JP3490358B2 - Inter-network communication method, server device, and inter-network communication system - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention provides a shared server hosting service (a service for lending to each user side network) for a plurality of different networks, especially an extranet that operates between closed networks, and a public service such as a ticket reservation service. Such as providing services customized according to the needs of each user side network (closed network) by incorporating the information that the servers on these user side networks (closed network) have into The present invention relates to an inter-network communication method, a server device and an inter-network communication system for distributing information including electronic commerce.

[0002]

2. Description of the Related Art Today, the use of networks including the Internet has become widespread, and many companies are constructing a closed network in order to keep communication costs within the company low and to perform it safely. In this construction, not only leased lines but also ATM (asynchronous transfer mode), FR (frame
A relay is used or an IP (internet protocol) tunnel is used. An IP tunnel is a method of transferring an IP packet using IP (the IP packet sent by the host at the entrance of the tunnel is
A P header is attached, and the packet is transferred to the exit of the tunnel via the Internet according to the header. In the host at the exit of the tunnel, the IP header of the packet is removed, and the packet is transferred again according to the internal IP header. ). Communication between closed networks will increase in the future, and shared servers used by multiple closed networks will be provided without losing the closed nature of the closed network, and public services such as ticket reservation services will be provided on the servers on each closed network. Customized usage will be increased by combining with the information of. As a method of realizing this, there is a method of preparing a server that provides a service on each closed network, but this is costly and the burden on the side of preparing the server is large. Therefore, consider the construction of a virtual private server, which is physically one server, but appears to exist as separate servers from each closed network and can provide customized services.

Currently, in the construction of a closed network of a company or the like, a method of using a local address is often used because of a shortage of IP addresses due to the rapid spread of the network. When considering the service provision to a closed network constructed in this way with one physical server, (1) address space collision between connected closed networks (2) server side network It is necessary to solve the problem of preventing unauthorized connection to (3) prevention of wiretapping of communication contents (4) establishment of connection from a server to a host in a closed network.

To build this server, L2TP (l
It can be said that two types of technologies are useful: an IP tunnel technology typified by an ayer two tunneling protocol) and an address translation technology typified by NAT (network address translation). For example, the closed networks A and B are the Internet /
It is possible to connect to the server side network via the public network,
Addresses in the local address spaces A and B are given to the hosts belonging to each closed network A and B, and each host uses the IP tunnel through the inter-network access server of the closed network to which the server belongs. It is possible to connect to the inter-network access server of the side network and connect to the server. With this configuration, the host can appear as if it is connected to the server belonging to the closed network. As a result, it becomes possible to maintain the closed property of the closed network and to use the local address assigned in the closed network as it is.

However, since a local address is freely assigned to a host in a closed network, terminals belonging to a plurality of different closed networks may have the same address. In this case, collision cannot be avoided. Therefore, when viewed from the server side network of the connection destination, there may be a plurality of hosts having the same address, and it is not possible to correctly recognize which host is communicating at this time.

Further, in order for a host connected to a closed network and given a local address to communicate with a server provided with a global address on the Internet, the host itself must also have a global address. However, as mentioned above, since the global address is insufficient, a local address is often statically assigned to the host. At this time, according to the NAT technology, communication in the closed network is performed by using a local address, and for communication with a server (for example, a WWW server) on the Internet, a device that can use the NAT provided at the network boundary is pooled in advance. The assigned global address is dynamically assigned to enable communication. However, this NAT dynamically associates the local address with the global address and identifies the connection between the hosts. (1) Since the connection between the host and the server is dynamically recognized, once the connection is Push-type services such as information distribution from a server that has a global address to a terminal that statically allocates a local address after disconnection are not possible. (2) Since the server cannot identify each closed network However, there is a problem that it is difficult to provide a customized service or information for each belonging terminal.

As a modification of NAT, R-NAT (Roo
There is a method called t-side NAT) (Japanese Patent Application No. 11-183067)
issue). In this method, PPP (point-to-point protoco
l) is used and authentication for access from the closed network is performed using the PPP protocol. (1) For each host or user of the user side network, the user name and password for the server side server Considering the necessity of registration and the need for regular password exchange, it is difficult to prevent unauthorized connection on the server side. (2) Authentication for access is performed, but communication content is encrypted. There is a problem that it is difficult to cope with eavesdropping on communication contents using encryption and the like.

[0008]

The closed network of the user corresponding to the client and the network on the server side are IPse
Since they are connected by an IP tunnel in the tunneling mode of c (IP security protocol), a collision of address spaces will occur in the connection between closed networks constructed by local addresses. In particular, when this technology is introduced on the server side, the server that receives a packet arriving from a closed network host corresponding to a client determines from which closed network host the packet came due to duplication of the address part indicating the closed network host. Cannot be identified, and the packet cannot be correctly sent to the corresponding host.

When the existing technology is used as described above, it is impossible to solve all the problems that occur in the server construction described in this specification.

