JP4642628B2 - Data transfer device, address information search circuit, and address information search method - Google Patents

Description

  The present invention relates to a data transfer apparatus, an address information search circuit, and an address information search method suitable for use in processing for converting an IP address and a port number included in transferred data.

  Conventionally, when connecting the Internet routed with a global IP address and an intranet routed with a private IP address, a firewall is constructed to effectively use a limited global IP address or between the Internet and the intranet. Therefore, a technique called NAPT (Network Address Port Transport) that converts the IP address and port number of a TCP or UDP packet is known.

  In NAPT, an IP address and a port number are converted based on a conversion table stored inside a router or the like. For example, when the NAPT is transmitted from the Internet to the intranet, the router An entry of a combination of a global IP address and a destination port number is detected from the conversion table, and a combination of a private IP address and a port number included in the detected entry is used to determine the destination global IP address and destination port number of the packet. Rewrite. Then, the router sends the rewritten packet to the intranet side so that the packet reaches the terminal.

 When transmitted from the intranet to the Internet, the entry of the combination of the source private IP address and the source port number in the packet header is detected from the conversion table, and the global IP address included in the detected entry is detected. The private IP address and port number of the transmission source of the packet are rewritten in combination with the port number, and the packet is transmitted to the Internet side.

  By the way, if the number of entries stored in the conversion table is small, sequential search will not affect the transfer time, but if the number of entries is very large, the transfer time will be impaired. It is desired to devise a search method and further reduce the search time by hardware processing.

As a search method, a binary search method using a radix tree, which is a method for searching a destination IP address at a high speed from a routing table, is generally known, and this method is applied to search processing in NAPT. It is also possible (see Non-Patent Document 1).
Gary R. Wright (Author), W. Richard Stevens (Author), Hideyuki Tokuda (Translation), Yoshito Tobe (Translation), "Detailed TCP / IP <Vol.2>Implementation", ISBN4-89471-495-7, pp527-534, Pearson Education

  However, the above-described search method using a radix tree may be completed early or depending on the pattern of data to be searched, and may take a long time for the search. In this case, there is a problem that it is difficult to perform timing control.

  The present invention has been made to solve the above-described problem, and its object is to make it possible to shorten the search time in the NAPT and to further realize the NAPT search process suitable for hardware processing. A transfer device, an address information search circuit, and an address information search method are provided.

In order to solve the above problem, the present invention provides a plurality of first networks that are transferred using uniquely identifiable first address information, and second address information that can be uniquely identified only within the network. A data transfer device connected to a second network where transfer is performed and transferring data between the plurality of first networks and the second network, wherein the first address information and the first network Conversion information storage means for storing conversion information in association with the second address information corresponding to the address information, and the first address information included in the plurality of conversion information stored in the conversion information storage means. A first order information storage unit that stores first order information that enables the conversion information to be referred to in order of the magnitude of the numerical value, and the conversion information storage unit When the second address information included in the plurality of conversion information to be stored is indicated by a numerical value, the second order information is stored so that the conversion information can be referred to in order of the numerical value. When the data is received from any one of the sequence information storage means and the plurality of first networks, the search includes the first address information from the first address information indicating the transmission destination included in the data Conversion information that generates key information and includes the search key information from the conversion information storage means by a binary search method based on the first order information and the search key information stored in the first order information storage means The first search means for reading out and outputting the second address information contained in the searched conversion information from the conversion information storage means, and the second address output by the first search means A first transfer means for rewriting the destination of the data and transferring it to the second network, and a second address indicating the destination included in the data when the data is received from the second network Search key information including the second address information is generated from the information, and the conversion information is obtained by a binary search method based on the second order information and the search key information stored in the second order information storage means. Second search means for searching for conversion information including the search key information from the storage means, and reading out and outputting first address information contained in the searched conversion information from the conversion information storage means; and the second search And a second transfer means for rewriting the data transmission source with the first address information outputted by the means and transferring the data to the first network. is there.

  According to the present invention, in the invention described above, the conversion information stored in the conversion information storage means includes the first IP address, the first port number, the second IP address, and the second IP address. Port number and the protocol number, the first address information is information combining the first IP address and the first port number, and the second address information is The information is a combination of the second IP address and the second port number, and the search key information is a combination of the first IP address, the first port number, and the protocol number. Information or a combination of the second IP address, the second port number, and the protocol number, and the conversion information storage means stores the first order information. When the information combining the first address information and the protocol number included in the plurality of conversion information is expressed by a numerical value, the conversion information can be referred to in order of the value of the numerical value. If the order information of 2 represents the combination of the second address information and the previous protocol number included in the plurality of pieces of conversion information stored in the conversion information storage means as a numerical value, the magnitude of the value of the numerical value In this order, the conversion information can be referred to.

  The present invention relates to an address information search circuit provided in a data transfer device for converting address information of a transmission destination or a transmission source included in received data into other address information and transferring the address information, and the address information Storage means for storing a predetermined number of pieces of conversion information associated with the other address information corresponding to the information in descending order of numerical values indicated by the address information, clock generation means for generating a clock at a constant period, and An input means for inputting search key information including address information, and a first register for recording the predetermined number of median values at the first clock and outputting the information stored therein every clock cycle; In the first clock, a zero value is recorded, and a second register for outputting the information stored therein every clock cycle, and the first clock A median value when the predetermined number of median values is the maximum value is recorded, and a third register for outputting information stored therein for each clock cycle, and the first register for each clock cycle. A first OR operation means for calculating a logical sum of a value output from the first register and a value output from the third register, and outputting the calculated OR as a first OR; and a clock cycle Each time, a logical sum of a value output from the second register and a value output from the third register is calculated, and the calculated logical sum is output as a second logical sum. Sum operation means, median value calculation means for outputting a median value when the value output from the third register is the maximum value for each clock cycle, and the first register from the storage means for each clock cycle Corresponds to the value output from Whether or not the numerical value of the information obtained by combining the search target parts included in the read conversion information is equal to or less than the numerical value indicated by the search key information input by the input means, or the input means A determination unit that determines whether or not the numerical value indicated by the input search key information matches, a first logical sum output from the first logical sum operation unit, and the second logical unit for each clock cycle The second logical sum output by the sum calculation means is stored, and the numerical value of the information obtained by combining the search target parts included in the conversion information read by the determination means is indicated by the search key information input by the input means. When it is determined that the value is less than or equal to a numerical value, the stored first logical sum is recorded in the first register, and the determination unit is configured to store information including a combination of search target portions included in the conversion information. A first selector that records the stored second logical sum in the first register when it is determined that the numerical value is not less than or equal to the numerical value of the search key information input by the input means; In addition, a value output from the first register and a value output from the second register are stored, and a numerical value of information obtained by combining the search target portions included in the read conversion information by the determination unit When it is determined that the value is equal to or less than the numerical value indicated by the search key information input by the input means, the stored value output from the first register is recorded in the second register, and the determination means However, if it is determined that the numerical value of the information combined with the search target portion included in the conversion information is not less than or equal to the numerical value indicated by the search key information input by the input means, the stored second A second selector for recording the value output by the register in the second register, a third selector for recording the value calculated by the median value calculation means in the third register for each clock period, and the determination When the means determines that the numerical value of the information combining the search target parts included in the conversion information matches the numerical value indicated by the search key information input by the input means, the conversion information together with the information indicating the match Output means for outputting other address information included in the address information search circuit.

  According to the present invention, in the invention described above, the output unit generates a search target part included in the conversion information after the clock is generated from the clock generation unit a number of times according to the predetermined number. When it is determined that the numerical value of the information combined with the numerical value indicated by the search key information input by the input means matches, the other address information included in the conversion information is output together with the information indicating the matching. Features.

  According to the present invention, in the above-described invention, the storage means stores conversion information storage means for storing a predetermined number of pieces of conversion information in which address information is associated with the other address information corresponding to the address information. Order information that allows the conversion information to be referred to in order of the magnitude of the numerical value when the address information included in the predetermined number of pieces of conversion information stored in the conversion information storage means is indicated by a numerical value. Order information storage means for storing, and the determination means reads the order information from the order information storage means for each clock cycle, and outputs the read order information from the storage means to the first register. Based on the value, the conversion information is read from the conversion information storage means, and the numerical value of the information obtained by combining the search target portions included in the read conversion information is the input value. There and judging whether the search key whether or not the information is a numerical value indicating less, or to match the numerical value the indicated retrieval key information input means inputs to be input.

