JP2022153318A - Relay device and local breakout transfer method - Google Patents

Abstract

To solve a problem in which, as a local breakout method, when a session between a terminal and a router and a session between an external website and the router are terminated at the router, processing such as TCP flow control, window control, congestion control, and retransmission control takes time, and the relay cannot be performed at high speed.SOLUTION: A router 42 rewrites a source IP address and the PORT number of the destination of a packet transmitted by a terminal 41 from the IP address and the PORT number of the terminal 41 to the IP address and the PORT number of the router 42. Also, the router 42 rewrites the IP address and the PORT number of the destination of a packet transmitted by the terminal 41 from the IP address and the PORT number of a proxy server 44 to the IP address and the PORT number of an external website 45. In this way, two TCP sessions are converted by a table, such that the relay can be performed at high speed.SELECTED DRAWING: Figure 10

Description

The present invention relates to network local breakout technology.

In general, when connecting a computer at a base within a company to a network outside the company, the connection is made via a computer at the data center of the head office. This is to prevent dangerous connection destinations existing in the network outside the company from being detected by the computer in the data center of the head office and not connected.

FIG. 1 is a conceptual diagram of such a connection. 11 is a network outside the enterprise. 12 is a data center at the head office. 13 to 15 are computers at the base. The computers at the base are connected to a network 11 outside the company via a data center 12 at the head office.
However, in recent years, access to SaaS (Software as a Service) such as Microsoft 365 (registered trademark) (hereinafter also referred to as "M365") is increasing. Therefore, it is a problem that the intra-company network is under pressure.

As one method for solving this problem, a technique called Local Break Out (hereinafter sometimes referred to as "LBO") is known, as described in Patent Document 1.
FIG. 2 is a diagram for explaining the principle of LBO. 11 to 15 mean the same as in FIG. In LBO, the base computer determines whether or not the connection destination is safe, and if the connection destination is safe, it connects directly to the external network 11 without going through the data center 12 at the head office (dotted line in FIG. 2). ).

FIG. 3 is a diagram showing the existing LBO procedure.
A DNS (Domain Name System) server 31 converts a domain name into an IP address. 32 is a router. The router 32 has a table of secure domain names, ie domain names to LBO. This table is hereinafter referred to as LBO profile 37 . 33 is an Internet gateway. 34 is a closed network. 35 is the Internet network. 36 is a terminal such as a personal computer.

The operation of FIG. 3 will be described.
Step S301: The terminal 36 transmits a URL or mail address including a domain name.
Step S302: The router 32 sends the domain name of the received URL or mail address to the DNS server 31. FIG.
Step S303: The DNS server 31 converts the received domain name into an IP address and sends it back to the router 32 together with the received domain name.
Step S304: The router 32 compares the domain name received from the DNS server 31 with the LBO profile 37 and determines whether or not to perform LBO.

Step S305: If the domain name received from the DNS server 31 does not match the domain name recorded in the LBO profile 37 and the router 32 decides not to perform LBO, as usual, via the Internet gateway 33, Connect to the Internet network 35 .
Step S306: When the domain name received from the DNS server 31 matches the domain name recorded in the LBO profile 37 and the router 32 determines to perform LBO, the IP address received from the DNS server 31 is LBOed. Register as a route.
Step S307: Directly connect to the Internet network 35 according to the registered LBO route.

In Patent Document 2, as a result of querying a DNS server, if the connection destination is a destination to be directly forwarded to the Internet, by registering route information with the IP address of the query result as the destination in a routing table, The communication to the corresponding connection destination from the head office is transferred directly to the Internet without going through the head office.

Further, in Patent Document 3, when an application running on a terminal requests a server to send a request packet is detected by the TCP management unit of the relay device, the determination unit of the relay device analyzing the request packet, and determining whether or not to switch a plurality of communication paths of a second network connecting the relay device and the server, which transmits the request packet, based on the result of the analysis; Have been described.

4 and 5 are diagrams for explaining conventional LBO when there is a proxy server at the boundary between the internal network and the external network. FIG. 4 is a diagram when LBO is performed. FIG. 5 is a diagram when LBO is not performed. The operation of a conventional LBO with this proxy server is described in detail on pages 16-17 of Non-Patent Document 1.
41 is a terminal such as a personal computer. 42 is a router. 43 is a DNS server. 44 is a proxy server. 45 is an external website. Proxy server 44 may reside at data center 12 of FIG.

The operation of FIG. 4 will be described.
Step S401: The terminal 41 uses the destination IP as a proxy server to transmit a synchronization packet of the TCP 3-way handshake procedure.
Step S402: The router 42 returns a synchronous ACK packet of the TCP 3-way handshake procedure.
Step S403: The terminal 41 transmits an ACK packet of the TCP 3-way handshake procedure. This completes the TCP three-way handshake procedure. The terminal 41 sets the Host as "microsoft365.com" and transmits the HTTP CONNECT method.

