JP2015159482A - Network device and communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily set a terminal connectable to an IP network.SOLUTION: A network device has a transfer section which: holds learning information indicating whether or not addresses of a plurality of terminals can be learned, address information indicating packets that the network device transfers, and filter information indicating whether or not packet transfer is permitted; and transfers the packets on the basis of at least one of the address information and the filter information. The transfer section, when receiving the packets from a terminal, determines on the basis of the learning information whether or not the network device can learn the address when receiving the packets. When the network device can learn the address, the network device stores the address of a transmission source of the received packets in the address information, and when network device cannot learn the address, the network device does not store the address of the transmission source of the received packets in the address information but determines on the basis of the address included in the filter information whether or not the received packets should be transferred.

Description

  The present invention relates to a network device.

  Currently, since an IP network is used, a widely used general-purpose product can be used. Therefore, when the network device does not place any restrictions, not only the intended terminal but also various terminals can easily connect to the IP network. Then, if an unintended terminal is connected to the IP network, there is a possibility that unauthorized data may flow through the IP network or security may be compromised.

  On the other hand, since the network device transfers the packet transmitted from the terminal to another terminal, the network device maintains a correspondence relationship between the interface (port) of the network device and the terminal. Adding or updating this correspondence is called address learning.

  Conventionally, in order to determine whether address learning is possible, a technique using a condition held by a network device has been proposed (see, for example, Patent Document 1). In Patent Document 1, “first information for identifying an authenticated terminal device is created according to a result of Web authentication for determining whether or not a terminal device connected to a network relay device can be connected to a specific network. A network relay device that manages whether or not the communication data between the terminal device and the node on the specific network can be relayed by the communication unit is described.

JP2012-080418A

  The network administrator needs to construct a secure network that prevents an unintended terminal from connecting to the IP network and prevents illegal data from flowing through the IP network. Then, the network administrator needs to let the network device learn an address so that a secure network is constructed.

  However, it is difficult for a general user to set a network device so that the data flowing into the IP network is restricted by the network device. This is because setting to the network device is complicated, and specialized and advanced knowledge is required for setting.

  Further, when using the technique of Patent Document 1, when using the technique of Patent Document 1, it is necessary to use an authentication function and a DHCP server, and specialized knowledge is required for network design and network device setting.

  It is an object of the present invention to provide an apparatus that can set a terminal that can be connected to an IP network without special network knowledge, and that can construct a secure IP network.

  According to an aspect of the present invention, when a network device is located between an IP network and a plurality of terminals and is connected to the plurality of terminals and receives a packet transmitted from the terminal, the terminal uses the received packet. A learning process for learning the address and generating address information, or a filtering process for controlling transfer of a received packet based on filter information indicating whether or not packet transfer is permitted.

  More specifically, according to one aspect of the present invention, a network device includes a processor and a memory, and has a network interface connected to a plurality of terminals and receiving packets transmitted from the plurality of terminals. And learning information indicating whether the network device can learn addresses of the plurality of terminals, address information indicating packets transferred by the network device, and whether transfer of the packets is permitted. A transfer unit that holds the filter information and transfers the packet based on at least one of the address information and the filter information, and the transfer unit receives the packet when receiving the packet from the terminal. Whether or not the network device can learn the address based on the learning information. When the work device can learn the address, the address of the source of the received packet is stored in the address information, and when the network device cannot learn the address, the address of the source of the received packet is stored in the address information. It is determined whether to transfer the received packet based on the address included in the filter information without storing.

  According to an embodiment of the present invention, a terminal that can be connected to an IP network can be easily set.

  Problems, configurations, and effects other than those described above will be clarified by the following description of embodiments.

It is a block diagram which shows the network system of a present Example. It is explanatory drawing which shows the address table of a present Example. It is explanatory drawing which shows the transfer table of a present Example. It is explanatory drawing which shows the filter table of a present Example. It is a flowchart which shows the process of the address management part when the packet of a present Example is received. It is explanatory drawing which shows the address table after storing the address of the transmission source of the address resolution request of a present Example. It is explanatory drawing which shows the transfer table after storing the address of a present Example newly. It is explanatory drawing which shows the filter table after storing the address of a present Example newly. It is explanatory drawing which shows the example of the screen which the input / output device of a present Example displays.

  The network device according to the present embodiment allows communication only with terminals connected when setting the IP network by permitting communication only with terminals that have communicated within a predetermined effective time.

  Hereinafter, the packet transfer apparatus according to the present embodiment will be described with reference to the drawings.

  FIG. 1 is a block diagram illustrating a network system according to the present embodiment.

  The network system of this embodiment includes a network 10, at least one packet transfer apparatus 100 (100a to 100c), at least one server 410, and a plurality of terminals 400 (400a to 400e). The network 10 is, for example, an IP network.

  The packet transfer apparatus 100 is installed in the network 10 and receives packets transmitted from the terminal 400 and the server 410. Further, the packet transfer device 100 receives a packet transmitted from another packet transfer device 100. The packet transfer apparatus 100 is a network apparatus having a processor.

  The terminal 400 is a computer having a processor, and may be, for example, a personal computer used directly by a user. The terminal 400 may be a terminal including a sensor for measuring temperature or the like, for example.

  The server 410 communicates with the terminal 400 via the packet transfer device 100. The server 410 is a computer having a processor. The server 410 may be, for example, a computer that provides a service by an application to the terminal 400, or may be a computer that collects and aggregates the results measured by the terminal 400 and provides the aggregated results to the user. Good.

