KR101996588B1 - Network bridge apparatus and control method thereof to support arp protocols - Google Patents

Abstract

The present invention is to provide a method for implementing network separation in a subnet without performing such a separate operation, such as modifying the application and changing network settings, and at the same time in the L2 and L3 layer in a separate network By linking separate subnets without supporting configuration changes, ARP can be supported to enable communication between hosts connected to separate subnets.
The present invention provides complete transparency by making the external network and the internal network physically separate from each other but systemically like one connected network by participating in the address resolution process of the ARP protocol. .
The separation network linkage apparatus of the present invention includes an external network linkage server and an internal network linkage server connected by an incompatible protocol. Each of the external network linkage server and the internal network linkage server includes an ARP address determination process manager for changing a source address and a destination address, and a session manager for establishing and managing an ARP session between an application layer.
The present invention transparently supports users to use ARP protocol based services in each network as if they are connected as one in each network. It provides a technique for eliminating clutter and inefficiency.
In addition, the present invention, when configuring a specific network separated subnet, by using the virtual IP address and MAC address to implement the subnet stealth (Subnet Stealth) function so that the existence of a specific segment in another network segment, separation, The present invention relates to a network linkage method that provides a higher level of security and concealment to users of a specific subnet. The network association method according to the present invention can be applied to the network using the IPv4 address and the ARP protocol, as well as the network using the IPv6 address and the Neighbor Discovery Protocol (NDP).

Description

A network connection device supporting ARP protocol and its control method {NETWORK BRIDGE APPARATUS AND CONTROL METHOD THEREOF TO SUPPORT ARP PROTOCOLS}

In the existing network separation environment, a service that uses a specific IP address / port for connection between separate subnets is connected to a service of a specific IP address / port of another subnet that is separated from the network, or operates as a gateway. This is done by translating addresses between two separate networks. Accordingly, work such as modification of a separate network setting or an application and a change of a network setting are required.

The present invention is to provide a method for easily implementing network separation at a relatively low cost and effort within one subnet without performing any additional work such as modifying such applications and changing network settings. In this network, the ARP protocol can be supported to link separate network segments without changing the network configuration at the L2 and L3 layers, thereby enabling communication between network segments separated from the L2 layer.

When a network is separated within one subnet, a host connected to another network segment of the same subnet in the data link layer (L2) is recognized as existing in the same network, thereby directly communicating without passing through a router. To enable this direct communication, all packets sent by each host to a host connected to a separate network segment must be routed by a separate network bridge. To this end, the present invention devised a method for delivering a predetermined hardware address by participating in an address resolution process of a subnet.

More specifically, the present invention applies an address determination process by applying a separated network bridge according to the present invention even without configuring a network setting for separate network separation in a currently used network segment. Resolution Process) Through the processing of ARP request / response packets by the management unit, physical address mapping can be performed between L2 and L3 layers without setting up a separate routing table between physically separated networks. By doing so, network separation can be easily implemented in one subnet.

In addition, the present invention provides a method for supporting the ARP by connecting the subnets between the subnetted network as described above. Systemically, this enables smooth routing between separated network segments even in separate subnet environments, enabling transparent or non-transparent support of TCP / IP-based application services. It ensures that the convenience and efficiency of related network management tasks remain the same as before network separation.

In addition, the present invention, when configuring a separate network segment in a specific subnet, whether or not to separate the separated segment from another subnet or another segment of the same subnet using a virtual IP address and a virtual MAC (Media Access Control) address The present invention relates to a network linkage method that enables a user to implement an unknown subnet stealth function so as to provide a higher level of security to users on a specific subnet.

Recently, as cyber attacks have become more intelligent and the damage caused by the leakage of important information has increased, network separation technology has attracted attention. Network separation technologies have been introduced around national and financial institutions, and institutions and information and communication service providers that handle more than a certain amount of personal information are obliged to separate the work network from the Internet. Here, network separation refers to `` a network blocking measure that separates the internal work network and the external internet network to block illegal access and internal information leakage through the external internet network. ''

In particular, there are many cases of complaints of inconvenience and inefficiency due to frequent breakdowns and processing delays in the network environment among the employees of national and financial institutions that have recently introduced and used the network. Increasingly, there are frequent cases in which the original purpose of network separation is overridden and exposure to security risks occurs even by arbitrarily reconnecting the separated network for business convenience.

