JP4785654B2 - COMMUNICATION SYSTEM, ADDRESS SOLUTION METHOD, COMMUNICATION PROGRAM, AND RECORDING MEDIUM - Google Patents

Description

  The present invention relates to a communication system, an address resolution method, a communication program, and a recording medium suitable for use when, for example, WAN (Wide Area Network) and LAN (Local Area Network) are connected to perform communication. Specifically, good address resolution is performed using an identification address used in the communication system.

  Conventional address resolution uses a so-called MAC (Media Access Control) address (see, for example, Patent Document 1). That is, in this method, a communication destination or the like is specified using an identification code added to a predetermined communication card.

  Further, the inventors of the present application have proposed an encrypted communication system named “TCP2” (see, for example, Patent Document 2). That is, in “TCP2”, an encryption function is added to the transport layer of the fourth layer to realize a communication system that is resistant to unauthorized intrusion from the outside.

Conventional techniques are known that perform address resolution using a MAC address. The inventors of the present application have proposed a new encrypted communication system named “TCP2”.
JP 2006-20085 A International Publication WO2005 / 015828 Pamphlet

  In the Internet protocol (IPv4) currently used on the Internet, address resources are managed by 32 bits, so the maximum number of computers that can be identified is 4,249,967,296. However, due to the rapid spread of the Internet in recent years, there is a growing concern among concerned parties that address resource depletion will occur earlier than expected, and IPv6 that manages addresses with 128 bits has been developed.

  However, IPv6 is not widely used because it is not compatible with IPv4, and users are expected to perform address resolution under compatibility with IPv4. As a coping method, address resolution using a MAC address or the like disclosed in Patent Document 1 is performed. Here, the computer equipped with the communication card is specified using the identification code given to the specific communication card.

  However, with this method called NAPT (Network Address Port Translation), the port number is also changed at the same time as the address translation. That is, FIG. 11 shows a configuration of a conventional communication system. In this configuration, for example, consider a case where a client 101 connected to the LAN 100 connects to a server 201 connected to the LAN 200 via the Internet 300 as a WAN.

  In this case, first, the client 101 prepares a communication packet using the destination and source IP address and port number, for example, as shown in the table (A) in the figure. Here, when only the domain name is known, the destination IP address is entered by inquiring DNS (Domain Name System) 301 or the like. The DNS 301 has a domain name and global address replacement table as shown in the table (B) in the figure. The destination port number “80” is designated.

  On the other hand, the IP address of the transmission source is a local address in the LAN 100, and the port number is arbitrarily determined. Therefore, when this communication packet is sent to the router 302 connecting the LAN 100 and the Internet 300, the router 302 rewrites the transmission source IP address from the local address to the global address. The source port number is rewritten to an appropriate number so that the same number does not overlap in the LAN 100. In the router 302, a table based on the IP address before the change and the port number before and after the change as shown in the table (C) in the figure is created at the time of connection.

  As a result, the communication packet to which the destination and transmission source IP address and the port number are added is transmitted from the router 302 to the router 303 specified by the global address as shown in the table (D) in the figure. . The router 303 is provided with a pre-change address and port number table as shown in the table (E) in the figure, and the global address is rewritten to a local address accordingly and transmitted to the LAN 200. As a result, a communication packet as shown in the table (F) in the figure is received by the server 201 connected to the LAN 200.

  The reply from the server 201 is a communication packet in which the destination and the transmission source are switched in the table (F) in the above figure, and the local address of the transmission source (the destination in the figure) is written in the global address by the router 303. Be replaced. Further, in the router 302, the IP address and port number of the destination (source in the figure) are restored according to the table (C) in the figure, and the destination and source are switched in the table (A) in the figure. The communication packet is received by the client 101. In this way, the connection between the client 101 and the server 201 is established.

  However, in this communication system, the rewritten port number table in the router 302 shown in the table (C) in the figure is created only when the Internet is connected, for example, and disappears when the connection is completed. End up. For this reason, the conventional NAPT method cannot be used to access an internal computer from the Internet side, for example, and ICMP (Internet Control Message Protocol) for transferring error messages and control messages cannot be used. Limitations will occur.

  The present invention has been made in view of such problems, and the object of the present invention is to use a novel encrypted communication system “TCP2” previously proposed by the inventors of the present application. It is to propose a completely new address resolution that is compatible with IPv4 and does not cause functional limitations.

In order to solve the above problems and achieve the object of the present invention, a communication system of the present invention is a communication system that handles a protocol corresponding to TCP or UDP between a computer that issues a connection request and a computer that accepts the connection request. a is, the computer makes a connection request, a unique identification address of the computer for TCP packet or UDP packet, adding TCP2 address to be used for mutual authentication between the client terminals in the transport layer Means to do. The computer that receives a connection request, which was authenticated to determine the TCP2 address from the TCP packet or UDP packet, the connection is permitted if the TCP2 address matches with a preset range, advance TCP2 address If the set range does not match, the connection is rejected. The registration means for registering the individual TCP2 address of the computer that accepts computer and the connection request requesting a connection with the IP address is provided, the address resolution for the computer to accept a connection request to the computer to make a connection request using the TCP2 address Like to do.