  According to the present invention, in the invention described above, the conversion information stored in the conversion information storage means includes the first IP address, the first port number, the second IP address, and the second IP address. Port number and the protocol number, the address information is information combining the first IP address and the first port number, and the other address information is the second address information. The information is a combination of an IP address and the second port number, and the search target portion included in the search key information and the conversion information includes the first IP address, the first port number, and the like. , Information combining the protocol numbers, or information combining the second IP address, the second port number, and the protocol number, and the order information is: When the combination of the address information and the protocol number included in a predetermined number of pieces of conversion information stored in the conversion information storage means is indicated by a numerical value, the conversion information is referred to in order of the numerical value. It is characterized by being able to do it.

  According to the present invention, in the invention described above, the predetermined number is a power of 2, and the storage unit stores the conversion information stored in the conversion information storage unit less than the predetermined number. The conversion information stored in the conversion information storage means is stored in advance for the number of conversion information having a value in which all bits are 1 when expressed in numerical values in a binary bit string, and the conversion information storage means stores the conversion information. The number of pieces of information is matched to a predetermined number.

  According to the present invention, in the above-described invention, the storage unit includes conversion information referred to when the destination address information is converted, and conversion information referred to when the source address information is converted. It is memorized.

  In the invention described above, the present invention includes conversion information adding means for inputting conversion information to be added, wherein the input means inputs address information included in the conversion information input by the conversion information adding means, The conversion information adding means refers to the value stored in the first register after the clock is generated from the clock generation means a number of times corresponding to the predetermined number, and sets the conversion information to be added to the read value. On the basis of this, it is recorded in the storage means.

  According to the present invention, in the invention described above, the storage means stores a first area for storing the conversion information, and information having the same contents as the first area, and the conversion information is added or deleted. The conversion information adding means records the input conversion information in addition to the second area, and the contents of the second area are: The first area is rewritten.

The present invention relates to a plurality of first networks that are transferred with first address information that can be uniquely identified, and a second network that is transferred with second address information that can be uniquely identified only within the network. And transferring data between the plurality of first networks and the second network, and including first address information and the second address information corresponding to the first address information. When the conversion information storage means for storing the associated conversion information and the first address information included in the plurality of pieces of conversion information stored in the conversion information storage means are indicated by numerical values, the value of the numerical value A first order information storage unit that stores first order information that allows the conversion information to be referred to in order; and a second address included in the plurality of conversion information stored in the conversion information storage unit. In a data transfer apparatus comprising: second order information storage means for storing second order information that enables the conversion information to be referred to in order of the magnitude of the numerical value when the information is indicated by a numerical value In the address information search method, when data is received from any one of the plurality of first networks, the first address information is included from the first address information indicating a transmission destination included in the data. Based on the step of generating search key information, the first order information stored in the first order information storage means and the search key information, the search key information is obtained from the conversion information storage means by a binary search method. A step of searching for conversion information to be included; a step of reading out and outputting the second address information contained in the searched conversion information from the conversion information storage means; Rewriting the transmission destination of the data with the address information and transferring the data to the second network; and when receiving data from the second network, the second address information indicating the transmission destination included in the data Based on the step of generating search key information including second address information, the second order information stored in the second order information storage means, and the search key information, the conversion information storage is performed by a binary search method. A step of searching for conversion information including the search key information from the means, a step of reading out the first address information included in the searched conversion information from the conversion information storage means, and outputting the first address information. And rewriting the transmission source of the data and transferring it to the first network. The

  The present invention is provided in a data transfer device that converts address information of a transmission destination or a transmission source included in received data into other address information and transfers it, generates a clock at a constant period, and generates address information and the address An address information search method in an address information search circuit comprising storage means for storing a predetermined number of pieces of conversion information associated with the other address information corresponding to information in descending order of numerical values indicated by the address information. A step of inputting search key information including the address information, a step of recording the predetermined number of median values in a first register at a first clock, and a zero value at a first clock. In the step of recording in the second register and in the first clock, the median value when the predetermined number of median values is the maximum value is recorded in the third register. A step of calculating a logical sum of a value output from the first register and a value output from the third register for each clock cycle, and calculating the logical sum of the calculated logical sum as a first logical sum. And a logical sum of a value output from the second register and a value output from the third register for each clock cycle, and the calculated logical sum is calculated as a second logical value. A step of outputting as a sum, a step of outputting a median value when the value output from the third register is set to a maximum value for each clock cycle, and recording it in a third selector; The conversion information of the order corresponding to the value output from the first register is read from the means, and the numerical value of the information obtained by combining the search target portions included in the read conversion information is input. A step of determining whether or not the numerical value indicated by the information is equal to or less than the numerical value indicated by the search key information input by the input means, and for each clock cycle, the first logical sum, And the step of recording the second logical sum in the first selector, and the numerical value of the information obtained by combining the search target portion included in the read conversion information is less than or equal to the numerical value indicated by the input search key information When the determination is made, the first selector records the first logical sum in the first register, and a numerical value of information obtained by combining the search target portion included in the conversion information is input to the search If it is determined that the value is not less than or equal to the numerical value of the key information, the first selector records the second logical sum in the first register, and the first register every clock cycle. The value output from the data and the value output from the second register are recorded in the second selector, and the numerical value of the information combining the search target portion included in the read conversion information is input. The second selector records the value output from the first register in the second register when it is determined that the value is equal to or less than the numerical value indicated by the search key information, and is included in the conversion information When it is determined that the numerical value of the information combining the search target portions is not less than or equal to the numerical value indicated by the input search key information, the second selector records the value output from the second register in the second register And a step of recording a median value in the third register when the third selector sets the value output from the third register as the maximum value for each clock cycle. If the numerical value of the information combining the search target parts included in the conversion information matches the numerical value indicated by the input search key information, other information included in the conversion information together with the information indicating the match And outputting the address information of the address information.

  According to this invention, the data transfer device includes conversion information storage means for storing conversion information in which the first address information is associated with the second address information corresponding to the first address information, and the conversion information. When the first address information included in the plurality of pieces of conversion information stored in the storage unit is indicated by a numerical value, the first order information that allows the conversion information to be referred to in order of the magnitude of the numerical value is stored. When the first address information storage means and the second address information included in the plurality of pieces of conversion information stored in the conversion information storage means are indicated by numerical values, the conversion information can be referred to in order of the magnitude of the numerical values. The second order information storage means for storing the second order information and the first address information indicating the transmission destination included in the data when data is received from any one of the plurality of first networks. Concerned The search key information including the address information of 1 is generated, and the conversion information including the search key information is searched from the conversion information storage means based on the first order information and the search key information stored in the first order information storage means. The second address information included in the searched conversion information is read from the conversion information storage means and output, and the second address information output by the first search means is used as the data transmission destination. The first transfer means for rewriting and transferring to the second network, and when receiving data from the second network, the second address information is included from the second address information indicating the transmission destination included in the data Search key information is generated, and conversion information including search key information is searched from the conversion information storage means based on the second order information and search key information stored in the second order information storage means. The first address information included in the searched conversion information is read from the conversion information storage means and output, and the first address information output by the second search means is used to specify the data transmission source. And a second transfer means for rewriting and transferring to the first network. As a result, by referring to the first order information storage means and the second order information storage means, the search can be performed in the order of the size of the values, so that the search time in NAPT can be shortened. it can.

  According to the invention, in the data transfer device, the first search means includes search key information from the conversion information storage means by a binary search method based on the read first order information and search key information. The conversion information is searched. Thus, a binary search is performed based on the first order information, and the first address information can be searched within the search time by the binary search.

  According to the invention, in the data transfer device, the second search means includes search key information from the conversion information storage means by a binary search method based on the read second order information and search key information. The conversion information is searched. Thus, a binary search is performed based on the second order information, and the second address information can be searched within the search time by the binary search.

