JP2015173374A - Relay device, relay method and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a relay device etc. capable of reducing unnecessary traffic when a terminal, operable using a plurality of communication methods, accesses a destination which is inaccessible by a part of the communication methods.SOLUTION: The relay device includes: first communication control means for controlling communication to a first network; second communication control means for controlling communication to a second network; and relay control means for receiving a first packet from the first network, and judging whether the destination of the first packet is accessible, on the basis of access capability/incapability information which includes information representing a destination which is accessible or inaccessible through the second network, and when the destination of the first packet is the inaccessible destination, transmitting, to the transmission source of the first packet, a notification packet for prompting communication with a communication method which is different from the communication method with which the first packet is transmitted.

Description

  The present invention relates to a communication packet relay apparatus in a communication system using an information processing apparatus (computer).

  In a communication network environment in which both IPv4 (IP version 4) and IPv6 (IP version 6), which are a kind of Internet protocol (IP), can operate simultaneously, a node has both IPv4 and IPv6 addresses.

  In such a network, in general, when a terminal obtains both IPv4 and IPv6 addresses by name resolution when accessing a server, it tries to access by both IPv4 and IPv6. For example, the terminal first accesses the IPv6 address of the server using IPv6. When the access using IPv6 fails, the terminal retries access to the IPv4 address using IPv4. That is, when a terminal first accesses with IPv6 to a destination that cannot be accessed with IPv6, a connection request to the IPv6 network and a failure response packet are generated, resulting in an increase in traffic to the network. .

  As another method, there is also a method in which the terminal always tries to access both addresses in order to reduce the waiting time. However, this method also has a problem that traffic to the network increases more than necessary. That is, there is a problem that a terminal that can operate in a plurality of communication schemes increases traffic due to unnecessary access to a destination that is inaccessible in some communication schemes.

  As a related technique for such a problem, Patent Document 1 provides a relay device capable of relaying both IPv4 and IPv6 communications between a user terminal and a web server, and the relay device replaces the user terminal. A technique for confirming the responsiveness of a web server is disclosed.

  The relay device described in Patent Document 1 includes a DNS (Domain Name Server) -proxy function unit and a responsiveness measurement unit. First, the DNS-proxy function unit relays the DNS request received from the user terminal, and receives both versions of the IP address from the DNS server as a response to the request. Next, the responsiveness measurement unit confirms the responsiveness of the web server at the IP address by trying to access each IP address. Finally, the DNS-proxy function unit selects a version of an IP address for which a response can be measured or a better response quality, and returns the IP address to the user terminal. As a result, this relay server can save the user terminal from trying to connect to both versions of the IP address. In Patent Document 1, there is a description that it is desirable not to leave a cache of responsiveness measurement results because the communication quality of the network changes.

  Patent Document 2 discloses a network connection control system in which a transfer device performs route selection according to a transfer policy for each provider in an access IP network operated as a shared infrastructure by a plurality of carriers. . An access IP network is an access IP network provider network that transfers packets transmitted from user devices in the IP layer.

  In the control system described in Patent Document 2, a network connection control device and a transfer device are provided. The network connection control device assigns an IP address to the user device according to the group to which the user belongs. The transfer device selects an optimal transfer route according to a transfer policy based on the source IP address of the packet to be transferred. Thereby, it is possible to reduce unnecessary traffic in the access IP network.

JP 2013-192156 A JP 2009-218926 A

  However, the technique disclosed in Patent Document 1 has a problem that it takes time until the user terminal receives a DNS request response because the relay apparatus confirms the responsiveness instead of the user terminal. Further, in the relay device described in Patent Document 1, since the cache of the response measurement result is not left, the user terminal is affected by such a response time delay for all DNS requests. That is, the relay device described in Patent Document 1 cannot solve the problem of time required for access to an inaccessible destination in some communication methods.

  In addition, since the network connection control system disclosed in Patent Document 2 includes a network connection control device related to IP address assignment, there is a problem that the practitioner is limited to a business operator who operates the network.

  One object of the present invention is to provide a relay device capable of reducing unnecessary traffic that occurs when a terminal operable in a plurality of communication systems accesses an inaccessible destination in some communication systems. And so on. Another object of the present invention is to provide a relay device that can be used by anyone other than the network operator.

  In order to achieve the above object, a relay apparatus according to the present invention has the following configuration.

That is, the relay device according to the present invention is
First communication control means for controlling communication to the first network performed by a plurality of communication methods;
Second communication control means for controlling communication to the second network performed by a plurality of communication methods;
Access permission information including information indicating a destination that receives the first packet from the first network via the first communication control means and is accessible or not accessible via the second network. To determine whether the destination of the first packet is accessible, based on
When the destination of the first packet is an accessible destination, the first packet is relayed to the second network via the second communication control means;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent via the first communication control unit. Relay control means for transmitting to the transmission source of the first packet.

In order to achieve the above object, the relay method according to the present invention is performed by an information processing device.
Receiving a first packet from a first network;
Determining whether the destination of the first packet is accessible based on accessibility information including information representing a destination that is accessible or not accessible via the second network;
If the destination of the first packet is an accessible destination, relay the first packet to the second network;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent to the transmission source of the first packet. Send to.

  The same object is also achieved by a relay device having the above-described configurations and a corresponding method by a computer program for realizing the method by a computer, and a computer-readable storage medium storing the computer program. Is done.

  The present invention provides a relay device capable of reducing unnecessary traffic that occurs when a terminal operable by a plurality of communication methods accesses a destination that is inaccessible in some communication methods. There is an effect that can be done.

It is a block diagram which shows the structure of the relay apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram which shows an example of the communication environment in the network system which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the relay apparatus which concerns on the 2nd Embodiment of this invention. It is a sequence diagram which shows an example of communication in the network system which concerns on 2nd Embodiment. It is a block diagram which shows an example of the communication environment in the network system which concerns on the 3rd Embodiment of this invention. It is a block diagram which shows the structure of the relay apparatus which concerns on the 3rd Embodiment of this invention. It is a sequence diagram which shows an example of communication in the network system which concerns on 3rd Embodiment. It is a figure which shows an example of the management information 110 in 3rd Embodiment. It is a sequence diagram which shows an example of communication in a general network system. It is a figure which illustrates the structure of the computer (information processing apparatus) applicable to each embodiment of this invention and the network system which concerns on the modification.

  Next, embodiments of the present invention will be described in detail with reference to the drawings.

<First Embodiment>
FIG. 1 is a block diagram showing a configuration of a relay device according to the first embodiment of the present invention. Referring to FIG. 1, the relay device 1 according to the present embodiment includes a first communication control unit 2, a second communication control unit 3, a relay control unit 4, and a storage device 5.

  The relay apparatus 1 may be configured by a general information processing apparatus (computer) that operates under the control of a computer program (software program) executed using a CPU (Central Processing Unit: not shown). Alternatively, each unit of the relay device 1 may be configured by a dedicated hardware device or a logic circuit. A hardware configuration example in which the relay device 1 is realized by a computer will be described later with reference to FIG.

  The storage device 5 can store access permission information 6. The storage device 5 is realized by, for example, a semiconductor memory device or a disk device.

  The access permission / inhibition information 6 includes information indicating a destination that is accessible or inaccessible via the second network 1001. That is, the accessibility information 6 includes information indicating the reachability (Reachability) from the relay apparatus 1 via the second network for each address.

  The first communication control unit 2 can control communication between a node (not shown) and the relay device 1 via the first network 1000. The first communication control unit 2 can communicate with the first network 1000 by a plurality of communication methods. That is, the first communication control unit 2 can control communication with the first network 1000 performed by a plurality of communication methods.

  The second communication control unit 3 can control communication between a node (not shown) and the relay device 1 via the second network 1001. The second communication control unit 3 can communicate with the second network 1001 by a plurality of communication methods. That is, the second communication control unit 3 can control communication with the second network 1001 performed by a plurality of communication methods.

  The first network 1000 and the second network 1001 are realized by the Internet or a local area network (LAN), for example.

