JP2014045245A - Relay device and its operation method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable construction of a session exceeding a limit due to a range of port numbers in a communication between a relay device and a server.SOLUTION: When a relay device accesses a redundant server group having the same domain name but different IP addresses, the relay device changes a destination of a packet so that the relay device will communicate with another redundant server when the number of sessions at one redundant server in the redundant server group reaches the upper limit.

Description

  The present invention relates to communication efficiency improvement when a plurality of relay apparatuses are aggregated in an upper giant relay apparatus in an environment using IPv4.

  The global IP address of IPv4 is in a depleted state, and it is common for a plurality of terminals and devices to share one global IP address that the relay device has. Not only a global IP address but also a method of sharing a single IP address among a plurality of devices and terminals, NAT (Network Address Translation) or NAPT (Network Address Port Translation) (hereinafter collectively referred to as “NAT”). Is used. When the relay device executes NAT, when a packet from the LAN (Local Area Network) side to the WAN (Wide Area Network) side is received, how is the packet from which address on the LAN side received? A session management table that records whether the packet is sent to the network side is stored. When a packet is received from the WAN side, it is determined which address on the LAN (Local Area Network) side to relay based on the packet information.

  In 5-tuple, which is a general NAT, the LAN side uses the five information of “source IP address”, “source port number”, “destination IP address”, “destination port number” and “protocol” of the packet received from the WAN side. To which address to relay. When relaying is managed with a port number and an address as in this 5-tuple, a terminal connected to the relay device establishes a plurality of sessions for the same port of a specific server. The number must be different for each terminal. Therefore, when a plurality of terminals are connected under the relay device, the number of WAN side port numbers of the relay device that can be used by one terminal decreases in inverse proportion to the number of terminals. This is because the port numbers that can be used by the relay apparatus are limited to 65536 types from 0 to 65535 and must be shared among the terminals under their control. If the subordinate terminal directly connected to the relay apparatus is 655, the port number per terminal is limited to 100. However, in reality, port number sharing is not uniform, and one terminal may occupy many port numbers. On the other hand, Patent Document 1 proposes a method in which subordinate terminals are divided into groups and the number of sessions with a server on a specific global network is limited for each group. However, this is a method of eliminating unfairness among users who use the terminal, and is not a method of solving the upper limit of assignable port numbers.

  By the way, with the exhaustion of IPv4 addresses, networks constructed with IPv6 have come to be used, but there are still many networks that can be connected only with IPv4, so address translation using IPv4 addresses in IPv6 networks. Has been done. For example, in a closed network constructed with IPv6, a host relay device having a global IP address of IPv4 has, and a number of home relay devices to which local IPv4 addresses are assigned are connected. There is actually a configuration in which a plurality of terminals having IPv4 local IP addresses managed by the home relay device are connected to the home relay device. As described above, when using IPv4 in the IPv6 network, the upper relay apparatus is configured such that the IPv6 address assigned to the subordinate relay apparatus is arranged with the IPv4 address in the middle or the end following the predetermined prefix. By limiting, SAM (Stateless Address Mapping) that automatically performs address translation between IPv4 and IPv6 without providing a translation table may be used. This is because if the number of terminals under the control increases and all of them are converted by referring to the table one by one, the load on the upper relay apparatus becomes too large.

  However, when such a higher-level relay device (LSN: Large Scale NAT) has a home relay device under its control, the LSN port number is shared and assigned to a plurality of home relay devices, and each home relay Since the port assigned to the device is assigned to the subordinate terminal, the upper limit of the number of sessions that each terminal can establish becomes very small. Under such an environment, there are cases where the number of sessions to be managed is too large and the memory release waiting time cannot be counted in time, and a session that should be able to be released cannot be released. On the other hand, Patent Document 2 describes a method of overcoming the situation by overwriting a session in a TIME_WAIT state that is not normally released as being used when a TCP session exceeds an allowable amount.

  Further, Patent Document 3 describes a method for assigning information for identifying a terminal to an application layer when a packet is transmitted from the WAN side to the LAN side in order to share one port among a plurality of terminals.