The address resolution method used in the communication system of the present invention is used for a communication system that handles a protocol corresponding to TCP or UDP between a computer that issues a connection request and a computer that accepts the connection request. in computer for, a unique identification address of the computer for TCP packet or UDP packet, and adds the TCP2 address to be used for mutual authentication between the client terminal at the transport layer. The computer that accepts the connection request determines the TCP2 address from the TCP packet or UDP packet and authenticates it. If the TCP2 address matches within a preset range, the connection is permitted and the TCP2 address is set in advance. If they do not match within the specified range, the connection is refused. Furthermore, the individual TCP2 address of the computer that accepts computer and the connection request requesting a connection to register in the registration means together with IP address, performs address resolution for the computer to accept a connection request and a computer to perform the connection request using TCP2 address Is the method.

Further, the communication program of the present invention realizes the following functions on a computer in order to perform communication using a protocol corresponding to TCP or UDP between a computer that issues a connection request and a computer that accepts a connection request. Communication program.
(A) a computer for performing a connection request is a unique identification address of the computer for TCP packet or UDP packet, adding TCP2 address to be used for mutual authentication between the client terminals in the transport layer function,
(B) a computer that accepts a connection request, which was authenticated to determine the TCP2 address from the TCP packet or UDP packet, the connection is permitted if they match to the extent that TCP2 address is set in advance, in advance TCP2 address A function that rejects the connection if they do not match within the set range,
(C) the ability to register individual TCP2 address of the computer to accept the connection request computer and a connection request to perform the registration means together with the IP address,
(D) TCP2 function to perform address resolution for the computer to accept a computer and a connection request to a connection request by using the address.

  According to the communication system, the address resolution method, the communication program, and the recording medium of the present invention, a function capable of mutual authentication is added to the transport layer protocol itself such as TCP or UDP, and the transport layer has this mutual authentication function. By adopting the protocol in the server and each client terminal, the client terminal itself can perform processing for permitting or denying connection with another client terminal that has requested connection, and the mutual authentication function described above can be used. It is possible to realize completely new address resolution that is compatible with IPv4 and does not cause functional limitations.

Embodiments of a communication system, an address resolution method, a communication program, and a recording medium according to the present invention will be described below with reference to the drawings.
Here, the user code in the novel encrypted communication system “TCP2” previously proposed by the inventors of the present application will be described.

  First, FIG. 1 is a block diagram showing an application example of a network using a communication system, an address resolution method, a communication program, and a recording medium according to the present invention. Groups A to C represent client terminal groups accommodated in one LAN 10. The group D client terminals are client terminals accommodated in a LAN 20 different from the LAN 10. The LAN 10 and the LAN 20 are connected via an external network 30.

  For the client terminals A1, A2, A3,... Belonging to the group A accommodated in the LAN 10, for example, a security level as a client terminal used by a company director class is set. Among the client terminals accommodated in the LAN 10, the client terminals B1, B2, B3,... Belonging to the group B are client terminals in which a security level of a manager class such as a general manager or a section manager is set. is there.

  Similarly, among the client terminals accommodated in the LAN 10, the client terminals C1, C2, C3,... Belonging to the group C are, for example, client terminals for which a security level of a person in charge is set. As a matter of course, the security level of the client terminals belonging to the group A is set to the highest level, and the security level of the client terminals belonging to the group C is set to the lowest level.

  On the other hand, client terminals D1, D2, D3,... Belonging to the group D accommodated in the LAN 20 different from the LAN 10 are, for example, client terminals existing in a branch office or branch office of the company, and the client terminals C1 belonging to the group C It is assumed that the same security level as that of .about.C3 is set.

  As described above, the client terminals accommodated in the LAN 10 have different security levels for each group, but the access authority is set for the client terminals belonging to each group according to the security level. Will be. In other words, the client terminals A1, A2, A3..., To which the director class security level is set, are set with access authority that allows access to client terminals belonging to any of the group A, group B, and group C. Yes.

  Further, the client terminals B1, B2, B3... Belonging to the group B having the security level of the managerial class (department manager class) and the client terminals C1, C2, C3. The access authority corresponding to each security level is set. As described above, when the installation server IS installs the communication protocol, the access authority corresponding to the security level is set to the client terminals belonging to each group accommodated by the LAN 10.

  The LAN 20 is, for example, a LAN owned by a branch office or a branch office of the company. The client terminals D1, D2, D3... Accommodated in the LAN 20 are, for example, client terminals C1, C2 belonging to the group C of the LAN 10. , C3... May be considered as a client terminal having the same security level. Each client terminal accommodated in the LAN 20 is set with an access authority corresponding to the security level when the installation server IS installs the communication protocol.