  The relay control unit 4 can receive the first packet from the first network 1000 via the first communication control unit 2. The relay control unit 4 determines whether the destination of the received first packet is accessible based on the accessibility information 6. When the destination of the first packet is an accessible destination, the relay control unit 4 relays the first packet to the second network via the second communication control unit.

  Further, when the destination of the first packet is an inaccessible destination, the relay control unit 4 indicates that communication is performed using a communication method different from the communication method that transmitted the first packet. Prompt (guide). For example, the relay control unit 4 sends a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet, via the first communication control unit 2, to the transmission source of the first packet. May be sent to. In this case, the relay control unit 4 returns a notification packet to the transmission source of the first packet without transmitting (relaying) the first packet for the inaccessible destination to the second network 1001.

  In this way, the transmission source node of the first packet does not wait for a time until the first packet is actually relayed to the second network 1001 and an access failure response is returned, and the destination is You can recognize that it is unreachable.

  As described above, according to the present embodiment, when a terminal (not shown) connected to the first network 1000 transmits a packet for an inaccessible destination, the relay device 1 transmits the packet to the second network 1001. Without transmitting the packet, it can be notified that the packet is unreachable. As a result, it is possible to reduce unnecessary traffic that occurs when a terminal operable by a plurality of communication methods accesses a destination that is inaccessible in some communication methods.

  The reason is that the relay control unit 4 receives a packet (first packet) from the terminal via the first communication control unit 2, and the destination of the received packet is accessed based on the accessibility information 6. This is because it is determined whether it is possible. This is because when the destination of the received packet is inaccessible, the relay control unit 4 can notify that the packet cannot reach the destination by prompting the change of the communication method. As a result, the relay device 1 does not perform unnecessary access to an inaccessible destination, thereby suppressing the increase in traffic of the second network 1001.

  Further, according to the present embodiment, the terminal that has transmitted the first packet for the inaccessible destination can shorten the time for waiting for an access failure response returned from the second network. For example, a terminal operable by a plurality of communication methods reduces the waiting time that occurs when a destination that cannot be accessed first is accessed, so that the terminal can finally access a destination that can be accessed. Time to try can be shortened. That is, according to this embodiment, there is an effect that the terminal can quickly access the target node.

  The reason is that the relay control unit 4 prompts the transmission source terminal to change the communication method without transmitting the packet for the inaccessible destination to the second network 1001.

  In addition, according to the present embodiment, since a special function implemented in the network connection control device related to IP address assignment is not included, the relay device according to the present invention can be used in addition to the network operator.

  In the present embodiment, the relay device 1 performs the above-described operation on the first packet received via the first communication control unit 2, but receives it via the second communication control unit 3. A similar operation may be performed on the second packet. In that case, each unit of the relay device 1 performs an operation in which “first” and “second” in the above description are replaced. At this time, the accessibility information 6 includes information on a destination that is accessible or inaccessible via the first network 1000.

  In the present embodiment, the relay device 1 operates for one-way communication from the first network 1000 to the second network 1001, for example. The same operation may be performed. At this time, the access enable / disable information 6 is configured by associating access destination information that is accessible or inaccessible for each communication direction. For example, the access permission information 6 includes information on a destination that is accessible or inaccessible via the first communication control unit 2 and information on a destination that is accessible or inaccessible via the second communication control unit 3. And may be held together with information for identifying.

  The present embodiment is also applicable to a configuration in which two or more networks and communication control units are connected to the relay device 1.

<Second Embodiment>
Next, a second embodiment based on the above-described first embodiment will be described. In the following, the characteristic part according to the second embodiment will be mainly described, and the components of the second embodiment having the same configuration as the first embodiment are attached in the first embodiment. The same reference numerals as those of the reference numerals are attached, and the detailed description of the constituent elements is omitted.

  The present embodiment is a specific example in which the present invention is applied to a network system that can use IPv4 and IPv6 as communication methods. This embodiment is different from the first embodiment described above in that the access permission information 6 is generated based on the communication status.

  First, the system configuration of this embodiment will be described below with reference to FIG. FIG. 2 is a configuration diagram showing an example of a communication environment in the network system according to the second embodiment of the present invention.

  Referring to FIG. 2, the network system according to the present embodiment includes a relay device 10, a terminal 40, a server 50, a DNS server 60, a router 70, a LAN 1100, an IPv4 network 1101, an IPv6 closed network 1102, and the Internet 1103.

  The relay device 10, the terminal 40, the server 50, the DNS server 60, and the router 70 are general information processing that operates under the control of a computer program (software program) that is executed using a CPU (not shown). You may comprise by an apparatus (computer). Or each part of the relay apparatus 10, the terminal 40, the server 50, the DNS server 60, and the router 70 may be comprised by a dedicated hardware device or a logic circuit. A hardware configuration example in which the relay device 10, the terminal 40, the server 50, the DNS server 60, and the router 70 are realized by computers will be described later with reference to FIG.

  In the present embodiment, the terminal 40 accesses the server 50 via the relay device 10. The packet transmitted by the terminal 40 corresponds to the “first packet” in the first embodiment. The LAN 1100 corresponds to the “first network” in the first embodiment. The IPv4 network 1101, the IPv6 closed network 1102, and the Internet 1103, which are the networks ahead of the router 70, correspond to the “second network” in the first embodiment. In the following description, portions corresponding to the second network are also collectively referred to as “WAN”.

  The terminal 40 and the relay apparatus 10 can be connected via the LAN 1100. The LAN 1100 is a local area network capable of communication using both IPv4 and IPv6 communication methods. In the following description, a packet transmitted by IPv4 with an IPv4 address as a destination is referred to as an “IPv4 packet”. Similarly, a packet transmitted by IPv6 with an IPv6 address as a destination is referred to as an “IPv6 packet”.

  The relay device 10 can be connected to the IPv4 network 1101 and the IPv6 closed network 1102 via the router 70. The IPv4 network 1101 is a network capable of IPv4 communication. The IPv4 network 1101 can be connected to the Internet 1103 via IPv4. The IPv6 closed network 1102 is a closed network capable of IPv6 communication. In the present embodiment, nodes that can be connected by IPv6 on the WAN side of the relay apparatus 10 are limited to nodes included in the IPv6 closed network 1102. Such a network configuration is seen when, for example, the IPv4 network 1101 and the IPv6 closed network 1102 are provided by a line operator or the like. At this time, the relay device 10 specifically corresponds to a home gateway (HGW) or the like that connects a network of a circuit provider and a home LAN.

  The terminal 40 is a node that can communicate by both IPv4 and IPv6. When accessing the server 50, the terminal 40 transmits a packet destined for the server 50 to the relay device 10.

  The server 50 and the DNS server 60 are nodes connected to the Internet 1103. The relay device 10 can be connected to the server 50 and the DNS server 60 via the router 70, the IPv4 network 1101, and the Internet 1103. That is, the relay device 10 can be connected to the server 50 and the DNS server 60 by IPv4, but cannot be connected by IPv6.

  The DNS server 60 is a name resolution server that can provide address information of nodes in the Internet 1103, including the server 50.

  As described above, the present embodiment is a specific example showing a case where the terminal 40 operable by the two communication methods of IPv4 and IPv6 accesses the server 50 that is inaccessible in some communication methods (that is, IPv6). It is.

  Below, with reference to FIG. 3, the structure of the relay apparatus 10 which concerns on this embodiment is demonstrated. FIG. 3 is a block diagram showing the configuration of the relay device according to the second embodiment of the present invention. Referring to FIG. 3, the relay device 10 includes a relay control unit 4, a storage device 5, a monitoring unit 11, network interface units (NICs) 21 and 31, IPv4 control units 22 and 32, and an IPv6 control unit 23. And 33. The storage device 5 can store access permission information 6.

  Since the relay control unit 4, the storage device 5, and the access permission / inhibition information 6 have the same configuration and function as those in the first embodiment, redundant description is omitted. However, in this embodiment, the information included in the accessibility information 6 is generated by the monitoring unit 11.

  The NIC 21, the IPv4 control unit 22, and the IPv6 control unit 23 correspond to the first communication control unit 2 in the first embodiment. In the present embodiment, these three functional units can control communication between the terminal 40 and the relay device 10 via the LAN 1100 by the two communication methods of IPv4 and Ipv6.