In the background technology of the present invention, which aims to solve problems such as inconvenience and inefficiency caused by the introduction of such a network separation network, a routing method and a virtual network between the separated networks using Proxy ARP are proposed. Routing method between separated networks using hardware address, routing method between separated networks using virtual IP address, and virtual MAC address, the system can set virtual MAC address instead of MAC address of Separated Network Bridge. This method includes setting a MAC address or an actual MAC address of another segment.

In addition, the conventional patent using a technology for linking data in a separate network that is the background of the present invention is a TCP streaming of "network-linked gateway, network separation method and computer network system using the same" (Publication No. 10-2013-0109561) Linkage methods.

The problem to be solved by the present invention can be divided into the following.

1. The Challenge of Implementing Network Separation within a Specific Subnet

2. Challenges to Solve ARP Communication Problems

3. Countermeasure in the case of failure of the separated network bridge according to the present invention

For reference, the problem to be solved by the present invention is not the transmission of general data but the address resolution of the L2 and L3 layers. Since it is impossible to communicate data directly because it is a separate network, it is communicated through a disconnected network linkage device without direct communication. However, when network separation between network segments is implemented according to the present invention, it is possible to provide network transparency that makes it appear as if communicating directly at the L2 layer in each server dimension.

In addition, another object of the present invention is to install only the internal and external separation network connection device according to the present invention for a specific security purpose, even in the state without introducing a separate network separation solution in the network currently in use It is easy to configure specific network segments that are separated, while also providing subnet stealth, in which the presence of such network segments is not exposed to the outside world. To provide.

In order to solve the above problems, the present invention proposes the following solution.

1. Network Separation in One Subnet

   Subnet separation in non-manganese networks

   -Zero configuration that does not require network-related settings (Zero configuration)

   Subnet stealth of network segmentation

2. Routing Method between Separate Networks Using Proxy ARP

   -Routing method using MAC address of network connection device (general ARP proxy)

   -Routing Method between Separate Networks Using Virtual Hardware Address

   -Routing Method between Separate Networks Using Virtual IP Address

Here, in the system that can set the virtual MAC address, the Proxy ARP can respond to the ARP request as a method of giving the virtual MAC address instead of the MAC address of the SLA. In this case, the ARP response may be performed in the separation network association apparatus as a method in which the separation network association apparatus has the other party's IP address belonging to the network segment separated by the virtual IP address and the MAC address.

3. In the case of having the actual MAC address in 2, in case of failure of the network connection device, the network service can be maintained by directly connecting the separated network.

4. In 2 above, the static or dynamic IP address and the MAC address may be used, or a combination thereof may be used. When using static tables, you don't have to know what IP addresses are on different network segments, and you can also check if you place a host on the wrong segment. In other words, segment identification by IP address is not necessary and when using host's MAC address, ARP address resolution process in other segments is not necessary.

5. Since the network linkage device according to the present invention does not need to have its own IP address, it provides a hidden function of the network linkage device.

6. The present invention proposes a method for implementing network separation in one subnet without performing an inconvenient task such as modifying such an application and changing network settings, and thus without changing the configuration in L2 and L3 in a separate network. By connecting the separated network segment to support ARP, it is possible to communicate between hosts connected to the separated network segment.

The present invention secures high security in a physically separated network and at the same time system supports the ARP protocol as if several physically separated networks use a service in a single network, thereby making it convenient for a user to perform a task. It aims to provide network linkage methods and technology for building computer network systems to make it possible to maintain the efficiency of performance and management, as well as to reduce the cost of building and managing such networks.

Another object of the present invention is to block the external attack at the source and to prevent the leakage of internal data, and network transparency (network transparency) to make several physically separated networks look like a network connected to each other systemically Network Bridging Technology provides network bridging technology to implement network separation on subnet or to efficiently implement application service using ARP protocol.

In addition, another object of the present invention is to separate the network by installing only the internal and external separation network linkage device for a specific security purpose, even without a separate network separation solution in the sub-network currently in use Subnet Stealth Technology to simplify the configuration of subnetwork To provide.

The effects of the present invention can be seen as follows.

1. It is easy to build and manage network segmentation according to the necessity of network segmentation within one subnet without modifying applications and changing network settings, and also according to specific security requirements. It can conceal separate network segments.

2. By implementing the routing method between the separate networks using Proxy ARP, there is no need to modify any network configuration or application, and it can use the existing network as it is, so the introduction cost is low and the existing work environment is maintained. Integrated management of servers makes them highly efficient and easy to manage.

