JP5605728B2 - Information processing apparatus, communication method, and communication program - Google Patents

Description

  The present invention relates to an information processing apparatus, a communication method, and a communication program.

  Conventionally, there is an edge node redundant system in which customer terminals provided at one site are accommodated in edge nodes configured redundantly with two main systems and secondary systems, and the primary edge nodes are normally used. Yes (see Patent Document 1).

  In addition, there is a technique for performing line redundancy by link aggregation (see Patent Document 2). When a double failure occurs in a working path having a redundant configuration and a packet is detoured to a protection path, There is a technique of assigning different labels to a packet that should flow through a label switched path and a packet that should flow through a second label switched path and transferring them to a backup path (see Patent Document 3).

International Publication No. 2008/120267 JP 2007-221526 A JP 2003-78553 A

  Conventionally, in order to increase network availability, VPNs are made redundant by using a plurality of lines and backup VPNs are set. However, in the conventional network system, when the line is physically disconnected, even if the line is made redundant, the logical connection is disconnected and must be reconnected.

  In view of the above problems, an object of the present invention is to provide a network system in which communication is maintained even when a line is disconnected.

  The present invention employs the following means in order to solve the above-described problems. That is, the present invention is an information processing apparatus connected to a network via a first physical line and a second physical line, and another information processing apparatus is connected to the network via the first physical line. Establishing a plurality of logical connections with each of the plurality of physical lines possessed by, and further, via the second physical line, with each of the plurality of physical lines possessed by the other information processing apparatus Establishing a plurality of logical connections between, a connection establishment means, a data transmission means for transmitting data to the other information processing apparatus via a plurality of logical connections established by the connection establishment means, Is an information processing apparatus.

Here, the logical connection is a logical communication path for transmitting and receiving information, which is established between apparatuses that perform communication. Examples of logical connections include VPN connections and TCP connections. The information processing apparatus according to the present invention establishes a plurality of logical connections from one physical line to each of a plurality of physical lines of another information processing apparatus that is a communication partner, and a plurality of such logical connections. Prepare multiple physical lines that have been established. In this way, logical connections of different paths (paths) that are larger than the number of physical lines can be established with the other information processing apparatus.

  According to the present invention, a plurality of logical connections with different paths, which are larger than the number of physical lines, are connected to the other information processing apparatus, so that even if the line is physically disconnected, it is affected. It is possible to maintain a logical connection in a non-path, and to maintain without interrupting communication. In the present invention, a plurality of established logical connections can be bundled and used as a single communication path (tunnel) between an information processing apparatus and another information processing apparatus. Therefore, according to the present invention, it is possible to increase the availability of the network system without sacrificing the communication speed.

  The information processing apparatus according to the present invention further includes priority setting means for setting a priority for each of the plurality of logical connections, and the data transmission means determines the logical connection according to the priority. May be used to transmit data to the other information processing apparatus.

  According to the present invention, the reliability of data transmission when a plurality of logical connections are used as a whole can be improved by determining the logical connection used for data transmission according to the priority.

  In addition, the information processing apparatus according to the present invention further includes a communication speed measuring unit that measures a communication speed for each of the plurality of logical connections, and the priority setting unit includes the plurality of logical connections based on the communication speed. Priorities may be set for each of the connections.

  For example, the priority setting means can set a higher priority for a logical connection having a higher speed. By setting the priority based on the communication speed in this way, according to the present invention, traffic can be more efficiently allocated to the logical connection, and the data transmission speed can be increased.

  The information processing apparatus according to the present invention further includes a usage suitability determination unit that determines whether the logical connection is used in data transmission by the data transmission unit, and the priority setting unit includes the plurality of logical connections. Among them, the priority may be set for each of the logical connections excluding the logical connection determined to be unsuitable for use by the use suitability determining unit.

  According to the present invention, communication quality can be maintained by finding a logical connection that is not suitable for use and excluding it from the use target. For the excluded logical connection, re-establishment of the logical connection may be attempted after the exclusion.

  The information processing apparatus according to the present invention includes a sequence adding unit that adds a sequence to data transmitted by the data transmitting unit, and a mismatch between the sequence and the data arrival order in the other information processing device is predetermined. Notification receiving means for receiving a notification transmitted from the other information processing apparatus when the condition is met, and the priority setting means receives the notification and receives the priority. May be set.

  According to the present invention, it is possible to determine the arrival order of data by adding a sequence, and it is possible to set a priority by receiving a notification from the other information processing apparatus that a mismatch has occurred in the other apparatus. This makes it possible to suppress inconsistencies in the data arrival order that may occur when a plurality of logical connections are bundled and used.

The information processing apparatus according to the present invention includes line information acquisition means for acquiring line information of a physical line included in the information processing apparatus and the other information processing apparatus, and establishment of the logical connection based on the line information. As a path that can be used for the above, a plurality of paths between each of the plurality of physical lines included in another information processing apparatus via the first physical line, and the second physical line Route specifying means for specifying a plurality of paths between each of the plurality of physical lines of the other information processing apparatus, and the connection establishing means is specified by the path specifying means. In this route, the logical connection may be established.

  According to the present invention, line information that can be used for establishing a logical connection is set, and by specifying a route based on this line information, all the logical connections to be established are designated in advance, Multiple logical connections can be established to increase system availability.

  The information processing apparatus according to the present invention includes a physical line that the information processing apparatus and the other information processing apparatus have via the established logical connection after at least one logical connection is established by the connection establishing means. Line information exchanging means for exchanging the line information of the circuit, and the route specifying means specifies the route based on the line information acquired by the line information acquiring means and the line information exchanged by the line information exchanging means. May be.

  In the present invention, the information processing apparatus is a gateway apparatus that mediates communication between a managed network and a network managed by another gateway apparatus, and the information processing apparatus according to the present invention includes A receiving unit that receives a packet transmitted from a transmission source terminal that belongs to a managed network, and a packet that is added to the packet received by the receiving unit by adding information for transferring the packet to the other gateway device And the data transmitting means may transmit the packet encapsulated by the encapsulating means to the other gateway device.

