JP3394727B2 - Method and apparatus for communication between networks - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention provides a shared server hosting service (a service for lending to each user side network) for a plurality of different networks, especially an extranet for communicating between closed networks, a ticket reservation service, etc. By providing public services with the information held by the servers on these user-side networks (closed networks), it is possible to provide customized services (according to the needs of each user-side network) safely on a user-side network (closed network) basis. The present invention relates to an information distribution communication method and an apparatus thereof including electronic commerce.

[0002]

2. Description of the Related Art Today, the use of networks including the Internet has become widespread, and many companies are constructing closed networks in order to keep communication costs within companies low and to carry out them safely. In this construction, not only leased lines but also ATM and FR (frame relay) are used, and IP
(Internet Protocol) It uses tunneling. In addition, when a salesperson or the like connects to these closed networks from outside, PPP (Point-to-Point P
rotocol) and its extension, L2TP (Layer2 tunneling)
Protocol) is used. Communication between closed networks will increase in the future, and shared servers used by multiple closed networks will be provided without losing the closed nature of the closed network, and public services such as ticket reservation services will be provided on the servers on each closed network. The information will be customized and used in combination with the information of. As a method of realizing this, there is a method of preparing a server that provides a service on each closed network, but this is costly and the burden on the side of preparing the server is large. Therefore, consider the construction of a virtual private server, which is physically one server, but appears to exist as a separate server from each closed network and can provide customized services securely.

Currently, in the construction of a closed network of a company or the like, a local address is used or a global address is dynamically assigned only when connecting to the outside such as the Internet due to a shortage of IP addresses due to the rapid spread of the network. Then, the method of communicating with the outside is taken.
However, when dynamically assigning an address, the same address is not always assigned at the next connection. Therefore, if a mobile terminal is connected only when necessary / the connection itself is unstable, It is more necessary to give an address to. In addition, since it is difficult to establish a connection from the server side to a specific terminal in a situation where addresses are dynamically assigned, a local address is often assigned statically during network construction. When considering the service provision to the closed network constructed physically by one server in this way, (1) prevention of illegal connection via the server side network, (2) connection It is necessary to solve three problems: collision of address spaces between closed networks, and (3) establishment of connection from a server to specific terminals including mobile terminals.

This server is constructed by using the existing technology L2T.
PPP (Layer 2 tunneling Protocol) typified by PPP tunneling technology, NAT (Network Address Translato)
It can be said that two types of address conversion technology, represented by r), are useful technologies. First, the PPP tunneling technology allows a mobile terminal to connect to its own closed network without being restricted by time and place, and to use the closed network as if it exists in the closed network. . Further, as shown in FIG. 22, the closed networks A and B can be connected to the server side network via the Internet / public network, and hosts (also called terminals) belonging to the closed networks A and B have their own local addresses. Addresses in spaces A and B are given, and each host connects to the inter-network access server of the server side network using PPP tunneling through the inter-network access server (AS) of the closed network to which the host belongs. It is possible to connect with. With this configuration, P
By tunneling the PP connection to the server side, the terminal can be made to appear as if it is connected to the server belonging to its own closed network. As a result, it becomes possible to maintain the closed property of the closed network and to use the local address assigned in the closed network as it is.
However, (1) in a closed network, local addresses are freely assigned to terminals, so that terminals belonging to a plurality of different closed networks may have the same address, in which case collisions cannot be avoided. Therefore, when viewed from the server side network of the connection destination, there may be a plurality of terminals having the same address, and at this time it is not possible to correctly recognize which terminal is communicating.

(2) It is necessary to make the address indicating the server common to each closed network, and it may be necessary to make a drastic change to the existing equipment. (3) When an address is dynamically assigned from the server side when a connection is established from the terminal, it is unclear which address is assigned to a terminal that connects to the network as needed, such as a mobile terminal, There is a problem that it is impossible to provide a useful service such as information distribution from the server side, and (4) there is a possibility of unauthorized access across the closed side via the server side network. I cannot solve all issues.

In order for a user terminal, which is connected to a closed network and is given a local address, to communicate with a server, which is given a global address on the Internet, the user terminal itself must also have a global address. is there. However, as described above, since the global address is insufficient, the local address is often statically assigned to the terminal. At this time, according to the NAT (Network Address Translation) technology, communication within the closed network is performed using the local address as shown in FIG. 23, and communication with the WWW server on the Internet is performed at the NAT provided at the network boundary.
It enables communication by dynamically allocating a pre-pooled global address to the device that can use. However, this NAT dynamically associates the local address with the global address / identifies the connection between the hosts (terminals) by the combination of the address and the port number.
Since the connection between the host and the server is dynamically recognized, push type such as information distribution from the server side that has the global address to the terminal to which the local address is statically assigned after the connection is disconnected (from the terminal No connection establishment request) is not possible. (2) Since the server cannot authenticate (identify) each closed network, it is difficult to provide customized services and information for each affiliated terminal. (3) Since the NAT part is connected to the global address space, there is a problem that there is a possibility of unauthorized access, and all problems in server construction cannot be solved.

The NAT technology itself is expanded in various ways.
It is used and is considered to be applicable to the construction of the server which is the subject of this specification. The NAT technology that cooperates with PPP and the Ci that can convert both the source address and the destination address of the packet by setting Ci
There is NAT technology by sco. N in cooperation with PPP
At the AT, after establishing a PPP connection with the server,
Using the global IP address projected from the server, the NAT function is performed in communication with a global IP network such as the Internet via the PPP line. That is, the established NAT for each PPP line is possible. Consider using this technology to build a server for the task. When this technique is introduced into the server side device, NAT can be performed for each PPP line, so that it is possible to easily customize the service to be used for each closed network or change the server to be used for each closed network. However, considering the implementation by one server, there are the following problems.

[0008]

(1) The closed network of the user corresponding to the client and the network on the server side are P
Since they are connected by the PP connection, address space collision will occur in the connection between the closed networks constructed by the local addresses as in the case of using the PPP tunneling technique. In particular, when this technology is introduced on the server side, a server that receives a packet arriving from a closed network host corresponding to a client will receive the packet from which closed network host due to duplication of the address part indicating the closed network host. The packet cannot be correctly sent to the corresponding host.

(2) Since NAT is performed for the address projected when the PPP connection is established, the addresses of a plurality of servers on the server side are mapped to the address, so that the host of the closed network of the user Unable to establish a connection to a specific server among multiple servers. To establish, PP depending on the number of servers you want to use
It is necessary to establish a P line and associate one address of the server with the address negotiated by PPP.

(3) Although the address indicating the server is converted, if the converted address is the same as the address indicating the host of the closed network, communication cannot be performed correctly. Therefore, it is necessary to prevent the address used by the host of each closed network from overlapping with the server address of the server side network. It is necessary to check what local address is used in each closed network and It takes a lot of trouble and time to decide the address.