  The NIC 21 is a communication interface capable of transmitting and receiving both IPv4 packets and IPv6 packets to the LAN 1100. The NIC 21 is connected to the LAN 1100. The NIC 21 can output the received IPv4 packet to the IPv4 control unit 22. The NIC 21 can output the received IPv6 packet to the IPv6 control unit 23. Further, the NIC 21 can transmit the IPv4 packet received from the IPv4 control unit 22 to the LAN 1100. The NIC 21 can transmit the IPv6 packet received from the IPv6 control unit 23 to the LAN 1100.

  The IPv4 control unit 22 can perform IPv4 protocol processing in communication with the LAN 1100. The IPv4 control unit 22 can output the IPv4 packet received from the NIC 21 to the relay control unit 4. Further, the IPv4 control unit 22 can transmit the IPv4 packet received from the relay control unit 4 to the LAN 1100 via the NIC 21 using the IPv4 protocol.

  The IPv6 control unit 23 can perform IPv6 protocol processing in communication with the LAN 1100. The IPv6 control unit 23 can output the IPv6 packet received from the NIC 21 to the relay control unit 4. Further, the IPv6 control unit 23 can transmit the IPv6 packet received from the relay control unit 4 to the LAN 1100 via the NIC 21 using the IPv6 protocol.

  The NIC 31, the IPv4 control unit 32, and the IPv6 control unit 33 correspond to the second communication control unit 3 in the first embodiment. In the present embodiment, these three functional units control communication between the relay device 10 and a node on the WAN side such as the server 50 by the two communication methods of IPv4 and Ipv6 via the WAN. Can do. The functions of the NIC 31, the IPv4 control unit 32, and the IPv6 control unit 33 are the same as the reference numerals "21, 22, 23" in the above description of the NIC 21, IPv4 control unit 22, and IPv6 control unit 23 as "31, 32, 33". Since it can be explained by rereading and further replacing the LAN 1100 with WAN, duplicate explanation is omitted.

  The monitoring unit 11 is arranged between the relay control unit 4 and the IPv4 control unit 22 and the IPv6 control unit 23, and can monitor communication between them. That is, the monitoring unit 11 can monitor a response included in a relay packet such as an IPv4 packet and an IPv6 packet relayed by the relay device 10 and generate the access permission information 6 based on the monitoring result. In addition, the monitoring unit 11 can relay the transmission / reception of the IPv4 packet and the IPv6 packet between the relay control unit 4 and the IPv4 control unit 22 and the IPv6 control unit 23.

  Next, the operation of the present embodiment having the above-described configuration will be described in detail. The preconditions in this description are described below.

  First, it is assumed that the server 50 is assigned an address corresponding to both IPv4 and IPv6. Since the network configuration shown in FIG. 2 is used, the terminal 40 can access the server 50 by transmitting an IPv4 packet whose destination is the IPv4 address of the server 50. On the other hand, when the terminal 40 transmits an IPv6 packet destined for the IPv6 address of the server 50, the access fails.

  Further, it is assumed that the terminal 40 obtains the IPv4 address and the IPv6 address of the server 50 from the DNS server 60 in advance. When the terminal 40 obtains both IPv4 and IPv6 addresses, it is assumed that the terminal 40 tries to access from the IPv6 address.

  The operation when the terminal 40 accesses the server 50 under such preconditions will be described.

  First, as a reference when comparing the operation of the present invention and the background art, in the network system shown in FIG. 2, the relay device 10 is replaced with a general home gateway (hereinafter simply referred to as “HGW”). Will be described with reference to FIG. FIG. 9 is a sequence diagram illustrating an example of communication in a general network system.

  First, the terminal 40 first tries IPv6 access to the server 50. That is, the terminal 40 transmits an IPv6 packet destined for the IPv6 address of the server 50 to the HGW (step S300). The HGW transmits the received IPv6 packet to the IPv6 closed network 1102, which is a network capable of communication using IPv6 (step S301). Since there is no path that can be accessed from the IPv6 closed network 1102 to the server 50, an error response is returned from the IPv6 closed network 1102 (step S302). The HGW relays the error response to the terminal 40 (step S303). By receiving this error response, the terminal 40 recognizes that the IPv6 access to the server 50 has failed.

Next, the terminal 40 attempts IPv4 access to the server 50. That is, the terminal 40 transmits an IPv4 packet destined for the IPv4 address of the server 50 to the HGW (step S304). The HGW transmits the received IPv4 packet to the IPv4 network 1101, which is a network capable of IPv4 communication (step S305).
The IPv4 packet is transferred from the IPv4 network 1101 via the Internet 1103 and can finally reach the server 50. The server 50 processes the received IPv4 packet, and then returns a response IPv4 packet to the terminal 40 (step S306). The HGW relays the IPv4 packet of the response to the terminal 40 (step S307). By receiving this response, the terminal 40 recognizes that the IPv4 access to the server 50 has been successful.

  As described above, the terminal needs time to wait for an error response from step S300 to step S303 at the stage of recognizing the failure of IPv6 access. That is, in general, when accessing a destination that is inaccessible in some communication methods, when a terminal tries to access from IPv6, it takes time until the server 50 is successfully accessed by IPv4. There's a problem.

  Next, the operation when the terminal 40 accesses the server 50 in the network system (FIG. 2) including the relay device 10 according to the present embodiment will be described. In this description, it is assumed that the accessibility information 6 initially has information that all destinations are accessible or does not include information on inaccessible destinations. However, this embodiment is operable even when the access permission / inhibition information 6 holds information in advance.

  The sequence in the first communication in the present embodiment is the same as that of the general HGW described above with reference to FIG. Therefore, in the following, overlapping descriptions are omitted or described briefly.

  First, the terminal 40 tries IPv6 access to the server 50 (step S300). That is, the terminal 40 transmits an IPv6 packet destined for the IPv6 address of the server 50 to the relay device 10.

  In the relay device 10, the IPv6 control unit 23 receives the IPv6 packet via the NIC 21. Then, the IPv6 control unit 23 outputs an IPv6 packet to the monitoring unit 11. In the present embodiment, the monitoring unit 11 does not have to monitor packets sent from the LAN 1100 in the WAN direction. That is, the monitoring unit 11 simply transfers the packet received from the IPv6 control unit 23 and the IPv4 control unit 22 to the relay control unit 4.

  The relay control unit 4 determines whether the destination of the received IPv6 packet is accessible based on the accessibility information 6. At this time point, the access permission information 6 has information that all accesses are possible as described above, so the relay control unit 4 determines that access is possible. Based on the result of the determination, the relay control unit 4 outputs the received IPv6 packet to the IPv6 control unit 33. The IPv6 control unit 33 transmits the received IPv6 packet to the IPv6 closed network 1102 via the NIC 31 (step S301).

  Since there is no path that can be accessed from the IPv6 closed network 1102 to the server 50, an error response is returned from the IPv6 closed network 1102 (step S302).

  In the relay device 10, the IPv6 control unit 33 receives an error response via the NIC 31. The IPv6 control unit 33 outputs the received error response to the relay control unit 4. In the present embodiment, the relay control unit 4 does not determine whether or not access is possible to a packet sent from the WAN in the direction of the LAN 1100. That is, the relay control unit 4 simply outputs an error response to the monitoring unit 11.

  The monitoring unit 11 monitors a response of communication passing through the monitoring unit 11, and detects an access failure based on the response. Specifically, in the present embodiment, the monitoring unit 11 monitors an error response received from the IPv6 control unit 33. That is, the monitoring unit 11 detects that the IPv6 access has failed by analyzing the received error response. Then, the monitoring unit 11 generates inaccessible information based on the source address of the error response (that is, the IPv6 address of the server 50), and registers the inaccessible information in the access enable / disable information 6. The monitoring unit 11 transmits the received error response to the terminal 40 via the IPv6 control unit 23 and the NIC 21 (step S303). By receiving this error response, the terminal 40 recognizes that the IPv6 access to the server 50 has failed.

  Thereafter, the terminal 40 attempts IPv4 access to the server 50 (step S304).