  Here, the managed network is a network such as a base network in which communication with an external network is mediated by a gateway device. The gateway device according to the present invention can communicate with other gateway devices via an external network such as the Internet, and transfers a plurality of gateways by transferring communication from the managed network to other gateway devices. Enables communication between a plurality of base networks under device management. A virtual private network is constructed by mediating communication between managed networks by a plurality of gateway devices.

  Furthermore, the present invention can be grasped as a method executed by a computer or a program executed by the computer. Further, the present invention may be a program in which such a program is recorded on a recording medium readable by a computer, other devices, machines, or the like. Here, a computer-readable recording medium is a recording medium that stores information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from a computer or the like. Say.

  According to the present invention, it is possible to provide a network system in which communication is maintained even when a line is disconnected.

It is a figure which shows the outline of a structure of the VPN system which concerns on embodiment. It is a figure which shows the outline of the hardware constitutions of the VPN gateway which concerns on embodiment. It is a figure which shows the outline of a function structure of the VPN gateway which concerns on embodiment. It is a figure which shows the structure of the VPN tunnel structure table which concerns on embodiment. It is a flowchart which shows the flow of the connection establishment process in embodiment. It is a figure which shows the outline | summary of the connection established in embodiment. It is a flowchart which shows the flow of the data transmission process in embodiment. It is a sequence diagram which shows the flow of the data transmission / reception in embodiment.

<System configuration>
Hereinafter, embodiments of a VPN system according to the present invention will be described with reference to the drawings. The embodiment described below shows an example for carrying out the present invention, and the present invention is not limited to the specific configuration described below. In practicing the present invention, it is preferable to adopt a specific configuration according to the embodiment as appropriate.

  The information processing apparatus according to the present invention only needs to be connectable to a network via a plurality of physical lines, and a system including the information processing apparatus according to the present invention includes a plurality of information processing apparatuses (computers). Any system can be used as long as it is capable of communicating via a physical line. For example, the VPN system according to the present embodiment can be used for various networks such as a normal VPN, a VPN in a core business, and a data communication network between data centers such as a cloud.

  FIG. 1 is a diagram showing an outline of the configuration of a VPN system according to the present embodiment. The VPN system according to the present embodiment is a system in which a plurality of VPN gateways 1a and 1b are communicably connected via a network 9 such as the Internet. A plurality of physical lines to the network 9 are accommodated in the WAN (Wide Area Network) side network interface of the VPN gateways 1a and 1b. In this embodiment, WAN 1 (WAN port 1) of the VPN gateway 1a is connected to the first physical line 100, WAN 2 (WAN port 2) of the VPN gateway 1a is connected to the second physical line 200, and the VPN gateway 1b. WAN 1 (WAN port 1) is connected to the physical line 300, and WAN 2 (WAN port 2) of the VPN gateway 1b is connected to the physical line 400. In the VPN gateways 1a and 1b, the physical line connected to the WAN 1 and the physical line connected to the WAN 2 are preferably different lines. For example, when one is an optical broadband line, the other is a CATV line, a power line, or the like, thereby improving the reliability of the VPN system.

  In addition, one or a plurality of private networks (LAN) are connected to a LAN (Local Area Network) port of the VPN gateway. The default gateway of these private networks is the VPN gateway 1a or 1b, and the terminals 2a and 2b connected to the private network are connected to the WAN side network interface of the VPN gateway 1a or 1b via the VPN gateway 1a or 1b. Communication with external network is possible. In addition, it does not ask | require whether the connection form between each said apparatus is a wired connection or a wireless connection. In this embodiment, an IP network is used. However, a communication method or protocol used for communication between devices is not limited to IP as long as necessary information can be transmitted and received between the devices. Regarding the VPN system, the present invention can be adopted in various types of VPN such as SSH, TLS, SSL, and the like.

The VPN gateways 1a and 1b are VPN gateway devices that mediate communication between a managed network and a network managed by another VPN gateway (in this embodiment, one of the VPN gateways 1a and 1b). . The VPN gateways 1a and 1b encrypt packets destined for the private network connected to the LAN side network interface of the other VPN gateways 1a and 1b and transmitted from the private network connected to the own LAN side network interface. By encapsulating data with authentication data, etc., the communication between multiple private networks is concealed and a virtual tunnel is constructed. A VPN is constructed by tunneling communication between a plurality of private networks in this way.

  FIG. 2 is a diagram showing an outline of the hardware configuration of the VPN gateway according to the present embodiment. Each of the VPN gateways 1a and 1b according to the present embodiment includes an information processing apparatus including a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), a network interface, and a storage device (storage). (Computer). Here, the VPN gateways 1a and 1b include, as network interfaces, a LAN side network interface (LAN port) to which a private network is connected and a WAN side network interface (WAN1 and WAN2) connected to the network 9 side. .

  Similarly to the VPN gateways 1a and 1b, the terminals 2a and 2b include a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), a network interface, and a storage device (storage). A device (computer). As the storage devices included in the VPN gateways 1a and 1b and the terminals 2a and 2b, for example, an EEPROM (Electrically Erasable Programmable ROM), an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like can be used.

  The default gateway set in the VPN gateways 1a and 1b is generally an ISP (Internet Service Provider) router that provides connection to the Internet. That is, the VPN gateways 1a and 1b transmit packets other than those sent to the VPN among packets received by the LAN side network interface to the ISP router in principle.

  FIG. 3 is a diagram showing an outline of a functional configuration of the VPN gateway according to the present embodiment. Each of the VPN gateways 1a and 1b is configured such that the CPU executes a communication program expanded in the RAM or ROM, and controls each configuration of the RAM, ROM, network interface, storage device, and the like, thereby transmitting and receiving unit 11, VPN A VPN gateway comprising a processing unit 12, an information acquisition unit 13, a connection establishment unit 14, an information exchange unit 15, a path identification unit 16, a communication speed measurement unit 17, a use suitability determination unit 18, a priority setting unit 19, and a sequence addition unit 20. Functions as 1a and 1b. In the VPN system according to the present embodiment, a plurality of VPN connections are managed by a single software (communication program), and a connection establishment process and a data transmission process, which will be described later, are performed, thereby realizing quick control.

