JP6487620B2 - Communication control system, communication control method, and program - Google Patents

Description

  The present invention relates to a communication control system, a communication control method, and a program.

  2. Description of the Related Art Conventionally, a technique for mediating communication between a user terminal operated by a user and a communication target system is known. Patent Document 1 describes a communication control system that acquires a user ID and password from a user terminal, executes login processing, and relays access from the user terminal to a target system.

JP2013-077995A

  The administrator of the target system performs an IP address setting operation so that the IP addresses do not overlap in the target system. However, in the case where there are a plurality of target systems having different management entities, the IP addresses may overlap between the target systems because each administrator assigns an IP address independently. In this case, even if the communication control system receives a packet from the user terminal, it may not be possible to specify to which target system the packet should be sent.

  The present invention has been made in view of the above problems, and an object thereof is to provide a communication control system, a communication control method, and a program capable of mediating communication even when IP addresses overlap between target systems. There is to do.

  In order to solve the above problems, a communication control system according to the present invention is a communication control system that mediates communication between a user terminal operated by a user and a plurality of target systems including combinations of overlapping IP addresses. A router that communicates with any one of the target systems, and communicates with a plurality of routers prepared for each target system and any of a plurality of target systems with overlapping IP addresses in a network different from each target system. Forwarding means that forwards a packet received from the user terminal to a router that communicates with a target system of a communication destination of the user terminal among the plurality of target systems having overlapping IP addresses, and the forwarding means The router that has received the forwarded packet forwards the packet to the target system with which the router communicates. And wherein the door.

  A communication control method according to the present invention is a communication control method that mediates communication between a user terminal operated by a user and a plurality of target systems including combinations of overlapping IP addresses, and any one of the target systems Receiving from the user terminal that communicates with any of a plurality of target systems having overlapping IP addresses among a plurality of routers prepared for each target system in a network different from each target system. A transfer step of transferring a packet to a router communicating with a target system of a communication destination of the user terminal among the plurality of target systems having overlapping IP addresses, and a router that has received the packet transferred in the transfer step, Forwarding the packet to a target system with which the router communicates. And butterflies.

  A program according to the present invention is a software router that communicates a computer that mediates communication between a user terminal operated by a user and a plurality of target systems including combinations of overlapping IP addresses with any one target system. Then, in a network different from each target system, a packet received from the user terminal that communicates with a plurality of software routers prepared for each target system or a plurality of target systems with overlapping IP addresses, A program for functioning as a transfer unit that transfers to a router that communicates with a target system that is a communication destination of the user terminal among the plurality of overlapping target systems, the software receiving the packet transferred by the transfer unit The router routes the packet to its software route. To transfer the communication destination of the target system, and wherein the.

  In one aspect of the present invention, the communication control system is an IP address corresponding to each target system, the management IP address not overlapping with another target system, a router communicating with the target system, Means for acquiring the stored contents of the means for storing the association, wherein the transfer means transfers the packet received from the user terminal to the router associated with the management IP address indicated by the transmission destination of the packet. The router that receives the packet transferred by the transfer means converts the transmission destination of the packet into the IP address of the target system corresponding to the transmission destination and transfers the packet.

  In one aspect of the present invention, each router converts a transmission source of a packet received from a target system of a communication destination of the router into a management IP address corresponding to the target system, and the communication control system includes: Means for transferring the packet whose transmission source has been changed to the user terminal;

  In one aspect of the present invention, the communication control system has an IP address overlapping with at least one target system, and the target system includes a router that converts an IP address, and communicates with the target system. The router in the system converts the transmission source of the packet transferred by the transfer means into an IP address different from the IP address after conversion by the router in the target system, and transfers the IP address.

  According to the present invention, it is possible to mediate communication even when IP addresses overlap between target systems.

It is a figure which shows an example of the whole structure of an information processing system. It is a functional block diagram which shows the function implement | achieved by information processing system. It is a figure which shows the example of storage of a static route. It is a figure which shows the example of a storage of the address conversion table memorize | stored in a data storage part. It is a figure which shows the example of a storage of the address conversion table memorize | stored in a data storage part. It is a figure which shows a mode that a packet is transmitted / received. It is a figure which shows the process performed with an information processing system. It is a figure which shows the process performed with an information processing system. It is a figure which shows an example of a console screen. FIG. 10 is a diagram for explaining functions realized in the second embodiment.

[1. Embodiment 1]
Hereinafter, examples of embodiments of the present invention will be described in detail with reference to the drawings. This embodiment demonstrates the case where the communication control system which concerns on this invention is applied to the information processing system using cloud computing, for example.

[1-1. Hardware configuration of information processing system]
FIG. 1 is a diagram illustrating an example of the overall configuration of an information processing system. As shown in FIG. 1, the information processing system 1 distinguishes between the communication control system 10, a plurality of user terminals 20, and a plurality of target systems 30 (hereinafter, referred to as target systems 30 </ b> A and 30 </ b> B as necessary. )including. These are connected via a network (for example, VPN: Virtual Private Network) so that data can be transmitted and received. The user terminal 20 accesses the target system 30 via the communication control system 10 and cannot directly access the target system 30.