    According to the present invention, the conversion information stored in the conversion information storage means in the data transfer apparatus includes the first IP address, the first port number, the second IP address, and the second port number. , The first address information is information combining the first IP address and the first port number, the second address information is the second IP address, and the second The search key information is information combining the first IP address, the first port number, and the protocol number, or the second IP address and the second port. The first order information is a combination of the first address information and the protocol number included in the plurality of pieces of conversion information stored in the conversion information storage means. When the information is represented by a numerical value, the conversion information can be referred to in the order of the magnitude of the numerical value, and the second order information is a second address included in the plurality of conversion information stored in the conversion information storage means. When information combining information and the previous protocol number is represented by a numerical value, the conversion information can be referred to in the order of the numerical value. As a result, NAPT processing for converting the IP address and the port number becomes possible.

  According to the present invention, the address information search circuit stores a predetermined number of pieces of conversion information in which address information is associated with other address information corresponding to the address information in descending order of numerical values indicated by the address information. Storing means, clock generating means for generating a clock at a fixed period, input means for inputting search key information including address information, and a predetermined number of medians are recorded at the first clock, and for each clock period A first register for outputting information stored therein, a second register for recording a value of zero at the first clock, and outputting information stored internally for each clock cycle, A first register that records a median value when a predetermined number of median values are maximum values, and outputs information stored therein for each clock cycle; For each lock cycle, a first logical sum that calculates the logical sum of the value output from the first register and the value output from the third register and outputs the calculated logical sum as the first logical sum. The logical sum of the value output from the second register and the value output from the third register is calculated for each clock cycle with the arithmetic means, and the calculated logical sum is output as the second logical sum. The second OR operation means, the median calculation means for outputting the median value when the value output from the third register is set to the maximum value for each clock cycle, and the storage means for the first time from the storage means. The conversion information of the order corresponding to the value output from the register of the above is read, and the numerical value of the information combining the search target part included in the read conversion information is less than or equal to the numerical value indicated by the search key information input by the input means No or no A determination unit that determines whether or not the numerical value indicated by the search key information input by the input unit matches, a first logical sum output from the first logical sum calculation unit, and a second logical unit for each clock cycle. The second logical sum output by the sum calculation means is stored, and the determination means has a numerical value of information obtained by combining the search target portions included in the read conversion information equal to or less than the numerical value indicated by the search key information input by the input means. When it is determined that there is a search, the stored first logical sum is recorded in the first register, and the determination means inputs a search value in which the input means inputs the numerical value of the combination of search target parts included in the conversion information If it is determined that the value is not less than the numerical value of the key information, a first selector that records the stored second logical sum in the first register, a value output from the first register for each clock cycle, From the second register When the determination means determines that the numerical value of the information combined with the search target portion included in the read conversion information is equal to or less than the numerical value indicated by the search key information input by the input means, Search key information in which the value output from the stored first register is recorded in the second register, and the numerical value of the information obtained by combining the search target portion included in the conversion information by the determination unit is input by the input unit If it is determined that the value is not less than or equal to the second value, the second selector that records the value output from the stored second register in the second register, and the value calculated by the median calculating unit for each clock period The numerical value of the information obtained by combining the third selector to be recorded in the third register and the determination unit with the search target portion included in the conversion information matches the numerical value indicated by the search key information input by the input unit. When it is determined, and the configuration with information indicating that matched and output means for outputting the other address information included in the conversion information. As a result, the address information search process of the NAPT process can be realized by parallel processing by hardware, and the processing time can be shortened.

  According to the present invention, in the address information search circuit, the output means combines the search target parts included in the conversion information after the clock is generated from the clock generation means a number of times corresponding to the predetermined number. When it is determined that the numerical value of the received information matches the numerical value indicated by the search key information input by the input means, the other address information included in the conversion information is output together with the information indicating the match. Thus, after performing the binary search process a number of times corresponding to the predetermined number, it becomes possible to search the address information to be searched, and the search process can be completed in a certain time.

  According to the present invention, the storage means in the address information search circuit includes conversion information storage means for storing a predetermined number of conversion information in which the address information is associated with other address information corresponding to the address information. The order in which the order information is stored so that, when the address information included in the predetermined number of pieces of conversion information stored in the conversion information storage means is indicated by a numerical value, the conversion information can be referred to in the order of the numerical value An information storage means, and the determination means reads the order information from the order information storage means for each clock cycle, and based on the read order information and the value output from the first register from the storage means, The conversion information is read from the conversion information storage means, and the numerical value of the information combining the search target parts included in the read conversion information is the search key information input by the input means Or less than to numerical, or the input unit was determined configure whether to match to the values indicated by the retrieval key information input. As a result, it is possible to perform the rearrangement by the order information storage unit while keeping the data configuration of the conversion information storage unit, which is a so-called NAPT table indicating the correspondence relationship of the address information.

    Further, according to the present invention, the conversion information stored in the conversion information storage means in the address information search circuit includes the first IP address, the first port number, the second IP address, and the second port number. And the protocol number, the address information is information combining the first IP address and the first port number, and the other address information is the second IP address and the second port number. The search target part included in the search key information and the conversion information is information combining the first IP address, the first port number, and the protocol number, or the second IP. The information is a combination of the address, the second port number, and the protocol number. When showing the information that combines protocol number in numerical and configured to be able to see the conversion information in the order of magnitude of the value of the number. As a result, NAPT processing for converting the IP address and the port number becomes possible.

  Further, according to the present invention, the predetermined number in the address information search circuit is a power of 2, and the storage means is a binary number when the number of conversion information stored in the conversion information storage means is less than the predetermined number. When the numerical value is shown in the bit string, the conversion information having a value in which all the bits are 1 is stored in advance for the predetermined number, and the number of pieces of conversion information stored in the conversion information storage unit is stored in a predetermined number. The configuration is adjusted to the number. Thus, even when there is no predetermined number of pieces of change information, the number of pieces of change information can be kept at a predetermined number in the hardware configuration, and the binary search process is performed a number of times according to the predetermined number. Thus, address information can be searched.

  Further, according to the present invention, the storage means in the address information search circuit includes the conversion information referred to when the destination address information is converted, the conversion information referred to when the source address information is converted, Is stored. As a result, it is possible to realize a process of converting the address information of the transmission destination and a process of converting the address information of the transmission source.

  Further, according to the present invention, the address information search circuit includes conversion information adding means for inputting conversion information to be added, and the input means inputs address information included in the conversion information input by the conversion information adding means, The conversion information adding means refers to the value stored in the first register after the clock is generated from the clock generation means a number of times corresponding to the predetermined number, and based on the value obtained by reading the conversion information to be added The recording is performed in the storage unit. As a result, the conversion information can be added to the storage unit in the order of size.

  According to the present invention, the storage means in the address information search circuit stores the first area for storing the conversion information and information having the same contents as the first area, and when the conversion information is added or deleted. The conversion information adding means records the input conversion information in addition to the second area and records the first area in the contents of the second area. The configuration was rewritten. Thus, even when conversion information is added or deleted, the search process can be performed with reference to the first area, and the contents of the second area can be changed with the contents of the second area at the end of the search process. By rewriting one area, conversion information can be added or deleted in a short time.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a schematic block diagram showing the internal configuration of the data transfer apparatus 1 according to the present embodiment. The data transfer device 1 is a device that transfers IP packets such as a router in an IP (Internet Protocol) network. In the data transfer apparatus 1, a connection unit 11 is connected to a WAN (Wide Area Network), and transmits and receives data via the WAN. The connection unit 13 is connected to a LAN (Local Area Network) and transmits / receives data via the LAN.

  Here, the WAN is, for example, the Internet, and a global IP address that can be uniquely identified is assigned to a terminal connected to the WAN. The LAN is, for example, an intranet or the like, and a private IP address that can be uniquely identified only within the LAN is assigned to a terminal belonging to the LAN.

  The address information search circuit 20 searches for and outputs address information corresponding to the address information based on the address information to be converted included in the received IP packet. Here, the address information indicates each of an IP address and a port number, or information obtained by combining an IP address and a port number.

  The conversion unit 23 converts the destination address information of the IP packet received from the WAN into the private IP address and port number output from the address information search circuit 20, that is, rewrites the header and outputs it to the route search unit 12.