JP 2010-103709 A JP 2011-172201 A JP 2009-146306 A

  However, since the method of Patent Document 2 cannot be overwritten when the TCP session is actually used instead of WAIT, it cannot be applied when the active communication to one server is actually concentrated, and the situation is solved. I couldn't.

  Further, in the method of Patent Document 3, since information is incorporated in the application layer, there is a problem that the packet processing becomes slow and the load on the relay apparatus increases.

  In recent years, when the opportunity to provide rich contents on the Internet has increased, applications on the terminal have multiple sessions set up on one server for the purpose of downloading a large amount of information from the Internet at the same time. Implementations that communicate are increasing. For this reason, in a configuration in which a plurality of in-home relay devices are connected under the higher-level relay device, and when the ports of the higher-level relay device are shared by many terminals connected in multiple stages, there is a further phenomenon that a session cannot be established due to overlapping ports. It is likely to occur.

  SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to enable a session to be established beyond the limit of a port number frame in communication between a relay device and a server.

The present invention provides a relay apparatus having a terminal under its control and having a DNS-PROXY function.
When resolving a domain name for a single domain name, when a plurality of IP addresses specifying each server in a redundant server group consisting of a plurality of redundant servers are returned, the plurality of IP addresses are retained. A possible DNS cache;
Judgment is made as to whether or not a packet to establish a new session from the LAN side specifies one IP address having a plurality of IP addresses with the same domain name as the destination IP address in the DNS cache. A destination IP determination function unit to
If applicable, let the NAPT function unit change the destination IP address to the IP address of another redundant server held as the IP address for the same domain name in the DNS cache, thereby solving the above problem It was.

  This is because, in a portal site having a large number of accesses, access cannot be processed by a single server, and therefore, load distribution is achieved by providing a plurality of servers having the same domain. Such a redundant server group is composed of a plurality of servers having the same domain name but different IP addresses, and the contents provided as servers are basically set to be the same. For this reason, the same result is obtained as a terminal regardless of which of these redundant server groups is accessed. A plurality of IP addresses of such redundant server groups are registered together in the DNS server, and a plurality of IP addresses are returned in response to a DNS name resolution request.

  Therefore, a relay apparatus having a DNS-PROXY function is provided with a DNS cache that can hold the plurality of IP addresses together. Normally, it is sufficient to record one IP address for one domain name as a DNS cache. However, in the present invention, a plurality of IP addresses of redundant server groups registered for one domain name are stored. By recording, it becomes possible to change the IP address as the destination among those IP addresses. As a result, if the number of sessions for one redundant server in the redundant server group has reached the limit of the number of assigned port numbers, and if an attempt is made to construct a session, the redundant server with the same domain name By replacing the communication for the group with a session for another redundant server having a different IP address, the session can be established beyond the limit. Alternatively, before the limit is reached, the relay device may replace the destination so that the number of sessions is as uniform as possible for each redundant server constituting the redundant server group.

  In carrying out the present invention, the user of the terminal held by the relay apparatus is not particularly aware of anything. In order to access a server having a certain domain name as a terminal, it requests DNS name resolution from the relay device that becomes DNS-PROXY, and sends a packet with the returned IP address as the destination. The relay device that has received this relay changes the destination IP address of the packet as necessary and relays it, and also transmits a reply packet returned from the other redundant server to which the replacement is made. The original IP address is changed to the IP address of one redundant server originally designated by the terminal, and then the packet is transmitted to the terminal.

  Here, the number of sessions (that is, the number of port numbers) that the relay device can establish for the same destination IP address is limited by the number of lower-layer relay devices held by a higher-order relay device (for example, LSN). The assigned number may be specified in advance from a higher-level relay device, and a session may be established according to that number. In addition, when the relay device rejects a request to establish a session with a higher-level relay device, it detects that the number of sessions has reached the limit and changes the IP address using the destination IP determination function. May be implemented. When the relay device is directly connected to the Internet, there is no upper relay device. In this case, the number of sessions that can be established with respect to the server having the same IP address is 65536 as specified. It becomes.