  The communication control system 10 mediates communication between the user terminal 20 and the target system 30. The communication control system 10 includes a communication control server 11. The communication control server 11 is a server computer, and transmits and receives various information under a given protocol (for example, SSH: Secure Shell or RDP: Remote Desktop Protocol). Here, for simplification of description, the communication control server 11 is described as one unit, and a case where a virtual machine or a software router is realized in the communication control server 11 will be described. There may be more than one.

  As illustrated in FIG. 1, the communication control server 11 includes a control unit 12, a storage unit 13, and a communication unit 14. The control unit 12 includes, for example, one or a plurality of microprocessors. The control unit 12 executes various processes according to the operating system and programs stored in the storage unit 13. The storage unit 13 includes a main storage unit and an auxiliary storage unit. For example, the main storage unit is a RAM, and the auxiliary storage unit is a hard disk or a solid state drive. The communication unit 14 includes a network card. The communication unit 14 is for performing data communication via a network.

  The communication control server 11 may include a component (for example, a memory card slot) for reading a program or data stored in a computer-readable information storage medium (for example, a memory card). In the present embodiment, programs and data described as being stored in the storage unit 13 may be supplied to the storage unit 13 from an external computer via the communication unit 14.

  The user terminal 20 is a computer operated by the user, and is, for example, a personal computer or a tablet terminal. In the present embodiment, a worker who inputs a command to be executed by the target system 30 (for example, a privileged user or system engineer who performs maintenance) corresponds to the user. As shown in FIG. 1, the user terminal 20 includes a control unit 21, a storage unit 22, a communication unit 23, an operation unit 24, and a display unit 25. Note that the hardware configurations of the control unit 21, the storage unit 22, and the communication unit 23 are the same as those of the control unit 12, the storage unit 13, and the communication unit 14, and thus description thereof is omitted.

  The operation unit 24 is a known input device, such as a mouse, a keyboard, or a touch panel. The operation unit 24 transmits the content of operation by the user to the control unit 21. The display unit 25 is, for example, a liquid crystal display unit or an organic EL display unit. The display unit 25 displays a screen according to instructions from the control unit 21.

  The target system 30 is a system with which the user communicates. For example, each target system 30 can be accessed by a plurality of users, and executes a command input by each user. Here, the management subject (for example, company) of each target system 30 is different, and the management of the IP address (private address) is performed independently. Therefore, it is assumed that there is a combination of target systems 30 whose IP addresses overlap with other target systems 30. For example, company A gives an IP address of each device of target system 30A, and company B different from company A gives an IP address of each device of target system 30B.

  Each target system 30 includes a target server 31. The target server 31 is a server computer. Here, for simplification of explanation, a case will be described in which a single target server 31 in each target system 30 is provided and a virtual machine or software router is realized in the target server 31. There may be a plurality of 30 units. Furthermore, the target system 30 may include a communication device such as a router, a database server, and the like.

  As illustrated in FIG. 1, the target server 31 includes a control unit 32, a storage unit 33, and a communication unit 34. Since the hardware configurations of the control unit 32, the storage unit 33, and the communication unit 34 are substantially the same as those of the control unit 12, the storage unit 13, and the communication unit 14, the description thereof will be omitted. For example, applications and various data used by users of the information processing system 1 are managed in the storage unit 33 of the target server 31. Each user accesses the target server 31 and uses these applications and various data.

[1-2. Outline of processing in information processing system]
In the information processing system 1, the communication control system 10 provides, for example, a service for recording a user operation log by mediating communication between the user terminal 20 and the target system 30. Hereinafter, an outline of processing executed by the information processing system 1 will be described in accordance with a procedure in which a certain company Z newly registers for use of a service.

  First, the company Z registers various information related to users belonging to the company Z (for example, the user's name and affiliation, a login account to the communication control system 10, etc.) in the communication control system 10. Then, the communication control system 10 issues authentication information for each user to log in to the communication control system 10. The authentication information may be information used at the time of authentication defined by the protocol, such as an authentication key (certificate) or a password.

  Then, the company Z registers information related to the target system 30 managed by the company Z (that is, the target system 30 newly added to the information processing system 1) in the communication control system 10. For example, each server name in the target system 30, its IP address, the type of protocol to be used, a login account for the server, authentication information for the server, and the like are registered. Similar to the above, the authentication information may be information (authentication key or password) defined by the protocol.

  When the company Z registers information related to the user and information related to the target system 30, the company Z performs these linking operations. For example, when different servers are accessible for each user, the company Z designates a server that can be accessed by each user among the servers in the target system 30 and registers the server in the communication control system 10. .