3. Also, since it is possible to hide a specific network segment that is separated from the network, it is possible to improve security and concealment by providing / using a service without exposing the servers and clients connected to the segment to the outside.

4. If network separation is implemented in the same subnet according to the present invention, since the internal network and the external network are physically separated with respect to a service using the ARP protocol, perfect transparency is provided as necessary, so that the existing service or No modifications are required to the application, and the existing network can be used as it is, resulting in low cost of introduction, high efficiency and easy management because the existing work environment is maintained and the server is integratedly managed.

5. In the present invention, because it uses an incompatible protocol and provides complete transparency, it can fundamentally block attacks from the outside and protect the transmitted data from being leaked to the outside. In addition, it provides the concealment function of the separated network bridge.

FIG. 1 shows the MAC address of the final destination host B in another network segment, although not registered in the Host ARP table when routing using Proxy ARP between network segments separated from the same subnet, according to the present invention. If it is registered in Proxy A of the associated device, it is a flowchart showing the routing method.
FIG. 2 shows that when routing using Proxy ARP between network segments separated from the same subnet according to the present invention, the MAC address of the final destination host B is not registered in the Host ARP table and Proxy A of the SBS in the same network segment. However, if it is registered in Proxy B of the SNS in the separated network segment, the flowchart shows the routing method.
FIG. 3 shows the MAC address of the final destination host B when the routing is performed using Proxy ARP between network segments separated from the same subnet according to the present invention. If it is not registered in Proxy B of the SNS in the network segment, it is a flowchart showing the routing method.
4 is an overall flow chart shown for the three cases.

The ARP protocol is a protocol for mapping IP addresses to MAC addresses in the TCP / IP stack. In the TCP / IP stack, the role of IP addresses is involved in routing and the role of MAC addresses is the addresses used to forward packets. In order to deliver the packet, the ARP packet must be transmitted to the network to find out the MAC address corresponding to the IP address. Proxy ARP may not be able to receive a response to an ARP request under certain network conditions. This is to overcome this problem.

For reference, the general operation of ARP protocol is as follows when IP packet is transmitted.

① Search the routing table to determine the IP address of the next hop path.

② The MAC address of the next hop is retrieved from the ARP table.

  end. Move to ③ if entry does not exist

  I. If the entry already exists, go to ④

③ Send ARP request packet to broadcasting address (FF: FF: FF: FF: FF: FF) and wait for response.

  end. When a reply is received, the MAC address corresponding to the IP address is added to the ARP table.

  I. Ignore if no response.

④ Fill the MAC value of the packet to send.

A detailed embodiment of the present invention will be described with reference to the drawings on the premise of the general operation process as described above. Hereinafter, in the present embodiment, the address determination request signal is a signal for requesting a hardware address (for example, a mac address) corresponding to an IP address, and the address determination response signal indicates a hardware address corresponding to the requested IP address. Means signal. For example, the address resolution request signal and the address resolution response signal according to the IPv4 (nternet protocol version 4) are the request signal and response signal according to the Address Resolution Protocol (ARP), and the address resolution request signal according to the Ethernet Protocol version 6 (IPv6). The response signal may be a request signal and a response signal according to a neighbor discovery protocol (NDP). System 100 to which the separation network linkage device of the present invention is applied is composed of the internal network 10, the separation network linkage device 20 and the external network 30.

As shown in FIG. 5, the external network 10 and the internal network 30 are physically separated. In order to separate the physical network, the network linkage device 20 is connected to an external network connection server (Proxy A) 22 and an internal network connection server (Proxy B) 24 by a compatible or incompatible protocol cable 25. have. In addition, the separation network linkage device 20 according to the present invention provides complete transparency or concealment such that the external network and the internal network are physically separated but systemically look like one connected network.

The external network linking server 22 connected to the external network 10 and the internal network linking server 24 connected to the internal network 30 are connected through the network linking middleware and the high-speed dedicated cable 25 that are not compatible or compatible with the standard network. Send and receive data.

Figure 5 is a block diagram of a separation network linkage apparatus according to the present invention. This schematic is based on the Open Systems Interconnection (OSI) reference model.