  According to the present invention, in an environment in which a number of lower level relay devices are connected to a higher level relay device, the number of port numbers that can be allocated to individual lower level relay devices and terminals connected to the same server is limited. Thus, the upper limit of the number of sessions can be substantially expanded. When a new session is to be established for a single server from the lower level relay device side (ie, terminal side), if that server has multiple redundant server groups assigned to a single domain name, the redundancy By changing to the construction of a session to any one of the server groups, the upper limit value of the session can be substantially improved by multiplying the number of servers constituting the redundant server group.

Example of a network in which a relay device according to the present invention is installed Functional block diagram of the relay device according to the present invention DNS cache example diagram Example of session management table Flow diagram when the relay device according to the present invention resolves the DNS name FIG. 7 is a flowchart showing an example of processing when the relay device according to the present invention processes a packet from the LAN side to the WAN side. Extension of Fig. 6 FIG. 7 is a flowchart showing an example of processing when the relay apparatus according to the present invention processes a packet from the WAN side to the LAN side.

  Hereinafter, embodiments of a relay device according to the present invention will be described in detail. First, a situation in which the effect of the relay device according to the present invention is suitably obtained will be exemplified with reference to FIG.

  On the Internet 1, there is a redundant server group 11 having the same domain (for example, “www.example.co.jp”), and the servers 11a, 11b,. (Assuming “20.20.20.20” and “30.30.30.30”). A host relay device 12 is provided between the Internet 1 and a closed network 2 configured with IPv6. The upper level relay device 12 has one IPv4 global IP address (assuming that it is “40.40.40.40”. The lower level relay device 13 such as a home gateway connected to the closed network 2 Both share the same IPv4 global IP address (40.40.40.40) to the Internet 1. The same applies to the individual terminals 14 connected to the local area network 3 held by the individual relay devices 13. Share the IPv4 global IP address.

  The host relay device 12 is a host relay device having a NAT (NAPT) function, and is a gateway that relays all communications from the closed network 2 to the Internet 1. Accordingly, all of the relay devices 13 and, in turn, all communications connected to the Internet from the terminals 14 connected thereto are concentrated.

  The relay device 13 is a gateway device having the local area network 3 such as a home gateway functioning as a router, and has necessary functions to be described later as the relay device according to the present invention.

  A functional block diagram of the relay device 13 is shown in FIG. There is a LAN-side transmission / reception function unit 21 on the LAN side leading to the terminal 14, and a WAN-side transmission / reception function unit 22 is located on the WAN side leading to the upper relay apparatus 12. Specifically, these transmission / reception function units include a physical network interface and software such as a driver for controlling the physical network interface, and transmit / receive packets.

  Further, the relay device 13 has a DNS-proxy function unit 31 that functions as a DNS resolver in response to a DNS name resolution request from the terminal 14 side. The DNS-proxy function unit 31 performs domain name resolution for a DNS server (not shown) on the Internet 1. The relay device 13 has a DNS cache 32 that records the resolved domain name and IP address.

  An example of the DNS cache 32 is shown in FIG. FQDN indicates the domain name corresponding to the IP address. The IP address is an IP address of a server existing on the WAN side. The update time is the time when the entry information is updated. When there are a plurality of IP addresses returned by the DNS server for a single domain name, at least two IP addresses are recorded instead of only one. The number of records with the same domain name is not particularly limited, and all the returned IP addresses may be recorded. However, it is preferable that the search load of the DNS cache 32 is in an allowable range.

  Further, the relay device 13 includes a NAPT function unit 35 that converts an address and a port number for a packet exchanged between the closed network 2 and the local area network 3, and the NAPT function unit 35 is connected from the LAN side to the WAN side. A session management table 36 that is recorded at the time of packet conversion to and is referred to at the time of packet conversion from the WAN side to the LAN side.

