JP7433944B2 - Information processing device, information processing method and program - Google Patents

Description

The present invention relates to an information processing device, an information processing method, and a program.

Conventionally, an information processing device determines a communication path for network communication based on routing information. There are two types of routing information configuration means: static routing that is manually set by a user, and dynamic routing that is automatically set by an information processing device using a routing protocol. Static routing allows a user to intentionally determine a communication route, and is therefore used when a user wants to fix a communication route for a particular communication. Users who use static routing generally set the destination address, prefix length, and gateway address, and perform maintenance such as adding or deleting settings as necessary. For example, Patent Document 1 proposes means for checking whether a static routing communication destination exists and maintaining the static routing settings according to the check result.

Furthermore, in an endpoint information processing device such as an image forming apparatus that has multiple LAN I/Fs (Interfaces), static routing determines which LAN I/F is used for each communication. Also used as a means.
Note that, similar to static routing settings, there is an address filter as a function that operates by specifying an address and prefix length. The address filter is used as a means for permitting or restricting communication with a specific external device based on the destination address.

Patent application 5-330280

However, while static routing has the feature that a user can clearly set a communication route, there is a concern that the user may make an incorrect setting and the communication route may not be as intended by the user. For example, if 192.168.10.1/24 is specified as the destination at the time of setting, a value is set not only in the 24-bit network part but also in the remaining 8-bit host part. In this case, the specified prefix length may be incorrect. For example, if a user wants to apply a static routing rule to one address, 192.168.168.10.1, it will be applied to 255 addresses, 192.168.10.0/24. The value may be automatically changed and set to the value specified by the user. If the information processing device automatically changes and registers the information in this way, there is a problem in that problems arise from a security perspective, such as communication with a destination other than the user's intention, resulting in information leakage.

However, with conventional network devices, it is assumed that network experts directly edit configuration commands and simple configuration files via a command line, or configure network settings via a simple configuration screen. Therefore, no allowances were considered for the above-mentioned incorrect settings.

One aspect of the present invention is an information processing device capable of communicating with an external device via a communication unit, the display control displaying a screen for inputting network setting information for controlling communication of the communication unit. means, inquiring whether or not to change the IP address to match the prefix length if there is an inconsistency in the combination of the IP address input through the screen and the prefix length for the IP address; A first inquiry means .

According to one aspect of the present invention, it is possible to prevent settings for inputting the address and prefix of an information processing device from being set incorrectly as intended by the user.

1 is a diagram illustrating an example of a system configuration of an information processing system. 1 is a diagram illustrating an example of a hardware configuration of an image forming apparatus. 1 is a diagram illustrating an example of a software configuration, etc. of an image forming apparatus. It is a flowchart concerning static routing setting. It is a figure showing an example of the setting screen concerning static routing setting. It is a flowchart concerning address filter setting. It is a figure showing an example of the setting screen concerning address filter setting based on an IPv4 address.

Embodiments of the present invention will be described below based on the drawings. Note that in describing the embodiment, an image forming apparatus will be used as an example of an information processing apparatus, but a device having a communication function other than the image processing apparatus may be used.

<Embodiment 1>
In the first embodiment, processing related to static routing settings will be described.
(System configuration)
FIG. 1 is a diagram showing an example of the system configuration of an information processing system. In this embodiment, there are four LANs (Local Area Networks), which operate at the addresses shown in Table 1. Image forming apparatus 100 includes two LAN I/Fs and is directly connected to LAN 110 and LAN 120. Further, the image forming apparatus 100 can communicate with the LAN 130 via the router 101 and with the LAN 140 via the router 102. Furthermore, the LAN 130 includes a PC 131 and a PC 131. The LAN 140 includes a PC 141 and a PC 142. The addresses of each device are shown in Table 2. Note that although the LAN 130 and the LAN 140 are different LANs, they are operated in the same address band. Therefore, the image forming apparatus 100 uses static routing settings to determine which device on the LAN 130 or the LAN 140 to communicate with. Therefore, if the static routing settings are not performed as the user intends, communication between the PCs 131 and 141 or between the PCs 132 and 142, which have the same address, will be mistakenly performed to an unintended terminal. There are concerns.