Cis, which cannot be solved due to problems such as
The NAT technology developed by Co. is different from the NAT defined in RFC1631, and uses an address conversion table by static / dynamic allocation of addresses for both the source address and destination address of the target packet. It is possible to perform address translation by using it, and it is possible to perform flexible operation by creating an address translation table used for NAT in cooperation with the application layer, especially in cooperation with DNS (Domain Name System). Due to these characteristics,
It is also possible to establish a connection from a server on the Internet having a global address, which has been difficult with the conventional NAT technology, to a host on a closed network constructed with a local address connected behind the NAT device. Also,
If the address indicating the external host of the received packet is not in the address conversion table, the packet can be discarded, or the address notified to the external network can be restricted to maintain the closedness of the closed network. When the server considered in this specification is constructed using this technique, (1) in the case of a closed network in which the server side network is also constructed with local addresses, avoid address space collision,
NAT is performed on both networks in order to communicate with hosts outside the closed network, such as servers on the Internet. At this time, in order to communicate between the closed networks, it is not possible to identify the host of the connection destination unless the global address used for NAT and the local address of the host have at least one-to-one correspondence. In this case, not only cannot the server connect to the host of the closed network, but if there are multiple servers, it is also not possible to connect to the specific server for the reasons described above.

There are problems such as the above, and all cannot be solved. As described above, when the existing technology is used, it is not possible to solve all the problems that occur in the server construction described in this specification.

[0013]

In the first invention, the first invention, and the second invention as well, a plurality of user-side networks used by a user (hereinafter, the user-side network is described as a closed network) is a server-side network. The connection is established by PPP (Point-to-Point Protocol). In the authentication at the time of establishing the PPP connection, in addition to the conventional user authentication, the connection source that has made the PPP connection authenticates (identifies) which PPP line of which closed network. According to the first invention, according to the result, information indicating which PPP line of which closed network the connected PPP connection is is associated with each PPP line. Then, by using this information as a key, the address of the server side network allocated to the corresponding PPP line and the port number corresponding to the service of the server to be used, which is determined in closed network units as necessary, P
Enter the server side network through the PP line /
Translates outgoing and outgoing packets for both source and destination network addresses and port numbers as needed.

In the first aspect of the present invention, the address space is uniquely assigned to each closed network unit in the server side network, and flexible use is performed according to the closed network unit policy. The address space prepared for each closed network in the server side network is allocated according to the following policy. First, an address space is statically assigned to each PPP line. This address space will be allocated in units of subnets. There is no need for static allocation. In that case, all are dynamically assigned to the PPP line in subnet units. And
If there is remaining space, PPP LCP for the PPP line that has consumed the allocated address space.
It is assumed that the PPP line is dynamically assigned using (setting protocol) or the like. The size of the address space to be dynamically allocated may be a necessary amount by dynamically negotiating, a fixed size may be decided, or it may be freely selected by gradually increasing the size by a certain algorithm. . Moreover, when the PPP line is dynamically allocated,
By managing which address space is assigned to which PPP line of the closed network, a packet from the server side to the terminal on the closed network side can be sent to an appropriate PPP line.

As described above, since the operations including the allocation are independent for each closed network, it is possible to avoid the problem due to the collision of the address spaces of the connected closed networks and to connect to a specific terminal. In addition, the address conversion is done on the server side, and the server side can easily control the connection.
Not only can the closed networks of each closed network be maintained, but the connected closed network can assign an address to the server that is freely used from the address space of the closed network, and the network settings can be changed at the time of introduction. Can be minimized. Hereinafter, this address conversion method will be referred to as Root-side NAT or RNA.
T). Second Invention Similar to the first invention, when the PPP connection is established, the closed network of the user to which the line belongs authenticates (identifies) which one. After the authentication of the closed network to which the PPP connection is established is established, a VLAN to be used when a VLAN (Virtual LAN) sufficient for identifying which PPP line of which closed network it is used for the PPP line is identified. Correspond with the information to Then, the packet from the PPP line is carried to the server to be used by a VLAN configuration technique such as switching based on the information for identifying the VLAN. And
The above-mentioned server is realized by operating an OS that performs various processes in units of information for identifying each VLAN in one server.

When associating the PPP line with information for identifying a VLAN sufficient to identify the closed network, the PPP line that received the packet is associated with the host address of the closed network indicated in the packet. It should be noted that this association is performed in units of information for identifying the VLAN. This allows you to make changes to your network without changing
The above server can be easily constructed and used by controlling the server side network using the information for identifying the VLAN. The VL that can identify at least the closed network in the established PPP line based on the authentication result of the closed network to which it belongs.
The method of assigning the information for identifying the AN is described below as VNAT.
Call.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION First Invention First, an embodiment of the first invention will be described. Figure 1 now
It is assumed that the system configuration is as shown in. That is, the closed networks A, B and C are respectively connected to the Internet / public network via the access server AS, and the Internet / public network and the server side network are the root-sids according to the present invention.
It is connected via an access server R-NAT with an e-NAT function. Hosts (terminals) in closed networks A and B
Addresses are assigned to the respective addresses as shown in FIG. 2A. That is, in the address space of the closed network A, the host 1 has the address 1, the host 2 has the address 2, the host 3 has the address 3, and the Server to be used has the address 10.
It is assumed that 0 is assigned. Server is one of the hosts in the server side network.
Address 1 is given to rver in the network on the server side. Further, in the network on the server side, as shown in FIG. 2B, unique address spaces are prepared for the closed networks A and B, respectively. Address groups 101 to 300 are prepared for terminals connecting from the closed network A, of which address group 1 is used for terminals connecting from the PPP line 1 used by the host 1 and the host 3.
01-200 is the PPP line 2 used by the host 2
Address groups 201 to 250 are respectively assigned to the terminals connected from. And the remaining address group 2
51 to 300, when the above allocation is used up,
It is dynamically assigned to the PPP lines 1 and 2 as needed. In the address space of the closed network B, an address 11 is used for the host 4 and an address 22 is used for the host 5.
An address 150 is assigned to each Server.
Further, in the server side network, address groups 301 to 350 are prepared for terminals connecting from the closed network B, and among them, the address groups 301 to 310 are PPP lines directly established by the terminals of the closed network B. Is statically assigned to. Also, 311 to 350 are PPP
It is assigned to the line 1 and is dynamically assigned to the host using this PPP line when the server is connected. In this way, the address space is pooled for each closed network unit in the network on the server side, the address space is allocated to the PPP line according to the usage policy of the closed network, and from there, it is statically directed to the host using the corresponding PPP line. Flexible allocation including dynamic.

Further, there is a PPP connection between the access server AS placed in each closed network and the device R-NAT having the function of Root-side NAT. Also, the terminals of the closed network are
Use a server using this PPP connection, or use a PPP
Root-s placed directly on the server side using tunneling
ide Makes a PPP connection with a device with NAT function (R-NAT) and uses a server.

Therefore, one physical server on the network on the server side is made to appear virtually as if it exists in each closed network, and can be used in multiple closed networks without losing the closedness of each closed network. It is this Root-side
It is NAT. This Root-side NAT is based on the conventional authentication of the host whether the terminal requesting the connection at the time of establishing the PPP connection with the closed network is correct when allocating the prepared address for each closed network on the server side. , Which P of the closed network
It authenticates (identifies) whether it belongs to a PP line. Based on this result, if the address is statically allocated to the terminal from the address group prepared in advance for the PPP line of the closed network, the corresponding one is selected. If not, the PP is set.
Addresses are dynamically allocated to terminals from the address space prepared for each P line.