  The conversion unit 24 receives the IP packet received from the LAN as input to the route search unit 12, and uses the global IP address output from the address information search circuit 20 as the source address information of the IP packet output by the route search unit 12. And the port number, and the converted IP packet is output to the connection unit 11. Here, the reason why the source IP address is converted to the global IP address is because, for example, the terminal that has received the IP packet refers to the source address information and transmits reply data. It is.

  The route search unit 12 stores a route information table therein, refers to the destination of the input IP packet, detects the connection units 11 and 13 that send out the IP packet from the route information table, and detects them. The connection units 11 and 13 are made to send out the IP packet.

  In the address information search circuit 20, the search unit 22 receives an IP packet that is received by the connection unit 11 from the WAN and is to be transferred to the LAN, and includes a destination address included in the header of the input IP packet. The IP address, port number, and protocol number indicating the protocol type of the fourth layer protocol of the OSI (Open Systems Interconnection) reference model are read. Here, the fourth layer protocol is TCP (Transmission Control Protocol), UDP (User Datagram Protocol), etc., one layer above the IP protocol. In the case of TCP, 6 is assigned to the protocol number. In the case of UDP, 17 is assigned.

  Further, the search unit 22 refers to the order table 26 described later, the NAPT table 21 indicating the correspondence relationship between the WAN address information and the LAN address information, and from the NAPT table 21 by binary search, Using the combination of the read IP address, port number, and protocol number as search key information, an entry that matches the search key information is searched, and the address information recorded in the searched entry, that is, the private IP address and the private IP Reads the port number corresponding to the address.

  The search unit 25 receives an IP packet that is received from the LAN by the connection unit 13 and is to be transferred to the WAN, and includes a source IP address, a port number, and a protocol included in the header of the input IP packet. Read the number. Further, the search unit 25 refers to the order table 27 and the NAPT table 21 to be described later, and by performing a binary search, the combination of the IP address, port number, and protocol number read from the NAPT table 21 is used as search key information. An entry matching the search key information is searched, and the global IP address recorded in the searched entry and the port number corresponding to the global IP address are read.

  In FIG. 1, only two connection portions, that is, a connection portion 11 connected to the WAN and a connection portion 13 connected to the LAN are shown, but there are a plurality of connection portions 11 connected to the WAN. You may do it.

  Next, with reference to FIG. 2, the data structure of the NAPT table 21 and the order tables 26 and 27 and the search procedure by the search units 22 and 24 described above will be described.

  The NAPT table 21 includes items of “entry”, “gAddr: global Address”, “gPort #”, “lAddr: Local Address”, “lPort #”, and “Protocol #”. In “entry”, an entry number that can uniquely identify each entry included in the NAPT table 21 is recorded. A global IP address is recorded in “gAddr”. In “gPort #”, a port number corresponding to the global IP address is recorded. In “lAddr”, a private IP address corresponding to the global IP address is recorded. In “lPort #”, a port number corresponding to the private IP address is recorded. In “Protocol #”, a protocol number is recorded.

  The order table 26 has items “order” and “entry”, and “order” is numbered in order from 0. In “entry”, 64 bits combining “gAddr” (32 bits), “gPort #” (16 bits), and “Protocol #” (16 bits) of the NAPT table 21 are defined as one variable. The order of the entry numbers in the NAPT table 21 when rearranged in the order of ascending is recorded.

  The order table 27 has items “order” and “entry” as in the order table 26, and “order” is numbered sequentially from 0. In “entry”, 64 bits obtained by combining “lAddr” (32 bits), “lPort #” (16 bits), and “Protocol #” (16 bits) of the NAPT table 21 are defined as one variable. The order of the entry numbers in the NAPT table 21 when rearranged in the order of ascending is recorded.

  In the conventional NAPT search, when converting the IP address and port number of the transmission destination of the packet received from the WAN, first, the IP address and port number of the transmission destination of the IP packet received from the WAN and the protocol number are read. Using the read IP address, port number, and protocol number as search key information (keyw), search the same combination as the search key information for the items “gAddr”, “gPort #”, and “Protocol #” in the NAPT table 21 To do. As a result of the search, if there are entries of “gAddr”, “gPort #”, and “Protocol #” with the same combination, the private records recorded in the “lAddr” and “lPort #” items included in the entries are included. The IP address and port number are read and output as a search result (resw).

  Conversely, when converting the source IP address and port number of the packet received from the LAN, first, the source IP address and port number and protocol number of the IP packet received from the LAN are read and read. Using the IP address, port number, and protocol number as search key information (keyl), the same combination as the search key information is searched for the items “lAddr”, “lPort #”, and “Protocol #” in the NAPT table 21. As a result of the search, if there are entries of “lAddr”, “lPort #”, and “Protocol #” with the same combination, they are recorded in the “gAddr” and “gPort #” items that can be included in the entry. The private IP address and port number are read and output as a search result (resl).

  However, since the NAPT table 21 is a table for storing a correspondence relationship between a pair of a normal global IP address and a port number and a pair of a private IP address and a port number, from the first entry to the last entry. If you do not search, you may not get results.

  Therefore, in the present embodiment, by providing the order table 26 and the order table 27, when searching with each search key information (keyw, keyl), the order for each variable corresponding to the search key information can be easily referred to. It is possible to easily perform a binary search that makes a search by determining whether a value exists in a group of values higher than the center or in a group of values lower than the center. Shortening is possible.

  Next, with reference to FIGS. 3 to 5, a specific hardware configuration for performing a search from the NAPT table 21 by the above-described binary search and its operation will be described.

  FIG. 3 is a diagram showing an address information search circuit 20a in which the address information search circuit 20 provided in the data transfer apparatus 1 described above is configured by hardware.

  The address information search circuit 20a includes four registers, that is, a data register 31 (Data), a first register 32 (naptp), a second register 33 (naptmp), a third register 34 (Shiftreg), and an address register 50 (Addrreg). Four selectors, that is, selectors 40, 41, 42, and 43, two OR operation circuits (ORs) 35 and 36, one bit shifter 37, a subtracter (SUB) 51, a buffer circuit 52, and an enable signal The circuit 53, the determination circuit 54, the NAPT table 21a, and the order table 26a are provided.

  Although not shown in FIG. 3, the address information search circuit 20a includes a clock circuit that generates a clock and a start signal circuit that outputs a search processing start instruction signal.

  In the order table 26a, data is recorded with the same data configuration as that of the order table 26 used for converting the address information of the destination of the IP address received from the WAN. When the first register 32 stores a value, the value of “order” matches the value stored in the first register 32, or the entry of the address in the order table 26a indicated by the first register is detected, and the value (“entry”) of the detected entry is recorded ( w2l [naptp]) is output.

  The address register 50 is connected to the output of the order table 26a, and stores data output from the order table 26a at the falling edge of the clock.

  The NAPT table 21a has the same data configuration as the NAPT table 21 described above, and 256 entries are recorded in advance. Further, when the address register 50 stores a value, the NAPT table 21a detects an entry whose “entry” value matches the value stored in the address register 50, and detects the detected entries “gAddr”, “gPort #”, The value of the item “Protocol #” (NAPTable [w2l [naptp]]) is output to the subtractor 51. Further, the NAPT table 21 a outputs the values of the “lAddr” and “lPort #” items (res (NewAddr, NewPort #)) of the entry to the buffer circuit 52.

  The subtractor 51 has two input terminals and two output terminals. One input terminal is connected to the selector 40 and the other input terminal is connected to the output of the NAPT table 21a. Further, the subtracter 51 uses 64 bits for “gAddr”, “gPort #”, and “Protocol #” output from the NAPT table 21a from the numerical value when the search key information input from the selector 40 is expressed in 64 bits. When the subtraction result is negative, 1 is output from the output terminal sign and 0 is output from the output terminal zero. When the calculation result is 0, 0 is output from the output terminal sign and 1 is output from the output terminal zero. When the calculation result is negative or other than 0, that is, positive, 0 is output from the output terminal sign and 0 is output from the output terminal zero.

  Here, the case where 1 is output from the output terminal zero (Hit) indicates a case where the value of the search key information matches the value output from the NAPT table 21a, and the case where 0 is output. (Miss) indicates a case where the value of the search key information and the value output from the NAPT table 21a do not match.