As shown in FIG. 5, when the configuration of the separate network interworking device 20 is described in terms of hardware 110a and 110b, the external network interworking server 22 and the internal network interworking server 24 and the compatibility of connecting the servers or The separation network linkage device 20 is configured with an incompatible protocol cable 25. On the other hand, if the configuration of the network connection device 20 is described in terms of the software (120a, 120b), each of the associated server (22, 24) is an address determination process management unit (25a, 25b), packet operation unit (24a, 24b) And a session manager 23a, 23b, and the network connection device 20 to include a data transmitter 130 for data transfer between the application layers 22a and 22b of each of the associated servers 22 and 24. ) Is configured.

The packet manipulators 24a and 24b change the source address and the destination address in the packet layer, and the session managers 23a and 23b change the sessions between the application layers 22a and 22b and the internal and external network servers 10 and 30. Server) and the external network / internal network linked server (22, 24) to manage and establish.

The data transmission unit 130 transfers data from the external network connection server 22 to the internal network connection server 24 or the internal network connection server 24 to the external network connection server 22 using a compatible or incompatible protocol. send. Incompatible protocol refers to a communication protocol other than standard protocols (TCP, IP, Ethernet, etc.) used in TCP / IP-based network communication.

According to one embodiment of the present invention, this incompatible protocol provides fast response speed by directly transmitting data at the application layer using a Remote Direct Memory Access (RDMA) interface. In addition, the session ID is assigned through the session information, thereby managing the connection. Session information includes protocol, source IP, source port, destination IP, destination port, and ARP timeout value.

1. Routing Method Using Proxy ARP Between Separate Network Segments on the Same Subnet

Case 1: When the MAC address of the final destination host B (31) is not registered in the Host ARP table of the original source host 11, but is registered in the network A (Proxy A) in the same network segment (Fig. 1)

In this case, according to an embodiment of the present invention, after checking the IP routing table in the host A (11) to confirm that the Next Hop IP address is the IP address of the host B (31) ( 1-1 ), the host A (11) Search the ARP table to find out whether an entry of a MAC address corresponding to the IP address is registered ( 1-② ). In this case, since the entry of the MAC address is not in the ARP table of the host A 11, the host A 11 broadcasts the ARP request packet on the same network segment ( 1-③ ). As soon as the associated server Proxy A 22 of the network interworking device 20 existing in the same network segment receives the broadcasted ARP request packet ( 1-④ ), it considers the ARP request timeout (ARP REQUEST TIMEOUT). The ARP request packet is transmitted through the data transmission unit 130 to the associated server Proxy B 24 of the network linkage device 20 existing in the opposite network segment by a compatible or incompatible protocol ( 1). -⑤ ). Then, register or update the corresponding network segment of the host A 11 that requested the ARP request packet, the MAC address of the original source host A 11, the current time, etc. in the ARP table of the Proxy A 22 ( 1-⑥ ), the MAC address of Host B31 is retrieved from the ARP table of Proxy A (22) ( 1-⑦ ). In this case, since the MAC address of the final destination host B (31) is registered in the ARP table of Proxy A (22), the addressing process management section (25a) of Proxy A (22) is the network segment, the final destination host B (31). In response to the ARP response packet composed of MAC address, current time, etc., the host A 11 responds ( 1-⑧ ).

After the host A 11 receives the response from the host B 31 ( 1-⑨ ), the host A 11 displays the MAC address of the host B 31 and the current time according to the information of the ARP response packet. registered in the Proxy ARP table (1-⑩), and transmits the IP packets over Ethernet in a given MAC address of the host B (31) from a MAC address of the host a (11) (1-⑪ ). Through this process, the actual data transmission is made from the source host A (11) to the destination host B (31).

Case 2: When the MAC address of the final destination host B is not registered in the Host ARP table and the Proxy of the SNS in the same network segment, but is registered in Proxy B of the SNS in the separated network segment (Fig. 2)