In FIG. 1, when the PPP line is not yet established when the host 1 is connected, establishment of the PPP line starts from the AS (access server) being used, and at this time, the PPP line is closed. PPP from network A
Authenticate that it is line 1. And this closed network A
Addresses are dynamically allocated to the host from the pooled address space for the PPP line 1. In this case,
The PPP line 1 has an address space 1 as shown in FIG. 2B.
01-200 is given, and it is given dynamically from this space.
01 is assigned in the server side network. That is, the address 1 given in the closed network A for the packet from the PPP line 1 of the closed network A is converted into the address 101 by the RANT. This relationship is shown in Figure 2.
It is stored as a table as shown in A. After that, closed network A
When a packet arrives from the host 1 through the PPP line 1, the address 1 is converted into the address 101 of the server side network by referring to the table of FIG. 2A. Similarly, when a packet from the host 3 arrives, the unused address 102 is dynamically assigned to the host 3 from the same address space because it is from the PPP line 1, and the address that the host 3 has by the RATT. 3 is translated into address 102. When the host 2 connects to the server, since the PPP line 2 which is another PPP line is used, the address space 201 prepared for the PPP line 2 is used.
From -250, the unused address 220 is assigned in the network on the server side, and the address 2 is converted to the address 220 by RLAT.

The host 4 has made a PPP connection directly to the server-side device using PPP tunneling.
The establishment of the P line starts, and at this time, it is authenticated (identified) that this PPP line is the PPP line 2 from the closed network B by the same authentication. And the PPP of this closed network B
Since the address 301 is statically assigned to the line 2, the address 11 held by the host 4 is converted to the address 301 by the RNAT in the server-side network. When the host 5 connects to the server, it is authenticated that the PPP line to be used is the PPP line 1 of the closed network B, and the address space 31 prepared for the PPP line 1
Addresses not used by 1-350 are dynamically assigned to the host 5. This time, the address 311 is assigned. The packet from the host 5 to the server is
The address 22 held by the host 5 is converted to the address 311 by the RANT.

Further, the address of the server designated as the connection destination is also converted into the address assigned to the server in the server side network. This time about closed network A
The address 100 of the Server is converted to the address 1, and the address 150 of the Server for the closed network B is converted to the address 1. Although it is possible to limit the service to be used based on the address assigned to each closed network, by determining the port number of the server to be used for each closed network,
By using the port number of the server, it is possible to provide services in units of closed networks by one server physically. This time, Serv
er service for closed network A is port number A
Then, it is assumed that the service for the closed network B is provided by the port number B.

The Root-side NAT performs the conversion of the network address and the port number of both the source and the destination of the packet under the management of the server based on the correspondence between the address and the port number. In fact, host 1
When the WWW Server (port number 80) of Server is used, the packet of the host 1 undergoes the conversion operation as shown in FIG. FIG. 3A shows a packet from the host 1 to the server, and FIG. 3B shows a packet from the server to the host 1 at each R-NAT.

That is, the address translation part in the Root-side NAT is summarized as shown in FIG. In this figure, NetA is a group of addresses of the network in which the Server exists in the address space of the server side network, and NetB is a group of addresses prepared for each closed network in the address space of the server side network. is there. Further, as shown in FIG. 5, the address group prepared for each closed network is statically allocated to the terminal or each PPP line connected to the network, and the remaining space is statically allocated. It is used for dynamically allocating to a lacking PPP line in response to a request when there is not enough space left. The dynamically allocated space manages which PPP line is allocated at the time of allocation so that the packet can be transmitted to an appropriate PPP.
It can be sent to the line. In this way, the space prepared in the server-side network can be used by the closed network that is the user of each space. Compaction conversion is performed by associating the address of the terminal in each closed network with the address prepared in advance for each closed network on the server side, and the address of the Server allocated in each closed network is the address of the server in the network on the server side. Converting to will be called Merge conversion. Further, the inverse Compaction conversion identifies which PPP line of which closed network is from the address assigned to the terminal with reference to FIGS. 2A and 2B, and converts it into the address of the terminal in the closed network. Inverse Merge Transform is Inverse Compaction
The address of the server is converted into the address of the server in the closed network based on the information of the closed network that belongs to the closed network obtained from the conversion with reference to FIG. 2A. Then, by identifying which closed-loop network and which PPP line, an appropriate closed-network appropriate P
Send the packet to the PP line. At this time, the above conversion is performed as shown in FIG. 6 into the source and destination addresses of the packet from the terminal to the server and the packet from the server to the terminal. Also, regarding the port number of the server being used, the port number determined for each closed network in the server side network is converted to the port number used in the closed network.

Since the address space given to each closed network is assigned as a result of the authentication of the closed network to which it belongs, which closed network each address has been authenticated. By prohibiting connections between servers on the server side, as a result, communication between closed networks is prohibited, and the closed nature of closed networks can be secured. Furthermore, it becomes possible to customize the service to be provided for each closed network based on this address space assigned to each closed network or by determining the port number that can be used in the server for each closed network. The features of the prior art and the first invention (route side NAT) are summarized in FIG. Second Invention FIG. 8 shows a system configuration to which the second invention is applied. Closed network A, B are connected is connected to through an access server A S Internet / PSTN respectively, also the server-side network and the Internet / PSTN via VNAT function access server VNAT. In the access server VNAT with VNAT function, as shown in FIG.
A LAN tag is assigned to each PPP line in each closed network. Hereinafter, the change due to this allocation will be referred to as VNAT. The access server AS in each closed network is an access server VNAT having a VNAT function in the server side network.
PPP connection to.

Since the hosts 1, 2, and 3 are all hosts of the closed network A, information for identifying the VLAN used when using the VLAN indicating the closed network A, for example, VL.
VLAN 1 is assigned as an AN tag. Then, a child number x is assigned to identify a plurality of PPP lines from the same closed network. The hosts 1 and 3 come from the same PPP line 1, and VLAN 1-1 as the VLAN tag is associated with the PPP line 1. Also, host 2
Is connected using the PPP line 2 of the closed network A, VLAN 1-2 is associated with the corresponding PPP line 2 as a VLAN tag. Similarly, since the hosts 4 and 5 belong to the closed network B, VLAN2-x is assigned as the VLAN tag indicating the closed network B. As in the case of the closed network A, in order to identify the PPP line, the host 2 has the VLAN 2-2 ,
The VLAN 2-1 is assigned to the host 5.

