JP3656134B2 - VPN selective connection gateway and communication method therefor - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a VPN selective connection gateway that enables a plurality of user terminals in the same LAN to connect to a plurality of NSPs (Network Service Providers) at the same time in an always-connected access system such as ADSL and a communication method therefor.
[0002]
[Prior art]
2. Description of the Related Art Conventionally, an ADSL (Asymmetric Digital Subscriber Line) technique that uses an existing telephone line to provide services such as video transmission that coexists with a telephone is known. For example, in a US telephone company, there is a video-on-demand that allows users to call and view movies and the like together with a telephone service using the ADSL technology and the digital video compression technology MPEG1.
On the other hand, a VPN service (Virtual Private Network Service) (virtual private network) has attracted attention as a service that can use a public network like a private network. That is, the subscriber telephone network can be used as if it is an internal extension telephone, for example, an arbitrary telephone number of 2 to 7 digits can be set, and the telephone can be freely called by that number. This is not only a voice network but also a provider (for example, NSP (Network Service Provider)) that provides a VPN service on the Internet.
[0003]
FIG. 6 is a system configuration diagram of a conventional always-on network.
As shown in FIG. 6, the system configuration of the network in the always-on access system such as ADSL is connected to the access network 9 from the user terminals 1-1 and 1-2 via the ADSL modem (ATU-R) 2, Further, it is connected to the core network 10 via the DSLAM (Digital Subscriber Line Access Multiplexer) 3 and the ATM switch 4, and connected to the NSPs 5-1, 5-5 via the ATM switch 4. 2 is connected. The ATU-R (ADSL Transceiver Unit-Remote (ADSL modem inside the user's house)) 2 includes a NAT function, a DHCP server function, and an HTTP server function as shown in FIG. For example, in order to connect from the user terminal 1-1 to the network 5 of the NSP or the corporate LAN, the ATM switch 4 in the core network is fixedly set to the network registered by the user at the time of contract, and connected to the contract network Is done. A packet transmitted from the user terminal 1-1 passes through the ADSL network 9 from the ATU-R 2, is once terminated at the DSLAM 3, and then transferred to the network by the ATM switch 4.
[0004]
A symbol shown below each node of the network is a protocol stack provided in a node at a corresponding position, and indicates protocol conversion for each layer.
Incidentally, DHCP (DynamicHostConfigurationProtocol) server, when the communication using TCP / IP, IP address and default computer, it is necessary to set the address of the gateway, as a protocol for automating this, the DHCP server Register the IP address and default gateway address. An HTTP (Hyper Text Transfer Protocol) server is a server having a protocol used for transmitting and receiving information such as files to and from a WWW browser.
In such a configuration, since the network registered at the time of contract is fixedly set, it is not possible to select a plurality of networks desired by the user on demand. You cannot connect to different networks.
[0005]
[Problems to be solved by the invention]
As described above, in the conventional always-on access system such as ADSL, since it is fixedly connected to the network registered at the time of contract, the connection destination is selected or the connection destination is simultaneously selected by a plurality of terminals. There was a problem that it was not possible to connect to the desired company or NSP.
[0006]
Therefore, an object of the present invention is to solve these conventional problems, and in computer communication using an always-connected access system such as ADSL, on-demand selection of a connection destination (hereinafter referred to as a selection connection service), and a user-side LAN It is an object of the present invention to provide a VPN selective connection gateway and a communication method therefor that can realize a service in which a plurality of computers are simultaneously connected to a plurality of NSPs (hereinafter referred to as a simultaneous selective connection service).
[0007]
[Means for Solving the Problems]
In order to achieve the above object, the VPN selective connection gateway of the present invention, as a device installed on the user side, has a DNS function for detecting address resolution and address duplication, a source address (SA) and a destination address (DA). It has a Twice-NAT function for conversion, a virtual router (VR) function having a plurality of logically independent router functions, a DHCP function, an HTTP server function, and a RadiusClient function. While detecting IP address duplication, DA conversion is also performed when there is duplication with the SA of the destination IP packet, and the packet is sent to the requested connection destination NSP using the VR selected based on the SA of the user terminal. Route.
