JP5949488B2 - Communication apparatus and program - Google Patents

Description

  The present invention relates to a communication device and a program.

  There is a technique for preventing leakage of identification information (for example, an IP address) assigned to an information processing apparatus. Patent Document 1 discloses an IPv6 (Internet Protocol Version 6) address in which an interface ID selected by a user from a plurality of interface IDs prepared in advance or selected based on a prefix is assigned to an information processing apparatus. The technology used as the interface ID of is described. Non-Patent Document 1 describes a technique for randomly changing an interface ID included in an IPv6 address in an information processing apparatus to which an IPv6 address is assigned.

JP 2005-64572 A

“Privacy Extensions for Stateless Address Autoconfiguration in IPv6”, http: // www. ietf. org / rfc / rfc3041. txt, IETF, January 2001

  One of the objects of the present invention is a communication apparatus different from an information processing apparatus in which identification information associated with information to identify a transmission source or a transmission destination is assigned to a transmission target. The portion assigned to each information processing device among the identification information is kept secret from an information processing device different from the information processing device to which the identification information is assigned while maintaining the portion assigned in common to the information processing device. The identification information is changed.

  The invention according to claim 1 is a communication device, wherein the identification information assigned to the information processing device receives a transmission target associated with information identifying a transmission source or a transmission destination, and the identification Of the information, the transmission unit is configured to associate the identification information changed by the changing unit with a changing unit that changes a part allocated to each information processing device while maintaining a part that is commonly assigned to a plurality of information processing devices. And transmitting means for transmitting the object.

  The invention according to claim 2 is the communication apparatus according to claim 1, wherein the receiving unit associates identification information assigned to the first information processing apparatus as information for identifying a transmission source. The transmission target associated with the identification information assigned to the second information processing apparatus as information for identifying the transmission destination is received from the first information processing apparatus, and the changing means includes the first information Of the identification information assigned to the processing device, the portion assigned to each information processing device is changed while maintaining the portion assigned in common to the plurality of information processing devices, and the changing means is changed by the changing means. The identified information is associated as information for identifying the transmission source, and the transmission target is transmitted to the second information processing apparatus.

  A third aspect of the present invention is the communication apparatus according to the second aspect, wherein the receiving means associates identification information assigned to the second information processing apparatus as information for identifying a transmission source. And a response to the transmission target, in which the identification information after the change performed on the identification information assigned to the first information processing apparatus is associated as information for identifying a transmission destination, Received from the information processing apparatus, and the changing means is common to a plurality of information processing apparatuses among the identification information received from the second information processing apparatus and associated with the response as information for identifying a transmission destination. And changing the portion assigned to each information processing device to the identification information assigned to the first information processing device, and changing the transmission means. The identification information, in association with the information identifying the destination, in which the response was that transmits the control information to the first information processing apparatus.

  The invention according to claim 4 is the communication apparatus according to claim 3, wherein the changing means is an identification associated with the response in a method used in changing the identification information associated with the transmission target. Information is to be changed.

  Invention of Claim 5 is a communication apparatus as described in any one of Claim 1 to 4, Comprising: The said change means changes the identification information linked | related with the said transmission object, The said transmission object This is done by a method corresponding to the port number of the transmission source.

  The invention according to claim 6 is a program that is a program for receiving a transmission target in which identification information assigned to an information processing apparatus is associated as information for identifying a transmission source or a transmission destination. Among them, a change unit that changes a portion assigned to each information processing device while maintaining a portion that is commonly assigned to a plurality of information processing devices, and transmits the transmission target in association with identification information changed by the change unit The computer is caused to function as a transmission means.

  According to the first and sixth aspects of the present invention, in a communication apparatus different from the information processing apparatus to which identification information associated as information for identifying a transmission source or a transmission destination is assigned to a transmission target, While the portion commonly assigned to the information processing devices is maintained, the portion of the identification information assigned to each information processing device is concealed by an information processing device different from the information processing device to which the identification information is assigned. Thus, the identification information is changed.

  According to the second aspect of the present invention, in the communication device different from the first information processing device, the identification information assigned to the first information processing device associated with the transmission target as information for identifying the transmission source Of these, the portion assigned to each information processing device among the identification information is kept secret by the second information processing device as the transmission destination while the portion assigned in common to the plurality of information processing devices is maintained. The identification information is changed.