  Thereafter, the company Z performs network setting for accessing the target system 30 via the communication control system 10. Here, network settings in the communication control system 10 and network settings in the target system 30 are required. Although details will be described later, in this embodiment, since a software router is used, the setting operation of each software router of the communication control system 10 and the target system 30 is performed. For example, a link operation between the software router in the communication control system 10 and the target system 30 to be newly added is performed. Note that the software router of the communication control system 10 may be prepared in advance or may be newly created at the time of use registration.

  When the use registration is completed, the company Z can use the service. Here, when a user accesses the target system 30, the user logs in the communication control system 10 once and then logs in the target system 30 via the communication control system 10. This is because when encrypted communication such as SSH is performed, the command input by the user and the execution result thereof are also encrypted. Therefore, the protocol is temporarily terminated by the communication control system 10 and decrypted. This is because the operation log is surely acquired.

  In the present embodiment, as described above, since there are combinations of target systems 30 with overlapping IP addresses, the communication control system 10 provides a dedicated software router for each target system 30. The communication control server 11 assigns a management IP address so as not to overlap each virtual machine in each target system 30.

  For this reason, even if the virtual IP addresses of the virtual machines in each target system 30 are duplicated, these virtual machines can be identified by the management IP address. That is, the communication control system 10 can identify which virtual machine of which target system 30 is addressed by referring to the management IP address indicated by the transmission destination of the packet received from the user terminal 20.

  The communication control system 10 is configured to mediate communication even if the target systems 30 have overlapping IP addresses by distributing packets to a software router that is responsible for communication of the target system 30 including the identified virtual machine. It has become. Hereinafter, details of the technology will be described.

[1-3. Functions realized in information processing system]
FIG. 2 is a functional block diagram illustrating functions realized by the information processing system 1. Here, functions realized by the communication control system 10 and the target system 30 will be described. In FIG. 2, the numerical values described under the names of the gateway 110, the software router 120, the virtual machine 310, and the software router 320 are respective IP addresses.

[Functions implemented in the target system]
In each target system 30, a virtual machine 310 and a software router 320 are realized. The number of virtual machines 310 and software routers 320 may be one or plural. These are mainly implemented by the control unit 32, the storage unit 33, and the communication unit 34.

  Hereinafter, when it is necessary to distinguish the virtual machine 310 for each target system 30, they are referred to as virtual machines 310A and 310B. Further, when it is necessary to distinguish the virtual machine 310 in the target system 30, it is described as virtual machines 310A1 to 310A3. Similarly, when it is necessary to distinguish the software router 320 and the later-described data storage unit 321 for each target system 30, they are described as software routers 320A and 320B and data storage units 321A and 321B.

  The virtual machine 310 is a virtual server computer. In other words, the virtual machine 310 is a virtual device that is a communication destination of the user, and executes a command input by the user. Each virtual machine 310 is assigned an IP address (private address) that is valid in the target system 30. For example, the IP address of each virtual machine 310 is assigned by an administrator in the target system 30. For this reason, in the example illustrated in FIG. 2, at least one of the virtual machines 310A1 to 310A3 and at least one of the virtual machines 310B1 to 310B3 have overlapping IP addresses.

  The software router 320 is a virtual router. The software router 320 mediates communication between each virtual machine 310 and the communication control system 10. The software router 320 includes a data storage unit 321 and stores setting information (for example, a routing table) of the software router 320.

  For example, the setting of the software router 320 is performed by the administrator of the target system 30. At the time of service usage registration, a static route setting for the gateway 110 is added to the software router 320. For example, the next hop when the IP address of the gateway 110 is the destination is set to the IP address of the software router 320. As shown in FIG. 2, the IP address of software router 320A may overlap with the IP address of software router 320B.

  Note that various known technologies can be applied to the device virtualization technology itself for realizing the virtual machine 310 and the software router 320. The same applies to the gateway 110 and the software router 120 described later. Furthermore, in the first embodiment, the IP address on the target system 30 side (IP address of the virtual machine 310 or software router 320) does not overlap with the IP address on the communication control system 10 side (IP address of the gateway 110 or software router 120). It is like that.

[Functions implemented in the communication control system]
In the communication control system 10, a gateway 110 and a plurality of software routers 120 are realized. A plurality of gateways 110 may be provided. These are mainly implemented by the control unit 12, the storage unit 13, and the communication unit 14. Hereinafter, the software routers 120A and 120B and the data storage units 121A and 121B are distinguished as necessary.

  The gateway 110 is a virtual server computer. The gateway 110 transfers a packet received from the user terminal 20 to any one of the software routers 120, or transfers a packet received from each target system 30 via each software router 120 to the user terminal 20. Further, the gateway 110 acquires and records a user operation log.

  In the present embodiment, the gateway 110 includes a data storage unit 111, an acquisition unit 112, and a transfer unit 113.

  The data storage unit 111 stores data for identifying the communication destination of each software router 120. For example, the data storage unit 111 associates an IP address corresponding to each target system 30 and a management IP address that does not overlap with other target systems 30, and the software router 120 that communicates with the target system 30. The static route indicating is stored. The acquisition unit 112 acquires the storage content (here, static route) of the data storage unit 111.

