JP5893546B2 - Network system, communication control method, communication control apparatus, and communication control program - Google Patents

Description

  The present invention relates to a network system, a communication control method, a communication control apparatus, and a communication control program.

  Conventionally, a home gateway (HGW) is used in order to realize a new service in a home network (HNW: Home Network) constructed at a user's home. However, HGWs (or broadband routers, etc.) are required to be manufactured at low cost in order to spread them throughout the city, and there are severe restrictions on computer resources such as CPU, memory, hard disk, and performance. -It is also difficult to expand the functions by connecting external devices.

  Therefore, in recent years, with the development of virtualization technology, a technology for virtualizing the HGW has been studied. This technology operates a virtualized HGW on a data center or the like to which cloud computing technology capable of expanding / degrading computer resources on demand is used. It is released and it becomes possible to further expand the performance and function of the HGW.

  In the above-described HGW virtualization technology, the home network on the user's home side (hereinafter referred to as RHNW: Real Home Network) where the HGW has been placed and the RHNW are located at remote locations and virtualized. A network for users on the data center side (hereinafter referred to as VHNW: Virtual Home Network) in which HGW (hereinafter referred to as VHGW: Virtual Home Gateway) is arranged is, for example, a layer 2 tunneling technique. Connected with. This is because RHNW and VHNW can be handled as networks of the same segment in layer 2 to which Ethernet (registered trademark) or the like is applied.

Daniel Abgrall, Orange, "Virtual Home Gateway", EURESCOM, [online], [searched November 2, 2012], Internet <http://archive.eurescom.eu/~pub/deliverables/documents/P2000-series /P2055/D1/P2055-D1.pdf>

  However, in the above-described conventional technology, communication efficiency may be reduced when accessing the Internet. For example, when a terminal included in the RHNW accesses the Internet via the VHGW, communication efficiency may be reduced.

  Therefore, the technology according to the present application has been made in view of the above-described problems of the prior art, and it is possible to reduce a decrease in communication efficiency in accessing the Internet, a network control device, a communication control, and the like. It is an object to provide a program and a communication control method.

  In order to solve the above-described problems and achieve the object, a network system according to the present application includes a first device in a first network, a second network connected to the first network, and an external network. A network system comprising a second device, wherein the first device is configured such that a destination of communication data received from a terminal in the first network is in the second network, or An identification unit for identifying whether the network is an external network, and when the destination of the communication data identified by the identification unit is within the second network, at least an encryption process and the second If the destination of the communication data identified by the identification unit is the external network Includes: a first tunneling processing unit that executes a capsuling process for tunnel communication with the second device on the communication data; and communication data that has been processed by the first tunneling processing unit A first communication unit that transmits to the first device, wherein the second device receives the communication data transmitted from the first device and cancels the processing by the first tunneling processing unit. And a second communication unit that transmits the communication data released by the second tunneling process to a destination of the communication data.

  A network system, a communication control method, a communication control apparatus, and a communication control program according to the present application make it possible to reduce a decrease in communication efficiency in accessing the Internet.

FIG. 1 is a diagram illustrating an example of a configuration of a network system according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of the CPE according to the first embodiment. FIG. 3 is a diagram for explaining destination identification processing and tunneling processing by the CPE according to the first embodiment. FIG. 4 is a diagram illustrating an example of the configuration of the VHGW according to the first embodiment. FIG. 5 is a diagram illustrating an example of the configuration of the VHGW according to the first embodiment. FIG. 6 is a diagram schematically illustrating an overview of the network system according to the first embodiment. FIG. 7 is a sequence diagram for explaining the procedure of the first processing of the network system according to the first embodiment. FIG. 8 is a sequence diagram for explaining the procedure of the second process of the network system according to the first embodiment. FIG. 9 is a diagram illustrating a modification of the configuration of the CPE and the VHGW according to the first embodiment. FIG. 10 is a diagram for explaining a modification of the network system according to the first embodiment. FIG. 11 is a diagram illustrating an example of the configuration of the CPE according to the second embodiment. FIG. 12 is a diagram illustrating an example of a target of the confidential processing by the confidential processing unit according to the second embodiment. FIG. 13 is a diagram illustrating an example of the configuration of the VHGW according to the second embodiment. FIG. 14 is a sequence diagram for explaining the procedure of the first process of the network system according to the second embodiment. FIG. 15 is a sequence diagram for explaining the procedure of the second process of the network system according to the second embodiment. FIG. 16 is a diagram schematically illustrating an overview of a network system according to the third embodiment. FIG. 17 is a diagram illustrating an example of a configuration of a network system according to the third embodiment. FIG. 18 is a diagram for explaining an example of IP encapsulation processing according to the fourth embodiment. FIG. 19 is a diagram illustrating a computer that executes a communication control program according to the fourth embodiment.

  Exemplary embodiments of a network system, a communication control method, a communication control apparatus, and a communication control program according to the present application will be described below in detail with reference to the accompanying drawings. Note that the network system, the communication control method, the communication control apparatus, and the communication control program according to the present application are not limited to the following embodiments.

(First embodiment)
First, the network system according to the first embodiment will be described. Hereinafter, an example of the configuration of the network system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining an example of a configuration of a network system 1 according to the first embodiment. As shown in FIG. 1, for example, the network system 1 according to the first embodiment includes a home network (RHNW) 2 constructed in a user's home and a data center (DC: Data Center) 10. The network system 1 includes, for example, a network device (CPE: Customer Premises Equipment) 100 on the RHNW 2 and a VHGW 200 on the VHNW 3 constructed in the DC 10 via a closed network such as an access network or a network 4 such as the Internet. Is connected.

  For example, a terminal is connected to the RHNW 2 in addition to the CPE 100. In addition to the VHGW 200, for example, the VHNW 3 is configured with a communication device such as a virtual service AP (virtual application server) or a virtual storage (virtual storage server). In the network system 1, the CPE 100 and the VHGW 200 are L2 tunnel connected, so that the RHNW2 and the VHNW3 are made into the same subnet (same segment). Thereby, RHNW2 in a user's house and VHNW3 in DC10 in a remote base can be used as one home network.

  As described above, since the VHNW 3 is arranged in the DC 10, the network system 1 is free from computer resource restrictions and can easily expand the performance and function as a home gateway by using a virtualization technology or the like. Here, in such a network system 1, even when a device in the VHNW 3 (for example, a virtual service AP or a virtual storage) is accessed from a terminal in the RHNW 2, a device on the Internet is accessed from the terminal in the RHNW 2. In this case, the same L2 (Layer 2: Data link layer or second layer of OSI reference model) tunnel is used.

  As described above, in the network system 1, the RHNW 2 and the VHNW 3 are connected via an L2 tunnel over the network 4 such as an access network or the Internet. Therefore, for example, when the DC 10 is located on the Internet (constructing an L2 tunnel on the Internet), a secure L2VPN (L2 Virtual Private Network) to which encryption or the like is applied is applied as a tunneling technique. It is common.

  Here, in the prior art, when a terminal in the RHNW2 accesses a device in the VHNW3 or when a terminal in the RHNW2 accesses a device on an external network such as the Internet different from the VHNW3, it is constructed by the L2VPN. Via the L2 tunnel. For example, accessing a device in the VHNW3 from the RHNW2 is the same as accessing a communication device in the same home network from a terminal in the home network when compared with a conventional home network. Therefore, it is desirable to conceal the communication contents related to this access from the outside of the home network. Therefore, from the RHNW 2 to the VHNW 3 using the L2 tunnel constructed by the secure L2VPN in which the communication path is encrypted or the like as it is. It is desirable to access.