  According to the third aspect of the present invention, in a communication device different from the first information processing device, a response destination to the transmission target from the first information processing device to the second information processing device is sent. The identification information associated as the information for identifying is changed to the identification information assigned to the first information processing apparatus.

  According to the fourth aspect of the present invention, the method is used in changing the identification information associated with the transmission target from the first information processing apparatus to the second information processing apparatus, and is associated with the response to the transmission target. The identification information is changed.

  According to the invention described in claim 5, when the port number of the transmission source of the transmission target from the first information processing device to the second information processing device is changed, the method used for changing the identification number is changed. Become.

It is a figure which shows an example of the whole structure of the communication system which concerns on one Embodiment of this invention. It is a functional block diagram which shows an example of the function implement | achieved by the communication apparatus which concerns on one Embodiment of this invention. It is a figure which shows an example of a conversion algorithm table. It is a flowchart which shows an example of the flow of the packet transmission / reception process performed by the communication apparatus which concerns on one Embodiment of this invention. It is a flowchart which shows an example of the flow of the process performed by the communication apparatus which concerns on one Embodiment of this invention.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram illustrating an example of the overall configuration of a communication system 10 according to the present embodiment. As shown in FIG. 1, a communication system 10 according to the present embodiment includes a communication device 12, a server 14 (14-1 to 14-n) that is an information processing device belonging to the first information processing device group, a second information processing device. User terminals 16 (16-1 to 16-m), which are information processing apparatuses belonging to the information processing apparatus group, are included. The communication device 12 and the server 14 are connected to first communication means (in this embodiment, for example, the Internet 18). The communication device 12 and the user terminal 16 are connected to a second communication means (in this embodiment, for example, a local area network (LAN) 20).

  The communication device 12 according to the present embodiment is, for example, a gateway device that relays communication between the user terminal 16 and the server 14, and a program control device such as a CPU that operates according to a program installed in the communication device 12. A control unit, a storage element such as a ROM or a RAM, a storage unit such as a hard disk drive, a communication unit that is a communication interface such as a network board, and the like. These elements are connected via a bus or the like.

  The server 14 according to the present embodiment is, for example, an information processing apparatus that provides various services to the user terminal 16, and is a control unit that is a program control device such as a CPU that operates according to a program installed in the server 14, a ROM, It includes a storage unit such as a RAM, a storage unit such as a hard disk drive, a communication unit such as a communication interface such as a network board, and the like.

  The user terminal 16 according to the present embodiment is, for example, a computer such as a personal computer, a control unit that is a program control device such as a CPU that operates according to a program installed in the user terminal 16, and a storage such as a ROM or a RAM. It includes a storage unit such as an element and a hard disk drive, a communication unit such as a communication interface such as a network board, a display, a speaker, a mouse, a keyboard, and buttons.

  In the present embodiment, for example, transmission / reception of packets according to IPv6 is performed between the user terminal 16 and the server 14. The packet includes, for example, an IPv6 address (hereinafter referred to as a transmission source address) that is identification information of the information processing apparatus that is the transmission source of the packet, and an IPv6 address that is identification information of the information processing apparatus that is the transmission destination of the packet. (Hereinafter, referred to as a transmission destination address) and the like, and information (payload) to be transmitted to the information processing apparatus of the transmission destination. Thus, in this embodiment, the transmission source address and the transmission destination address are associated with the information to be transmitted to the transmission destination information processing apparatus.

  In the present embodiment, the IPv6 address assigned to each user terminal 16 is, for example, a prefix assigned by an Internet service provider (for example, “2001: db8: 111: 111 :: / 64”) and a user terminal. And an interface ID assigned every 16th. The prefix is a portion of the IPv6 address that is commonly assigned to a plurality of user terminals 16 connected to the LAN 20. In the present embodiment, the interface ID is set using, for example, the EUI64 mechanism. That is, in this embodiment, for example, a value generated based on a MAC (Media Access Control) address that uniquely identifies a device such as a network board provided in the user terminal 16 is used as the interface ID of the user terminal 16. Is set.