(Hardware configuration)
FIG. 2 is a diagram showing an example of the hardware configuration of the image forming apparatus 100. Note that the hardware configuration in this embodiment is an example, and is not limited to this. Note that in this embodiment, an image forming apparatus having a printing function for printing an image on a sheet and a transmission function for transmitting scan data obtained by reading a document to the outside is exemplified as an example of an information processing apparatus. It is not limited to. The setting control in this embodiment can also be applied to a single-function image processing device having only a transmission function. Furthermore, it can also be applied to setting control of information processing devices such as PCs, network routers, and access point devices that perform wireless communication based on the IEEE802.11 series.
In the image forming apparatus 100, various hardware 201 to 209 are connected via an internal bus 200 and exchange data with each other. CPU 201 controls the overall operation of image forming apparatus 100 . The CPU 201 performs various controls such as print control and scan control by reading and executing a control program stored in the ROM 202 .

The RAM 203 is a non-volatile memory used as a work area for the CPU 201 to execute various programs. The HDD 204 stores image data, various programs, and setting values related to the operation of the image forming apparatus 100. The operation unit 205 includes a display that operates as a touch panel that can be operated with a user's finger, and allows keyboard input. The printer unit 206 prints the image data transferred via the internal bus 200 on paper. The scanner unit 207 transfers image data of the read document via the internal bus 200, stores it in the HDD 204, or transmits it to an external device from the LANI/F 208 or LANI/F 209. The LANI/F 208 communicates with an external device connected to the Ethernet (registered trademark) 110, and can receive print instructions from the external device and send scan data to the external device. Like the LANI/F 208, the LANI/F 209 can also communicate with external devices connected to the LAN 120. LANI/F208 and LANI/F209 are examples of communication units. The image forming apparatus 100 is capable of communicating with external devices via the LANI/F 208 and LANI/F 209. The image forming apparatus 100 can accept the setting of a transmission destination based on a user operation via a transmission function screen (not shown). When a transmission destination is set and an instruction to start transmission is received, the image forming apparatus 100 uses the scanner unit 207 to read the document and generate scan data. The process of the scanner unit 207 is an example of a reading process. Subsequently, the image forming apparatus 100 transmits the data generated based on the generated scan data to the transmission destination set by the user.

Although the present embodiment has a configuration including two LAN I/Fs, the present invention is not limited to this, and any configuration may be used as long as it includes one or more I/Fs. Furthermore, the LAN I/F is not limited to a physical I/F, but may be realized using a logical I/F such as a virtual I/F realized at a software level.

(Functional configuration)
FIG. 3 is a diagram illustrating an example of the software configuration, etc. of the image forming apparatus 100. Note that each processing unit shown in FIG. 3 is realized by the CPU 201 executing the control program 300. Further, the software configuration in this embodiment is an example, and is not limited to this.
The control program 300 is a control program for the entire image forming apparatus 100, and includes a panel control section 301, a data management section 302, a filter management section 303, and a communication control section 304.

The panel control unit 301 performs input/output processing equivalent to the operation unit 205 . For example, the panel control unit 301 passes static routing settings input from the operation unit 205 to the data management unit 302, thereby saving them in a storage device such as the HDD 204. Further, the panel control unit 301 displays screen data acquired from the data management unit 302 on the screen 205, and notifies each processing unit of the control program 300 of an event input from the operation unit 205.
The data management unit 302 performs input processing to the storage devices of the ROM 202 and the HDD 204 in response to requests from each processing unit.

The filter management unit 303 manages control functions related to communication with external devices, such as static routing settings and address filter settings. Upon receiving notification from the panel control unit 301 that static routing information and address filter information have been input, the filter management unit 303 verifies whether there is any inconsistency in the static routing information and address filter information. If a mismatch is detected, the filter management unit 303 displays a message to that effect on the operation unit 205 via the panel control unit 301. Furthermore, when the image forming apparatus 100 is started up, settings are changed, etc., the filter management unit 303 sets static routing information and address filter information in the communication control unit 304.