  FIG. 3 is a diagram illustrating an example of storing a static route. As shown in FIG. 3, a management route IP address managed by the gateway 110 and information (for example, the IP address) for identifying the software router 120 are associated with the static route.

  The management IP address is a private address for uniquely identifying the virtual machine 310 in each target system 30. The management IP address is not duplicated between the target systems 30. In other words, the management IP address and the virtual machine 310 in each target system 30 have a one-to-one relationship.

  The software router 120 associated with the management IP address is a software router 120 that communicates with the target system 30 of the virtual machine 310 corresponding to the management IP address. In other words, each software router 120 is associated with a management IP address corresponding to each virtual machine 310 in the communication target system 30.

  In the data storage example shown in FIG. 3, the software router 120A that communicates with the target system 30A is associated with the management IP addresses of the virtual machines 310A1 to 310A3. On the other hand, the software router 120B that communicates with the target system 30B is associated with the management IP addresses of the virtual machines 310B1 to 310B3.

  For example, the static route is updated when a new virtual machine 310 is added. When a new virtual machine 310 is added, a management IP address corresponding to the virtual machine is issued and associated with the software router 120 that communicates with the target system 30. The newly issued management IP address does not overlap with the already issued management IP address. The setting of the management IP address may be performed by an administrator of the communication control system 10 or may be automated by the communication control system 10.

  The transfer unit 113 receives a packet received from the user terminal 20 that communicates with any one of the plurality of target systems 30 having overlapping IP addresses, and the communication destination of the user terminal 20 among the plurality of target systems 30 having overlapping IP addresses. Transfer to software router 120 that communicates with system 30. The transfer unit 113 specifies the target system 30 with which the user terminal 20 communicates, and transfers the packet received from the user terminal 20 to the software router 120 that communicates with the specified target system 30 among the plurality of software routers 120. To do.

  Here, the transmission destination of the packet transmitted by the user terminal 20 is not the real IP address of the virtual machine 310 of the communication target system 30, but the management IP address of the virtual machine 310. For this reason, the transfer unit 113 transfers the packet received from the user terminal 20 to the software router 120 associated with the management IP address indicated by the transmission destination of the packet. The transfer unit 113 identifies the virtual machine 310 corresponding to the management IP address of the packet transmission destination by referring to the static route. Then, the transfer unit 113 transfers the packet to the software router 120 that performs communication with the target system 30 of the virtual machine 310.

  Each software router 120 is a virtual router. Each software router 120 communicates with any one target system 30. Each software router 120 is prepared for each target system 30 in a network different from each target system. That is, each software router 120 is outside the target system 30 and has a different network address. Each software router 120 mediates communication between the gateway 110 and one target system 30 of its communication destination (for example, the software router 320 in the target system 30). Each software router 120 is configured so that the IP address does not overlap.

  Each software router 120 includes a data storage unit 121. The data storage unit 121 stores setting information (for example, a routing table) of the software router 120. For example, a routing table is defined for each software router 120 so that there is one target system 30 for which the software router 120 is responsible for routing. For this reason, each software router 120 does not communicate with a plurality of target systems 30. In addition, although the case where the software router 120 and the target system 30 are in a one-to-one relationship will be described, these may be in a many-to-one relationship.

  The software router 120 that has received the packet transferred by the transfer unit 113 transfers the packet to the target system 30 that is the communication destination of the software router 120. That is, each software router 120 transfers the packet received from the transfer unit 113 to the target system 30 that is the communication destination of the software router 120 among the plurality of target systems 30.

  In the present embodiment, the data storage unit 121 stores an address conversion table indicating the relationship between the management IP address and the IP address of the virtual machine 310. Here, it is assumed that address translation is performed according to the rules of DNAT (Destination Network Address Translation).

  FIG. 4 is a diagram illustrating a storage example of the address conversion table stored in the data storage unit 121A. As shown in FIG. 4, the address conversion table includes a management IP address corresponding to each of the virtual machines 310A1 to 310A3 in the target system 30A and a real IP address of the virtual machines 310A1 to 310A3 (in FIG. 4, Is described as “original IP address”).

  FIG. 5 is a diagram illustrating a storage example of the address conversion table stored in the data storage unit 121B. As shown in FIG. 5, in the address conversion table, management IP addresses corresponding to the virtual machines 310B1 to 310B3 in the target system 30B and real IP addresses of the virtual machines 310B1 to 310B3 are associated with each other. ing. In the example shown in FIGS. 4 and 5, the virtual machine 310A1 and the virtual machine 310B1 have the same true IP address but different management IP addresses.

  The routing table and the address conversion table of each software router 120 are updated when a virtual machine 310 is newly added to the target system 30 with which the software router 120 communicates. For example, when a new virtual machine 310 is added, an association between the management IP address corresponding to the virtual machine 310 and the IP address of the target system 30 is added to the address conversion table. These settings may be performed by an administrator of the communication control system 10 or may be automated by the communication control system 10.