  The server 410 may include an input / output device 500. The input / output device 500 is a device used by a user to input an instruction to the packet transfer device 100 via the server 410. The input / output device 500 is a device for outputting the processing result in the packet transfer device 100 to the user.

  The input / output device 500 is a device including a display, a printer, a keyboard, a mouse, or a tablet terminal, for example. Note that the input / output device 500 may be included in the packet transfer device 100.

  The packet transfer apparatus 100a shown in FIG. 1 is connected to a plurality of terminals 400 (400a, 400b) and a server 410. The packet transfer apparatus 100 includes a control unit 202, a transfer unit 300, and at least one interface 110.

  The control unit 202 includes a processor and a memory. The processor implements the function of the control unit 202 by executing a program held in the memory 204.

  The control unit 202 includes an address management unit 200 and at least one address table 201. The address management unit 200 is a functional unit that manages an address for transferring a packet transmitted and received between the terminal 400 and the server.

  The address management unit 200 receives an instruction 1501 from the user. The instruction 1501 is sent to the packet transfer apparatus 100 via the input / output device 500 using a console cable. Note that the notification from the input / output device 500 to the packet transfer device 100 may be packet communication via the interface 110.

  Note that the address management unit 200 may be implemented by a program, or may be implemented by a physical device such as an integrated circuit incorporated in the control unit 202. The control unit 202 may be implemented by a program, or may be implemented as a physical device such as an integrated circuit incorporated in the packet transfer apparatus 100.

  The address table 201 indicates the address of the terminal 400 or the server 410 that can communicate via the packet transfer apparatus 100. Further, the address table 201 of this embodiment holds learning information indicating whether the address management unit 200 can set an address in the address table 201. The address table 201 holds addresses that may be learned.

  The learning information in the present embodiment indicates whether or not the packet transfer apparatus 100 can learn an address. For example, the learning information may simply indicate “learnable” or “not learnable”, or may indicate the time during which an address can be learned as an effective time.

  Hereinafter, a case where the learning information included in the address table 201 is a valid time (a valid time 211 described later) will be described.

  The control unit 202 may hold the address table 201 in association with the interface 110. For this reason, the address table 201 may be set for each terminal 400 or server 410 to which the packet transfer apparatus 100 is connected, or set for each network segment composed of apparatuses having the same network address. Also good.

  The transfer unit 300 is a device for transferring a packet. The transfer unit 300 includes a processor and a memory. The transfer unit 300 includes a data transfer unit 303 as a functional unit, and holds a transfer table 301, a filter table 302, and an effective time 305 as information.

  The data transfer unit 303 may be implemented by a program, or may be implemented by a physical device such as an integrated circuit incorporated in the transfer unit 300. The transfer unit 300 may be implemented by a program, or may be implemented as a physical device such as an integrated circuit incorporated in the packet transfer device 100.

  The forwarding table 301 indicates the address of the terminal 400 or the server 410 that can communicate via the packet forwarding apparatus 100.

  The filter table 302 indicates a source address of a packet that is not transferred by the packet transfer apparatus 100.

  The valid time 305 corresponds to the valid time 211 set in the address management unit 200. Specifically, when the valid time 211 is set according to a user instruction, the data transfer unit 303 updates the valid time 305 based on the valid time 211 in the address table 201. When a plurality of valid times 211 are set corresponding to a plurality of interfaces 110, the valid time 305 may hold a value corresponding to the interface 110, or a value obtained by merging a plurality of valid times 211. May be.

  For example, when the valid time 211a indicating 1 o'clock to 3 o'clock and the effective time 211b indicating 2 o'clock to 4 o'clock are set in the address table 201, the data transfer unit 303 performs 1 o'clock to 3 o'clock and 2 o'clock to 2 o'clock The effective time 305 may be updated with a value indicating 1 o'clock to 4 o'clock by merging by converting 1 o'clock to 4 o'clock. Thereby, the amount of information held by the valid time 305 can be reduced.

  In addition, when the effective time 211 indicates “learning” or “learning impossible” instead of time, the data transfer unit 303 sets “learning” as the effective time 305 when at least one effective time 211 indicates “learning possible”. “Yes” may be held.

  In the present embodiment, the address of the address table 201 and the address of the transfer table 301 are the same. The address table 201 is a table for setting an address in the transfer table 301.

  In the present embodiment, learning of an address is to set an address in the address table 201 and store the address of the address table 201 in the transfer table 301.

  The interfaces 110 (110a and 110b) are network interfaces for connecting to the terminal 400 or the server 410. The interface 110 of this embodiment is, for example, a port. The interface 110 may be connected to the interface 110 of another packet transfer apparatus 100.

  The interface 110 may be connected to each of the network segments to which the terminal 400 or the server 410 belongs, may be connected to each of the terminals 400, or may be connected to each of the servers 410.

  In the following, the terminal 400a is assigned 192.168.168.1.1 as the IP address, and is further assigned 0000.1111.11401 as the MAC address. Further, the terminal 400b is assigned 192.168.168.1.2 as an IP address, and is further assigned 0000.1111.1402 as a MAC address. Also, the terminal 400a and the terminal 400b belong to one network segment whose upper 24 bits are the network address among the IP addresses, and the terminal 400a and the terminal 400b belong to one network segment whose network address is 192.168.1.0.