As shown in FIG. 10, in the device VNAT having the VNAT function, this VLAN tag is embedded in the packet received from the closed network based on the assignment of the VLAN tag. Then, this packet is IEEE802.10.
Existing VLA such as switching function for LAN and VLAN
It is carried to the Server by N technology based on this VLAN tag. As shown in FIG. 11, the server that receives the packet uses a plurality of OSs to perform different processing for each VLAN tag.
So that one OS can operate with respect to a VLAN tag that is a unit capable of identifying a closed network.
In other words, OS 1 for performing the processing related to the tag of VLAN1-x, OS2 for performing the processing related to the tag of VLAN2-x, and so on.
S will be operated. In the network on the server side, the packet is delivered based on the VLAN tag, so that a virtual closed network including the server on the network on the server side can be constructed. No conversion is needed. As described above, by operating the OS for each VLAN tag in one server, a virtual private server can be constructed under the control of the server side without losing the closed property of the closed network. Modification of Second Invention A modification of the second invention is shown below. Since the hosts 1, 2, and 3 are all hosts of the closed network A, VLAN 1 is assigned as the VLAN tag indicating the closed network A. Next, when a plurality of PPP lines from the same closed network are established, the address indicating the host is associated with the PPP line so that the packet addressed to the host can be sent back to the PPP line that received the packet. Hosts 1 and 3
Come from the same PPP line 1 and each address is associated with the PPP line 1. Also, the host 2
Since the connection is made using the PPP line 2 of the closed network A, VLAN1 is assigned as the VLAN tag, but the address 2 of the host 2 is associated with the PPP line 2.

Similarly, since the hosts 4 and 5 belong to the closed network B, the VLAN 2 is assigned as the VLAN tag indicating the closed network B. Closed network A
As in the case of, the host address and the PPP line are associated with each other in order to send the packet back to the received PPP line. In this case, the address of the host 4 goes to the PPP line 2,
The address of the host 5 is associated with the PPP line 1.
As shown in FIG. 12, the correspondence between the PPP line and the address of the host is performed for each VLAN tag.
1 and VLAN 2 are independently associated with each other. For reference, the association for VLAN1 is as follows. In this association, the latest connection time can also be managed and a security can be enhanced by providing a timeout. In a device that performs this VNAT conversion when receiving a packet from a server, the correspondence table to be searched is first determined by using the VLAN tag embedded in the packet as a key, and then the destination address (host P) that should be sent out by searching the correspondence table using the
Check the PP line. As a result, the packet can be sent to the PPP line that received it. Concrete Example As a concrete example of using the virtual private server enabled by the method of the present invention, an example of procurement work for a plurality of companies will be described. In this example, the company 1 makes a procurement request to the companies A and B for procurement, and it is necessary to register and exchange data between the companies in order to select the better one. is there. Specific Example of First Invention It is assumed that the network configuration is as shown in FIG. The closed networks A, B and 1 are access servers AS, respectively.
1, AS2, AS3 connected to the Internet,
The ISDN network is connected to the Internet by the access server AS4, and the server side network is the root side N
It is connected to the Internet by an access server R-NAT with AT function. The device R-NAT having the root side NAT function operates by creating an address conversion table as shown in FIG. How to create the conversion table will be described later. Here, the closed network N means a closed network of the company N. A device R-NAT with a route side NAT function placed in a server network and access servers AS1, AS2, AS3 placed in each closed network
A PPP connection is made between the two using tunneling. It is also possible to connect to the access server AS4 using ISDN or the like, and a host belonging to the closed network can directly make a PPP connection with the device R-NAT in the server side network via this.

Addresses are assigned to the hosts of each closed network as shown in FIG. 14 from the address space of the closed network to which it belongs. In order to utilize this Root-side NAT function, the address space is pooled for each closed network in the server side network. In this example, the closed network A is represented by an air address of 10.10.
An address space of 1.0 subnet mask 255.255.255.0 is prepared, and an address is allocated from this space to a terminal connecting from the closed network A. Similarly, closed network B has 10.10.2.0 subnet mask 255.2.
An address space of 55.255.0 is prepared, and from this space to the terminal connecting from the closed network B, 1 to the closed network 1.
0.10.11.0 subnet mask 255.255.
An address space of 255.0 is prepared, and an address is assigned from this space to a terminal connecting from the closed network 1.

In the closed network A, the host 1 has 10.0.
1.13, host 2 is 10.0.320, W to use
Assume that 10.1.1.1 is assigned to the WW Server. Actually, the WWW Server is located in the server side network, and this WWW Server is 10.100.10.1 in the server side network.
Are provided and services are provided to terminals belonging to different closed networks. Address space 1 assigned to closed network A in the server side network
0.10.10 Subnet mask 255.255.25
Of the 55.0, the 10.10.1.0 subnet mask 255.255.255.2519 is assigned to the PPP line 1 by 1
0.10.1.64 subnet mask 255.255.
255.192 is assigned to the PPP line 2. Then, the remaining space 10.10.1.128 subnet mask 255.255.255.258 dynamically changes to P
This is for allocating to the requested PPP line in sub-network units in response to the requests from the PP lines 1 and 2. Further, when the terminal of the closed network A uses the WWW Server, it is set to deploy the service for the closed network A at the port number 8080 in the server side network.

Now, when the host 1 uses the WWW Server, the PPP line 1 established from the access server 1 (hereinafter referred to as AS1) is used. If A
When the PPP line 1 is not established between the S1 and the AS with the Root-side NAT function on the server side (hereinafter referred to as the RLAT device), the PPP connection is first established. At this time, not only the authentication of the host but also the PPP line of which closed network is authenticated. In this case, the PPP line 1 of the closed network A is authenticated. Next, it is checked whether or not there is an unused address in the address space allocated in the server side network for the PPP line 1 of the closed network A.
In this case, if there is an unused address, 10.10.1.15 is dynamically assigned to the host 1 from that space. If the space for the PPP line 1 is already used, the AS 1 requests the necessary address space by using the LCP of PPP, etc., and the RAT device accordingly has the closed network A. Space 10.10.1.128 prepared for dynamic allocation
From the subnet mask 255.255.255.25128, the permitted part of the request is newly allocated to the plurality of PPP lines 1, and the address is dynamically allocated to the host 1 from among them. At this time, the RNAT device manages to which PPP line the space to be allocated is allocated, and thus the packet can be sent to an appropriate PPP line. In addition to allocating a request for each subnet, a fixed constant subnet space may be dynamically allocated, or the subnet space may be gradually increased as a unit.

The host 2 has an address of 10.0.3.20 in the closed network A, and connects to the server using the PPP line 2 established between the ASI and the RAT device.
Similar to the case where the host 1 connects, when this PPP connection is established, it is authenticated that this PPP line is the PPP line 2 belonging to the closed network A. Then, an unused address is searched from the space 10.10.1.64 subnet mask 255.255.255.2519 prepared for the PPP line 2 of the closed network A, and is allocated to the host 2. This time, 10.10.1.100 is dynamically allocated to the host 2. If all the prepared space is used, the address space is dynamically allocated to the PPP line 2 as in the case of the host 1, and the space is dynamically allocated to the host 2 from the space. In this way, an address is assigned to the connecting host in the network on the server side, and an address conversion table required for the RANT function is created.

R from host 1 to WWW Server
In the NAT device, the source address of the packet is 10.
From 0.1.13 to 10.10.1.15, the destination address from 10.1.1.1 to 10.10
Convert to 0.10.1. Further, in order to use the WWW Server, the host 1 issues a usage request to the port number 80 of the server, but also changes the port number to the port number 8080 of the server providing the service for the closed network A in the RANT device. Then, after the conversion, the data is correctly sent to the server by the routing of the server side network, and the service for the closed network A is used.

