JP7077697B2 - Route control devices, route control methods, and programs - Google Patents

Description

The present invention relates to a route control device, a route control method, and a program.

Conventionally, computer systems for automatic recognition, automatic control, remote measurement, etc. called IoT have been applied not only to OA but also to FA / industrial equipment and healthcare / medical equipment.

Such computer systems are networked and have traditionally been operated as on-premises in a limited intranet environment. In recent years, along with the development of cloud computing services (web services) such as Amazon Web Services (AWS) and the flow of IoT, a server for collecting information is placed on the cloud to store device information. Also, configurations such as going through the cloud as a relay point for communication between remote locations are becoming widespread.

For example, when an information collection server is placed on the cloud, communication with an information collection target terminal placed in the intranet can be made more efficient by placing an intermediary device having a proxy function on the intranet side. This intermediary device generally communicates using a LAN (local area network) installed in the intranet, but the Internet connection may be prohibited depending on the security policy of the intranet. In that case, there is a method of realizing the Internet connection by providing the intermediary device itself with its own communication path.

When using an original communication path for communication with the information collection server on the cloud, it is necessary to control the route for collecting device information as an intranet and for communication with the information collection server as an original communication path. When using a unique communication path for communication with the information collection server, generally, route control can be performed by checking the IP address of the information collection server and registering it in the routing rule (static rule) of the intermediary device. It will be possible.

However, in general, when a fixed IP service is not used as a paid option in a cloud service such as AWS, the URL of the server corresponds to a plurality of IP addresses, and any value among them is returned. Therefore, it is difficult to control the routing of the communication to the cloud service to the original communication path by registering the IP address of the server in the routing rule (static route) of the intermediary device.

This is because it is difficult to make it possible to register a routing rule so as to cover a plurality of IP addresses returned by the cloud service system. Also, if one of the arbitrary IP addresses returned by the cloud service system is fixedly registered in the routing rule, it is not guaranteed that the IP address returned by the cloud service system will not change permanently. However, the response will be provisional, and if the IP address returned by the cloud service system changes, it will not be possible to respond.

The present invention has been made in view of the above, and mediates the communication between the server arranged on the cloud and the information terminal on the intranet, and uses the original communication path for the communication with the server arranged on the cloud. It is an object of the present invention to provide a simple means for appropriately route-controlling a packet addressed to a server on a cloud whose IP address changes arbitrarily to an original communication path in the route control device.

In order to solve the above-mentioned problems and achieve the object, the route control device of the present invention sets a packet according to a route control rule including a transmission rule that defines a transmission route of the packet to the destination address of the packet. A route control switch for switching between a first communication path and a second communication path used for communication with a server on the cloud, and a DNS received when sending a packet to the route control switch. When there is a DNS response error in the DNS response related to the request, the detection mechanism that detects the packet for which the transmission rule corresponding to the destination address of the packet is not registered in the routing rule, and the destination of the packet detected by the detection mechanism. It is characterized by having a verification mechanism for verifying the above and a rule generation mechanism for registering a new transmission rule via the second communication path in the route control rule based on the verification result by the verification mechanism.

According to the present invention, in a route control device that mediates communication between a server arranged on the cloud and an information terminal on an intranet and uses an original communication path for communication with a server arranged on the cloud, IP is arbitrarily used. It is possible to provide a simple means for appropriately controlling the route of a packet addressed to a server on a cloud whose address changes to an original communication path.

FIG. 1 is a block diagram schematically showing a system of an embodiment. FIG. 2 is a block diagram schematically showing a hardware configuration of an intermediary device of the system of FIG. FIG. 3 is a functional configuration diagram schematically showing the configuration of the intermediary device and the signal flow. FIG. 4 is a flowchart showing an example of the operation of the intermediary device. FIG. 5 is a block diagram schematically showing a modified example system.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

In this embodiment, a server is arranged on the cloud, an information terminal is arranged on the intranet, an intermediary device as an example of a route control device that mediates communication between the server and the information terminal is arranged, and the intermediary device is a server. In a communication system that uses an original communication path (original line) for communication, a simple means for appropriately route control (routing) a packet addressed to a server on the cloud whose IP address changes arbitrarily to the original communication path is provided. It is a thing.

