JP4226606B2 - COMMUNICATION DEVICE, COMMUNICATION METHOD, AND PROGRAM - Google Patents

Description

  The present invention relates to a communication device, a communication method, and a program for realizing these on a computer, which are suitable for appropriately limiting communication partners.

2. Description of the Related Art Conventionally, router devices and gateway devices that perform address conversion and port conversion when relaying between a home LAN (Local Area Network) and the Internet have been proposed. Such a technique is disclosed in the following documents, for example.
JP 2000-99469 A JP 2002-344443 A

  [Patent Document 1] describes a subject involved in access right management for resources connected to an open-type distributed network, a user who uses a specific resource, a verifier who proves and guarantees a specific feature of the user, The specific resource is separated from the authorized person who determines the availability of the specific user, the user holds the public name, key, and multiple profile information that characterizes the user, and the verifier requests the user to issue In response, the individual contents of the profile information are issued to the user, and when the authority grants a resource use request from the user, the user is requested to present the profile information, and the contents of the presented profile information are displayed. A technique for confirming and determining whether or not a resource can be used is disclosed.

  In [Patent Document 2], one encryption device changed the identifier (IP address) for identifying the device itself, and then encrypted using the “identifier before change”, the encryption key, and the authentication key. A security association disconnect notification including “security association release” is transmitted to the other encryption device that is the communication partner, and the other encryption device disconnects the security association using the encryption key and the authentication key. A technique for decrypting the notification, performing mutual authentication, and disconnecting the old security association is disclosed.

In addition, a router device or a gateway device, such as Universal Plug and Play (UPnP), opens a communication port on the Internet side (global network side), and is also called NAT (Network Address Translation; “IP Masquerade”). A technique for enabling communication between a terminal on the home LAN side and an external terminal by performing address conversion such as.
At this time, a technique for maintaining and managing a “white list” that permits only communication from a terminal having a specific IP address and a “black list” that rejects communication from a terminal having a specific IP address has also been proposed. ing.

However, in technologies such as UPnP, when a port is opened to a certain partner, the port is opened to an arbitrary partner, resulting in a security problem.
In particular, it is not possible to create a whitelist or blacklist for terminals that are dynamically assigned IP addresses to communication ports for the global network, such as P2P (Peer To Peer) communication via the Internet. Appropriate communication partners must be properly maintained.

Therefore, there is a strong demand for a technique for easily and appropriately controlling whether or not communication is permitted to a communication partner on the global network side.
SUMMARY OF THE INVENTION The present invention solves the above-described problems, and an object thereof is to provide a communication device, a communication method, and a program that realizes these on a computer, which are suitable for appropriately limiting communication partners. .

  In order to achieve the above object, the following invention is disclosed in accordance with the principle of the present invention.

  A communication apparatus according to a first aspect of the present invention includes a generation unit, a transmission unit, a determination unit, a permission unit, and a reception unit, and is configured as follows. The communication apparatus typically functions as a device such as a router, a gateway, or a firewall. However, the communication apparatus may be configured on a single computer to appropriately limit communication partners in the computer. .

That is, the generation unit generates a key code. As the key code, various types such as a randomly generated integer, integer string, character, or character string can be adopted. Based on this key code, it is determined whether or not the other party is allowed to communicate.
On the other hand, the transmission unit transmits a packet designating the generated key code to a partner to which communication is to be permitted via the computer communication network. When this packet arrives at the other party to which communication is permitted, the other party acquires the key code in the packet, specifies the acquired key code, and sends a packet requesting communication permission to the communication device. Come.

  Therefore, the determination unit determines whether or not the generated key code is specified for the packet coming from the computer communication network. In general, in communication via a computer communication network, so-called bucket relay communication is performed, so that the content of the packet that has arrived at the communication device is received by the communication device itself, or the subsequent processing is performed or discarded. Whether or not to send the message to other communication devices is determined based on the destination included in the packet and the setting of the transmission route. In the present invention, when making this determination, it is also determined whether or not the previously generated key code is included (as a byte string) in the packet.