  The relay apparatus 10 performs the same processing as that for the IPv6 packet described above via the IPv4 control units 22 and 32 instead of the IPv6 control units 23 and 33. That is, the relay control unit 4 determines that the destination of the received IPv4 packet is accessible based on the accessibility information 6. The relay control unit 4 transmits the received IPv4 packet to the IPv4 network 1101 (step S305).

  The IPv4 packet reaches the server 50 from the IPv4 network 1101 via the Internet 1103. The server 50 returns a response IPv4 packet to the terminal 40 (step S306).

  The relay apparatus 10 performs the same processing as that for the IPv6 error response described above via the IPv4 control units 22 and 32 instead of the IPv6 control units 23 and 33. In other words, the monitoring unit 11 analyzes the IPv4 response to detect that the IPv4 access has been successful. Then, the monitoring unit 11 relays the IPv4 response to the terminal 40 (step S307). By receiving this response, the terminal 40 recognizes that the IPv4 access to the server 50 has been successful.

  In this way, according to the present embodiment, the monitoring unit 11 can determine whether access is possible based on the performance of communication via the relay device 10 even if the access permission information 6 is not registered in the storage device 5 in advance. Information 6 can be generated by itself. In addition, since the monitoring unit 11 generates the access permission information 6 for the server 50, the operation of the relay device 10 according to the present embodiment is the same as that of the first embodiment regarding the second and subsequent accesses to the server 50. Become.

  Next, the operation when the terminal 40 further accesses the same server 50 will be described with reference to FIG. In general, the terminal often repeats the same operation as the first access even if the terminal is the same destination. FIG. 4 is a sequence diagram illustrating an example of communication in the network system according to the second embodiment. The following operation is performed in the same manner even when a terminal other than the terminal 40 performs the second and subsequent accesses to the server 50.

  First, the terminal 40 first attempts IPv6 access to the server 50 (step S100).

  In the relay device 10, the relay control unit 4 receives the received IPv6 packet via the NIC 21, the IPv6 control unit 23, and the monitoring unit 11. Based on the accessibility information 6, the relay control unit 4 determines that the IPv6 address of the server 50 that is the destination of the received packet is inaccessible. If it is determined that access is not possible, the relay control unit 4 prompts communication using a communication method different from the received packet. In the present embodiment, the relay control unit 4 transmits to the terminal 40 a notification packet that leads to a communication method that is not IPv6 (that is, IPv4) (step S101).

  Various methods are known as a method of guiding to a communication method other than IPv6. For example, in the case of TCP (Transmission Control Protocol) communication, a method is known in which the relay apparatus 10 responds to an IPv6 (RST, ACK) packet in response to an IPv6 (SYN) packet received from the terminal 40. Note that the SYN packet is a packet in which the Synchronize sequence numbers field is set in the control flag of the TCP header. Similarly, the RST packet is a packet in which the Reset field is set in the control flag of the TCP header. The ACK packet is a packet in which the Acknowledgment field is set in the control flag of the TCP header. In this method, the terminal 40 can switch to IPv4 access triggered by reception of an IPv6 (RST, ACK) packet.

  When receiving the notification packet for guiding to IPv4, the terminal 40 recognizes that the IPv6 access has failed. And the terminal 40 tries the IPv4 access with respect to the server 50 (step S102).

  The subsequent operation of the relay device 10 from step S103 to S105 is the same as the operation of the relay device 10 from step S305 to S307 described above. That is, the relay device 10 transfers the IPv4 packet received from the terminal 40 to the server 50 via the IPv4 network 1101. Then, the relay device 10 transfers the response transmitted by the server 50 to the terminal 40 via the LAN 1100.

  In this way, as in the first embodiment, the terminal 40 switches to IPv4 that can be accessed quickly without waiting for a response to an IPv6 access failure even when accessed using IPv6 that cannot be accessed first. It becomes possible.

  As described above, in addition to the same effects as those of the first embodiment described above, this embodiment also has an effect that it is not necessary to register the access permission information 6 in the relay device 10 in advance. is there.

  The reason is that the monitoring unit 11 can generate the access permission information 6 based on the performance of communication via the relay device 10.

  The position where the monitoring unit 11 is connected may be any place where the relay control unit 4 can monitor the relay packets (IPv4 packet and IPv6 packet) received from each network. That is, the position of the monitoring unit 11 may be between the relay control unit 4 and the IPv4 control unit 32 and the IPv6 control unit 33. Alternatively, the monitoring unit 11 may be arranged at a position where a copy of each packet can be received instead of being included in the route through which the relay control unit 4 relays the packet. When the monitoring unit 11 is not included in the relay route, relaying of relay packets may not be performed.

In the present embodiment, the monitoring unit 11 may provide a validity period for each piece of information included in the access permission / inhibition information 6. That is, when the information is registered in the access permission / inhibition information 6, the monitoring unit 11 may add time information indicating a time limit during which the information is valid and include the information in the access permission / inhibition information 6. The time information may be a fixed time or may be determined based on information such as TTL (Time To Life) included in the received packet. Then, the monitoring unit 11 may invalidate the information after the validity period has elapsed by a method such as deleting the information from the accessibility information 6. In addition, when the error response is received in step S303, the monitoring unit 11 may perform a process of not analyzing the error response and not updating the access permission information 6 if it is within the valid period. As a result, the relay device 10 can follow the change in the reachability status (reachability) of the node in the same manner due to a change in the network configuration or the like. Further, the monitoring unit 11 can reduce the load of the monitoring operation within the effective period.
(Modification of the second embodiment)
In addition, the following can be considered as a modification of this embodiment.

  For example, the monitoring unit 11 may update the access permission information 6 based on the time taken for communication measured for each communication method. The time required for communication is, for example, that the relay apparatus 10 receives (transfers) an access request transmitted from a terminal to a certain node N, and then receives a response to the access request from the node N. Response time until. In this modification, the monitoring unit 11 measures the time required for the communication in communication performed by different communication methods. The monitoring unit 11 registers, for example, information indicating that the communication method with the later response time is inaccessible in the access permission information 6 based on the comparison result of the measurement results in each communication method for the same node. Good. This is effective when there is a node N accessible in a plurality of communication methods in the network system.

  Hereinafter, for example, a case where the terminal can access the node N by both IPv4 and IPv6 will be described. The monitoring unit 11 measures the response time from the transfer of the packet transmitted to the node N to the reception of the response packet by the node N for each of the IPv4 access and the IPv6 access from the terminal to the node N. Then, when the response time for each communication method is different by a predetermined ratio or more, the monitoring unit 11 may register information indicating that the communication method with the slower response is inaccessible in the access enable / disable information 6. That is, the monitoring unit 11 compares measurement results of different communication methods for the same node. The monitoring unit 11 then displays information indicating that the address of the slower communication method is inaccessible so that the communication method with a slow response to access is handled in the same manner as the inaccessible communication method. Register with. As a result, when the terminal accesses the node N by a communication method with a slow response, the relay device 10 can prompt the terminal to change the communication method without transferring a packet according to the communication method.

  There are several methods for the monitoring unit 11 to identify that one IPv4 address and another IPv6 address are addresses for the same node N when comparing the measurement results. For example, the monitoring unit 11 may obtain the IPv4 address and the IPv6 address of the node N from the DNS response included in the relayed communication. Or the monitoring part 11 may acquire the information regarding those addresses from the information previously stored in the memory | storage device 5 grade | etc.,.

  The monitoring unit 11 may record the measurement result in addition to the accessibility information 6 or as other management information.

  In this way, the relay device 10 can prompt the terminal to switch to a communication method with a fast response when the response times of the communication methods are different.

  As described above, this modification has an effect that a communication method having a fast response time can be dynamically selected in accordance with an actual network environment.

  The reason is that the monitoring unit 11 measures the time required for communication for each communication method with respect to communication actually performed. This is because the monitoring unit 11 can register, in the access enable / disable information 6, information that disables access to a communication method with a slow response based on the measurement result. In addition, the relay control unit 4 prompts the terminal to switch the communication method based on the accessibility information 6 without relaying the packet transmitted by the communication method with a slow response.

  Note that the function of the monitoring unit 11 according to the second embodiment and the function of the monitoring unit 11 according to this modification do not interfere with each other. Therefore, for example, the monitoring unit 11 according to the second embodiment may have the function of the monitoring unit 11 according to this modification.