  The transmission / reception unit 11 transmits / receives packets to / from the private networks managed by the VPN gateways 1a and 1b, in other words, the terminals 2a and 2b belonging to the network connected to the LAN side network interface of the VPN gateways 1a and 1b. In addition, the VPN packet (user data) and control data encapsulated by the VPN processing unit 12 are transmitted / received to / from other VPN gateways 1 a and 1 b connected via the network 9.

  The VPN processing unit 12 encapsulates the packet received from the managed private network by adding information for transferring the packet to the other VPN gateways 1a and 1b, and connection of the VPN connection. A packet extraction process for extracting a packet before adding information for transfer (before encapsulation) from the VPN packet (encapsulated packet) received from the VPN gateways 1b and 1a on the other side is executed.

  FIG. 4 is a diagram showing a configuration of a VPN tunnel configuration table according to the present embodiment. The VPN tunnel configuration table is a table that holds information that is referred to for bundling and using a plurality of established VPN connections in the present embodiment. The VPN connection communication speed is associated with each VPN connection and path combination. , And weights are retained. In the present embodiment, “weight” is information indicating a priority that is referred to in order to determine a VPN connection used for transmission of each packet when the VPN connections are bundled and used as one VPN tunnel.

<Process flow>
Next, a flow of connection establishment processing, data transmission processing, and data transmission / reception according to the present embodiment will be described. In the processing flow described below, a connection establishment process when establishing a VPN connection from the VPN gateway 1a, a data transmission process when transmitting data from the VPN gateway 1a, and a case where the VPN gateway 1a is the data transmission side The flow of data transmission / reception will be described. However, a connection establishment process when establishing a VPN connection from the VPN gateway 1b, a data transmission process when transmitting data from the VPN gateway 1b, and a data transmission / reception flow when the VPN gateway 1b is on the data transmission side, Only the processing subject is different, and the content of the processing is substantially the same.

  FIG. 5 is a flowchart showing a flow of connection establishment processing in the present embodiment. The process shown in this flowchart is executed when the activation of the VPN gateway 1a is completed. However, the processing shown in this flowchart is based on the fact that the VPN gateway 1a has received a packet addressed to the private network under the VPN gateway 1b from the private network under the VPN gateway 1a, or that the set predetermined time has arrived. Execution may be started in response to other events such as reception of an instruction instructing establishment of a VPN connection. It should be noted that the specific contents and order of the processing shown in this flowchart are examples for carrying out the present invention. It is preferable that specific processing contents and order are appropriately selected according to the embodiment.

  In step S101, preset line information is acquired. The information acquisition unit 13 of the VPN gateway 1a acquires, from the VPN gateway 1a storage device, the designation of the physical line (line information) used for the VPN, which is set before the processing of this flowchart is executed. The line information acquired here includes the line information of the physical line of the VPN gateway 1a (for example, WAN1 and WAN2 of the VPN gateway 1a), as well as the line of the physical line of the VPN gateway 1b that is the establishment partner of the VPN connection. Information (eg, WAN 1 and WAN 2 of VPN gateway 1b) is included.

The line information used for the VPN may be held in a place other than the storage device of the VPN gateway 1a. For example, the information acquisition unit 13 of the VPN gateway 1a may acquire line information preset in a management server (not shown) via the network 9 or the like. From the management server, the IP address of the information processing apparatus (in this embodiment, the VPN gateway 1b) as a connection partner may be acquired. VPN gateways 1a and 1b
By uploading the IP address of the own device to the management server and causing the other party's VPN gateway to acquire it, the IP address can be acquired via the management server.

  Of the line information, information on the physical line related to the own device (VPN gateway 1a) may not be set in advance. The information acquisition unit 13 of the VPN gateway 1a may acquire all the currently active physical lines as line information used for the VPN in the VPN gateway 1a by referring to the RAM of the own device, or the currently active physical line Of these, a line satisfying a predetermined condition may be acquired as line information used for VPN. Here, as the predetermined condition, for example, a physical line having a communication speed or a band greater than a predetermined value may be used. Thereafter, the process proceeds to step S102.

  In step S102, the first VPN connection is established. The connection establishment unit 14 of the VPN gateway 1a selects any one physical line on the VPN gateway 1a side and any one on the VPN gateway 1b side among the physical lines specified in the line information acquired in step S101. A VPN connection is established with the physical line. For example, in this embodiment, a VPN connection is established between the first physical line 100 on the VPN gateway 1a side and the physical line 300 on the VPN gateway 1b side.

  As for the VPN connection, a VPN connection establishment request is transmitted from either the VPN gateway 1a or the VPN gateway 1b to the other VPN gateway, and processing required for establishing the VPN connection (authentication, VPN connection identifier) is received. Are generally established by execution. However, the specific content of the VPN connection establishment process varies depending on the VPN protocol adopted, and the conventional VPN technology can be adopted for establishing the VPN connection, and thus detailed description is omitted. To do. Hereinafter, a communication path using the first physical line 100 on the VPN gateway 1a side and the physical line 300 on the VPN gateway 1b side is referred to as “path 1”, and the VPN connection established in the path 1 is referred to as “VPN connection 1”. Called. Thereafter, the process proceeds to step S103.