Step S404: The router 42 decides to LBO because "microsoft365.com" matches the domain name recorded in the LBO profile.
Step S405: The router 42 sends "microsoft365.com" to the DNS server 43 and acquires the IP address of "microsoft365.com".
Step S406: The router 42 sends the synchronization packet of the TCP 3-way handshake procedure to the external website 45 without going through the proxy server 44 .

Step S407: The external website 45 returns a synchronous ACK packet of the TCP 3-way handshake procedure.
Step S408: The router 42 sends the ACK packet of the TCP 3-way handshake procedure to the external website 45; This completes the TCP three-way handshake procedure between router 42 and external website 45 . The router 42 converts the TCP session between the terminal 41 and the router 42 and the TCP session between the router 42 and the external website 45 for communication.

FIG. 5 shows the case where there is a proxy server on the boundary between the internal network and the external network, but in S404 of FIG. 4, the Host does not match the domain name of the LBO profile and LBO is not performed. 41 to 45 are the same as those in FIG.

The operation of FIG. 5 will be described.
Step S501: The terminal 41 uses the destination IP as a proxy server to transmit a synchronization packet of the TCP 3-way handshake procedure.
Step S502: The router 42 returns a synchronous ACK packet of the TCP 3-way handshake procedure.
Step S503: The terminal 41 transmits an ACK packet of the TCP 3-way handshake procedure. This completes the TCP three-way handshake procedure. The terminal 41 sets the Host to "aaa.net" and transmits the HTTP CONNECT method.

Step S504: The router 42 decides not to LBO because "aaa.net" does not match the domain name recorded in the LBO profile.
Step S505: The router 42 sends a synchronization packet of TCP 3-way handshake procedure with the destination IP as the proxy server 44 .

Step S506: The proxy server 44 returns a synchronous ACK packet of the TCP 3-way handshake procedure.
Step S<b>507 : The router 42 transmits an ACK packet of the TCP 3-way handshake procedure to the proxy server 44 . This completes the TCP three-way handshake procedure between router 42 and proxy server 44 . The router 42 sets the Host to "aaa.net" and transmits the HTTP CONNECT method.
Step S508: The proxy server 44 converts the TCP session between the router 42 and the proxy server 44 and the TCP session between the proxy server 44 and the external website 45 for communication.

JP 2019-057801 (paragraph number 0002-0003) Japanese Patent No. 5790775 Japanese Patent No. 5913258

juniper. NETWORKS, “What is an enterprise SD-WAN that can be easily introduced in a proxy environment?”, pp. 11-17, [online], September 24, 2019, [searched February 19, 2021], Internet, <https: //www.juniper.net/assets/jp/jp/local/pdf/additional-resources/osaka-seminar-sd-wan-handsout.pdf＞

In the conventional example of FIG. 4, when performing LBO, the router 42 terminates the TCP session between the terminal 41 and the router 42, and terminates the TCP session between the external website 45 and the router 42. connected two TCP sessions.
However, with this configuration, TCP flow control, window control, congestion control, retransmission control, and other processes are performed in the router 42. These processes take time, and high-speed relaying is not possible. There was a problem.

Rather than terminating the TCP session between the terminal 41 and the router 42 and the TCP session between the external website 45 and the router 42 at the router 42, the present invention uses a table to terminate the TCP session between the terminal and the proxy server. 1 and high-speed relay by rewriting the session information of the TCP session 2 between the router and the external website.

The present inventors used a table in the router to rewrite the session information of TCP session 1 between the terminal and the proxy server and TCP session 2 between the router and the external website, thereby enabling high-speed relaying. I found that it can be done, and came to complete the present invention.

[1] A relay device that locally breaks out communication from the terminal to a specific connection destination in an environment where the terminal communicates via a proxy server,
The relay device includes a processing unit,
When the processing unit performs the processing of the local breakout,
rewriting the source IP address and port number of a packet sent by the terminal to the proxy server to the IP address and port number of the relay device, and replacing the destination IP address and port number of the packet with the connection destination IP address; and a first process of rewriting to a PORT number and transmitting to the connection destination;
difference between the sequence number and the acknowledgment number in the communication between the terminal and the proxy server and the sequence number and the acknowledgment number in the communication between the relay device and the connection destination are registered in the relay device; A relay device that performs a second process of rewriting a sequence number and an acknowledgment number of a packet transmitted by the connection destination according to the registered difference.
[2] The relay device according to [1] above, in which the first process and the second process are performed in a data plane of the processing unit.
[3] The processing unit registers a difference between the time stamp of the connection destination and the time stamp of the proxy server in the relay device, and in the data plane of the processing unit, when the connection destination is the local breakout, The relay device according to [1] above, which updates the time stamp of the packet to be transmitted with the difference.
[4] The processing unit registers a difference between the window scale of the connection destination and the window scale of the proxy server in the relay device, and in the data plane of the processing unit, when the local breakout occurs, the connection destination The relay device according to [1] above, wherein the window size of the packet to be transmitted is updated by the difference.
[5] The relay device according to [1] above, wherein the processing unit updates the checksum of the IP header after rewriting the portion other than the checksum of the IP header.