The communication control unit 304 controls the LANI/F 208 and the LANI/F 209, and controls communication with external devices via the LAN 110 and the LAN 120. For example, the communication control unit 304 reads the configuration information of each LAN I/F from the data management unit 302 and executes the configuration, or the communication control unit 304 reads out the configuration information of each LAN I/F from the data management unit 302 and executes the configuration, or the communication control unit 304 executes the configuration of the external device based on the static routing information and address filter information set from the filter management unit 303. Send and receive data with. The communication control unit 304, which has received the instruction to transmit data based on the scan data to the transmission destination, specifies the IP address corresponding to the transmission destination specified via the transmission function screen. Subsequently, if it is determined that the IP address matches the address filter, it is determined whether or not to perform communication based on the policy described in the address filter. Note that whether or not the rules match the policy is verified based on the order of rules input from the operation unit 205. If multiple rules are defined, the first rule that is determined to match will be applied. If it is determined that communication is to be performed as a result of the verification using the address filter, the communication control unit 304 determines whether the IP address matches the rules for static routing settings. In addition, when determining whether or not an IP address matches a static routing rule, if the IP address matches multiple intelligent routing rules, the routing rule to be applied is uniquely determined based on the law of the longest match. It is determined. If it is determined that any rule registered as static routing is matched, the communication control unit 304. A communication interface to be used as an output destination is specified based on the rule, and data is transmitted via the specified communication interface. If it is determined that the static routing settings do not match, the communication control unit 304 specifies the output destination communication interface according to the law of longest match. That is, the IP address and the subnet of each communication interface are logically ANDed, and data is transmitted via the interface corresponding to the longest matching subnet.

(Flowchart related to static routing settings)
FIG. 4 is a flowchart related to static routing settings. Each operation (step) shown in FIG. 4 and the flowchart of FIG. 6 described later is realized by the CPU 201 calling a program corresponding to each control module stored in the ROM 202 or HDD 204 to the RAM 203 and executing it. In this embodiment, it is assumed that data transmission/reception processing and the like are realized in cooperation with each I/F and each hardware. Furthermore, in cases where it is desired to clearly indicate the software module responsible for the actual processing, the name of each software module that causes the CPU to execute the processing shall be written as the subject, instead of using the CPU as the subject.

In S401, the filter management unit 303 detects that static routing information has been input from the panel control unit 301.
In S402, the filter management unit 303 verifies whether there is a mismatch between the input address and prefix length. The address is the address of the communication destination.

More specifically, the filter management unit 303 separates the address input in S401 into a network part and a host part based on the prefix length, and if there is a value in the host part, it determines that there is a mismatch. judge. The filter management unit 303 determines that there is no inconsistency if the host part does not contain a value. An example of the determination will be explained. The filter management unit 303 generates a bit mask in which the upper bits corresponding to the network address part specified by the prefix length are set to 0, and the lower bits corresponding to the host address part are set to 1. The filter management unit 303 determines that there is no mismatch if the result of the AND operation of the generated bit mask and the input address (IPV4 address) is 0. The filter management unit 303 determines that there is a mismatch if the result is other than 0. If the filter management unit 303 determines that there is no mismatch, the process advances to S408, and if it determines that there is a mismatch, the filter management unit 303 advances the process to S404.

In S404, the communication control unit 304 instructs the panel control unit 301 to display that there is a mismatch between the address input to the input operation unit 205 and the prefix length. The fact that there is a mismatch is an example of predetermined information. The process in S404 is an example of a process for notifying that there is a mismatch. Furthermore, in S405, the filter management unit 303 displays a confirmation screen on the operation unit 205 via the panel control unit 301 to confirm whether or not to change the address that is inconsistent with the prefix length to match the prefix length. The process in S405 is an example of the first inquiry process, which inquires whether the address should be changed according to the prefix length.

In S406, the filter management unit 303 determines whether change has been selected in response to the user's selection via the confirmation screen. If the user selects not to change, the filter management unit 303 ends the process and cancels the setting of static routing information, and if the user selects to change, the process advances to S407.

In S407, the filter management unit 303 changes the address according to the prefix length, and stores the changed data in the data management unit 302. The process of S407 is an example of the first change process of changing the address according to the prefix length.
In S408, the filter management unit 303 sets the address, prefix length, and default gateway address as static routing information to the communication control unit 304. Note that if the static routing setting is canceled, the filter management unit 303 may control the panel control unit 301 to display a message prompting re-input, and return to the input screen again.