  The server 410 is assigned an IP address of 10.0.0.1 and a MAC address of 10000.11.11403. The network to which the server 410 belongs belongs to a different network segment from the network to which the terminal 400a and the terminal 400b belong. In the IP address of the server 410, the upper 8 bits are a network address, and the network address of the network segment to which the server 410 belongs is 10.0.0.0.

  FIG. 2 is an explanatory diagram showing the address table 201 of this embodiment.

  The address table 201 (201a, 201b) includes a valid time 211 (211a, 211b), an address 212 (212a, 212b), and a permitted address 213 (213a, 213b). The valid time 211 is a period during which an address can be set for the address 212.

  The valid time 211 may be specified by any method as long as it can indicate a predetermined period such as time, end time, or start time and end time. The valid time 211 may indicate the content of the learning information described above, and may indicate “learning is possible” or “learning is not possible”, for example.

  When the valid time is input as learning information from the user according to the instruction 1501, the address management unit 200 stores the valid time input in the valid time 211 of the address table 201. For example, when the valid time 211 does not include the start time and is specified by the time, the address management unit 200 stores the valid time input by the user in the valid time 211, and the valid time 211 indicates The time and address 212 can be updated.

  In addition, when “learnable” or “learning impossible” is input as learning information according to the instruction 1501, the address management unit 200 stores the value input in the valid time 211 of the address table 201.

  The address 212 indicates the address of the terminal 400 or the server 410 that can communicate via the packet transfer apparatus 100. The address 212 of this embodiment stores an IP address and a MAC address.

  The permitted address 213 indicates an address for which learning is permitted. Specifically, the permission address 213 indicates an address that can be set as the address 212. The permitted address 213 may indicate an address for which learning is not permitted.

  The memory 204 may have one address table 201 for one interface 110 or one address table 201 for a plurality of interfaces 110.

  That is, the memory 204 may have one address table 201 for the network segment to which the terminal 400 or the server 410 connected to the packet transfer apparatus 100 belongs, and the memory 400 of the terminal 400 connected to the packet transfer apparatus 100 One address table 201 may be provided for each.

  By having the address table 201 for the interface 110 and further having the valid time 211 for the interface 110, the user can cause the packet transfer apparatus 100 to learn the address for each of the interfaces.

  An address table 201a illustrated in FIG. 2 is an address table corresponding to a network segment to which the terminal 400a and the terminal 400b belong. An address table 201b shown in FIG. 2 is an address table corresponding to the network to which the server 410 belongs.

  Further, the address 212a shown in FIG. 2 indicates that there is no device permitted to communicate via the packet transfer device 100 in the network segment to which the terminal 400a and the terminal 400b belong. Also, the address 212b shown in FIG. 2 indicates that only the server 410 is permitted to communicate via the packet transfer apparatus 100 in the network segment to which the server 410 belongs.

  FIG. 3A is an explanatory diagram illustrating the transfer table 301 of this embodiment.

  The forwarding table 301 includes an interface 3011, an IP address 3012, and a MAC address 3013. An interface 3011 indicates the interface 110 of the packet transfer apparatus 100.

  An IP address 3012 is an IP address of a device connected to the interface 110 indicated by the interface 3011 and indicates an IP address of a device that communicates via the packet transfer device 100.

  The MAC address 3013 is a MAC address of a device connected to the interface 110 indicated by the interface 3011 and indicates a MAC address of a device communicating via the packet transfer device 100.

  The forwarding table 301 shown in FIG. 3A indicates that the packet forwarding apparatus 100 can transmit only packets destined for the server 410 from the interface 110b to which the network segment to which the server 410 belongs is connected.

  When the next hop to the destination of the packet received by the packet transfer apparatus 100 does not match the IP address 3012 and the MAC address 3013 indicated by the transfer table 301, the transfer unit 300 may discard the received packet. As a result, the data transfer unit 303 can prevent transfer of a packet to an address that has not been learned. And it is possible to prevent unauthorized data from flowing into the IP network.

  When the next hop to the destination of the packet received by the packet transfer apparatus 100 matches the IP address 3012 and the MAC address 3013 indicated by the transfer table 301, the data transfer unit 303 transfers the packet according to the destination of the packet.

  FIG. 3B is an explanatory diagram illustrating the filter table 302 according to this embodiment.

  The filter table 302 includes a filter check order 3021, a transmission source IP address 3022, a transmission source MAC address 3023, and a transfer permission 3024. The filter check order 3021 indicates the priority order in which the entries in the filter table 302 are adopted.

  Specifically, the data transfer unit 303 according to the present embodiment searches for entries in the filter table 302 in ascending order of the numbers in the filter check order 3021. When the address condition indicated by the entry matches, the data transfer unit 303 determines whether to transfer the packet according to the transfer permission 3024 of the matched entry. The data transfer unit 303 filters received packets using the filter table 302 and performs packet transfer control.

  The transmission source IP address 3022 indicates the transmission source IP address of the packet received by the packet transfer apparatus 100. The transmission source MAC address 3023 indicates the transmission source MAC address of the packet received by the packet transfer apparatus 100.

  The transfer permission 3024 indicates whether or not to permit transfer of a packet including the addresses of the transmission source IP address 3022 and the transmission source MAC address 3023 in the header.