  On the other hand, in a network environment such as the network system 1, when accessing a communication device on the Internet from the RHNW 2, it is necessary to go through the VHNW 3 in which a gateway to the Internet is arranged, so that it passes through the L2 tunnel. . In other words, even when accessing the Internet, it passes through a tunnel constructed by a uniform L2VPN. In such a case, since the communication goes out to the Internet in the first place, even if the communication content is not required to be encrypted, the communication goes through the secure L2VPN. The communication performance is degraded. Further, in communication through the L2 tunnel, overhead is generated by the amount corresponding to the header size for tunneling (IP encapsulation), the data size that can be transmitted in one communication is reduced, and communication efficiency is lowered. The cost related to the communication processing needs to be suppressed as much as possible.

  Therefore, in the network system 1 according to the first embodiment, it is possible to reduce a decrease in communication efficiency in accessing the Internet by processing of the CPE 100 and the VHGW 200 described in detail below. Note that the CPE 100 and the VHGW 200 according to the first embodiment have an address management function such as IPv4 and / or IPv6 as shown in FIG.

  Details of the CPE 100 and the VHGW 200 will be described below. First, a case will be described in which the communication device (terminal) in the RHNW2 is a transmission source and the destination is a communication device (virtual service AP or virtual storage) in the VHNW3 or a communication device on the Internet. FIG. 2 is a diagram illustrating an example of the configuration of the CPE 100 according to the first embodiment.

  As illustrated in FIG. 2, the CPE 100 includes a communication unit 110, a destination identification unit 120, a determination unit 130, and a tunneling processing unit 140. The communication unit 110 is, for example, a LAN (Local Area Network) interface, a WAN (Wide Area Network) interface, and the like. The communication data 110 includes L2 frames and L3 (Layer 3: OSI reference model network layer) included therein. Or the third layer) packet transmission / reception. Specifically, the communication unit 110 executes communication after processing by the tunneling processing unit 140 described later with the VHGW 200 that is a tunnel opposite terminal device. The communication unit 110 includes a switch, a hub, a bridge function, and the like.

  The destination identifying unit 120 is configured such that the destination of communication from the terminal included in the RHNW2 is in the VHNW3 which is a network on the opposite side of the tunnel or is different from the home network (the same L2 segment network including the RHNW2 and the VHNW3). Identify whether it is an external network such as the Internet. Specifically, the destination identifying unit 120 identifies whether the destination of the L2 frame or packet from the terminal in the RHNW2 is in the VHNW3 or the Internet. FIG. 3 is a diagram for explaining destination identification processing and tunneling processing by the CPE 100 according to the first embodiment. Information unnecessary for explanation is omitted.

  Here, in FIG. 3, (A) of FIG. 3 shows an L2 frame received from a terminal in RHNW2. FIG. 3B shows an example of the structure of a packet constituting the L2VPN when the packet destination is a communication device in the VHNW3. 3 shows an example of the structure of a packet in the L2VPN when the destination of the packet is a communication device on the Internet. The details of (B) and (C) in FIG. 3 will be described when the tunneling processing unit 140 is described.

  For example, as shown in FIG. 3A, an L2 frame received from a terminal includes a payload, a TCP or UDP destination port number, a TCP or UDP source port number, a destination IP address, and a source It includes an IP address, a destination MAC address, and a source MAC address. Note that in communication not using TCP or UDP, the destination port number and the source port number are not included.

  For example, when the communication unit 110 receives the L2 frame or packet shown in FIG. 3A, the destination identifying unit 120 identifies the destination at the L2 frame level or the L3 packet level. For example, when identifying at the L2 frame level, the destination identifying unit 120 refers to the destination MAC address of the received L2 frame, and the stored MAC address is addressed to the communication device in the VHNW3, or , The communication device on the Internet (that is, the MAC address of the gateway device to the Internet) is identified. Here, the destination identifying unit 120 can also identify a destination by using MAC address learning provided in the L2 switch function of the communication unit 110.

  In such a case, for example, the destination identification unit 120 stores the switch port and the MAC address of the communication device to which the port is connected in association with each other by MAC address learning by the communication unit 110. The destination can be specified using the MAC address information. For example, the destination identifying unit 120 specifies a communication destination in the VHNW 3 with the MAC address stored in association with the port used for the L2 tunnel as the destination MAC address. This method is a useful identification method also in terms of processing load after learning the MAC address of the communication device in the home network (L2 network of the same segment consisting of RHNW2 and VHNW3) by MAC address learning.

  Further, for example, when identifying at the packet level of L3, the destination identifying unit 120 refers to the destination IP address of the received packet and determines whether the stored IP address is addressed to the communication device in the VHNW3. Alternatively, it is identified whether it is addressed to a communication device on the Internet. For example, the destination identifying unit 120 determines whether the stored IP address is a private address in the home network (the L2 network in the same segment including RHNW2 and VHNW3) or a global address of the external network of the home network. , Identify the destination. Note that any one of the identification methods described above may be used, or a combination of a plurality of identification methods may be used.

  The destination identifying unit 120 can identify a communication device (terminal) in the RHNW 2 as a destination in addition to the communication device in the VHNW 3 and the communication device on the Internet using the above-described identification method.

  Returning to FIG. 2, the determination unit 130 determines processing according to the destination identified by the destination identification unit 120. For example, when the destination of the L2 frame or packet received from the transmission source terminal is identified as a communication device in the VHNW3, the determination unit 130 executes L2VPN in the L2 tunneling process on the received L2 frame. judge. That is, the determination unit 130 determines to execute security processing such as encryption / authentication / signature and L2 encapsulation processing (IP encapsulation processing for the L2 frame) on the received L2 frame. For example, the determination unit 130 determines to execute a process combining L2TPv3 (L2 Tunneling Protocol version 3) and IPSec or a process based on OpenVPN (registered trademark) on the received L2 frame.

  For example, when the destination of the L2 frame or packet received from the transmission source terminal is identified as a communication device on the Internet, the determination unit 130 performs the L2 tunneling process on the received L2 frame or packet. It is determined that only the L2 encapsulation process (IP encapsulation process) is executed.

  For example, when the destination of the L2 frame received from the transmission source terminal is identified as the communication device in the RHNW2, the determination unit 130 performs the L2 frame processing on the received L2 frame by the switch or bridge function. Judge to transfer.

  The tunneling processing unit 140 executes the L2 tunneling process determined by the determination unit 130. Specifically, when the destination of communication from the terminal is in VHNW3, tunneling processing unit 140 performs security processing such as encryption of the entire L2 frame that is communication content for communication and L2 encapsulation processing. If the destination of communication from the terminal is an external network, L2 encapsulation processing is executed for communication.

  For example, when it is determined that security processing such as encryption / authentication / signature and L2 encapsulation processing are executed on the received L2 frame, the tunneling processing 140 is performed as shown in FIG. The L2 frame is encrypted using the L2VPN encryption target part, and the L2 tunnel header and other headers, the destination IP address, and the source IP address are added. Here, the L2 tunnel header and other headers may be used as an area for storing identification information for identifying the L2VPN. For example, the tunneling processing unit 140 stores the determination result of the determination unit 130 and information indicating the processing content executed by itself in the L2 tunnel header and other headers. The added destination IP address is an area in which the global address of the tunnel terminating device on the VHGW 200 side is stored. The added source IP address is an area in which the global address of the tunnel termination device on the CPE 100 side is stored.

  For example, when it is determined that only the L2 encapsulation process is performed on the received L2 frame, the tunneling processing unit 140 includes a tunnel header in the L2 frame as illustrated in FIG. And other headers, a destination IP address, and a source IP address are added.

  In addition, when it is determined that the received L2 frame is transferred by the L2 switch or the bridge function by the processing of the L2 layer, specifically, when the destination is in the same RHNW2, the tunneling processing unit 140 is special. Does not execute any processing.

  The communication unit 110 transmits the packet processed by the tunneling processing unit 140 to the VHGW 200. In addition, the communication unit 110 transfers the packet to the communication device in the RHNW2 using an L2 switch or a bridge function.