On the contrary, the packet from the WWW Server to the host 1 has the destination address of 10.10.
Host 1 belonging to closed network A from 1.15 and A
The packet is identified from S1 as being a packet for the PPP line 1, and the address is converted to 10.0.1.13. Next, the source address is converted from 10.100.10.1 to 10.1.1.1 based on the information that the host 1 belongs to the closed network A. And the port number is also 8
It is converted from 080 to the port number 80 specified in the packet sent by the host. After this conversion, the PPP of the closed network A, which is an appropriate PPP line, is used according to the information based on the destination address of the received packet.
Send the packet to line 1.

Similarly, the case of the closed network B will be described.
In closed network B, host 3 is 10.0.1.30, host 4 is 10.0.1.14, WWW Server to be used
It is assumed that 10.10.15.1 is assigned to. Actually, the WWW Server is placed in the server side network, and this WWW Server is assigned 10.100.10.1 in the server side network as described above. In the network on the server side, the address space allocated to the closed network B is 10.1.
0.2.0 subnet mask 255.255.255.
0, and in the closed network B, the terminal itself is also used to directly connect to the RNTP device by PPP, and therefore 1
0.10.2.64. Subnet mask 255.25
The space of 5.25.192 is prepared for them, and the addresses are statically allocated in a one-to-one correspondence with each PPP line. This time, the PPP line 2 and later are PPP lines directly established from the terminal, and the PPP line 2 includes 10.10.
2.65 is assigned, and one address is statically assigned to the other applicable PPP line. Also,
For PPP line 1 established from AS2, 10.10.
2.0 subnet mask 255.255.255.2519
Two spaces are statically allocated, and addresses are dynamically allocated from this space to the host using this PPP line. The remaining space 10.10.2.128 subnet mask 255.255.255.2528 is prepared for dynamic allocation in response to a request from the PPP line 1 using the allocated amount.

The host 3 is the P established by AS2.
Since the connection is made using the PP line 1, when it is authenticated that the PPP line being used is the PPP line 1 of the closed network B, as in the case of the hosts 1 and 2 of the closed network A, The statically allocated space 10.10.2.0 is searched for an unused address in the subnet mask 255.255.255.2519, and if any, an arbitrary one is allocated. This time, 10.2.10.10 is assigned to the host 3 in the server side network. The host 4, which is now moving, arrives at the nearest AS 4 and uses PPP tunneling to establish a PPP line directly to the RNAT device. At the time of this establishment, PPP
It is authenticated that the line is the PPP line 2 of the closed network B,
One address is statically assigned to the PPP line 2. In this example, the assigned address 10.1
0.2.65 becomes the address of the host 4. Also, WW
The W Server address is the same as in the closed network A.
Also, the port number indicating the service to be used is the closed network B
Is assigned a port number 8081.

At the time of communication from the actual host to the WWW Server (port number 80), as in the case of the hosts 1 and 2, the conversion table shown in FIG. Further, the port number is converted from 80 to 8081 designated for the closed network B. Conversely, for a packet from the WWW Server to the host, the address and port number of both the source and destination of the packet are converted in the same manner as described above. At the time of this conversion, it is possible to determine, by the destination address of the packet, which closed network the host belongs to and, if there are a plurality of PPP lines from the closed network, to which PPP line the packet should be sent. The port number connected to the server is also converted based on this information. Then, after the address and port number are converted, the address and port number are transmitted to an appropriate PPP line. For example, in the case of a packet to the host 3, since 10.10.2.10 is given as the destination address, the P of the closed network B is set by this.
If it is sent to the PP line 1, it is identified as a good packet and sent.

The same applies to the case of the host 5 of the closed network 1, the address is allocated to the host 5 according to the address space allocation policy determined by the closed network 1, and a table as shown in FIG. 14 is created. The address conversion is performed on the host 5 by utilizing it. Further, assuming that the port number is 8088 when the server is determined for the closed area network 1, the port number is also converted. A packet from the server side network to the host is also sent to an appropriate PPP line of an appropriate closed network by the same mechanism as described above.

Here, since the address is assigned in the network on the server side as a result of authenticating the closed network to which it belongs, the address is guaranteed in the sense of indicating the closed network, and the limitation is made based on this address. This is equivalent to the restriction on a closed network basis. That is, W with the address 10.100.10.1
WW Server has a 10.10.1.0 subnet mask 255.255.255.255.0, a 10.10.2.0 subnet mask 255.255.255.0, 10.1.
0.11.0 Subnet mask 255.255.25
By permitting the connection only from each address space of 5.0, it is possible to easily limit the use from other addresses, that is, other closed networks. This allows communication between limited closed networks while maintaining closedness. Also, in addition to restricting access to data using addresses, determine the port number to be used on a closed network basis like this time,
By running a program that responds to each port number and setting the data that can be referenced and the data that can be referenced and changed, you can physically realize a customized service for multiple closed networks by one server. .

In this case, the programs operating on the port numbers 8080 and 8081 assigned to the closed networks A and B are distinguished from each other by the data that can be accessed and operated so that the data exists on the same server. In the closed network A, the data registered by itself can be referred to and changed, but the data registered in the closed network B can of course be changed and cannot be viewed. On the contrary, the program operating for the port number 8088 assigned to the closed network 1 is
If the programs operating on the above port numbers 8080 and 8081 can access both the data that can be accessed and manipulated respectively, the host of the closed network 1 can independently operate both closed networks A and B. You can refer to the data to manage. This clears the problem that the orderer company 1 required in the procurement work in this example can freely see the data of both the companies A and B who are the order destinations. This may be restricted by the port number as in this time, or may be restricted by using the address space assigned to each closed network. Further, by prohibiting communication in different address spaces, it is possible to prevent communication between different closed networks via the network on the server side and maintain the closed nature of the closed networks. Furthermore, since the server address of the connection destination server can also be managed on the server side, if a plurality of servers are prepared, the load of the servers can be distributed by converting the addresses according to the load of the servers.

Next, the movement of a DNS (Domain Name System) server, which plays an important role during communication by the IP network, will be described by taking communication between the closed network A and the server side network as an example. In FIG. 13 , first, the case where the host belonging to the closed network of the user connects to the host of the server side network will be described. In order for the host 1 belonging to the closed network A to connect to the WWW server of the server side network,
It inquires the address of the WWW server to be connected to the DNS server 2 on the closed network A. Since the address is assigned to the WWW server in the address space of the closed network A, the DNS server 2 uses the address 10.1.1.1 assigned to the corresponding server in the closed network A as the host 1.
Return to. Then, the host 1 sends out a packet in which the source address is its own address 10.0.1.13, the destination address is the server address 10.1.1.1, and the destination port number 80. Then, in the network of closed network A, 1
By properly setting the routing so that the packet addressed to 0.1.1.1 will reach AS1, this packet will reach AS1, and if necessary, a PPP line will be established and the RAT function of the server side network will be added. Carried to the device. Upon receiving this packet, the RAT function-equipped device uses 10.1.1.1 to 10.100.1 based on the conversion table of the destination address of the packet.
Convert to 0.1. Next, the source address 10.
Search 0.1.13 in the conversion table. As a result of the search, if there is a corresponding address, that address is used to convert it to 10.10.1.15 in this example, and the destination port number 80 is assigned to the closed network A. Port number 8080 and the packet is carried to the corresponding server. If there is no corresponding address, it is assigned in the server side network by the above-mentioned method, and communication is performed in the same manner as in the normal case.