  The buffer circuit 52 associates the values of the items “lAddr” and “lPort #” output from the NAPT table 21 a (res (NewAddr, NewPort #)) with the values output from the output terminal zero of the subtractor 51. Add and remember.

  The enable signal circuit 53 is a circuit that outputs an enable signal for outputting the data stored in the buffer circuit 52. The enable signal circuit 53 has a counter inside. For example, the number of entries in the NAPT table 21a is 256. After the 9th (= log2 (256) +1) -th clock, which is the number of searches required for the binary search, is output from the clock circuit, the enable signal is output.

  The determination circuit 54 determines whether there is a search result whose output terminal zero is 1 among the search results output from the buffer circuit 52. If there is a search result, the IP address and port number ( res (NewAddr, NewPort #)) is output to the conversion unit 23 described above.

  The data register 31, the first register 32, the second register 33, and the third register 34 latch the input data at the rising edge of the clock, that is, store the input data, and output the stored data. The stored data is held until the next rising edge of the clock.

  The selector 40 has two input terminals in1 and in2. Data output from the data register 31 is input to in1, and search key information read from the IP packet received by the search unit 22 or the search unit 25 of the data transfer apparatus 1, that is, an IP address and a port number, is input to in2. The protocol number is entered. The selector 40 outputs data input from in2 to the data register 31 at the first clock, and outputs data input from in1 to the data register 31 at subsequent clocks.

  The selector 41 has three input terminals in1, in2, and in3. Data output from the OR operation circuit 35 is input to in1, data output from the OR operation circuit 36 is input to in2, and half of the number of entries in the NAPT table 21 is input to in3 as an initial value. 128 (1000_0000b) is input. The selector 41 outputs data input from in3 to the first register 32 at the first clock, and from in2 when the value output from the output terminal sign of the subtractor 51 is 1 at the subsequent clocks. The input data is output to the first register 32. When the value output from the output terminal sign of the subtractor 51 is 0, the data input from in1 is output to the first register 32.

  Like the selector 41, the selector 42 has three input terminals in1, in2, and in3. Data output from the first register 32 is input to in1, data output from the second register 33 is input to in2, and 0 (0000 — 0000b) is input as an initial value to in3. The selector 42 outputs the data input from in3 to the second register 33 at the first clock, and from in2 when the value output from the output terminal sign of the subtractor 51 is 1 at the subsequent clocks. Output the input data. If the value output from the output terminal sign of the subtractor 51 is 0, the data input from in1 is output.

  The selector 43 has two input terminals in1 and in2. Data output from the bit shifter 37 is input to in1, and 64 (0100_0000b), which is a half value of 128, is input to in2 as an initial value. The selector 43 outputs data input from in2 to the third register 34 at the first clock, and outputs data input from in1 to the third register 34 at the subsequent clocks.

  3 shows a configuration for converting the address information of the destination of the IP packet received from the WAN, and therefore the order table 26a is provided. However, the address information of the source of the IP packet received from the LAN is shown. Is converted to the order table 27a having the same data configuration as the order table 27. The NAPT table 21a outputs to the subtractor 51 the values of the items “lAddr”, “lPort #”, and “Protocol”, and the outputs to the buffer circuit 52 are “gAddr” and “gPort #”. It becomes an item. Further, the determination circuit 54 is configured to output to the conversion unit 24 in FIG.

  Further, in the address information search circuit 20a shown in FIG. 3, the above-described four registers, four selectors, two logical sum operation circuits, one bit shifter, a subtractor 51, a buffer circuit 52, an enable signal circuit. 53, the determination circuit 54, the clock circuit, and the start signal circuit correspond to the search unit 22 or the search unit 25 in FIG.

  In the address information search circuit 20a of FIG. 3 described above, the position where data is latched may be changed as appropriate depending on the memory speed of each register.

  Next, the operation of the address information search circuit 20a will be described with reference to FIGS. FIG. 4 is a flowchart showing the binary search operation by the address information search circuit 20a.

  First, search key information (Addr, Port #, Protocol) is input to the input terminal in2 of the selector 40, 128 is input to the input terminal in3 of the selector 41, and 0 is input to the input terminal in3 of the selector 42. And 64 is input to the input terminal in3 of the selector 43. In addition, 0 is set to the counter i included in the enable circuit 53 (step Sa1).

  Here, when the start signal is output from the start signal circuit, the search process is started, and the enable circuit 53 determines whether or not the counter i is less than 9, and if the counter i is less than 9, the enable signal Is not output, and the process proceeds to step Sa3 (step Sa2). On the other hand, if the counter i is not less than 9, an enable signal is output and the process proceeds to step Sa8.

  At the rising edge of the first clock, the data register 31 stores search key information (Addr, Port #, Protocol) output from the selector 40. The first register 32 stores 128 output from the selector 41. The second register 33 stores 0 output from the selector 42. The third register 34 stores 64 output from the selector 43.

  In the clock cycle, the first register 32 outputs the stored 128 values to the logical sum operation circuit 35 and the selector 42. The second register 33 outputs the stored value of 0 to the logical sum operation circuit 36 and the selector 42. The third register 34 outputs the stored 64 values to the logical sum operation circuit 35, the logical sum operation circuit 36, and the bit shifter 37.

  The logical sum operation circuit 35 outputs 192 which is a logical sum of 128 output from the first register 32 and 64 output from the third register 34. The logical sum operation circuit 36 outputs 64 (20h), which is the logical sum of 0 output from the second register and 64 output from the third register.

  The order table 26a refers to the 128 values stored in the first register 32, and outputs the value (w2l [naptp]) recorded in the “entry” item of the entry whose “order” is 128. .

  And the address register 50 memorize | stores the value output from the order table 26a by the falling of a clock. The NAPT table 21a refers to a value stored in the address register 50, reads an entry whose item “entry” is the value, and combines a 64-bit combination of “gAddr”, “gPort #”, and “Protocol”. The value (NAPTable [w2l [naptp]]) is output to the subtractor 51. The NAPT table 21a outputs “lAddr” and “lPort #” (res (NewAddr, NewPort #)) included in the read entry to the buffer circuit 52 (step Sa3).

  The subtractor 51 subtracts the numerical value output from the NAPT table 21a from the numerical value when the search key information output from the selector 40 is represented by 64 bits, and outputs the result obtained by subtracting the output terminal zero and the output terminal sign. (Step Sa4).

  When the subtraction result is positive, that is, when 0 is output from the output terminal sign, the selector 41 outputs the value input from in1, that is, the operation result (napt | shiftleg) of the OR operation circuit 35 to the first register 32. To (naptp). In addition, the selector 42 outputs the value input from in1, that is, the value (naptp) output from the first register 32 to the second register 33 (naptmp) (step Sa5).

  On the other hand, when the operation result is negative, that is, when 1 is output from the output terminal sign, the selector 41 outputs the value input from in2, that is, the operation result (naptmp | shiftreg) of the logical sum operation circuit 36 to the first. Output to the register 32 (naptp). The selector 42 outputs the value input from in2, that is, the value (naptmp) output from the second register 33 to the second register 33 (naptmp) (step Sa6).

  The enable signal circuit 53 adds 1 to the counter i after the clock is generated. The bit shifter 37 outputs 32 obtained by shifting 64 output from the third register 34 to the right by 1 bit (step Sa7). The processing from step Sa2 to step Sa7 is repeated nine times. At the ninth time, the enable signal circuit 53 outputs an enable signal to the buffer circuit 52. The buffer circuit 52 outputs the stored search result to the determination circuit 54. Then, the determination circuit 54 determines whether or not the search key information exists in the NAPT table 21a, that is, whether or not the output of the output terminal zero is 1 (step Sa8), and the output of the output terminal zero is 1. If it is, res (NewAddr, NewPort #) output from the NAPT table 21a is output to the conversion unit 23, and the IP address and port number of the IP packet received by the conversion unit 23 are displayed as NewAddr, NewPort #. Rewrite with. (Step Sa9). On the other hand, if there is no search result in which the output of the output terminal zero is 1, the IP address and port number are not changed, or the IP packet itself is discarded (step Sa10).