  In step S103, information is exchanged between VPN gateways. The information exchange unit 15 of the VPN gateway 1a and the VPN gateway 1b exchanges information necessary for the subsequent processing via the VPN connection 1 established in step S102. The information exchanged here includes, for example, whether there is a line that can be used for VPN use other than the physical line acquired in step S101, and if there is a usable line, the line information of the line, etc. included. More specifically, the VPN gateway 1a and the VPN gateway 1b exchange information by transmitting and receiving, as control data, an inquiry about the presence or absence of a line that can be used for VPN use in the VPN connection 1 and a response to the inquiry. The control data is data used for controlling the VPN connection, and includes authentication data, key exchange data, data for confirming the line status of the VPN connection, and the like. In order to prevent a delay in packet transmission / reception processing, the CPU of the VPN gateway 1a preferably executes processing for handling control data in a thread different from processing for handling user data. In the present embodiment, information used for VPN redundancy and speed-up is exchanged between the VPN gateways 1a and 1b as control data. Thereafter, the process proceeds to step S104.

In step S104, the number of available paths is calculated. The route specifying unit 16 of the VPN gateway 1a calculates the number of paths that can establish a VPN connection to the VPN gateway 1b based on the line information acquired in steps S101 and S103. The number of paths that can establish a VPN connection from the VPN gateway 1a to the VPN gateway 1b is calculated using the following equation.

  Number of paths that can be used = (Number of physical lines that can be used by VPN of VPN gateway 1a) * (Number of physical lines that can be used by VPN of VPN gateway 1b)

  FIG. 6 is a diagram showing an outline of a connection established in the present embodiment. In the example shown in FIG. 6, the VPN gateway 1a has two physical lines 100 and 200 that can use VPN, and the VPN gateway 1b has two physical lines 300 and 400 that can use VPN. . Therefore, the number of available paths between the VPN gateway 1a and the VPN gateway 1b is 4 (= 2 * 2). That is, in the example shown in FIG. 1, the first physical line 100 on the VPN gateway 1a side and the physical line 400 on the VPN gateway 1b side are used in addition to the path 1 in which the VPN connection is established in step S102. Path 2, path 3 using the second physical line 200 on the VPN gateway 1a side and the physical line 300 on the VPN gateway 1b side, the second physical line 200 on the VPN gateway 1a side, and the physical line 400 on the VPN gateway 1b side There is a path 4 using Based on the line information acquired by the information acquisition unit 13 and the line information exchanged by the information exchange unit 15, the route specifying unit 16 uses the above path 1, path 2 as paths that can be used for establishing a VPN connection. , Path 3 and path 4 are identified. Thereafter, the process proceeds to step S105.

  In step S105, a VPN connection is individually established in each available path. The connection establishment unit 14 of the VPN gateway 1a performs the VPN connection in each of the paths (path 2, path 3, and path 4) excluding the path 1 in which the VPN connection 1 has already been established among the paths specified in step S104. 2. Establish VPN connection 3 and VPN connection 4. The specific establishment method of the VPN connection is the same as the establishment of the VPN connection described in step S102 except that the physical line on which the VPN connection is established is different. In order to prevent a delay in packet transmission / reception processing, it is preferable that the CPU of the VPN gateway 1a executes establishment or re-establishment of an unconnected VPN connection using a thread different from processing for handling other VPN connections. .

  In the example shown in FIG. 6, the VPN connection 1 is established in the path 1 using the first physical line 100 accommodated in the WAN 1 of the VPN gateway 1a and the physical line 300 accommodated in the WAN 1 of the VPN gateway 1b. The VPN connection 2 is established in the path 2 using the first physical line 100 and the physical line 400 accommodated in the WAN 2 of the VPN gateway 1b. Further, the VPN connection 3 is established in the path 3 using the second physical line 200 accommodated in the WAN 2 of the VPN gateway 1a and the physical line 300 of the VPN gateway 1b, and the second physical line 200 of the VPN gateway 1a The VPN connection 4 is established in the path 4 using the physical line 400 of the VPN gateway 1b. When a VPN connection is established for an available path, the processing shown in this flowchart ends, and the processing proceeds to data transmission processing.

  According to the VPN system according to the present embodiment, even when a failure occurs in a physical line (lower layer) by establishing such a plurality of VPN connections, communication is performed using a VPN connection in an unaffected path. Can be maintained without interruption. That is, according to the VPN system according to the present embodiment, reconnection processing, switching processing to a backup line, and the like are unnecessary.

More specifically, in the VPN system according to the present embodiment, even when one physical line is disconnected, two VPN connections can be continuously used as they are. In the VPN system according to the present embodiment, if one physical line is alive on the VPN gateway 1a side and one physical line is alive on the VPN gateway 1b side, one of the VPN connections is established and maintained without interruption. And no interruption of communication occurs. In the conventional line redundancy method, even if one physical line is alive on one gateway side and one physical line is alive on the other gateway side, the connection is disconnected. Further, even in a network in which a backup connection is set, conventionally, the connection is reestablished after the disconnection of the communication is detected, so that the communication is interrupted.

  FIG. 7 is a flowchart showing the flow of data transmission processing in the present embodiment. The process shown in this flowchart is executed when the connection establishment process described with reference to FIG. 5 is completed. It should be noted that the specific contents and order of the processing shown in this flowchart are examples for carrying out the present invention. It is preferable that specific processing contents and order are appropriately selected according to the embodiment.

  In step S201, re-establishment of a VPN connection is attempted for a VPN connection with a poor line condition or a path where the VPN connection is disconnected. However, the process shown in step S201 is a process executed when a tunnel reconfiguration described later in step S207 is performed. For this reason, details of the processing in step S201 will be described later together with step S207.