  FIG. 2 is a functional block diagram illustrating an example of functions realized by the communication device 12 according to the present embodiment. As shown in FIG. 2, the communication device 12 according to the present embodiment functionally includes, for example, a packet transmitting / receiving unit 30, an address change determination unit 32, an address change unit 34, a conversion algorithm determination unit 36, and a conversion algorithm table storage. Part 38, and the like. The function of each unit shown in FIG. 2 is realized by executing a program installed in the communication device 12 that is a computer and including a command corresponding to the function of each unit shown in FIG. 2 in the control unit of the communication device 12. Yes. This program is supplied to the communication device 12 via a computer-readable information storage medium such as an optical disk, a magnetic disk, a magnetic tape, a magneto-optical disk, or a flash memory, or via communication means such as the Internet.

  In the present embodiment, for example, the conversion algorithm table 40 illustrated in FIG. 3 is stored in advance in the conversion algorithm table storage unit 38. In this embodiment, for example, the conversion algorithm table 40 is a table for registering at least one method (conversion algorithm) for converting the interface ID included in the IPv6 address. The conversion algorithm used in this embodiment is a reversible conversion algorithm.

  The conversion algorithm used in this embodiment may be, for example, a block cipher algorithm or a stream cipher algorithm. The conversion algorithm used in the present embodiment includes, for example, a block cipher and a cipher usage mode (for example, OFB (Output Feedback), CFB (Cipher Feedback), CTR (Counter), etc.) that can handle the block cipher like a stream cipher. ) And may be combined.

  In the conversion algorithm table 40 according to the present embodiment, as shown in FIG. 3, the algorithm ID that is the identifier of the conversion algorithm, the name of the conversion algorithm, and the parameters used for the conversion (for example, the initialization vector iv, the key key, etc. Are managed in association with each other. In this embodiment, an encryption method (encryption algorithm) is used as a conversion algorithm. In addition, in the conversion algorithm table 40 according to the present embodiment, ten conversion algorithms are managed. In addition, the storage unit of the communication device 12 according to the present embodiment stores a program that implements the conversion algorithm whose name is shown in the conversion algorithm table 40.

  Here, an example of the flow of packet transmission / reception processing performed in the communication system 10 according to the present embodiment will be described with reference to the flowchart shown in FIG.

  First, when the packet transmission / reception unit 30 receives a packet from the user terminal 16 or the server 14, the packet transmission / reception unit 30 has received a packet reception interrupt from the device driver to the address change determination unit 32. (S101).

  Then, the address change determination unit 32 determines whether it is necessary to change the address for the received packet (S102). In this embodiment, for example, the address change determination unit 32 determines that an address change is necessary when the following condition 1 or condition 2 is satisfied, and otherwise determines that an address change is not necessary. To do.

  Condition 1: (1) The received packet is a packet transmitted from the information processing device on the LAN 20 side (ie, the user terminal 16) to the information processing device on the Internet 18 side (ie, the server 14), and ( 2) The source address included in the packet is an IPv6 global unicast address, and (3) the prefix of the source address is “2001: db8: 111: 111 :: / 64” (ie, transmission) The prefix of the original address is assigned to the LAN 20 to which the user terminal 16 is connected).

  Condition 2: (1) The received packet is a packet transmitted from the information processing device on the Internet 18 side (that is, the server 14) to the information processing device on the LAN 20 side (that is, the user terminal 16), and ( 2) The destination address included in the packet is an IPv6 global unicast address, and (3) the prefix of the destination address is “2001: db8: 111: 111 :: / 64” (ie, the prefix). Is a prefix assigned to the LAN 20 to which the user terminal 16 is connected).

  If it is determined in the process shown in S102 that an address change is necessary (S102: Y), an address change instruction is output to the address change unit 34 (S103).

  When receiving the address change instruction, the address changing unit 34 outputs the conversion algorithm determining instruction to the conversion algorithm determining unit 36 (S104). Then, the conversion algorithm determination unit 36 refers to the conversion algorithm table 40 stored in the conversion algorithm table storage unit 38 (S105) and determines a conversion algorithm (S106).

  In this embodiment, the conversion algorithm determination unit 36, for example, for a packet transmitted from the information processing device on the LAN 20 side (ie, the user terminal 16) to the information processing device on the Internet 18 side (ie, the server 14), An algorithm associated with an algorithm ID having a value obtained by adding 1 to the value of the first place of the transmission source port number included in the packet is determined as a conversion algorithm used for the conversion of the packet, and is associated with the algorithm ID The determined parameter is determined as a parameter used for conversion of the packet.