As a result, it is possible to connect arbitrarily and simultaneously to a plurality of connection destinations while allowing duplication of IP addresses of the user PC and the PC in the connection NSP.
[0008]
DETAILED DESCRIPTION OF THE INVENTION
Embodiments of the present invention will be described below in detail with reference to the drawings.
(First embodiment)
FIG. 1 is a system configuration diagram of a network configuration showing a first embodiment of the present invention, and FIG. 2 is an explanatory diagram of packet processing of the VSG (VPN Selection Gateway) in FIG.
In the first embodiment, a case where the VSG 6 and the ADSL modem (ATU-R) 2 are provided separately is shown, and the two are not integrated as in the second embodiment.
As shown in FIG. 1, in the first embodiment, as shown in 81, a Twice-NAT function, a VR function (virtual router function), and an ADSL modem (ATU-R) 2 of the access network 9 It is characterized by installing VSG 6 having a DNS ( Domain Name System Server) server function, a DHCP server function, an HTTP server function, and a Radius Client function. Note that the DNS server is a server that performs address resolution, and the NAT of Twice-NAT basically converts only Private Address (SA) from Private ← → Global, but Twice-NAT is not limited to SA. , DA ( Destination Address) is also converted. In the case of NAT, it is assumed that the address space of the connection destination is Global. When the connection destination is an in-house LAN or the like and a private address is used, there may be a conflict with the private address space on the home LAN side. Therefore, address conversion is performed not only for SA but also for DA so that the addresses do not conflict.
The DNS (Domain Name System) function allows a logical group called a domain to be set hierarchically in a TCP / IP network, and a domain name that is a logical group name is incorporated into a part of a computer name. . The DNS server has a correspondence table of host names and IP addresses.
A Radius Client (Remote Authentication Dial-in User Service Client) informs the access server whether or not authentication is possible by matching the user ID and password sent via the access server with the management table of user information. This server is a management server that grants access authority to the application server for each user and collects billing information.
[0009]
FIG. 1 shows an example in which the personal computer PC1-1 communicates with an NSP # 1 PC (not shown) and the PC1-2 communicates with an NSP # 2 PC (not shown). Therefore, in order to perform a plurality of simultaneous selection services, it is necessary to establish a plurality of PPP sessions, and therefore L2TP is used. PPP (Point to Point Protocol) is a WAN protocol used when data communication is performed by connecting two points.
For the IP packet sent from the user PC 1-1, VR is selected by the SA, and the private address assigned by the DHCP server is converted into an address assigned by the NSP using the NAT function. When the DNS server detects duplication of the connection destination PC and the IP address, DA is also converted. The converted packet is transferred to the NSP through a designated VC (Virtual Channel). In parallel, when other user PCs request connection to other NSPs, multiple PCs can connect to multiple NSPs at the same time in order to check SA and select different VRs. become.
[0010]
FIG. 2 shows a state in which packet processing for simultaneous selection connection is performed in the VSG.
In FIG. 2, 6 denotes VSG, 6-1 to 6-4 denote DHCP server function, Radius Client function, HTTP server function, and DNS server function implemented in VSG6. Reference numerals 6-5 to 6-9 and 6-6-1 are reference tables in the VSG. Specifically, the SA-VR correspondence table 6-5, the VR (virtual router) 6-6-1 , the address conversion table ( Private side) 6-7, address translation table (global side) 6-8, and ARP table 6-9. 6-10 indicates L2TP, 7 indicates not only dial-up but also BAS ( Broadband Access Server) which is an access server for accommodating ADSL and ATM.
When the PC 1-1, 1-2, 1-3 are powered on, the IP address is acquired from the DHCP server 6-1 of the VSG. Here, the IP address given to the PC 1-1, 1-2, 1-3 by the DHCP server is a private address of an arbitrary class defined in RFC1918.
[0011]
FIG. 3 is an operation sequence chart of the VPN selective connection gateway showing the first embodiment of the present invention.
The PC 1-1 requests an IP address from DHCP in advance (101), and acquires an IP address from the DHCP server 6-1 (102).