  In step S202, the speed of each VPN connection is measured bidirectionally. The communication speed measurement unit 17 of the VPN gateway 1a exchanges data of a predetermined size in each of the VPN connections established in the VPN connection establishment process described above, and measures the time taken for the response, thereby measuring each VPN. Get the communication speed of the connection. More specifically, the communication speed measuring unit 17 transmits a request packet from the VPN gateway 1a to the VPN gateway 1b in each VPN connection, and the VPN gateway 1a transmits a response packet from the VPN gateway 1b from the transmission of the request. By measuring the time taken to receive, the speed of each VPN connection is acquired. The acquired communication speed is stored in the VPN tunnel configuration table. In addition, the communication speed measuring unit 17 determines the time (hereinafter referred to as “arrival time”) required for the VPN connection to reach the VPN gateway 1b after the packet is transmitted from the VPN gateway 1a in each VPN connection. It is obtained by calculating using the transmission time and the reception time at the VPN gateway 1b. Information necessary for calculating the arrival time is acquired from the VPN gateway 1b. In the present embodiment, data exchanged for speed measurement is exchanged as control data in each VPN connection. However, when the traffic of user data is equal to or greater than a predetermined threshold, speed measurement may not be performed or the speed measurement may be postponed until the next or later speed measurement timing so as not to apply a load with the control data. Thereafter, the process proceeds to step S203.

  Note that the speed of the VPN connection may be measured using a method of monitoring traffic of user data instead of a method of measuring the data exchange rate of control data. The VPN gateways 1a and 1b use the user data traffic information (including the user data size and the time taken for data transfer) obtained by monitoring the traffic as control data with the other party's VPN gateway. The speed can be calculated based on the traffic information (the size of the user data and the time taken for data transfer, etc.) obtained by the exchange.

In step S203, it is determined whether or not there is a VPN connection with poor line status (appropriate use of VPN connection). The packet transmitted and received for speed measurement in step S202 is a packet for confirming the line status of each VPN connection (so-called KeepAlive).
Also used as e). However, KeepAlive may be transmitted separately from the packet for speed measurement. The use appropriateness determination unit 18 of the VPN gateway 1a determines the use appropriateness of the VPN connection in data transmission by the transmission / reception unit 11. More specifically, when the response from the VPN gateway 1b times out in the VPN connection that transmitted the KeepAlive packet, the usage suitability determination unit 18 has a poor line status of the VPN connection (path). It is determined that the VPN connection is not suitable for the connection. If there is a VPN connection with a poor line status (a VPN connection for which the confirmation of the line status has failed), the process proceeds to step S207. On the other hand, if a VPN connection with poor line status is not found, the process proceeds to step S204.

  In step S204, each VPN connection is weighted. The priority setting unit 19 of the VPN gateway 1a performs weighting (priority setting) of each VPN connection used by the weighted round robin based on the speed of each VPN connection measured in step S202. In the example shown in FIG. 4, the speed of each VPN connection is indicated by the time taken from the transmission of the data request to the reception of the response in each VPN connection. For example, the speed of the VPN connection 1 is 20 msec, the speed of the VPN connection 2 is 40 msec, the speed of the VPN connection 3 is 80 msec, and the speed of the VPN connection 4 is 20 msec. In this embodiment, the priority setting unit 19 refers to the VPN tunnel configuration table and uses the slowest VPN connection (in this case, the VPN connection 3) as a reference and how many times the VPN connection is the reference VPN connection. Weighting is performed by calculating whether it is the same. Specifically, in the example shown in FIG. 4, a value “4” is assigned to the VPN connection 1, a value “2” is assigned to the VPN connection 2, and a value “2” is assigned to the VPN connection 3 in the VPN tunnel configuration table. The value “1” is set, and the value “4” is set in the VPN connection 4. When the weighting of each VPN connection is completed, the process proceeds to step S205.

  When there is a VPN connection whose communication speed is slower than a threshold indicating a speed that is not suitable for use, the VPN connection may be excluded from the VPN tunnel and weighting may not be performed. The VPN connection may be excluded using a flag or a list indicating that the corresponding connection is excluded, or the weight of the corresponding VPN connection is set to 0 (zero) in the VPN tunnel configuration table. It may be done by doing.

  In step S205, user data is transmitted. When the VPN processing unit 12 of the VPN gateway 1a receives a packet addressed to the private network under the VPN gateway 1b from the private network under the VPN gateway 1a, the VPN processing unit 12 adds information for transferring the packet to the VPN gateway 1b to the received packet. Thus, a VPN packet (encapsulated packet) is created by encapsulating the received packet. When the VPN packet is created, the transmission / reception unit 11 of the VPN gateway 1a transmits the created VPN packet to the VPN gateway 1b via the plurality of VPN connections established by the connection establishment unit 14. The VPN gateway 1b that has received the transmitted VPN packet extracts the packet before the transfer information is added from the received VPN packet, and transfers the extracted packet to the private network under the VPN gateway 1b. .

In the data transmission processing according to the present embodiment, the VPN gateways 1a and 1b use the plurality of established VPN connections 1 to 4 as a single VPN tunnel as a whole. At this time, the transmission / reception unit 11 transmits data to the other party's VPN gateway using the VPN connection according to the priority. In the present embodiment, the VPN connection used for the VPN gateway 1a to transmit a VPN packet to the VPN gateway 1b is determined by weighted round robin (weighted round robin).

  In the weighted round robin, each VPN connection is weighted (priority setting) in advance, and scheduling is performed so that more VPN connections having a higher weight (priority) are used. Specifically, in this embodiment, in the weighted round robin, the weight set in the VPN tunnel configuration table in step S204 is referred to and used. The transmission / reception unit 11 performs VPN connection 1 and VPN connection 4 for which weight 4 is set 4 times (4 slots), and VPN connection 2 for which weight 2 is set 2 times (2 slots) in one round robin. Scheduling is performed so that the VPN connection 3 with the weight 1 set is used once (one slot), and a VPN packet addressed to the VPN gateway 1b is transmitted in each slot.