[0010]

A plurality of user-side networks used by a user (hereinafter, the user-side network will be described as a closed network) are connected to a server-side network by an IP tunnel in an IPsec tunneling mode. To do. At the time of connection, the I
One address is assigned from the address space assigned to the P tunnel. At the same time, the above allocation is stored. Then, the source address or the destination address is converted with respect to the packet entering / leaving from the server side through the IP tunnel line.
Since addresses are independently assigned in units of closed networks in this way, it is possible to avoid problems due to collisions of addresses in the connected closed networks and to connect to specific terminals.

[0011]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments will be described. First, assume a system configuration as shown in FIG. That is, the closed networks A and B are connected to the Internet / public network via the respective access servers AS, and the Internet / public network and the server side network are connected to each other via the access server X according to the present invention. -Host A is connected to closed network A and has an address
L1 (10.0.0.5) is assigned. -Host B is connected to closed network A and has an address
L2 (10.0.0.6) is assigned. -Host C is connected to closed network B and has an address
L1 (10.0.0.5) is assigned. The address Gx (129.60.1.1) is assigned to the access server X as a global address. The address Ga (129.60.2.1) is assigned to the access server A as a global address. The address Gb (129.60.3.1) is assigned to the access server B as a global address. The server S is a server connected to the Internet / public network, and is assigned the address Gs (129.60.4.1). An IP tunnel is set between the access server A and the access server X and between the access server B and the access server X. In this embodiment, the access server X is
A table as shown in FIG. 4 (1) is generated. -In the access server X, G1 to G4 are secured as the addresses assigned to the IP tunnel line 1, and G5 to G9 are secured as the addresses assigned to the IP tunnel line 2.

In the following, each of "when communicating with another server via the access server" and "when communicating with a process on the access server" will be described. (In the following, [A-> B] represents an IP header whose source address is A and destination address is B, and [X
[XXXXXXX] and [YYYYYYYY] represent the payload. ) (1) When communicating with another server via the access server a. Host C connected to closed network B as shown in FIG.
Consider communicating with a server S on the Internet / public network. First, the host C uses a DNS (domain name syst)
The global address Gs of the server S is acquired by em). Then, the following packets are sent to the access server B.
To send to.

[L1-> Gs] [XXXXXXXX] b. The access server B performs the tunneling process, that is,
Addresses in the address allocation table (FIG. 4 (2)) that stores the address space that can be allocated to each IP tunnel of each user network for the pair (Gb, Gx) of the host L1 and IP tunnel on the user side Is assigned (G5), and the following packets are transmitted to the access server X using the IP tunnel line 2.

[Gb-> Gx] [L1-> Gs] [XXXXXXXX] c. The access server X receives the packet from the tunnel line 2 and receives the IP header for the IP tunnel and the IP in the closed network.
Since the destination of the header is different, it recognizes that the communication is with another server via the access server. Then, referring to the table as shown in FIG. 4 (1), the packet is rewritten as follows and sent again to the network (address conversion). (If the setting for the host is not in the table, add an entry to the table.)

[G5-> Gs] [XXXXXXXX] In this way, the server S receives the packet. Next, a method for the server S to reply to the packet will be described. d. The following packet is returned to the access server X. [Gs-> G5] [YYYYYYYY] e. The access server X recognizes that the packet is from the destination address of the packet to the host C of the IP tunnel line 2. Then, the packet is changed as follows.

[Gs-> L1] [YYYYYYYY] Further, IP tunnel processing is performed and the following packet is transmitted to the access server B. [Gx-> Gb] [Gs-> L1] [YYYYYYYY] f. The access server B performs the process of stripping the tunnel and transmits the following packet to the host C.

[Gs-> L1] [YYYYYYYY] The host and server S connected to the closed network as described above.
The portal site service (for example, a news site service of a newspaper company) can be developed by communicating with the server S and using the server S as a WWW server, for example. (2) When Communicating with a Process on the Access Server Consider a case where the host A connected to the closed network A communicates with a process on the access server X as shown in FIG. a. The host A acquires the global address Gx of the access server X by DNS. Then, the following packet is transmitted to the access server A.

[L1−> Gx] [XXXXXXXX] b. The access server A uses the tunneling process, that is,
User-side network host L1 and IP tunnel pair
One address in the address allocation table (Fig. 4 (2)) that stores the address space that can be allocated to each IP tunnel of each user side network for (Ga, Gx) ( G1 ), Packets like
It is transmitted to the access server X using the tunnel line 1.

[Ga-> Gx] [L1-> Gx] [XXXXXXXX] c. The access server X receives the packet from the tunnel line 1, and recognizes that the communication is to the access server X because the destination with the IP tunnel header is the same. Then, with reference to the above table, the packet is rewritten as follows and sent to the process on the access server X (address reverse conversion). (If the setting for the host is not in the table, an entry is added to the table.) [G1-> Gx] [XXXXXXXX] In this way, the process on the access server X receives the packet.