  Each client terminal accommodated in the LAN 10 or the LAN 20 includes a communication interface 40, a storage unit 50, and an authentication unit 60. In FIG. 1, the above-described communication interface 40, storage unit 50, and authentication unit 60 are described only in the client terminal C1 to which the security level of the person in charge belonging to the group C of the LAN 10 is set. And all client terminals accommodated in the LAN 20 and a server (not shown).

  The communication interface 40 is a part that constitutes an interface serving as a connection unit when communication is performed between client terminals accommodated in the LAN 10 or the LAN 20. The storage means 50 stores the identification address of each client terminal. The authentication unit 60 is a unit that determines permission of connection requests or rejection of connection requests using a masked identification address provided in accordance with the security level of each client terminal. This authentication procedure will be described in detail later.

  As described above, application programs of communication protocols such as TCP / IP and UDP / IP are installed (downloaded) in each client terminal accommodated in the LAN 10 and the LAN 20 by the installation server IS. The communication protocol application program can be downloaded from a recording medium such as a CD-ROM or PC card to the hard disk of each client terminal. However, the communication protocol can be inserted by inserting the PC card or CD-ROM into each client terminal. May be made available.

  The installation server IS connected to the external network 40 includes a serial number of an application program of a communication protocol such as TCP / IP and UDP / IP, terminal device information such as a CPU ID, user information such as a name, Information on peripheral devices connected to the LAN 10 and LAN 20 such as a MAC address (Media Access Control: an address unique to hardware such as a computer or router that performs communication, also referred to as a “physical address”), an IP address of the router, etc. Is saved.

  When the installation server IS installs the communication protocol application program in each client terminal, the installation server IS sends an identification address (hereinafter referred to as TCP2) to each client terminal accommodated in the LAN 10 and the LAN 20. , Referred to as “TCP2 address”) and stored in the storage means 50 of each client terminal. This TCP2 address is used for mutual authentication between terminals in communication between the client terminals.

  FIG. 2 is a diagram showing communication protocol stacks such as TCP / IP, UDP / IP, TCPsec / IP, and UDPsec / IP installed in each client terminal.

  As shown in FIG. 2, the protocol stack used for “TCP2” includes a physical layer (first layer) corresponding to the lowest layer and a NIC (Network Interface Card) driver 11 in the data link layer (second layer). It is arranged. The driver 11 is an interface card driver for connecting hardware such as a computer to a network, and is software for data transmission / reception control. For example, a LAN board or a LAN card for connecting to Ethernet (registered trademark) corresponds to this.

  In the third network layer, there is an IP emulator 13 partially extending to the transport layer (fourth layer). The IP emulator 13 functions to switch between “IPsecon CP” 13b and “IP on CP” 13a, which are protocols for performing encrypted communication, depending on the application. Here, “on CP” indicates that it is subject to monitoring, destruction, disconnection or passage restriction of “entry” and “attack” by a cracking protector (CP), or that can be set. ing.

  In the network layer, an ARP (Address Resolution Protocol) 12 is arranged. The ARP 12 is a protocol used to obtain a MAC address that is a physical address of Ethernet (registered trademark) from an IP address. Further, in the network layer, ICMP 14a, which is a protocol for transferring IP error messages and control messages, controls a group of hosts configured to efficiently deliver or receive the same data to a plurality of hosts. IGMP 14b or the like, which is a protocol for the above, is provided.

  The IP emulator 13 is software or firmware for matching various security functions with a stack around a conventional IP. That is, software, firmware, or hardware (electronic circuit, electronic component) for matching various security functions to TCP, UDP, socket interface, etc., which will be described later. Therefore, the IP emulator 13 can perform adaptation processing before and after IPsec encryption / decryption and addition / authentication of authentication information.

  Further, a TCP emulator 15 and a UDP emulator 16 are arranged in the transport layer (fourth layer) above the IP emulator 13. The TCP emulator 15 functions to switch between “TCPsecon CP” 15b, which is a protocol for performing encrypted communications, and “TCP on CP” 15a, which is a normal communication protocol. Similarly, the UDP emulator 16 functions to switch between “UDPsecon CP” 16b which is a protocol for performing encrypted communication and “UDP on CP” 16a which is a normal communication protocol.

  However, since all of TCPsec15b and TCP15a, UDPsec16b and UDP16a are provided with a cracking protector (CP), even if any of them is selected, a defense function against “entrance” and “attack” by a cracker can be realized. it can. Further, while TCP has an error compensation function, UDP does not have an error compensation function, but has a feature that the transfer speed is correspondingly higher and a broadcast function is provided. Further, the TCP emulator 15 and the UDP emulator 16 also serve as an interface with a socket which is an upper layer.

  Further, a socket interface 17 for exchanging data with protocols such as TCP and UDP is provided in the upper session layer (fifth layer) of the transport layer (fourth layer). This socket means a network address that is a combination of an IP address and a port number. Actually, a single software program module (execution program, etc.) for collectively adding or deleting a series of headers. Alternatively, it consists of a single hardware module (electronic circuit, electronic component, etc.).