[6] The relay device according to any one of [1] to [4] above, wherein the processing unit updates the checksum of the TCP header after rewriting the portion other than the checksum of the TCP header.
[7]
A method in which a relay device locally breaks out communication from a terminal to a specific connection destination in an environment where the terminal communicates via a proxy server,
The relay device includes a processing unit,
When the relay device processes the local breakout,
rewriting the source IP address and port number of a packet sent by the terminal to the proxy server to the IP address and port number of the relay device, and replacing the destination IP address and port number of the packet with the connection destination IP address; and a first process of rewriting to a PORT number and transmitting to the connection destination;
difference between the sequence number and the acknowledgment number in the communication between the terminal and the proxy server and the sequence number and the acknowledgment number in the communication between the relay device and the connection destination are registered in the relay device; A local breakout method for performing a second process of rewriting a sequence number and an acknowledgment number of a packet transmitted by the connection destination according to the registered difference.

According to the present invention, a table is used in the router to rewrite the session information of the TCP session 1 between the terminal and the proxy server and the TCP session 2 between the router and the external website, thereby relaying at high speed. can be done.

FIG. 1 is a diagram in which a computer at a base is connected to a network outside the company via a data center; It is a figure explaining the principle of LBO. 1 is a diagram showing an existing LBO procedure; FIG. FIG. 10 is a diagram of conventionally performing LBO when having a proxy server; FIG. 10 is a diagram of conventionally not performing LBO when having a proxy server; FIG. 4 is a diagram of performing LBO in an embodiment of the present invention; FIG. 4 is a diagram without LBO in an embodiment of the present invention; FIG. 10 is a diagram illustrating details of conversion of session information when LBO is performed in the embodiment of the present invention; FIG. 10 is a diagram illustrating details of conversion of session information when LBO is performed in the embodiment of the present invention; FIG. 10 is a diagram illustrating details of conversion of session information when LBO is performed in the embodiment of the present invention; It is a figure explaining rewriting of a sequence number and an acknowledgment number in embodiment of this invention. It is a figure explaining rewriting of a sequence number and an acknowledgment number in embodiment of this invention. FIG. 4 is a diagram illustrating details of time stamp conversion according to the embodiment of the present invention; FIG. 5 is a diagram illustrating details of notification of MSS information in the embodiment of the present invention; FIG. 4 is a diagram illustrating details of scale size conversion in the embodiment of the present invention; It is a figure explaining the internal structure of the router in embodiment of this invention. FIG. 10 is a diagram showing communication paths when terminals at the head office and branch offices do not perform LBO; FIG. 4 is a diagram showing communication paths when terminals of a head office and branch offices perform LBO;

An embodiment of the present invention will be described below with reference to FIGS. 6 and 7. FIG.
FIG. 6 is a diagram for performing LBO in the embodiment of the present invention. 41 to 45 are the same as those in FIG.
Step S601: Establish a TCP session between the terminal 41 and the proxy server 44 by a TCP 3-way handshake procedure. The router 42 snoops on the communication between the terminal 41 and the proxy server 44 and acquires TCP parameters.

Step S602: The terminal 41 sets the Host as "microsoft365.com" and transmits the HTTP CONNECT method to the proxy server 44. FIG. The router 42 snoops on this communication and detects that the Host is "microsoft365.com". Router 42 matches the detected "microsoft365.com" to the LBO profile and determines that "microsoft365.com" matches the domain name recorded in the LBO profile. Accordingly, it is decided to perform LBO.
Step S603: The router 42 uses the DNS server 43 to convert the domain name into an IP address.
Step S604: The router 42 may register the IP address as the LBO route.