For example, slots used for data transmission may be allocated to each VPN connection in the following order.
(1) Connection 1 → Connection 2 → Connection 3 → Connection 4 →
(2) Connection 1 → Connection 2 → Connection 4 →
(3) Connection 1 → Connection 4 →
(4) Return to connection 1 → connection 4 → (1)

  In step S206, it is determined whether a predetermined update time has elapsed. The VPN gateway 1a determines whether or not a predetermined update time has elapsed from the measurement of the speed of the VPN connection and the confirmation of the line status in step S202. If it is determined that the update time has not elapsed from the speed measurement of the VPN connection and the confirmation of the line status, the process returns to step S205. If it is determined that the update time has elapsed from the speed measurement of the VPN connection and the confirmation of the line status, the process returns to step S201. That is, in the processing shown in this flowchart, the speed of the VPN connection and the confirmation of the line status are performed at each update time, whereby the status of the VPN connection used in the VPN is updated (step S202), and the user data is transmitted. The weight of the VPN connection used for the update is updated (step S204). By doing in this way, according to the VPN system according to the present embodiment, it is possible to efficiently transmit user data based on the latest line status.

  Next, processing when a VPN connection with a poor line status (a VPN connection for which confirmation of the line status has failed) is found will be described. If the response to the KeepAlive packet times out in step S203, the usage suitability determination unit 18 determines that the line status of the VPN connection in which the timeout has occurred is bad. In this case, the process proceeds to step S207.

  In step S207, the tunnel is reconfigured. The priority setting unit 19 of the VPN gateway 1a performs a setting not to use (exclude from the use target) the VPN connection determined in step S203 by the use suitability judging unit 18 as the line condition is bad and unsuitable for use. Reconfigure the VPN tunnel. For example, when KeepAlive times out in the VPN connection 3, the priority setting unit 19 performs setting to exclude the VPN connection 3 from the target VPN connection used for VPN communication with the VPN gateway 1 b.

Furthermore, the priority setting unit 19 updates the weighting for each VPN connection other than the excluded VPN connection. For example, when the VPN connection 3 is excluded, the speed of the remaining VPN connection 1 is 20 msec, the speed of the VPN connection 2 is 40 msec, and the speed of the VPN connection 4 is 20 msec. As a weight, a value “2” is set for the VPN connection 1, a value “1” is set for the VPN connection 2, and a value “2” is set for the VPN connection 4. The VPN connection (path) excluded from the transmission side tunnel configuration may be used for redundancy by being designated as a backup line. The result of tunnel reconfiguration is stored in the VPN tunnel configuration table, and the process proceeds to step S201.

  In step S201, re-establishment of a VPN connection is attempted for a VPN connection with a poor line condition or a path where the VPN connection is disconnected. The connection establishment unit 14 of the VPN gateway 1a attempts to establish a VPN connection for the VPN connection excluded in step S207 and the path where the VPN connection is disconnected for other reasons. The specific establishment method of the VPN connection is the same as the establishment of the VPN connection described in step S102 except that the physical line on which the VPN connection is established is different.

  In other words, according to the data transmission process shown in this flowchart, a VPN connection with a bad line condition is periodically found and excluded from the use target, so that the communication quality is maintained and the excluded VPN connection is periodically You can try to re-establish the VPN connection.

  According to the VPN system according to the present embodiment, by setting a higher priority to a VPN connection with a higher speed and using weighted round robin, traffic is more efficiently allocated to the VPN connection, and the data transmission speed is increased. Can be increased. Here, when the speeds of the VPN connections are equal to each other, a higher speed can be expected by multiplexing the paths by round robin.

  Note that a method other than weighted round robin may be employed as an algorithm for determining the VPN connection used for transmission. For example, when a plurality of VPN connections whose communication speeds deviate by a predetermined value or more have been established, it is determined whether a higher-speed VPN connection or a lower-speed VPN connection is used for user data transmission. An option to be determined based on the original definition may be prepared, and a waiting VPN connection may be used as necessary. In addition, round robin that does not perform weighting may be adopted using other VPN connections as a determination method.

  Note that, when a plurality of VPN connections are bundled and used as one VPN tunnel as in the present embodiment, the arrival of packets may be influenced by the transfer speed of the VPN connection used for data transfer. That is, in the example shown in FIG. 1, packets that are sequentially transmitted from the terminal 2 a may be received by the terminal 2 b in an arrival order different from the transmission order. Such a problem of inconsistency in the data arrival order is, for example, when a protocol that does not perform sequence control such as UDP is used, or when a retransmission process is performed on the TCP transmission side, or when a high-speed retransmission process on the reception side in TCP Or when a selective acknowledgment is used.

In this embodiment, a VPN tunnel configuration algorithm is determined by weighted round robin. For this reason, the occurrence of such inconsistency in the data arrival order is suppressed, but when the inconsistency still occurs, it is preferable to deal with the inconsistency. Here, it is conceivable that the inconsistency in the data arrival order is dealt with in the host protocol of the terminal using data. However, the upper level protocol does not necessarily have a function corresponding to the inconsistency in the data arrival order. Therefore, in this embodiment, when encapsulating user data transmitted / received via a VPN connection, a sequence is added to the head of the data to cope with inconsistency in the data arrival order. Hereinafter, a method for dealing with inconsistencies in the data arrival order in this embodiment will be described with reference to FIG.

  FIG. 8 is a sequence diagram showing the flow of data transmission / reception in the present embodiment. The process shown in this sequence diagram is executed when the VPN gateway 1a starts transmission of user data shown in step S205 of the data transmission process (see FIG. 7). The specific contents and order of the processing shown in the sequence diagram are examples for carrying out the present invention. It is preferable that specific processing contents and order are appropriately selected according to the embodiment.

  In step S301 and step S302, a sequence is added to the packet, and a VPN packet is transmitted. When the VPN processing unit 12 of the VPN gateway 1a receives a packet addressed to the private network under the VPN gateway 1b from the private network under the VPN gateway 1a, the VPN processing unit 12 adds information for transferring the packet to the VPN gateway 1b to the received packet. Thus, a VPN packet (encapsulated packet) is created by encapsulating the received packet. Here, when the user data is encapsulated, the sequence adding unit 20 of the VPN gateway 1a adds a sequence indicating the order of the packets to the head of the data (step S301). When the VPN packet is created, the transmission / reception unit 11 of the VPN gateway 1a transmits the created VPN packet to the VPN gateway 1b via the plurality of VPN connections established by the connection establishment unit 14 (step S302). . At this time, the transmission / reception unit 11 transmits data to the other party's VPN gateway using the VPN connection according to the priority (see the description of the weighted round robin in step S205).