  Next, processing by the VHGW 200 will be described. FIG. 4 is a diagram illustrating an example of the configuration of the VHGW 200 according to the first embodiment. As illustrated in FIG. 4, the VHGW 200 includes a communication unit 210 and a tunneling processing unit 240. The communication unit 210 is a LAN interface, a WAN interface, or the like, and transmits and receives L2 frames and packets. Specifically, the communication unit 210 receives a packet subjected to the L2 tunneling process from the CPE 100 via the L2 tunnel. Further, the packet after processing by the tunneling processing unit 240 described later is transmitted to the VHNW 3 or the Internet.

  The tunneling processing unit 240 receives the communication from the opposite side of the L2 tunnel and identifies the processing applied to the communication, and cancels the security processing such as encryption for the entire communication content and the L2 capsuling processing, or the communication Releases L2 encapsulation. Specifically, the tunneling processing unit 240 establishes an L2 tunnel connection with the CPE 100 and refers to identification information stored in the L2 tunnel header of the packet received via the tunnel or other headers. The corresponding L2 tunneling process is canceled and the packet is taken out.

  As described above, the communication unit 210 performs communication destined for VHNW3 or the Internet in a state where security processing such as encryption and L2 encapsulation processing or L2 encapsulation processing is released.

  In the above-described example, the case where the terminal in the RHNW 2 is a transmission source terminal and a packet is transmitted from the CPE 100 to the VHGW 200 has been described. Next, the case of packet communication from a communication device in VHNW3 or a communication device in an external network such as the Internet to a communication device in RHNW2 will be described. FIG. 5 is a diagram illustrating an example of the configuration of the VHGW 200 according to the first embodiment. Here, in FIG. 5, a transmission source identification unit 220 and a determination unit 230 are newly added to the VHGW 200 illustrated in FIG. 4, and new functions are added to the communication unit 210 and the tunneling processing unit 240.

  When transmitting a packet from a communication device in VHNW3 or a communication device in an external network such as the Internet to a communication device in RHNW2, communication unit 210 receives the packet from the communication device in VHNW3 or on the Internet. And the packet after the process of the tunneling process part 240 mentioned later is transmitted with respect to CPE100.

  The transmission source identification unit 220 identifies the transmission source of the L2 frame or packet received by the communication unit 210. Specifically, the transmission source identifying unit 220 is based on the transmission source MAC address of the L2 frame and the transmission source IP address of the packet received by the communication unit 210, or the transmission source is a communication device in the VHNW3, or Identify whether the communication device is on the Internet (see FIG. 3A). That is, similar to the destination identifying unit 120 of the CPE 100, the transmission source is identified at the L2 frame level or the L3 packet level. Note that the transmission source identification unit 220 also performs identification of a transmission source using MAC address learning by the communication unit 210, similarly to the destination identification unit 120. The transmission source identifying unit 220 identifies whether the destination of the received L2 frame or packet is addressed within the RHNW2 or VHNW3 based on the destination MAC address or the destination IP address, and the L2 frame identified as addressed within the RHNW2 Alternatively, the above identification is performed on the packet.

  The determination unit 230 determines the L2 tunneling process corresponding to the transmission source identified by the transmission source identification unit 220. Specifically, when the transmission source of the received L2 frame or packet is identified as a communication device in VHNW3, determination unit 230 determines to execute L2VPN on the received L2 frame. That is, the determination unit 230 determines to execute security processing such as encryption / authentication / signature and L2 encapsulation processing on the L2 frame.

  Also, for example, when the transmission source of the received L2 frame or packet is identified as a communication device on the Internet, the determination unit 230 determines that only the L2 encapsulation process is performed on the received L2 frame. .

  Further, for example, when the source and destination terminals of the received L2 frame or packet are identified as a communication device in the VHNW3, the determination unit 230 converts the received L2 frame to the L2 switch or bridge function. Judgment to transfer in level processing.

  When the destination is in RHNW2 and the transmission source terminal is in VHNW3, tunneling processing unit 240 executes security processing such as encryption of the entire communication content and L2 encapsulation processing for communication, When the terminal is in an external network, L2 encapsulation processing is executed for communication. Specifically, the tunneling processing unit 240 performs the process determined by the determination unit 230 on the received L2 frame.

  For example, when it is determined that security processing such as encryption / authentication / signature and L2 encapsulation processing are executed on the received L2 frame, the tunneling processing 240 encrypts the L2 frame as an encryption target portion of the L2VPN. The L2 tunnel header and other headers, the destination IP address, and the source IP address are added (see (B) of FIG. 3). Here, the tunneling processing unit 240 may store the determination result of the determination unit 230 and information indicating the processing content executed by itself in the L2 tunnel header or other headers.

  For example, when it is determined that only the L2 encapsulation process is performed on the received L2 frame, the tunneling processing unit 240 adds the L2 tunnel header and other headers, the destination IP address, and the L2 frame. And a source IP address are added (see FIG. 3C). In addition, when it is determined that the received L2 frame is transferred by the L2 switch or the bridge function by the L2 level process, the tunneling processing unit 240 does not perform a special process. Then, the communication unit 210 transmits the packet processed by the tunneling processing unit 240 to the CPE 100. In addition, the communication unit 210 transfers data by a switch function or the like in the case of communication from a communication device in the VHNW3 to a communication device in the same VHNW3, and in the case of communication from a communication device on the Internet to a communication device in the VHNW3. IP routing.

  Next, the CPE 100 when a packet is transmitted from a communication device in the VHNW 3 or a communication device in an external network such as the Internet to the communication device in the RHNW 2 will be described. In this case, the CPE 100 includes at least a communication unit 110 and a tunneling processing unit 140. Therefore, description will be made below with reference to FIG.

  In such a case, the communication unit 110 receives a packet subjected to the L2 tunneling process from the VHGW 200 via the L2 tunnel. Further, the packet after processing by the tunneling processing unit 140 described later is transmitted in the RHNW2.

  The communication unit 110 receives the communication data from the VHGW 200, and the tunneling processing unit 140 identifies the process being performed for the communication, and performs security processing such as encryption and L2 encapsulation processing for the entire received communication content. The cancellation or the cancellation of the L2 encapsulation process for the communication data is executed to extract the L2 frame or packet. The communication unit 110 executes communication with the destination in the RHNW2 in a state where security processing such as encryption and L2 encapsulation processing, or L2 encapsulation processing is released.

  As described above, in the network system 1 according to the first embodiment, in communication in which the communication device in the RHNW 2 is the transmission source, communication is performed by the CPE 100 through the L2 tunnel using the secure L2VPN based on the communication destination. Or it is determined whether communication is performed through an L2 tunnel based on simple encapsulation. Further, in the network system 1 according to the first embodiment, in communication in which the communication device of the VHNW 3 or the external network is a transmission source and the destination is a communication device in the RHNW 2, the VHGW 200 is based on the communication transmission source. Thus, it is determined whether communication is performed using an L2 tunnel based on secure L2VPN or communication is performed using an L2 tunnel based on simple encapsulation. FIG. 6 is a diagram schematically illustrating an overview of the network system 1 according to the first embodiment.

  As shown in FIG. 6, in the packet communication route, when the communication terminal in the RHNW2 is the transmission source and the destination is the VHNW3, the network system 1 communicates with the L2 tunnel using a secure VPN such as L2VPN. Execute. On the other hand, when the destination is the Internet side, the network system 1 executes communication using the L2 tunnel by IP encapsulation such as L2 encapsulation. Therefore, the network system 1 according to the first embodiment is regarded as communication in the same home network when accessing from the RHNW2 to the VHNW3, and is indispensable when accessing the Internet from the RHNW2 while establishing secure communication. It is possible to reduce a decrease in communication efficiency in accessing the Internet by not performing encryption or the like that is not performed. Note that the network system 1 according to the first embodiment can cope with communication within the RHNW 2 using a switch function or the like.