  When the key code generated for the incoming packet is specified, the permission unit permits communication with the transmission source of the incoming packet. Since the key code generated by this communication device is sent to the other party that wants to allow communication, the transmission source of the packet specifying the key code has a tally, and the transmission The original packet is processed by the communication device itself.

Therefore, the reception unit receives a packet transmitted from a transmission source that is permitted to communicate among packets arriving from the computer communication network.
For example, when this communication apparatus is a router or the like, if the destination of the packet from the permitted partner is within the LAN connected to the router, the packet is sent into the LAN. On the other hand, if the destination of the packet from the unauthorized party is within the LAN connected to the router, the packet is discarded or the communication partner is appropriately restricted by rejecting the connection.

  In the present invention, communication with a transmission source using this tally is permitted by using the generated key code as a tally without opening the communication partner to an arbitrary partner. According to this, communication partners can be appropriately restricted.

  In the communication device of the present invention, a port number for receiving in the communication device is further specified in the packet specifying the generated key code, and the receiving unit is transmitted from a transmission source permitted to communicate Of the packets, the packet can be received via the designated port number.

That is, the limited release of the transmission source is performed on a port basis. As a result, the port number used for communication can be dynamically changed.
According to the present invention, even when the NAPT (Network Address Port Translation) or the like is used in a situation where a plurality of notebooks in the LAN communicate with the outside at the same time when the communication apparatus functions as a router or the like, The port can be opened, and the communication partner can be appropriately restricted.

  In the communication device of the present invention, the transmission unit transmits a packet specifying the key code to a predetermined server device, and the arrival of the packet that has arrived and the generated key code is specified. The transmission source of the packet obtained can acquire the key code from the server device and transmit the packet to the communication device.

  For example, when implementing an online battle game, after matching (introducing) a terminal (player) with a server device and another terminal (player), the terminals communicate directly with each other on a peer-to-peer basis. In many cases, the present invention corresponds to such an embodiment.

In the above example, when a key code is sent from one terminal to a server device that performs matching of the partner, the server device transmits the key code to the terminal of the matching partner. As a result, when the partner terminal transmits a packet specifying a key code to one terminal, communication in the direction of transmission of the packet becomes possible. By doing this, both parties appropriately limit communication partners in bidirectional communication.
According to the present invention, by registering a key code in a fixed server device that introduces a communication partner, only the partner introduced by the server device can be permitted as a communication partner.

  In addition, the communication device of the present invention further includes a cancellation unit, and the cancellation unit, when the elapsed time from the last reception of a packet transmitted from a transmission source permitted to communicate exceeds a predetermined threshold time The communication permission for the transmission source can be revoked.

The present invention relates to a preferred embodiment of the above invention, and provides a time limit for permission of a communication partner. Even if the partner is permitted to communicate once, permission of communication is granted after a certain period of time. It is a thing to cancel. For example, in the example of the communication battle described above, a time sufficient for playing a communication battle in peer-to-peer may be set as the threshold time.
According to the present invention, even if the other party once permitted the communication, the permission is canceled after a certain period of time. Therefore, the IP address of the other party can be changed by dial-up connection or DHCP (Dynamic Host Configuration Protocol). Even if it changes, it is possible to reduce the risk of permitting communication to a party that should not be permitted.

In addition, the communication device of the present invention may further include a cancellation unit, and may be configured to cancel the communication permission for the transmission source when the elapsed time since the generation of the key code exceeds a predetermined threshold time. it can.
The present invention relates to a preferred embodiment of the invention described above, in which an expiration date is provided for the key code, and even if the other party once permitted communication, the permission of communication is canceled after the expiration date. is there. For example, in the example of the communication battle described above, a time sufficient for playing a communication battle in peer-to-peer may be set as the threshold time.

  According to the present invention, even if the other party once permitted the communication, the permission is canceled after the expiration date, so that the IP address of the other party changes due to dial-up connection or DHCP (Dynamic Host Configuration Protocol). Even in this case, it is possible to reduce the risk of permitting communication to a partner that should not be permitted.