In this case, an embodiment of the present invention, after the search for the IP routing table at the host A (11) determines that the Next Hop IP Address The IP address of the host B (31) (2 -①) , host A (11) Search the ARP table to find out whether an entry of a MAC address corresponding to the IP address is registered ( 2-② ). In this case, since the entry of the MAC address is not in the ARP table of the host A 11, the host A 11 broadcasts the ARP request packet on the same network segment (2- ③ ). In consideration of the association A Proxy Server (22) is immediately (-④ 2) receiving a broadcast an ARP request packet, an ARP request time-out (ARP REQUEST TIMEOUT) of separate network connection device 20 is located in the same network segment, The ARP request packet is transmitted through the data transmission unit 130 to the associated server Proxy B 24 of the divided network interworking device 20 existing in the opposite network segment by a compatible or incompatible protocol (2). -⑤ ). Then, register or update the corresponding network segment of the host A 11 that requested the ARP request packet, the MAC address of the original source host A 11, the current time, etc. in the ARP table of the Proxy A 22 ( 2-6 ), the MAC address of the host B 31 is retrieved from the ARP table of the proxy A 22 (2- ⑦ ). In this case, it does not exist in the ARP table of Proxy A 22. Accordingly, Proxy B 24 receives the ARP request packet transmitted from Proxy A 22 through the data transmission unit 130 ( 2-8 ), and broadcasts the ARP request packet in the corresponding network segment (segment B) ( 2-⑨ ). Then, information such as the MAC address of the host A 11, the MAC address of the originating host A 11, the current time, and the like, which are requested by the addressing process manager 25b of the Proxy B 24, have requested the ARP request packet. It is registered or updated in the ARP table of the Proxy B 24 ( 2-⑩ ), and the MAC address of the host B 31 is retrieved from the ARP table of the Proxy B 24 (2- ⑪ ). In this case, since the MAC address of the final destination host B 31 is registered in the ARP table of the Proxy B 24, the addressing process management section 25a of the Proxy B 24 determines the corresponding network segment and the final destination host B 31. ARP response packet composed of information such as MAC address, current time, etc. is returned to Proxy A 22 through the data transmission unit 130 (2− ⑫ ).

After Proxy A 22 receives the response from Proxy B 24 (2- ⑬ ), the Proxy A 22's address resolution process manager 25a receives the corresponding network segment and host according to the information of the ARP response packet. The MAC address and current time of B 31 are registered in the Proxy ARP table of Proxy A 22 (2- ⑭ ), and an ARP response packet is transmitted to the source host A 11 ( 2-⑮ ). A 11 receives the response from Proxy A 22 ( 2- (16) ), and then receives an IP packet from the MAC address of Host A 11 via the Ethernet. (2- (17) ). Through this process, the actual data transmission is made from the source host A (11) to the destination host B (31).

Case 3: The MAC address of the final destination host B is not registered in the Host ARP table and Proxy B of the SBS in the same network segment as well as Proxy B in the SNS in the separated network segment (FIG. 3). )

In this case, according to an embodiment of the present invention, after checking the IP routing table in the host A (11) to confirm that the Next Hop IP address is the IP address of the host B ( 31-1 ), the host A (11) Search the ARP table to find out whether an entry of the MAC address corresponding to the IP address is registered (3- ② ). In this case, since the entry of the MAC address does not exist in the ARP table of the host A 11, the host A 11 broadcasts an ARP request packet on the same network segment (3- ③ ). In consideration of the association A Proxy Server (22) is immediately (3 -④) receives a broadcast of ARP request packets, ARP requests time out (ARP REQUEST TIMEOUT) of separate network connection device 20 is located in the same network segment, The ARP request packet is transmitted through the data transmission unit 130 to the linking server Proxy B 24 of the network linkage device 20 existing in the opposite network segment by a compatible or incompatible protocol (3). -⑤ ). Then, register or update the corresponding network segment of the host A 11 that requested the ARP request packet, the MAC address of the original source host A 11, the current time, etc. in the ARP table of the Proxy A 22 ( 3-6 ), the MAC address of the host B 31 is retrieved from the ARP table of the proxy A 22 (3- ⑦ ). In this case, it does not exist in the ARP table of Proxy A 22. Accordingly, Proxy B 24 receives the ARP request packet transmitted from Proxy A 22 through the data transmitter 130 ( 3-8 ), and broadcasts the ARP request packet in the corresponding network segment (segment B) ( 3-⑨ ). Then, information such as the MAC address of the host A 11, the MAC address of the originating host A 11, the current time, and the like, which are requested by the addressing process manager 25b of the Proxy B 24, have requested the ARP request packet. It is registered or updated in the ARP table of the Proxy B 24 ( 3-⑩ ), and the MAC address of the host B 31 is retrieved from the ARP table of the Proxy B 24 (3- ⑪ ). In this case, the search of the final destination host B31 fails and waits for an ARP packet response from the host B31. Host B 31 receives the ARP packet request from Proxy B 24 (3- ⑫ ), and the ARP response packet is composed of the corresponding network segment, the MAC address of the final destination host B 31, the current time, and the like. Responds with Proxy B (24) (3- ⑬ ). After Proxy B 24 receives the response from Host B 31 (3- ⑭ ), the Proxy B 24 addresses the same network segment and host in accordance with the information of the ARP response packet in the Address Resolution Process Manager 25b. The MAC address and current time of the B 31 are registered in the Proxy ARP table of the Proxy B 24, and the ARP response packet is transmitted to the Proxy A 22 through the data transmitter 130 ( 3- ( ). Proxy A 22 receives the response from Proxy B 24 ( 3- (16) ), and then, based on the information of the ARP response packet received from Proxy A 22's address resolution process manager 25a, The network segment, the MAC address of the host B 31, and the current time are registered in the Proxy ARP table of the Proxy A 22, and an ARP response packet is transmitted to the source host A 11 ( 3- (17) ). The source host A 11 transmits the IP packet from the MAC address of the host A 11 to the MAC address of the ARP response packet received from the Proxy A 22 via Ethernet (3- (18) ). Through this process, the actual data transmission is made from the source host A (11) to the destination host B (31).