  Also, the conversion algorithm determination unit 36, for example, for a packet transmitted from the information processing device on the Internet 18 side (that is, the server 14) to the information processing device on the LAN 20 side (that is, the user terminal 16), A conversion algorithm associated with an algorithm ID having a value obtained by adding 1 to the value of the included destination port number is determined as a conversion algorithm used for conversion of the packet, and is associated with the algorithm ID. Is determined as a parameter used for conversion of the packet.

  Then, the conversion algorithm determination unit 36 notifies the address change unit 34 of the name of the conversion algorithm determined by the conversion algorithm determination unit 36 and the parameter determined by the conversion algorithm determination unit 36 (S107).

  Then, the address changing unit 34 executes a program in which the conversion algorithm of the notified name is implemented, and performs address conversion using the conversion algorithm, whereby the source address included in the packet received by the packet transmitting / receiving unit 30 Alternatively, the destination address is changed (S108). In the present embodiment, the parameter notified in the process shown in S107 is used as a parameter for address conversion by the conversion algorithm.

  In the present embodiment, in the processing shown in S108, the prefix of the IPv6 address is maintained without being changed, and only the interface ID is changed. Details of the processing shown in S108 will be described with reference to the flowchart shown in FIG.

  The address changing unit 34 first confirms the communication direction of the packet received by the packet transmitting / receiving unit 30 (S201). In this embodiment, for example, the address changing unit 34 receives a packet received by the packet transmitting / receiving unit 30 from the LAN 20 side information processing device (that is, the user terminal 16) to the Internet 18 side (WAN side) information processing device ( That is, the packet is transmitted to the server 14) or transmitted from the information processing apparatus on the Internet 18 side (WAN side) (that is, the server 14) to the information processing apparatus on the LAN 20 side (that is, the user terminal 16). Check if it is a packet.

  If it is confirmed in the process shown in S201 that the packet received by the packet transmitting / receiving unit 30 is a packet transmitted from the information processing device on the LAN 20 side to the information processing device on the Internet 18 side, the address changing unit 34 , “Fffe”, which is a reserved part of the EUI 64, is disposed between the sixth hexadecimal character from the left and the sixth hexadecimal character from the right of the interface ID included in the transmission source address ( S202). For example, when the interface ID included in the transmission source address is “1: 11ff: fe11: 1111” (in accordance with the IPv6 address notation), the value “000111111111” is obtained by the processing shown in S202. .

  Then, the address changing unit 34 uses the parameter (for example, iv = 1111 and key = 1111) notified in the process shown in S107, and the conversion algorithm (for example, DES-CFB) notified in the process shown in S107. ), The value obtained by the process shown in S202 is encrypted (S203). For example, when the value “000111111111” is obtained in the process shown in S202, the value is converted to “d245c7fa7538” in the process shown in S203.

  The address changing unit 34 then calculates a 16-bit TCP / UDP checksum correction value (for example, “0e67” calculated using a known calculation method such as that described in RFC 1071 “Computing the Internet Checksum”, for example. ]) Is added to the end of the value obtained in the process shown in S203 (S204), and the process shown in S108 is terminated. For example, the value obtained by expressing the execution result of the process shown in S204 for the value “d245c7fa7538” in the IPv6 address notation is “d245: c7fa: 7538: 0e67”. The address changing unit 34 determines the value obtained in the process shown in S204 as the interface ID included in the changed source address.

  If it is confirmed in the process shown in S201 that the packet received by the packet transmitting / receiving unit 30 is a packet transmitted from the information processing device on the Internet 18 side to the information processing device on the LAN 20 side, the address changing unit 34 The lower 16 bits of the interface ID included in the transmission destination address are deleted (S205). For example, when the interface ID included in the transmission destination address is “d245: c7fa: 7538: 0e67” (in accordance with the IPv6 address notation), the value “d245c7fa7538” is obtained by the processing shown in S205. .