Step S605: The router 42 sends a synchronization packet of the TCP 3-way handshake procedure to the external website 45;
Step S606: The router 42 establishes a TCP session with the external website 45;
Step S<b>607 : The router 42 sends CONNECT Estab to the terminal 41 .
Step S608: Using the table, the router 42 rewrites the session information of the TCP session between the terminal 41 and the proxy server 44 and the TCP session between the router 42 and the external website 45 to set the breakout destination. Send to

FIG. 7 is a diagram of a case where LBO is not performed in the embodiment of the present invention. 41 to 45 are the same as those in FIG.
Step S701: Establish a TCP session between the terminal 41 and the proxy server 44 by a TCP 3-way handshake procedure. The router 42 snoops on the communication between the terminal 41 and the proxy server 44 and acquires TCP parameters.

Step S702: The terminal 41 sends the HTTP CONNECT method to the proxy server 44 with Host set to "aaa.com". The router 42 snoops on this communication and detects that the Host is "aaa.com". Router 42 matches the detected "aaa.com" to the LBO profile and determines that "aaa.com" does not match the domain name recorded in the LBO profile. Thereby, it is decided not to perform LBO.
Step S703: The proxy server 44 uses the DNS server 43 to convert the domain name into an IP address.

Step S704: The proxy server 44 establishes a TCP session with the external website 45.
Step S<b>705 : The proxy server 44 sends CONNECT Estab to the terminal 41 .
Step S706: The proxy server 44 converts the TCP session between the terminal 41 and the proxy server 44 and the TCP session between the proxy server 44 and the external website 45 for communication.

As described above, in the present invention, the router snoops the communication between the terminal and the proxy server and detects the domain name of the external website, so the router does not terminate the TCP session from the terminal. , therefore, the problem of degraded performance and increased resource consumption does not occur.
In addition, in the present invention, the proxy server is also used when LBO is performed, so the CONNECT ESTAB from the proxy server can be used as a criterion for relaying, thereby enabling the user authentication function and filtering function of the proxy server to be used. can.

In the embodiment of the present invention, the domain name is detected by referring to the CONNECT method, but the object of reference is not limited to the CONNECT method. The domain name may be detected by referring to the GET method of HTTP.

Also, as shown in FIG. 7, assuming that the connection goes through a proxy server, the router refers to the SNI option of Client Hello of SSL/TLS, and after it is found that the connection destination is an external website to which LBO should be performed, , the router may change the connection as indicated by the dotted line in FIG.

In the embodiment of the present invention, whether or not to perform LBO is determined based on the domain name detected by referring to the CONNECT method. and at least one of the QoS functions (priority control and bandwidth control) may be determined.

In addition, the detected domain name is converted to an IP address by a DNS server, and a TCP session connection to an external website is made based on that IP address.In addition, the IP address is registered as an LBO route. may

The method of determining whether or not to perform LBO by having the router 42 peek at packets transmitted from the terminal 41 to the proxy server 44 has been described above.
Details of the conversion between the TCP session between the terminal 41 and the proxy server 44 and the TCP session between the router 42 and the external website 45 performed by the router 42 in step S608 of FIG. 6 will be described below. do.

8 to 10 show the flow of a series of processes with three diagrams, and are diagrams showing the details of the process of FIG.
Step S<b>801 : The terminal 41 transmits a SYN packet to the proxy server 44 .
Step S<b>802 : Proxy server 44 transmits a SYN/ACK packet to terminal 41 .
Step S<b>803 : The terminal 41 transmits an ACK packet to the proxy server 44 .
Step S804: The router peeks at the packets transmitted during steps S801 to S803, and retrieves the session information of the TCP session between the terminal 41 and the proxy server 44 (hereinafter referred to as "TCP session 1"). get.

Step S<b>805 : The terminal 41 sends the CONNECT method to the proxy server 44 .
Step S806: The router 42 snoops the CONNECT method on the control plane 422 and, as a result, determines that LBO should be performed.
Step S<b>807 : The router 42 queries the DNS server 43 .
Step S808: The DNS server 43 returns the IP address of the external website 45 to the router 42;

Step S<b>809 : The proxy server 44 transmits CONNECT Estab addressed to the terminal 41 .
Step S810: The router 42 receives the CONNECT Estab addressed to the terminal 41 and holds the CONNECT Estab addressed to the terminal 41 without transmitting it to the terminal.

In FIG. 9, the following operations are performed.
Step S901: The router 42 sends a SYN packet to the external website 45 on the control plane 422;
Step S902: The external website 45 sends a SYN/ACK packet to the router 42;
Step S903: The router 42 sends an ACK packet to the external website 45;

Step S904: The router 42 establishes a TCP session with the external website 45 (this TCP session is hereinafter referred to as "TCP session 2") through steps S901 to S903.
Step S905: The router 42 creates conversion tables (970 and 980) for TCP session 1 and TCP session 2. FIG.
Step S906: The router 42 registers the conversion tables (970 and 980) for TCP session 1 and TCP session 2 in the data plane 421. FIG.