If the address of the server to be connected to the DNS server 2 is not registered, the DNS server 2 is a DNS server on the server side network.
Queries the server 1 for the server address. This inquiry packet is sent to the RAT device of the server side network via AS1 by routing. The received RAT device translates both the source and destination addresses of the packet based on the translation table. If the packet is a DNS address inquiry packet, the data in the packet is not changed and the DNS
Send to server 1. The DNS server 1 returns the address of the designated connection destination server as a response. In this case, the server address 10.100.10.1 is embedded as data. This response packet is sent to the RANT device by the routing of the server side network. The received RAT device receives the PPP line 1 from the destination address 10.10.1.62 (the address statically assigned to the DNS server 1 of the closed network A in the server side network) from the AS1 of the closed network A. Is transmitted to the network, and the source and destination addresses are correctly converted by the conversion related to the closed network A. If this packet is DN
S is a response packet for returning the host address, the server address 10.100.10.1 embedded as data is the server address assigned in the closed network A, 10.1.1. 1.
And is sent to the DNS server 2. The DNS server 2 which received this receives 10.1.
1.1 is returned to the host 1 as the address of the server to be connected, and the host 1 sends out a packet and communicates as in a normal connection.

On the contrary, the case where the WWW server on the server side network connects to the host 1 of the closed network will be described.
First, the server on the server side network inquires the DNS server 1 about the address of the host 1. DNS server 1
Does not know the address of the host 1, it recognizes from the domain name included in the name of the host 1 that the host 1 belongs to the closed network A first. Then, the address inquiry packet is transmitted to the DNS server 2 which is the DNS server of the closed network A using the address (10.10.1.62 in this case) assigned in the server side network as the destination address.
This packet is RNA in the server side network
Routed to the T-device. Upon receiving the packet, the RLAT device identifies from the destination address that the packet is for the PPP line 1 of the closed network A,
Both the source address and the destination address are converted into the address space of the closed network A by the conversion table of its own.
Then, it is sent to the DNS server 2 of the closed network A.

DNS server 2 which received this packet
Sends, as a response, the address 10.0.1.13 of the inquired host 1 in the closed network A to the DNS server 1 of the server side network. This packet is received by the RLAT device on the server side network, and first, the source and destination addresses are respectively converted from the conversion table. Since this packet is the answer to the host address inquiry, the host address portion embedded in the data is converted into the server side network address. At this time, the conversion table of the RAT device is searched, and if there is corresponding data, the conversion table is converted into the corresponding address and sent to the DNS server 1. If there is no corresponding data, an address is dynamically allocated to the host 1 from the address space allocated for the PPP line 1 of the closed network A by the above-mentioned method, and a response is sent from the DNS server 2 to the allocated address. Host 1
Change the address of and send it to the DNS server 1. This time,
The address 10.10.1.15 will be assigned and translated. At this time, address data relating to the corresponding host 1 is added to the conversion table of the RLAT device. In this way, the address of the host, which is the response from the DNS server, is converted, and the converted address is notified to the server requesting the connection to the host of the corresponding closed network. Then, the server attempts to connect to the host belonging to the closed network by using the notified address as the destination address, and the connection from the server side to the host is established by the address conversion function by the RNAT to start the communication.

By doing so, it is possible to cooperate with the DNS server, and it is possible to use the existing DNS server without making any changes, and it is easy to introduce it in the IP network used for many communications. In addition, it is possible to establish a bidirectional connection between the server and the host of the closed network. Further, if the notification of the address is limited by using the DNS server, it is possible to perform detailed control such as limiting the hosts of the closed network to which the server can connect, and the closedness can be maintained according to the policy of the closed network.

From the above, an address space is prepared for each closed network in the network on the server side, and further, a port number that can be used for the server is determined for each closed network, and the received / sent packets correspond. Since each part is converted, it is possible to deliver information from the server side to the terminal and realize a customized service for each closed network or each region. Further, since the addresses are assigned in units of closed networks, it is possible to construct a virtual private server that can provide services to a plurality of closed networks by one server while maintaining the closed nature of the closed networks. In addition, by dynamically assigning an address to a certain period of time / until a certain event ends, it is possible to reuse an address that has been dynamically assigned, and it is possible to ensure scalability and security. . Concrete Example of Second Invention As in the case of the concrete example of the first invention, the company 1 is the companies A and B.
For example, the case of procuring is described below. The network configuration is as shown in FIG. That is, the closed networks A, B and 1 are access servers AS1 and AS1, respectively.
The server side network is connected to the Internet by AS2 and AS3, and the server side network is connected to the Internet by an access server with a VNAT function. The closed network N indicates the closed network of the company N. Further, in the device having the VNAT function, a VLAN tag is assigned to each PPP line unit of each closed network based on FIG. When the host 1 uses a server on the server side network, AS1 and VNA
If there is no PPP connection with the AS with T function (hereinafter, VNAT device), the PPP connection is established. In the authentication at the time of establishing the PPP connection, the PPP line is the PP of the closed network A.
It is authenticated that it is the P line 1. VN indicating closed network A
VLAN1 is assigned as an AT tag, and the PP number has been used so far to indicate the PPP line 1.
A VLAN tag called VNAT1-1 is assigned to the P line 1. As a result, the PPP line 1 of the closed network A
Can be identified. When the PPP line 2 is established, the child number is associated with the PPP line such as VLAN 1-2. The format of the VLAN tag is the existing V
In order to use the LAN technology, existing ones such as those defined by IEEE802.10 and the like may be used, and any PPP circuit of which closed network described here may be identified as the amount of information.

With respect to the packet coming to the server side network through this PPP line by the VNAT function,
As shown in FIG. 9, a VLAN tag is embedded and it is delivered to the server based on this tag. And at the server VLA
A program that performs various processes for each N tag, such as an OS, is separately operated to perform the process. In this server, by associating the information of the connected host with the VLAN tag, when sending a packet to the host, an appropriate VLAN tag can be attached and sent. As a result, the server can be used as if it exists in the closed network without the need for address translation on the server side network. Further, since the OS is operating for each VLAN tag, the operation can be flexibly changed for each closed network, and the data to be referred to / registered can be restricted using the VLAN tag as a key. When the packet is sent from the server side network to the closed network, the VLAN tag attached to the received packet is removed, and the VLAN tag identifies the appropriate closed network as the destination of the packet and the appropriate PPP line, and sends the packet to the correct PPP line.

When the host 2 connects to the server-side network, the PPP line 2 is used, so a VLAN tag is assigned to the packet from the host 2 to the server-side network in the same manner as the above-mentioned method.
Will be used. Using this tag, the operation is similar to that of the host 1. V embedded in each packet
The LAN tag is different, but the server is VLA indicating closed network A
Since the operation is determined based on N1, the same data can be referred to and changed even if the PPP line used is different.
Conversely, packets from the server to hosts 1 and 2 are VLAN
It is identified by the tag that the packet is to the closed network A, and the packet to the host 1 is appropriately distributed to the PPP line 1 and the packet to the host 2 is appropriately distributed to the PPP line 2 based on the child number of the VLAN tag. .