Further, in the communication device of the present invention, the permission unit, when the generated key code is specified and the number of packet transmission sources that have arrived exceeds a predetermined threshold number, Can be configured not to permit communication.
The present invention relates to a preferred embodiment of the above invention, and sets a limit on the number of external transmission sources that can use a key code.Although communication with a certain number of transmission sources is permitted on a first-come-first-served basis, The subsequent communication is not permitted.

At this time, when counting the number of transmission sources, the unit for distinguishing the transmission source is, for example, the transmission source IP address, the combination of the transmission source IP address and the port number, the transmission source MAC address, the transmission source terminal An identification number or the like can be employed.
According to the present invention, even if the other party knows the key code necessary for permission of communication, if there is an access from a certain number or more, the key is not permitted. Even if the code is wiretapped, intercepted, or leaked, the risk of permitting communication to a party that should not be permitted can be reduced.

The communication device of the present invention further includes a relay unit, and the relay unit can be configured to relay the received packet to a terminal device connected to the communication device.
The present invention relates to a preferred embodiment of the present invention, and can be applied to a case where the relay unit is configured to have an IP masquerade function such as NAT (Network Address Translation) or NAPT.
According to the present invention, the communication device can function as a router, a gateway, a firewall, or the like.

A communication method according to another aspect of the present invention is executed by a communication device including a generation unit, a transmission unit, a determination unit, a permission unit, and a reception unit, and includes a generation step, a transmission step, a determination step, a permission step, and a reception step. And is configured as follows.
That is, in the generation process, the generation unit generates a key code.
On the other hand, in the transmission step, the transmission unit transmits a packet designating the generated key code to a partner to which communication should be permitted via the computer communication network.

Further, in the determination step, the determination unit determines whether or not the generated key code is specified for the packet coming from the computer communication network.
In the permission step, the permission unit permits communication with the transmission source of the arrived packet when the key code generated in the arrived packet is designated.
On the other hand, in the receiving step, the receiving unit receives a packet transmitted from a transmission source that is permitted to communicate among packets arriving from the computer communication network.

A program according to another aspect of the present invention is configured to cause a computer to function as the communication device and to cause the computer to execute the communication method.
The program of the present invention can be recorded on a computer-readable information storage medium such as a compact disk, flexible disk, hard disk, magneto-optical disk, digital video disk, magnetic tape, and semiconductor memory.
The above program can be distributed and sold via a computer communication network independently of the computer on which the program is executed. The information storage medium can be distributed and sold independently from the computer.

  ADVANTAGE OF THE INVENTION According to this invention, the communication apparatus suitable for restrict | limiting a communicating party appropriately, a communication method, and the program which implement | achieves these with a computer can be provided.

  Embodiments of the present invention will be described below, but the embodiments described below are for explanation and do not limit the scope of the present invention. Therefore, those skilled in the art can employ embodiments in which each or all of these elements are replaced with equivalent ones, and these embodiments are also included in the scope of the present invention.

  FIG. 1 is a schematic diagram showing a schematic configuration of a router device realized by a communication device according to one embodiment of the present invention operating a program. Hereinafter, a description will be given with reference to FIG.

  The router apparatus 101 performs various operations when the CPU 103 executes a program recorded in a flash EEPROM (Electrically Erasable Programmable Read Only Memory) 102. At this time, a RAM (Random Access Memory) 104 is used as a temporary storage area.

  The flash EEPROM 102 stores various setting data in addition to programs executed by the CPU 103. For example, in a normal router, the IP address of a terminal permitted as a communication partner, the IP address of a terminal rejected as a communication partner, and the like are recorded in the flash EEPROM 102 as a white list or a black list.

The router device 101 includes a network interface card (NIC) LAN side NIC 105 and a WAN side NIC 106, and functions as a gateway for communication between the LAN and the WAN. For example, consider the case of functioning as a normal NAPT router.
When it is detected that the packet has arrived at the LAN-side NIC 105, the CPU 103 confirms the destination of the packet and determines whether the packet should be sent to the WAN or to a terminal in the LAN. Identify

  If it is to be transmitted to the WAN, the IP address and port number in the LAN of the source terminal are rewritten with the IP address of the WAN side NIC 106 and the dynamically assigned port number, and the WAN side NIC is rewritten. The data is sent to the outside (typically the Internet) via 106.