2. Method of using a virtual MAC address in the routing method of FIG. 1 (FIG. 4)

How to give virtual MAC address instead of MAC address of separated network bridge in Proxy ARP

It is used in the case of the system that can set the virtual MAC address, and needs to respond to ARP.

 How to give a new virtual MAC address

 -How to use the other party's real MAC address as a virtual MAC address.

3. Method of using actual MAC address in the routing method of FIG. 1 (FIG. 5)

If you use a real MAC address or a virtual fixed MAC address, you can support DHCP. When using a virtual MAC address, the network connection device converts from a DHCP request / response to a predetermined MAC and delivers it to the other segment. In the case of a real MAC address, it is simply passed.

4. Method of using a virtual IP address in the routing method of FIG. 1 (FIG. 6)

 In this case, the network connection device having the opposite IP address as the virtual IP / MAC address. In this case, the host's operating system responds to the ARP and thus does not require a separate ARP response.

 -How to give an IP address and a new virtual MAC address

 -There is a way to give the real IP address and MAC address of the other network.

In the routing method of 3 and 4, if a real MAC address is provided, a service is available by direct connection in case of failure of the network linkage device. In addition, in this routing method, the IP / MAC address can be used statically or dynamically or a mixture of both.

In the network environment using the ARP, the present invention can disconnect the external network and the internal network by converting between the ARP protocol request of the external network and the ARP protocol response of the internal network to another protocol, thereby preventing external intrusion and internal government leakage in advance. To help.

In particular, the present invention may include the function of a firewall having a DMZ interval of the existing address, port change method or packet filtering method, and since the data transmission using the incompatible protocol is additionally performed in the data transmission unit, the network connection apparatus Even if it is invaded, the intruder can configure a network inside and outside that prevents the intruder from entering the internal network.

If an external intrusion request occurs, it can be rejected or ignored by the network interworking device, which is called a white list or a request that meets certain requirements or criteria. It can be implemented through a so-called black list that only rejects it.

The apparatus for linking a detached network according to an embodiment of the present invention includes an external network linking server (Proxy A) and an internal network linking server (Proxy B). External network connection server and external network are connected by standard network cable and standard TCP / IP protocol, and internal network connection server is also connected by internal network and standard network cable and standard TCP / IP protocol. On the other hand, the external network linking server and the internal network linking server are connected by a compatible or incompatible protocol, and each of the external network linking server and the internal network linking server has an ARP protocol addressing process management unit that manages the addressing of the source address and the destination. Include.

The present invention provides a computer network system including an Internet dedicated client and a business dedicated client as well as such a network connection device. The present invention also provides a network linkage method using a separate network linkage device including an external network linkage server and an internal network linkage server. Here, the external network connection server is connected to the network to which the source host of the ARP request is connected, and the internal network connection server is connected to the network to which the destination host of the ARP request is connected.

2 is a block diagram of a separation network linkage apparatus according to the present invention. System 100 to which the separation network linkage device of the present invention is applied is composed of the external network 10, the separation network linkage device 20 and the inner network 30. The external network 10 allows the service of the internal network 30 to be used for the allowed services.