Next, a method for the access server X to reply to the packet will be described. d. The following packet is generated from the process on the access server X. [Gx-> G1] [YYYYYYYY] The access server X recognizes that the packet is from the destination address of the packet to the host A of the IP tunnel line 1. Then, the packet is changed as follows.

[Gx-> L1] [YYYYYYYY] Further, IP tunnel processing is performed and the following packets are transmitted to the access server A. [Gx-> Ga] [Gx-> L1] [YYYYYYYY] e. The access server Ga performs the process of stripping the tunnel and transmits the following packet to the host A.

[Gx-> L1] [YYYYYYYY] By executing a process on the server side network from the host connected to the closed network as described above, for example, by providing the process with a WWW server function, the portal Can run site services.

[0023]

According to the present invention, each closed network is connected to the server side network by the IP tunnel connection. As a result, it is possible to physically provide a common service customized for each closed area to a user terminal of a plurality of closed areas by a single server without losing the closed area. Available as if the server exists.
In addition, a housing that provides the construction and operation of a shared server for multiple closed networks, which is required when implementing projects that require data exchange between multiple companies, which is expected to increase in the future, or when implementing procurement operations. Service can be deployed. By using this service, users can easily operate the shared server temporarily needed for each project without changing the closed network of their company and without losing the closed property, and cooperate with multiple companies. Since the information processing of the project can be smoothly performed, the service realized by the present invention can be expected to be developed as a new additional service of the VPN (virtual private netwoek) service currently performed by the ISP (Internet service provider). Also,
Utilizing the fact that it is possible to establish a connection from the server side to the host of the closed network while maintaining the closedness realized by this method, various types of services provided by multiple closed networks on the server side are utilized. It is also possible to build a server that can be used in an integrated manner to comprehensively use the above services, and to develop a portal site service for individuals (for example, news site service of a newspaper company). Thus, the present invention can be expected to be used as a means for constructing a new information distribution platform for closed networks.

[Brief description of drawings]

FIG. 1 is a configuration diagram of a communication system used in the present invention.

FIG. 2 is a diagram showing communication with another server via the access server of the present invention.

FIG. 3 illustrates communication to a process on an access server.

FIG. 4A is a diagram showing an example of an address conversion table used in the embodiment. (2) FIG. 6 is a diagram showing an example of an address conversion table of an address space assigned to each closed network.

─────────────────────────────────────────────────── ─── Continuation of the front page (58) Fields surveyed (Int.Cl. ⁷ , DB name) H04L 12/66 H04L 12/56

Claims (3)

(57) [Claims] 1. A networks servers provided in a plurality of user-side network and IPsec server networks that can be connected securely without the need for pre such as passwords set by IP tunnel by tunneling mode
In the inter-talk communication method , an address allocation table that stores the address space that can be allocated to each IP tunnel of each user-side network, and the address allocation table in the above-mentioned address allocation table for the host-IP tunnel pair of the user-side network Address 1
Address translation of the packet from the IP tunnel to which one is assigned, and the address of the inner packet after IP tunnel processing, and the packet is sent to the server side network or a process on the server; and the address translated address. A translated address storage means for storing the relationship with the address before translation, and the address of the packet from the server side network or the process on the server is translated by referring to the translated address storage means, and by referring to the table, An inter-network communication method characterized by using address reverse translation for sending the packet to an IP tunnel of a user side network. 2. A server device provided in a server-side network that enables secure connection without setting a password or the like in advance by means of a plurality of user-side networks and an IP tunnel in an IPsec tunneling mode. An address allocation table that stores the address space that can be allocated to each IP tunnel, and one of the addresses in the above address allocation table for the host-IP tunnel pair on the user side network
Address translation means for translating the address of the inner packet after the IP tunnel processing of the packet from the above-mentioned IP tunnel to which one is assigned, and sending the packet to the server side network or the process on the server; Translated address storage means for storing the relationship between the address and the address before translation and the address of the packet from the server side network or the process on the server are translated by referring to the translated address storage means, and the table is referenced. And an address reverse conversion means for sending the packet to the IP tunnel of the user side network. 3. An access server device on the user side and an access server device on the server side network, comprising a plurality of user side networks to which hosts are connected, an access server device on the user side, and an access server device on the server side network. In an inter-network communication system connected by an IP tunnel, the server-side network includes a server device or an access server device in the server-side network includes a process on a server, and the access server device in the server-side network includes each user side. An address allocation table that stores the address space that can be allocated to each IP tunnel of the network, and one of the addresses in the address allocation table for the host-IP tunnel pair of the user side network
Address translation means for translating the address of the inner packet after the IP tunnel processing of the packet from the above-mentioned IP tunnel to which one is assigned, and sending the packet to the server side network or the process on the server; A translated address storage means for storing the relationship between the address and the address before translation, and an address of a packet from a server device or a process on the server of the server side network are translated by referring to the translated address storage means, and the table , And an address reverse conversion means for sending the packet to the IP tunnel of the user side network, and securely connecting to the plurality of user side networks and the IP tunnel in the IPsec tunneling mode without setting a password in advance. Characterized by enabling Inter-network communication system that.