  An example of the session management table 36 is shown in FIG. The source address on the LAN side is the local IP address of the terminal 14, and the destination address is the IP address of the redundant server 11a (20.20.20.20) obtained by inquiring the domain name of the redundant server group 11. is there. However, for sessions exceeding the set limit port number (here, 100), the IP address of the redundant server 11b (30.30.30.30), which is the second address recorded in the DNS cache 32, It has become.

  Further, the relay device 13 receives the IP address of one redundant server 11a (for example, “20.20.20.20”) of the redundant server group 11 in a packet for requesting a new session construction from the LAN side. It is determined whether or not it is designated as a destination, and if it meets a predetermined condition, the destination IP address is assigned to another redundant server 11b of the redundant server group held in the DNS cache. And a destination IP determination function unit 38 that passes the packet to the NAPT function unit 35 after being changed to an IP address (for example, “30.30.30.30”). However, the destination IP determination function unit 38 should always perform determination when receiving a packet from the LAN side to the WAN side. As a result, the condition for whether or not to change the IP address is the situation. It may be changed appropriately according to the situation.

The conditions for changing the address will be described together with the situation of the example of FIG.
The address on the closed network 2 side of the relay device 13 is an IPv6 IP address assigned by the upper relay device 12 or its attached server. In the local area network 3 partitioned by the relay device 13, a local IP address in IPv4 is assigned to each terminal by the relay device 13 to construct a network. Here, the relay device 13 is No. 1 to No. Take the situation where 655 units up to 655 are connected.

  When the upper relay device 12 accesses the redundant server group 11, the maximum port number that can be used as the transmission source port number is 65535, and here, each relay device 13 (No. 1 to No. 655) is used. ) Is assigned a number of 100 at a fixed value. Actually, this number varies depending on the number of connected relay devices 13, and the number of port numbers assigned with priority assigned to each relay device 13 may vary. Assuming that the fixed value is 100, the number of sessions that can be established from one relay device 13 to a single server (not shown) on the Internet 1 is the number assigned in the higher-level relay device 12. 100 is the limit number. However, for the redundant server group 11, since 100 sessions can be established for each redundant server 11a, 11b,..., (The number of redundant servers 11a etc. × 100) sessions are established. Can do.

  By the way, basically, when an application such as a browser of the terminal 14 requests domain name resolution, a session is constructed by receiving one IP address for one domain name. Therefore, the DNS-proxy function unit 31 that operates as a DNS resolver in response to a request from the terminal 14 receives a plurality of IP addresses from the DNS server for one domain name inquired from the terminal 14 and records them in the DNS cache 32. Even in such a case, the IP address returned to the terminal 14 may be one of them. Therefore, the application of the terminal 14 tries to establish a session for the one IP address (assuming 20.20.20.20) and sends a packet to the relay device 13. In response to this, the relay device 13 first constructs a session addressed to the redundancy server 11a corresponding to the first IP address as a session addressed to the redundancy server group 11, and the number of assigned port numbers. Will be used.

  In the first embodiment, when the destination IP determination function unit 38 receives a packet for requesting a new session construction from the LAN side, the destination IP determination function unit 38 stores the number of sessions for one redundant server 11a, that is, the session management table 36. It is first determined whether or not the number of records destined for the redundant server 11a to be recorded has reached the limit number assigned to the relay device 13. If the limit is reached, the DNS cache 32 is searched with the IP address to check whether there are different IP addresses with the same domain name. This different IP address is an address having a lower priority and not returned to the terminal 14. If there is, the packet addressed to the redundancy server 11a is changed to the packet addressed to the redundancy server 11b, which is another address corresponding to the same domain name recorded in the DNS cache 32, and sent to the WAN side. That is, in this embodiment, when the allocated number of sessions destined for one redundant server 11a is used up, sessions destined for the next redundant server 11b are sequentially constructed. If the redundant server group 11 is composed of three or more redundant servers 11a, 11b, 11c,..., The next redundant server 11b is used when the allocated number of sessions addressed to the redundant server 11b is used up in the same manner as described above. Sessions addressed to the server 10c, 11d,. In the session management table 36, as shown in the example of FIG. 4, a session is registered with the address changed by the destination IP determination function unit 38, and the packet from the redundant server 11b that is the changed destination is the NAPT function. The unit 35 performs processing as usual.