  Also, as shown in FIG. 6, in the packet communication route, when the destination is a communication device in the RHNW2, when the transmission source is the VHNW3, the network system 1 uses the secure VPN such as L2VPN and the L2 Execute communication by tunnel. On the other hand, when the transmission source is the Internet side, the network system 1 executes communication using the L2 tunnel by IP encapsulation such as L2 encapsulation. Therefore, the network system 1 according to the first embodiment is regarded as communication in the same home network when accessing the RHNW2 from the VHNW3, and is indispensable when accessing the RHNW2 from the Internet while establishing secure communication. By not performing encryption or the like, it is possible to reduce a decrease in communication efficiency in access from the Internet. Note that the network system 1 according to the first embodiment can cope with access from the VHNW 3 to the Internet, access from the Internet to the VHNW 3, and communication within the VHNW 3 using a switch function, a routing function, or the like.

  Next, a processing procedure of the network system 1 according to the first embodiment will be described with reference to FIGS. 7 and 8. FIG. 7 is a sequence diagram for explaining the procedure of the first process of the network system 1 according to the first embodiment. FIG. 8 is a sequence diagram for explaining the procedure of the second process of the network system according to the first embodiment. FIG. 7 shows a processing procedure in communication from the CPE 100 to the VHGW 200. FIG. 8 shows a processing procedure in communication from the VHGW 200 to the CPE 100.

  In communication from the CPE 100 to the VHGW 200, as shown in FIG. 7, in the network system 1 according to the first embodiment, when the communication unit 110 of the CPE 100 receives an L2 frame or packet (step S101), the destination identifying unit 120 The destination is determined (step S102). Here, when the destination is addressed to VHNW3 (Yes at Step S103), the tunneling processing unit 130 executes secure L2 tunneling processing such as L2VPN, and the communication unit 110 transmits a packet to the VHGW 200 ( Step S104).

  On the other hand, when the destination is not the address addressed to VHNW3 in step S103 (No in step S103), the tunneling processing unit 130 executes a simple L2 tunneling process such as an L2 encapsulation process, and the communication unit 110 Transmits a packet to the VHGW 200 (step S105). If the destination is in RHNW2, it is transferred by a switch function or the like.

  In the VHGW 200, when the communication unit 210 receives the packet (step S106), the tunneling processing unit 240 refers to the identification information and the like to cancel the L2 tunneling process corresponding to the implemented L2 tunneling process, and Is acquired (step S107). Then, the communication unit 210 transmits a packet to the destination (step S108).

  Next, in communication from the VHGW 200 to the CPE 100, as shown in FIG. 8, in the network system 1 according to the first embodiment, when the communication unit 210 of the VHGW 200 receives an L2 frame or packet (step S201), the destination is For the communication addressed to RHNW2, the transmission source identification unit 220 determines the transmission source (step S202). Here, when the transmission source is in VHNW3 (Yes in step S203), the tunneling processing unit 230 executes secure L2 tunneling processing such as L2VPN, and the communication unit 210 transmits a packet to the CPE 100. (Step S204). Note that the transmission source identification unit 220 may identify the destination of the packet received by the communication unit 210 of the VHGW 200.

  On the other hand, in step S203, if the transmission source is an external network that is not in VHNW3 (No in step S203), the tunneling processing unit 230 executes simple L2 tunneling processing such as L2 encapsulation processing to perform communication. The unit 210 transmits a packet to the CPE 100 (step S205).

  When the communication unit 110 receives the packet (step S206), the CPE 100 refers to the identification information and the like, and executes the cancellation of the L2 tunneling process corresponding to the implemented L2 tunneling process. Is acquired (step S207). Then, the communication unit 110 transmits a packet to the destination (step S208).

  In the first embodiment described above, communication from the RHNW2 side to the VHNW3 side and communication from the VHNW3 side to the RHNW2 side have been described separately. However, when bidirectional communication occurs, the CPE 100 and the VHGW 200 are provided. The configuration may be equivalent. FIG. 9 is a diagram illustrating a modification of the configuration of the CPE 100 and the VHGW 200 according to the first embodiment. For example, as shown in FIG. 9, the CPE 100 and the VHGW 200 have the same configuration, and execute bidirectional communication.

  Further, in the first embodiment described above, the case where the network system 1 is connected to the Internet via the VHGW 200 has been described. However, the embodiment is not limited to this, and may be connected to the Internet via the CPE 100, for example. FIG. 10 is a diagram for explaining a modification of the network system 1 according to the first embodiment.

  For example, as shown in FIG. 10, when the Internet is connected from the CPE 100, the RHNW2, the VHNW3, the CPE 100, and the VHGW 200 are configured as follows. That is, the configuration is symmetric based on the configuration of FIG. 6 and “access network / Internet”. The RHNW2 has the same configuration as the VHNW3 described above. That is, a service AP and a storage device are connected to the RHNW 2 (see FIG. 1). Further, VHNW3 has the same configuration as RHNW2 described above. That is, a terminal is connected to VHNW 3 (see FIG. 1).

  The CPE 100 has the same configuration as the VHGW 200 described above. That is, at least each unit having functions similar to those of the communication unit 210 and the tunneling processing unit 240 (see FIG. 4) is provided, and each unit having functions similar to those of the transmission source identification unit 220 and the determination unit 230 is also provided. Good (see FIG. 5). The CPE 100 can route the IPv4 Internet, the IPv6 Internet, or both of these Internets.

  The VHGW 200 has the same configuration as the CPE 100 described above. That is, each unit having the same functions as the communication unit 110, the transmission source identification unit 120, the determination unit 130, and the tunneling processing unit 140 is provided (see FIG. 2).

  In the modification according to the first embodiment, the RHNW2, VHNW3, CPE100, and VHGW200 having the above-described configuration are used to determine whether L2VPN or L2 encapsulation is performed according to each packet communication route as shown in FIG. Judgment is made and communication by the L2 tunnel is executed.

[Effect of the first embodiment]
As described above, according to the first embodiment, the network system 1 is a network system including the CPE 100 included in the RHNW 2 and the VHGW 200 included in the VHNW 3 connected to the RHNW 2 and the L2 tunnel, The identification unit 120 identifies whether the communication destination from the terminal in the RHNW2 is in the VHNW3 or an external network such as the Internet. Then, when the destination of communication from the terminal is in VHNW3, the tunneling processing unit 120 executes security processing such as encryption and L2 encapsulation processing on the communication data, and the destination of communication from the terminal is external. In the case of a network, L2 encapsulation processing is executed for communication. And the communication part 110 performs the communication after the process by the tunneling process part 120 between VHGW200. The tunneling processing unit 220 of the VHGW 200 receives the communication data from the CPE 100, and executes security processing such as encryption for the communication data and cancellation of the L2 encapsulation processing, or cancellation of the L2 encapsulation processing for communication. The communication unit 210 executes communication with the destination in the VHNW 3 or an external network in a state where the security process such as encryption and the L2 encapsulation process or the L2 encapsulation process is released. Accordingly, the network system 1 according to the first embodiment can use a secure L2 tunnel connection according to a destination and an IP capsule only by using an L2 tunnel connection, thereby reducing a decrease in communication efficiency in accessing the Internet. Enable.

(Second Embodiment)
In the first embodiment described above, the case has been described in which only the L2 encapsulation process in the L2 tunneling process is executed in communication destined for a communication device on an external network such as the Internet. In such a case, in the first embodiment, the L2 frame transmitted from the transmission source terminal remains in plain text. This may be used when the communication path between the CPE 100 and the VHGW 200 passes only through a secure closed network without eavesdropping or tampering by a third party without going through the Internet. However, when this communication path is via the Internet or the like, it may be desirable to consider the following.

  For example, in a general home network, information that does not go out of the home network in communication may be desirable in the present invention not to go out of the home network as plain text. In one example, the MAC address of a communication device may be considered privacy information for the owner of the communication device. In addition, in the case of communication using IPv4, the source private address and source port number of the source terminal may be regarded as information to be kept secret. In a general home network, NAT (Network Address Translation) or The value is converted into another value by a NAPT (Network Address Port Translation) process, and is output to the external network. Therefore, in the second embodiment, a concealment process is performed so that at least such information is not intercepted by a third party in the L2 frame transmitted by the transmission source terminal. That is, the concealment process is further performed on the L2 encapsulation process described in the first embodiment.