Since the hosts 3 and 4 are connected to the server side network via the same AS 2 and both use the PPP line 1, the same VLAN tag is used and VL.
The packet is incorporated in the VNAT device by using the AN 2-1 and sent to the server. Packets sent from the server to the host are also appropriate PPP in the same manner as the host 1 described above.
It is sent to the host through the line.

Similarly, in the case of the host 5, the closed network to which the PPP connection is established is the closed network 1, and it is authenticated that the closed network 1 is the PPP line 1. Based on this, the VLAN 3 which is a VLAN tag indicating the closed network 1, A VLAN 3-1 that is a VLAN tag indicating the PPP line 1 is assigned.
Then, the host and the server are properly exchanged by the same operation as other hosts. Further, by allowing the OS whose VLAN tag is to perform processing related to VLAN3 to refer to data that the VLAN tag can only reference to VLAN1 and VLAN2, the user of company 1 can make the data registered by companies A and B You can see
The restricted communication between closed networks that is necessary for the procurement work in this example will be realized.

Next, regarding the movement with a DNS (Domain Name System) server, which makes an important movement during communication by an IP network, in the case of the second invention, the server is certainly on the server side network, Since the communication within the closed network is virtually realized by using the function,
The DNS server can be used as usual.
The packet addressed to the server is correctly VNAT on the server side network in the closed network.
It can be used by simply setting it so that it is correctly routed to an AS that has a PPP connection with the device.

In this way, the address of the server is used as the destination address, and the packet is carried to the network on the server side. A single server enables provision of services to a plurality of closed networks by a virtual private server that can operate as if each server were a server.

A specific example for the modification of the second invention is shown below. Authenticates the closed network to which the PPP line is established,
For each closed network, the PPP line is associated with the address of the host that is the source of the received packet. In this case, the VNAT device has a table as shown in FIG. Also, for each closed network A, B ... VLAN tag, V
LAN1, VLAN2, ... Are assigned in advance.

When the host 1 tries to connect to the server side network, the PPP line 1 is connected between the AS 1 and the VNAT device.
Is established, and it is authenticated that it is the closed network A. Then, the VLAN 1 of the VLAN tag is assigned to the PPP line 1 according to the authentication result. When the packet from the host 1 arrives at the VNAT device, the VNAT device receives the address 1 of the host 1 embedded in the packet.
0.0.1.13 is associated with the PPP line 1 through which the packet is carried. Then, the VLAN tag assigned by the authentication result is embedded and sent to the server.
On the contrary, when a packet arrives from the server, the VLAN 1 of the embedded VLAN tag causes
Select the one related to LAN1, and select the address 10.0.
A search is performed using 1.13 as a key, and it is recognized from the correspondence table that this packet should be sent to the PPP line 1 established with the closed network A, the VLAN tag is removed, and the PP
Send to P line 1. In this way, even when a plurality of PPP lines are established from the same closed network, the packet can be correctly sent to the PPP line that received the packet.

Since the host 2 belongs to the closed network A, the VLAN 1 is assigned in the same manner as the host 1. However, since the PPP line used is different from that of the host 1, the address 10.0.3.20 of the host 2 is associated with the PPP line 2. As a result, the VLAN 1 is embedded in the packet as in the case of the host 1, but the packet from the server is properly sent using the PPP line 2 according to this correspondence table. In the case of the hosts 3, 4, 5 as well, a VLAN tag is assigned by the same method, a host address and a PPP line are assigned, and the VLAN tags are independently managed. As a result, the packet can be sent to the appropriate PPP line of the appropriate closed network.

Next, referring to FIG. 18, the R-NAT in FIG.
The schematic functional configuration of the device, that is, the access server with the root side NAT function will be described. A plurality of PPP line processing units 11 are provided, and an authentication unit 12 is attached to the PPP line processing unit 11. At the time of establishing the PPP line, the authentication section 12 confirms the authentication of which PPP line of which closed network,
Referring to the address allocation table 13 shown in FIG. 2B, a free address of the allocation of the server side network is allocated to the host of the packet arriving using the PPP circuit, and the PPP circuit and the closed network of each closed network are allocated. A correspondence table (conversion table) 14 between the side address and the assigned server side network address is created. When a packet arrives at the PPP line processing unit 11 from the terminal, the PPP
If the line is established, the address conversion unit 15 performs address conversion on the address of the packet with reference to the correspondence table 14 corresponding to the closed network and the PPP line, and the packet is sent to the server side network. The packet from the server side network is converted into the address given on the closed network side by referring to the correspondence table 14 according to the address and at the same time, the closed network side and the PPP line of which closed network are known and the corresponding PPP
The line processing unit 11 sends out to the PPP line.

The processing for packets from the closed network in this R-NAT device is as shown in FIG. Prior to the arrival of the first packet, the PPP line processing unit 11 checks whether there is a PPP line connection request (S1), and if the connection request is made, it authenticates which PPP line of which closed network is the request. (S2), a PPP line is established (S2)
3).

In this state, a packet from the host using the PPP line is awaited (S4), and when the packet arrives, the correspondence table 14 is searched by the closed network and the source address (S5), and if there is no corresponding one. , The address of the server side network is allocated to the address of the packet by referring to the address allocation table 13, and the relationship between them is written in the correspondence table 14 (S6). The correspondence table 14 is searched for the incoming packet with the address, the address is converted by the address conversion unit 15, and the packet is sent to the server side network (S7). Since the PPP line is established for the packet that arrives after that, the packet is waiting in step S4, and when the address is found by searching the correspondence table 14 (S5), the address based on the correspondence table (conversion table) 14 is used. The data is converted and sent to the server side network (S7). If not found, the address allocation correspondence table 14 is created as described above.

Next, a schematic functional configuration of the VNAT device (access server with VNAT function) in FIG. 8 will be described with reference to FIG. As in the case of FIG. 18, a plurality of PPP line establishing units 11 and an authentication unit 12 attached thereto are provided,
When a P line is established, which PPP line of which closed network is recognized, a VLAN tag corresponding to the PPP line of the closed network is assigned to the PPP line by the VLAN tag table 21 as shown in FIG. The packet conversion unit 22 receives the packet arriving through the PPP line.
Then, the VLAN tag assigned to the PPP line is added and transmitted to the server side network.

Packets arriving from the server side network are converted into V packets by the VLAN tag in the packet conversion unit 22.
The LAN tag table 21 is searched, and the VLAN tag is removed and transmitted to the corresponding PPP line. The processing for the packet from the closed network in this VNAT device is shown in FIG.
As shown in. Prior to the arrival of the first packet, there is a PPP line connection request (S1), and it is authenticated which PPP line of which closed network is the request (S1).
2) Establish a PPP line (S3).