  The socket interface 17 provides a unified access method from a higher-level application, and maintains the same interface as in the past, such as argument types and types.

  2, the socket 17, TCP emulator 15, UDP emulator 16, “TCPsecon CP” 15b, “UDPsec on CP” 16b, “TCP on CP” 15a, “UDPon CP” 16a, “ICMP on CP” 14a, A protocol stack including the IGMP on CP 14b, the IP emulator 13, the “IPon CP” 13a, and the “ARPonCP” 12 is a protocol stack “TCP2” for realizing the encrypted communication system proposed by the present inventor.

  Next, TCPsec15b and UDPsec16b, which are functions that prevent “data leakage”, which is a particularly important function in TCP2, will be described.

  As an encryption / decryption method (algorithm, logic (logic)) for TCPsec15b and UDPsec16b, a known secret key (common key) encryption algorithm is used. For example, DES (Data Encryption Standard) which is a secret key encryption algorithm and 3DES as an improved version thereof are used. As another encryption algorithm, IDEA (International Data Encryption Algorithm) is also used. In this encryption algorithm, data is divided into 64-bit blocks and encrypted, and the length of the encryption key is 128 bits.

  In addition, encryption methods such as FEAL (Fastdata Encipherment Algorithm), MISTY, and AES (Advanced Encryption Standard) are used as encryption methods for TCPsec15b and UDPsec16b, and private encryption / decryption algorithms created independently are also used. You can also Here, FEAL is a secret key type encryption method that uses the same key for encryption and decryption. This FEAL has an advantage that encryption and decryption can be performed at a higher speed than DES.

FIG. 3 shows an example of the TCP2 address used in the embodiment of the present invention. This TCP2 address is composed of 80 bits (80 binary digits), and as shown in the figure, from codes classified into four categories: [classification code] [enterprise group code] [host code] [user code] [preliminary code]. Composed. [Classification code] is assigned as 2 bits, [User code] is assigned as 32 bits, and [ Preliminary code] is assigned as 3 bits. [Category code] is a code for determining the distribution ratio of 43 bits allocated to the business organization code and the host code, and is defined by dividing into 4 types (A to D in FIG. 3) with 2 bits. It is possible.

Therefore, in the classification code “00”, as shown in FIG. 3A, among the 43 bits, 7 bits are allocated to [corporate organization code] and 36 bits are allocated to [host code]. As a result, the classification code "00", can be up to 2 ^{7 (128)} groups defines the corporate organizations, host allocation per 1 groups is 2 ³⁶ units. In other words, with the classification code “00”, the number of business organizations to be allocated is reduced, but a large number of hosts can be allocated. Therefore, the classification code “00” is suitable for a business group such as a communication company (communication carrier) having a large number of clients, although the number of groups is small.

Next, in the classification code “01”, as shown in FIG. 3B, among the 43 bits, 15 bits are assigned to [Business organization code] and 28 bits are assigned to [Host code]. As a result, the classification code "01", but the industry associations can be defined up to 2 ^{15 (32768)} groups, on the other hand, the host allocation number per organization will become one 2 ²⁸ units. Therefore, an organization classified by this classification code “01” is a classification code suitable for large companies having many branches and branch offices in Japan and overseas.

In the classification code “10”, as shown in FIG. 3C, among the 43 bits, 25 bits are assigned to [corporate organization code] and 18 bits are assigned to [host code]. As a result, classification code "10" can be up to 2 ²⁵ organizations define corporate organizations, host allocation per 1 groups is 2 ^{18 (262144)} stand. Therefore, this classification code “10” is more suitable for a medium-sized company having fewer branches and branch offices than a large company.

In the last classification code “11”, as shown in D of FIG. 3, 31 bits are allocated to [corporate organization code] and 12 bits are allocated to [host code] among 43 bits. As a result, classification code "11" can be defined up to 2 ³¹ organizations corporate organizations, host per organization can only be assigned 2 ^{12 (4096)} units. Therefore, the classification code “11” is the opposite of the classification code “00”, and the number of business organizations to be allocated increases, but the allocation of the number of hosts decreases. This is a classification code for an organization such as a small and medium-sized business group that has a large number of companies and does not need to increase the number of hosts so much.

  Furthermore, the above-mentioned [corporate organization code] is a code that the assignment management section of the TCP2 address uniquely assigns to a business organization that uses TCP2. By doing this, it is possible to assign unique TCP2 addresses to all TCP2 using organizations. [Host code] is a code that indicates the individual computer device that implements TCP2 and is connected to the network. The TCP2 management department in the business organization uniquely assigns the TCP2 address in the business organization.

  Therefore, a unique TCP2 address can be assigned to all of the computer devices connected to the network on which TCP2 is implemented with these three codes of the classification code, the business organization code, and the host code, and the TCP2 connected to the network using these codes. It becomes possible to identify all the computer devices that implement the. [Host code] is a code grouped according to the organization in the company.