  As a second embodiment, when the destination IP determination function unit 38 receives a packet for requesting a new session construction from the LAN side to the WAN side, the destination IP determination function unit 38 shares a single domain name with the DNS cache 32. It is searched whether it is one of those registered as the IP address. If it matches, that is, it is a packet addressed to the redundancy server 11a, the number of sessions addressed to one redundancy server 11a recorded in the session management table 36 and the other redundancy servers 11b, 11c,. The number of sessions addressed is compared, and if it is addressed to a redundant server having a particularly large number of sessions than the other, it is changed to a packet addressed to another redundant server having a smaller number of sessions. That is, in this embodiment, resources for the number of sessions are distributed and access is made to each redundant server in a distributed manner. This embodiment is preferable in terms of load distribution of the redundant server group 11. As a determination of whether or not the number of sessions is particularly larger than the others, there is a case where the difference in the number of sessions is equal to or greater than a threshold value (for example, about 3, 5, 10). Also in the case of this second embodiment, it is preferable to check whether the number of sessions addressed to each redundant server 11x has reached the above limit number. If it is the packet of, it is better to unconditionally replace it with a packet addressed to another redundant server 11x. If the limit number is reached for all redundant servers 11x, the packet can only be discarded.

  Further, as an application form of the second embodiment, if the packet is a destination packet corresponding to one of a plurality of IP addresses corresponding to one domain name in the DNS cache 32, a session Regardless of the difference in the number of sessions in the management table 36, the address may be randomly changed to another redundant server 11x.

  In any of these embodiments, the upper relay apparatus 12 determines the number of sessions that the relay apparatus 13 can construct for the same server. Therefore, when operating such a closed network 2 composed of the higher-level relay device 12 and the relay device 13, regardless of which embodiment the relay device 13 is in the above-described embodiment, resources in a limited number of port numbers So that the limit number is optimally adjusted and transmitted to each relay device 13.

  Next, a specific operation mode example of the relay device 13 according to the present invention will be described with reference to the flowchart of FIG. However, the specific mounting form is not limited to this flow, and it is sufficient that the address can be changed within the range of the redundant server group 11 as described above.

  First, the cache update operation by the DNS-proxy function unit 31 will be described with reference to FIG. First (S101), a DNS name resolution request message transmitted when the terminal 14 newly accesses a server (including the redundant server group 11) is received via the LAN side transmission / reception function unit 21 (S102). The DNS-proxy function unit 31 transmits a message requesting resolution of the DNS name to a preset DNS server to the WAN-side transmission / reception function unit 22 (S103). When a DNS response message is received from the WAN side (S104), the response message is analyzed to obtain an IP address corresponding to the FQDN (S105).

  Then, the DNS cache 32 is updated for each combination of the FQDN and IP address acquired from the response message (S111 to S118). First, the DNS cache 32 is searched for an entry whose FQDN matches the FQDN acquired from the response message and whose IP address matches the IP address acquired from the response message (S112). If there is already an entry that matches the condition (S113 → Yes), the current time is set as the update time of the entry and the data is updated (S117). That is, since the inquiry is to an address that has already been inquired at the latest timing, only the date and time are updated. If no entry matching the condition exists in the DNS cache 32 (S113 → No), the entry is registered. However, at that time, it is determined whether the number of entries in the DNS cache 32 is less than the upper limit (S114). If the upper limit has not been reached, the process proceeds as it is (S114 → Yes), but if the upper limit has been reached (S114 → No), the entry with the oldest update time is deleted in advance (S115). Then, a new entry is added to the DNS cache 32, and the FQDN and IP address values acquired from the response message are set (S116). Then, the current time is set as the update time of the set entry (S117). The above processing is performed for all pairs of FQDNs and IP addresses acquired from the response message (S118 → S111). That is, when a plurality of IP addresses are returned for the inquired FQDN, the above steps are repeated for the number of IP addresses. When the cache update is completed, a DNS response message is transmitted to the terminal 14 (S119). The received terminal 14 receives the message, resolves the DNS name, and tries to establish a new session (S120). At this time, when the terminal 14 receives a plurality of IP addresses, it is an operation in a general personal computer or the like to attempt session construction using only the first IP address among them.