<Third Embodiment>
Next, the second embodiment described above or a third embodiment based on a modification will be described. The following description will focus on the characteristic parts according to the third embodiment, and the components of the third embodiment having the same configuration as that of the second embodiment or the modification will be described as the second embodiment. The same reference numerals as those used in the embodiments or the modification examples are attached, and the detailed description of the constituent elements is omitted.

  The second embodiment, or its modification, is that this embodiment controls relaying using a cache function that holds DNS response information acquired once by name resolution instead of the access permission information 6. And different. Although the present embodiment can be realized based on the second embodiment, a configuration based on a modification of the second embodiment will be described below as a specific example.

  First, the system configuration of the present embodiment will be described below with reference to FIG. FIG. 5 is a configuration diagram showing an example of a communication environment in the network system according to the third embodiment of the present invention. Referring to FIG. 5, the network system according to the present embodiment includes a relay device 100, a terminal 40, servers 50 and 51, DNS servers 60 and 61, a router 70, a LAN 1100, an IPv4 network 1101, an IPv6 closed network 1102, and the Internet 1103. including. That is, the network system according to the present embodiment has a configuration in which the relay device 10 is replaced with the relay device 100 and a server 51 and a DNS server 61 are added to FIG. Since the configurations and operations of the elements denoted by the same reference numerals as those in FIG. 2 are the same as those in the second embodiment and the modified example, the detailed description thereof is omitted. Below, the structure of the relay apparatus 100, the server 51, and the DNA server 61 which are not contained in 2nd Embodiment is demonstrated in detail.

  The relay device 100, the server 51, and the DNS server 61 are each configured by a general information processing device (computer) that operates under the control of a computer program (software program) that is executed using a CPU (not shown). May be. Or each part of the relay apparatus 100, the server 51, and the DNS server 61 may be comprised by a dedicated hardware device or a logic circuit. A hardware configuration example in which the relay device 100, the server 51, and the DNS server 61 are realized by computers will be described later with reference to FIG.

  In the present embodiment, the terminal 40 accesses the server 51 via the relay device 100.

  The server 51 is a node that can be accessed from the terminal 40 in both IPv4 and IPv6. The server 51 corresponds to the node N that can be accessed by a plurality of communication methods in the modification of the second embodiment. In the present embodiment, the server 51 is connected to the IPv4 network 1101 and the IPv6 closed network 1102.

  In this embodiment, the DNS server 61 is a DNS server that can send back a DNS response (name resolution response) including both IPv4 and IPv6 addresses of the server 51. In the present embodiment, the DNS response server 61 is connected to the IPv4 network 1101. However, the location and configuration of the DNS response server 61 are not limited to the present embodiment as long as the address of the server 51 can be provided for the DNS inquiry transmitted via the relay device 100.

  The relay device 100 is based on the relay device 10. Since the connection relationship between the relay device 100, the LAN 1100, the IPv4 network 1101, and the IPv6 closed network 1102 is the same as that in the second embodiment and the modification, the detailed description thereof is omitted.

  Below, with reference to FIG. 6, the structure of the relay apparatus 100 which concerns on this embodiment is demonstrated. FIG. 6 is a block diagram illustrating a configuration of a relay device according to the third embodiment of the present invention. Referring to FIG. 6, the relay device 100 includes a monitoring unit 101, a relay control unit 103, a proxy DNS unit 102, a storage device 5, network interface units (NICs) 21 and 31, and IPv4 control units 22 and 32. And IPv6 control units 23 and 33. The storage device 5 can store management information 110 and cache information 111.

  The configurations and operations of the network interface units (NIC) 21 and 31, the IPv4 control units 22 and 32, and the IPv6 control units 23 and 33 are the same as those in the second embodiment and the modified example, so that overlapping detailed description is provided. Is omitted.

  The monitoring unit 101 is based on the monitoring unit 11 in the modification of the second embodiment. The monitoring unit 101 instructs the proxy DNS unit 102, which will be described later, to update the cache information 111 instead of updating the access permission information 6 based on the time taken for communication measured for each communication method. That is, the monitoring unit 101 compares the response time measurement results for each communication method, and determines whether to stop access by any communication method based on the comparison result. Then, the monitoring unit 101 instructs the proxy DNS unit 102 to update the cache information 111 relating to the address of the communication method that stops access.

  In the present embodiment, the monitoring unit 101 records the result of measuring the time required for communication in the management information 110. The management information 110 can hold a management record for each domain name. The management record includes a “domain name” field that includes information indicating the domain name, a “destination” field that includes address information that indicates the destination address for each communication method corresponding to the domain name, and a measurement result of the time taken for communication. And a “measurement result” column containing result information.

  In addition, the monitoring unit 101 monitors the DNS response included in the relayed communication, associates the IPv4 address and the IPv6 address corresponding to the name of the same node, and manages the management record including the information as management information Register at 110.

  Since the configuration and operation of the monitoring unit 101 other than those described above are the same as those of the monitoring unit 11 in the modification of the second embodiment, a detailed description thereof is omitted.

  The proxy DNS unit 102 can perform DNS proxy processing for the DNS communication (DNS inquiry and DNS response) relayed by the relay device 100. That is, the proxy DNS unit 102 transfers the received DNS inquiry to an appropriate DNS server, and holds the information included in the DNS response received from the DNS server as the cache information 111. When the proxy DNS unit 102 receives a DNS query for the same domain name as the domain name (FQDN: Fully Qualified Domain Name; hereinafter simply referred to as “name”) for the received DNS response, the cache information 111 Based on the above, a DNS response generated by itself is returned to the inquiry source. Note that the proxy DNS unit 102 transmits and receives packets related to DNS communication via the relay control unit 103.

  Further, the proxy DNS unit 102 changes a part of the cache information 111 to a negative cache based on an instruction to update the cache information 111 from the monitoring unit 101. Specifically, the proxy DNS unit 102 changes the cache information 111 related to the address included in the update instruction of the monitoring unit 101 to a negative cache. The negative cache is information indicating a domain name that has failed in name resolution.

  The cache information 111 can include information included in the DNS response transmitted from the DNS server 61. That is, the cache information 111 includes information necessary for the proxy DNS unit 102 to respond to a DNS inquiry sent from the terminal 40 on behalf of the DNS server 61.

  The proxy DNS unit 102 has a general DNS cache function other than the above, such as time management of the cache information 111 based on the valid period (TTL) and header address change accompanying transfer of DNS communication (DNS inquiry and DNS response). A function may be performed. Since a general technique can be adopted for the general DNS cache function and the configuration of the cache information 111, a detailed description in this embodiment, including an operation description to be described later, is omitted.

  The relay control unit 103 is based on the relay control unit 4 in the second embodiment. Instead of determining whether the destination of the received packet is accessible based on the accessibility information 6, the relay control unit 103 sends the received DNS communication (DNS inquiry and DNS response) packet to the proxy DNS unit. To 102. Then, the relay control unit 103 transfers the DNS communication packet received from the proxy DNS unit 102. Since the operation of the relay control unit 103 other than the above is the same as the operation of the relay control unit 4 in the second embodiment, a detailed description thereof is omitted.

  Next, the operation of the present embodiment having the above-described configuration will be described in detail. Below, with reference to FIG. 7, operation | movement in case the terminal 40 accesses the server 50 is demonstrated. FIG. 7 is a sequence diagram illustrating an example of communication in the network system according to the third embodiment. The description of the operation of the present embodiment starts with name resolution of the connection destination, which was assumed to be already executed in the second embodiment. Further, it is assumed that the management information 110 and the cache information 111 do not hold any information at the start of the following operation.

  First, the terminal 40 transmits a DNS inquiry requesting resolution of the name of the server 51 (for example, “abc.efg”) to the relay apparatus 100 (step S200). At this time, it is assumed that the terminal 40 transmits both the DNS inquiry requesting the IPv4 address (“A” record) of the server 51 and the DNS inquiry requesting the IPv6 address (“AAAA” record). Specifically, the terminal 40 includes an IPv4 packet including a DNS query requesting an “A” record for the name of the server 51, and an IPv4 packet including a DNS query requesting an “AAAA” record for the name of the server 51. The data is sequentially transmitted to the relay device 100.