Once the static routing is set, the image forming apparatus 100 performs communication control based on the static routing information. For example, if 172.16.10.254 is set as the default gateway of the image forming apparatus 100, communication with 192.168.10.0 will be routed through the default gateway before static routing settings are performed. It is transmitted toward the LAN 140. On the other hand, if static routing settings are made that set the gateway to 192.168.10.0 to 10.0.10.254, communication with 192.168.10.0 will be configured using static routing settings. is transmitted to the LAN 130 based on the following.

(Settings screen related to static routing settings)
FIG. 5 is a diagram showing an example of a setting screen related to static routing settings. In this embodiment, a screen displayed on the operation unit 205 of the image forming apparatus 100 will be explained as an example, but a screen in a web format that can be accessed by external devices connected via the LANI/F 208 and LANI/F 209 will be described. It may be a screen.

FIG. 5(a) is a screen for performing static routing settings. When the user selects the edit button 501, the screen changes to that shown in FIG. 5(b), and static routing information can be added and edited.

FIG. 5(b) is a screen for adding and editing static routing information. When the user inputs values in the address input area 510, prefix length input area 511, and gateway address input area 512 and selects the OK button 513, the process of the static routing setting flowchart shown in FIG. 4 is executed. Ru. Here, when the image forming apparatus 100 detects a mismatch between the values input to the address input area 510 and the prefix length input area 511, the image forming apparatus 100 changes the screen to FIG. 5(c). The process of displaying the screen in FIG. 5(b) is an example of display control process.

FIG. 5(c) is a screen that is displayed when a mismatch between an address and a prefix length is detected in static routing settings. A message indicating that there is an inconsistency in the input value and a confirmation message asking whether to change the prefix length are output on the screen. In this state, if the OK button 520 is selected, the changes output in the confirmation message are implemented. On the other hand, if the cancel button 521 is selected, the setting of static routing information is canceled. Note that if the process is canceled, the screen returns to FIG. 5(b) and prompts the user to input again.

FIG. 5(d) is a screen that displays the set static routing information. The static routing settings set in the settings information display area 530 are displayed. Note that when a mismatch is detected and a change is made, the changed contents are displayed in the setting information display area 530. In other words, if an inconsistent change is made with 192.168.10.1 entered in the address and 24 entered in the prefix length, the address displayed in the setting information display area 530 will be 192.168.10. It becomes .0.

As described above, according to the present embodiment, it is possible to prevent the static routing settings of the image forming apparatus 100 from being set as intended by the user, and it is possible to solve problems from a security perspective.

<Embodiment 2>
In the second embodiment, a case will be described in which a check process is performed on address filter settings. Note that since the software configuration and hardware configuration are the same as those in Embodiment 1, their description will be omitted. Note that the second embodiment can also be combined with the first embodiment. In this case, the image forming apparatus 100 executes the control illustrated in FIG. 4 when setting the static routing, and executes the control illustrated in FIG. 6, which will be described later, when setting the address filter. The address filter settings are, for example, setting information regarding an IP filter that controls whether or not to permit communication using an IP address.

(Flowchart related to address filter routing settings)
FIG. 6 is a flowchart related to address filter setting. This will be explained in detail below.
In S601, the filter management unit 303 detects that address filter information has been input from the panel control unit 301.
In S602, the filter management unit 303 verifies whether there is a mismatch between the input address and prefix length.

In S603, the filter management unit 303 determines whether there is a mismatch between the address and the prefix length as a result of the verification in S602. When the filter management unit 303 determines that there is a mismatch, the process proceeds to S604, and when it determines that there is no mismatch, the process proceeds to S612. The filter management unit 303 separates the input address into a network part and a host part based on the prefix length, and determines that there is a mismatch if the host part contains a value. The filter management unit 303 determines that there is no inconsistency if the host part does not contain a value.
In S612, the filter management unit 303 sets the input address filter information in the communication control unit 304.

In step S604, the filter management unit 303 instructs the panel control unit 301 to display that there is a mismatch between the address input to the operation unit 205 and the prefix length.
Next, in S605, the filter management unit 303 determines whether the default policy of the address filter is denial or permission. If the filter management unit 303 determines that the default policy is denial, the process proceeds to step S606, and if it determines that the default policy is permission, the process proceeds to step S607.