  Next, a relay process when a packet is transmitted from the terminal 14 that has resolved the DNS name toward the Internet 1 will be described with reference to the flowcharts of FIGS. 6 and 7. First (S201), the LAN side transmission / reception function unit 21 receives a packet (S202). The destination IP determination function unit 38 searches the session management table 36 to find the protocol, source IP address, destination IP address, source port number, destination port number, entry protocol, LAN side source address of the packet. Then, it is searched whether there is a matching entry for each of the LAN side destination address, the LAN side source port number, and the LAN side destination port number (S204). If there is an entry that matches the condition (S205 → Yes), it is sufficient to relay according to the entry, so it is passed to the NAPT function unit 35 as it is and the header information of the packet is changed as follows (S206). That is, the destination IP address, source IP address, destination port number, and source port number of the packet are respectively set to the WAN side source address, WAN side destination address, WAN side source port number, and WAN side destination port of the entry. Change to a number. The NAPT converted packet is transmitted from the WAN side transmission / reception function unit 22 (S207). In other words, in communication where a session has already been established, there is no need to perform IP address conversion according to the present invention. As a normal relay device, the packet is relayed and finished (S209).

  On the other hand, if there is no entry that matches the received packet (S205 → No), that is, if a new session is to be constructed, the processing moves to a process necessary for the present invention. The destination IP determination function unit 38 searches the session management table 36 to check the number of entries as follows (S211). That is, the packet protocol, destination IP address, and destination port number match the entry protocol, WAN-side source address, and WAN-side source port number, respectively, and the WAN-side destination address of the entry is the relay device. 13 is the entry that matches the WAN address of itself, or how many entries there are. This means that there is a session in which only the destination port number in the WAN side information of the entry does not match the source port number of the packet, and there is another session to the same server. It is also whether or not it already exists. If the number of hit entries has reached the upper limit value depending on the higher-level relay device 12 (S212 → No), the flow proceeds to the flow of S231 and later described (S213, FIG. 7). The upper limit value is a value notified from the upper relay apparatus 12 as the number of allocations.

  On the other hand, if the number of hit entries has not reached the upper limit (S212 → Yes), a port number that is not used as a WAN destination port number is arbitrarily selected in each entry that matches the condition. If the matching entry is 0, the port number can be arbitrarily selected within the range of 0 to 65535 (S214). After the selection, a new entry is added to the session management table 36 (S216). The contents are as follows. The protocol of the packet is set as the protocol of the entry. The source IP address, destination IP address, source port number, and destination port number of the packet are set in the source address, destination address, source port number, and destination port number on the LAN side of the entry, respectively. The source address, the destination address, the source port number, and the destination port number on the WAN side of the entry are the IP address of the packet, the WAN side address of the relay device 13, the destination port number of the packet, the selected port number, Is set (S216).

  Here, as shown in the example of FIG. 4, the information on the WAN side shows an example in which the items in the table are defined based on the concept of transmission and reception at the time when the relay device 13 receives on the WAN side. In terms of implementation, the transmission / reception items here may be reversed. However, since the session management table 36 is referred to at the time of reception from the WAN side to be described later, it is easier to understand the process if the entry is registered based on the WAN side standard.

  On that basis (S217 → S203), for the packet handled by the relay device 13 at that time, naturally, an entry in which the information on the LAN side matches the packet information has been generated. There is a matching entry (S204 → S205 → Yes), and the NAPT function unit 35 changes the header information of the packet according to the information of the entry registered immediately before (S206). Transmit (S207 → S209). The processing up to this point is basically the same as normal relay processing except that a check is made as to whether the upper limit value has been reached.