  Hereinafter, as a second embodiment, a case where a part of a packet to be transmitted to a communication device on the Internet is concealed will be described. FIG. 11 is a diagram illustrating an example of the configuration of the CPE 100 according to the second embodiment. Here, the CPE 100 according to the second embodiment is different from the CPE 100 according to the first embodiment in that the tunneling processing unit 140 is newly provided with a rule storage unit 141 and a concealment processing unit 142. . Hereinafter, these will be mainly described.

  The rule storage unit 141 stores reference information for executing concealment processing on predetermined information in the L2 frame or packet. Specifically, the rule storage unit 141 stores rule information indicating which area is to be concealed and how in the L2 frame received from the transmission source terminal. For example, when the frame is an Ethernet (registered trademark) frame, the rule storage unit 141 stores the source and destination MAC addresses in the L2 frame, the private address of the source terminal (such as when L3 is IPv4), and In the case of communication using TCP or UDP, rule information designated as a target to be concealed in advance is stored for at least one piece of information among the port numbers set by the transmission source terminal.

  As the concealment process stored by the rule storage unit 141, the entire MAC address, IP address, and port number values may be concealed. For example, the lower 24 assigned by the device manufacturer uniquely among the 48 bits of the MAC address. Only bits may be targeted for concealment. Alternatively, only the lower 24/16/8 bits of the 32 bits of the source IPv4 address may be targeted for concealment, and only 64 bits of the interface ID of the 128 bits of the source IPv6 address may be targeted for concealment. In other words, in the confidential processing, only the information may be subjected to known encryption processing for the specified information, and the original information is specified based on a rule that is difficult for a third party to specify. However, it may be replaced or converted to a value or character different from the original information, or may be obfuscated. Alternatively, instead of the entire designated information, only a predetermined or arbitrary part of the information may be a secret object. In other words, this information need not be uniquely identified. These rules are shared in advance between the CPE 100 and the VHGW 200.

  In addition, as an example of a rule, it may be a conversion table for converting numerical values / characters into different numerical values / characters / symbols on a one-to-one basis, or any encoding / decoding process. In addition, the conversion table and the encoding / decoding processing algorithm may be changed every predetermined period and every predetermined period. In this case, it is necessary to synchronize the change contents between the CPE 100 and the VHGW 200. In addition, it is desirable to make the rule that the data size does not change before and after conversion because it does not affect the entire communication data size. In the example described above, the case where L2 is Ethernet (registered trademark) has been described. However, when L2 is not Ethernet (registered trademark), information corresponding to the protocol is targeted.

  The concealment processing unit 142 conceals predetermined communication contents in communication when the destination of communication from the terminal is on the Internet. Specifically, the concealment processing unit 142, based on the rule information stored in the rule storage unit 141, when the destination identification unit 120 identifies that the communication destination is a communication device on the Internet, A concealment process is performed on a predetermined area of the L2 frame. Here, the concealment processing unit 142 stores information related to the concealment processing that has been executed as identification information in a header area of a packet for terminating the tunnel of VPN communication. Specifically, the concealment processing unit 142 stores information that can identify information that can identify which rule is concealed in which area as identification information. Note that if the target area of the confidential process is fixed and there is only one confidential process, it is only necessary to store identification information indicating that the confidential process is being performed.

  FIG. 12 is a diagram illustrating an example of the target of the confidential processing by the confidential processing unit 142 according to the second embodiment. For example, as shown in FIG. 12, the concealment processing unit 142 includes at least one of a transmission source MAC address, a destination MAC address, a transmission source IP address, and a transmission source port number of a packet on which L2 tunneling processing is executed. A concealment process based on the rule information is executed for the set. Here, the four areas shown in FIG. 12 are areas where packets sent to the Internet are normally concealed. Therefore, by concealing these areas, for example, even when the Internet is used for the network between the CPE 100 and the VHGW 200, information that normally does not appear on the external network is concealed to execute communication. Can do.

  FIG. 13 is a diagram illustrating an example of the configuration of the VHGW 200 according to the second embodiment. As illustrated in FIG. 13, the VHGW 200 according to the second embodiment includes a new rule storage unit 241 and a concealment processing unit 242 in the tunneling processing unit 140 as compared to the VHGW 200 according to the first embodiment. The point to prepare is different. Hereinafter, these will be mainly described.

  The rule information storage unit 241 stores reference information for executing concealment processing on the packet. That is, the rule storage unit 241 stores the same rule information as the rule information storage unit 141 described above. These pieces of information are set in advance by the administrator of the network system 1 or the like, and are shared by the rule storage unit 141 and the rule storage unit 241.

  The concealment processing unit 242 releases the concealment of predetermined communication contents by the concealment processing unit 142. Specifically, the concealment processing unit 242 refers to the identification information included in the packet received from the opposite side of the L2 tunnel and restores the concealed information. In the above-described example, the case where a packet subjected to the L2 encapsulation process is transmitted from the CPE 100 to the VHGW 200 has been described. In such a case, the concealment processing unit 142 and the concealment processing unit 242 perform the processes described above in reverse.

  Next, a processing procedure by the network system 1 according to the second embodiment will be described with reference to FIGS. 14 and 15. FIG. 14 is a sequence diagram for explaining the procedure of the first process of the network system according to the second embodiment. FIG. 15 is a sequence diagram for explaining the procedure of the second process of the network system according to the second embodiment. FIG. 14 shows a processing procedure in communication from the CPE 100 to the VHGW 200. FIG. 14 shows a processing procedure in communication from the VHGW 200 to the CPE 100.

  In communication from the CPE 100 to the VHGW 200, as shown in FIG. 14, in the network system 1 according to the second embodiment, when the communication unit 110 of the CPE 100 receives an L2 frame or packet (step S301), the destination identifying unit 120 The destination is determined (step S302). Here, when the destination is addressed to VHNW3 (Yes in step S303), the tunneling processing unit 130 executes secure L2 tunneling processing such as L2VPN, and the communication unit 110 transmits a packet to the VHGW 200 ( Step S304).

  On the other hand, if the destination is an external network that is not addressed to VHNW3 in Step S303 (No in Step S303), the concealment processing unit 142 executes concealment processing (Step S305). The tunneling processing unit 130 executes simple L2 tunneling processing such as L2 encapsulation processing, and the communication unit 110 transmits a packet to the VHGW 200 (step S306).

  In the VHGW 200, when the communication unit 210 receives the L2 frame or packet (step S307), the tunneling processing unit 240 refers to the identification information or the like and cancels the L2 tunneling processing corresponding to the implemented L2 tunneling processing. Then, an L2 frame or packet is acquired (step S308). Then, the concealment processing unit 242 determines whether there is information subjected to concealment processing (step S309). If there is information that has been concealed (Yes at step S309), the concealment processing unit 242 restores the information that has been concealed (step S310), and the communication unit 210 transmits a packet to the destination. (Step S311). On the other hand, when there is no information subjected to the confidential processing (No at Step S309), the communication unit 210 transmits a packet to the destination (Step S311). Note that if the communication from the RHNW 2 to the external network is preset in the CPE 100 and the VHGW 200 so as to always perform the confidential processing, the processing in step S309 may be skipped.

  Next, in communication from the VHGW 200 to the CPE 100, as shown in FIG. 15, in the network system 1 according to the second embodiment, when the communication unit 210 of the VHGW 200 receives an L2 frame or packet (step S401), the transmission source The identification unit 220 determines the transmission source (step S402). Here, when the transmission source is in the VHNW3 (Yes in step S403), the tunneling processing unit 230 executes secure L2 tunneling processing such as L2VPN, and the communication unit 210 transmits a packet to the CPE 100. (Step S404).