On the other hand, if it is to be sent to any terminal in the LAN, the LAN-side NIC 105 sends the packet as it is to the terminal having the IP address in the destination LAN.
The WAN side NIC 106 performs the same processing as described above in the reverse direction.

The NAPT process as described above is particularly necessary when a plurality of game devices are connected to the LAN side and the same game software is operated by different users on the game device.
In general, the same port number is used for the communication port used by the game software, so NAT alone cannot cope with a plurality of game devices connected to the LAN side. In the router device 101 according to the present embodiment, when terminals having different LAN side IP addresses try to communicate with the WAN side using the same port number, the same address is assigned to both as the WAN side IP address, Assuming that the WAN side port number is different, the address and port number are converted, and IP masquerade is appropriately performed.

  In addition, the router device 101 can function as a web server from a terminal on the LAN side. In this case, by inputting various setting values into a form displayed by accessing the IP address of the LAN side NIC 105 from the web browser at the LAN side terminal and transmitting the form to the router apparatus 101, the router apparatus 101. Generally, the setting value stored in the flash EEPROM 102 is changed.

  FIG. 2 is a schematic diagram showing a schematic configuration of an embodiment of a communication device realized on the router device. Hereinafter, a description will be given with reference to FIG. Since this communication device functions as a so-called router, a program for performing the functions described below is executed on the same hardware as the information processing device that constitutes a normal router device. Is realized.

  The communication apparatus 201 according to the present embodiment includes a generation unit 202, a transmission unit 203, a determination unit 204, a permission unit 205, a reception unit 206, a cancellation unit 207, and a relay unit 208. Since the communication apparatus 201 functions as a router as described above, the communication between the LAN-side terminal and the WAN-side Internet is performed by NAPT. The address and port conversion work related to the NAPT is performed in the relay unit 208. In addition to the whitelist / blacklist recorded in the flash EEPROM 102 as described above in a non-volatile manner, temporary operations with an expiration date for each port are also made. A white list is recorded in the RAM 104 to determine whether to accept and relay the packet.

  The communication apparatus 201 according to the present embodiment adds a new function to the function of the general router apparatus 101 as described above. In order to facilitate understanding, hereinafter, the communication apparatus 201 has a function different from that of a normal router. Focus on the explanation. The processing for executing these functions is roughly divided into LAN packet processing when a packet arrives at the LAN side NIC 105 from the LAN side, and WAN when a packet arrives at the WAN side NIC 106 from the WAN side. There are two types of packet processing. These processes are realized by each unit of the router device 101 cooperating as the above-described generation unit 202, transmission unit 203, determination unit 204, permission unit 205, reception unit 206, and relay unit 208 as appropriate. . Hereinafter, it demonstrates in order. In addition, the cancellation part 207 demonstrated in Example 2 is also illustrated by this figure.

FIG. 3 is a flowchart showing a control flow of LAN packet processing. Hereinafter, a description will be given with reference to FIG.
In the LAN packet processing, first, the LAN side NIC 105 of the router apparatus 101 checks whether or not a packet transmitted from within the LAN has arrived (step S301). If it has not reached (step S301; No), it waits (step S302) and returns to step S301. During this standby, other processing can be executed in a coroutine manner. When the NIC has a reception interrupt function, arrival of a packet may be detected by the reception interrupt.

  If the packet has arrived (step S301; Yes), the destination of the packet is checked (step S303). If the destination is another terminal in the LAN (step S303; in the LAN), the packet is relayed to the destination (step S304), and the process returns to step S301.

  On the other hand, when the destination is the router device 101 (step S303; self), the type of the packet is checked (step S306). As a method for examining the type of packet, it is common to determine which port number of the router device 101 is the destination, but various information is embedded in the packet to cause the router device 101 itself to perform processing. It's also good.

Here, as the packet type,
(1) Key code generation request packet from LAN side terminal (2) Consider two types of other packets.