  Even if the clock is not generated nine times, if the subtraction result is zero in step Sa4, that is, if the search key information matches the information output from the NAPT table 21a, the process does not proceed to step Sa5. The process may be terminated by proceeding to step Sa8.

  FIG. 5 is a timing chart showing the operation of each circuit of the address information search circuit 20a when the search key information matches the entry in the NAPT table 21a at the 134th position in the order table 26a.

  As shown in FIG. 5, each time the clock (clk1, clk2,...) Rises, the values stored in the first register 32, the second register 33, and the third register 34 change, and the ninth clock At (clk9), the value stored in the first register 32 converges to 134. Then, at the falling edge of the ninth clock, the enable signal is output from the enable signal circuit 53, and the buffer circuit 52 outputs Hit / Miss, that is, the value of the output terminal zero and the searched address information (res (NewAddr, NewPort # )) Are associated and output to the determination circuit 54.

  In the above-described embodiment, when the memory speed of the memory constituting the NAPT table 21a is high, the address register 50 can be omitted.

  Further, in the above-described embodiment, when the number of entries recorded in the NAPT table 21a is less than 256, as shown by the entry number 255 of the NAPT table 21 in FIG. By adding 255 to “entry” of 254 and 255, the value of “order” in the order table 26 that does not have a corresponding entry number can be set to 256, and 9 without changing the circuit configuration. The binary search process can be executed without any trouble.

  As another countermeasure when the number of entries recorded in the NAPT table 21a is less than 256, a flag indicating that the entry is not to be searched is set in “entry” of the order table 26 in which the corresponding entry number does not exist. You may do it.

  Further, once the entry to be searched is output from the NAPT table 21a to the subtractor 51, the value stored in the first register 32 does not change thereafter, and therefore the same information is output to the buffer circuit 52. Become. Therefore, the buffer circuit 52 does not store all the information output from the subtractor 51, but stores only the latest information, and the enable signal from the enable signal circuit 53 is sent to the buffer circuit 52. When input, the buffer circuit 52 may output the information stored when the enable signal is input to the determination circuit 54.

  With the configuration of the above embodiment, when the number of entries in the NAPT table 21a is equal to the number of entries, that is, when the number of entries is N, address information can be retrieved by a binary search of log2 (N) +1 times. . In addition, by providing the order tables 26a and 27a as described above, it is possible to realize search processing in NAPT suitable for hardware processing.

  Next, with reference to FIGS. 6 to 8, processing for adding and deleting entries in the NAPT table 21 in the data transfer apparatus 1 shown in FIG. 1 will be described.

  FIG. 6 is a diagram showing a configuration of the address information search circuit 20 of the data transfer apparatus 1b to which the entry addition / deletion unit 60 for adding or deleting entries to the NAPT table 21 is added. When adding an entry, the entry addition / deletion unit 60 inputs address information included in the entry to be added to the search units 22 and 25, and the NAPT table 21 based on the search results output from the search units 22 and 25. And the entries in the order tables 26 and 27 are rewritten. In addition, when deleting an entry, the entry addition / deletion unit 60 deletes the entry based on the entry number of the NAPT table 21 including the entry to be deleted and the “order” number of the order tables 26 and 27 corresponding to the entry number. Perform deletion.

Next, processing for adding an entry will be described with reference to FIG.
FIG. 7 illustrates a case where the address information search circuit 20a of FIG. 3 is applied to the address information search circuit 20 of FIG.
When adding an entry, the order of the order table 26a is changed in accordance with the size of the numerical value in which “gAddr”, “gPort #”, and “Protocol” included in the entry to be added are represented by 64 bits, and “lAddr” , “LPort #” and “Protocol” need to be replaced in the order of the order table 27a according to the numerical value represented by 64 bits.

  First, the entry addition / deletion unit 60 inputs, as search key information, a numerical value representing the added entry “gAddr”, “gPort #”, “Protocol” in 64 bits to the selector 40 of the address information search circuit 20a. To do. The address information search circuit 20a performs steps Sb1 to Sb8, which are the same processes as steps Sa1 to Sa7, which are the binary search processes described with reference to FIG. Is output, and the determination circuit 54 outputs the search result in which the output terminal zero is 1 among the search results to the entry addition / deletion unit 60.

  If there is a search result in which the output from the output terminal zero is 1, the entry addition / deletion unit 60 reads the value of the first register 32 and stores it as an internal variable NAPTP. Then, a value obtained by adding 1 to NAPTP is set as NAPTP (step Sb9). In addition, when there is no search result in which the output from the output terminal zero is 1, the entry addition / deletion unit 60 reads the value of the first register 32 and stores the read value as an internal variable NAPTP. To do.

  The entry addition / deletion unit 60 sets 255 in the internal counter j, and determines whether or not the value of the counter j is larger than the value of the variable NAPTP (step Sb11). When the value of the counter j is larger than the value of the variable NAPTP, the entry addition / deletion unit 60 adds one to the “entry” item (w2l [j]) whose “order” value in the order table 26a is j. The previous “entry” item (w2l [j−1]) is written, and a value obtained by subtracting 1 from the counter j is substituted into the counter j. Then, the rewriting process of step Sb12 is repeated while the value of the counter j is larger than the value of the variable NAPTP.

  When the value of the counter j is equal to or less than the value of the variable NAPTP, the entry addition / deletion unit 60 searches for a free entry in the NAPT table 21a and records an entry to be added to the free entry (step Sb13). Then, the entry addition / deletion unit 60 reads the number of “entry” of the NAPT table 21a assigned to the added entry, and reads “empty entry” in the order table 26a, that is, “value” of the NAPT table 21a read in the order of the value of the variable NAPTP. The entry number is recorded (step Sb14).

  After the processing of FIG. 7, the processing for rewriting the order table 27a is detected in the order table 27a by detecting the position where the entry number of the new entry NAPT table 21a is to be inserted in the order table 27a. By rewriting, entry addition can be completed.

  With the above processing, the insertion position in the order table 26a, 27a for the entry to be added can be searched, and the value recorded in “entry” of the order table 26a, 27a is moved according to the searched insertion position. Can be made. Then, the entry to be added is written in the empty entry of the NAPT table 21a, and the entry number of the written entry is recorded at the insertion position of the order table 26a, 27a, thereby changing the order table 26a, 27a when the entry is added. It becomes possible.

Next, an entry deletion process performed by the entry addition / deletion unit 60 will be described with reference to FIG.
First, the entry number of the NAPT table 21a to be deleted by the entry addition / deletion unit 60 and the item number of the “order” item in the order table 26a corresponding to the entry number are read out. The read item number of “order” is set in the counter j (step Sc2), and it is determined whether or not the value of the counter j is less than 255 (step Sc3). When the value of the counter j is less than 255, the entry addition / deletion unit 60 adds the “order” value of the order table 26 a to the item “entry” (w2l [j]) having the value of j, the next “ The “entry” item (w2l [j + 1]) is written (step Sc4), and the value obtained by adding 1 to the counter j is substituted into the counter j. Then, the rewriting process of step Sc4 is repeated while the value of the counter j is larger than the value of the variable NAPTP.

  When the value of the counter j is 255 or more, the entry addition / deletion unit 60 records the entry number of the NAPT table 21a to be deleted in the “entry” item (w2l [255]) of order = 255 in the order table 26a. Then (step Sc5), all the bits are recorded as 1 in the entry (NAPTTable [entry]) of the NAPT table 21a (step Sc6).

  After the processing of FIG. 8, the entry deletion processing can be completed by performing the same processing on the order table 27a.

  By the above processing, the entry number corresponding to the entry to be deleted is deleted from the order tables 26a and 27a, the subsequent entries are packed, and all bits are recorded as 1 in the entry to be deleted from the NAPT table 21a. Is possible.

  In addition, in the case of the address information search circuit 20a configured by hardware shown in FIG. 3 in addition and deletion of entries, each table is written to or deleted from the order tables 26a and 27a and the NAPT table 21a. It is necessary to detect in advance the status of the entry, the position of the entry to be deleted, and the like. For example, the entry addition / deletion unit 60 is configured by an external processor and incorporated in the address information search circuit 20a. The addition / deletion unit 60 may be managed.