  On the other hand, in step S403, when the transmission source is from an external network that is not in VHNW3 (No in step S403), the concealment processing unit 242 executes concealment processing (step S405). Then, the tunneling processing unit 230 executes simple L2 tunneling processing such as L2 encapsulation processing, and the communication unit 210 transmits a packet to the CPE 100 (step S406).

  In the CPE 100, when the communication unit 110 receives the packet (step S407), the tunneling processing unit 140 refers to the identification information and the like, and cancels the L2 tunneling process corresponding to the implemented L2 tunneling process. A frame or packet is acquired (step S408). Then, the concealment processing unit 241 determines whether there is information subjected to concealment processing (step S409). If there is information that has been concealed (Yes at step S409), the concealment processing unit 241 restores the information that has been concealed (step S410), and the communication unit 210 transmits a packet to the destination. (Step S411). On the other hand, when there is no information subjected to the confidential processing (No at Step S409), the communication unit 210 transmits a packet to the destination (Step S411). Similar to step S309 of FIG. 14 described above, the process of step S409 may be skipped.

  In the processing procedure described above, the case where the L2 tunneling process is executed after the concealment process is executed has been described. However, the embodiment is not limited to this, and may be a case where the concealment process is executed after the L2 tunneling process is executed, for example.

[Effects of Second Embodiment]
As described above, according to the second embodiment, the concealment processing unit 141 of the CPE 100 conceals predetermined communication contents in communication when the destination of communication from the terminal is on the Internet. And the communication part 110 performs the communication after the process of the tunneling process part 140 and the concealment process part 141 between VHGW200. Then, the concealment processing unit 242 of the VHGW 200 releases the concealment of predetermined communication contents by the concealment processing unit 142. Then, the communication unit 210 performs communication to a destination on the Internet in a state where the tunneling process 240 and the concealment of predetermined communication contents are released. Therefore, the network system 1 according to the second embodiment can provide the minimum security when the network used for the L2 tunnel connection is a public network such as the Internet, and reduces the decrease in communication efficiency. Make it possible to do.

(Third embodiment)
In the first and second embodiments described above, the configuration example of the network system has been described. In the third embodiment, an example of a usage environment will be described. Here, due to the recent depletion of global IPv4 addresses, it is expected that the number of cases where one global IPv4 address is shared among a plurality of users will increase in the future. There, a technology called large-scale NAT (called Large Scale NAT or Carrier Grade NAT) is applied, and one global IPv4 is performed by performing NAT processing twice at home gateway and ISP (Internet Service Provider) or ISP. The address is shared by multiple users.

  In such an environment where a large-scale NAT is applied, the load of NAT processing is not small, and considering the maintenance cost, it is desirable that NAT processing at the home gateway can be avoided. In addition, it is considered that the number of IPv6 networks is easily expected to increase with the spread of IPv6 technology in the future. Therefore, in the third embodiment, for example, a network system shown in FIG. 16 will be described.

  FIG. 16 is a diagram schematically illustrating an overview of a network system according to the third embodiment. That is, in the network system according to the third embodiment, as shown in FIG. 16, the Internet communication by IPv4 is routed by the VHGW 200, and the Internet communication by IPv6 is routed by the CPE 100 and is sent to the external network. The system configuration will be described. In this embodiment, it is assumed that the “access network / Internet” is an IPv6 network, and the CPE 100 and the VHGW 200 have a function capable of establishing an IPv6 L2 tunnel connection.

  FIG. 17 is a diagram illustrating an example of a configuration of the network system 1 according to the third embodiment. For example, as shown in FIG. 17, in the network system 1, the CPE 100 in the RHNW 2 has a routing function related to IPv6 and a function of L2 tunneling processing as main functions. On the other hand, the VHGW 200 in the VHNW 3 has a routing function related to IPv4 and a function of L2 tunneling processing as main functions. In addition, a device having an IPv6 routing function for terminating a tunnel, or a device different from the VHGW 200 may have this function.

  Here, for example, when accessing the IPv6 Internet from a terminal in the RHNW2 and VHNW3, the IPv6 packet is routed from the CPE 100 to the external network. For example, when accessing the IPv4 Internet from a terminal in the RHNW2 and the VHNW3, the IPv4 packet is routed from the VHGW 200 to the external network. In other words, as described in the first and second embodiments, a packet addressed to the IPv4 Internet transmitted from a terminal in the RHNW 2 is routed from the VHGW 200 to the external network via the L2 tunnel.

  On the other hand, the packet addressed to the IPv6 Internet transmitted from the terminal in VHNW3 is symmetrical with the configuration described in the first and second embodiments, that is, as described in the modification of the first embodiment. Routing from the VHGW 200 to the external network from the CPE 100 via the L2 tunnel.

  Here, when accessing the IPv4 Internet, the address assigned to the WAN side interface of the VHGW 200 is a global IPv4 address. However, when applying a large-scale NAT, this global address is assigned to a plurality of users, that is, a plurality of VHGWs 200. Will share. For example, a shared private address of a different network domain is assigned to the WAN side interface of the VHGW 200, and a NAT device is placed at a gateway (GW) to the IPv4 Internet, and the NAT device converts the shared private address into a global IPv4 address. It is also possible to communicate with the IPv4 Internet. In this case, the VHNW 3 for each user is constructed in the DC 10, and the gateways of the plurality of VHNWs 3 to the IPv4 Internet are aggregated.

  Here, for example, when the RHNW 2 is accessed from the IPv4 Internet, the packet is transmitted to the global IPv4 address of the NAT device, and the NAT device transmits the packet to the shared private address assigned to the VHGW 200. The VHGW 200 performs IP encapsulation and / or concealment processing on the received packet and transmits it to the CPE 100. The CPE 100 transmits the received packet in the RHNW2. On the other hand, for example, when the VHNW 3 is accessed from the IPv4 Internet, the packet is transmitted to the global IPv4 address of the NAT device, and the NAT device transmits the packet to the shared private address assigned to the VHGW 200. The VHGW 200 further converts the received packet into an address, converts it into a private address in the home network, and transfers it to the VHNW 3.

  For example, when the RHNW2 is accessed from the IPv6 Internet, the CPE 100 transfers the packet received from the IPv6 Internet to the RHNW2. On the other hand, for example, when the VHNW 3 is accessed from the IPv6 Internet, the CPE 100 performs IP encapsulation and / or concealment processing on the received packet and transmits it to the VHGW 200. The VHGW 200 transmits the received packet into the VHGW 3.

  As described above, according to the third embodiment, the network system includes the CPE 100 in the RHNW2 and the VHGW 200 in the VHNW3 that is L2 tunnel-connected to the RHNW2, and the destination identification unit of the CPE 100 includes the RHNW2 in the RHNW2. Whether the destination of communication from the terminal is addressed to the IPv4 Internet is identified. The tunneling processing unit 140 executes a tunneling process for communication when the destination is addressed to the IPv4 Internet. The communication unit 110 executes communication after processing by the tunneling processing unit 140 with the VHGW 200, and the VHGW 200 transfers the received packet to the IPv4 Internet. The destination identifying unit of the VHGW 200 identifies whether the destination of communication from the terminal in the VHNW 3 is addressed to the IPv6 Internet. When the destination is addressed to the IPv6 Internet, the tunneling processing unit 240 executes a tunneling process for communication. When communication is performed with respect to the IPv4 Internet, the NAT device arranged in the DC 10 is executed after the VHGW 200 converts the shared private address converted from the home network private address into a global address. Alternatively, the IPv4 private address received by the VHGW 200 may be directly converted into a global address by the NAT device without using this shared private address. Therefore, the network system 1 according to the third embodiment makes it possible to construct a network system corresponding to global IPv4 address depletion. As described above, the address conversion processing may be performed once without performing the address conversion processing twice.

(Fourth embodiment)
Although the first to third embodiments have been described so far, the embodiment according to the present application is not limited to the first to third embodiments. That is, these embodiments can be executed in various other forms, and various omissions, replacements, and changes can be made.