In S606, the filter management unit 303 displays a confirmation screen on the operation unit 205 via the panel control unit 301 to confirm whether or not to change the address that is inconsistent with the prefix length to match the prefix length. The process in S606 is an example of the process for the first inquiry, which inquires whether or not to change the address to match the prefix length. On the other hand, in S607, the filter management unit 303 displays a confirmation screen on the operation unit 205 via the panel control unit 301 to confirm whether or not to change the prefix length that is inconsistent with the prefix length to match the address. The process in S607 is an example of a second inquiry process that inquires whether the prefix length should be changed to match the address.
This is because if the default policy is deny, giving priority to the address value can narrow the address range where communication is permitted, reducing the risk from a security perspective even if the user accidentally sets it. It's for a reason. This is because even if the default policy is permit, giving priority to prefixes can narrow the range of allowed addresses.

In S608, the filter management unit 303 determines whether the user has selected change based on the information received via the panel control unit 301. If the filter management unit 303 determines that the user has selected change, it advances the process to S610, and if it determines that the user has not selected change, it ends the process of the flowchart shown in FIG.
In S610, the filter management unit 303 changes the address according to the prefix length. The process of S610 is an example of the first change process of changing the address according to the prefix length.

On the other hand, in S609, the filter management unit 303 determines whether the user has selected change based on the information received via the panel control unit 301. If the filter management unit 303 determines that the user has selected change, it advances the process to S611, and if it determines that the user has not selected change, it ends the process of the flowchart shown in FIG.
In S611, the filter management unit 303 changes the prefix length according to the address. The process of S611 is an example of the second change process of changing the prefix length according to the address.
In S612, the filter management unit 303 sets the address and prefix length as address filter information in the communication control unit 304.

In this embodiment, a filter related to an IP address is used as an example, but an address filter related to other types of addresses such as a MAC address may be used. Note that when the address filter setting is canceled, the filter management section 303 may control the panel control section 301 to return to the input screen again.

As described above, in the image forming apparatus 100 to which the address filter is applied, the communication control unit 304 allows only network packets with addresses registered as exceptions when the default policy is "reject", and other communications are performed using network packets. is dropped. Furthermore, if the default policy is permission, the communication control unit 304 drops network packets with addresses registered as exceptions, and other communications are permitted.

As described above, according to the present embodiment, it is possible to prevent the address filter settings of the image forming apparatus 100 from being set as intended by the user, and it is possible to solve problems from a security perspective.

(Settings screen related to address filter settings)
FIG. 7 is a diagram showing an example of a setting screen related to address filter settings based on IPv4 addresses. In this embodiment, a screen displayed on the operation unit 205 of the image forming apparatus 100 will be explained as an example, but a screen in a web format that can be accessed by external devices connected via the LANI/F 208 and LANI/F 209 will be described. It may be a screen.

FIG. 7(a) is a screen for adding and editing address filter information. When the user inputs values into address input area 710 and prefix length input area 711 and selects OK button 517, the process of the address filter setting flowchart shown in FIG. 6 is executed. The process of displaying the screen in FIG. 7A is an example of display control process. Here, when the image forming apparatus 100 detects a mismatch between the values input to the address input area 710 and the prefix length input area 711, the image forming apparatus 100 changes the value according to either the address or the prefix length (FIG. 7(b)). ) or display FIG. 7(c).

FIG. 7(b) shows a screen when the prefix length is changed according to the address. More specifically, it is determined whether or not to change the value 24 input into the prefix length input area 711 to 32 in accordance with the address 192.168.10.1 input into the address input area 710. A confirmation message is displayed. In this state, if the OK button 720 is selected, the changes output in the confirmation message are implemented. On the other hand, if the cancel button 721 is selected, the setting of address filter information is canceled. Note that if the process is canceled, the screen returns to FIG. 7A, and the image forming apparatus 100 prompts the user to input again.

FIG. 7(c) shows a screen when the address is changed according to the prefix length. More specifically, in accordance with the value 24 input in the prefix length input area 711, the address 192.168.10.1 input in the address input area 710 is changed to 192.168.10.0. A confirmation message is displayed asking if you want to make the change. In this state, if the OK button 730 is selected, the changes output in the confirmation message are implemented. On the other hand, if the cancel button 731 is selected, the setting of address filter information is canceled. Note that if the process is canceled, the screen returns to FIG. 7A, and the image forming apparatus 100 prompts the user to input again.