  Then, the address changing unit 34 uses the parameter (for example, iv = 1111 and key = 1111) notified in the process shown in S107, and the conversion algorithm (for example, DES-CFB) notified in the process shown in S107. ), The value obtained in the process shown in S205 is decoded (S206). For example, when the value “d245c7fa7538” is obtained in the process shown in S205, the value is converted to “000111111111” in the process shown in S206. In the present embodiment, for example, the conversion executed in the process shown in S206 corresponds to the inverse conversion of the conversion executed in the process shown in S203.

  Then, the address changing unit 34 inserts “fffe” which is a reserved part of the EUI 64 between the sixth hexadecimal character from the left and the sixth hexadecimal character from the right (S207), and shows in S108 The process ends. For example, the value obtained by expressing the execution result of the process shown in S207 for the value “000111111111” in the IPv6 address notation is “0001: 11ff: fe11: 1111”. The address changing unit 34 determines the value obtained in this way as the interface ID included in the converted transmission destination address.

  In this embodiment, the prefix included in the transmission source address and the transmission destination address is maintained without being converted. Therefore, for example, when the processing shown in S202 to S204 is performed on the transmission source address “2001: db8: 111: 111: 1: 11ff: fe11: 1111”, the transmission source address “2001” after the change is executed. : Db8: 111: 111: d245: c7fa: 7538: 0e67 "will be obtained. Further, for example, when the processing shown in S205 to S207 is performed on the transmission destination address “2001: db8: 111: 111: d245: c7fa: 7538: 0e67”, the transmission destination address “2001” after the change is executed. : Db8: 111: 111: 1: 11ff: fe11: 1111 ".

  When the process shown in S108 is completed as described above, the address changing unit 34 notifies the address change determining unit 32 of the changed address (S109). When it is determined in the process shown in S102 that no address change is necessary (S102: N), or when the process shown in S109 is completed, the address change determination unit 32 sends a packet to the packet transmitting / receiving unit 30. A transmission interruption is notified (S110). Then, the packet transmitting / receiving unit 30 transmits the packet (S111).

  Here, in this embodiment, a packet (hereinafter referred to as a request packet) is transmitted from the user terminal 16 to the server 14, and then a response packet of the request packet (hereinafter referred to as a response packet). An example of a scene in which is transmitted from the server 14 to the user terminal 16 will be described.

  First, when the user terminal 16 transmits a request packet, the IPv6 address assigned to the user terminal 16 is set in the transmission source address included in the request packet, and the transmission destination address included in the request packet includes The IPv6 address assigned to the server 14 is set. Here, for example, the well-known port number (for example, 80) is set as the destination port number included in the request packet, and the destination port number included in the request packet is randomly determined. A number (here, for example, 52320) is set.

  In the communication device 12, the interface ID of the source address included in the request packet is converted. Here, for example, the interface ID of the source address is converted according to the algorithm corresponding to the algorithm ID “1”. When the server 14 receives the request packet, the IPv6 address in which the interface ID is converted in the communication device 12 is set in the transmission source address included in the request packet, and the transmission destination address included in the packet includes The IPv6 address assigned to the server 14 is set.

  Then, the server 14 transmits a response packet to the user terminal 16. The IPv6 address assigned to the server 14 is set as the source address included in the response packet, and the IPv6 address included as the source address in the request packet received by the server 14 is set as the destination address included in the response packet. (IPv6 address after the above conversion) is set. Further, the transmission destination port number included in the response packet is set to the transmission source port number (for example, 52320) included in the request packet, and the transmission source port number included in the response packet is included in the request packet. A transmission destination port number (for example, 80) is set.

  In the communication device 12, the interface ID of the transmission destination address included in the response packet is converted. In this embodiment, the same algorithm as that used for the address translation of the request packet is used for the translation. Further, the conversion is the reverse conversion of the conversion of the request packet. As a result of the conversion, the IPv6 address assigned to the user terminal 16 is set as the destination address included in the packet. When the user terminal 16 receives the response packet, the IPv6 address assigned to the server 14 is set in the source address included in the response packet, and the user is set in the destination address included in the response packet. The IPv6 address assigned to the terminal 16 is set.