  As another packet (step S306; other), a case where communication for changing the setting of the router device 101 is performed based on HTTP (HyperText Transfer Protocol) is considered. Similarly to the above, the corresponding processing is executed (step S310), and the process returns to step S301.

On the other hand, if it is a key code generation request packet from the LAN side terminal, which is characteristic of the present invention (step S306; key request), the CPU 103 examines the following information specified in the key code generation request packet. .
(A) IP address and port number on the LAN side of the packet source.
(B) The global IP address / port number of the server device to which the key code is to be sent. This is not the direct destination of the packet, but the destination when the router apparatus 101 transmits a key code in response to a request from the LAN side terminal.

Next, the generation unit 202 randomly generates a key code for the LAN side IP address / port number (a) (step S307). Therefore, the CPU 103 functions as the generation unit 202.
Various key codes such as integers, integer strings, characters, or character strings that are randomly generated can be adopted as the key codes generated here, but they fit within the packet size in the lower communication layer. If the length is long, the communication efficiency can be increased.

  Alternatively, a “random” determination method may be used in which any one of predetermined candidates is selected. That is, a predetermined number of key code candidates are prepared in advance as constants, and one of them is determined to be “random”. As a “random” determination method, a normal pseudo-random number may be used, or the current time, the MAC address of the network card being used, the IP address, or the like may be referred to as an appropriate seed.

Further, the transmission unit 203 transmits a key code designating packet for designating the generated key code to the server apparatus (b) which is a partner to which communication should be permitted, via the WAN side NIC 106 and the computer communication network ( Step S308).
At this time, the IP address of the WAN side NIC 106 is used as the IP address of the packet transmission source, and the port number of the packet transmission source is operated by the NAPT for the LAN side IP address / port number (a). It is desirable to specify the assigned WAN IP port number (c).

As described above, when the server device is a matching server for a communication battle game, the following information designated in the key code designation packet is transmitted to the opponent of the LAN side terminal.
(C) The WAN side IP address (which is equal to the IP address of the WAN NIC 106) and the WAN side port number assigned by the NAPT to the LAN terminal that has requested the key code generation.
(D) The generated key code.

  As will be described later, the terminal that has acquired these two pieces of information sends a packet including the key code (d) to the WAN-side IP address / port number (c), thereby requesting the generation of the key code. Communication with is allowed.

  Then, in the key code table secured in the RAM 104, the LAN side IP address / port number (a) of the terminal that has requested the key code generation, the WAN side port number (c) of the terminal, and the generated key code The triplet (c) is additionally recorded (step S309), and the process returns to step S301.

  In addition, the router device 101 may request another key code generation server device to generate a key code and acquire the key code. In this case, the router apparatus 101 and another key code generation server apparatus work together to function as the generation unit 202. In addition, as the key code generation server device, the above matching server or the like can be used.

  On the other hand, if the destination of the arrived packet is the global IP address / port on the WAN side (step S303; external), the WAN side IP address assigned by the NAPT to the source LAN side IP address / port of the packet The port is written in the transmission source field of the packet, NAPT is performed, the rewritten packet is transmitted to the destination via the WAN-side NIC 106 (step S311), and the process returns to step S301. The IP address / port conversion table in the NAPT is also stored in the RAM 104, but the commonly used IP masquerade technique can be applied to these NAPT processes as they are.

  FIG. 4 is a flowchart showing a control flow of WAN packet processing. Hereinafter, a description will be given with reference to FIG.

  In the WAN packet processing, first, the WAN side NIC 106 of the router apparatus 101 checks whether or not a packet transmitted from the WAN side (typically the Internet) has arrived (step S401). If not reached (step S401; No), the process waits (step S402) and returns to step S401. During this standby, other processing can be executed in a coroutine manner. Further, a reception interrupt may be used as in the LAN packet processing.

  When the packet has arrived (step S401; Yes), the determination unit 204 checks the destination of the packet (step S403). When the destination is other than the IP address of the WAN-side NIC 106 of the router device 101 (step S403; external), the packet is relayed to the destination (step S404), and the process returns to step S401.