  Finally, the “user code” is a code for identifying a user who is connected to the network and uses each computer device on which TCP2 is mounted. When a plurality of people use one computer device, there are a plurality of user codes corresponding to the one computer device. When a specific user uses TCP2, a unique user ID, password, and biometric authentication information are required for the individual. These information is determined as a 32-bit user code. It is for keeping.

  [Preliminary code] is a code to be used when extending the TCP2 address in the future, and is not required at this time.

  Further, FIG. 4 shows an example of the classification code “10” shown in C of FIG. 3, that is, an example in which 18 bits are assigned to [Host Code] and this [Host Code] is divided according to the organization of the company. It is shown. In FIG. 4, [Host code] assigned 18 bits is grouped into four layers, and as shown in FIG. 4C, “business unit code”, “department code”, “section code”, “equipment code” "

  Next, the mechanism of communication and user authentication between the server and the client terminal or between the client terminals will be described with reference to FIGS.

  FIG. 5 is a diagram showing an example of the above system configuration for explaining grouping control of actual computer equipment (server or client terminal). The example shown in FIG. 5 is an example in which the classification code is 2 (binary number “10”) and the business organization code is 23. As shown in FIG. 5, the business unit code 3, the unit code 4, and the device code 1 are assigned as “host codes” to the server.

  Therefore, (1) in FIG. 6 shows the code of the server in binary notation as a TCP2 address. Here, since the section code and the user code are “0”, it is understood that this server is a server that is shared by all users belonging to this section.

  That is, the client terminal B and the client terminal CX shown in FIG. 5 are client terminals belonging to the same section, section X, and the client terminal B is, for example, a manager (section manager) belonging to the group (B) of the LAN 10 in FIG. One of the client terminals B1 to B3 having class security is shown. The client terminal B has, for example, a business department code 3, a department code 4, a section code 5, a device code 6, and a user code 1. That this user code is 1 indicates that one user (section manager) uses the client terminal B exclusively.

  On the other hand, the client terminal CX is an example of a client terminal belonging to the same X section as the client terminal B in any one of the client terminals C1 to C3 having security of the person in charge belonging to the group (C) in FIG. It is. Therefore, as shown in (2) of FIG. 6, the business unit code 3, the unit code 4, and the section code 5 are the same as the code of the client terminal B, but “7” is assigned to the device code, and the client code This is different from the device code “6” of terminal B.

  In addition, “???” is added to the last 3 bits of the user code indicated by the TCP2 address in (3) of FIG. 6, but this indicates user codes 2 to 7 (“010” to “111”). ) 6 users share this terminal. Theoretically, up to 8 users can be used.

  On the other hand, the client terminal CY matches the client terminals B and CX with the business division code 3 and the division code 4, but the section code is “6”. That is, the client terminal CY is a terminal that belongs to the Y section different from the X section to which the client terminals B and CX belong. As can be seen from the TCP2 address in (4) of FIG. 6, the device code of the client terminal CY is “7”, and the last four digits of the user code are “???”.

  In other words, this client terminal CY is a client terminal that is assigned a code of user codes 8 to 15 (binary numbers “1000” to “1111”) and is shared by eight users. The four-digit “?” Means that up to 16 users can use the client terminal CY.

  Furthermore, the possibility of communication connection between each client terminal or between a client terminal and a server will be described with reference to FIG.

  The server in (1) of FIG. 6 stores the “communication permission code” shown in (1) of FIG. 6 in the setting database of the storage means 50 in order to permit connection requests from all the host computers from within the department. ing.

  That is, the “communication permission code” is set to the same as the TCP2 address in the “classification code”, “enterprise group code”, “business department code”, “department code”, “spare code”, “Device code” and “User code” are not set to “0”. In addition, as the “communication permission mask information”, all bits of “classification code”, “business organization code”, “business division code”, “department code”, and “preliminary code” are set to “1”. “Section code”, “device code”, and “user code” are all set to “0”.

  Further, as shown in (1) of FIG. 6, the server of FIG. 5 has “communication prohibition code” and “communication prohibition mask information” in the setting database in the storage means 50 (see FIG. 1). . This is provided in order to deny access of a specific user of the client terminal CY.

  That is, as the “communication prohibition code”, the “classification code”, “enterprise group code”, “business department code”, “department code”, “section code” that are the TCP2 addresses to which the client terminals used by the users whose connection is prohibited belong. “Code”, “Device code”, “User code”, and “Reserve code” are all set. Then, as “communication prohibition mask information”, “classification code”, “business organization code”, “business department code”, “department code”, “section code”, “equipment code”, “user code”, “reserve code” All bits of "" are set to "1".

  On the other hand, as shown in (2) of FIG. 6, the client terminal CX of FIG. 5 has a communication permission code and communication permission mask information in its TCP2 setting database. This is provided to allow connection requests from client terminals from within the X section.