  As described above, the communication device 12 according to the present embodiment is assigned to each user terminal 16 while maintaining a prefix that is commonly assigned to a plurality of user terminals 16 among addresses included in the packet. Change the interface ID. In the present embodiment, the interface ID of the user terminal 16 can be concealed from the information processing apparatus on the Internet 18 side without performing address conversion in the user terminal 16. In the present embodiment, it is not necessary to change the prefix management system between the information processing device on the Internet 18 side and the information processing device on the LAN 20 side with the communication device 12 in between. In the present embodiment, it is not necessary to store a table for managing the correspondence between the address before conversion and the address after conversion in the communication device 12.

  In addition, this invention is not limited to the above-mentioned embodiment.

  For example, the communication device 12 may include an algorithm changing unit that changes the conversion algorithm table 40 in accordance with a change instruction received from the user terminal 16 or the like. For example, when an instruction to change to the new conversion algorithm table 40 is received, the algorithm changing unit starts monitoring a communication session between the user terminal 16 and the server 14. Then, when it is confirmed that all communication sessions have been disconnected, the algorithm changing unit transmits the information processing device on the Internet 18 side (that is, the server 14) from the information processing device on the LAN 20 side (that is, the user terminal 16). ) Is temporarily blocked, and the contents of the new conversion algorithm table 40 are reflected in the conversion algorithm table 40. Then, the algorithm changing unit releases the communication block from the information processing apparatus on the LAN 20 side to the information processing apparatus on the Internet 18 side.

  For example, the communication apparatus 12 according to the present embodiment may change the interface ID while maintaining the prefix and subnet ID included in the transmission source address and the transmission destination address.

  In addition, the communication device 12 in the present embodiment may be configured from a plurality of housings. Further, specific character strings and numerical values in the specification, and specific character strings and numerical values in the drawings are examples, and are not limited to these character strings and numerical values.

DESCRIPTION OF SYMBOLS 10 Communication system, 12 Communication apparatus, 14 Server, 16 User terminal, 18 Internet, 20 LAN, 30 Packet transmission / reception part, 32 Address change judgment part, 34 Address change part, 36 Conversion algorithm determination part, 38 Conversion algorithm table memory | storage part 40 Conversion algorithm table.

Claims (5)

Receiving means for receiving a transmission target associated with identification information assigned to the information processing apparatus as information for identifying a transmission source or a transmission destination;
Changing the part of the identification information that is assigned to each information processing apparatus while maintaining the part that is commonly assigned to a plurality of information processing apparatuses, in a manner corresponding to the port number of the transmission target transmission source Means,
A transmission unit that associates the identification information changed by the change unit and transmits the transmission target;
A communication device comprising: In the receiving means, the identification information assigned to the first information processing apparatus is associated as information identifying the transmission source, and the identification information assigned to the second information processing apparatus is information identifying the transmission destination. Receiving an associated transmission target from the first information processing apparatus;
The changing unit changes a portion assigned to each information processing device while maintaining a portion assigned to a plurality of information processing devices in the identification information assigned to the first information processing device,
The transmitting unit associates the identification information changed by the changing unit as information for identifying a transmission source, and transmits the transmission target to the second information processing apparatus;
The communication apparatus according to claim 1. The reception means is associated with identification information assigned to the second information processing apparatus as information for identifying a transmission source, and is performed on the identification information assigned to the first information processing apparatus. A response to the transmission target associated with the changed identification information as information for identifying a transmission destination is received from the second information processing apparatus;
The changing means maintains a portion commonly assigned to a plurality of information processing devices among identification information associated with the response as information for identifying a transmission destination received from the second information processing device. While changing the portion assigned to each information processing device to the identification information assigned to the first information processing device,
The transmission unit associates the identification information changed by the change unit as information for identifying a transmission destination, and transmits the response to the first information processing apparatus.
The communication device according to claim 2. The changing means is a method used in changing the identification information associated with the transmission target, and changes the identification information associated with the response.
The communication apparatus according to claim 3. Receiving means for receiving a transmission target associated with identification information assigned to the information processing apparatus as information for identifying a transmission source or a transmission destination;
Changing the part of the identification information that is assigned to each information processing apparatus while maintaining the part that is commonly assigned to a plurality of information processing apparatuses, in a manner corresponding to the port number of the transmission target transmission source means,
Transmitting means for associating the identification information changed by the changing means and transmitting the transmission object;
A program characterized by causing a computer to function.

Images