10: external network
20: Separated Network Bridge
22: External network connection server (Proxy A)
24: Internal network connection server (Proxy B)
22a, 22b: application layer
23a, 23b: session management unit
24a, 24b: packet control panel
25a, 25b: Address Determination Process Management Unit
25: compatible / incompatible protocol cable
30: internal network
11: Host A from origin of ARP request
31: Final destination host for ARP request (Host B)
130: data transmission unit

Claims (10)

A first proxy connected to a first communication network and a second proxy connected to a second communication network, and physically communicate the first communication network and the second communication network while communicating in a non-standard protocol between the first proxy and the second proxy. In the control method performed by the network connection device to be separated by,
(a) when the first proxy receives an address determination request signal according to IPv4 (nethernet protocol version 4) or IPv6 (nternet protocol version 6) from the first communication network, the first proxy transmits an address determination request signal using the non-standard protocol. 2 sending to a proxy;
(b) if the second proxy receives the address determination request signal from the first proxy, whether its own table includes a hardware address corresponding to an IP address included in the address determination request signal received from the first proxy; Determining and generating an address determination response signal including the hardware address if the hardware address is included, and transmitting the generated address determination response signal to the first proxy according to a non-standard protocol;
(c) the first proxy forwarding an address resolution response signal received from the second proxy to the first communication network,
The step (b) may include: (b1) the second proxy receiving an address determination request signal from the first proxy; (b2) the second proxy sending an address determination request signal to the second communication network by broadcasting or multicasting; (b3) determining, by the second proxy, whether the hardware address corresponding to the IP address included in the address determination request signal received from the first proxy is included in its table after step (b2); (b4) if the second proxy includes the corresponding hardware address as a result of the determination of the step (b3), generating the address determination response signal including the corresponding hardware address and transmitting the generated address determination response signal to the first proxy; Control method of the network connection device characterized in that. The method of claim 1,
In step (a), when the first proxy includes a hardware address corresponding to an IP address included in the address determination request signal received from the first communication network in its own table, an address resolution response signal including the corresponding hardware address. And generating and transmitting the generated information to the first communication network. The method of claim 2,
In step (a),
(a1) the first proxy receiving an address determination request signal from the first communication network;
(a2) the first proxy sending an address resolution request signal to the second proxy using the non-standard protocol;
(a3) determining, by the first proxy, whether the hardware address corresponding to the IP address included in the address determination request signal received from the first communication network is included in its table after step (a2);
(a4) if the first proxy includes the corresponding hardware address as a result of the determination of step (a3), generating the address determination response signal including the hardware address and transmitting the generated address determination response signal to the first communication network; Control method of the network connection device characterized in that. delete delete The method of claim 1,
And the first proxy and the second proxy do not have an IP address. The method of claim 1,
The address determination request signal according to the IPv4 (nternet protocol version 4) is a request signal according to ARP (Address Resolution Protocol), and the address determination request signal according to the IPv6 (nternet protocol version 6) is according to the Neighbor Discovery Protocol (NDP). Control method of the network connection device, characterized in that the request signal. A first proxy connected to a first communication network and a second proxy connected to a second communication network, and physically communicate the first communication network and the second communication network while communicating in a non-standard protocol between the first proxy and the second proxy. In the separation network linkage device to separate the
When the first proxy receives an address determination request signal based on Ethernet Protocol version 4 (IPv4) or Ethernet Protocol version 6 (IPv6) from the first communication network, the first proxy sends an address resolution request signal to the second proxy using the non-standard protocol. And when the address determination response signal is received from the second proxy, transmits the received address determination response signal to the first communication network.
When the second proxy receives the address determination request signal from the first proxy, the second proxy determines whether a hardware address corresponding to the IP address included in the address determination request signal received from the first proxy is included in its table. If it is determined that the corresponding hardware address is included, an address determination response signal including the hardware address is generated and transmitted to the first proxy according to a non-standard protocol.
The second proxy transmits the address determination request signal to the second communication network by broadcasting or multicasting when the address determination request signal is received from the first proxy, and then the address received from the first proxy in the own table. It is determined whether the hardware address corresponding to the IP address included in the determination request signal is included. If the determination result includes the hardware address, an address determination response signal including the hardware address is generated to generate the first address. Separation network connection device, characterized in that the transmission to the proxy. The method of claim 8,
When the first proxy includes a hardware address corresponding to an IP address included in the address determination request signal received from the first communication network in its own table, the first proxy generates an address determination response signal including the corresponding hardware address and generates the first address. Separator network connection device, characterized in that for transmitting to the communication network. delete

Images