and information on connection is obtained. However, the present invention is not limited to this. It is also possible to search for a release waiting entry first, and thereafter register information related to connection if such an entry exists, and search for a free entry if no release waiting entry is found.

B12. Modification 12:
In the above embodiment, the address translation device 40 has a NAPT (Network Address and Port Translation) function, but may instead have a NAT (Network Address Translation) function that does not translate port numbers. it can. Further, the address translation device 40 translates the global IP address and the private IP address, but the present invention is not limited to this. For example, the address translation device 10 can be used for address translation in the LAN, and the address translation device can translate the first private IP address to the second private IP address. Further, an address used in IPX (Internetwork Packet eXchange) can be adopted instead of the IP address. That is, in general, an address conversion device that performs address conversion between the first address for communication and the second address for communication can be employed as the address conversion device of the present invention.

B13. Modification 13:
In the above embodiment, the address translation device 40 is a dedicated machine, but instead, it can be configured as a part of another device. For example, it can be installed in an edge router or firewall in the local network N1. Further, for example, in a configuration in which a Radius (Remote Authentication Dial-In User Service) server (not shown) is connected to the local network N1, it can be mounted on the Radius server.

DESCRIPTION OF SYMBOLS 1000 ... Network system 10 ... Address conversion apparatus 21 ... Terminal 30 ... Server 100 ... Address conversion part 200 ... 1st packet interface part 300 ... 2nd packet interface part 400 ... Time management part 500 ... Address conversion table 600, 600a, 600b, 600c ... TCP release wait table 2000 ... network system 150 ... address translation unit 40 ... address translation device 700, 700a, 700b, 700c ... UDP release wait table

Claims (11)