  Next, address conversion that is performed from when the communication control system 10 transmits a packet to the target system 30 until the packet returns from the target system 30 to the communication control system 10 will be described.

  FIG. 6 is a diagram illustrating how packets are transmitted and received. Here, a case where the user accesses the virtual machine 310A3 will be described as an example. First, as shown in FIG. 6, the transmission source of the packet transferred by the transfer unit 113 is the gateway IP address “10.200.189.32”, and the transmission destination is the management IP address “10.100.1.5” of the virtual machine 310A3. It becomes.

  Upon receiving the packet transferred by the transfer unit 113, the software router 120A converts the transmission destination of the packet into the IP address of the target system 30A corresponding to the transmission destination and transfers the packet. As shown in FIG. 6, the software router 120A rewrites the packet transmission destination to the real IP address “192.168.1.4” of the virtual machine 310A3. For example, the software router 120 refers to the address conversion table, rewrites the transmission destination of the received packet with the IP address associated with the transmission destination, and then changes the destination to the communication target system 30 of the software router 120. Will be sent.

  Then, the transmission source of the packet (return packet) transmitted by the virtual machine 310A3 is the real IP address “192.168.1.4” of the virtual machine 310A3, and the transmission destination is the IP address “10.200.189.32” of the gateway. The software router 120 </ b> A converts the transmission source of the packet received from the target system 30 </ b> A that is the communication destination of the software router 120 </ b> A into a management IP address corresponding to the target system 30. As shown in FIG. 6, the software router 120A rewrites the packet transmission source to the management IP address “10.100.1.5” of the virtual machine 310A3 in accordance with the rules of DNAT. For example, the software router 120 refers to the address conversion table, rewrites the transmission source of the received packet to the management IP address associated with the transmission source, and transfers the packet to the gateway 110.

  As described above, each software router 120 performs address conversion of a transmission destination of a packet to be transmitted to the target system 30 according to a DNAT rule, and performs address conversion of a transmission source of a packet returned from the target system 30.

  It is assumed that information (for example, the IP address of the gateway 110) identifying each gateway 110 to which each software router 120 should transfer a packet is stored in advance in the routing table of the software router 120 or the like.

  The transfer unit 113 of the gateway 110 transfers the packet whose transmission source has been changed (that is, the return packet from the target system 30) to the user terminal 20. For this reason, the packet received by the user terminal 20 is not the real IP address of the virtual machine 310 of the communication partner, but is only converted to the management IP address.

[1-4. Processing executed in the embodiment]
7 and 8 are diagrams illustrating processing executed in the information processing system 1. Each functional block is realized by executing the processing shown in FIGS. The control units 12, 21, and 32 operate according to programs stored in the storage units 13, 22, and 33, respectively, thereby executing the following processing.

  In addition, when the process described below is executed, the first communication (for example, SSH) is established between the communication control system 10 and the user terminal 20, and the communication control system 10 and the target system 30 are connected. It is assumed that the second communication (for example, SSH) is established between them. For example, after a user logs in to the communication control system 10 using a login account to the communication control system 10 and an authentication key stored in the storage unit 22 of the user terminal 20, Assume that the user logs in to the virtual machine 310 using the login account to the virtual machine 310 and the authentication key stored in the storage unit 12 of the communication control server 11. At the time of login, the user may specify the real IP address of the virtual machine 310 that is the communication destination, or may specify the management IP address.

  As shown in FIG. 7, first, in the user terminal 20, the control unit 21 displays a console screen on the display unit 25 (S1). FIG. 9 is a diagram illustrating an example of a console screen. As shown in FIG. 9, the user has already logged in to the virtual machine 310 and can enter a command to be executed by the virtual machine 310. The user inputs a command to be executed by the virtual machine 310 as a login destination from the console screen 40 using the operation unit 24.

  The control unit 21 receives a command input from the user (S2). The control unit 21 encrypts the user input content and transmits it to the communication control system 10 (S3). In S <b> 3, the control unit 21 encrypts a symbol string such as a command or a file name input by the user using an encryption key (public key or common key) stored in the storage unit 22. Then, the control unit 21 stores the encrypted input content in a packet in which the management IP address of the virtual machine 310 of the connection destination is set as the transmission destination and transmits the packet.

  In the communication control system 10, when the packet is received, the control unit 12 causes the gateway 110 to decrypt it and record an operation log (S4). In S <b> 4, the control unit 12 decrypts the packet received from the user terminal 20 using the decryption key (secret key or common key) stored in the storage unit 13. Then, the control unit 12 operates the storage unit 13 on the login account of the user, a symbol string such as a command or file name input by the user, the name and IP address of the virtual machine 310 of the communication destination, and information on the current date and time. Store as a log.

  Note that the IP address of the virtual machine 310 stored in the operation log may be a real IP address or a management IP address. Further, both of these may be stored. Further, when the operation log is confirmed, the management IP address may be displayed after being converted into a real IP address.