  In the relay device 100, the IPv4 control unit 22 receives the IPv4 packet including these DNS queries via the NIC 21. Then, the IPv4 control unit 22 outputs the received DNS inquiry to the relay control unit 103 via the monitoring unit 101.

  At this time, the monitoring unit 101 checks the transferred packet based on the management information 110. At this time, since no information is held in the management information 110, the monitoring unit 101 simply transfers the information to the relay control unit 103.

  The relay control unit 103 outputs the received DNS inquiry to the proxy DNS unit 102. Since the cache information 111 does not include the address information of the server 51, the proxy DNS unit 102 makes a DNS inquiry to the DNS server 61. That is, the proxy DNS unit 102 generates two DNS queries that request an “A” record and an “AAAA” record for the name of the server 51, and passes through the relay control unit 103, the IPv4 control unit 32, and the NIC 31. The generated two DNS queries are transmitted to the DNS server 61 (step S201).

  When the DNS server 61 receives two DNS inquiries, it returns a DNS response including address information corresponding to each of them (step S202). That is, the DNS server 61 includes a DNS response including an “A” record (for example, an IPv4 address “XX.X.X”) for the name of the server 51, and an “AAAAA” record (for example, an IPv6 address “Y ::”). Y ") is transmitted to the relay device 100.

  In relay device 100, first, DNS cache unit 102 receives two DNS responses via NIC 31, IPv4 control unit 32, and relay control unit 103. Then, the DNS cache unit 102 registers information included in the two DNS responses in the cache information 111. Further, the DNS cache unit 102 generates a DNS response for the terminal 40 based on the DNS response received from the DNS server 61 and outputs the DNS response to the relay control unit 103. The relay control unit 103 transfers to the terminal 40 that is the destination of the DNS response. That is, the relay control unit 103 first outputs a DNS response to the monitoring unit 101.

  At this time, when the transferred packet is a DNS response, the monitoring unit 101 generates a management record including the name and address information included in each DNS response, and registers the management record in the management information 110. The processing for the DNS response including the “AAAA” record will be described as a specific example. The monitoring unit 101 generates a management record in which the information “abc.efg” indicating the name of the server 51 is stored in the “domain name” column. Furthermore, the monitoring unit 101 stores address information “Y :: Y” indicating the IPv6 address of the server 51 in the “destination” field corresponding to the “domain name” field in which the name of the server 51 is stored. The monitoring unit 101 also records the DNS response including the “A” record in the management information 110. As a result, the management information 110 is in the “domain name” field and the “destination” field shown in FIG. At this time, nothing is stored in the “measurement result” column. FIG. 8 is a diagram illustrating an example of the management information 110 according to the third embodiment.

  Furthermore, the monitoring unit 101 transfers two DNS responses via the IPv4 control unit 22 and the NIC 21 (step S203). By receiving these two DNS responses, the terminal 40 acquires the IPv4 address “XXX” and the IPv6 address “Y :: Y” of the server 51.

  Next, in this embodiment, the terminal 40 tries to access the server 51 sequentially in both IPv6 and IPv4. Such an access method may be performed when the terminal 40 wants to select a communication method with a fast response speed when the terminal 40 can be accessed by a plurality of communication methods. First, as in the second embodiment, the terminal 40 accesses the server 51 via IPv6 via the relay device 100 (step S204). The relay device 100 transfers the IPv6 packet received from the terminal 40 to the server 51. Since the relay operation of the relay device 100 is as described above, the following description will focus on the main points in the relay operation.

  Here, the monitoring unit 101 checks the destination of the transferred packet based on the management information 110. When the destination of the packet is included in the management information 110, measurement of the time required for communication (response time) is started. That is, the monitoring unit 101 stores the transmission time of the transferred packet. Specifically, since the management information 110 includes the IPv6 address of the server 51, the monitoring unit 101 temporarily stores the transmission time of this packet and information identifying the response to this packet in the storage device 5 or the like. Remember. If the destination of the packet is not included in the management information 110, the monitoring unit 101 does nothing and simply transfers the packet.

  When the server 51 receives the IPv6 packet transmitted by the terminal 40 via the relay device 100, the server 51 returns a response using the IPv6 packet (step S205). The relay device 100 transfers the IPv6 packet including the response received from the server 51 to the terminal 40.

  The monitoring unit 101 checks the transferred packet based on the packet transmission record to the server 51 temporarily stored in step S204. When a response to the packet that temporarily stores the transmission time is received in step S204, a time required for communication (response time) is obtained. Specifically, the monitoring unit 101 obtains a response time from the difference between the reception time of the response from the server 51 and the transmission time of the packet to the server 51 stored in step S204, and records the response time in the management information 110. To do. That is, the monitoring unit 101 stores information indicating the obtained response time (for example, “15”) in the “measurement result” field corresponding to the “destination” field in which the IPv6 address “Y :: Y” of the server 51 is stored. Is stored. In the present embodiment, as an example, the unit of response time is seconds.

  Next, the terminal 40 accesses the server 51 via IPv4 via the relay device 100 (step S206). The relay device 100 transfers the IPv4 packet received from the terminal 40 to the server 51. At this time, the monitoring unit 101 temporarily stores the transmission time of the packet addressed to the IPv4 address to the server 51 in the storage device 5 or the like.

  When the server 51 receives the IPv4 packet transmitted from the terminal 40 via the relay device 100, the server 51 returns a response using the IPv4 packet (step S207). The relay device 100 transfers the IPv4 packet including the response received from the server 51 to the terminal 40. At this time, the monitoring unit 101 obtains a response time of IPv4 access to the server 51 and records information (eg, “3”) indicating the obtained response time in the management information 110 as in step S205. The result is as shown in FIG.

  Here, when the measurement results of response times for a plurality of communication methods are obtained for the same domain name, the monitoring unit 101 compares the response times (measurement results). Then, the monitoring unit 101 determines whether to stop access by any communication method based on the comparison result. Then, the monitoring unit 101 instructs the proxy DNS response unit 102 to update the cache information 111 regarding the address corresponding to the communication method for stopping access. Specifically, the monitoring unit 101 stops the access using IPv6 because the measurement result “15” corresponding to the IPv6 address of the server 51 is worse (slower) than the measurement result “3” corresponding to the IPv4 address. Decide that. Then, the monitoring unit 101 sends the name (“abc.efg”) and the record type (“AAAA”) of the server 51 or the IPv6 address (“Y :: Y” of the server 51 to the proxy DNS response unit 102. ) Etc. are output. Note that the method in which the monitoring unit 101 determines access stop based on the response time comparison result is not limited to the above method.

  The proxy DNS response unit 102 updates the cache information 111 based on the cache update instruction from the monitoring unit 101. Specifically, the proxy DNS unit 102 changes the information regarding the “AAAA” record (IPv6 address “Y :: Y”) for the server 51 in the cache information 111 to a negative cache. At this time, the proxy DNS unit 102 does not change any information regarding the “A” record (IPv4 address “XX.X.X”) for the server 51 in the cache information 111.

  Next, the operation when the terminal 40 transmits the same DNS inquiry for the name of the server 51 again will be described below with reference to FIG. Note that the same operation is performed when a terminal other than the terminal 40 transmits a DNS inquiry to the server 51.

  The terminal 40 again sequentially transmits a DNS query requesting an “A” record for the name of the server 51 and a DNS query requesting an “AAAA” record (step S208).

  In the relay device 100, the proxy DNS unit 102 receives the received DNS inquiry as in step S201.

  The proxy DNS unit 102 responds to the terminal 40 itself based on the cache information 111 this time because the cache information 111 includes information related to the “A” and “AAAA” records of the server 51. That is, the proxy DNS unit 102 does not make an inquiry to the DNS server 61. Specifically, in response to a DNS query requesting an “A” record for the name of the server 51, the proxy DNS unit 102 “A” record (IPv4 address “XX.X” registered in the cache information 111). .X ") is transmitted to the terminal 40. On the other hand, the proxy DNS unit 102 does not have an “AAAAA” record for the server 51 because a negative cache is registered in the cache information 111 for a DNS query that requests an “AAAA” record for the name of the server 51. A DNS response indicating that is returned (step S209). By receiving these DNS responses, the terminal 40 acquires only the IPv4 address “XX.X.X” of the server 51 this time.