Thereafter, when a packet arrives at the established PPP line (S4), the VLAN tag table 21 is searched for at the PPP line of the closed network and the corresponding VLA is searched.
The N tag is taken out (S5), embedded in the packet by the packet conversion unit 22 and sent to the server side network (S5).
6). In the case described with reference to FIG. 12 and FIG. 17, a number for distinguishing a PPP line is not used as a VLAN tag. In the case of the VNAT device, the VLAN tag table 21 in FIG. 20 shows the correspondence between the closed network and the VLAN tag. If the PPP line is established as shown by the broken line in FIG. 20 and the embedded VLAN tag is determined, then FIG. 12 or FIG.
7, a correspondence table 23 showing the relationship between the VLAN tag, the PPP line, and the (source) address of the closed network of the packet is created. The packet from the server side network refers to the correspondence table 23 by its VLAN tag and its (destination) address, and in the packet conversion unit 22, to which PPP line of which closed network, to which PPP line.
Decide whether to send the packet with the VLAN tag removed.

In the process shown in FIG. 21, instead of step S6, a VLAN tag is embedded and transmitted as shown by a broken line, and a correspondence table of the VLAN tag, the incoming PPP line and the (source) address is created. become,
Others are the same. Although the present invention is applied to communication between a plurality of closed networks in the above, the present invention can also be applied to communication between a network of multiple users and a network of servers.

[0063]

According to the present invention, each closed network is connected to the server side network by the PPP connection, and when the PPP connection is established, the closed network to which the closed network belongs and the PPP line itself are authenticated, whereby the addresses assigned to each closed network unit. Various controls can be easily performed on the server side depending on the space. This allows
It is possible to physically provide a common service customized for each closed network to a user terminal of a plurality of closed networks by one server without losing the closed property. Each closed network has its own server in its own closed network. Available to exist. In addition, a housing service that provides the construction and operation of a shared server for multiple closed networks, which is required when implementing projects that require data exchange between multiple companies, which is expected to increase in the future, and when performing procurement operations. Can be deployed. By using this service, users can easily operate the shared server that is temporarily needed for each project without changing the closed network of their company and without closing the closed network. Since the information processing of the project can be smoothly performed, the service realized by the present invention can be expected to be developed as a new additional service of the VPN (Virtual Private Network) service currently performed by the ISP (Internet Service Provider). Further, by utilizing the fact that the server side can establish a connection to the host of the closed network while maintaining the closed state realized by this method, various types provided by a plurality of closed networks in the server side network are utilized. It will be possible to build a server that can be used for all of the above services in an integrated manner and to deploy portal site services for individuals. Thus, the present invention can be expected to be used as a means for constructing a new information distribution platform for closed networks.

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration example of a system to which the first invention is applied.

2A is a diagram showing an example of an address conversion table in R-NAT in FIG. 1, and FIG. 2B is a diagram showing an example of allocation of an address space of a server side network to each closed network.

FIG. 3 is a diagram showing how packets are converted for a host 1.

FIG. 4 is a diagram showing an image of network address conversion.

FIG. 5 is a diagram showing a usage policy of a network address space assigned to a closed network.

FIG. 6 is a diagram showing a state of address translation in a packet.

FIG. 7 is a diagram showing the relationship between the features of the first invention and the prior art.

FIG. 8 is a diagram showing a configuration example of a system to which the second invention is applied.

FIG. 9 is a diagram showing an example of VLAN tag allocation.

FIG. 10 is a diagram showing an operation of a VNAT function packet.

FIG. 11 is a diagram showing an operation in the server using a VNAT tag.

FIG. 12 is a diagram showing an example of association of VLAN tags in the second invention.

FIG. 13 is a diagram showing a system in a specific example of the first invention.

14 is a diagram showing an example of address allocation in the R-NAT device in FIG.

FIG. 15 is a diagram showing a system in a specific example of the second invention.

16 is a diagram showing an example of VLAN tag allocation in the VNAT device in FIG.

FIG. 17 is a diagram showing correspondence between a VLAN tag, an address, and a PPP line in the modification of the second invention.

FIG. 18 is a diagram showing a schematic functional configuration of an R-NAT device.

FIG. 19 is a flowchart showing a part of processing in the R-NAT device.

FIG. 20 is a diagram showing a schematic functional configuration of a V-NAT device.

FIG. 21 is a flowchart showing a part of processing in the V-NAT device.

FIG. 22 is a diagram showing a conventional PPP tunneling connection system.

FIG. 23 is a diagram showing a conventional NAT connection system.

Continued Front Page (56) References JP-A-6-209323 (JP, A) Koichi Okada, Ryuji Nakayama, Tadashi Ijuin, Avoiding Address Duplication in Server Hosting Using VPN, IEICE Technical Report , IN98-162, The Institute of Electronics, Information and Communication Engineers, February 15, 1999 (58) Fields investigated (Int.Cl. ⁷ , DB name) H04L 12/56 H04L 12/66 H04L 12/46

Claims (9)

(57) [Claims] 1. A PPP (Point-to-Point Pro) for connecting each of a plurality of user-side networks and a server-side network.
In the method of connecting and communicating using (tocol), a plurality of address spaces are previously allocated to each user side network in the server side network, and P
When a PPP connection is established, the user side network to which the PPP line belongs and the PPP line are identified, one address is allocated from the address space allocated to the identified user side network and PPP line, and the PPP line of the user side network is allocated. The address of the packet from the server is converted into an allocated address and the packet is sent to the server side network, and the converted address and the address before the conversion, the identified user side network and PP.
The correspondence table with the P line is stored, and the address of the packet from the server side network is referred to the above correspondence table and inverse conversion of the above address conversion is performed and the packet is sent to the PPP line of the corresponding user side network. Communication method between networks. 2. The inter-network communication method according to claim 1, wherein the destination address of the packet from the user-side network is translated into a corresponding address in the server-side network when the address is translated. 3. The port number for a server of a packet from the user side network is converted into a port number specific to the user side network when the address is converted. Inter-network communication method. 4. The inter-network communication method according to claim 1, wherein the selection of the address is performed dynamically or statically according to a usage policy of the user side network. 5. The PPP connection after the PPP connection is established.
The inter-network communication method according to any one of claims 1 to 4, wherein the packet from the line is subjected to address conversion by referring to the correspondence table with the address and transmitted to the server side network. 6. A plurality of user side networks and PPP (Po
An access server device provided between the server side network connected by the int-to-point protocol), and an address space allocation table storing an address space allocated for each PPP line of each user side network, A means for identifying which PPP line of which user side network the connecting terminal belongs to;
Address conversion for converting the address of the packet from the PPP line to one address assigned in the address space allocation table for the identified PPP line of the user side network and sending the packet to the server side network Means, a translated address storage means for storing the relationship between the address translated address and the address before translation, and an address of a packet from the server side network is translated by referring to the translated address storage means, and the table And an address reverse conversion means for sending the packet to the PPP line of the corresponding user-side network with reference to. 7. packets from PPP link on the user side network, according to claim 6, characterized in that it comprises means for sending by referring to the translated address storage means to the address conversion to the server-side network by the address Access server device. 8. The access server device according to claim 6 or 7, wherein said address translation means comprises means for translating a destination address of a packet into a corresponding address of a server side network. 9. The address conversion means, the port number for the server in the packet, according to any one of claims 6 to 8, characterized in that also comprises means for converting the unique port number to the user-side network Access server device.