When the PC 1-1, 1-2, 1-3 connects to the HTTP server 6-2 using a Web browser (103), and the NSP selection screen is displayed from the server 6-2 (104), a GUI (Graphical) The connection destination NSP is selected by User Interface (VR decision) (105), the user name and password are input, and an authentication request is sent to the authentication server of the connection destination NSP selected by Radius Client 6-3 (106). (108). The authentication operation inquires to the RAS (Remote Access Server (device that accommodates dial-up users and transfers packets to the core network)) of the connection destination network. When the user is authenticated, the VR name for the connected NSP associated with the SA of the PC transmission packet is set in the selected VR name field of the SA-VR correspondence table 6-5 (109). For example, SA: a → VR name: VR1 and SA: b → VR name: VR2 are converted. At the same time, an address conversion table 6-7 for associating the IP address (Ga) assigned from the NSP side with the private address (a) assigned to the PC 1-1 is generated (110). The same is generated for PC1-2. The ARP table 6-9 in which the IP address and the MAC address of the PC are associated is generated from the processing of the ARP table performed by the PC 1-1 and 1-2 (111).
[0012]
Next, a processing procedure in which the PC 1-1 sends an IP packet to NSP # 1 will be described.
The PC 1-1 communicating with the PC 5-1-1 of the NSP # 1 sends a DNS query packet (response to the Request packet) to the DSN server 6 of the VSG 6 in order to resolve the IP address from the name of the PC 5-1-1. -4 is transmitted (112). The VSG 6 forwards the DNS query from the PC 1-1 to the DNS server 5-1-2 of the connection destination NSP5-1 specified by the VR6-6-1 (113). The IP address (a ′) of the PC 5-1-1 is returned as a response from the DNS server 5-1-2 of NSP # 1 (114). Note that 'a' and 'a''are the same IP address. However, the IP addresses of PC1-1 and PC5-1 are both “a”, and duplication occurs. Therefore, the DNS server 6-4 converts the IP address (a ′) of the PC 5-1-1 into another arbitrary address (Ge), and an address conversion table (global side) 6-8 of the VR6-6-1. The mapping is added to (115).
[0013]
The DNS response packet thus changed is transmitted to the PC 1-1 (116). Thus, in the PC 1-1, the IP address of the PC 5-1-1 is stored as “Ga”. In the future, IP packets transmitted from the PC 1-1 to the PC 5-1-1 will be transmitted as SA: a and DA: Ge. For the transmitted packet, an appropriate VR is selected from the SA of the packet in the VSG 6, and both SA and DA are converted (117, 118). That is, SA: a → Ga, DA: Ge → a ′. As a result of the conversion, the packet is addressed to address a ′ , passes through PPP # 1 using L2TP tunneling 6-10, and is sent to the core network 10 via DSLAM3 and BAS7 (see FIG. 1).
[0014]
The packet (119) sent from the PC 5-1-1 of NSP # 1 is sent to VSG6 through PPP # 1, and SA / DA conversion is performed in VSG6 (SA: a ′ → Ge, DA: Ga). → a) (120). Then, it is transmitted to the PC 1-1 with reference to the ARP table 6-9 (121).
At the same time, the PC 1-2 can communicate with NSP # 2. It is assumed that PC1-2 has selected NSP # 2. All the tables are set as shown in the sequence chart of FIG. 4, and transmission data from PC1-2 and other PCs have different selection VRs. Therefore, the destination VC (Virtual Channel) is independent of PC1-1. ing. Therefore, there is no problem that the transmission data from the PC 1-1 and the transmission data from the PC 1-2 are confused.
[0015]
(Second embodiment)
FIG. 4 is a block diagram of a network showing a second embodiment of the present invention, and FIG. 5 is a diagram of an always-on ADSL network using a VSG incorporating an ATU-R function in FIG.
In this embodiment, PPPoverATM is used. However, IPoverATM can be similarly used.
In the second embodiment, a case where a VSG 6a having a configuration in which the VSG and the ATU-R function are integrated is used (see 82 in FIG. 4). In this case, unlike the first embodiment, there is no restriction by the interface between the VSG and the ATU-R, so that the packet can be directly transferred to the ATM interface of ADSL. That is, since a plurality of VCs (Virtual Channels) can be established on the ATM, it is not necessary to use the L2TP protocol to establish a plurality of PPP sessions as shown in FIG. 5 is also provided with an ATU-R function 6-11 instead of the L2TP 6-10 in FIG. The other configuration is almost the same.