  The memory 304 may have a filter table 302 for each network segment to which the terminal 400 or server 410 connected to the packet transfer apparatus 100 belongs, and for each terminal 400 or server 410 connected to the packet transfer apparatus 100. May be.

  3B is a filter table 302 for controlling connection from the network segment to which the terminal 400a and the terminal 400b belong. 3B is a filter table 302 for controlling connection from the network segment to which the server 410 belongs.

  3B indicates that the data transfer unit 303 does not transfer all packets transmitted from the network segment to which the terminal 400a and the terminal 400b belong. In addition, the filter table 302b illustrated in FIG. 3B indicates that the data transfer unit 303 does not transfer all packets other than the packet transmitted from the server 410 among the packets transmitted from the network segment to which the server 410 belongs.

  By using the filter table 302, the data transfer unit 303 can prevent a plurality of devices belonging to one network segment from resolving each other without address resolution by the packet transfer device 100.

  Specifically, when the terminal 400a and the terminal 400b belong to the same network segment, the terminal 400a directly transmits an address resolution request to the terminal 400b without transmitting a packet to the packet transfer apparatus 100, and the terminal 400a 400b MAC address can be resolved.

  Then, the terminal 400a transmits a packet to the MAC address of the terminal 400b, so that the terminal 400a and the terminal 400b can communicate with each other. However, in this case, the address management unit 200 of the packet transfer apparatus 100 cannot learn the IP addresses and MAC addresses of the terminals 400a and 400b.

  In addition, it is not desirable from the viewpoint of security that a plurality of devices belonging to one network segment transmit and receive packets to and from each other without address resolution by the packet transfer device 100.

  Therefore, when the packet transfer apparatus 100 according to the present embodiment receives a packet transmitted / received in one network segment within the valid time (the valid time 211 and the valid time 305), the packet transfer device 100 regards the packet as a valid packet, Learn the source address. Then, the data transfer unit 303 refers to the filter table 302 to transfer only the packet of the device that transmitted the packet during the valid time. The data transfer unit 303 filters packets received using the filter table 302 including addresses acquired by learning within the valid time, and performs packet transfer control.

  As a result, the packet transfer apparatus 100 can limit packet transfer when a packet transmitted from an address other than the learned address is received outside the valid time.

  Furthermore, the packet transfer apparatus 100 of the present embodiment learns the address of the address resolution request source when a plurality of apparatuses belonging to one network segment transmit address resolution requests to each other within the valid time. Therefore, the data transfer unit 303 transfers the address resolution request between the plurality of devices belonging to one network segment to the control unit 203 for the time indicated by the valid time 305.

  FIG. 4 is a flowchart illustrating processing of the address management unit 200 when the packet of this embodiment is received.

  In the following description, at the start of the processing shown in FIG. 4, the address table 201, the transfer table 301, and the filter table 302 are the address table 201 shown in FIG. 2, the transfer table 301 shown in FIG. 3A, and the filter shown in FIG. It is the same as the table 302.

  The terminal 400a transmits a packet toward the packet transfer apparatus 100. The packet transmitted from the terminal 400a to the packet transfer apparatus 100 includes an address resolution request and a packet transmitted to the terminal 400 belonging to the same network segment as the terminal 400a.

  The address resolution request includes the IP address and MAC address of the transmission source, and further includes the IP address of the packet transfer apparatus 100 as an address to be resolved. Note that the terminal 400 and the server 410 hold the IP address of the packet transfer apparatus 100 in advance.

  The data transfer unit 303 of the packet transfer apparatus 100 receives a packet via the interface 110. When a packet is received via the interface 110, the functional unit that controls the interface 110 or the transfer unit 300 adds the identifier of the interface 110 that has received the packet to the received packet.

  Then, when receiving the packet, the data transfer unit 303 refers to the valid time 305 and determines whether or not the received time is within the time indicated by the valid time 305 (S900).

  In the following description, the time when the packet is received is the time when the interface 110 receives the packet. However, the time at which the packet is received at S900 may be any time as long as it is from S110 when the interface 110 receives the packet to S900.

  When the valid time 305 holds a value corresponding to the interface 110, the data transfer unit 303 refers to the valid time 305 corresponding to the interface 110 that received the packet in S900.

  When the valid time 305 indicates “learnable” or “learnable”, the data transfer unit determines whether the valid time 305 is “learnable” in S900. The data transfer unit 303 executes S901 when “learning is possible”, and executes S1100 when “learning is not possible”.

  In S900, when the received time is within the time indicated by the valid time 305, the data transfer unit 303 determines whether the received packet is a packet destined for the packet transfer device 100 (a packet addressed to itself) or a transmission source. The IP address and the destination IP address are not packets destined for the packet transfer apparatus 100, and the source IP address and the destination IP address belong to the same network segment (reference packet), or others It is determined whether the packet is a packet (S901).

  In this embodiment, the terminal 400a and the terminal 400b use the upper 24 bits of the IP address as the network address, and the server 410 uses the upper 8 bits of the IP address as the network address. When the source IP address and the destination IP address belong to the same network segment, the network addresses of the source IP address and the destination IP address match.

  If the time when the packet is received in S900 is outside the time indicated by the valid time 305, or if it is determined that the packet is another packet in S901, the received packet is not an address learning target packet, so the data transfer unit 303 Advances to S1100.