  In steps S303 to S306, the VPN gateway 1b on the data receiving side receives the VPN packet, decapsulates, sequence matching, and transfers the packet. The VPN gateway 1b that has received the VPN packet extracts the packet before being encapsulated from the received VPN packet (steps S303 and S304). Here, the VPN gateway 1b arranges a predetermined buffer time sequence (step S305). In other words, the VPN gateway 1b processes the received user data sequence as it is when it matches the actual reception order, but if the sequence is skipped, the sequence is not transferred without transferring the received packet. Holds a predetermined buffer time (for example, 20 milliseconds) from the reception time of a packet received by flying, and if data that matches the sequence arrives within that time, arranges the sequence and transfers it in the order indicated in the sequence To do.

Here, the predetermined buffer time is set to a time that gives only a delay that is acceptable for transmission / reception of packets between end-to-end. The degree of delay that can be tolerated for transmission / reception of packets between end-to-end differs depending on the upper level protocol or application that uses the data contained in the packet. Therefore, the predetermined buffer time may be set according to the upper level protocol or application. Good. In the present embodiment, the buffer time set here is the arrival time measured together with the speed in step S202 (it is necessary until the packet reaches the VPN gateway 1b after the packet is transmitted from the VPN gateway 1a in each VPN connection. Time) or an average value of arrival times. In the present embodiment, a value obtained by multiplying the arrival time (or its average value) by 2 is set as the buffer time. For example, when the arrival time is 10 milliseconds, the buffer time is 20 milliseconds (= 10 milliseconds * 2). However, the buffer time calculation method is not limited to the above-described example. For the calculation of the buffer time, it is preferable to employ a method suitable for the embodiment, such as a method of calculating by adding a predetermined time to the arrival time. In addition, the buffer time is the time (or the average value) required from when the packet is transmitted from the VPN gateway 1a in each VPN connection until the response packet from the VPN gateway 1b to the packet is received by the VPN gateway 1a. ) Etc. may be set by other methods, or an arbitrary value may be set by the administrator.

  If the arrival time of the VPN connection used earlier in the transmission order is longer than the arrival time of the VPN connection used later, the packet reception order is switched between the VPN connections and the transmission order almost every time. there is a possibility. In such a case, it is considered that an unarrived packet is received by waiting until the arrival time of the unarrived packet calculated based on the arrival time of the VPN connection used for transmission / reception of the unarrived packet. . Therefore, in such a case, the difference between the arrival time of the VPN connection used for transmission / reception of the unarrived packet and the arrival time of the VPN connection used for transmission / reception of the arrived packet is set as the predetermined buffer time. May be.

  When the sequence is prepared, the VPN gateway 1b transfers the extracted packet to the private network under the VPN gateway 1b (step S306).

  In step S307, a transmission algorithm change instruction is transmitted as necessary. The transmission / reception unit 11 of the gateway 1b transmits a transmission algorithm change instruction (notification) to the VPN gateway 1a when the mismatch between the sequence and the data arrival order matches a predetermined condition (step S307). In the present embodiment, when the sequence order cannot be maintained within a predetermined monitoring time in the VPN gateway 1b on the receiving side, in other words, a sequence mismatch exceeding a predetermined reference (threshold value) occurs in the predetermined monitoring time. If so, the VPN gateway 1b transmits to the VPN gateway 1a a notification instructing to change the transmission algorithm of the VPN gateway 1a on the transmission side.

  In the present embodiment, it is determined whether or not a packet retransmission request generated during a predetermined monitoring time (for example, 1 minute) is equal to or greater than a predetermined reference (for example, 5). “1” may be set as the predetermined reference. In VPN, since all packets flowing through VPN are encapsulated, a specific packet can be detected by referring to the contents of the packet. By limiting the types of packets to be detected to specific packets, packet transfer delay (latency) associated with packet detection processing can be suppressed. In this embodiment, a retransmission request packet is detected from a received packet, and a transmission algorithm change instruction is transmitted when the number of retransmission requests detected within a predetermined monitoring time is equal to or greater than a predetermined reference. However, the detected packet may be a packet transmitted when a delay occurs, and is not limited to a retransmission request packet. Note that the monitoring time may be set to be automatically shortened when TCP suck or high-speed retransmission processing is observed.

  In step S308 and step S309, an instruction to change the algorithm is received, and the transmission algorithm is changed. The transmission / reception unit 11 of the VPN gateway 1a receives the algorithm change instruction transmitted by the VPN gateway 1b (step S308). Upon receiving the change instruction, the priority setting unit 19 of the VPN gateway 1a changes the VPN packet transmission algorithm to an algorithm in which data arrival order mismatch is less likely to occur (step S309).

For example, the priority setting unit 19 of the VPN gateway 1a changes the VPN tunnel configuration table referred to in the above-described weighted round robin, thereby causing the VPN packet transmission algorithm to be more inconsistent in the data arrival order. It can be changed to a difficult algorithm. As a method for changing the VPN tunnel configuration table, there is, for example, a method of excluding the slowest connection or a connection slower than a predetermined threshold and reconfiguring the weight. Since connection exclusion and weight reconfiguration are the same as the processing described in step S207, description thereof is omitted. The VPN gateway 1a that has received the notification may change MSS (Maximum Segment Size) or MTU (Maximum Transmission Unit) as a change in the VPN packet transmission algorithm.

<System configuration variations>
In the present embodiment, the VPN system has been described in which a VPN connection is established between VPN gateways and communication between networks under the VPN gateway is performed via the VPN. However, according to the present invention, a VPN connection is established between terminals and communication between the terminals is performed via the VPN, or a VPN connection is established between the terminal and the VPN gateway so that the terminal and the VPN gateway are under control. The present invention may be applied to a VPN system in which communication with a network is performed via VPN.