  The control unit 12 causes the gateway 110 to identify the software router 120 to which the packet should be sent by referring to the static route (S5). In S5, the control unit 12 refers to the transmission destination of the received packet. Then, the control unit 12 specifies the software router 120 associated with the transmission destination management IP address.

  The control unit 12 causes the gateway 110 to encrypt the packet again and transmit it to the software router 120 specified in S5 (S6). In S <b> 6, the control unit 12 encrypts the packet using the encryption key (public key or common key) stored in the storage unit 13. The gateway 110 and each software router 120 are assumed to have a virtual IP connection.

  The control unit 12 causes the software router 120 that has received the packet transmitted in S6 to perform address conversion of the packet (S7). In S <b> 7, the control unit 12 refers to the conversion table to convert the management IP address of the packet transmission destination into the IP address of the virtual machine 310 of the target server 30.

  The control unit 12 causes the software router 120 to transmit the packet whose address has been converted in S7 to the target system 30 (S8). In S <b> 8, the control unit 12 transmits the packet to the target system 30 that is the communication destination of the software router 120.

  In the target system 30, when the packet is received, the control unit 32 transfers the packet to the software router 320 (S9). In S9, the control unit 32 transmits the packet to the virtual machine 310 that is the transmission destination of the packet. In the target system 30 as well, it is assumed that a virtual IP connection is established between each virtual machine 310 and the software router.

  Moving to FIG. 8, the control unit 32 causes the virtual machine 310 that has received the packet to execute the command input by the user and generate the execution result (S <b> 10). In S10, the control unit 32 decrypts the received packet using the decryption key (secret key or common key) stored in the storage unit 33. Then, the control unit 32 executes the command input by the user and generates the execution result.

  The control unit 32 causes the virtual machine 310 that executed the command to encrypt the execution result generated in S10 and transmits the result to the communication control system 10 via the software router 320 (S11). The control unit 32 encrypts the packet by using the encryption key (public key or common key) stored in the storage unit 33. Then, the control unit 32 sets the transmission source of the packet to the IP address of the virtual machine 310 and transmits the packet to the communication control system 10 via the software router 320.

  In the communication control system 10, when the packet is received, the control unit 12 causes the software router 120 to perform address conversion (S12). In S12, the control unit 12 refers to the address conversion table and converts the transmission source of the received packet from the real IP address of the virtual machine 310 to the management IP address.

  The control unit 12 causes the software router 120 to transfer the packet whose address has been converted in S12 to the gateway 110 (S13). Note that the IP address of the gateway 110 is stored in the storage unit 13 in advance, and the software router 120 can specify the IP address.

  The control unit 12 causes the gateway 110 to decode the received packet and record an operation log (S14). In S <b> 14, the control unit 12 decrypts the packet received from the software router 120 using the decryption key (secret key or common key) stored in the storage unit 13, and operates the command execution result. Record in the storage unit 13 as a log.

  The control unit 12 causes the gateway 110 to encrypt the packet and transmit it to the user terminal 20 (S15). In S15, the control unit 12 encrypts and transmits the execution result of the command using the encryption key (public key or common key) stored in the storage unit 13.

  In the user terminal 20, when the command execution result is received, the control unit 21 decrypts the command, displays it on the console screen 40 (S16), and returns to the process of S2. In S <b> 16, the control unit 21 decrypts the command execution result using the decryption key (secret key or common key) stored in the storage unit 22. Thereafter, the processes from S2 to S16 are repeated until the user logs out.

  According to the information processing system 1 described above, the software router 120 is prepared for each target system 30, and the packets received from the user terminal 20 are distributed to the gateway 110, so that the IP addresses of the target systems 30 can be assigned to each other. Even if they overlap, it becomes possible to mediate communication.

  In the communication control system 10, the management IP address is managed so that the virtual machines 310 are not duplicated. Therefore, even if the real IP address is duplicated, which virtual machine 310 is used depending on the management IP address. Whether the packet is addressed can be specified. Furthermore, routing can be performed accurately by causing the software router 120 to convert the management IP address into a real IP address. In this regard, since the communication control system 10 performs the IP address conversion, it is not necessary to modify the target system 30 (that is, the customer receiving the service), and the convenience for the user is improved.

  Further, for example, if a proxy is used, it is possible to sort communication, but according to the method described in the embodiment, even if the protocol does not support the proxy (for example, RDP), the gateway 110 can distribute the packets, thereby enabling mediation of communication. That is, since it becomes possible to mediate communication without depending on the protocol used by the user, convenience for the user is improved.

  In addition, since each software router 120 rewrites the transmission destination of the packet received from the target system 30 to the management IP address and forwards it to the user terminal 20, the user terminal 20 has the virtual machine 310 of its communication destination. If the management IP address can be known and the packet is transmitted with the management IP address as the transmission destination, the packet can be delivered to the virtual machine 310.