  As the L2 tunnel between the CPE 100 and the VHGW 200 in the above-described embodiment, both the L2VPN tunnel and the L2 encapsulation tunnel are established, and the tunnel to be used is selected according to the determination result of the determination unit. May be.

  Further, when only one L2 tunnel is used between the CPE 100 and the VHGW 200, based on the determination result of the determination unit, the L2VPN process “security process (encryption, authentication, signature) + L2 encapsulation” or L2 You may selectively perform the capsule processing each time. Here, for example, the default processing may be L2VPN, and L2 encapsulation processing that does not perform security processing selectively among L2VPNs may be performed. Conversely, the default processing is L2 encapsulation, and further security is selectively performed. You may process L2VPN by implementing a process.

  Further, the description has been given on the assumption that communication by L2-encapsulation is performed when the RHNW2 or VHNW3 and an external network such as the Internet access via the L2 tunnel. However, in such communication, since it is not essential to transmit the entire L2 frame to the tunnel opposite side, the embodiment is not limited to this. For example, this communication is L3 encapsulation, that is, IP-in -IP and IP tunneling may be applied. FIG. 18 is a diagram for explaining an example of IP encapsulation processing according to the fourth embodiment. As shown in FIG. 18, the packet may be encapsulated and transmitted by the L3 encapsulation process. The whole of the two areas shown in FIG. 18 or a part of the two areas may be used as the concealment process target, and these may be determined in advance.

  This is a tunneling technology for enabling the transfer through another network by directly encapsulating the IP packet for the internal network with the IP packet for the external network. At this time, in the second and third embodiments, the L2 frame header information for the internal network, which is the home network, does not flow on the Internet, so that only the information to be concealed of L3 or higher needs to be concealed. Information related to the concealment process may be stored in an optional part of the tunnel IP header. For example, when GRE (Generic Routing Encapsulation) is used, it may be stored in the GRE header. Further, since the L2 frame header information is not transmitted, the amount of data that can be transmitted per packet is increased, and the communication efficiency is improved.

  Hereinafter, details in the case of performing L3 encapsulation in the network system 1 according to the first to third embodiments described above will be described. First, a case where L3 encapsulation is performed in the network system 1 according to the first embodiment will be described. In this case, when the CPE 100 receives a packet destined for the Internet side from the communication device in the RHNW 2, the CPE 100 performs L3 encapsulation processing on the received packet and transmits the packet to the opposite VHGW 200. The VHGW 200 cancels L3 encapsulation of the received L3 encapsulation-processed packet, extracts the packet, and transmits the extracted packet to a destination on the Internet side.

  In addition, when receiving a packet addressed to the RHNW 2 from the Internet side, the VHGW 200 performs L3 encapsulation processing on the received packet and transmits it to the opposing CPE 100. The CPE 100 cancels L3 encapsulation of the received L3 encapsulation-processed packet, extracts the packet, and transmits the extracted packet to the destination communication device in the RHNW2.

  Next, a case where L3 encapsulation is performed in the network system 1 according to the second embodiment will be described. In such a case, when the CPE 100 receives a packet destined for the Internet side from a communication device in the RHNW 2, the CPE 100 executes a concealment process on a predetermined portion of the L3 header of the received packet. And CPE100 performs L3 encapsulation process with respect to the packet which performed the concealment process, and transmits to opposite VHGW200. The VHGW 200 cancels L3 encapsulation of the received packet that has been subjected to L3 encapsulation processing, and takes out the packet that has been concealed. Then, the VHGW 200 restores the concealed information in the extracted packet and transmits it to the destination on the Internet side.

  In addition, when receiving a packet addressed to the RHNW 2 from the Internet side, the VHGW 200 executes a concealment process on the L3 header of the received packet. Then, the VHGW 200 performs an L3 encapsulation process on the packet that has been subjected to the concealment process, and transmits the packet to the opposing CPE 100. The CPE 100 releases the L3 encapsulation of the received L3 encapsulation-processed packet and takes out the confidentially-processed packet. Then, the CPE 100 restores the concealed information in the extracted packet and transmits it to the destination communication device in the RHNW2.

  Next, a case where L3 encapsulation is performed in the network system 1 according to the third embodiment will be described. In such a case, when receiving a packet destined for the IPv4 Internet side from the communication device in the RHNW 2, the CPE 100 performs L3 encapsulation processing on the received packet and transmits the packet to the opposite VHGW 200. The VHGW 200 cancels L3 encapsulation of the received L3 encapsulation-processed packet, extracts the packet, and transmits the extracted packet to the NAT device. The NAT device transmits the received packet to a destination on the Internet side.

  Further, when the CPE 100 receives a packet addressed to the VHNW3 from the IPv6 Internet side, the CPE 100 performs L3 encapsulation processing on the received packet and transmits it to the opposing VHGW 200. The VHGW 200 cancels L3 encapsulation of the received L3 encapsulation-processed packet, extracts the packet, and transmits the extracted packet to the communication device in the VHNW3.

  In addition, when the VHGW 200 receives a packet addressed to the IPv6 Internet side from a communication device in the VHNW 3, the VHGW 200 performs L3 encapsulation processing on the received packet and transmits the packet to the opposing CPE 100. The CPE 100 cancels L3 encapsulation of the received L3 encapsulation-processed packet, extracts the packet, and transmits the extracted packet to a destination on the IPv6 Internet side.

  When a packet is transmitted from the IPv4 Internet side to the RHNW2, the NAT device first receives the packet from the IPv4 Internet, converts the global IPv4 address of the received packet into a shared private address, and transmits the packet to the VHGW 200. To do. When the VHGW 200 receives a packet addressed to the RHNW 2 from the NAT device, the VHGW 200 performs L3 encapsulation processing on the received packet and transmits the packet to the opposing CPE 100. The CPE 100 cancels L3 encapsulation of the received L3 encapsulation-processed packet, extracts the packet, and transmits the extracted packet to the destination communication device in the RHNW2. Note that, in the network system 1 according to the third embodiment described above, when the concealment process is executed, the CPE 100 and the VHGW 200 conceal the predetermined part of the L3 header of the packet when transmitting the packet to the opposite side. Execute the process.

  Further, although the VHNW 3 has been described as a virtualized network, it may be a non-virtualized physical network. Moreover, although RHNW2 was demonstrated as a physical network, it may be a virtualized network. Further, in order to be able to handle RHNW2 and VHNW3 as an L2 network of the same segment, the CPE 100 and the VHGW 200 have been described as being connected by L2VPN. However, the present invention is not limited to this and may be connected by L3VPN.

  In addition, although it has been described that the necessity of the confidential processing is determined based on the transmission source and destination of the communication, the present invention is not limited to this, and the necessity of the confidential processing is determined based on the communication protocol and the type and content of the communication message. May be. Alternatively, the necessity of the concealment process may be determined based on a combination of one or more of a communication protocol, a communication message, a transmission source, and a transmission destination. In this case, the CPE 100 and the VHGW 200 also store in advance the conditions related to the communication protocol and messages that are / are not concealed. Further, in the communication between the RHNW2 and the VHNW3, for example, when there is a specific communication that is required to have a delay lower than that of security, the communication is specified based on the communication protocol or message, and the security process is performed. It may be omitted and only the encapsulation process may be performed, or the encapsulation process and the concealment process may be performed.

  In addition, the concealment process may simply target all the L2 header information and L3 header information for the L2 frame, and all the L3 header information for the packet.

  Although the VHGW 200 has been described as a virtualized device, it may be a physical device that is not virtualized. The CPE 100 has been described as a physical device, but may be a virtualized device.

  The communication device in the RHNW2 or VHNW3 may be a virtual server or the like, or may be a physical server that is not virtualized. Further, a communication device that is not a server may be used.

  In the above-described embodiment, the home network and the home gateway have been described as examples. However, the embodiment is not limited thereto, and the target may be, for example, a corporate network.