  In the processing of FIG. 8, the case of deleting based on the entry number of the NAPT table 21a has been described. However, information of the entry to be deleted, that is, “gAddr”, “gPort #”, “lAddr”, “lPort #” It is also possible to perform deletion based on “Protocol #”.

In addition, in the above-described entry addition and deletion, it is necessary to move the position of the value recorded in the “entry” of the NAPT table 21a and the order tables 26a and 27a. Therefore, the NAPT search process is performed during the process. I can't. Therefore, there are two order tables 26a and 27a, and processing is performed on the back order table when adding / deleting, and the NAPT search cannot be performed by replacing the update timing and the back order table with the front order table. Time can be greatly reduced.
Here, the update timing is one time when an addition or deletion request occurs, when the currently executed NAPT search process is completed, or when updating is performed using a two-side table. There is an update permission time set in advance after the end of the NAPT table search or after the end of a plurality of NAPT table searches.

  If a NAPT table for an IP packet received from the WAN and a NAPT table for an IP packet received from the LAN can be provided, the NAPT table search target portion, that is, the search key information is configured except for the order table. It is also possible to set and operate a numerical value indicated by information combining items in ascending order. In addition, in the case where each NAPT table is provided, when adding and deleting entries, it is possible to significantly reduce the time during which NAPT search cannot be performed by having a total of four NAPT tables.

  In the above embodiment, a comparator may be applied instead of the subtracter 51.

  In the above embodiment, the number of entries stored in the order tables 26 and 27 has been described as 256. However, the present invention is not limited to the numerical value, and may be any number. The median value in the binary search is a value obtained by dividing the number of entries by 2 when the number is even, and can be processed as a value obtained by adding 1 to the value obtained by dividing the number of entries by 2 when the number is odd. .

  In the above embodiment, the search key information is information that combines an IP address, a port number, and a protocol number. However, the present invention is not limited to this, and the information included in the search key information is only an IP address. It may also be information that is a combination of an IP address and a port number.

  The conversion information storage means described in the present invention corresponds to the NAPT tables 21 and 21a, the first order information storage means corresponds to the order tables 26 and 26a, and the second order information storage means This corresponds to the tables 27 and 27a. The first search means of the present invention corresponds to the search unit 22, and the second search means corresponds to the search unit 25. The first transfer means of the present invention corresponds to a configuration in which the conversion unit 23, the route search unit 12, and the connection unit 12 are combined. The second transfer unit includes the conversion unit 24, the route search unit 12, and the connection unit. 13 corresponds to the combined configuration.

The input means described in the present invention corresponds to a configuration in which the search unit 22 or the search unit 25 reads and inputs information included in the search key information from the IP packet input from the connection unit 11 or the connection unit 13. The clock generation means according to the present invention corresponds to the clock circuit described above, the first register corresponds to the first register 32, the second register corresponds to the second register 33, and the third register corresponds to the third register 34. The first OR operation means corresponds to the OR operation section 35, the second OR operation means corresponds to the OR operation section 36, and the median calculation means described in the present invention is added to the bit shifter 37. Correspondingly, the determination means corresponds to the subtractor 51. Further, the first selector described in the present invention corresponds to the selector 41, the second selector corresponds to the selector 42, and the third selector corresponds to the selector 43. The output means described in the present invention corresponds to the buffer circuit 52 and the enable signal circuit 53. Further, the conversion information adding means described in the present invention corresponds to the entry addition / deletion unit 60.

It is a block diagram which shows the data transfer apparatus by this embodiment. It is the figure which showed the data structure of the NAPT table and order table in the embodiment. It is the figure which showed the hardware constitutions of the address information search circuit in the same embodiment. It is the flowchart which showed the address information search processing in the same execution form. It is the figure which showed the timing chart at the time of the address information search processing in the same execution form. It is a block diagram which shows the data transfer apparatus in the case of performing entry addition and deletion in the embodiment. It is the flowchart which showed the entry addition process in the same embodiment. It is the flowchart which showed the entry deletion process in the same embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Data transfer apparatus 11 Connection part 12 Path | route search part 13 Connection part 20 Address information search circuit 21 NAPT table 26 Order table 27 Order table 22 Search part 23 Conversion part 24 Conversion part 25 Search part

Claims (12)