  Next, in S211, when the number of entries that match the condition has reached the upper limit (S212 → No → S213), that is, for the destination server, the port number frame allocated from the higher-level relay device 12 is used up. The case will be described. The flow mainly moves to FIG. 7 (S231).

  Perform error checking before processing. The DNS cache 32 is searched for whether there is an entry that matches the destination IP address of the packet and the LAN-side destination IP address of the entry (S232). If there is no entry, it is an unnatural state that there is no entry in the DNS cache 32 even though there is a record in the session management table 36, and the IP address according to the present invention cannot be changed. Since there is no way, the packet is discarded (S234), and the flow ends (S235 → S208 → S209, end). If the entry exists in the DNS cache 32, the value of the FQDN of the entry is substituted into the internal variable “destination domain name” (S241). After that, the change is examined within a certain range described in the DNS cache (S242). First, i = 1 is set (S242), and it is checked whether or not the FQDN of the i-th (here, the first) entry of the DNS cache 32 matches the “destination domain name” (S243). If they do not match (S243 → No), as long as DNS cache entries remain (S248 → Yes), i + 1 and the next entry (S249) are checked in the same manner (S243). If they match, the session management table 36 is searched for an entry that meets the following conditions (S244). That is, the protocol of the entry matches the protocol of the packet, the WAN-side source address matches the IP address of the i-th entry of the DNS cache being handled, and the WAN-side destination address matches the WAN-side address of the relay device 13 The number of entries that match and the WAN side source port number matches the destination port number of the packet is counted.

  If this entry exists (S245 → Yes), but the number of entries has reached the above upper limit (S246 → No), the IP address of the i-th entry has already been assigned by the higher-level relay device 12. Since the port number frame has been used up, the process proceeds to the next (i + 1) th check (S249-). This corresponds to the IP address of the packet that originally reached the upper limit value, as well as the port number for another IP address that has been changed to be distributed to another IP address according to the present invention. This also applies when the frame is used up.

  On the other hand, if the number of matching entries is 0 (S245 → No), the port number of the IP address of the i-th entry has not yet been used as an allocation destination overflowing from the port number frame. This means that there is sufficient free space, and that IP address can be the destination. If there is a matching entry (S245 → Yes) and the number of entries does not reach the upper limit (S246 → Yes), the IP address of the i-th entry is a part of the distribution destination. Although the port number assigned by the higher-level relay device 12 has not been used up yet, the IP address can be set as the destination. The distribution destination IP address shares the variable “destination domain name” with the destination IP address of the original packet, that is, a server that can provide the same content.

  Therefore, when it is determined that the IP address of the i-th entry can be used as a distribution destination (S247 → S215), the destination IP determination function unit 38 arbitrarily selects a usable port number (S214). Then, an entry of the packet is added to the session management table 36. The content is basically the same as S216 described above, but only the WAN source address is the IP address of the i-th entry. That is, an entry in which the LAN-side destination address and the WAN-side source address do not match is generated as in the entry described in the lower part of FIG. 4 (S216). After that (S217 → S203 → S204 → S205 → Yes), NAPT conversion is performed in accordance with the entry (S206), and the packet is not the redundant server designated by the terminal 14, but has the same domain name as that server. Is transmitted to another redundant server (S207).

  Finally, if no changeable entry is found even after searching up to the last entry (S248 → No), the packet cannot be relayed by the higher-level relay device 12 even if it is transmitted. (S251), the processing of the packet is terminated (S252 → S208 → S209).