  When the VPN connection is once a terminal, the transmission / reception unit of the terminal transmits / receives the encapsulated VPN packet to / from a partner apparatus (VPN gateway or terminal) of the VPN connection connected via the network. . Further, the VPN processing unit of the terminal encapsulates the packet transmitted from the own device, and the packet before the encapsulation processing from the VPN packet (encapsulated packet) received from the partner device of the VPN connection. And a packet extraction process for extracting.

DESCRIPTION OF SYMBOLS 1a, 1b VPN gateway 11 Transmission / reception part 12 VPN process part 13 Information acquisition part 14 Connection establishment part 15 Information exchange part 16 Path | route identification part 17 Communication speed measurement part 18 Use appropriateness judgment part 19 Priority setting part 20 Sequence addition part

Claims (10)

An information processing apparatus connected to a network via a first physical line and a second physical line,
Via the first physical line, establish a plurality of logical connections with each of a plurality of physical lines that other information processing apparatuses have to the network, and further via the second physical line. A connection establishment means for establishing a plurality of logical connections with each of the plurality of physical lines of the other information processing apparatus;
Priority setting means for setting a priority for each of a plurality of logical connections established by the connection establishing means ;
Data transmitting means for transmitting the data to the other information processing apparatus by using the plurality of logical connections in an order such that the higher priority logical connections are used more frequently ;
Sequence adding means for adding a sequence to data transmitted by the data transmitting means;
A notification receiving means for receiving a notification transmitted from the other information processing apparatus when a mismatch between the sequence and the data arrival order in the other information processing apparatus meets a predetermined condition;
The priority setting means resets the priority in response to receiving the notification;
Information processing apparatus. A communication speed measuring means for measuring a communication speed for each of the plurality of logical connections;
The priority setting means sets a priority for each of the plurality of logical connections based on the communication speed;
The information processing apparatus according to claim 1 . The logical connection further comprises use propriety judging means for judging suitability for use in data transmission by the data sending means,
The priority setting means sets a priority for each of the plurality of logical connections excluding the logical connection determined to be unsuitable for use by the use suitability determining means;
The information processing apparatus according to claim 1 or 2 . Line information acquisition means for acquiring line information of physical lines of the information processing apparatus and the other information processing apparatus;
Based on the line information, as a path that can be used for establishing the logical connection, a plurality of paths between each of the plurality of physical lines that the other information processing apparatus has via the first physical line And a plurality of paths between each of the plurality of physical lines possessed by the other information processing apparatus via the second physical line, and a path specifying means for specifying the path,
The connection establishing means establishes the logical connection in the route specified by the route specifying means;
The information processing apparatus according to any one of claims 1 to 3 . Line information exchanging means for exchanging line information of physical lines of the information processing apparatus and the other information processing apparatus via the established logical connection after at least one logical connection is established by the connection establishing means; In addition,
The route specifying means specifies the route based on the line information acquired by the line information acquisition means and the line information exchanged by the line information exchange means;
The information processing apparatus according to claim 4 . The information processing device is a gateway device that mediates communication between a managed network and a network managed by another gateway device,
Receiving means for receiving a packet transmitted from a transmission source terminal belonging to the managed network;
Encapsulating means for encapsulating the packet received by the receiving means by adding information for transferring the packet to the other gateway device;
Further comprising
The data transmission means transmits the packet encapsulated by the encapsulation means to the other gateway device.
The information processing apparatus according to any one of claims 1 to 5 . A computer connected to the network via the first physical line and the second physical line,
Through the first physical line, establish a plurality of logical connections with each of a plurality of physical lines that other computers have to the network, and further, via the second physical line, Establishing a plurality of logical connections with each of the plurality of physical lines of the other computer; and
A priority setting step for setting a priority for each of the plurality of logical connections established in the connection establishing step ;
A data transmission step of transmitting data to the other computer using the plurality of logical connections in an order such that the higher priority logical connections are used more frequently ;
A sequence addition step of adding a sequence to the data transmitted in the data transmission step;
A notification receiving step of receiving a notification transmitted from the other computer when a mismatch between the sequence and the data arrival order in the other computer matches a predetermined condition;
In the priority setting step, upon receiving the notification, the priority is reset.
Communication method.   The computer is
  A line information acquisition step of acquiring line information of physical lines of the computer and the other computer;
  A plurality of paths between each of the plurality of physical lines possessed by another computer via the first physical line as paths that can be used for establishing the logical connection based on the line information. And a path specifying step for specifying a plurality of paths between each of the plurality of physical lines of the other computer via the second physical line, and
  In the connection establishing step, the logical connection is established in the route specified in the route specifying step.
  The communication method according to claim 7. To a computer connected to the network via the first physical line and the second physical line,
Through the first physical line, establish a plurality of logical connections with each of a plurality of physical lines that other computers have to the network, and further, via the second physical line, Establishing a plurality of logical connections with each of the plurality of physical lines of the other computer; and
A priority setting step for setting a priority for each of the plurality of logical connections established in the connection establishing step ;
A data transmission step of transmitting data to the other computer using the plurality of logical connections in an order such that the higher priority logical connections are used more frequently ;
A sequence addition step of adding a sequence to the data transmitted in the data transmission step;
A notification receiving step of receiving a notification transmitted from the other computer when an inconsistency between the sequence and the data arrival order in the other computer meets a predetermined condition;
In the priority setting step, upon receiving the notification, the priority is reset.
Through credit program.   In the computer,
  A line information acquisition step of acquiring line information of physical lines of the computer and the other computer;
  A plurality of paths between each of the plurality of physical lines possessed by another computer via the first physical line as paths that can be used for establishing the logical connection based on the line information. And a path specifying step for specifying a plurality of paths between each of the plurality of physical lines of the other computer via the second physical line, and
  In the connection establishing step, the logical connection is established in the route specified in the route specifying step.
  The program for communication according to claim 9.

Images