  Therefore, the terminal 40 performs only IPv4 access to the server 51 (step S210). The terminal 40 receives a response from the server 51 by IPv4 having a quick response time (step S211). In this way, the terminal 40 can communicate by the IPv4 communication method having a fast response time in an actual network environment without attempting access by a plurality of communication methods.

  As described above, in addition to the same effects as those of the second embodiment and the modification example described above, the present embodiment does not require a device for selecting an optimal communication method in the terminal, and the terminal There is an effect that it is possible to access by an optimum communication method.

  The reason is that the proxy DNS unit 102 registers in the cache information 111 a negative cache related to an address corresponding to a communication method with a slow response. This is because, in response to the DNS inquiry from the terminal 40, the proxy DNS unit 102 stops providing the terminal with an address corresponding to a communication method with a slow response based on the negative cache. Thereby, since the terminal 40 can acquire only the address corresponding to the communication method with a fast response, the terminal 40 itself does not need to select the communication method with a fast response.

  In step S200, the terminal that has sent the DNS query requesting the IPv4 address of the server 51 may be different from the terminal that has sent the DNS query requesting the IPv6 address. In addition, the DNS inquiry transmission interval may be free. Also, the DNS server that responds with an IPv4 address may be different from the DNS server that responds with an IPv6 address.

  Further, in step S204 to step S206, the response time measurement performed by the monitoring unit 101 may be performed for communications transmitted from different terminals. For example, the measurement performed by the monitoring unit 101 may target IPv4 access to the server 51 performed by the terminal 40 and IPv6 access to the server 51 performed by a terminal other than the terminal 40.

  The monitoring unit 101 may provide a validity period for each piece of information included in the management information 110. For example, when recording the measurement result of the management information 110, the monitoring unit 101 may add time information indicating a time limit for which the measurement result is valid and include the time information indicating the validity period. And the monitoring part 101 may invalidate the measurement result which passed the effective period by methods, such as deleting from the management information 110. FIG.

  In each embodiment described above, each unit shown in FIGS. 1 to 3, 5, and 6 may be configured by an independent hardware circuit, or a function (processing) unit of a software program ( Software module). However, the division of each part shown in these drawings is a configuration for convenience of explanation, and various configurations can be assumed for mounting. An example of the hardware environment in such a case will be described with reference to FIG. FIG. 10 is a diagram illustrating the configuration of a computer (information processing apparatus) applicable to each embodiment of the present invention and a network system according to a modification thereof. That is, FIG. 10 shows a configuration of a computer capable of realizing at least one of the relay devices 1, 10 and 100, the terminal 40, the servers 50 and 51, the DNS servers 60 and 61, and the router 70 in each of the above-described embodiments. A hardware environment capable of realizing each function in the above-described embodiments will be described.

  The computer 900 shown in FIG. 10 includes a CPU (Central Processing Unit) 901, a ROM (Read Only Memory) 902, a RAM (Random Access Memory) 903, a communication interface (I / F) 904, a display 905, and a hard disk device (HDD). ) 906, and these are connected via a bus 907. Note that when the computer shown in FIG. 10 functions as the relay devices 1, 10 and 100, the terminal 40, the servers 50 and 51, the DNS servers 60 and 61, or the router 70, the display 905 need not always be provided. The communication interface 904 is a general communication unit that realizes communication between the computers in each of the above-described embodiments. The hard disk device 906 stores a program group 906A and various storage information 906B. The program group 906A is, for example, a computer program for realizing a function corresponding to each block (each unit) shown in FIG. 1, FIG. 3, and FIG. The various storage information 906B is, for example, the access permission / inhibition information 6, the management information 110, the cache information 111, and the like shown in FIGS. In such a hardware configuration, the CPU 901 governs the overall operation of the computer 900.

  Then, the present invention described by taking the above-described embodiments as an example, after supplying a computer program capable of realizing the functions of the block configuration diagrams (FIGS. 1, 3 and 6) referred to in the description of each embodiment The computer program is read out and executed by the CPU 901 of the hardware. The computer program supplied to the computer may be stored in a non-volatile storage device (storage medium) such as a readable / writable temporary storage memory 903 or a hard disk device 906.

  In the above-described case, the computer program can be supplied to each device by a method of installing in the device via various recording media such as a floppy disk (registered trademark) and CD-ROM, the Internet, etc. Currently, a general procedure can be adopted, such as a method of downloading from the outside via the communication network 1500. In such a case, the present invention can be understood to be configured by a computer-readable storage medium in which the code constituting the computer program or the code is recorded.

  Note that a part or all of the above-described embodiment can be described as the following supplementary notes, but is not limited to the following supplementary notes.

(Appendix 1)
First communication control means for controlling communication to the first network performed by a plurality of communication methods;
Second communication control means for controlling communication to the second network performed by a plurality of communication methods;
Access permission information including information indicating a destination that receives the first packet from the first network via the first communication control means and is accessible or not accessible via the second network. To determine whether the destination of the first packet is accessible, based on
When the destination of the first packet is an accessible destination, the first packet is relayed to the second network via the second communication control means;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent via the first communication control unit. And a relay control means for transmitting to the transmission source of the first packet.

(Appendix 2)
The access permission / prohibition information further includes information representing a destination that is accessible or not accessible via the first network,
The relay control unit further receives the second packet via the second communication control unit, and determines whether the destination of the second packet is accessible based on the access permission information. ,
When the destination of the second packet is an accessible destination, the second packet is relayed to the first network via the first communication control means;
When the destination of the second packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from that of the second packet is sent via the second communication control means. The relay apparatus according to appendix 1, wherein the relay apparatus transmits the packet to the transmission source of the second packet.

(Appendix 3)
The plurality of communication methods include an IPv4 protocol and an IPv6 protocol.
Appendix 1 or 2 relay device.

(Appendix 4)
The relay packet relayed by the relay control unit is monitored at any position on the path connecting the first communication control unit, the relay control unit, and the second communication control unit, and the result of the monitoring is The relay device according to any one of appendices 1 to 3, further comprising: a monitoring unit that generates the access permission information based on the information.

(Appendix 5)
In the monitoring of the relay packet, when the monitoring unit detects an access failure based on a response included in the relay packet, the access means determines whether the access is permitted based on the inaccessible information generated based on the source address of the response The relay device according to appendix 4.

(Appendix 6)
The monitoring unit measures the response time for each communication method from when the access request included in the relay packet is transferred to when the response to the access request is received when generating the access permission information. 6. The relay device according to appendix 4 or 5, wherein the response times for the communication methods with respect to the same destination are compared, and the access permission / prohibition information is updated with information indicating that the communication method with the slower response time is inaccessible.

(Appendix 7)
DNS proxy means for performing DNS proxy processing for a DNS inquiry and DNS response included in the relay packet instead of the access permission information,
The DNS proxy process holds the information included in the DNS response included in the relay packet as cache information, and then receives a new DNS query for the same domain name as the domain name targeted by the DNS response. , Including a process of returning a DNS response generated by itself based on the cache information to the inquiry source,
The monitoring unit instructs the DNS proxy unit to update the cache information, instead of generating or updating the access permission information.
The relay device according to any one of appendices 4 to 6, wherein the DNS proxy unit changes information regarding a domain name that has failed in name resolution to a negative cache, based on the instruction.

(Appendix 8)
Receiving a first packet from a first network;
Determining whether the destination of the first packet is accessible based on accessibility information including information representing a destination that is accessible or not accessible via the second network;
If the destination of the first packet is an accessible destination, relay the first packet to the second network;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent to the transmission source of the first packet. Relay method to send to.

(Appendix 9)
The access permission / prohibition information further includes information representing a destination that is accessible or not accessible via the first network,
Receiving a second packet from the second network;
Determining whether the destination of the second packet is accessible based on the accessibility information;
When the destination of the second packet is an accessible destination, relay the second packet to the first network;
When the destination of the second packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from that of the second packet is transmitted to the transmission source of the second packet. The relay method according to appendix 8.