On the other hand, when the destination is the IP address of the WAN-side NIC 106 of the router device 101 (step S403; inflow), the determination unit 204 indicates that the port number that is the destination of the packet is the WAN-side port in the key code table. It is checked whether or not the packet is registered as a number (step S405). If so (step S405; Yes), the determination unit 204 adds the packet to the key code white list prepared in the RAM 104. It is checked whether or not the transmission source is registered (step S406).
In this way, the CPU 103 functions as the determination unit 204 in cooperation with the WAN-side NIC 106 and the like.

  Here, the key code whitelist prepared in the RAM 104 is a WAN port number and an external device that is permitted to communicate via the WAN port (source of the packet that arrived in step S401). Are stored in association with each other.

If not registered (step S406; No), the determination unit 204 checks whether or not the key code registered in association with the WAN side port number in the key code table is specified in the packet contents. (Step S407).
If specified (step S407; Yes), the permission unit 205 additionally registers the IP address / port number of the transmission source of the packet in association with the WAN port number in the key code white list ( Step S408) returns to Step S401.
Thus, the CPU 103 functions as the permission unit 205 in cooperation with the RAM 104 and the like.

  Note that an upper limit may be set for the number of transmission sources that can be registered in the key code white list for a certain key code, and in step S408, registration may be performed on a first-come-first-served basis, and subsequent registration may be disabled. Even if the key code is eavesdropped, intercepted, leaked, etc., it is possible to avoid as much as possible other parties who do not want to allow communication.

As a technique for distinguishing the transmission source in the key code white list, the IP address / port number of the transmission source is typically used. For example, an identification number or a session number assigned in advance is used. Alternatively, a MAC address, a CPU ID, or the like can be used.
On the other hand, if not designated (step S407; No), the process returns to step S401 as it is, rejects without responding to the communication with the transmission source, and behaves in a so-called Stealth mode.

  It is also possible to configure so that after step S408, the packet is processed to flow into the LAN side by NAPT described later, and then the process returns to step S401.

  The key code is specified in the packet, but a predetermined frame structure may be defined, and the key code may be stored according to the frame structure, or the key code may be simply stored as a byte string. It is only necessary to confirm whether or not it is included as a partial sequence of contents.

  In step S406, when the set of the WAN side port number and the packet transmission source IP address / port number is registered in the key code white list (step S406; Yes), the receiving unit 206 determines that the packet In order to accept the inflow to the LAN side, referring to the IP address / port conversion table or key code table in the normal NAPT, the LAN side IP address / port number of the LAN side terminal associated with the WAN side port number (this is (Step S409), the relay unit 208 rewrites the destination of the packet with the acquired LAN-side IP address and port number, performs NAPT, and rewrites the rewritten LAN-side NIC 105. To the destination terminal (step S410) and step S40. Back to.

In step S405, if the port number that is the destination of the packet is not registered as the WAN side port number in the key code table (step S405; No), normal router packet processing is performed ( Step S411) and return to Step S401.
For normal router packet processing, for example, only when management based on the normal white list and black list is performed, or when the IP address / port conversion table of NAPT is registered, packets are allowed to flow into the LAN side by IP masquerade. Various methods such as discarding the packet and setting the Stealth mode can be employed.

  As described above, the CPU 103 functions as the reception unit 206 and the relay unit 208 in cooperation with the LAN side NIC 105 and the WAN side NIC 106.

  In the above description, for the sake of easy understanding, the description of the return of ACK (ACKnowlegment) upon receipt of a packet is omitted. However, when the mode is not set to the Stealth mode, the basics of TCP / IP communication are used. It is common to return an ACK based on the technology.

  According to the present embodiment, communication with a transmission source using this tally is permitted by using a randomly generated key code as a tally without opening the communication partner to an arbitrary partner. Therefore, according to the present invention, communication partners can be appropriately restricted.

  In the above embodiment, the WAN-side device that has notified the key code is assumed to continue to be registered once registered in the key code white list. However, the key code itself may be provided with an expiration date. .