The IP address and PORT number of the terminal 41 are stored in the source column of the packet transmitted by the terminal 41 in the TCP session 1 . The router 42 rewrites this to the IP address and PORT number of the router 42 in the TCP session 2 . Also, in the TCP session 1, the IP address and PORT number of the proxy server 44 are stored in the destination column of the packet transmitted by the terminal 41 . The router 42 rewrites this to the IP address and PORT number of the external website 45 in the TCP session 2 .
Similarly, the data plane 421 rewrites the IP address and the PORT number for packets destined for the router 42 from the external website 45 in the opposite direction.

Step S907: The router 42 transfers to the terminal 41 the CONNECT Estab addressed to the terminal 41 held in step S810.
Step S908: The router 42 disconnects the TCP session 1 with the proxy server 44 to release resources.

In FIG. 10, the following operations are performed.
Step S1001: The terminal 41 transmits CLIENT Hello.
Step S1002: On the data plane 421, the router 42 rewrites the IP address and PORT number between the TCP session 1 and the TCP session 2 described in step S906.

As a result of the processing described with reference to FIGS. 8 to 10, the router 42 converts TCP sessions, but does not manage TCP sessions. Therefore, the router 42 does not need to perform protocol processing.
In addition, since the router 42 converts the TCP session on the data plane 421 , it is more advantageous in terms of performance than the method of terminating the TCP session on the control plane 422 .

In the above description, the rewriting of the IP address and the PORT number when performing LBO has been described with reference to FIGS.
However, when performing LBO, it is also necessary to rewrite the sequence number and acknowledgment number (hereinafter referred to as "Ack number") in addition to the IP address and PORT number. This will be explained below.

Rewriting of sequence numbers and acknowledgment numbers (hereinafter referred to as “Ack numbers”) when LBO is performed will be described with reference to FIGS. 11 and 12. FIG.
The TCP header has fields for Sequence Number and Ack Number.
Steps S1101 to S1103 in FIG. 11 are a well-known 3-way handshake procedure, so description thereof will be omitted. In step S1104, the terminal 41 transmits 120 bytes of data.

In step S1105, the proxy server 44 sets "the Ack number (20001) received from the other party" as the sequence number. In step S1105, the proxy server 44 sets "10121" obtained by adding the "received data size value (120)" to the "received sequence number (10001)" as an Ack number.

At step S 1106 , router 42 initiates a three-way handshake with external website 45 . Since the three-way handshake in steps S1106 to S1108 is performed separately from the communication up to step S1105, there is no relationship between the sequence number and Ack number in step S1105 and the sequence number and Ack number in step S1108. do not have. Therefore, for example, if the packet sent by the terminal 41 is delivered to the external website 45 as it is after step S1109, the external website 45 receives a packet containing a sequence number and an Ack number that do not comply with TCP rules. It will be.

Therefore, at the time of A in FIG. 11, the difference in sequence number and the difference in Ack number between the communication between the terminal 41 and the proxy server 44 and the communication between the router 42 and the external website 45 are registered in the router 42. back. Then, in subsequent communications, the router 42 rewrites the sequence number and the Ack number.

When the terminal 41 transmits after step S1109, the terminal 41 uses "the Ack number (10121) received from the other party" as the sequence number. Also, the terminal 41 sets “20040” obtained by adding “the value of the received data size (39)” to “the sequence number (20001) received from the other party” as the Ack number. This content is described in the lower left corner of FIG.

Since the router 42 has grasped the contents described in the lower left corner of FIG. 11, the difference between the contents described in the lower left corner of FIG. create. Specifically, the difference (19880) between the sequence number (30001) in step S1108 and the sequence number (10121) in the lower left corner of FIG. 11 is the "upstream sequence number difference". Also, the difference (19961) between the Ack number (40001) in step S1108 and the Ack number (20040) in the lower left corner of FIG. 11 is the "uplink Ack number difference".

When the terminal 41 transmits 517-byte data in step S1201 of FIG. 12, the router 42 adds the difference "19880" to the sequence number (10121) in step S1202. Also, the router 42 adds the difference "19961" to the Ack number (20040). Thus, in step S1203, external website 45 receives a packet containing a sequence number and an Ack number according to TCP rules.

In step S1204 of FIG. 12, the external website 45 uses "the Ack number received from the other party (40001)" as the sequence number. Also, the external website 45 sets "30518", which is obtained by adding the "received data size value (517)" to the "received sequence number (30001)", as an Ack number.

According to TCP's rules for Sequence Numbers and Ack Numbers, the difference in Down Sequence Numbers is equal to the difference in Up Ack Numbers. In addition, the difference in downlink Ack numbers is equal to the difference in uplink sequence numbers.