(Modified example)
In the first and second embodiments, an example has been described in which one type of change proposal is presented according to the address or prefix length when a mismatch is detected. However, it can be modified as appropriate. For example, in the first embodiment, the IP address input by the user may be given priority, an inquiry screen for modifying the prefix may be displayed, and changes may be accepted via the screen. Further, in the first and second embodiments, it is also possible to display a display item on one inquiry screen that allows the user to select whether to give priority to an IP address or a prefix, so that the user can select.
Furthermore, an embodiment may be adopted in which, when an address or prefix length value is input, an input prohibition on the screen is enabled so that a value that is inconsistent with the other value cannot be input.

<Other embodiments>
The present invention supplies a program that implements one or more functions of the above-described embodiments to a system or device via a network or a storage medium. It can also be realized by a process in which one or more processors in the computer of the system or device read and execute the program. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

Although an example of the embodiment of the present invention has been described in detail above, the present invention is not limited to such specific embodiment.

As described above, according to each of the embodiments described above, it is possible to prevent settings for inputting the address and prefix length of the image forming apparatus 100 from not being configured as intended by the user, and it is possible to solve problems from a security perspective. can.

100 Image forming device 201 CPU
205 Operation section

Claims (13)

An information processing device capable of communicating with an external device via a communication unit,
display control means for displaying a screen for inputting network setting information for controlling communication of the communication unit;
If there is an inconsistency in the combination of the IP address input via the screen and the prefix length for the IP address, a first step of inquiring whether to change the IP address to match the prefix length; means of inquiry ,
An information processing device comprising: An information processing device capable of communicating with an external device via a communication unit,
display control means for displaying a screen for inputting network setting information for controlling communication of the communication unit;
If there is a mismatch in the combination of the IP address input via the screen and the prefix length for the IP address, a second means of inquiry,
An information processing device comprising: If changing the IP address in accordance with the prefix length is selected as a result of the inquiry by the first inquiry unit, the first changing unit may include a first changing unit that changes the IP address in accordance with the prefix length. The information processing device according to claim 1 , characterized in that: If changing the prefix length to match the IP address is selected as a result of the inquiry by the second inquiry means, the apparatus further comprises a second changing means for changing the prefix length to match the IP address. The information processing device according to claim 2 , characterized in that: 2. The network setting information inputted through the screen includes determining means for determining whether or not there is a mismatch in a combination of an IP address and a prefix length for the IP address. 4. The information processing device according to any one of 4 . The determining means separates the network part and the host part based on the prefix length, and determines that there is an inconsistency if the host part contains a value, and determines that there is an inconsistency if the host part does not contain a value. The information processing apparatus according to claim 5 , wherein the information processing apparatus determines that there is no matching. 7. The information processing apparatus according to claim 1, wherein the network setting information is setting information regarding static routing. The information processing device includes a plurality of communication interfaces, a reading means, and transmits data obtained by reading a document with the reading means to the outside through any one of the plurality of communication interfaces. An image processing device that has a transmission function to
Claim 1, further comprising determining means for determining a communication interface to transmit the data based on at least an IP address corresponding to a transmission destination set as a destination of the transmission function and settings regarding static routing. 8. The information processing device according to any one of 7 . The information processing apparatus according to any one of claims 1 to 8 , wherein the network setting information is setting information regarding an IP filter that controls whether or not to permit communication using an IP address. . 10. The information processing apparatus according to claim 1, wherein the information processing apparatus is an image forming apparatus. An information processing method executed by an information processing device capable of communicating with an external device via a communication unit, the method comprising:
a display control step of displaying a screen for inputting network setting information for controlling communication of the communication unit;
If there is an inconsistency in the combination of the IP address input via the screen and the prefix length for the IP address, a first step of inquiring whether to change the IP address to match the prefix length; an inquiry step;
An information processing method characterized by comprising: An information processing method executed by an information processing device capable of communicating with an external device via a communication unit, the method comprising:
a display control step of displaying a screen for inputting network setting information for controlling communication of the communication unit;
If there is a mismatch in the combination of the IP address input via the screen and the prefix length for the IP address, a second an inquiry step;
An information processing method characterized by comprising: A program for causing a computer to function as each means of the information processing apparatus according to claim 1 .

Images