[2. Second Embodiment]
Next, another embodiment of the information processing system 1 will be described. In the first embodiment, the communication control when the IP addresses of the target systems 30 are duplicated has been described. In the second embodiment, the communication when the IP addresses are duplicated between the communication control system 10 and the target system 30 is described. Control will be described. Note that the hardware configuration is the same as that of the second embodiment, and a description thereof will be omitted. Also, with respect to other portions, the description of the same portions as those in the first embodiment will be omitted.

  In the second embodiment, the communication control system 10 has the same IP address as that of at least one target system 30. The software router 120 and the software router 320 both have DNAT and SNAT (Source NAT) functions.

  FIG. 10 is a diagram for explaining functions realized in the second embodiment. Here, a case will be described in which the IP address of the gateway 110 and the IP address of the virtual machine 310A3 overlap. As shown in FIG. 10, the transmission source of the packet transmitted from the gateway 110 is the IP address “10.200.189.32” of the gateway 110, and the transmission destination is the management IP address “10.100.1.5” of the virtual machine 310A3. Become.

  The software router 120A converts the packet transmission source from the real IP address “10.200.189.32” of the gateway 110 to the temporary IP address “172.16.1.1”, and the transmission destination is the management IP address “virtual machine 310A3” 10. Convert from "100.1.5" to a temporary IP address "192.168.1.4". In other words, the software router 120A converts the transmission source of the packet transferred by the transfer unit 113 into an IP address different from the IP address after conversion by the software router 320A of the target system 30, and transfers the gateway 110 and the virtual. The machine 310A3 is configured so that the temporary IP address does not overlap.

  The software router 320A converts the transmission destination of the packet from the temporary IP address “192.168.1.4” of the virtual machine 310A3 to the real IP address “10.200.189.32”. For this reason, the packet can be delivered to the virtual machine 310A3.

  On the other hand, the transmission source of the packet returning from the target system 30 to the communication control system 10 is set to the real IP address “10.200.189.32” of the virtual machine 310A3, and the transmission destination is the temporary IP address “172.16.1.1” of the gateway 110. Is set. The software router 320A converts the transmission source of the packet from the real IP address “10.200.189.32” of the virtual machine 310A3 to the temporary IP address “192.168.1.4”.

Software router 1 20A converts the transmission source of the received packet to the IP address "10.100.1.5" for managing the IP address "192.168.1.4" of the temporary virtual machine 310A3, the destination, the tentative gateway 110 IP The address “172.16.1.1” is converted to the real IP address “10.200.189.32”. For this reason, even if the IP address is duplicated between the gateway 110 and the virtual machine 310A3, the packet can be delivered to the user terminal 20.

  In the above description, the case where the IP addresses of the gateway 110 and the virtual machine 310A3 are duplicated has been described as an example. However, in the case where the IP addresses of the other virtual machines 310 are duplicated, the software routers 120 and 320 similarly. Communication is possible by performing address conversion twice. That is, the IP address of the communication control system 10 may be converted into a temporary IP address, and the IP address of the target system 30 may be converted into a temporary IP address so as to be different from the temporary IP address. Moreover, although the case where it combined with the technique of Embodiment 1 was demonstrated, when the IP address of the object systems 30 does not overlap, you may make it not convert the management IP address.

  According to the communication control system 10 of the second embodiment, even if the IP address is duplicated between the communication control system 10 and the target system 30, communication can be performed by performing address conversion twice.

[3. Modified example]
The present invention is not limited to the embodiment described above. Modifications can be made as appropriate without departing from the spirit of the present invention.

  For example, the method by which the transfer unit 113 identifies the software router 120 to which a packet received from the user terminal 20 should be transferred is not limited to the above example. The transfer unit 113 may identify the target system 30 to which the received packet is directed based on a predetermined method.

  For example, when the target system 30 to which the user can log in is limited, the transfer unit 113 identifies the target system 30 to which the user can log in, and transmits the packet received from the user terminal 20 to the target system 30. You may make it transfer to the software router 120 in charge of communication. In this case, data defining a target system 30 accessible by each user is stored in the data storage unit 111, and the transfer unit 113 refers to the data so that the target system 30 accessible by the user is stored. Will be specified.

  Further, for example, the transfer unit 113 may specify the target system 30 of the communication destination based on the IP address of the user terminal 20. For example, when the IP address of the user terminal 20 that can communicate with the target system 30 is determined for each target system 30, the transfer unit 113 selects the target system 30 that can be accessed with the IP address of the packet transmission source. It may be specified and transferred to the software router 120 in charge of communication with the target system 30. In this case, data defining the target system 30 that can be accessed with the IP address of each user terminal 20 is stored in the data storage unit 111, and the transfer unit 113 refers to the data so that the IP address of the user is stored. The target system 30 accessible by the address is specified.

  For example, although the case where a private address is allocated to the gateway 110 and each software router 120 is demonstrated, a global address may be allocated to these.