Therefore, in step S1205, the router 42 subtracts the upstream Ack number difference (19961) from the sequence number (40001) in step S1204 to obtain "20040" as the rewritten sequence number.
In step S1205, the router 42 subtracts the upstream sequence number difference (19880) from the Ack number (30518) in step S1204 to obtain "10638" as the rewritten sequence number.

If the proxy server 44 receives the packet of step S1201, the proxy server 44 performs the following operations. The proxy server 44 uses "the Ack number received from the other party (20040)" as the sequence number. Also, the proxy server 44 sets "10638" obtained by adding the "received data size value (517)" to the "received sequence number (10121)" as an Ack number. The above sequence number and Ack number are the same as the sequence number and Ack number in step S1206. Therefore, according to the embodiment of the present invention, it can be confirmed that the terminal 41 receives a packet containing a sequence number and an Ack number according to TCP rules.

By the way, the TCP header has a field called option. This option field can be used in various ways to improve the performance of TCP communication. Next, list some of the option types along with the option number.

0. End Of Option List
1. No operation
2. MSS (Maximum Segment Size)
3. Window Scale
4. SACK (Selective ACKnowledge) Permitted
5. SACK
8. time stamp

The options field can also be used for multiple options. Hereinafter, conversion processing between TCP session 1 and TCP session 2 will be described for each of the cases where the time stamp option is valid, the MSS option is valid, and the window scale option is valid.

FIG. 13 is a diagram illustrating conversion processing between TCP session 1 and TCP session 2 when the option field is used as a time stamp.
If a packet is delayed, there may be a previous packet with the same sequence number. TCP has a feature called PAWS (Protection Against Wrapped Sequence number), in which the receiver looks at the time stamps when there are two packets with the same sequence number and uses the old time Discard packets with stamps. Therefore, the time stamp must be correctly conveyed to the receiving side.

Step S1301: The terminal 41 and the proxy server 44 notify the time stamp by SYN and SYN/ACK of the TCP session 1. FIG.
Step S1302: The router 42 peeks at the packet between the terminal 41 and the proxy server 44 and reflects the time stamp information of the terminal 41 on the router 42 . By this reflection process, the difference between the time stamp of the terminal 41 and the time stamp of the router 42 can be set to zero. The router 42 registers that the difference between the time stamp of the terminal 41 and the time stamp of the router 42 is zero.

Step S1303: The router 42 and the external website 45 notify the time stamp by SYN, SYN/ACK of TCP session 2. Thereby, the router 42 can grasp the difference between the time stamp of the external website 45 and the time stamp of the proxy server 44 . The router 42 registers the difference between the time stamp of this external website 45 and the time stamp of the proxy server 44 . Assume here that the difference between the time stamp of the external website 45 and the time stamp of the proxy server 44 is "100".

Step S1304: The router 42 creates conversion tables (1370 and 1380) between TCP session 1 and TCP session 2.
Step S1305: The router 42 registers the conversion table (1370 and 1380) between TCP session 1 and TCP session 2 in the data plane 421. FIG.

Step S1306: The data plane 421 of the router 42 converts the time stamp (=2000) of the TCP packet from the external website 45 to the difference between the registered time stamp of the external website 45 and the time stamp of the proxy server 44. Update by (100). That is, the time stamp (=2000) of the external website 45 is rewritten to the time stamp (=2100) of the proxy server 44 .
Step S<b>1307 : The data plane 421 of the router 42 transmits the packet with the updated time stamp=2100 to the terminal 41 .

Step S1308: The data plane 421 of the router 42 updates the time stamp (=100) of the TCP packet from the terminal 41 with the registered difference (=0) between the time stamp of the terminal 41 and the time stamp of the router 42. do. It should be noted that even if it says "update", since the difference is zero, it is possible to actually omit the process of updating. Alternatively, as another method, the difference between the time stamp of the terminal 41 and the time stamp of the router 42, which is not zero, may be registered without performing the reflection process in step S1302, and the update process may be performed in step S1308. .
Step S<b>1309 : The data plane 421 of the router 42 transmits the updated timestamp=100 packet to the external website 45 .
Thus, for example, in steps S1306 and S1307, the external website 45 timestamp can be converted to the proxy server 44 timestamp.

FIG. 14 is a diagram for explaining notification of MSS information when the option field is used as MSS. MSS (Maximum Segment Size) represents how much size per packet can be accepted.
Step S1401: The terminal 41 and the proxy server 44 notify the MSS by SYN and SYN/ACK of TCP session 1.
Step S1402: The router 42 peeks at the packet between the terminal 41 and the proxy server 44 and reflects the MSS information of the terminal 41 on the router 42 in advance. By this reflecting process, the router 42 registers the MSS of the terminal 41 in advance.