  In the processing shown in FIG. 4, the data transfer unit 303 excludes packets transmitted / received between different network segments, not packets addressed to itself, from address learning target packet candidates. However, the data transfer unit 303 may omit S901 and may set all packets received within the valid time 303 as candidates for address learning target packets.

  The data transfer unit 303 refers to the filter table 302 and determines whether the received packet is a packet to be discarded (S1100). If the packet is to be discarded, the data transfer unit 303 discards the packet and further notifies the control unit 202 that a packet not registered in the filter table 302 has been received.

  The address management unit 200 of the control unit 202 displays on the input / output device 500 of the server 410 that a packet not registered in the filter table 302 has been received (S1007). If the data transfer unit 303 determines in step S1100 that the packet is not to be discarded, the process proceeds to step S1101.

  In step S1101, the data transfer unit 303 refers to the transfer table 301 and determines whether the destination next hop of the received packet is registered. If registered, the process proceeds to Yes in S1101, and the data transfer unit 303 transmits the packet to the destination. On the other hand, when the received packet is a packet to the next hop that is not registered, the data transfer unit 303 discards the packet, and further notifies the control unit 202 that the packet not registered in the transfer table 301 has been received. Notice.

  When the address management unit 200 of the control unit 202 is notified by the data transfer unit 303 that a packet that is not registered in the transfer table 301 has been received, it indicates that the packet that is not registered in the transfer table 301 has been received. The information is displayed on the input / output device 500 of the server 410 (S1007). In S1007, the address management unit 200 may generate a log indicating that a packet that should not be transferred has been received.

  If it is determined in S901 that the packet is addressed to itself, the data transfer unit 303 transfers the packet to the control unit 202 (S903).

  If it is determined in S901 that the received packet is a packet in the same network, the data transfer unit 303 refers to the received packet and acquires contents such as header information from the received packet (S902). The content acquired here includes the IP address and MAC address of the transmission source, the identifier of the received interface 110, and the like.

  In step S902, the data transfer unit 303 transfers the referenced packet according to the destination indicated by the packet.

  After S902, the data transfer unit 303 transfers the content acquired by reference to the control unit 202 as a packet (S903). This is because the packet transfer apparatus 100 according to the present embodiment considers a packet transmitted / received between two apparatuses belonging to the same network segment within a valid time as a packet by necessary communication, and learns the address of such a packet. Because. As a result, the packet transfer apparatus 100 can permit necessary communication within the same network segment.

  Note that the data transfer unit 303 acquires the contents of the packet by reference in step S902, but the packet may be duplicated.

  When the control unit 202 receives a packet from the data transfer unit 303, the address management unit 200 determines whether the received packet is a packet addressed to itself other than the address resolution request based on the header information included in the received packet. (S1000).

  If the received packet is a packet addressed to itself other than the address resolution request, the received packet is not subject to the processing shown in FIG. 4, and therefore the address management unit 200 ends the processing shown in FIG.

  When the received packet is an address resolution request or is a packet other than the address addressed to itself, the address management unit 200 refers to the identifier of the interface 110 added to the received packet, and sends it to the interface 110 that has received the packet. The corresponding address table 201 is specified. For example, when the transmission source of the received packet is the terminal 400a and the packet is received via the interface 110a, the address management unit 200 specifies the address table 201a corresponding to the interface 110a.

  Then, the address management unit 200 determines whether or not the time when the packet is received is within the valid time 211 (the valid time 211a in the above example) of the identified address table 201 (in the above example, the address table 201a). Is determined (S1001). Note that the time at which the packet is received at S1001 may be any time as long as it is from the time at which the interface 110 receives the packet to S1001.

  When the valid time 305 holds a value corresponding to the interface 110, the process of S1001 may be omitted.

  In S1001, when the time when the packet is received is within the valid time 211, the received packet is highly likely to be a packet whose address should be learned. For this reason, the address management unit 200 refers to the permitted address 213 of the identified address table 201, and determines whether or not the address of the transmission source of the received packet (the terminal 400a in the above example) should be learned. Determination is made (S1002).

  If it is determined in S1002 that the source address of the received packet should be learned based on the permitted address 213, it is permitted to learn the source address of the received packet. The device 100 learns the source address.

  For this reason, the address management unit 200 transmits the address of the transmission source of the received packet (in the above-described example, the terminal 400a) to the transfer unit 300 by executing S1003 to S1006, and learns it. By using the permitted address 213, only the address designated by the user can be learned by the packet transfer apparatus 100.

  If it is determined in S1001 that the time when the packet is received is not within the valid time 211, or if it is determined in S1002 that the packet transmission source address should not be learned, the address management unit 200 Does not learn the address of the received packet and discards the received packet.

  Then, the address management unit 200 outputs that a packet whose address should not be learned has been received (S1007). For example, in S1007, the address management unit 200 has received an address resolution request outside the valid time, or has received a packet transmitted from an unauthorized device to another device in the same network segment, etc. Is displayed on the input / output device 500 of the server 410.

  The address management unit 200 may generate a log indicating that a packet whose address should not be learned is received in S1007. As a result, the user can recognize that the address resolution request has been received outside the valid time period, or that a packet has been transmitted from an unauthorized device to another device in the same network segment.

  The address management unit 200 adds the IP address and MAC address of the transmission source of the received packet to the address 212 (specifically, address 212a) of the address table 201 referenced in S1001 (S1003).

  FIG. 5 is an explanatory diagram illustrating the address table 201 after storing the address of the address resolution request source according to this embodiment.