  Therefore, as the communication permission code, “classification code”, “business organization code”, “business department code”, “department code”, “section code” of section X, and “preliminary code” are set to the same as the TCP2 address. . Then, “device code” and “user code” are not set to “0”. Further, as “communication permission mask information”, all bits of “classification code”, “enterprise group code”, “business department code”, “department code”, “section code”, and “preliminary code” are set to “1”. Set “Device Code” and “User Code” to “0”.

  As a result, the client terminal B of section X can connect to the client terminal CX. Similarly, the client terminal B can access all the client terminals belonging to section X having the same security level as the client terminal CX.

  On the other hand, the client terminal B is a terminal occupied by the section manager, for example, and is set so that even a client terminal belonging to the section X can refuse a connection request from a special client terminal CX, for example. For this reason, the client terminal B uses “classification code”, “enterprise group code”, “business department code”, “department code”, “section code”, “equipment code”, “reserve code” as “communication prohibition code”. The same code as the code of the TCP2 address used by the client terminal CX that is prohibited is set.

  And, as “communication prohibition mask information”, all bits of “classification code”, “business organization code”, “business department code”, “department code”, “section code”, “equipment code”, “spare code” Is set to “1”, and all bits of “user code” are set to “0”. Since the “communication prohibition code” and “communication prohibition mask information” have priority over the “communication permission code” and “communication permission mask information”, the connection from the client terminal CX (person in charge) to the client terminal B (section manager) Will be rejected.

As described above, the client terminal CX shown in Figure 5, all as is set so as to allow the connection request from the client terminal, storage means information for the client terminal CX in X inside of a section 50 Stored in the configuration database.

  That is, as shown in (3) of FIG. 6, “communication permission code 1” includes “classification code”, “business organization code”, “business division code”, “department code”, “section code” of section X, and “Preliminary code” is set to be the same as the TCP2 address of the client terminal belonging to section X, for example, client terminal B, and “device code” and “user code” are not set to “0”. Then, as communication permission mask information 1, all bits of “classification code”, “business organization code”, “business department code”, “department code”, “section code”, and “preliminary code” are set to “1”. To do.

  Further, the client terminal CX does not have “communication prohibition code” and “communication prohibition mask information” in the setting database of the storage unit 50. Furthermore, the client terminal CX exceptionally permits only a connection request from the client terminal C of the other section Y, so that the communication permission code 2 includes “classification code”, “business organization code”, “ “Department code”, “Department code”, “Section code”, “Equipment code”, “Preliminary code” are set to the same as the TCP address of the client terminal C of Y section, and “User code” is not set to “0” And

  Then, as communication permission mask information 2, all bits of “classification code”, “business organization code”, “business department code”, “department code”, “section code”, and “preliminary code” are set to “1”. Then, “device code” and “user code” are all set to “0”. Thereby, the connection from the client terminal CY to the client terminal CX is permitted.

  Next, since the client terminal CY in FIG. 5 permits connection requests from all the client terminals in the Y section, the communication permission code 1 includes “classification code”, “business group code”, and “department code”. “Department code”, “Section code”, “Preliminary code” are set, and “Equipment code” and “User code” are not set to “0”. Then, as communication permission mask information 1, all bits of “classification code”, “business organization code”, “business department code”, “department code”, “section code”, and “preliminary code” are set to “1”. Then, “device code” and “user code” are all set to “0”.

  Further, the client terminal CY exceptionally permits only a connection request from the client terminal B of the other section X, so that the communication permission code 2 includes “classification code”, “business organization code”, “ “Business Division Code”, “Department Code”, “Section Code”, “Preliminary Code” are set to the same as the TCP2 address of the client terminal CX of Section X, and “Equipment Code” and “User Code” are not set to “0”. And

  Then, all bits of “classification code”, “business organization code”, “business department code”, “department code”, “section code”, and “spare code” in communication permission mask information 2 are set to “1”. , “Device code” and “user code” are all set to “0”. Thereby, the client terminal CY can permit a connection request from the client terminal CX.

  As described above, in communication between a server and a client terminal using TCP2, or between client terminals, each client terminal, a client terminal that grants connection permission to the server, or a client terminal that prohibits connection can be freely set. Information leakage and theft can be prevented, and security of communication between client terminals and between client terminals and servers can be more reliably maintained.

  FIG. 7 shows the configuration of a communication system corresponding to FIG. 11 described in the prior art. In this configuration, for example, consider a case where a client 111 connected to the LAN 110 connects to a server 211 connected to the LAN 210 via the Internet 310 as a WAN.

  In this case, first, the client 111 prepares a communication packet using the destination and transmission source IP address, the TCP2 address, and the port number, for example, as shown in the table (A) in the figure. Here, if only the domain name is known, the destination IP address and TCP2 address are entered by inquiring TCP2-DNS311 or the like. The TCP2-DNS 311 has a domain name, global address, and TCP2 address replacement table as shown in Table (B) in the figure. The destination port number “80” is designated.

  On the other hand, the IP address of the transmission source is a local address in the LAN 110, and the port number is arbitrarily determined. Therefore, when this communication packet is sent to the TCP2 router 312 connecting the LAN 110 and the Internet 310, the TCP2 router 312 rewrites the transmission source IP address from the local address to the global address. Here, since the TCP2 router 312 performs processing different from that of the conventional router, it is shown as a TCP2 router.