An address translation device,
A CLOSED time which is a time at which a TCP connection using the first address and the second address becomes a CLOSED state in each entry. An address conversion table in which related times that are related times are registered in association with each other;
A time acquisition unit for acquiring the current time;
When the TCP connection enters the TIME_WAIT state, a related time determination unit that determines the related time based on the acquired current time;
An address management unit,
Register the determined related time in the entry of the address translation table corresponding to the TCP connection that is in the TIME_WAIT state,
Based on the address conversion request, the first address and the second address are associated with each other, and based on the related time and the current time registered in the address conversion table, the CLOSED time is more temporal than the current time. An address management unit that searches for a release scheduled entry that is a previous entry and overwrites and registers the newly associated first address and second address in any of the scheduled release entries;
An address translation device comprising: The address translation device according to claim 1,
When the first address and the second address are newly associated with each other, the address management unit determines whether or not there is an empty entry in the address conversion table, and when there is the empty entry, the empty entry If the first address and the second address newly associated with each other are registered and there is no empty entry, the oldest entry which is the entry that is the earliest in time among the entries to be released is stored in the oldest entry. An address conversion apparatus for overwriting and registering a first associated first address and a second address. The address translation device according to claim 2, further comprising:
A TCP release waiting table for registering an identifier of an entry in the address conversion table corresponding to the TCP connection that is in a TIME_WAIT state;
The address management unit
When the TCP connection is in a TIME_WAIT state, an entry identifier that is an identifier of an entry corresponding to the TCP connection in the address translation table is registered in the TCP release waiting table so that the registration order is clear,
If there is no free entry, the oldest entry identifier, which is the entry identifier registered earliest in time in the TCP release waiting table, is acquired, and the entry in the address conversion table indicated by the oldest entry identifier is acquired. And whether the CLOSED time corresponding to the entry is earlier in time than the current time based on the related time registered in the current time and the current time. If it is earlier than the current time, the first address and the second address newly associated with the entry are overwritten and registered. An address translation device that does not register the associated first address and second address in the address translation table. The address translation device according to claim 3.
The TCP release waiting table is provided for each of a plurality of users,
When the address management unit newly associates the first address and the second address based on an address conversion request from any user, and there is no empty entry, the TCP / IP device waits for the TCP release for the user. The oldest entry identifier in the table is acquired, and based on the related time and the current time registered in the entry in the address conversion table indicated by the oldest entry identifier, the CLOSED time corresponding to the entry is It is determined whether or not the current time is earlier than the current time. If the current time is earlier than the current time, the first address and the second address newly associated with the entry are determined. If the address is overwritten and is not earlier than the current time, the newly associated first address and The second address is not registered in the address translation table, the address translator. In the address translation device according to any one of claims 1 to 4,
The address translation device, wherein the first address is a global IP address and the second address is a private IP address. A method for managing an address translation table used in an address translation device,
The address conversion table has a plurality of entries, and in each entry, at least a first address and a second address are registered in association with each other,
(A) When a TCP connection using the first address and the second address enters the TIME_WAIT state, the current time is acquired, and the TCP using the first address and the second address based on the current time Determining a related time that is a time related to a CLOSED time, which is a time when the connection is in the CLOSED state;
(B) registering the determined related time in an entry corresponding to the TCP connection already registered in the address translation table;
(C) Based on the address conversion request, when the first address and the second address are newly associated with each other, the current time is acquired, and the related time and the current time registered in the address conversion table Based on the above, the release scheduled entry whose CLOSED time is earlier than the current time is searched, and the newly associated first address and second address are searched for the release scheduled entry. A process of overwriting and registering to either
A method for managing an address conversion table. An address translation device,
A plurality of entries, each having a first address, a second address, and a time associated with a time for generating a session for a UDP connection using the first address and the second address; An address conversion table in which certain related times are registered in association with each other;
A time acquisition unit for acquiring the current time;
For the UDP connection, after one-way communication is exchanged from the start of communication, one-way communication has been established even once, or a one-way communication has been performed since the start of communication. A UDP connection state determination unit that determines whether or not a UDP connection has not yet been established, in which no one-way communication has occurred,
An address management unit,
Based on the address conversion request, the first address and the second address are associated with each other, and the UDP connection state determination unit determines that the UDP connection state has not been established from the entries of the address conversion table, and the related time And the current time are compared to search for a release scheduled entry that is an entry for which a predetermined time has elapsed, and the newly associated first address and second address are determined as one of the release scheduled entries. The address management department,
An address translation device comprising: The address translation device according to claim 7,
When the first address and the second address are newly associated with each other, the address management unit determines whether or not there is an empty entry in the address conversion table, and when there is the empty entry, the empty entry If the first and second addresses newly associated with each other are registered and there is no free entry, the entry with the related time that is the earliest in time in the release scheduled entry is registered. An address conversion apparatus for overwriting and registering the first address and the second address that are newly associated with an old entry. The address translation device according to claim 8, further comprising:
A UDP release waiting table for registering an identifier of an entry in the address translation table corresponding to the UDP connection in the UDP connection unestablished state;
The address management unit
When the UDP connection is in the UDP connection unestablished state, an entry identifier that is an identifier of an entry corresponding to the UDP connection in the address translation table is registered in the DUP release waiting table so that the registration order is clear And
If there is no free entry, the oldest entry identifier which is the entry identifier registered earliest in time in the UDP release waiting table is acquired, and the entry in the address conversion table indicated by the oldest entry identifier is acquired. The related time registered with the current time is compared with the current time to determine whether or not a predetermined time has elapsed. If the predetermined time has elapsed, the entry is newly added to the entry. The associated first address and second address are overwritten and registered, and if the predetermined time has not elapsed, the newly associated first address and second address are converted to the address conversion. Address translation device not registered in the table. The address translation device according to claim 9, wherein
The UDP release waiting table is provided for each of a plurality of users,
When the address management unit newly associates the first address and the second address based on an address conversion request from any user, and there is no empty entry, the address management unit waits for the UDP release for the user. Whether or not a predetermined time has elapsed by obtaining the oldest entry identifier in the table and comparing the related time registered in the entry in the address conversion table indicated by the oldest entry identifier with the current time If the predetermined time has elapsed, the first address and the second address newly associated with the entry are overwritten and registered, and the predetermined time has not elapsed. In this case, the address translation device does not register the newly associated first address and second address in the address translation table. The address translation device according to any one of claims 7 to 10,
The address translation device, wherein the first address is a global IP address and the second address is a private IP address.

Images