Step S1403: Router 42 and external website 45 notify the MSS by SYN, SYN/ACK of TCP session 2. At this time, the router 42 notifies the external website 45 of the MSS of the terminal 41 .
Step S1404: Since the size of the packet sent from the external website 45 is smaller than the MSS of the terminal 41, the phenomenon that the terminal 41 cannot receive does not occur.

FIG. 15 is a diagram illustrating conversion processing between TCP session 1 and TCP session 2 when the option field is used as the window scale.
The TCP header has a window size field inherently, not as an option. Window size represents how much TCP payload can be received without an ACK. If the option field is used as the window scale, the window size can be bit-shifted by the number of values notified as the window scale.

Step S1501: The terminal 41 and the proxy server 44 notify the window scale by SYN and SYN/ACK of the TCP session 1 .
Step S1502: The router 42 peeks at the packet between the terminal 41 and the proxy server 44, and reflects the window scale of the terminal 41 on the router 42 in advance. By this reflection processing, the difference between the window scale of the terminal 41 and the window scale of the router 42 can be set to zero. The router 42 registers that the difference between the window scale of the terminal 41 and the window scale of the router 42 is zero.

Step S1503: The router 42 and the external website 45 notify the window scale by SYN, SYN/ACK of TCP session 2. Thereby, the router 42 can grasp the difference between the window scale of the external website 45 and the window scale of the proxy server 44 . The router 42 registers the difference between the window scale of this external website 45 and the window scale of the proxy server 44 . Assume here that the window scale of the external website 45 is "6" and the window scale of the proxy server 44 is "2". At this time, the router 42 registers the difference "4" between them.

Step S1504: The router 42 creates conversion tables (1570 and 1580) between TCP session 1 and TCP session 2.
Step S1505: The router 42 registers the conversion table (1570 and 1580) between TCP session 1 and TCP session 2 in the data plane 421. FIG.

Step S1506: The data plane 421 of the router 42 sets the window size (=261) of the TCP packet from the external website 45 to the difference between the registered window scale of the external website 45 and the window scale of the proxy server 44. (4:2 to the 4th power=16).
Step S<b>1507 : The data plane 421 of the router 42 transmits the updated window size=4176 packet to the terminal 41 .

From the exchange in S1501, the terminal 41 recognizes that the window scale of the communication partner is "2". However, there is a difference of "4" between the window scale "2" of the communication partner recognized by the terminal 41 and the window scale "6" of the external website 45 that receives the data transmitted by the terminal 41. do. Therefore, if the window size is updated with the difference, the correct amount of data that the external website 45 can receive without ACK is communicated to the terminal 41 .

Step S1508: The data plane 421 of the router 42 updates the window size (=32768) of the TCP packet from the terminal 41 by the registered difference (=0) between the time stamp of the terminal 41 and the time stamp of the router 42. do.
Step S<b>1509 : The data plane 421 of the router 42 transmits the packet with the updated time stamp=32768 to the external website 45 .

By configuring in this way, in steps S1506 and S1507, the window size of the external website 45 can be corrected to an appropriate value and transmitted to the terminal 41. FIG.

The TCP header has a checksum field. The value of this TCP header checksum is determined by the values of the other parts of the TCP header and the data part. Therefore, as described above, when the source PORT number, destination PORT number, sequence number, Ack number, window size, option field, etc. are rewritten, it is necessary to update the checksum of the TCP header accordingly. be.
The IP header also has a checksum field. The value of this IP header checksum is determined by the values of other parts of the IP header. Therefore, as described above, when the source IP address and the destination IP address are rewritten, it is necessary to update the checksum of the IP header accordingly.

FIG. 16 is a diagram illustrating the internal structure of the router 42 according to the embodiment of the invention. The router 42 as a relay device includes a detection section 1601 , a determination section 1602 and a processing section 1603 .
In an environment where the terminal 41 communicates via the proxy server 44, the detection unit 1601 refers to passing communication and detects the domain name of the connection destination. The passing communication is a CONNECT method sent by the terminal 41 to the proxy server 44, and referencing the passing communication means spying on this CONNECT method.
The determination unit 1602 refers to the LBO profile 37 and determines whether or not to perform LBO as a specific process based on the domain name detected by the detection unit 1601 .
The processing unit 1603 executes LBO processing.