To set the expiration date,
(A) It becomes invalid when a predetermined threshold time elapses from the time when the key code is generated (after the key code is registered in the key code table).
(B) It becomes invalid when a predetermined threshold time elapses after the IP address permitted for communication is registered in the key code white list.
(C) It becomes invalid when a predetermined threshold time has elapsed since the packet from the IP address permitted to communicate finally arrived.
Such a method can be considered.

In each of the key code table and the key code white list, an expiration date field is added. In (a) and (b), an expiration date is set at the time of registration. In (c), an expiration date is set every time an inflow of a packet is accepted. Extend. Then, when the expiration date has passed in the standby time of step S302 or step S402, processing for deleting the data to be permitted is performed from the key code table or the key code white list.
In this case, the CPU 103 functions as the cancellation unit 207 in cooperation with the RAM 104.

  According to the present embodiment, even if the other party once permitted communication, the permission is canceled after a certain period of time, so the IP address of the other party may change due to dial-up connection or DHCP. However, it is possible to reduce the risk of permitting communication to a party that should not be permitted.

  In addition, when the communication apparatus 201 is realized on the router apparatus 101, the following modes can be considered as the timing when the cancellation unit 207 cancels the permission.

In other words, if there is no packet exchange with the LAN side terminal assigned to the key code for a predetermined time or longer, the data to be permitted is deleted from the key code table or key code white list. As a detection method,
(A) When a packet is transmitted to the LAN side terminal, but timeout occurs without a response acknowledge being returned.
(B) When a broadcast message inquiring about the status in the LAN is sent at regular intervals, and a timeout occurs without a response from the LAN side terminal.
And so on.

  Alternatively, the LAN side terminal may issue an instruction to invalidate the key code to the communication apparatus 201 in terms of software.

  For example, when the LAN side terminal individually determines the permission of communication with the transmission source and transmits to the communication apparatus 201 a packet designating that the communication permission of the other party that is considered unnecessary is cancelled, the cancellation unit 207 functions. Is.

  In addition, in the case of a device whose power can be turned off by software, a packet notifying that the power of the device is turned off is broadcast in the LAN, and when the router device 101 knows this, the LAN The key code of the side terminal is invalidated.

  In the above embodiment, the communication device 201 is realized on the router device 101. However, a single computer or game device that is directly connected to the Internet can be used as the communication device 201 of the present invention. .

  In this case, the computer or the like generates a key code based on the control of the application program, and sends the key code directly or indirectly via a server device to a party who wants to permit communication. In this case, the relay unit 208 is unnecessary, and the packet received by the receiving unit 206 is processed as it is.

  Similarly to the above-described embodiment, by registering the IP address (or port number) of the partner that sent the key code in the key code white list, it is possible to appropriately limit the communication device.

  In the above embodiment, the NAPT has been described as an example. However, when applying the principle of the present invention, the processing related to the port number is not necessarily required. It suffices if the destination can be specified in some form. For example, the same processing can be performed in an aspect in which communication permission is controlled in units of IP addresses or IP addresses / netmasks. It is included in the scope of the present invention.

  As described above, according to the present invention, it is possible to provide a communication device, a communication method, and a program that realizes these on a computer, which are suitable for appropriately limiting communication partners.

It is a schematic diagram which shows the outline | summary structure of the router apparatus implement | achieved when the communication apparatus which concerns on one of embodiment of this invention operates a program. It is a schematic diagram which shows schematic structure of embodiment of the communication apparatus implement | achieved on a router apparatus. It is a flowchart which shows the flow of control of LAN packet processing. It is a flowchart which shows the flow of control of WAN packet processing.