It is connected to a plurality of first networks that are transferred with first address information that can be uniquely identified, and a second network that is transferred with second address information that can be uniquely identified only within the network. A data transfer device for transferring data between the plurality of first networks and the second network,
Conversion information storage means for storing conversion information in which the first address information is associated with the second address information corresponding to the first address information;
When the first address information included in the plurality of pieces of conversion information stored in the conversion information storage unit is indicated by a numerical value, a first order that allows the conversion information to be referred to in order of the magnitude of the numerical value First order information storage means for storing information;
When the second address information included in the plurality of pieces of conversion information stored in the conversion information storage unit is indicated by a numerical value, a second order that allows the conversion information to be referred to in order of the magnitude of the numerical value Second order information storage means for storing information;
When data is received from any one of the plurality of first networks, search key information including the first address information is generated from first address information indicating a transmission destination included in the data, Based on the first order information stored in the first order information storage means and the search key information, the conversion information including the search key information is searched from the conversion information storage means by the binary search method , and the searched conversion is performed. First search means for reading out and outputting second address information included in the information from the conversion information storage means;
First transfer means for rewriting the transmission destination of the data with the second address information output by the first search means and transferring it to a second network;
When data is received from the second network, search key information including the second address information is generated from second address information indicating a transmission destination included in the data, and the second order information storage unit The conversion information including the search key information is searched from the conversion information storage means by a binary search method based on the second order information stored in the search information and the search key information, and the first information included in the searched conversion information Second search means for reading out and outputting address information from the conversion information storage means;
Second transfer means for rewriting the data source with the first address information output by the second search means and transferring the data to the first network;
A data transfer device comprising: The conversion information stored in the conversion information storage means includes the first IP address, the first port number, the second IP address, the second port number, and the protocol number. ,
The first address information is information combining the first IP address and the first port number;
The second address information is information obtained by combining the second IP address and the second port number;
The search key information includes information combining the first IP address, the first port number, and the protocol number, or the second IP address, the second port number, and the protocol number. Is a combination of
The first order information is:
When information obtained by combining the first address information and the protocol number included in a plurality of pieces of conversion information stored in the conversion information storage unit is expressed by a numerical value, the conversion information is displayed in order of the magnitude of the numerical value. To be able to refer
The second order information is:
When information obtained by combining the second address information and the previous protocol number included in the plurality of pieces of conversion information stored in the conversion information storage unit is expressed by a numerical value, the conversion information is displayed in order of the magnitude of the numerical value. The data transfer device according to claim 1, wherein the data transfer device can be referred to. An address information search circuit provided in a data transfer apparatus that converts address information of a transmission destination or a transmission source included in received data into other address information and transfers the information.
Storage means for storing a predetermined number of pieces of conversion information in which address information is associated with the other address information corresponding to the address information in descending order of numerical values indicated by the address information;
Clock generation means for generating a clock at a constant period;
Input means for inputting search key information including the address information;
A first register that records the predetermined number of median values at a first clock and outputs information stored therein every clock period;
A second register in which a value of zero is recorded at the first clock and the information stored therein is output every clock cycle;
A first register that records a median value when the predetermined number of median values is a maximum value, and outputs information stored therein for each clock cycle;
For each clock cycle, a logical sum of a value output from the first register and a value output from the third register is calculated, and the calculated logical sum is output as a first logical sum. OR operation means;
A second OR that calculates a logical sum of a value output from the second register and a value output from the third register for each clock cycle, and outputs the calculated logical sum as a second OR. OR operation means of
Median value calculating means for outputting a median value when the value output from the third register is set to the maximum value for each clock cycle;
For each clock cycle, the conversion information of the rank corresponding to the value output from the first register is read from the storage means, and the numerical value of the information combining the search target parts included in the read conversion information is the input means Determining means for determining whether or not the numerical value indicated by the search key information to be input is equal to or less than the numerical value indicated by the search key information input by the input means;
For each clock cycle, the first logical sum output by the first logical sum operation means and the second logical sum output by the second logical sum operation means are stored, and the determination means reads the first logical sum. When it is determined that the numerical value of the information combined with the search target portion included in the conversion information is equal to or less than the numerical value indicated by the search key information input by the input means, the stored first logical sum is calculated as the first logical sum. If the determination means determines that the numerical value of the information combined with the search target portion included in the conversion information is not less than or equal to the numerical value of the search key information input by the input means, stores the information. A first selector for recording the second logical sum in the first register;
For each clock period, the value output from the first register and the value output from the second register are stored, and the determination unit combines the search target portions included in the read conversion information When it is determined that the numerical value of the information is equal to or less than the numerical value indicated by the search key information input by the input means, the value output from the first register stored is recorded in the second register, When the determination means determines that the numerical value of the information combining the search target parts included in the conversion information is not less than or equal to the numerical value indicated by the search key information input by the input means, the stored second A second selector for recording the value output by the register in the second register;
A third selector for recording the value calculated by the median value calculation means in the third register for each clock cycle;
When the determination unit determines that the numerical value of the information combined with the search target portion included in the conversion information matches the numerical value indicated by the search key information input by the input unit, the information together with the information indicating the match Output means for outputting other address information included in the conversion information;
An address information search circuit comprising: The output means is configured such that, after the clock is generated from the clock generation means a number of times corresponding to the predetermined number, the determination means has a numerical value of information obtained by combining the search target portions included in the conversion information. The address information according to claim 3 , wherein when it is determined that the numerical values indicated by the search key information input by are coincident, other address information included in the conversion information is output together with information indicating the coincidence. Search circuit. The storage means stores conversion information storage means for storing a predetermined number of pieces of conversion information in which address information is associated with the other address information corresponding to the address information.
When the address information included in a predetermined number of pieces of conversion information stored by the conversion information storage unit is indicated by a numerical value, order information is stored so that the conversion information can be referred to in order of the magnitude of the numerical value. Order information storage means for performing,
With
The determination means includes
For each clock cycle, the order information is read from the order information storage means, and the conversion information is read from the conversion information storage means based on the read order information and the value output from the first register from the storage means. Whether the numerical value of the information combining the search target parts included in the read conversion information is equal to or less than the numerical value indicated by the search key information input by the input means, or the search key information input by the input means 4. The address information search circuit according to claim 3 , wherein the address information search circuit determines whether or not the numerical value matches the numerical value indicated by. The conversion information stored in the conversion information storage means includes the first IP address, the first port number, the second IP address, the second port number, and the protocol number. ,
The address information is information that combines the first IP address and the first port number;
The other address information is information combining the second IP address and the second port number,
The search target part included in the search key information and the conversion information is information combining the first IP address, the first port number, and the protocol number, or the second IP address. , Information combining the second port number and the protocol number;
The order information is
When the combination of the address information and the protocol number included in the predetermined number of pieces of conversion information stored in the conversion information storage means is indicated by a numerical value, the conversion information is referred to in order of the magnitude of the numerical value. The address information search circuit according to claim 5 , wherein the address information search circuit is configured to be able to do this. The predetermined number is a power of 2;
The storage means
When the number of pieces of conversion information stored in the conversion information storage means is less than the predetermined number, when the numerical value is represented by a binary bit string, conversion information having a value in which all bits are 1 is the predetermined number. number fraction short of the stores in advance the address of any one of claims 3 to 6, the conversion information storage means, characterized in that to match the number of the conversion information stored in a predetermined number Information retrieval circuit. The storage means
A conversion information is referred to when the conversion of the destination address information, claim 3 to 7, characterized in that for storing the conversion information is referred to when the conversion of the transmission source address information 1 Address information search circuit described in 1. A conversion information adding means for inputting conversion information to be added;
The input means includes
Input address information included in the conversion information input by the conversion information adding means,
The conversion information adding means includes
After the clock is generated from the clock generation means a number of times corresponding to the predetermined number, the storage means is referred to based on the value read from the conversion information to be added with reference to the value stored in the first register. address information search circuit according to any one of claims 3 to 8, characterized in that to record the. The storage means
A first area for storing the conversion information; and a second area in which information having the same contents as the first area is stored and rewriting is performed when the conversion information is added or deleted. ,
The conversion information adding means includes
Conversion information to be input and recorded in addition to the second region, according to the contents of the second region, any one of claims 3 9, characterized in that rewriting the first region Address information retrieval circuit. It is connected to a plurality of first networks that are transferred with first address information that can be uniquely identified, and a second network that is transferred with second address information that can be uniquely identified only within the network. , Conversion that transfers data between the plurality of first networks and the second network, and associates the first address information with the second address information corresponding to the first address information When the conversion information storage means for storing information and the first address information included in the plurality of pieces of conversion information stored in the conversion information storage means are represented by numerical values, the conversion information in the order of the magnitude of the numerical values. The first order information storage means for storing the first order information that makes it possible to refer to the number, and the second address information included in the plurality of pieces of conversion information stored in the conversion information storage means In this case, the address information search in the data transfer device includes second order information storage means for storing second order information that enables the conversion information to be referred to in order of the magnitude of the numerical value. A method,
When receiving data from any one of the plurality of first networks, generating search key information including the first address information from first address information indicating a transmission destination included in the data; ,
Searching conversion information including the search key information from the conversion information storage means by a binary search method based on the first order information stored in the first order information storage means and the search key information;
Reading and outputting the second address information contained in the searched conversion information from the conversion information storage means;
Rewriting the transmission destination of the data with the output second address information and transferring it to the second network;
When receiving data from the second network, generating search key information including the second address information from second address information indicating a transmission destination included in the data;
Searching conversion information including the search key information from the conversion information storage means by a binary search method based on the second order information stored in the second order information storage means and the search key information;
Reading out and outputting first address information included in the retrieved conversion information from the conversion information storage means;
Rewriting the source of the data with the output first address information and transferring it to the first network;
A method for retrieving address information, comprising: Provided in a data transfer device that converts destination address information included in received data or source address information into another address information and transfers it, generates a clock at a fixed period, and corresponds to the address information and the address information. An address information search method in an address information search circuit comprising a storage means for storing a predetermined number of pieces of conversion information associated with the other address information in descending order of numerical values indicated by the address information,
Inputting search key information including the address information;
Recording the predetermined number of medians in a first register at a first clock;
Recording a zero value in a second register at a first clock;
Recording a median value in a first register when the predetermined number of median values is a maximum value in a third register;
Calculating a logical sum of a value output from the first register and a value output from the third register for each clock cycle;
Outputting the calculated logical sum as a first logical sum;
Calculating a logical sum of a value output from the second register and a value output from the third register for each clock cycle, and outputting the calculated logical sum as a second logical sum; ,
Outputting a median value when the value output from the third register is a maximum value for each clock cycle, and recording it in a third selector;
For each clock cycle, the conversion information of the rank corresponding to the value output from the first register is read from the storage means, and the numerical value of the information combining the search target parts included in the read conversion information is input. Determining whether or not it is equal to or less than a numerical value indicated by search key information, or whether or not it matches a numerical value indicated by the search key information input by the input means;
Recording the first logical sum and the second logical sum in a first selector for each clock period;
When it is determined that the numerical value of the information combining the search target portions included in the read conversion information is equal to or smaller than the numerical value indicated by the input search key information, the first selector calculates the first logical sum. Recording in a first register;
When it is determined that the numerical value of the information combining the search target parts included in the conversion information is not less than or equal to the numerical value of the input search key information, the first selector calculates the second logical sum. Recording to a register;
Recording a value output from the first register and a value output from the second register in a second selector for each clock period;
When it is determined that the numerical value of the information combining the search target portions included in the read conversion information is equal to or less than the numerical value indicated by the input search key information, the second selector is output from the first register. Recording a value in the second register;
When it is determined that the numerical value of the information combined with the search target portion included in the conversion information is not less than or equal to the numerical value indicated by the input search key information, the second selector outputs the value output from the second register. Recording in a second register;
Recording a median value in the third register when the value output from the third register is the maximum value by the third selector in each clock cycle;
When it is determined that the numerical value of the information obtained by combining the search target parts included in the conversion information matches the numerical value indicated by the input search key information, another address included in the conversion information together with the information indicating the match Outputting information; and
A method for retrieving address information, comprising:

Images