  In this case, the TCP2 address is uniquely determined by the above-described “TCP2” technique. Therefore, in this case, the TCP2 router 312 does not need to rewrite the TCP2 address, and since the terminal is specified by this TCP2 address, it is not necessary to rewrite the port number of the transmission source. In the TCP2 router 312, a table of the IP address before change, the unchanged TCP2 address and the port number is created as shown in the table (C) in the figure at the time of connection.

  As a result, the TCP2 router 312 sends a communication packet to which the destination and transmission source IP address, TCP2 address, and port number are added as shown in the table (D) in the figure to the TCP2 router 313 specified by the global address. Sent to. The TCP2 router 313 is provided with a pre-change address, TCP2 address, and port number table as shown in the table (E) in the figure, and the global address is rewritten to the local address accordingly and directed to the LAN 210. Sent. As a result, a communication packet as shown in the table (F) in the figure is received by the server 211 connected to the LAN 210.

  The reply from the server 211 is a communication packet in which the destination and the transmission source are switched in the table (F) in the above figure, and the TCP2 router 313 changes the local address of the transmission source (the destination in the figure) to the global address. Rewritten. Further, in the TCP2 router 312, the IP address of the destination (source in the figure) is restored according to the table (C) in the figure, and the destination and source are switched in the table (A) in the figure. Is received by the client 111. In this way, the connection between the client 111 and the server 211 is established.

  FIG. 8 is a sequence diagram showing the above-described processing flow. In FIG. 8, first, a DNS2 request based on the domain name is made from the client 111 to the TCP2-DNS 311 (step S1). In response to this DNS2 request, the TCP2-DNS 311 returns a global address and a TCP2 address corresponding to the domain name (step S2). Thereby, a communication packet is generated and transmitted to the TCP2 router 312 (step S3). Since the response includes a TCP2 address, it is referred to as DNS2.

  The TCP2 router 312 converts the source local address into a global address and transmits it to the TCP2 router 313 (step S4). In response to this, the TCP2 router 313 makes an ARP2 request to the server 211 (step S5). In response to this ARP2 request, the server 211 responds with a local address and a TCP2 address (step S6). Since the response includes a TCP2 address, it is called ARP2.

  As a result, the TCP2 router 313 converts the destination global address into a local address, and transmits a communication packet to which the local address and the TCP2 address are added to the server 211 (step S7). In response to this, the server 211 forms a response communication packet and returns it to the TCP2 router 313 (step S8). Further, the TCP2 router 313 converts the source local address into a global address and transmits it to the TCP2 router 312 (step S9).

  Then, the TCP2 router 312 converts the destination global address into a local address, and transmits a communication packet to which the local address and the TCP2 address are added to the client 111 (step S10). In this way, communication between the client 111 and the server 211 is performed.

  FIG. 9 shows a flowchart of processing on the transmission side in the above-described TCP2. In FIG. 9, when transmission from the client 111 to the server 211 is started, it is first determined whether or not the IP address of the server 211 is known (step S11). When the IP address is not known (NO), the TCP2-DNS 311 is inquired by the TCP2 DNS2 function of the client 111, and the IP address and the TCP2 address are acquired from the domain name of the server 211 (step S12).

  Further, the communication packet is transmitted from the client 111 to the destination of the communication packet (IP address of the TCP2 router 312) (step S13). The TCP2 router 312 registers the IP address (local address), TCP2 address, and port number of the client 111 in the table (C) (step S14). Further, the TCP2 router 312 converts the local address into a global address (step S15). Then, the communication packet is transmitted from the TCP2 router 312 to the destination of the communication packet (IP address of the TCP2 router 313) (step S16).

  When the communication packet arrives at the TCP2 router 313, it is analyzed whether the destination TCP2 address is registered in the table (E) (step S17). If registered, the IP address (local address) of the server 211 is acquired from the registered TCP2 address (step S18). Further, the communication packet is transmitted to the IP address (local address) of the server 211 (step S19). Thus, transmission is completed.

  Alternatively, when the destination TCP2 address is not registered in the table (E) in step S17, the TCP2 ARP2 function of the TCP2 router 313 is used to determine the IP address (local address) of the server 211 from the destination TCP2 address in the communication packet. ) Is acquired (step S20). After that, in step S19, a communication packet is transmitted toward the IP address (local address) of the server 211, thereby completing the transmission.

  On the other hand, FIG. 10 shows a flowchart of processing on the reply side in the above-described TCP2. In FIG. 10, when a reply is started from the server 211 to the client 111, the server 211 first transmits a communication packet to the destination of the communication packet (IP address of the TCP2 router 313) (step S21). Next, the TCP2 router 313 determines whether or not the TCP2 address of the server 211 is registered in the table (E) (step S22).