  An address 212a illustrated in FIG. 5 is the address 212a after the processing of S1003, and holds the IP address and MAC address of the terminal 400a. The address table 201 other than the address 212a shown in FIG. 5 is the same as the address table 201 shown in FIG.

  After S1003, the address management unit 200 transmits the contents of the address 212 to the data transfer unit 303, and the data transfer unit 303 updates the transfer table 301 based on the received contents of the address 212 (S1004). In step S <b> 1004, the data transfer unit 303 stores the identifier of the interface 110 corresponding to the address table 201 in association with the IP address and MAC address of the address 212 in the transfer table 301.

  The data transfer unit 303 may add an address to the transfer table 301 based on the entry added in S1003, or may update the transfer table 301 based on all the addresses 212. Through the process of S1004, the packet transfer apparatus 100 learns an address.

  In step S1004, the data transfer unit 303 identifies the filter table 302 using the interface 110 added to the received packet. Then, the transmission source address of the received packet is stored in the specified filter table 302. The data transfer unit 303 may update the filter table 302 based on all the addresses 212, or may update the filter table 302 based on the entry added to the address 212 in S1003.

  Further, the data transfer unit 303 stores a value indicating that the added entry is applied with the highest priority in the filter check order 3021 of the newly added entry, and a value indicating that transfer is permitted to the transfer permission 3024 Is stored.

  FIG. 6A is an explanatory diagram illustrating the transfer table 301 after the address of this embodiment is newly stored.

  The transfer table 301 illustrated in FIG. 6A includes “terminal connection interface” as the identifier of the interface 110a in the interface 3011 of the terminal 400a.

  FIG. 6B is an explanatory diagram illustrating the filter table 302 after the address of this embodiment is newly stored.

  In the filter table 302 shown in FIG. 6B, the address of the transmission source of the terminal 400a is stored, and “permitted” is stored in the transfer permission 3024. Note that the filter table 302b illustrated in FIG. 6B and the filter table 302b illustrated in FIG. 3B are the same.

  By storing the source address of the received packet in the filter table 302 in S1004, the data transfer unit 303 does not transfer a packet transmitted from a device other than the filter table 302 outside the valid time, and the user Communication between unintended devices can be restricted.

  After S1004, the address management unit 200 determines whether the received packet is a request for resolving the IP address of the own device (S1005). The address management unit 200 determines whether the received packet is a request for resolving the IP address of the own device, according to the content of the header of the received packet.

  When the received packet is a request for resolving the IP address of the own device, the address management unit 200 returns the MAC address of the packet transfer device 100 to the terminal 400 that has transmitted the address resolution request (S1006). After S1006, the address management unit 200 ends the process shown in FIG.

  If it is determined in S1005 that the received packet is not a request for resolving the IP address of the own device, the address management unit 200 ends the process illustrated in FIG.

  Through the processing of S1003 to S1006, the packet transfer apparatus 100 can learn the address resolution request received within the valid time or the source address of the packet transmitted between apparatuses in the same network segment. A device connected to the packet transfer device 100 can transmit and receive packets via the packet transfer device 100.

  Specific examples are shown below. 4, when the address of the terminal 400a is learned by the packet transfer apparatus 100 and a packet is received from the terminal 400a outside the valid time, the data transfer unit 303 uses the terminal 400a according to the transfer table 301 and the filter table 302. Forward packets received from.

  However, when a device whose address has not been learned by the process shown in FIG. 4 (for example, the terminal 400b) transmits a packet to the packet transfer device 100 outside the valid time, the address of the terminal 400b is stored in the filter table 302. Therefore, the data transfer unit 303 does not transfer the packet transmitted from the terminal 400b.

  Even when the terminal 400a and the terminal 400b belong to the same network segment, the packet transfer apparatus 100 can restrict transmission of packets from the terminal 400b to the terminal 400a if the address of the terminal 400b is not learned within the valid time. . This improves security even in the same network segment.

  If the destination address is not stored in the transfer table 301 and the data transfer unit 303 receives a packet addressed to an address not stored in the transfer table 301 within the valid time 211, the data transfer is performed. The unit 303 and the address management unit 200 may transmit an address resolution request to an address not registered in the transfer table 301.

  Specifically, the data transfer unit 303 notifies the address management unit 200 that the address of the terminal 400a is not set in the transfer table 301. When receiving an unset notification, the address management unit 200 transmits an address resolution request to the terminal 400a in order to resolve the MAC address of the terminal 400a. This address resolution request includes the IP address of the terminal 400a.

  When receiving an address resolution request from the packet transfer apparatus 100, the terminal 400a responds to the packet transfer apparatus 100 with its own MAC address. When receiving the MAC address from the terminal 400a, the packet transfer apparatus 100 stores the IP address and the MAC address of the terminal 400a in the address table 201. Also, the packet transfer apparatus 100 causes the data transfer unit 303 to register the IP address and MAC address of the terminal 400a in the transfer table 301.

  FIG. 7 is an explanatory diagram illustrating an example of a screen displayed by the input / output device 500 according to the present embodiment.

  The input / output device 500 displays screens 510 to 540. A screen 510 is a screen for the user to input the valid time 211. A screen 530 is a screen for deleting an address learned by the user. A screen 540 is a screen for setting an address to the permitted address 213.