FIG. 17 is a diagram for explaining communication paths when the terminals of the head office and branch offices do not perform LBO. The branch offices in FIG. 17 correspond to bases 13 and 14 in FIG. A proxy server 1706 is installed on the head office side.
Terminal A of the branch office is temporarily connected to the head office via a VPN (Virtual Private Network).
When the branch office terminal does not perform LBO, it communicates through the route of terminal A 1701 →router A 1702 →VPN 1703 →router B 1704 →proxy server 1706 →Internet 1707 →DNS server 1708 or external website 1709 .
When the terminal at the head office does not perform LBO, communication is performed through a route of terminal B 1705 →router B 1704 →proxy server 1706 →Internet 1707 →DNS server 1708 or external website 1709 .

FIG. 18 is a diagram for explaining communication paths when terminals at the head office and branch offices perform LBO.
When the branch terminal performs LBO, the VPN 1703 and proxy server 1706 are not used. Terminal A of the branch office communicates through a route of terminal A 1701 →router A 1702 →Internet 1707 →DNS server 1708 or external website 1709 .
The proxy server 1706 is not used when the head office terminal performs LBO. Terminal B at the head office communicates through a route of terminal B 1705 →router B 1704 →Internet 1707 →DNS server 1708 or external website 1709 .

In FIG. 18, when terminal A of the branch office performs LBO, router A 1702 performs LBO. However, it is also possible to employ a method in which the router A 1702 on the side of the branch office is a router that does not support LBO, and the router B 1704 on the side of the head office performs LBO. When LBO is performed by this method, terminal A of the branch office communicates through the route of terminal A 1701 →router A 1702 →VPN 1703 →router B 1704 →Internet 1707 →DNS server 1708 or external website 1709 .
With this configuration, the routers on the side of a plurality of branch offices need not support LBO, and only one router on the side of the head office needs to support LBO, which leads to cost reduction.

Although the present embodiment has been described above, the present invention is not limited to such a specific embodiment, and various modifications and changes are possible within the scope of the gist of the present invention described in the claims. is.

11 network outside company 12 data center 13-15 base computer 31 DNS server 32 router 33 internet gateway 34 closed network 35 internet network 36 terminal 37 LBO profile 41 terminal 42 router 43 DNS server 44 proxy server 45 external website 421 data plane 422 control plane 1170 difference table 1601 detection unit 1602 determination unit 1603 processing unit 1701 terminal A
1702 Router A
1703 VPN
1704 Router B
1705 Terminal B
1706 proxy server 1707 internet network 1708 DNS server 1709 external website

Claims (7)

A relay device that locally breaks out communication from the terminal to a specific connection destination in an environment where the terminal communicates via a proxy server,
The relay device includes a processing unit,
When the processing unit performs the processing of the local breakout,
rewriting the source IP address and port number of a packet sent by the terminal to the proxy server to the IP address and port number of the relay device, and replacing the destination IP address and port number of the packet with the connection destination IP address; and a first process of rewriting to a PORT number and transmitting to the connection destination;
difference between the sequence number and the acknowledgment number in the communication between the terminal and the proxy server and the sequence number and the acknowledgment number in the communication between the relay device and the connection destination are registered in the relay device; A relay device that performs a second process of rewriting a sequence number and an acknowledgment number of a packet transmitted by the connection destination according to the registered difference. 2. The relay device according to claim 1, wherein said first processing and said second processing are performed in a data plane of said processing unit. The processing unit registers a difference between the time stamp of the connection destination and the time stamp of the proxy server in the relay device, and in the data plane of the processing unit, a packet transmitted by the connection destination at the time of the local breakout 2. The relay device according to claim 1, wherein the time stamp of is updated by said difference. The processing unit registers a difference between the window scale of the connection destination and the window scale of the proxy server in the relay device, and in the data plane of the processing unit, a packet transmitted by the connection destination at the time of the local breakout 2. The relay device according to claim 1, wherein the window size of is updated by said difference. 2. The relay device according to claim 1, wherein the processing unit updates the checksum of the IP header after rewriting the portion other than the checksum of the IP header. The relay device according to any one of claims 1 to 4, wherein the processing unit updates the checksum of the TCP header after rewriting the portion other than the checksum of the TCP header. A method in which a relay device locally breaks out communication from a terminal to a specific connection destination in an environment where the terminal communicates via a proxy server,
The relay device includes a processing unit,
When the relay device processes the local breakout,
rewriting the source IP address and port number of a packet sent by the terminal to the proxy server to the IP address and port number of the relay device, and replacing the destination IP address and port number of the packet with the connection destination IP address; and a first process of rewriting to a PORT number and transmitting to the connection destination;
difference between the sequence number and the acknowledgment number in the communication between the terminal and the proxy server and the sequence number and the acknowledgment number in the communication between the relay device and the connection destination are registered in the relay device; A local breakout method for performing a second process of rewriting a sequence number and an acknowledgment number of a packet transmitted by the connection destination according to the registered difference.

Images