FIG. 1 is a schematic block diagram showing a system of the present embodiment. This system includes a customer system 1 in which an intranet including a LAN such as Ethernet (registered trademark) is constructed.

The customer system 1, which is a remote access system, has a center system 3 built on the cloud and an intermediary device 20 having a proxy function for mediating communication with the intranet side. As an information terminal, a printer 11, a whiteboard 12 having a network function, a projector (PJS) 13, and the like are connected to the intermediary device 20 via an intranet. Further, the intermediary device 20 is connected to the router (FW) 14, and the PC 15 is connected to the router 14.

According to the security policy of the intranet in the customer system 1, the intermediary device 20 communicates with the center system 3 not via the router 14 and the Internet but via a unique communication path. This is due to operational restrictions due to, for example, security requirements.

In the present embodiment, the intermediary device 20 uses a carrier line 2 which is a 3G line as a unique communication path. The server 2a of the carrier line 2 and the center system 3 are connected via IP-VPN.

The original communication path is not limited to the 3G line, but is a communication interface physically different from the intranet such as 3G, LTE, LPWA, or a virtual private such as VPN (Virtual Private Network) constructed on the intranet. It may be a network.

The center system 3 is built on the cloud, has a plurality of information collection servers 3a, and returns the IP address of one of the information collection servers 3a in response to the DNS request to the center system 3. Therefore, the IP address in the response from the center system 3 changes arbitrarily.

The intermediary device 20 is realized by, for example, an application on a PC or an appliance box (small dedicated terminal), and has, for example, a hardware configuration as shown in FIG. That is, in this configuration, the CPU 21 and a storage device such as a RAM 22 or a ROM 23 are connected by a bus 26, and the CPU 21 executes an application that is a program stored in the storage device to perform various functions as described later. The part is realized. Further, the intermediary device 20 has a first interface 24 for communication via an intranet and a second interface 25 for communication via a unique communication path.

Next, the operation of the intermediary device 20 will be described with reference to FIGS. 3 and 4. FIG. 3 is a functional configuration diagram schematically showing the configuration of the mediation device 20 and the flow of signals, and FIG. 4 is a flowchart showing an example of the operation of the mediation device 20.

The information collection proxy 30 of the intermediary device 20 collects device information from devices such as a printer 11 and a projector 13 arranged in the intranet. Hereinafter, a scenario in which the collected data is transmitted from the information collection proxy 30 to the center system 3 will be described.

The information collection proxy 30 solves the destination (IP address) by using the DSN60 registered in itself to collect device information from the device arranged in the intranet, and communicates with the device. This DSN60 is assigned for intranet use, and realizes address resolution in the intranet.

However, this DNS60 does not guarantee name resolution on the Internet side. Therefore, in the present embodiment, the intermediary device 20 uses the DNS 70 for the cloud server for address resolution (URL → IP address) of the information collection server 3a on the cloud. For example, in the case of a 3G line, it is possible to have the DNS information assigned by the provider who has a SIM contract, and it is conceivable to use this DNS.

When the information collection proxy 30 appropriately accumulates information, the information collection proxy 30 uploads the data to the information collection server 3a. At this time, the intermediary device 20 communicates with the IP address of the information collection server 3a using the original communication path as described above.

For this purpose, the intermediary device 20 sets a route control switch 40 for switching the communication path from the information collection proxy 30 between the intranet (first communication path) side and the original communication path (second communication path) side. Have. Further, the intermediary device 20 has a route control controller 50 that controls the route control switch 40.

Next, the operation will be described with reference to the flowchart of FIG. First, when the information collection proxy 30 sends a communication packet to the route control switch 40, the route control mechanism 41 of the route control switch 40 receives the DNS request in step S1. Then, in step S2, the route control mechanism 41 sends a DNS request to the DNS60, and in step S3, the response packet of the DNS60 is extracted.

Then, in step S4, the route control mechanism 41 determines the presence or absence of a DNS response error based on the DNS response. If there is no error in the DNS response, the process proceeds to step S9. On the other hand, if there is an error in the DNS response, the process proceeds to step S5.

In step S5, the route control mechanism 41 inquires of the route control controller 50. In the route control controller 50, the destination verification mechanism 51 having a DNS surrogate function transmits a DNS request to the DNS 70 for a cloud server as a second DNS server in response to an inquiry from the route control mechanism 41.