  When the address table 201 holds the learning information indicating whether the packet transfer apparatus 100 can learn the address as the valid time 211, the screen 510 displays, for example, “learning possible” or “learning impossible” by the user. This is a screen for input.

  Screen 510 includes areas 511 to 520. An area 511 is an area for designating the interface 110 to which the valid time is applied on the screen 510. Areas 512 and 516 are areas for inputting valid times.

  An area 512 is an area for inputting a start time and an end time as valid times. The region 512 includes a region 513 to a region 515 and a region 520. An area 513 is an area for inputting a start time, and an area 514 is an area for inputting an end time.

  An area 520 is an area for inputting a day of the week or a date. When the day of the week is set in the area 520, the time from the start time of the area 513 to the end time of the area 514 on the set day of the week is designated as the address learning time.

  When the date is set in the area 520, the time from the start time of the area 513 to the end time of the area 514 in the set date is specified as the address learning time.

  Further, when at least one of year, month, and day is set in the area 520, the time from the start time of the area 513 to the end time of the area 514 in the period set in the area 520 is designated as the learning period, for example When only the month and day are set in the area 520, the time from the start time of the area 513 to the end time of the area 514 in the month and day set every year is designated as the address learning time.

  An area 515 is a button for reflecting the valid time input to the areas 513 and 514 in the valid time 211 of the packet transfer apparatus 100.

  An area 516 is an area for inputting time as an effective time. The region 516 includes a region 517 and a region 518. An area 517 is an area for inputting a time from the current time.

  An area 518 is a button for starting an effective time. When the area 518 is operated, the packet transfer apparatus 100 learns an address for the time input to the area 517 from the time of operation.

  An area 519 is a button for deleting the valid time. When the area 519 is operated by the user, the address management unit 200 deletes the value of the valid time 211 set corresponding to the interface 110 indicated by the area 511. By deleting the valid time 211, the packet transfer apparatus 100 does not learn an address from a packet received via the corresponding interface 110.

  The screen 510 allows the user to set the valid time of the present embodiment for learning the address. For this reason, the packet transfer apparatus 100 can learn a necessary address even if the user does not have advanced technology for the network.

  The valid time can be arbitrarily set on the screen 510, and the valid time can be deleted. This makes it possible to set a period during which no address is learned and improve security.

  When the valid time 211 is set on the screen 510, the address management unit 200 identifies the address 212 of the address table 201 in which the valid time 211 is newly set, and the address stored in the identified address 212 is The address 212, the transfer table 301, and the filter table 302 may be deleted. This is because only address learning within the set effective time 211 is enabled. The address management unit 200 instructs the data transfer unit 303 to delete addresses from the transfer table 301 and the filter table 302.

  Screen 530 includes regions 531 to 536. An area 531 is a button for deleting all the addresses stored in the address 212 of the address table 201, the transfer table 301, and the filter table 302.

  An area 532 is an entry for inputting an address to be deleted from the address 212, the transfer table 301, and the filter table 302. Region 532 includes regions 533 to 536.

  Areas 533 and 534 are areas for inputting the address 212, the IP address and the MAC address to be deleted from the forwarding table 301 and the filter table 302. An area 535 is an area for inputting a network segment of an address to be deleted from the address 212, the transfer table 301, and the filter table 302.

  An area 536 is a button for deleting an address from the address table 201 and the transfer table 301 according to the address input to the area 533 to the area 535.

  Screen 540 includes areas 541 to 544. An area 541 is an area for designating the interface 110 to which the permitted address is applied on the screen 540.

  An area 542 is an area for setting the IP address of the permitted address 213. An area 543 is an area for setting the MAC address of the permitted address 213. The area 544 is an area for setting the value specified in the area 542 and the area 543 to the permitted address 213 of the address table 201.

  By setting the permitted address 213 via the screen 540, the user can prevent the packet transfer apparatus 100 from learning an unnecessary address.

  According to the present embodiment, the packet transfer apparatus 100 learns an address for a specific packet during the valid time 211 set by the user. Therefore, a terminal that can be connected to the IP network can be set even if the user does not have special network knowledge.

  Further, the data transfer unit 303 has a filter table 302 indicating addresses permitted as a transmission source, and can use the filter table 302 to identify an unauthorized packet from packets transmitted outside the valid time 211. . The data transfer unit 303 does not transfer illegal packets.

  That is, the filter table 302 is a white list indicating addresses that are generated as a result of address learning and are permitted to be transferred. When the address learning is stopped, the packet transfer apparatus performs filtering on the received packet based on the created white list and controls whether or not to transfer. As a result, the data transfer unit 303 can provide a device that enables construction of a secure IP network.

  In addition, this invention is not limited to the above-mentioned Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described.

  The above-described configurations, functions, processing units, procedures, and the like may be realized in hardware by designing a part or all of them, for example, with an integrated circuit. The above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function is stored in a recording device such as a memory, a hard disk, or an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD. Can do.