  Next, processing when a packet is returned from the WAN side will be described using the flow of FIG. First, when a packet is received by the WAN side transmission / reception function unit 22 (S301) (S302), the NAPT function unit 35 determines from the session management table 36 whether there is an entry whose WAN side information matches the received packet. (S303). If it does not exist (S304 → No), it is discarded as an unknown packet (S305 → S308). If present, the NAPT function unit 35 sets the destination IP address, source IP address, destination port number, and source port number of the packet to the LAN side source address, LAN side destination address, LAN side of the entry. The source port number and the LAN side destination port number are converted. That is, the reply packet of the packet sent by the destination IP determination function unit 38 according to the entry in which the address of the server serving as the destination is changed is obtained from the original destination IP address registered in the session management table 36. The header is rewritten so as to be a reply packet of the message and transmitted to the LAN side (S307 → S308). Since the packet whose destination has not been changed by the destination IP determination function unit 38 is a packet from the server that is the original destination, the packet is actually transmitted to the LAN side without changing the source IP address. For this reason, the terminal 14 can obtain the content as initially specified and expected without considering any change in the destination server performed by the relay device 13.

  In the environment in which the present invention is implemented, the higher-level relay apparatus 12 assigns a packet from the one relay apparatus 13 to the same IP address and having the same destination port number but a different source port number. After receiving the number of port numbers received, the NAPT conversion is performed. If the upper limit has already been reached, the packet is discarded as a connection failure. However, by changing the destination IP address of the packet sent to the higher-level relay device 12 by the relay device 13 according to the present invention, the number of cases leading to such packet discard can be greatly reduced.

  Although the destination IP determination function unit 38 and the NAPT function unit 35 have been described separately in terms of the determination process, these function units are integrated to process the flow when the present invention is implemented. There may be.

  Further, in the above description, the case where the upper relay device 12 exists via the closed network 2 has been described as an example of the description. However, the relay device 13 itself is directly connected to the Internet 1 without the upper relay device 12, The present invention can be used even when there are a large number of terminals 14 under control. When a session that uses up the port of 65536 is established from a large number of terminals 14 to one redundant server 11a, similarly, to the redundant server 11b having the same domain name that has not yet established a session. By using packets, the relay device 13 can be stably connected to the redundant server group 11.

DESCRIPTION OF SYMBOLS 1 Internet 2 Closed network 3 Local area network 11 Redundant server group 11a, 11b, 11c, 11x Redundant server 12 Upper level relay apparatus 13 Relay apparatus 14 Terminal 21 LAN side transmission / reception function part 22 WAN side transmission / reception function part 31 DNS-proxy function Unit 32 DNS cache 35 NAPT function unit 36 session management table 38 destination IP determination function unit

Claims (4)

DNS-PROXY function unit that performs domain name resolution for communication from the LAN side;
A NAPT function unit that relays packets that change between the LAN side and the WAN side by changing addresses and port numbers;
A relay apparatus having a session management table in which a destination IP address, a source IP address, a destination port number, and a source port number are recorded on both the LAN side and the WAN side in order to execute the NAPT function;
When resolving a domain name for a single domain name and returning a plurality of IP addresses specifying each server of a redundant server group consisting of a plurality of redundant servers, the plurality of IP addresses are A DNS cache that can be stored in association with the domain name,
Judgment is made as to whether or not a packet to establish a new session from the LAN side specifies one IP address having a plurality of IP addresses with the same domain name as the destination IP address in the DNS cache. A destination IP determination function unit,
If applicable, a relay device that causes the NAPT function unit to change its destination IP address to the IP address of another redundant server held as an IP address for the same domain name in the DNS cache. The condition for relaying the received packet after executing the change of the destination IP address by the determination of the destination IP determination function unit is as follows:
In the session management table, when the number of entries where the destination IP address of the packet received from the LAN side matches the IP address specifying the redundant server that is the transmission destination exceeds a predetermined upper limit value. The relay device according to claim 1. The condition for relaying the received packet after executing the change of the destination IP address by the determination of the destination IP determination function unit is as follows:
In the session management table, an entry whose destination IP address is the IP address of one redundant server in the redundant server group is the destination IP address of the other redundant server in the redundant server group. The relay apparatus according to claim 1, wherein the difference is greater than or equal to a predetermined difference with respect to an entry as an address. A method of operating a closed network in which a plurality of relay devices according to claim 2 are provided and a host relay device connected to the Internet is provided,
A method of operating a closed network, wherein the upper limit value is a number corresponding to the number of port numbers assigned to the relay device from the upper relay device.

Images