Next, in step S6, the destination verification mechanism 51 determines the presence or absence of a DNS response error based on the DNS response. If the destination verification mechanism 51 determines in step S6 that there is a DNS response error, the process proceeds to step S12, the DNS response is replied to the information collection proxy 30, and the process ends. If the destination verification mechanism 51 determines in step S6 that there is no DNS response error, the process proceeds to step S7.

In step S7, the route control mechanism 41 refers to the route control rule of the route control switch 40 based on the DNS response in step S5, and the transmission rule (routing rule) corresponding to the IP address in the DNS response is the route. If it is determined that the control rule is not registered, the rule generation mechanism 52 of the route control controller 50 generates a new transmission rule. As described above, the route control mechanism 41 functions as a detection mechanism for detecting a packet whose rule is unknown, that is, a packet to a destination whose transmission rule is not registered in the route control rule. The route control rule includes a transmission rule that defines a transmission route of the packet with respect to the IP address of the destination of the packet.

Next, in step S8, the rule generation mechanism 52 registers a new transmission rule in the route control rule. As a result, a rule for selecting a transmission route via the original communication path is registered in the route control rule as a transmission rule corresponding to the information collection server 3a on the cloud.

After that, the process proceeds to step S9, in which the DNS response is replied from the route control mechanism 41 to the information collection proxy 30. Then, in step S10, the route control mechanism 41 receives a transmission packet from the information collection proxy 30 that has received the DNS response. Then, in step S11, the route control mechanism 41 transmits data according to the transmission rule registered in the route control rule.

At this time, if the packet of data to be transmitted is addressed to an address in the intranet, the route control rule holds the transmission rule via the intranet as a static transmission rule that is permanently held. Therefore, the route control mechanism 41 transmits the packet via the intranet according to this transmission rule.

On the other hand, when the packet of the data to be transmitted is addressed to the information collection server 3a on the cloud, the route control mechanism 41 transmits the packet according to the transmission rule added in step S8. As a result, the packet addressed to the information collection server 3a on the loudspeaker is transmitted via the original communication path.

In the above, an example of transmitting a packet from the information collection proxy 30 is shown. However, for example, when a packet is transmitted from the printer 11, the same routing process is performed, and the intranet and the original communication path are used. Packets can be transmitted by appropriately switching the transmission route.

As described above, according to the present embodiment, when data to be transmitted to the center system 3 on the cloud is transmitted via the original communication path, the route control mechanism 41 controls the corresponding transmission rule. It detects whether or not it is registered in the route control rule of the switch 40, and if it is not registered, a new transmission rule is registered and feedback is given. As a result, it is possible to dynamically control the transmission rule for the packet to the system on the cloud whose corresponding IP address changes, and appropriately control the route to the original communication path. It is preferable that the transmission rule dynamically added by the rule generation mechanism 52 is deleted after a certain period of time in order to maintain the freshness of the registered information.

At this time, in the present embodiment, the information collection proxy 30 is not modified, and by providing the route control mechanism 41 and the route control controller 50 as described above, communication to the system on the cloud via the original communication path is provided. Can be made possible. Therefore, it is easy to apply.

That is, a means of mounting a mechanism of resolving the IP address of the URL and then updating the routing setting in the communication application of the intermediary device 20 is conceivable, but the following disadvantages can be considered.
-It is difficult to modify the program of the developed intermediary device itself. That is, if the intermediary device has been designed exclusively for the intranet, the existing design will be significantly changed in order to support the original line later. Therefore, there is a risk that the development man-hours will be excessive and the quality will deteriorate. In addition, specialized skills related to original communication channels and knowledge about complicated route control are required, and technical hurdles are high. Therefore, it is desirable to realize route control to the original communication path by adding another module without modifying the service application on the intermediary device.
-It is inefficient to update the routing settings for each communication process. Also, if you do it regularly, there is a risk of erroneous transmission depending on the cycle. ・ If there are multiple communication applications, it is redundant to operate the corresponding mechanism for each.

Therefore, instead of improving the existing device as in the present embodiment, the external module for the existing module controls the route of the packet addressed to the server on the cloud whose IP address changes arbitrarily to the original communication path. It is desirable to realize it.