The IP packet transmission processing sequence is the same as that of the first embodiment shown in FIG. 3, except that a VR (virtual router) describes a destination VC (Virtual Channel) and passes through the IP packet VC. Is different in that it is transferred to BAS7.
[0016]
【The invention's effect】
As described above, according to the present invention, an NSP connected to a user-side LAN is provided by providing a VPN selective connection gateway that implements a DNS server function, an HTTP server function, a Radius Client function, a DHCP server function, and an SA + VR routing function. Thus, a plurality of computers can be connected to a plurality of NSPs simultaneously.
[Brief description of the drawings]
FIG. 1 is a block diagram of an always-on ADSL network showing a first embodiment of the present invention.
FIG. 2 is a detailed configuration diagram of the VSG in FIG. 1;
FIG. 3 is an operation sequence chart by the ADSL network showing the first embodiment of the present invention.
FIG. 4 is a block diagram of an always-on ADSL network showing a second embodiment of the present invention.
5 is a detailed configuration diagram of a VSG incorporating the ATU-R function in FIG.
FIG. 6 is a configuration diagram of a conventional always-on network.
[Explanation of symbols]
1-1, 1-2, 1-3 ... user PC, 5-1-1 ... NSP PC,
2 ... ATU-R (ADSL modem), 3 ... DSLAM,
4 ... ATM switch (exchange), 5-1, 5-2, 5-3 ... NSP,
6 ... VSG, 7 ... BAS,
81, 82 ... VPN selective connection gateway (VSG),
9 ... Access network, 10 ... Core network, 6-1 ... DHCP server function,
6-2 ... HTTP server function, 6-3 ... RadiusClient function,
6-4 ... DNS server function, 6-5 ... SA-VR correspondence table,
6-6-1 VR , 6-7 Address translation table (private side),
6-8 ... Address conversion table (global side), 6-9 ... ARP table,
5-1-2: DNS server on the NSP side.

Claims (2)

Based on the connection request from the user terminal, an inquiry is made to the DSN server of the connection destination network, and duplication of the IP address is detected from the answer to the inquiry. If there is duplication, the IP address of the connection destination terminal is not used. Converting to an IP address, registering the converted IP address in a table, notifying the user terminal as the IP address of the terminal in the connection destination network,
A source address of an uplink packet addressed to the connection destination network from the user terminal is converted into an IP address distributed to the user terminal by the connection destination network, and is replaced with the non-overlapping address,
A communication method using a VPN selective connection gateway, wherein a plurality of logically independent routes are selected by a plurality of routing tables and the packet is transmitted. A VPN connection device having a DHCP function of allocating and notifying an IP address in response to a request from a user terminal, and a VPN function including IP address conversion of a packet;
Based on the connection request from the user terminal to which the IP address is assigned by the DHCP function, the DNS function is used to inquire about the IP address of the connection destination terminal to the DSN server of the connection destination network. In addition to notifying the user terminal, when the duplication of the replied IP address is detected, the IP address is converted into an unused IP address and notified to the user terminal. The converted IP address and the IP before conversion DNS means for associating addresses with each other and registering them in the table;
HTTP server means for providing the user terminal with a GUI for selecting a connection destination network at the user terminal requested from the user terminal;
Authentication means for performing an authentication operation between the connection destination networks selected by the user terminal via the GUI provided by the HTTP server means;
If the transmission source address of the packet from the user terminal authenticated by the authentication means is converted by the NAT function and the transmission destination address of the packet is registered in the table by the DNS means, the transmission destination address is Twice-NAT means for converting to the IP address associated with the table;
The logically independent route to the connection destination network selected by the user terminal via the GUI provided by the HTTP server means is associated with the IP address of the user terminal and registered in the routing table, and the Twice A virtual routing means for selecting and sending out the packet from the user terminal whose header has been converted by the NAT means by selecting the logically independent route associated with the source IP address before conversion and the routing table;
A VPN selective connection gateway, characterized by comprising means for making a plurality of PPP connections.

Images