  The specific form (for example, the form of FIG. 2) of the dispersion / integration of each device of the CPE 100 and the VHGW 200 is not limited to the illustrated one, and all or a part thereof can be arbitrarily set according to various loads and usage conditions. It can be distributed or integrated functionally or physically in units. For example, the destination identification unit 120 and the determination unit 130 may be integrated as one processing unit, while an encryption processing unit that encrypts the tunneling processing unit 140, and a tunneling unit that executes a tunneling process, May be dispersed. Each device may be provided with an IP routing function for communicating with an external network such as an access network / Internet, and the IP routing may be provided in another device. Furthermore, each device may have a general router function related to NAT, DHCP, or DNS, or may have these functions in another device.

  In addition, the destination identification unit 120 may be connected as an external device of the CPE 100 via a network, or another device has the destination identification unit 120 and the determination unit 130 and is connected to the network to cooperate. Thus, the functions of the CPE 100 described above may be realized.

  In addition, an L2 tunnel may be formed between the CPE 100 and the VHGW 200 by connecting devices having a function of forming the L2 tunnel as an external device of the CPE 100 and the VHGW 200 via a network and cooperating with each other.

  The CPE 100 and the VHGW 200 described in the above-described embodiment can also be realized by executing a program prepared in advance by a computer. Therefore, an example of a computer that executes a program that realizes the same function as the CPE 100 illustrated in FIG. 2 or the VHGW 200 illustrated in FIG. 4 will be described below.

  FIG. 19 is a diagram illustrating a computer 1000 that executes a communication control program according to the fourth embodiment. As shown in FIG. 19, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, a network Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 19, the hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. The communication control program according to the fourth embodiment is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described. Specifically, when realizing a function similar to that of the CPE 100, a communication step for executing information processing similar to that of the communication unit 110 described in the above embodiment, and destination identification for executing information processing similar to that of the destination identifying unit 120 A hard disk drive 1090 stores a program module in which a step, a determination step for executing information processing similar to that of the determination unit 130, and a tunneling processing step for executing information processing similar to the tunneling processing unit 140 are described. On the other hand, when realizing the same function as the VHGW 200, the communication step for executing the same information processing as the communication unit 210 described in the above embodiment and the tunneling processing step for executing the same information processing as the tunneling processing unit 240 are provided. The described program module is stored in the hard disk drive 1090.

  Further, like the data stored in the database described in the above embodiment, data used for information processing by the program is stored as program data, for example, in the hard disk drive 1090. Then, the CPU 1020 reads the program module and program data stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes a communication step, a destination identification step, a determination step, and a tunneling processing step, or A communication step and a tunneling processing step are executed.

  Note that the program module and program data relating to the program are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Good. Alternatively, a program module and program data related to the program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070. May be issued.

  These embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

1 Network system 2 RHNW
3 VHNW
4 network 10 DC
100 CPE
110, 210 Communication unit 120, 250 Destination identification unit 130, 230 Judgment unit 140, 240 Tunneling processing unit 141, 241 Rule storage unit 142, 242 Concealment processing unit 200 VHGW
220 Source identification unit

Claims (8)

A network system comprising a first device in a first network and a second device in a second network capable of communicating with the first network and an external network,
The first device includes:
An identification unit for identifying whether a destination of communication data received from a terminal in the first network is in the second network or the external network;
If the destination of the communication data identified by the identification unit is within the second network, at least an encryption process and a encapsulation process for tunnel communication with the second device are performed on the communication data And when the destination of the communication data identified by the identification unit is the external network, a first tunneling process for executing a encapsulation process for tunnel communication with the second device for the communication data And
A first communication unit that transmits communication data after processing by the first tunneling processing unit to the second device;
With
The second device includes:
A second tunneling processing unit that receives the communication data transmitted from the first device and executes release of processing by the first tunneling processing unit;
A second communication unit that transmits the communication data released by the second tunneling processing unit to a destination of the communication data;
A network system characterized by comprising: The first apparatus is configured to conceal a predetermined part of the communication data when the identification unit identifies that the destination of data communication received from the terminal is the external network. Further comprising
The first communication unit transmits the communication data after processing of the first tunneling processing unit and the first concealment processing unit to the second device,
The second device further includes a second concealment processing unit that cancels the processing by the first concealment processing unit,
The said 2nd communication part performs transmission to the destination of the said communication data with respect to the communication data cancelled | released by the said 2nd tunneling process part and the said 2nd concealment process part. 2. The network system according to 1. The first secret 匿処 management unit, the network system according to claim 2, wherein a predetermined portion of the communication data, characterized by concealing a part of header information of at least the communication data. And IPv6 Internet and the first device in the communicable first network, a network system and a second device of the first network and the IPv4 Internet and the communicable second network,
The first device includes:
First identification for identifying whether a destination of communication data received from a terminal in the first network is in the second network or the IPv4 Internet capable of communicating with the second network And
When the destination of the communication data identified by the first identification unit is within the second network, at least an encryption process for the communication data and encapsulation for tunnel communication with the second device And when the destination of the communication data identified by the first identification unit is the IPv4 Internet, executes a encapsulation process for tunnel communication with the second device for the communication data A first tunneling processor to
1st communication which transmits the communication data with respect to the IPv6 Internet which can transmit the communication data after the process by the said 1st tunneling process part to a destination via the said 2nd apparatus, and can communicate with the said 1st network. And
With
The second device includes:
Second identification for identifying whether the destination of communication data received from a terminal in the second network is in the first network or the IPv6 Internet capable of communicating with the first network And
When the destination of the communication data identified by the second identification unit is within the first network, at least an encryption process for the communication data and encapsulation for tunnel communication with the first device When the destination of the communication data identified by the second identification unit is the IPv6 Internet, a encapsulation process for performing tunnel communication with the first device is performed on the communication data. A second tunneling processing unit to
When the communication data after processing by the second tunneling processing unit is transmitted to the destination via the first device and communication data for the IPv4 Internet that can communicate with the second network is transmitted and received, A second communication unit that performs conversion between a private address pre-assigned to the second device and a global address;
A network system characterized by comprising: A communication control method executed by a network system comprising a first device in a first network and a second device in a second network capable of communicating with the first network and an external network,
Executed by the first device;
An identification step for identifying whether a destination of communication data received from a terminal in the first network is in the second network or the external network;
If the destination of the communication data identified in the identification step is within the second network, at least an encryption process and a encapsulation process for tunnel communication with the second device are performed on the communication data And when the destination of the communication data identified in the identification step is the external network, a first tunneling process for executing a encapsulation process for tunnel communication with the second device for the communication data Process,
A first communication step of transmitting communication data after processing by the first tunneling processing step to the second device;
Executed by the second device;
A second tunneling process step of receiving communication data transmitted from the first device and executing cancellation of the process by the first tunneling process step;
A second communication step of transmitting the communication data released by the second tunneling processing step to a destination of the communication data;
The communication control method characterized by including. A communication control device in the first network,
The destination of communication data received from a terminal in the first network is in a second network that can communicate with the first network, or an external network that can communicate with the second network. An identification part for identifying
When the destination of the communication data identified by the identification unit is in the second network, at least encryption processing is performed on the communication data and tunnel communication is performed with the second device in the second network. When the destination of the communication data identified by the identification unit is the external network, the encapsulation process for tunnel communication with the second device is performed on the communication data. A tunneling processing unit,
A communication unit for transmitting communication data after processing by the tunneling processing unit to the second device;
A communication control apparatus comprising: A communication control device in a second network capable of communicating with the first network,
For receiving communication data transmitted from a communication device in the first network and performing encryption processing and tunneling communication for the received communication data, or tunnel communication A tunneling processing unit for canceling the capsuling process;
A communication unit that transmits the communication data released by the tunneling processing unit to a destination of the communication data;
A communication control apparatus comprising:   A communication control program for causing a computer to function as the communication control device according to claim 6 or 7.

Images