Further, in a general DNS name resolution mechanism, if a request is established in the first inquiry to the DNS server, the name resolution process ends regardless of the success or failure of the name resolution. That is, the inquiry to the DNS 70 for the cloud server in step S5 of FIG. 4 does not occur. Therefore, it is not possible to communicate with a server on the cloud whose name cannot be resolved by DNS for intranet. On the other hand, in the present embodiment, in step S4, a DNS request name resolution failure is detected and an inquiry to the DNS 70 for the cloud server is automatically generated and executed. The DNS response is forwarded to the information collection proxy 30. As a result, the information collection proxy 30 can resolve the name without being aware of the existence of the DNS 70 for the cloud.

Further, if the name can be resolved in step S5, the destination packet needs to be routed to the original line. However, the default gateway is suitable for intranets and cannot be routed to its own line as it is. Therefore, in the present embodiment, the routing rule is generated in step S7 and the routing rule is applied in step S7. Therefore, even if the IP address for the URL of the server on the cloud fluctuates, it is possible to dynamically add a routing rule and route to a unique line.

The above-mentioned processing in the intermediary device 20 of the present embodiment can be realized by causing a computer equipped with the above-mentioned CPU 21 to execute the program. In this case, this program realizes the above control. The program is then recorded on a computer-readable recording medium such as a CD-ROM, flexible disc (FD), CD-R, or DVD (Digital Versaille Disc) as a file in an installable or executable format. Can be provided.

Further, the above program may be stored on a computer connected to a network such as the Internet and provided by downloading via the network. Further, the above program may be configured to be provided or distributed via a network such as the Internet.

Further, the above program may be configured to be provided by incorporating it into the ROM 23 or the like in advance.

The program executed by the intermediary device of the present embodiment has a modular configuration including the above-mentioned parts (route control mechanism 41, destination verification mechanism 51, rule generation mechanism 52, etc.), and the actual hardware is the CPU 21. When the (processor) reads the program from the storage medium and executes it, each of the above-mentioned parts is loaded on the RAM 22 which is the main storage device and is generated.

The above embodiment is an example, and various modifications can be made within the scope of the present invention.

For example, in the above-described embodiment, the information collection proxy 30, the route control switch 40, and the route control controller 50 are arranged inside the intermediary device 20, but they do not need to be arranged in the same device and are separately arranged. It may be placed in the device of.

Further, the route control switch 40 and the route control controller 50 may be arranged on different network nodes so that one route control controller 50 corresponds to a plurality of route control switches 40. As a result, the labor of installation and operation can be reduced.

Further, in the above-described embodiment, the information collection proxy 30 is an example of an application that needs to communicate with both an intranet and a system on the cloud, and does not necessarily have to be a device having an information collection function.

Here, another application example will be described with reference to FIG. FIG. 5 shows a management intermediary device to which the configuration of the route control device (intermediary device 20) of the above-described embodiment that communicates with both an intranet configured by a LAN and a management system 170 that is a system on the cloud can be applied. It is a block diagram which shows the whole structure of the remote management system including 110, 132, and the device 133 with a management intermediary function.

In the remote management system of FIG. 5, the customer system 160a is a system installed at the customer's site. In the customer system 160a, the management intermediary device 110 is connected to the managed system 130 by a LAN. The managed system 130 includes, for example, a plurality of industrial machines 131a such as a processing machine, a conveyor, and an inspection machine, and equipment of a sensor 131b (imaging device, sound collecting device, etc.). The management intermediary device 110 has a firmware update function for updating the firmware provided in each device by using the Internet connection.

Similarly, the customer system 160c is a system installed at another customer's destination. In the customer system 160c, the management intermediary device 110 is connected to a plurality of managed systems 130 by a LAN. Of these, one managed system 130 includes, for example, devices of a plurality of industrial machines 131a and sensors 131b (imaging device, sound collecting device, etc.) such as a processing machine, a conveyor, and an inspection machine, and a management intermediary device 110. A management intermediary device 132 having a similar firmware update function is included.

In the example of FIG. 5, the managed system 130 shows a configuration including a plurality of industrial machines 131a and sensors 131b and one management intermediary device 132, but may be further configured to include other devices. In this customer system 160c, the load becomes large just by installing one management intermediary device 110, so the function for updating the firmware with each industrial machine 131a and sensor 131b in one management target system 130 is management intermediation. The management intermediary device 110 is configured to have a function of centrally performing remote management of a plurality of managed systems 130 by allocating to the device 132 and using a connection with an external management system 170 via an original communication path.