  Further, the control lines or information lines indicate what is considered necessary for the explanation, and not all the control lines or information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

100 packet transfer device 110 interface 200 address management unit 202 control unit 201 address table 300 transfer unit 301 transfer table 302 filter table 303 data transfer unit 400 terminal 410 server

Claims (15)

A network device,
A processor and a memory;
Connected to multiple devices,
A network interface for receiving packets transmitted from the plurality of terminals;
Learning information indicating whether the network device can learn addresses of the plurality of terminals;
Address information indicating a packet transferred by the network device;
Filter information indicating whether or not transfer of the packet is permitted, and
A transfer unit that transfers a packet based on at least one of the address information and the filter information;
The transfer unit is
When a packet is received from a terminal, whether the network device can learn the address when receiving the packet is determined based on the learning information,
If the network device can learn an address, store the address of the source of the received packet in the address information,
If the network device cannot learn an address, it does not store the source address of the received packet in the address information, but determines whether to transfer the received packet based on the address included in the filter information A network device characterized by the above. The network device according to claim 1,
The learning information indicates an effective time during which the network device can learn addresses of a plurality of terminals,
The transfer unit is
When receiving a packet from the terminal, further determine whether the source and destination of the received packet belong to the same network segment,
If the packet is received within the valid time, and the source and destination of the received packet belong to the same network segment, obtain the address of the source of the received packet;
The network apparatus characterized in that the acquired transmission source address is stored in the address information. The network device according to claim 1,
The transfer unit is
When the network device can learn an address, the transmission source address of the received packet is stored in the filter information as an address of the packet that is permitted to be transferred,
The network apparatus, wherein the network apparatus cannot learn an address and does not transfer the received packet when the address of the transmission source of the received packet is different from the address included in the filter information. The network device according to claim 1,
The transfer unit is
If a packet is received within the valid time, obtain the source address of the received packet;
The network apparatus characterized in that the acquired transmission source address is stored in the address information. The network device according to claim 4, wherein
The packet received from the terminal includes an address resolution request,
The network device has a plurality of network interfaces to which the plurality of terminals are connected,
The learning information indicates whether the plurality of network interfaces can learn addresses,
The transfer unit is
When the network interface capable of learning the address receives a packet including an address resolution request, the address of the terminal that transmitted the address resolution request is stored in the address information,
If the network interface that cannot learn the address receives a packet including an address resolution request, and the source address of the received packet is different from the address included in the filter information, the received packet is not transferred. A network device characterized by the above. The network device according to claim 4, wherein
An output interface that outputs a notification to the user;
And a control unit that outputs, via the output interface, that the packet has been received in a state where the address cannot be learned when the network device cannot learn an address. The network device according to claim 1,
The network device is:
Having permission information indicating whether or not learning of the address is permitted;
If the network device can learn the address, determine whether or not learning the source address of the received packet is permitted based on the permission information,
When the control unit determines that learning of the source address of the received packet is permitted, the transfer unit stores the source address of the received packet in the address information. Feature network device. The network device according to claim 7, wherein
It has an input interface that accepts user instructions,
The network device according to claim 1, wherein the control unit updates the permission information in accordance with the user instruction received via the input interface. The network device according to claim 1,
An input interface that accepts user instructions;
And a control unit that updates or deletes the learning information in accordance with the user instruction received via the input interface. A communication method using a network device,
The network device is:
A processor and a memory;
Connected to multiple devices,
A network interface for receiving packets transmitted from the plurality of terminals;
Learning information indicating whether the network device can learn addresses of the plurality of terminals;
Address information indicating a packet transferred by the network device;
Filter information indicating whether or not transfer of the packet is permitted, and
The method
The processor includes a transfer procedure for transferring a packet based on at least one of the address information and the filter information;
The transfer procedure is:
When receiving a packet from a terminal, the processor determines, based on the learning information, whether the network device can learn the address when the packet is received;
When the network device can learn an address, the processor stores a source address of the received packet in the address information;
If the network device cannot learn an address, the processor does not store the source address of the received packet in the address information, and forwards the packet based on the address included in the filter information. A communication method characterized by comprising. The communication method according to claim 10, comprising:
The learning information indicates an effective time during which the network device can learn addresses of a plurality of terminals,
The transfer procedure is:
When the network interface receives a packet from the terminal, the processor further determines whether the source and destination of the received packet belong to the same network segment;
When the network interface receives the packet within the valid time and the source and destination of the received packet belong to the same network segment, the processor acquires the address of the source of the received packet Procedure and
And a procedure in which the processor stores the acquired transmission source address in the address information. The communication method according to claim 10, comprising:
The transfer procedure is:
When the network device can learn an address, the processor stores the address of the source of the received packet in the filter information as the address of the packet that is permitted to be transferred;
Including a procedure in which the processor does not transfer the received packet when the network device cannot learn an address and the source address of the received packet is different from the address included in the filter information. A communication method characterized by the above. The communication method according to claim 10, comprising:
The transfer procedure is:
If the network device can learn an address, the processor obtains a source address of the received packet; and
And a procedure in which the processor stores the acquired transmission source address in the address information. The communication method according to claim 13, comprising:
The packet received from the terminal includes an address resolution request,
The network device has a plurality of network interfaces to which the plurality of terminals are connected,
The learning information indicates whether the plurality of network interfaces can learn addresses,
The transfer procedure is:
When the network interface capable of learning the address receives a packet including an address resolution request, the processor stores the address of the terminal that has transmitted the address resolution request in the address information;
When the network interface that cannot learn the address receives a packet including an address resolution request, and the transmission source address of the received packet is different from the address included in the filter information, the processor receives the packet And a procedure that does not transfer the communication method. The communication method according to claim 13, comprising:
The network device has an output interface for outputting a notification to a user;
The method includes a control procedure for outputting, via the output interface, that the processor has received the packet in a state where the address cannot be learned when the network device cannot learn the address. Communication method.

Images