Explanation of symbols

101 router device 102 flash EEPROM
103 CPU
104 RAM
105 LAN side NIC
106 WAN side NIC
DESCRIPTION OF SYMBOLS 201 Communication apparatus 202 Generation part 203 Transmission part 204 Judgment part 205 Authorization part 206 Reception part 207 Cancellation part 208 Relay part

Claims (7)

A communication device that functions as a router that relays communication between a computer communication network and a terminal device,
LAN-side receiving unit that receives packets transmitted from the terminal device,
When the packet received by the LAN side receiving unit is a key code generation request packet for designating a destination to which a key code is to be sent, a generating unit that generates a key code;
A key code the generated, transmitting unit and the WAN side port number of the terminal device, the key code designated packet specifying a is transmitted to the destination specified in the key code generation request packets in the computer network,
A determination unit that determines whether or not the generated key code is specified in a packet addressed to the WAN side port number of the terminal device coming from the computer communication network;
When the generated key code is specified in a packet whose destination is the WAN side port number of the terminal device that has arrived, a permission unit that permits communication with the transmission source of the incoming packet,
Of the packets coming from the computer communication network, a WAN-side receiving unit that receives packets destined for the WAN-side port number of the terminal device transmitted from the transmission source permitted to communicate ,
A communication apparatus comprising: a relay unit that relays a packet received by the WAN side reception unit to the terminal device. The communication device according to claim 1,
The transmitter transmits a key code designating packet for designating the key code to a predetermined server device;
The transmission source of the packet that has arrived in the packet in which the generated key code is specified, obtains the key code from the server device, and transmits the packet to the communication device. A communication device characterized by: The communication device according to claim 1 or 2,
Canceling unit for canceling permission of communication to the transmission source when the elapsed time from the last reception of the packet transmitted from the transmission source permitted to perform communication exceeds a predetermined threshold time
A communication device further comprising: The communication device according to claim 1 or 2 ,
Cancellation unit that cancels communication permission for the sender if the elapsed time since the key code was generated exceeds a predetermined threshold time
A communication device further comprising: The communication device according to claim 1 or 2 ,
The permission unit does not permit communication with the transmission source of the newly arrived packet when the number of transmission sources of the packet that has arrived by specifying the generated key code exceeds a predetermined threshold number. A communication device. A communication device including a LAN side reception unit, a generation unit, a transmission unit, a determination unit, a permission unit, a WAN side reception unit, and a relay unit, and functions as a router that relays communication between a computer communication network and a terminal device. A communication method to execute,
  LAN side receiving step in which the LAN side receiving unit receives a packet transmitted from the terminal device;
  When the packet received in the LAN side reception step is a key code generation request packet for designating a destination to which a key code is to be sent, the generation unit generates a key code,
  The transmission unit sends a key code designating packet designating the generated key code and the WAN side port number of the terminal device to a destination designated in the key code generation request packet in the computer communication network. Sending process to send,
  A determination step of determining whether or not the generated key code is specified in a packet whose destination is the WAN side port number of the terminal device coming from the computer communication network;
  When the generated key code is specified in a packet whose destination is the WAN side port number of the terminal device that has arrived, the permission unit permits the communication with the transmission source of the arrived packet ,
  WAN side reception step of receiving, from the packet coming from the computer communication network, the packet destined for the WAN side port number of the terminal device transmitted from the transmission source permitted for the communication, from the WAN side reception unit ,
  Relay step in which the relay unit relays the packet received in the WAN side reception step to the terminal device
  A communication method comprising: A program that causes a computer to function as a communication device that functions as a router that relays communication between a computer communication network and a terminal device.
  LAN-side receiving unit that receives packets transmitted from the terminal device,
  When the packet received by the LAN side receiving unit is a key code generation request packet for designating a destination to which a key code is to be sent, a generating unit that generates a key code;
  A transmission unit for transmitting a key code designating packet for designating the generated key code and the WAN side port number of the terminal device to a destination designated by the key code generation request packet in the computer communication network;
  A determination unit that determines whether or not the generated key code is specified in a packet addressed to the WAN side port number of the terminal device coming from the computer communication network;
  When the generated key code is specified in a packet whose destination is the WAN side port number of the terminal device that has arrived, a permission unit that permits communication with the transmission source of the incoming packet,
  Of the packets coming from the computer communication network, a WAN-side receiving unit that receives packets destined for the WAN-side port number of the terminal device transmitted from the transmission source permitted to communicate,
  Relay unit that relays a packet received by the WAN side receiving unit to the terminal device
  A program characterized by functioning as

Images