Similarly, the customer system 160b is a system installed at yet another customer. In the customer system 160b, the device with management mediation function 133 (industrial machine 133a and sensor 133b) is connected to the LAN. The device 133 with a management mediation function is an industrial machine 133a or a sensor 133b having a firmware update function similar to that of the management mediation device 110.

The customer systems 160a, 160b, 160c configured as shown in FIG. 5 are connected from the inside to the external management system 170 via a unique communication path. The management system 170 performs remote management of each managed system 130 by using the original communication path.

The management system 170 and the management intermediary device 110 are configured to include general computer elements. That is, at least, it is configured to include a CPU that executes program processing, storage means such as RAM, ROM, and a large-capacity storage device used by this CPU for program processing, and communication means such as a modem and a network interface.

The managed device in the management system is not limited to industrial machines, but communicates with image forming devices, network home appliances, vending machines, medical equipment, industrial machines, power supply devices, air conditioning systems, measuring systems for gas, water, electricity, etc. It may be a device having a function.

For example, examples of industrial machines include processing equipment, inspection equipment, transfer equipment, picking equipment, and the like. Further, it may be an image pickup device or a sound collecting device installed in the vicinity of these devices and for grasping the state of the devices. Industrial machines use various information transmission means such as data format or image format for identification information of the equipment, information on the operating status of the equipment and the presence or absence of abnormal operation, information on the replacement time of consumables, inspection results by the equipment, etc. Use to send to the management device.

Further, for example, examples of the medical device include a fundus examination device, an X-ray examination device, a sphygmomanometer, a body fat meter, a visual acuity meter, a pacemaker, and the like. The medical device transmits the identification information of the device, the operating status of the device, the presence or absence of abnormal operation, the measurement result by the device, and the like to the management device by using various information transmission means such as a data format or an image format.

20 Mediation device 40 Route control switch 41 Route control mechanism 50 Route control controller 51 Destination verification mechanism 52 Rule generation mechanism

JP-A-2017-135508

Claims (5)

For the destination address of a packet, the route for transmitting the packet is used for communication between the first communication path and the server on the cloud according to the route control rule including the transmission rule that defines the transmission route of the packet. A route control switch that switches between the second communication path and
When sending a packet to the route control switch, if there is a DNS response error in the DNS response related to the received DNS request, the transmission rule corresponding to the destination address of the packet detects the packet that is not registered in the route control rule. Detection mechanism and
A verification mechanism that verifies the destination of the packet detected by the detection mechanism,
Based on the verification result by the verification mechanism, a rule generation mechanism for registering a new transmission rule via the second communication path in the route control rule, and
A route control device having. The route control device according to claim 1, wherein the rule generation mechanism deletes the registered transmission rule in a fixed time. The route control switch includes a plurality of route control switches .
The route control device according to claim 1 or 2, wherein the plurality of route control switches and the one rule generation mechanism corresponding to the plurality of route control switches are arranged at different network nodes. For the destination address of a packet, the route for transmitting the packet is used for communication between the first communication path and the server on the cloud according to the route control rule including the transmission rule that defines the transmission route of the packet. The step of switching to and from the second communication path,
When sending a packet, if there is a DNS response error in the DNS response of the received DNS request, the transmission rule corresponding to the destination address of the packet detects the packet whose route control rule is not registered.
The step of verifying the detected destination of the packet and
A step of registering a new transmission rule via the second communication path in the route control rule based on the verification result of the destination, and a step of registering the new transmission rule via the second communication path.
Route control method having. For the destination address of a packet, the route for transmitting the packet is used for communication between the first communication path and the server on the cloud according to the route control rule including the transmission rule that defines the transmission route of the packet. The step of switching to and from the second communication path,
When sending a packet, if there is a DNS response error in the DNS response of the received DNS request, the transmission rule corresponding to the destination address of the packet detects the packet whose route control rule is not registered.
The step of verifying the detected destination of the packet and
A step of registering a new transmission rule via the second communication path in the route control rule based on the verification result of the destination, and a step of registering the new transmission rule via the second communication path.
A program that lets your computer run.

Images