JP5589210B2 - Information processing apparatus, program, information processing method, and information processing system - Google Patents


Publication number
JP5589210B2
Authority
JP
Japan
Prior art keywords
ip address
interface
routing table
vpn
information processing
Prior art date
Legal status
Active
Application number
JP2010095430A
Other languages
Japanese (ja)
Other versions
JP2011217336A (en)
Inventor
悟史 小林
憲且 大石
Original Assignee
株式会社ネクステック
Application filed by 株式会社ネクステック
Priority to JP2010095430A
Publication of JP2011217336A
Application granted
Publication of JP5589210B2
Application status is Active

Description

  The present invention relates to a routing process between a VPN server and a VPN client that perform VPN (Virtual Private Network) communication, and more particularly to a technique suitable for a routing process related to a VPN using an Ethernet frame.

  In recent years, VPN technology for connecting a virtual dedicated line between terminals using the Internet or a network possessed by a communication carrier has become widespread. VPN technologies include an Internet VPN that uses the Internet as a public network and a VPN that is provided using a dedicated service network managed by a communication carrier.

Internet VPNs include IPsec (IP security), which realizes a VPN by implementing protocols with the encryption and authentication functions necessary for VPN configuration in routers and firewall devices, and SSL-VPN, which realizes a VPN using the SSL protocol.
In addition, VPNs provided by using a dedicated service network managed by a telecommunications carrier include IP-VPN, which realizes a VPN by MPLS (Multi Protocol Label Switching) using a label and a routing table, and wide area Ethernet, which realizes a VPN by adding information called a VLAN tag to an Ethernet frame (for MPLS, refer to Patent Document 1, for example).

Japanese Patent No. 4109692

FIG. 1 is a diagram for explaining the configuration of a VPN network that uses an Ethernet frame.
FIG. 2 is a diagram illustrating the structure of a general communication packet. Here, the Ethernet frame is composed of a MAC header and an IP packet as shown in FIG. An IP packet consists of an IP header and data. Data consists of a TCP header and data fragments.

In FIG. 1, for example, a VPN session when VPN communication is performed from the terminal 500B to the terminal 500A is first created from the VPN client B of the terminal B to the VPN server. At that time, the VPN session is set at the address in the TCP header.
An Ethernet frame is transmitted and received between the VPN client and the VPN server using the address in the set TCP header.

  By the way, the VPN clients 500A to 500C of the terminals 600A to 600C that perform VPN communication are not necessarily all in the same ISP (Internet Service Provider) network. Therefore, as shown in FIG. 1, the VPN server 100 is connected to a plurality of ISPs 300A to 300C via routers 200A to 200C.

The VPN server 100 in FIG. 1 is assigned a fixed IP address from the connected ISP. Specifically, for example, IP-A is assigned from ISPA 300A, IP-B is assigned from ISPB 300B, and IP-C is assigned from ISPC 300C.
On the other hand, the IP addresses of the VPN clients 500A to 500C in FIG. 1 are assigned and dynamically determined by the ISP when connecting to the ISP network.

Here, for example, a case where VPN communication is performed from the VPN client 500B to the VPN client 500A via the VPN server 100 will be described.
A packet transmitted from the VPN client 500B to the VPN server 100 is transmitted based on a destination IP address in the packet and a conventional general routing table possessed by the router.

When the VPN server 100 transfers the Ethernet frame received from the VPN client 500B to the VPN client 500A, the VPN server 100 determines the VPN client 500A as a transfer destination based on the MAC address described in the MAC header of the received packet.
Next, using the determined VPN client 500A as a key, the VPN session table shown in FIG. 3 is searched and a TCP local address and a TCP client side IP address are selected, and a packet is transmitted to the selected VPN client 500A.

When the VPN server 100 is connected to only one ISP, it is sufficient for the VPN server to send a packet received from the VPN client to the connected ISP to the destination VPN client.
However, when the VPN server 100 is connected to a plurality of ISPs, it is necessary to select an optimum transfer destination, including which ISP to transmit to. This is because, when the transfer destination is inappropriate, the communication quality may deteriorate due to the packet taking a detour, or the packet may not reach the VPN client at the transfer destination.

When route control is performed using a conventional general routing table, there are groups of destination IP addresses that can be route-controlled because the routing table has a destination IP address item for them, and groups of destination IP addresses that cannot be route-controlled because the routing table has no destination IP address item for them.
For this reason, if the destination IP address of the IP packet is included in a group of destination IP addresses to be route-controlled, route control for transferring the IP packet to the transfer destination router associated with the group can be performed.

  For example, if the destination IP address of the VPN client A 500A in FIG. 1 and the IP address IP-A assigned to the VPN server 100 have items in the routing table and belong to the same destination IP address group, the optimum router A 200A can be selected as the transfer destination.

  However, the IP address groups that are subject to route control within an ISP are subdivided, and the same ISP contains various IP address groups. For this reason, even within the same ISPA network, the IP address IP-A assigned by ISPA and the IP address assigned to the VPN client A 500A often do not belong to the same IP address group.

  When the destination IP address of the IP packet is not included in the group of destination IP addresses to be route controlled, the packet is uniformly transmitted to an ISP called a default route which is not necessarily an optimal transfer destination. Thus, there is a problem that the communication time is delayed due to a packet being transmitted without being route-controlled.

As a countermeasure when route control cannot be performed because there is no item for the destination IP address subject to route control, a routing table having the same number of items as the IP addresses of the connected VPN clients must be created dynamically, for example as shown in FIG. 4.
However, creating a routing table with the same number of items as the destination IP address has the problem that the cost of management operation increases and the scalability is not sufficient.

  Therefore, the present invention has been made in view of the above problems, and an object of the present invention is to provide a novel and improved information processing apparatus, program, information processing method, and information processing system capable of selecting an optimal transfer destination that cannot be selected with a conventional general routing table.

An information processing apparatus comprising a central processing unit, at least two interfaces, a storage unit for storing an interface IP address assigned to each interface, a first routing table for performing path control based on a source IP address, and a second routing table for performing path control based on a destination IP address, wherein,
when the central processing unit can identify the interface corresponding to the source IP address based on the first routing table and the source IP address received from one interface, it communicates using that interface, and,
when the interface corresponding to the IP address of the interface cannot be identified, it communicates using the destination IP address and the interface specified based on the second routing table and the destination IP address received from one interface.

The first routing table includes link information of IP address groups whose IP address numbers are at an upper or lower position, or whose IP address ranges are wide or narrow, and the central processing unit identifies the interface corresponding to the interface IP address based on the link information of the first routing table.
Further, the information processing apparatus is a VPN server, the interface is connected to a VPN client, and the communication is communication by VPN.

  As described above, according to the present invention, an optimal transfer destination that cannot be selected by the IP routing table based only on the destination IP address can be specified by using the source IP address.

FIG. 1 is an explanatory diagram for describing the structure of the network according to the present embodiment.
FIG. 2 is an explanatory diagram showing the structure of an Ethernet frame.
FIG. 3 is an explanatory diagram showing a VPN session table.
FIG. 4 is an explanatory diagram showing the IP routing table by destination IP address.
FIG. 5 is a block diagram showing the schematic structure of a VPN server.
FIG. 6 is an explanatory diagram for describing the structure of the source address IP routing table of a VPN server.
FIG. 7 is a block diagram showing the schematic structure of a router.
FIG. 8 is a block diagram showing the schematic structure of a VPN client.
FIG. 9 is a flowchart of the packet transfer process of a VPN server.
FIG. 10 is a structural diagram showing the structure of a source IP address routing table.
FIG. 11 is an explanatory diagram showing an example of an entry of a source IP address routing table.
FIG. 12 is a structural diagram showing IP address blocks in an IP address space in which IP addresses are arranged in numerical order.
FIG. 13 is a flowchart of the optimal entry search process of a source IP address routing table.
FIG. 14 is a detailed flowchart of the search loop of FIG. 13.
FIG. 15 is a flowchart showing the second example of the optimal entry search process of a source IP address routing table.
FIG. 16 is a detailed flowchart of the search loop of FIG. 15.
FIG. 17 is an explanatory diagram showing the number of entry searches.
FIG. 18 is an explanatory diagram showing the structure of the packet used by the VPN session in this application.

  Exemplary embodiments of the present invention will be described below in detail with reference to the accompanying drawings. In this specification and the drawings, components having substantially the same functional configuration are denoted by the same reference numerals, and duplicate description is omitted.

The description will be made in the following order.
1. Network configuration according to an embodiment of the present invention
2. Example flow of VPN server packet transfer processing
3. Example of source IP address routing table
4. Optimal candidate entry search processing flow example
5. Second example of search process flow for optimal candidate entry

[Network configuration according to the embodiment of the present invention]
First, a network configuration according to the embodiment of the present invention will be described. FIG. 1 is an explanatory diagram for explaining a configuration of a network according to the present embodiment.

  In FIG. 1, a VPN server 100 is connected to terminals 600A to 600C via routers A200A to C200C, ISPA 300A to ISPC 300C, routers D400A to F400C, and VPN clients A500A to VPN clients C500C. Each device is connected by, for example, an Ethernet cable.

  Next, schematic configurations of the VPN server 100, the router A 200A to the router C 200C, and the VPN client A 500A to the VPN client C 500C in FIG. 1 will be described.

FIG. 5 is a block diagram showing a schematic configuration of the VPN server.
As shown in FIG. 5, the VPN server 100 includes a CPU 101, a VPN session table 102, a source IP address routing table 103, an IP routing table 104 by destination address, interfaces A105, B106, C107, and a storage unit 108.

  The CPU 101 controls processing of each block in the VPN server.

  The VPN session table 102 is a table used for determining a VPN session when the VPN server transmits a packet to the VPN client. Specifically, as described above with reference to FIG.

FIG. 6 is an explanatory diagram for explaining the configuration of the source address IP routing table of the VPN server.
As shown in FIG. 6, the source IP address routing table 103 has items for a source IP address, a transfer destination router, and an interface to be used, and manages a source IP address assigned in advance from ISPA or ISPC, a transfer destination router, and an interface to be used as a set.
The CPU 101 of the VPN server searches the source IP address routing table 103 using, as a key, the source IP address of the packet to be transferred that was received by any interface, and determines the transfer destination router and the interface to be used. Details of this table will be described later.
As the source IP address, a fixed IP address assigned in advance from ISPA to C is used. For this reason, the source IP address routing table needs only as many items as the number of connected ISPs, and does not need as many items as the number of connected VPN clients. Further, this table may be set when the VPN server is activated, for example.

  As described above with reference to FIG. 4, the IP routing table based on the destination IP address has items of the destination IP address, the transfer destination router, and the used interface, and manages these as a set.

  Interfaces A105 to C107 are assigned to each ISP and connected to other devices to transmit and receive packets.

  The storage unit 108 stores information such as encryption, message authentication, and connection destination authentication necessary for VPN communication.

FIG. 7 is a block diagram showing a schematic configuration of the router.
The routers 200A to 200C include a CPU 201, a routing table 202, and interfaces 203 and 204, as shown in FIG.
Note that the routers 400A to 400C have substantially the same functional configuration as the routers 200A to 200C, and a description thereof will be omitted.

  The CPU 201 determines a packet relay destination based on the routing table 202 and controls transmission / reception of the packet to the determined relay destination.

  The routing table 202 is a table in which packet relay destinations are registered.

  The interfaces 203 and 204 are connected to other devices and transmit / receive packets.

FIG. 8 is a block diagram showing a schematic configuration of a VPN client. VPN clients 500A to 500C include a CPU 501, a storage unit 502, and interfaces 503 and 504 as shown in FIG.

[Example of packet transfer processing flow of VPN server]
Next, the packet transfer processing flow of the VPN server of the present invention will be described. FIG. 9 is a flowchart of packet transfer processing of the VPN server.

Any interface of the VPN server 100 receives the Ethernet frame transfer request from the VPN client (S702).
The CPU 101 of the VPN server 100 determines a transfer destination VPN client based on the MAC address described in the MAC header of the received packet (S704).
The CPU 101 of the VPN server 100 looks up the determined transfer destination VPN client in the VPN session table 102 to determine the TCP local address (S706).

Next, the CPU 101 of the VPN server 100 searches the source IP address routing table 103 by using the determined TCP local address as a key, and checks whether or not it exists in the table (S708).
If the TCP local address exists in the source IP address routing table 103, the transfer destination router and the interface to be used are determined from the source IP address routing table (S710).
If the TCP local address does not exist in the source IP address routing table 103, the transfer destination router and the interface to be used are determined from the IP routing table based on the destination address (S712).

  The CPU 101 of the VPN server 100 transmits a packet to the determined transfer destination router using the determined interface (S714).

As described above, for example, depending on which IP address of the VPN server 100 the VPN client 500B is connected to (that is, through which ISP the packet is transmitted), the VPN server 100 selects the optimum transfer destination router 200 for transfer to the VPN client 500A. As a result, the communication path can be shortened, the response time can be shortened, and the communication conditions can be improved.
Further, by using both the source IP address routing table 103 and the routing table 104 based on the destination address, the number of table entries needed to select the optimum transfer destination can be reduced compared with the case where processing is performed using only the routing table 104 based on the destination address.
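The transfer decision of S702 to S714 can be followed in code. The sketch below is an added example, not code from the patent; the table contents, MAC and IP addresses, and the names `route_by_destination` and `decide_forwarding` are assumptions chosen for illustration. It also reproduces the background problem: a client whose dynamic address has no item in the destination table falls to the default route under destination-only routing.

```python
import ipaddress

# All table contents below are constructed sample data, not from the patent.
# Source IP address routing table 103: one row per connected ISP, keyed by the
# fixed address that ISP assigned to the VPN server (IP-A, IP-B, IP-C).
SOURCE_TABLE = {
    "192.0.2.10": ("router-A", "ifA"),
    "198.51.100.10": ("router-B", "ifB"),
    "203.0.113.10": ("router-C", "ifC"),
}

# Routing table 104 by destination address, including a default route.
DEST_TABLE = [
    ("192.0.2.0/24", "router-A", "ifA"),
    ("198.51.100.0/24", "router-B", "ifB"),
    ("0.0.0.0/0", "router-C", "ifC"),
]

# VPN session table 102, keyed here by the destination MAC of the frame:
# (VPN client, TCP local address, TCP client-side IP address).
SESSION_TABLE = {
    "02:00:00:00:00:0a": ("VPN client A", "192.0.2.10", "198.18.7.21"),
    "02:00:00:00:00:0b": ("VPN client B", "198.51.100.10", "198.18.9.40"),
    # Session bound to a local address that has no source-table row.
    "02:00:00:00:00:0c": ("VPN client C", "10.0.0.5", "198.51.100.77"),
}


def route_by_destination(dst_ip):
    """Conventional lookup: most specific destination prefix wins."""
    addr = ipaddress.ip_address(dst_ip)
    matches = []
    for prefix, router, iface in DEST_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, router, iface))
    if not matches:
        return None
    _, router, iface = max(matches)
    return router, iface


def decide_forwarding(dst_mac):
    """Return the router/interface chosen for a frame, or None if unknown."""
    session = SESSION_TABLE.get(dst_mac.lower())      # S704: MAC -> client
    if session is None:
        return None
    client, tcp_local, tcp_peer = session             # S706: TCP local address
    hit = SOURCE_TABLE.get(tcp_local)                 # S708: source-table check
    if hit is not None:
        (router, iface), table = hit, "source"        # S710
    else:
        route = route_by_destination(tcp_peer)        # S712: fall back
        if route is None:
            return None
        (router, iface), table = route, "destination"
    return {"client": client, "router": router,
            "interface": iface, "table": table}       # S714 would send here


if __name__ == "__main__":
    for mac in SESSION_TABLE:
        print(mac, decide_forwarding(mac))
    # Destination-only routing for client A's dynamic address:
    print("destination-only:", route_by_destination("198.18.7.21"))
```

For client A, the source table returns router-A on ifA, while the destination-only lookup for the same session falls through to the default route on router-C.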

[Example of source IP address routing table]
FIG. 10 is a structural diagram showing the structure of the source IP address routing table 103. The source IP address routing table 103 is as described above with reference to FIG.
It is a table having items of a source IP address, a transfer destination router, and an interface used. However, in more detail, as shown in FIG. 10, each item is a linked list simulating a tree structure.

FIG. 11 is an explanatory diagram showing each component of the source IP address routing table 103.
More specifically, each component of the source IP address routing table 103 includes an IP address prefix, a netmask, a used interface, a transfer destination router, a next, and a child.

The IP address prefix is a prefix portion of the IP address. The net mask is a net mask portion of the IP address.
“Prefix” and “Netmask” indicate the range of the IP address block.
An IP address composed of 32 bits is generally expressed by a part called “prefix” and a part called “netmask” when the address is divided into groups. That is, when an AND operation with a “net mask” is performed on a certain IP address and the result matches the “prefix”, the IP address is expressed by the prefix and the net mask.
For example, the IP address group in FIG. 11 includes IP addresses such as 192.168.1.1 and 192.168.1.250. This is because when the AND operation is performed with the net mask 255.255.255.0, both are 192.168.1.0 and match the prefix. On the other hand, IP addresses such as 172.16.250.1 are not included in the IP address group because the AND operation result does not match the prefix.

  The used interface is an interface name for transferring a packet. The transfer destination router is an IP address of a router that is a packet transfer destination.

“next” is a link to an entry having the next IP address prefix. The entries linked by “next” indicate the IP address groups before and after having different ranges.
On the other hand, child is a link to an entry having a smaller IP address prefix.
The entry linked by the child indicates an IP address group in a narrower range.

FIG. 12 is a structural diagram of the entire IP address space in which, for example, all IP addresses from 0.0.0.0 to 255.255.255.255 are arranged in order. It shows an example of the positional relationship of each IP address group.
The entries (1), (3), and (7), and the entries (4) and (5), shown in the figure are linked by next because their IP address ranges differ and, when IP addresses are arranged in numerical order, they are positioned as preceding and following IP address groups.
On the other hand, entry (2) linked by child of entry (1), entry (4) linked by child of entry (3), and entry (6) linked by child of entry (5) are positioned in a narrower range of IP address groups when IP addresses are arranged in numerical order.

[Example of optimal candidate entry search processing flow]
When an IP packet is transferred using the source IP address routing table 103, it is determined which entry in the table includes the source address of the IP packet, and the transfer destination router and the used interface described in that entry are used.
Here, since the IP address groups have a hierarchical structure as shown in FIG. 12, the optimum entry for one IP address is the one with the narrowest range among the groups to which the IP address can belong.

  In order to select an optimum entry from the structure of FIG. 10, the source IP address routing table is referred to, and the processes of FIGS. 13 and 14 are performed using two variables of “optimum candidate entry” and “current entry”.

Next, the optimum entry search processing flow of the VPN server of the present invention will be described.
FIG. 13 is a flowchart of the optimum entry search process of the source IP address routing table 103.

The CPU 101 of the VPN server 100 extracts the source IP address from the received packet (S802).
The CPU 101 of the VPN server 100 initializes the optimum candidate entry that is a variable (S804).
The CPU 101 of the VPN server 100 sets the current entry as a variable to the child of the root entry (S806).
After the initialization of the optimal candidate entry that is a variable and the setting of the current entry that is also a variable, the CPU 101 of the VPN server 100 performs a search loop process (S808). Details of this processing will be described with reference to FIG.

As a result of the search loop process, the CPU 101 of the VPN server 100 determines whether there is an optimum candidate entry (S810).
When the optimum candidate entry exists, the CPU 101 of the VPN server 100 sets the existing optimum candidate entry as the transfer destination (S812).
If there is no optimal candidate entry, the CPU 101 of the VPN server 100 determines that there is no transfer destination and ends the process (S814).

FIG. 14 is a detailed flowchart of the search loop (S808) of FIG. Details of the search loop process will be described below.
After the start of the search loop process (S902), the CPU 101 of the VPN server 100 determines whether the IP address of the packet is included in the range of the IP address of the current entry (S904).
When the IP address of the packet is included in the range of the IP address of the current entry, the CPU 101 of the VPN server 100 sets the current entry as the optimum candidate entry (S906).

Next, the CPU 101 of the VPN server 100 determines whether or not a child of the current entry exists (S908).
If the child of the current entry exists, the current entry is set to that child (S910).
If the IP address of the packet is not included in the range of the IP address of the current entry, the CPU 101 of the VPN server 100 determines whether or not a next of the current entry exists (S912).
If a next exists, the CPU 101 of the VPN server 100 sets the current entry to that next (S914).
If no next exists, the CPU 101 of the VPN server 100 ends the search loop (S916).
If there is no child of the current entry, the CPU 101 of the VPN server 100 ends the search loop (S916).

[Second Example of Search Process Flow for Optimal Candidate Entry]
FIG. 15 is a flowchart showing a second embodiment of the optimum candidate entry search process of the source IP address routing table 102.
The CPU 101 of the VPN server 100 extracts the source IP address from the packet (S1002).
The CPU 101 of the VPN server 100 initializes the optimum candidate entry (S1004).
After completing the initialization of the optimal candidate entry that is a variable, the CPU 101 of the VPN server 100 performs a search loop process (S1006). Details of this processing will be described with reference to FIG.

As a result of the search loop process, the CPU 101 of the VPN server 100 determines whether there is an optimum candidate entry (S1008).
When the optimal candidate entry exists, the CPU 101 of the VPN server 100 sets the existing optimal candidate entry as the transfer destination (S1010).
If there is no optimal candidate entry, the CPU 101 of the VPN server 100 determines that there is no transfer destination and ends the processing (S1012).

  FIG. 16 is a detailed flowchart of the search loop (S1006) of FIG. Details of the search loop process will be described below.

  After the start of the search loop process (S1102), the CPU 101 of the VPN server 100 sets the first entry in the table as the scanning target. Here, the head of the table means an entry having a lower number when entries are arranged in an IP address space in which IP addresses are arranged in numerical order.

The CPU 101 of the VPN server 100 determines whether or not the IP address range of the entry to be scanned includes the IP address of the packet (S1106).
If the IP address range of the entry to be scanned does not include the IP address of the packet, the process of S1116 described later is performed.

  When the IP address of the packet is included in the range of the IP address of the entry to be scanned, the CPU 101 of the VPN server 100 determines whether there is an optimum candidate entry (S1108).

If there is an optimum candidate entry, the CPU 101 of the VPN server 100 compares the optimum candidate entry with the IP address range of the entry to be scanned, and determines whether the optimum candidate entry is narrower than the entry to be scanned (S1110).
If the IP address range of the optimum candidate entry is not narrower than the IP address range of the scan target entry, the process of S1116 described later is performed.

  When the IP address range of the optimal candidate entry is narrower than the IP address range of the scan target entry, the CPU 101 of the VPN server 100 sets the scan target entry as the optimal candidate entry (S1112).

  If the optimum candidate entry does not exist, the CPU 101 of the VPN server 100 sets the scan target entry as the optimum candidate entry (S1114).

  In each of the following cases, the CPU 101 of the VPN server 100 determines whether or not the scan target has reached the end of the IP address order in the source IP address routing table (S1116): when the IP address range of the entry to be scanned does not include the IP address of the packet in S1106; when the IP address range of the optimum candidate entry is not narrower than the IP address range of the scan target entry in S1110; when the scan target entry has been set as the optimal candidate entry in S1112; and when the scan target entry has been set as the optimal candidate entry in S1114.

  The CPU 101 of the VPN server 100 ends the search loop process when the scan target reaches the end of the IP address order in the table of the source IP address routing table (S1118).

  If the scan target has not reached the end of the IP address order in the table of the source IP address routing table, the CPU 101 of the VPN server 100 makes the next entry the scan target (S1129) and then makes the determination in S1106 again.

  FIG. 17 is an explanatory diagram showing the number of entry scans. Specifically, for the source IP address routing table having the link structure shown in FIG. 10, it compares the calculated number of entry scans required until each entry is selected, and until it is determined that no entry is selected, when processing is performed by the method of the present application and when processing is performed with a simple routing table that does not have the link structure of FIG. 10.
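Both search flows (FIGS. 13/14 and FIGS. 15/16) and a scan-count comparison in the spirit of FIG. 17 can be reproduced on a small table. This is an added example, not the patent's code; the seven entries, their prefixes, routers, interfaces and all function names are constructed, with next/child links laid out as described for FIG. 12. The linear scan keeps the matching entry with the narrowest range, which is the selection goal stated for the optimum entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(eq=False)
class Entry:
    # Fields follow the components listed for FIG. 11.
    name: str
    prefix: str
    netmask: str
    interface: str
    router: str
    next: Optional["Entry"] = None    # following group with a different range
    child: Optional["Entry"] = None   # first narrower group inside this one

    def contains(self, ip: str) -> bool:
        # AND with the netmask must reproduce the prefix.
        return (to_int(ip) & to_int(self.netmask)) == to_int(self.prefix)


def build_table():
    """Constructed sample table: returns (child of root, entries in IP order)."""
    rows = [
        ("e1", "10.0.0.0", "255.0.0.0", "ifA", "router-A"),
        ("e2", "10.1.0.0", "255.255.0.0", "ifB", "router-B"),
        ("e3", "172.16.0.0", "255.240.0.0", "ifA", "router-A"),
        ("e4", "172.16.0.0", "255.255.0.0", "ifB", "router-B"),
        ("e5", "172.20.0.0", "255.252.0.0", "ifC", "router-C"),
        ("e6", "172.21.0.0", "255.255.0.0", "ifA", "router-A"),
        ("e7", "192.168.1.0", "255.255.255.0", "ifC", "router-C"),
    ]
    e = {row[0]: Entry(*row) for row in rows}
    e["e1"].next, e["e3"].next, e["e4"].next = e["e3"], e["e7"], e["e5"]
    e["e1"].child, e["e3"].child, e["e5"].child = e["e2"], e["e4"], e["e6"]
    return e["e1"], list(e.values())


def search_tree(first, ip):
    """Search loop of FIG. 14. Correct only if every child lies inside its
    parent and siblings linked by next do not overlap."""
    best, current, scans = None, first, 0      # S804, S806
    while current is not None:
        scans += 1
        if current.contains(ip):               # S904
            best = current                     # S906
            current = current.child            # S908/S910, or end (S916)
        else:
            current = current.next             # S912/S914, or end (S916)
    return best, scans


def search_linear(entries, ip):
    """Scan of FIG. 16: visit every entry, keep the narrowest match.
    Makes no assumption about how entries nest."""
    best, scans = None, 0
    for entry in entries:
        scans += 1
        if entry.contains(ip) and (
            best is None or to_int(entry.netmask) > to_int(best.netmask)
        ):
            best = entry
    return best, scans


def compare(ip):
    """Return (selected entry name or None, tree scans, linear scans)."""
    first, entries = build_table()
    t_best, t_scans = search_tree(first, ip)
    l_best, l_scans = search_linear(entries, ip)
    if t_best is not l_best:
        raise ValueError("tree and linear search disagree; table is malformed")
    return (t_best.name if t_best else None, t_scans, l_scans)


if __name__ == "__main__":
    for ip in ("192.168.1.250", "172.16.250.1", "172.21.5.5", "8.8.8.8"):
        print(ip, compare(ip))
```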

  FIG. 18 is an explanatory diagram for illustrating a packet structure exchanged between the VPN server 100 and the VPN clients A to C.

  In the present application, VPN communication can be performed using the packet of the general Ethernet frame shown in FIG. However, more preferably, when the VPN client establishes a VPN session with the VPN server, a packet having the structure shown in FIG. 18 is created from a general Ethernet frame to perform VPN communication.

  The IP header 701 and the TCP header 702 include data such as an IP address necessary for performing VPN communication between the VPN server and the VPN client.

  Data fragment 703 is data carried between the VPN server and the VPN client. For example, the Ethernet frame shown in FIG. 2 may be a data fragment. In this case, either or both of the IP header 701 and the TCP header 702 may use the IP header and the TCP header in the Ethernet frame as they are.

  The data fragment 703 may be any data of IPX, SNA, and FNA as long as it is data of communication using Ethernet. Furthermore, broadcast data with indefinite destination may be used.

The processing of FIGS. 9 to 16 enables efficient construction of the routing table in the VPN server 101, so that high-speed processing of the routing table can be performed.
In addition, since the routing table is small, management and operation costs can be reduced.

  The object of the present invention is also achieved by supplying a storage medium storing software program code that realizes the functions of the above-described embodiments to a system or apparatus, and having the computer (or CPU, MPU, or the like) of the system or apparatus read and execute the program code stored in the storage medium.

  In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the program code and the storage medium storing the program code constitute the present invention.

  Examples of the storage medium for supplying the program code include a floppy (registered trademark) disk, a hard disk, a magneto-optical disk, an optical disc such as a CD-ROM, a CD-R, a CD-RW, a DVD-ROM, a DVD-RAM, a DVD-RW, or a DVD+RW, a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded via a network.

  Further, the present invention includes not only the case where the functions of the above-described embodiments are realized by the computer executing the read program code, but also the case where an OS (Operating System) or the like running on the computer performs part or all of the actual processing based on the instructions of the program code, and the functions of the above-described embodiments are realized by that processing.

  Furthermore, this includes a case where, after the program code read from the storage medium is written to a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, a CPU or the like provided on the expansion board or the expansion unit performs part or all of the actual processing based on the instructions of the program code, and the functions of the above-described embodiments are realized by that processing.

  The preferred embodiments of the present invention have been described in detail above with reference to the accompanying drawings, but the present invention is not limited to such examples. It is obvious that a person having ordinary knowledge in the technical field to which the present invention pertains can come up with various changes or modifications within the scope of the technical idea described in the claims. These are naturally understood to belong to the technical scope of the present invention.

100 VPN server
101 CPU
102 VPN session table
103 Source IP address routing table
104 Routing table using destination address
105 Interface A
106 Interface B
107 Interface C
108 Storage unit
200 Router
200A Router A
200B Router B
200C Router C
201 CPU
202 Routing table
203 Interface
204 Interface
300 ISP
300A ISP A
300B ISP B
300C ISP C
400 Router
400A Router D
400B Router E
400C Router F
500 VPN client
500A VPN client A
500B VPN client B
500C VPN client C
501 CPU
502 Storage unit
503 Interface
504 Interface
600 Terminal
600A Terminal A
600B Terminal B
600C Terminal C
701 IP header
702 TCP header
703 Data fragment

Claims (5)

  1. A central processing unit;
    At least two interfaces;
    A storage unit for storing an interface IP address assigned to each interface;
    A first routing table for performing route control based on a source IP address; and
    A second routing table for performing route control based on a destination IP address,
    Wherein the central processing unit searches the first routing table using, as a key, the source IP address of a packet to be transferred that is received from one interface, and, when the interface corresponding to the interface IP address can be identified, performs communication using the identified interface IP address and the interface, and
    When the interface corresponding to the interface IP address cannot be identified, performs communication using the interface IP address and the interface identified based on the second routing table and the destination IP address received from one interface.
    Information processing device.
  2. The first routing table has IP address group link information;
    The central processing unit identifies the interface corresponding to the interface IP address based on the link information.
    The information processing apparatus according to claim 1.
  3. The central processing unit can determine,
    When an IP address group and the other IP address groups are arranged in numerical order, whether one of the IP address groups is higher or lower, or whether its IP address range is wide or narrow.
    The information processing apparatus according to claim 1.
  4. The information processing apparatus is a VPN server,
    The interface is connected to a VPN client;
    The communication is communication by VPN.
    The information processing apparatus according to claim 2.
  5. A program for causing a computer to function as:
    A storage unit for storing an interface IP address assigned to each interface; and
    A communication unit that searches a first routing table for performing route control based on a source IP address, using as a key the source IP address of a packet to be transferred that is received from one of at least two interfaces, and, when the interface corresponding to the interface IP address can be identified, performs communication using the identified interface IP address and the interface, and
    When the interface corresponding to the interface IP address cannot be identified, identifies the interface based on a second routing table for performing route control based on a destination IP address and the destination IP address received from one interface, and performs communication using the interface IP address and the interface.
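
The two-stage lookup recited in claims 1 to 3, sketched as an added Python example that is not code from the patent. The addresses, table contents, function names, and the rule of preferring the narrowest matching IP address group are assumptions made for illustration; only the interface labels A, B and C come from the reference sign list.

```python
import ipaddress
from typing import NamedTuple

class Interface(NamedTuple):
    name: str
    ip: ipaddress.IPv4Address      # interface IP address held in the storage unit

class Route(NamedTuple):
    group: ipaddress.IPv4Network   # IP address group covered by this entry
    iface: Interface

def _narrowest_match(table, addr):
    """Return the entry whose group contains addr with the narrowest range, or None."""
    hits = [r for r in table if addr in r.group]
    return max(hits, key=lambda r: r.group.prefixlen) if hits else None

def select_interface(src, dst, source_table, dest_table):
    """Search the source-IP table first; fall back to the destination-IP table.

    Returns (Interface, table_used) so the caller can log which table decided
    the egress. Raises LookupError when neither table has a matching entry.
    """
    route = _narrowest_match(source_table, ipaddress.ip_address(src))
    if route is not None:
        return route.iface, "source"
    route = _narrowest_match(dest_table, ipaddress.ip_address(dst))
    if route is not None:
        return route.iface, "destination"
    raise LookupError(f"no route for src={src} dst={dst}")

# Constructed sample data (RFC 5737 documentation and RFC 1918 private ranges).
IF_A = Interface("A", ipaddress.ip_address("192.0.2.1"))
IF_B = Interface("B", ipaddress.ip_address("198.51.100.1"))
IF_C = Interface("C", ipaddress.ip_address("203.0.113.1"))

SOURCE_TABLE = [
    Route(ipaddress.ip_network("10.1.0.0/16"), IF_A),
    Route(ipaddress.ip_network("10.1.2.0/24"), IF_B),   # narrower group inside the /16
]
DEST_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), IF_C),     # default route
    Route(ipaddress.ip_network("172.16.0.0/12"), IF_A),
]

if __name__ == "__main__":
    for src, dst in [("10.1.2.7", "172.16.5.5"), ("192.168.5.5", "172.16.5.5")]:
        iface, used = select_interface(src, dst, SOURCE_TABLE, DEST_TABLE)
        print(f"{src} -> {dst}: interface {iface.name} ({iface.ip}) via {used} table")
```

Returning the name of the table that matched lets an operator audit whether a packet left on its source-pinned interface or fell through to ordinary destination routing.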
JP2010095430A 2010-03-31 2010-03-31 Information processing apparatus, program, information processing method, and information processing system Active JP5589210B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2010095430A JP5589210B2 (en) 2010-03-31 2010-03-31 Information processing apparatus, program, information processing method, and information processing system


Publications (2)

Publication Number Publication Date
JP2011217336A JP2011217336A (en) 2011-10-27
JP5589210B2 true JP5589210B2 (en) 2014-09-17

Family

ID=44946571


Country Status (1)

Country Link
JP (1) JP5589210B2 (en)



Legal Events

Date Code Title Description
A621 Written request for application examination. Free format text: JAPANESE INTERMEDIATE CODE: A621. Effective date: 20130325
A977 Report on retrieval. Free format text: JAPANESE INTERMEDIATE CODE: A971007. Effective date: 20131111
A131 Notification of reasons for refusal. Free format text: JAPANESE INTERMEDIATE CODE: A131. Effective date: 20131119
A521 Written amendment. Free format text: JAPANESE INTERMEDIATE CODE: A523. Effective date: 20140116
TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model). Free format text: JAPANESE INTERMEDIATE CODE: A01. Effective date: 20140610
A61 First payment of annual fees (during grant procedure). Free format text: JAPANESE INTERMEDIATE CODE: A61. Effective date: 20140708
R150 Certificate of patent or registration of utility model. Ref document number: 5589210. Country of ref document: JP. Free format text: JAPANESE INTERMEDIATE CODE: R150
R250 Receipt of annual fees. Free format text: JAPANESE INTERMEDIATE CODE: R250