(Appendix 10)
The plurality of communication methods include an IPv4 protocol and an IPv6 protocol.
The relay method according to appendix 8 or 9.

(Appendix 11)
After receiving a relay packet that is a packet received from the first network or the second network, a monitoring process for monitoring the relay packet is further performed.
The relay method according to any one of appendices 8 to 10, wherein the access permission information is generated based on a result of the monitoring process.

(Appendix 12)
In the monitoring process, when an access failure is detected based on a response included in the relay packet,
The relay method according to claim 11, wherein the access permission information is updated with inaccessible information generated based on a transmission source address of the response.

(Appendix 13)
In the monitoring process, a response time from when the access request included in the relay packet is transferred to when a response to the access request is received is measured for each communication method,
Compare the response times for each communication method for the same destination,
The relay method according to appendix 11 or 12, wherein the access enable / disable information is updated with information indicating that access to the communication method with a slower response time is inaccessible.

(Appendix 14)
When a DNS response is included in the relay packet when the relay packet is received, information included in the DNS response is retained as cache information,
Next, when a new DNS query is received for the same domain name as the domain name targeted by the DNS response, a DNS proxy process is performed to return a DNS response generated by itself to the query source based on the cache information. Run,
The relay according to any one of appendices 11 to 13, wherein, in the monitoring process, instead of generating or updating the access permission information, information on a domain name that has failed in name resolution included in the cache information is changed to a negative cache. Method.

(Appendix 15)
A first reception process for receiving a first packet from a first network;
First determination processing for determining whether or not the destination of the first packet is accessible based on access permission information including information indicating a destination that is accessible or not accessible via the second network When,
A first relay process for relaying the first packet to the second network when the destination of the first packet is an accessible destination;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent to the transmission source of the first packet. A computer program that causes a computer to execute first notification processing to be transmitted to the computer.

(Appendix 16)
The access permission / prohibition information further includes information representing a destination that is accessible or not accessible via the first network,
A second reception process for receiving a second packet from the second network;
A second determination process for determining whether the destination of the second packet is accessible based on the accessibility information;
A second relay process for relaying the second packet to the first network when the destination of the second packet is an accessible destination;
When the destination of the second packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from that of the second packet is transmitted to the transmission source of the second packet. The computer program according to attachment 15, wherein the computer executes the second notification process.

(Appendix 17)
The plurality of communication methods include an IPv4 protocol and an IPv6 protocol.
The computer program according to appendix 15 or 16.

(Appendix 18)
A monitoring process for monitoring a relay packet that is a packet received by the first reception process or the second reception process after the first reception process or the second reception process;
The computer program according to any one of supplementary notes 15 to 17, further causing a computer to execute a generation process for generating the accessibility information based on a result of the monitoring process.

(Appendix 19)
In the monitoring process, when an access failure is detected based on a response included in the relay packet,
The computer program according to claim 18, wherein, in the generation process, the access permission information is updated with inaccessible information generated based on a transmission source address of the response.

(Appendix 20)
In the monitoring process, a response time from when the access request included in the relay packet is transferred to when a response to the access request is received is measured for each communication method,
Compare the response times for each communication method for the same destination,
The computer program according to appendix 18 or 19, wherein, in the generation process, the access permission / rejection information is updated with information indicating that access to the communication method with a slower response time is inaccessible.

(Appendix 21)
When a DNS response is included in the relay packet, after the first reception process or the second reception process,
The information contained in the DNS response is stored as cache information, and then generated based on the cache information when a new DNS query is received for the same domain name as the target domain name of the DNS response. Execute DNS proxy processing that returns a DNS response to the inquiry source,
21. The computer according to any one of appendices 18 to 20, wherein, in the generation process, instead of generating or updating the access permission information, information related to a domain name that has failed in name resolution included in the cache information is changed to a negative cache. ·program.

1, 10, 100 Relay device 2 First communication control unit 3 Second communication control unit 4, 103 Relay control unit 5 Storage device 6 Accessability information 11, 101 Monitoring unit 21, 31 Network interface unit (NIC)
22, 32 IPv4 control unit 23, 33 IPv6 control unit 40 Terminal 50, 51 Server 60, 61 DNS server 70 Router 102 Proxy DNS unit 110 Management information 111 Cache information 900 Information processing device (computer)
901 CPU
902 ROM
903 RAM
904 Communication interface (I / F)
905 Display 906 Hard disk device (HDD)
906A Program group 906B Various storage information 907 Bus 1000 First network 1001 Second network 1100 LAN
1101 IPv4 network 1102 IPv6 closed network 1103 Internet 1500 network (communication network)

Claims (10)

First communication control means for controlling communication to the first network performed by a plurality of communication methods;
Second communication control means for controlling communication to the second network performed by a plurality of communication methods;
Access permission information including information indicating a destination that receives the first packet from the first network via the first communication control means and is accessible or not accessible via the second network. To determine whether the destination of the first packet is accessible, based on
When the destination of the first packet is an accessible destination, the first packet is relayed to the second network via the second communication control means;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent via the first communication control unit. And a relay control means for transmitting to the transmission source of the first packet. The access permission / prohibition information further includes information representing a destination that is accessible or not accessible via the first network,
The relay control unit further receives the second packet via the second communication control unit, and determines whether the destination of the second packet is accessible based on the access permission information. ,
When the destination of the second packet is an accessible destination, the second packet is relayed to the first network via the first communication control means;
When the destination of the second packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from that of the second packet is sent via the second communication control means. The relay apparatus according to claim 1, wherein the relay apparatus transmits the packet to the transmission source of the second packet. The plurality of communication methods include an IPv4 protocol and an IPv6 protocol.
The relay apparatus according to claim 1 or 2. The relay packet relayed by the relay control unit is monitored at any position on the path connecting the first communication control unit, the relay control unit, and the second communication control unit, and the result of the monitoring is The relay apparatus according to claim 1, further comprising: a monitoring unit that generates the access permission information based on the information. In the monitoring of the relay packet, when the monitoring unit detects an access failure based on a response included in the relay packet, the access means determines whether the access is permitted based on the inaccessible information generated based on the source address of the response The relay device according to claim 4. The monitoring unit measures the response time for each communication method from when the access request included in the relay packet is transferred to when the response to the access request is received when generating the access permission information. The relay apparatus according to claim 4 or 5, wherein the response times for the communication methods with respect to the same destination are compared, and the access permission / rejection information is updated based on inaccessibility information for a communication method with a slower response time. DNS proxy means for performing DNS proxy processing for a DNS inquiry and DNS response included in the relay packet instead of the access permission information,
The DNS proxy process holds the information included in the DNS response included in the relay packet as cache information, and then receives a new DNS query for the same domain name as the domain name targeted by the DNS response. , Including a process of returning a DNS response generated by itself based on the cache information to the inquiry source,
The monitoring unit instructs the DNS proxy unit to update the cache information, instead of generating or updating the access permission information.
The relay device according to any one of claims 4 to 6, wherein the DNS proxy means changes information related to a domain name that has failed in name resolution to a negative cache based on the instruction. Receiving a first packet from a first network;
Determining whether the destination of the first packet is accessible based on accessibility information including information representing a destination that is accessible or not accessible via the second network;
If the destination of the first packet is an accessible destination, relay the first packet to the second network;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent to the transmission source of the first packet. Relay method to send to. After receiving a relay packet that is a packet received from the first network or the second network, a monitoring process for monitoring the relay packet is further performed.
The relay method according to claim 8, wherein the access permission information is generated based on a result of the monitoring process. A first reception process for receiving a first packet from a first network;
First determination processing for determining whether or not the destination of the first packet is accessible based on access permission information including information indicating a destination that is accessible or not accessible via the second network When,
A first relay process for relaying the first packet to the second network when the destination of the first packet is an accessible destination;
When the destination of the first packet is an inaccessible destination, a notification packet that prompts communication using a communication method different from the communication method that transmitted the first packet is sent to the transmission source of the first packet. A computer program that causes a computer to execute first notification processing to be transmitted to the computer.

Images