  Further, for example, in the above-described embodiment, the gateway 110, the software router 120, the virtual machine 310, and the software router 320 have been described as examples. It may be a computer. For example, although the case where the server computer executes the user command has been described, the user command may be executed by, for example, a network device in the target system 30.

  For example, although SSH and RDP have been described as examples of communication protocols, communication using various other protocols can be applied. For example, communication may be performed by TELNET, FTP, SCP, SFTP, HTTP, or HTTPS. Further, for example, in the above description, the communication control system according to the present invention is applied to an information processing system using cloud computing. Applicable to various accessing systems.

  DESCRIPTION OF SYMBOLS 1 Information processing system, 10 Communication control system, 11 Communication control server, 12, 21, 32 Control part, 13, 22, 33 Storage part, 14, 23, 34 Communication part, 20 User terminal, 24 Operation part, 25 Display part , 30, 30A, 30B target system, 31 target server, 40 console screen, 110 gateway, 111, 111A, 111B, 121, 121A, 121B, 321, 321A, 321B data storage unit, 112 acquisition unit, 113 transfer unit, 120 120A, 120B, 320, 321A, 321B software router, 310, 310A1, 310A2, 310A3, 310B1, 310B2, 310B3 virtual machine.

Claims (5)

And a user terminal operated by a user, the communication control system to mediate a target system a plurality of paths are available simultaneously to each combination a including a plurality of systems which each other's IP addresses overlap, communication of There,
Means for logging the user into the communication control system;
Means for logging in the user who has logged into the communication control system into any of the plurality of target systems;
A router that communicates with any one of the target systems, and a plurality of routers prepared for each target system in a network different from each target system;
An IP address corresponding to each target system, a management IP address that does not overlap with another target system, and a means for acquiring storage contents of a means for storing an association between the router communicating with the target system;
An operation log obtained by decrypting an encrypted packet received from the user terminal that communicates with the target system to which the user has logged in among the plurality of target systems that have overlapping IP addresses and that can simultaneously use routes to each other. recording a transfer means for transferring to the router associated with the packet again encrypted management IP address indicated by the destination of the packet,
Including
The router that has received the packet transferred by the transfer means converts the transmission destination of the packet into the IP address of the target system of the communication destination of the router, and transfers the packet.
A communication control system characterized by that. Each router converts the transmission source of the packet received from the target system of the communication destination of the router into a management IP address corresponding to the target system,
The communication control system includes:
Means for transferring the packet whose source has been changed to the user terminal;
The communication control system according to claim 1, further comprising: The communication control system has an IP address overlapping with at least one target system,
The target system includes a router that translates an IP address,
The router in the communication control system that communicates with the target system converts the source of the packet transferred by the transfer means to an IP address different from the IP address after conversion by the router in the target system and transfers the packet. ,
The communication control system according to claim 1 or 2. And a user terminal operated by a user, the communication control system to mediate a target system a plurality of paths are available simultaneously to each combination a including a plurality of systems which each other's IP addresses overlap, communication of A communication control method,
Logging the user into the communication control system;
Logging the user logged into the communication control system into any of the plurality of target systems;
Association between a management IP address corresponding to each target system and not overlapping with another target system, and a router that is prepared in a network different from the target system and communicates with the target system Obtaining the stored contents of the means for storing
An operation log obtained by decrypting an encrypted packet received from the user terminal that communicates with the target system to which the user has logged in among the plurality of target systems that have overlapping IP addresses and that can simultaneously use routes to each other. record and a transfer step of the packet again encrypted transferred to a router associated with the management IP address indicated by the destination of the packet,
Including
The router that has received the packet transferred in the transfer step converts the destination of the packet into the IP address of the target system of the communication destination of the router, and transfers the packet.
The communication control method characterized by including. And a user terminal operated by a user, a target system a plurality of paths are available simultaneously to each combination a including a plurality of systems which each other's IP address is duplicated, the computer that mediates communication,
Means for logging the user into the computer;
Means for logging in the user logged into the computer into any of the plurality of target systems;
A software router that communicates with any one target system, and a plurality of software routers prepared for each target system in a network different from each target system,
Means for acquiring storage contents of a means for storing an association between a management IP address corresponding to each target system and not overlapping with other target systems and a router communicating with the target system;
A router associated with a management IP address indicated by a transmission destination of a packet received from the user terminal that communicates with any of the plurality of target systems that have overlapping IP addresses and routes that can be simultaneously used Transfer means to transfer to,
An operation log obtained by decrypting an encrypted packet received from the user terminal that communicates with the target system to which the user has logged in among the plurality of target systems that have overlapping IP addresses and that can simultaneously use routes to each other. A transfer unit that records the packet , re-encrypts the packet, and forwards the packet to the router associated with the management IP address indicated by the transmission destination of the packet ;
Is a program for functioning as
The router that has received the packet transferred by the transfer means converts the transmission destination of the packet into the IP address of the target system of the communication destination of the router, and transfers the packet.
A program characterized by that.

Images