  If not registered (NO), the IP address (local address), TCP2 address, and port number of the client 111 are registered in the table (E) of the TCP2 router 313 (step S23). Further, the local address is converted into a global address by the TCP2 router 313 (step S24). Further, the communication packet is transmitted from the TCP2 router 313 to the destination of the communication packet (IP address of the TCP2 router 312) (step S25).

  When the communication packet arrives at the TCP2 router 312, it is analyzed whether the destination TCP2 address is registered in the table (C) (step S26). Further, the IP address (local address) of the client 111 is acquired from the registered TCP2 address (step S27). Then, a communication packet is transmitted to the IP address (local address) of the client 111 (step S28). The reply is completed as described above.

  Thus, according to the communication system, the address resolution method, the communication program, and the recording medium of the present invention, a function capable of mutual authentication is added to the transport layer protocol itself such as TCP or UDP, and a transformer having this mutual authentication function is added. By adopting the port layer protocol for the server and each client terminal, the client terminal itself can perform processing for permitting or denying connection with another client terminal that has requested connection, and the mutual authentication described above. Using the function, it is possible to realize completely new address resolution that is compatible with IPv4 and does not limit the function.

  The present invention is not limited to the above-described embodiments, and it goes without saying that many other embodiments are included without departing from the gist of the present invention described in the claims. .

It is a block diagram which shows the example of application of the network using the communication system by this invention, the address resolution method, a communication program, and a recording medium. It is a figure which shows the example of the protocol stack used by this invention. It is a figure which shows the example which classified the bit number of the TCP2 address used by this invention according to the form of a business organization. It is a figure which shows the specific content of the host code used for this invention. It is a figure which shows the specific example of the TCP2 address of this invention, a communication permission code, communication permission mask information, a communication prohibition code, and communication prohibition mask information. It is a figure for demonstrating the communication between the client terminals from which the security level used for embodiment of this invention differs, or between a client terminal and a server. It is a figure for demonstrating the address resolution by the communication system of this invention. It is a figure for the description. It is a flowchart figure for description of the process by the side of the transmission. It is a flowchart figure for description of the process of the reply side. It is a figure for demonstrating the address resolution by the conventional communication system.

Explanation of symbols

  110, 210 ... LAN (Local Area Network), 310 ... Internet, 111 ... client computer, 211 ... server computer, 311 ... DNS computer, 312,313 ... router

Claims (5)

A communication system that handles a protocol corresponding to TCP or UDP between a computer that makes a connection request and a computer that accepts the connection request,
Computer for the connection request, the a unique identification address of the computer for TCP packet or UDP packet, means for adding TCP2 address to be used for mutual authentication between the client terminals in the transport layer Have
The computer that accepts the connection request determines the TCP2 address from the TCP packet or UDP packet, authenticates the TCP2 address, and permits the connection when the TCP2 address matches within a preset range, When the TCP2 address does not match within the preset range, the connection is rejected,
Registration means are provided for registering the individual said TCP2 address of the computer to accept the connection request computer and the connection request to perform together with the IP address,
Communication system and performs address resolution for the computer to accept a computer and the connection request to perform the connection request using the TCP2 address. The TCP2 address is composed of a predetermined bit length, a fixed-length classification code, user code, and spare code, and a variable-length business organization code and host classified by the classification code and having different number of bits The communication system according to claim 1, comprising a code . An address resolution method used in a communication system that handles a protocol corresponding to TCP or UDP between a computer that performs a connection request and a computer that receives the connection request,
In a computer to perform the connection request, the a unique identification address of the computer for TCP packet or UDP packet, adds the TCP2 address to be used for mutual authentication between the client terminal at the transport layer,
In the computer that accepts the connection request, the TCP2 address is identified from the TCP packet or UDP packet to authenticate the TCP2 address, and if the TCP2 address matches within a preset range, a connection is permitted, When the TCP2 address does not match within the preset range, the connection is rejected,
Registered in the registration means of each of said TCP2 address of the computer to accept the connection request computer and the connection request to perform together with the IP address,
Address resolution method in a communication system and performs address resolution for the computer to accept a computer and the connection request to perform the connection request using the TCP2 address. A communication program for performing communication using a protocol corresponding to TCP or UDP between a computer that performs a connection request and a computer that receives the connection request,
The computer for the connection request, the a unique identification address of the computer for TCP packet or UDP packet, adding TCP2 address to be used for mutual authentication between the client terminals in the transport layer Function and
The computer that accepts the connection request determines the TCP2 address from the TCP packet or UDP packet, authenticates the TCP2 address, and permits the connection when the TCP2 address matches within a preset range, A function of rejecting connection when the TCP2 address does not match within a preset range ;
A function of registering in the registration means each of said TCP2 address of the computer to accept the connection request computer and the connection request to perform together with the IP address,
A function of performing address resolution for the computer to accept a computer and the connection request to perform the connection request using the TCP2 address,
A communication program that makes a computer realize .   A recording medium storing the communication program according to claim 4 so as to be readable by a computer.

Images