WO2014148483A1 - DNS server device, network machine, communication system, and communication method - Google Patents


Info

Publication number
WO2014148483A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
network
communication
domain name
address
Prior art date
Application number
PCT/JP2014/057310
Other languages
French (fr)
Japanese (ja)
Inventor
秀岳 荻野
良太 廣瀬
Original Assignee
ヤマハ株式会社 (Yamaha Corporation)
Priority date
Filing date
Publication date
Application filed by ヤマハ株式会社 (Yamaha Corporation)
Priority to CN201480016873.XA (CN105144642B)
Publication of WO2014148483A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/64 Hybrid switching systems
    • H04L 12/6418 Hybrid transport

Definitions

  • The present invention relates to a technique for ensuring the confidentiality of data communication by using a VPN (Virtual Private Network).
  • VPN refers to a communication technology that establishes a virtual communication path for encrypted communication between network devices such as routers over a general public network such as the Internet, thereby ensuring the confidentiality of data communication.
  • With a VPN, the confidentiality of data communication can be secured at lower cost than when a dedicated line is used to connect the network devices.
  • Patent Document 1 enables automatic construction of a VPN between bases by registering VPN connection device information in a VPN connection management device and authenticating the VPN connection device itself. More specifically, the network address of the VPN connection device and the identifier of the device are registered in the VPN connection management device, so that the VPN can still be constructed even if the IP (Internet Protocol) address of the VPN connection device changes.
  • When the IP address changes, the VPN connection management device notifies the VPN connection device of the information necessary for the VPN disconnection process and for the reconnection process with the new IP address, and the VPN connection is re-established automatically.
  • In a further technique, a control VPN is constructed by IPsec between a router installed at a base and a control server; the settings for a VPN connection to a router installed at another base are acquired from the control server via the control VPN, and each router establishes the VPN according to the acquired VPN connection settings.
  • The present invention has been made in view of the above-described problems, and its goal is to provide a technique that makes it possible to realize highly confidential data communication using a VPN while reducing the workload of the network administrator.
  • To solve the above problems, the present invention provides a DNS (Domain Name System) server device that has a management table in which one or more domain names assigned to network devices are stored in association with the communication addresses assigned to those network devices, and that provides a domain name service by referring to the management table. The DNS server device is characterized by grouping means that generates a plurality of groups of the network devices whose domain names and communication addresses are stored in the management table, one group for each upper domain included in the domain names, and establishment destination notifying means that, for each of the generated groups to which a plurality of network devices belong, performs an establishment destination notification process notifying each network device in the group of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of a virtual communication path.
  • Various timings can be considered for executing the establishment destination notification process. For example, the process may be executed every time a set of a communication address and a domain name is registered in the management table. In that mode, each network device participating in the VPN simply registers its own domain name and communication address in the DNS server device; without any further work by the network administrator, virtual communication paths are established between the network devices and the VPN is constructed. In addition to (or instead of) executing the process at each registration, the establishment destination notifying unit may, in response to a request from a network device, notify each network device belonging to the requesting device's group of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of the virtual communication path.
  • An aspect in which a program causes a computer to function as the DNS server device and as each of the above-described means is also conceivable.
  • As for the contents of the notification, each network device belonging to a group consisting of a plurality of network devices that share the same upper domain (the domain name with the device unique identifier removed) may be notified of the communication addresses of all the other network devices in the same group as establishment destinations of the virtual communication path (a mesh-type VPN).
  • Alternatively, one of the network devices sharing the same upper domain is selected as the center network device; the center network device is notified of the communication addresses of all the other network devices as establishment destinations, while each of the other network devices is notified only of the communication address of the center network device (a hub-and-spoke VPN).
  • Various modes can be considered for selecting the center network device, for example selecting the network device with the smallest communication address, or the one with the highest processing capability or the lightest processing load.
  • From the network device side, the present invention provides a network device comprising device information notifying means for notifying the DNS (Domain Name System) server device of the communication address and domain name assigned to the device itself, and virtual communication path establishing means for establishing a virtual communication path with another network device based on the communication address of that other network device notified from the DNS server device. If such network devices are installed at each base and connected to a general public network such as the Internet, and the DNS server device of the present invention is also connected to that public network, the network devices are grouped by upper domain, and each network device belonging to a group containing a plurality of network devices is notified of the communication addresses of the other network devices in the same group as the establishment destinations of the virtual communication path.
  • FIG. 1 is a diagram showing a configuration example of a communication system 1 according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing a configuration example of the DNS server device 10 included in the communication system 1.
  • FIG. 3A shows an example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10.
  • FIG. 3B shows another example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10.
  • FIG. 4A shows an example of a VPN network topology (mesh-type VPN) realized under the control of the DNS server device 10.
  • FIG. 4B shows an example of a VPN network topology (hub-and-spoke VPN) realized under the control of the DNS server device 10.
  • A block diagram shows a configuration example of the network devices 20A and 20B included in the communication system 1.
  • A flowchart explains the communication flow in the communication system 1 and the operations of the DNS server device 10, the network device 20A, and the network device 20B.
  • A further figure shows an example of the management table 144b after the operation described below, and a table illustrates modification (3).
  • FIG. 1 is a diagram showing a configuration example of a communication system 1 according to an embodiment of the present invention.
  • the communication system 1 includes a DNS server device 10, a network device 20A, and a network device 20B.
  • the DNS server device 10, the network device 20A, and the network device 20B are connected to a communication network 30 that is a general public network such as the Internet.
  • The DNS server device 10 is a computer device, operated and managed by a DNS operator, that provides DNS (Domain Name System), that is, a service that converts a domain name sent from a client device into the IP address of the network device to which that domain name is assigned and returns it.
  • A domain name is a character string obtained by concatenating, via a delimiter (for example, a period), a character string representing the name assigned to a network device and a character string indicating the name, type, nationality, etc. of the organization (company, school, public institution, etc.) that operates the network device.
  • In the domain name, the part representing the name of the network device is referred to as the device unique identifier, and the remaining part is referred to as the upper domain.
  • the network device 20A and the network device 20B are routers that are operated and managed by an organization (a company in the present embodiment) that is a DNS user, and are installed at each base such as a head office or a branch of the company.
  • Each of the network device 20A and the network device 20B connects the LAN (Local Area Network; not shown in FIG. 1) installed at its base to the communication network 30, so that an in-house information system is formed.
  • A VPN between the network device 20A and the network device 20B ensures the confidentiality of data communication in this in-house information system.
  • the configurations of the network device 20A and the network device 20B are the same, and therefore, when there is no need to distinguish between the two, they are described as “network device 20”.
  • A global IP address (hereinafter simply referred to as “IP address”) that uniquely identifies the network device in the communication network 30 is dynamically allocated by PPPoE to the communication interface unit of the network device 20 on the communication network 30 side.
  • The network device 20 is given a domain name by a network administrator of the company. As described above, this domain name consists of a device unique identifier unique to each network device 20 and an upper domain representing the name of the organization that owns the network device. This domain name and IP address are registered in the DNS server device 10 and are the targets to which DNS is applied.
  • The feature of this embodiment is that, by the DNS server device 10 and the network device 20 executing processing unique to the present invention, a virtual communication path can easily be established between the network device 20A and the network device 20B, and a VPN can easily be constructed.
  • the DNS server device 10 and the network device 20 that remarkably show the features of the present embodiment will be mainly described.
  • FIG. 2 is a block diagram illustrating a configuration example of the DNS server device 10.
  • The DNS server device 10 includes a control unit 110, a communication interface (hereinafter abbreviated as “I/F”) unit 120, a user I/F unit 130, a storage unit 140, and a bus 150 that mediates data transfer between these components.
  • the control unit 110 is, for example, a CPU (Central Processing Unit).
  • the control unit 110 functions as a control center of the DNS server device 10 by executing the server program 144a stored in the storage unit 140 (more precisely, the nonvolatile storage unit 144). Details of processing executed by the control unit 110 in accordance with the server program 144a will be clarified later.
  • the communication I / F unit 120 is, for example, a NIC (Network Interface Card) and is connected to the communication network 30.
  • the communication I / F unit 120 receives the data block transmitted from the communication network 30 and delivers it to the control unit 110, while sending the data block delivered from the control unit 110 to the communication network 30.
  • An example of the data block is a packet transmitted / received according to IP.
  • the user I / F unit 130 includes a display device such as a liquid crystal display and an input device such as a keyboard and a mouse. On the display device of the user I / F unit 130, an input screen for inputting a domain name or an IP address of a network device to which DNS is applied is displayed.
  • the input device of the user I / F unit 130 is for allowing the operation manager to input various instructions and the domain name and IP address.
  • Although both the display device and the input device are included in the user I/F unit 130 here, either one (or both) may of course be a separate device connected to the DNS server device 10.
  • the storage unit 140 includes a volatile storage unit 142 and a nonvolatile storage unit 144 as shown in FIG.
  • the volatile storage unit 142 is, for example, a RAM (Random Access Memory).
  • the volatile storage unit 142 is used by the control unit 110 as a work area when executing various programs.
  • the non-volatile storage unit 144 is, for example, a hard disk.
  • the non-volatile storage unit 144 stores a server program 144a and a management table 144b.
  • FIG. 3A shows an example of the management table 144b.
  • The management table 144b stores, grouped for each upper domain, the device unique identifier and the upper domain included in the domain name of each network device, the IP address of the network device, and the password used for authenticating whether the device is a target to which DNS is applied.
  • DNS is provided based on the contents stored in the management table 144b. For example, when a packet inquiring the IP address of the network device whose domain name is “router1.company.example.jp” is received from a client device, the DNS server device 10 returns a packet whose payload portion carries the IP address (“AAAA” in the example shown in FIG. 3A) stored in the management table 144b in association with the upper domain “company.example.jp” and the device unique identifier “router1”.
  • Registration of the various pieces of information (upper domain, device unique identifier, IP address, and password) about one network device in the management table 144b is performed in stages, as follows.
  • First, upon receiving an application for registration of an upper domain from a DNS user, the DNS operator checks whether the registration requirements are met, for example whether the same upper domain has already been registered and whether the applied-for upper domain violates public order and morals, and, if they are met, generates a password to be issued to the user. The DNS operator then writes the password and the upper domain in association with each other in the management table 144b, writes the password in a document notifying the completion of registration, and returns it to the registration applicant.
  • Next, when the DNS server device 10 receives, from a network device of the registration applicant (that is, the DNS user), a registration request packet whose payload portion carries the domain name of the network device and a character string generated from the domain name and the password by a predetermined one-way hash function (hereinafter referred to as the authentication character string), it executes the device information registration process.
  • In the device information registration process, the control unit 110 first reads the domain name and the authentication character string written in the payload portion of the received registration request packet and uses them to authenticate the transmission source of the packet. The specific contents of this authentication process will be made clear when the server program 144a is described.
  • When authentication succeeds, the control unit 110 writes the device unique identifier included in the domain name and the transmission source address of the packet in the management table 144b in association with the upper domain included in the domain name. As a result, all the information necessary for providing DNS (device unique identifier, upper domain, and IP address) is present, and DNS can be provided for that network device.
  • FIG. 3B shows another specific example of the management table 144b.
  • In this example, the IP address and password of each network device are stored in association with the domain name of the network device to which DNS is applied, as in a general DNS server device, which differs from the management table 144b shown in FIG. 3A.
  • Either the configuration shown in FIG. 3A or that shown in FIG. 3B may be used for the management table 144b. In the present embodiment, the configuration shown in FIG. 3A is adopted.
  • The management table 144b also stores address range information in association with the information on each network device (that is, upper domain, device unique identifier, IP address, and password).
  • The address range information indicates the range of IP addresses, uniquely assigned by the DNS server device, to be used in the LAN under the control of a network device.
  • the server program 144a is software for causing the control unit 110 to implement DNS.
  • the control unit 110 reads the server program 144a from the non-volatile storage unit 144 to the volatile storage unit 142 and starts executing it when the power (not shown) of the DNS server device 10 is turned on.
  • the control unit 110 operating according to the server program 144a executes four types of processing: domain registration processing, device information registration processing, address resolution processing, and establishment destination notification processing.
  • The domain registration process is the process by which the operation administrator or the like registers the upper domain for which a DNS user has applied and the password described above.
  • The control unit 110 operating according to the server program 144a starts this process when instructed, via the user I/F unit 130, to start execution of the domain registration process. It causes the display device to show an input screen prompting for the upper domain and password, and writes the upper domain and password entered via the user I/F unit 130 into the management table 144b in association with each other.
  • the device information registration process is a process that is executed when the registration request packet is received via the communication I / F unit 120.
  • In this process, the control unit 110 reads the domain name and the authentication character string written in the payload portion of the packet and authenticates whether the network device that transmitted the packet is a device to which DNS is applied.
  • Specifically, the control unit 110 searches the management table 144b using the upper domain included in the domain name read from the payload portion of the received registration request packet as a search key, and obtains the password corresponding to that upper domain.
  • The control unit 110 then generates an authentication character string from the domain name and the password using the above-described one-way hash function (the same one-way hash function used in the network device).
  • The control unit 110 compares the authentication character string generated in this way with the one read from the payload portion of the received registration request packet, and if they match, authenticates the source of the registration request packet as a DNS application target.
  • When the authentication result indicates a DNS application target, the control unit 110 writes the transmission source address from the header portion of the received registration request packet and the device unique identifier included in the domain name in the management table 144b in association with the corresponding upper domain and password pair.
  • In the present embodiment the management table 144b has the configuration shown in FIG. 3A, so executing the device information registration process stores the domain names and communication addresses of the network devices in the management table 144b grouped by upper domain. That is, the server program 144a of the present embodiment causes the control unit 110 to function as a grouping unit that performs this grouping.
  • When the management table 144b with the configuration shown in FIG. 3B is used, only the IP address need be registered according to the authentication result, and the grouping by upper domain may be executed as a pre-process when the establishment destination notification process is executed.
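The registration steps above (domain registration, the registration request packet, the device information registration process, and the address resolution of the “router1.company.example.jp” example) as an added Python example; this is not the patent's or Yamaha's code. The hash construction (SHA-256 over the domain name and password joined by “|”), the data-class layout, the documentation addresses and the function names are assumptions. Because the authentication character string, as the text describes it, is computed only from the static domain name and password, and the recorded address is the packet's source address, the example also shows that a captured registration request resent from another address is accepted and overwrites the registered address.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Added example, not code from the patent. The hash construction (SHA-256 over
# "<domain name>|<password>") is an assumption; the text only says a predetermined
# one-way hash function is applied to the domain name and the password.


def split_domain_name(domain_name: str) -> tuple[str, str]:
    """Split 'router1.company.example.jp' into the device unique identifier
    ('router1') and the upper domain ('company.example.jp')."""
    device_id, _, upper_domain = domain_name.partition(".")
    if not device_id or not upper_domain:
        raise ValueError(f"domain name lacks a device id or upper domain: {domain_name!r}")
    return device_id, upper_domain


def authentication_string(domain_name: str, password: str) -> str:
    """The one-way hash shared by network device and DNS server (assumed SHA-256)."""
    return hashlib.sha256(f"{domain_name}|{password}".encode()).hexdigest()


@dataclass
class RegistrationRequest:
    source_address: str  # read from the IP header, not from the payload
    domain_name: str     # payload
    auth_string: str     # payload


def build_registration_request(source_address: str, domain_name: str, password: str) -> RegistrationRequest:
    """Device information transmission process on the network device side."""
    return RegistrationRequest(source_address, domain_name, authentication_string(domain_name, password))


@dataclass
class ManagementTable:
    """FIG. 3A layout: per upper domain, the password issued at domain registration
    and the registered devices (device unique identifier -> IP address)."""
    passwords: dict[str, str] = field(default_factory=dict)
    devices: dict[str, dict[str, str]] = field(default_factory=dict)

    def domain_registration(self, upper_domain: str, password: str) -> None:
        """Domain registration process (performed by the DNS operator)."""
        self.passwords[upper_domain] = password
        self.devices.setdefault(upper_domain, {})

    def device_info_registration(self, req: RegistrationRequest) -> bool:
        """Device information registration process. Returns True if the source
        was authenticated and its address recorded."""
        device_id, upper_domain = split_domain_name(req.domain_name)
        password = self.passwords.get(upper_domain)
        if password is None:
            return False  # upper domain was never registered
        expected = authentication_string(req.domain_name, password)
        if not hmac.compare_digest(expected, req.auth_string):
            return False  # wrong password: not a DNS application target
        self.devices[upper_domain][device_id] = req.source_address
        return True

    def resolve(self, domain_name: str) -> str | None:
        """Address resolution process: domain name -> IP address, or None."""
        device_id, upper_domain = split_domain_name(domain_name)
        return self.devices.get(upper_domain, {}).get(device_id)


def demo() -> tuple[bool, bool, bool, bool, str | None]:
    """Constructed walk-through: one registered upper domain, one good request,
    two rejected requests, then a replay of the good request from another address."""
    table = ManagementTable()
    table.domain_registration("company.example.jp", "password")
    captured = build_registration_request("192.0.2.11", "router1.company.example.jp", "password")
    good = table.device_info_registration(captured)
    wrong_pw = table.device_info_registration(
        build_registration_request("192.0.2.12", "router2.company.example.jp", "wrong"))
    unknown = table.device_info_registration(
        build_registration_request("192.0.2.13", "r.nowhere.example.jp", "password"))
    # The authentication character string depends only on the static domain name
    # and password, and the address recorded is the IP header's source address,
    # so the same payload resent from another address is accepted as well.
    replayed = table.device_info_registration(
        RegistrationRequest("198.51.100.9", captured.domain_name, captured.auth_string))
    return good, wrong_pw, unknown, replayed, table.resolve("router1.company.example.jp")


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so that the server's match check does not leak timing information about the expected string; the rest follows the page's description literally, including the points it leaves open (no nonce or timestamp in the authentication character string, source address taken from the header).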
  • The establishment destination notification process is executed every time a combination of a domain name and an IP address is registered in the management table 144b (in the present embodiment, every time the device information registration process is executed).
  • In this process, the control unit 110 takes as processing targets the groups to which a plurality of network devices belong and in which the number of network devices or the device information has changed, and notifies each network device belonging to a processing target group of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of the virtual communication path. That is, the server program 144a of the present embodiment causes the control unit 110 to function as an establishment destination notifying unit executing the establishment destination notification process, which is the most characteristic feature of this embodiment.
  • When the management table 144b with the configuration shown in FIG. 3B is used, the establishment destination notification process may be executed after the device information registration process, once grouping by upper domain has been performed.
  • In this example, the control unit 110 notifies the establishment destination of the virtual communication path only to the network devices whose upper domain is “university.example.jp”, because there is only one network device whose upper domain is “company.example.jp” and only one whose upper domain is “club.example.jp”.
  • various modes can be considered for the way of notifying the establishment destination of the virtual communication path to the network device whose upper domain is “university.example.jp”.
  • For example, to construct a mesh-type VPN, each network device may be notified of the IP addresses and address range information of all the other network devices belonging to the same group.
  • To construct the hub-and-spoke VPN shown in FIG. 4B, the network device that is the center of the VPN (in the example of FIG. 4B, the network device whose device unique identifier is place1) is notified of the IP addresses and address range information of all the other network devices belonging to the same group, while each of these other network devices is notified of the IP address and address range information of the center network device.
  • Various methods can be considered for selecting the center network device of a hub-and-spoke VPN, for example selecting the network device with the lowest IP address, or the one whose device unique identifier comes first in dictionary order.
  • Alternatively, the network device 20 may write information indicating its own processing capability, or the processing load currently on it, in the payload portion of the registration request packet and send it to the DNS server device 10; the DNS server device 10 writes that information in the management table 144b and selects the network device with the highest processing capability (or the lightest processing load) as the center of the hub-and-spoke VPN.
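The grouping unit and the establishment destination notification process, with both notification modes (mesh and hub-and-spoke) and the three center selection modes described above, as an added Python example that is not the patent's or Yamaha's code. The table contents (three devices under university.example.jp, one each under company.example.jp and club.example.jp), the addresses, the address ranges and the `capability` values are constructed; the function names are assumptions. The last function follows the flow described later on the page, where the registration of router2.company.example.jp turns company.example.jp into a two-member group that is then notified.

```python
from __future__ import annotations

import ipaddress

# Added example, not code from the patent. Table contents, addresses and
# address ranges are constructed; 'capability' stands for the optional
# processing-capability value a device may put in its registration request.

# FIG. 3B-style flat table: domain name -> device information.
TABLE: dict[str, dict] = {
    "place1.university.example.jp": {"ip": "198.51.100.20", "range": "10.1.0.0/24", "capability": 2},
    "place2.university.example.jp": {"ip": "198.51.100.5", "range": "10.2.0.0/24", "capability": 8},
    "place3.university.example.jp": {"ip": "198.51.100.100", "range": "10.3.0.0/24", "capability": 5},
    "router1.company.example.jp": {"ip": "192.0.2.11", "range": "10.10.0.0/24"},
    "club1.club.example.jp": {"ip": "203.0.113.7", "range": "10.20.0.0/24"},
}


def split_domain_name(domain_name: str) -> tuple[str, str]:
    """'place1.university.example.jp' -> ('place1', 'university.example.jp')."""
    device_id, _, upper_domain = domain_name.partition(".")
    return device_id, upper_domain


def group_by_upper_domain(table: dict[str, dict]) -> dict[str, dict[str, dict]]:
    """Grouping unit: {domain name: info} -> {upper domain: {domain name: info}}."""
    groups: dict[str, dict[str, dict]] = {}
    for name, info in table.items():
        groups.setdefault(split_domain_name(name)[1], {})[name] = info
    return groups


def select_center(members: dict[str, dict], mode: str) -> str:
    """Pick the hub of a hub-and-spoke VPN by one of the selection modes in the text."""
    if mode == "lowest_ip":
        # Compare as addresses, not strings: "198.51.100.100" sorts before
        # "198.51.100.5" as text but is the larger address.
        return min(members, key=lambda n: ipaddress.ip_address(members[n]["ip"]))
    if mode == "lowest_id":  # device unique identifier first in dictionary order
        return min(members, key=lambda n: split_domain_name(n)[0])
    if mode == "highest_capability":
        return max(members, key=lambda n: members[n].get("capability", 0))
    raise ValueError(f"unknown center selection mode: {mode}")


def _destination(info: dict) -> tuple[str, str]:
    return info["ip"], info["range"]


def establishment_destinations(table: dict[str, dict], topology: str = "mesh",
                               center_mode: str = "lowest_ip") -> dict[str, list[tuple[str, str]]]:
    """Establishment destination notification process: for every group with two
    or more members, what each member is told to build virtual communication
    paths to, as (peer IP address, peer address range). Single-member groups
    receive nothing."""
    notices: dict[str, list[tuple[str, str]]] = {}
    for members in group_by_upper_domain(table).values():
        if len(members) < 2:
            continue
        ordered = sorted(members)
        if topology == "mesh":
            for name in ordered:
                notices[name] = [_destination(members[p]) for p in ordered if p != name]
        elif topology == "hub_and_spoke":
            hub = select_center(members, center_mode)
            notices[hub] = [_destination(members[p]) for p in ordered if p != hub]
            for name in ordered:
                if name != hub:
                    notices[name] = [_destination(members[hub])]
        else:
            raise ValueError(f"unknown topology: {topology}")
    return notices


def after_router2_registers(table: dict[str, dict]) -> dict[str, list[tuple[str, str]]]:
    """Once router2.company.example.jp registers (constructed address), the
    company.example.jp group has two members and both are notified."""
    updated = dict(table)
    updated["router2.company.example.jp"] = {"ip": "192.0.2.22", "range": "10.11.0.0/24"}
    return establishment_destinations(updated, "mesh")


if __name__ == "__main__":
    for topo in ("mesh", "hub_and_spoke"):
        print(topo, establishment_destinations(TABLE, topo))
    print(after_router2_registers(TABLE))
```

Running the block with the constructed table shows the behaviour the text describes: only university.example.jp is notified at first, the hub chosen by lowest IP address differs from the one chosen by device identifier order, and registering a second company.example.jp device causes that group to be notified as well.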
  • the above is the configuration of the DNS server device 10.
  • the network device 20 includes a control unit 210, a first communication I / F unit 220, a second communication I / F unit 230, a storage unit 240, and a bus 250 that mediates data exchange between these components.
  • the control unit 210 is a CPU, like the control unit 110, and functions as a control center of the network device 20.
  • the first communication I / F unit 220 and the second communication I / F unit 230 are NICs.
  • the first communication I / F unit 220 is connected to the communication network 30, and the second communication I / F unit 230 is connected to the LAN in the base where the network device 20 is installed.
  • the storage unit 240 includes a volatile storage unit 242 and a nonvolatile storage unit 244.
  • the nonvolatile storage unit 244 stores a client program 244a.
  • The client program 244a is a program for causing the control unit 210 to realize the original functions of the network device 20 (in this embodiment, setting support processing by which a network administrator sets the various parameters for data communication via the communication network 30, and transfer control processing of packets based on their destination addresses).
  • Specific examples of these parameters include the IP address of the DNS server device 10, the domain name (device unique identifier and upper domain) given to the network device 20, and the password.
  • These parameters set in the setting support process are stored in the nonvolatile storage unit 244.
  • the control unit 210 reads the client program 244a from the non-volatile storage unit 244 to the volatile storage unit 242 and starts executing it when the network device 20 is powered on (not shown).
  • the control unit 210 operating according to the client program 244a executes device information transmission processing and virtual communication path establishment processing in addition to the setting support processing and transfer control processing.
  • The setting support processing is executed when a parameter setting instruction is given from another computer device (for example, a personal computer) connected to the LAN to which the network device 20 is connected. The transfer control processing is executed when a packet is received via the first communication I/F unit 220 or the second communication I/F unit 230. Since neither differs in particular from that of a general router, detailed description is omitted.
  • The device information transmission process is executed when a transmission instruction for the registration request packet is given. On receiving this instruction, the control unit 210 generates the registration request packet described above and sends it to the communication network 30 via the first communication I/F unit 220. In the header portion of the packet, the IP address of the DNS server device 10 is written as the transmission destination address and the IP address assigned to the first communication I/F unit 220 by PPPoE or the like is written as the transmission source address; in the payload portion, character string data representing the domain name assigned to the network device 20 and the authentication character string generated from that domain name and the password are written.
  • The virtual communication path establishment process presents the IP address notified from the DNS server device 10 to the network administrator as the establishment destination of a virtual communication path, has the network administrator set the various parameters used for establishing the virtual communication path with that destination, and establishes the virtual communication path according to those parameters. It is executed every time the DNS server device 10 notifies an IP address of an establishment destination, and once for each IP address when a plurality of IP addresses are notified.
  • the above is the configuration of the network device 20.
  • In the following, the IP address of the DNS server device 10 has been set in the network device 20B, and “BBBB” has been assigned as the IP address of its first communication I/F unit 220 by PPPoE.
  • the control unit 210 of the network device 20B executes a device information transmission process triggered by a registration request packet transmission instruction given by a network administrator or the like (step SA100).
  • the control unit 210 of the network device 20B reads the domain name, password, IP address of the local device and the DNS server device 10 stored in the nonvolatile storage unit 244, and generates the above-described registration request packet. Then, the first communication I / F unit 220 transmits it to the communication network 30.
  • In the header portion of this registration request packet, the IP address of the DNS server device 10 is written as the transmission destination address and the IP address “BBBB” as the transmission source address; the payload portion carries a character string representing the domain name of the network device 20B (router2.company.example.jp) and an authentication character string generated by the one-way hash function from that domain name and the password (“password”).
  • the registration request packet transmitted from the network device 20B is routed by another network device included in the communication network 30, and reaches the DNS server device 10.
  • when the control unit 110 of the DNS server device 10 receives the registration request packet via the communication I/F unit 120, it authenticates the sender using the domain name and the authentication character string contained in the payload part of the packet (step SB100). As described above, in this authentication process the control unit 110 generates, with the one-way hash function, an authentication character string from the domain name included in the payload and the password stored in the management table 144b in association with the upper domain included in that domain name, and compares it with the authentication character string included in the payload.
  • the domain name included in the payload portion of the registration request packet that the control unit 110 receives from the network device 20B is “router2.company.example.jp”, and the upper domain included in that domain name is “company.example.jp”.
  • the authentication character string included in the payload portion is generated by a one-way hash function using the domain name and the password “password”.
  • the password stored in the management table 144b in association with the upper domain “company.example.jp” is “password”.
  • the same one-way hash function is used in the DNS server device 10 and the network device 20B.
  • the determination result in step SB100 is therefore “Yes” (i.e., authentication OK), and the control unit 110 executes the device information registration process (step SB110).
  • the contents stored in the management table 144b are updated to the contents shown in FIG.
  • the control unit 110 then performs the establishment destination notification process (step SB120) described above.
  • a group of network devices whose upper domain is “university.example.jp” and a group of network devices whose upper domain is “company.example.jp”. Each of these groups is a “group consisting of a plurality of network devices”.
  • the number of network devices belonging to the former group does not increase or decrease, and its device information does not change. For this reason, only the latter group becomes the processing target group, and notification of the establishment destinations of virtual communication paths is performed only for it. In more detail, as shown in FIG.
  • the network device 20A is notified of the IP address and address range information of the network device 20B, and the network device 20B is notified of the IP address and address range information of the network device 20A. Then, in each of the network devices 20A and 20B, the virtual communication path establishment process (step SA110A and step SA110B) is executed based on the information notified from the DNS server device 10, and a virtual communication path is established between the network devices 20A and 20B.
  • a virtual communication path is established between the network device 20A and the network device 20B, and a VPN is constructed.
  • the point to be noted here is that even when a new network device is introduced, as in the above operation example, the network administrator does not have to select the network device that becomes the establishment destination of the virtual communication path or investigate the address ranges assigned to the communication devices under each network device. For this reason, even when a network device 20 is newly installed, the network administrator can leave construction of the environment to a user with little network knowledge (for example, a general user who works at the site).
  • since the settings of the existing sites are changed automatically, the network administrator does not need to travel to another site and change its settings when a network device is newly installed.
  • the communication system 1 includes two network devices (network devices 20A and 20B), but it is needless to say that three or more network devices may be included.
  • network devices are grouped in a higher domain obtained by removing a device unique identifier from a domain name assigned to each network device.
  • the network devices may instead be grouped using only the domain that represents the name of the organization that owns them. The point is that the network devices may be grouped by any domain included in the domain name assigned to each network device.
  • a group to which a plurality of network devices belong and in which the number of belonging network devices or the device information has changed is set as the processing target group.
  • a group to which a plurality of network devices belong may always be set as a processing target group, regardless of whether the number of belonging network devices or the device information has changed.
  • the establishment destination notification process is executed by the control unit 110 in response to execution of the device information registration process (that is, an update of the stored contents of the management table 144b). In addition to, or instead of, this, the control unit 110 may be caused to execute the establishment destination notification process in response to a request from a network device 20, with the group to which that network device 20 belongs as the processing target group.
  • the control unit 210 of the network device 20 may be caused to transmit the packet in response to a transmission instruction from a network administrator or the like, or the packet may be transmitted at fixed time intervals (that is, periodically).
  • when the stored contents of the management table 144b are those shown in FIG. 7 and the hub-and-spoke VPN shown in FIG. 8A is in place, and a registration request packet containing the domain name “place5.university.example.jp” and the authentication information corresponding to the upper domain “university.example.jp” is received from the network device 20A, the stored contents of the management table 144b are updated as shown in FIG. 8B. Based on the updated contents of the management table 144b, the VPN is reconstructed so as to additionally establish the virtual communication path indicated by the dotted line in FIG. 8A.
  • in this way, data communication with ensured confidentiality becomes possible between the organization whose upper domain is “university.example.jp” and the organization whose upper domain is “company.example.jp”.
  • a server program that causes the control unit 110 of the DNS server device 10 to execute the processing characteristic of the present invention is stored in advance in the nonvolatile storage unit 144.
  • the program may be distributed written on a computer-readable recording medium such as a CD-ROM (Compact Disc Read Only Memory), or may be distributed by download over a telecommunication line such as the Internet.
  • a general computer can be made to function as the DNS server device 10 of the above embodiment.
  • the client program 244a may be distributed by being written on a computer-readable recording medium, or may be distributed by downloading via a telecommunication line such as the Internet.
  • DESCRIPTION OF SYMBOLS 10 ... DNS server device, 20A, 20B ... network device, 110, 210 ... control unit, 120 ... communication I/F unit, 130 ... user I/F unit, 220 ... first communication I/F unit, 230 ... second communication I/F unit, 140, 240 ... storage unit, 142, 242 ... volatile storage unit, 144, 244 ... nonvolatile storage unit, 150, 250 ... bus, 30 ... communication network.


Abstract

The purpose is to make it possible to achieve highly confidential data communication by using a VPN without imposing an excessive workload on the user of a network device or on the network administrator. A DNS server device is made to execute a process in which the network devices whose domain names and communication addresses are stored in the management table of the DNS server device are grouped by upper domain, and each network device in a group to which a plurality of network devices belong is notified of the communication addresses of the other network devices belonging to the same group as the communication addresses of the destinations with which virtual communication paths are to be established.

Description

DNS server device, network device, communication system, and communication method
The present invention relates to a technique for ensuring the confidentiality of data communication by using a VPN (Virtual Private Network).
VPN refers to a communication technology that establishes a virtual communication path for encrypted communication between network devices such as routers over a general public network such as the Internet, and thereby ensures the confidentiality of data communication. By using a VPN, the confidentiality of data communication can be ensured at lower cost than when a dedicated line is used to connect the network devices.
When the confidentiality of data communication is to be ensured by constructing a VPN, work such as setting, in each network device, the communication addresses of the network devices at the other sites with which virtual communication paths are to be established must be carried out without omission. Furthermore, prior to constructing the VPN, it is of course also necessary to select the network devices that will participate in the VPN and to look up the communication addresses of those network devices. Conventionally, this work has been performed manually by the network administrator, which placed a heavy burden on the administrator. Various techniques for reducing this burden have therefore been proposed; examples include the techniques disclosed in Patent Document 1 and Patent Document 2.
The technique disclosed in Patent Document 1 makes it possible to construct a site-to-site VPN automatically by registering VPN connection device information in a VPN connection management device and authenticating the VPN connection device itself. More specifically, by registering the network address of the VPN connection device and the identifier of that device in the VPN connection management device, even when the IP (Internet Protocol) address of the VPN connection device changes, the VPN connection management device notifies the VPN connection device of the information needed to disconnect the established VPN connection and to reconnect with the new IP address, and the VPN connection is re-established automatically. In the technique disclosed in Patent Document 2, a control VPN using IPsec is constructed between a router installed at a site and a control server; the settings for VPN connections with routers installed at other sites are obtained from the control server over that control VPN, and each router establishes VPNs according to those settings.
Patent Document 1: Japanese Unexamined Patent Publication No. 2006-166028
Patent Document 2: Japanese Unexamined Patent Publication No. 2005-012485
With the technique disclosed in Patent Document 1, the network devices (VPN connection devices) to participate in the VPN must be selected and their information registered in the VPN connection management device in advance, so the labor required for the selection work is not reduced. With the technique disclosed in Patent Document 2, a control VPN must be constructed between the router at each site and the control server. Various information (passwords and the like) for establishing the control VPN with the control server must therefore be set in advance in the router at each site, and information for establishing the control VPN must also be set in advance in the control server. In other words, the technique of Patent Document 2 creates new work, and it is questionable whether the network administrator's workload is reduced overall.
The present invention has been made in view of the above problems, and its object is to provide a technique that makes it possible to realize highly confidential data communication using a VPN while reducing the workload of the network administrator.
To solve the above problems, the present invention provides a DNS (Domain Name System) server device that has a management table in which one or more domain names assigned to a network device are stored in association with the communication address assigned to that network device, and that provides a domain name service by referring to the management table, the DNS server device comprising: grouping means that groups the network devices whose domain names and communication addresses are stored in the management table by the upper domain included in each network device's domain name, thereby generating a plurality of groups; and establishment destination notification means that executes an establishment destination notification process in which, for each group among the plurality of groups generated by the grouping means to which a plurality of network devices belong, each network device in the group is notified of the communication addresses of the other network devices belonging to that group as the communication addresses of the destinations with which virtual communication paths are to be established.
Various timings are conceivable for executing the establishment destination notification process. For example, the process may be executed every time a pair of a communication address and a domain name is registered in the management table. In that case, each network device that is to participate in the VPN merely registers its own domain name and communication address with the DNS server device, and virtual communication paths are established between the network devices and the VPN is constructed without the network administrator performing any other special work. In addition to (or instead of) executing the establishment destination notification process on every registration, the establishment destination notification means may, in response to a request from a network device, notify each network device belonging to the group to which the requesting device belongs of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of virtual communication paths. As another aspect of the present invention, a program that causes a computer to function as the DNS server device and as each of the above means may also be provided.
When a full-mesh VPN is to be constructed, each network device belonging to a group of network devices that share the same upper domain (the domain name with the device-specific device unique identifier removed) is notified of the communication addresses of all the other network devices in the same group as establishment destinations of virtual communication paths. When a hub-and-spoke VPN is to be constructed, one of the network devices sharing the same upper domain is selected as the center network device; the center network device is notified of the communication addresses of all the other network devices as establishment destinations of virtual communication paths, while each of the other network devices is notified of the communication address of the center network device. Various methods of selecting the center network device are conceivable: for example, the network device with the lowest communication address, the one with the highest processing capability, or the one with the lightest processing load may be selected as the center network device.
To solve the above problems, the present invention also provides a network device comprising: device information notification means that notifies a DNS (Domain Name System) server device of the communication address and domain name assigned to the device itself; and virtual communication path establishment means that establishes a virtual communication path with another network device based on the communication address of that other network device notified by the DNS server device. If such network devices are installed at each site and connected to a general public network such as the Internet, and the DNS server device of the present invention is also connected to that public network, the network devices are grouped by upper domain, and each network device belonging to a group consisting of a plurality of network devices is notified of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of virtual communication paths.
The drawings show, in order:
  • a diagram showing a configuration example of the communication system 1 according to an embodiment of the present invention.
  • a block diagram showing a configuration example of the DNS server device 10 included in the communication system 1.
  • an example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10.
  • another example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10.
  • an example (mesh-type VPN) of a VPN network topology realized under the control of the DNS server device 10.
  • an example (hub-and-spoke VPN) of a VPN network topology realized under the control of the DNS server device 10.
  • a block diagram showing a configuration example of the network devices 20A and 20B included in the communication system 1.
  • a flowchart explaining the flow of communication in the communication system 1 and the operations of the DNS server device 10, the network device 20A and the network device 20B.
  • an example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10 after the above operation.
  • a diagram explaining modification (3).
  • a table explaining modification (3).
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(A: Configuration)
FIG. 1 is a diagram showing a configuration example of a communication system 1 according to an embodiment of the present invention.
The communication system 1 includes a DNS server device 10, a network device 20A, and a network device 20B, all of which are connected to a communication network 30, a general public network such as the Internet.
The DNS server device 10 is a computer operated and managed by a DNS operator to provide DNS (Domain Name System), that is, a service that converts a domain name sent from a client device into the IP address of the network device to which that domain name is assigned and returns it. A domain name is a character string obtained by concatenating, with a predetermined delimiter (for example, a period), character strings representing the name, type, nationality and so on of the organization (company, school, public institution, etc.) that operates the network device and a character string representing the name given to the network device. In the following, the part of the domain name that represents the name of the network device is called the device unique identifier, and the remaining part is called the upper domain.
The network device 20A and the network device 20B are routers operated and managed by an organization (in this embodiment, a company) that is a DNS user, and are installed at the company's sites such as its head office and branches. Each of them connects the LAN (Local Area Network; not shown in FIG. 1) laid at its own site to the communication network 30, thereby forming the company's in-house information system. In this embodiment, a virtual communication path is established between the network device 20A and the network device 20B to construct a VPN, which ensures the confidentiality of data communication in the in-house information system. Since the network devices 20A and 20B have the same configuration, they are referred to simply as “network device 20” when there is no need to distinguish between them.
A global IP address (hereinafter simply “IP address”) that uniquely identifies the network device 20 in the communication network 30 is dynamically assigned by PPPoE to the communication interface unit on the communication network 30 side of the network device 20. The network device 20 is also given a domain name by the company's network administrator. As described above, this domain name includes a device unique identifier unique to each network device 20 and an upper domain representing, for example, the name of the organization that owns the device. The domain name and the IP address are registered in the DNS server device 10 and become subject to DNS. The feature of this embodiment is that, by having the DNS server device 10 and the network devices 20 execute processing specific to the present invention, a virtual communication path can easily be established between the network devices 20A and 20B, and a VPN can easily be constructed. The following description therefore focuses on the DNS server device 10 and the network device 20, which most clearly show the features of this embodiment.
 図2は、DNSサーバ装置10の構成例を示すブロック図である。
 図2に示すようにDNSサーバ装置10は、制御部110、通信インタフェース(以下、「I/F」と略記)部120、ユーザI/F部130、記憶部140、およびこれら構成要素間のデータ授受を仲介するバス150を含んでいる。制御部110は、例えばCPU(Central Processing Unit)である。制御部110は、記憶部140(より正確には、不揮発性記憶部144)に記憶されているサーバプログラム144aを実行することにより、DNSサーバ装置10の制御中枢として機能する。制御部110がサーバプログラム144aにしたがって実行する処理の詳細については後に明らかにする。
FIG. 2 is a block diagram illustrating a configuration example of the DNS server device 10.
As shown in FIG. 2, the DNS server device 10 includes a control unit 110, a communication interface (hereinafter abbreviated as “I / F”) unit 120, a user I / F unit 130, a storage unit 140, and data between these components. A bus 150 that mediates transfer is included. The control unit 110 is, for example, a CPU (Central Processing Unit). The control unit 110 functions as a control center of the DNS server device 10 by executing the server program 144a stored in the storage unit 140 (more precisely, the nonvolatile storage unit 144). Details of processing executed by the control unit 110 in accordance with the server program 144a will be clarified later.
 通信I/F部120は、例えばNIC(Network Interface Card)であり、通信網30に接続されている。通信I/F部120は、通信網30から送信されてくるデータブロックを受信し、制御部110に引き渡す一方、制御部110から引き渡されるデータブロックを通信網30へと送出する。なお、上記データブロックの一例としては、IPにしたがって送受信されるパケットが挙げられる。ユーザI/F部130は、液晶ディスプレイなどの表示装置と、キーボードやマウスなどの入力装置とを含んでいる。ユーザI/F部130の表示装置には、DNSの適用対象となるネットワーク機器のドメインネームやIPアドレスを入力するための入力画面が表示される。ユーザI/F部130の入力装置は、各種指示や、上記ドメインネームやIPアドレスを運用管理者に入力させるためのものである。本実施形態では、表示装置および入力装置の両方がユーザI/F部130に含まれていたが、これら入力装置および表示装置の何れか一方(或いは両方)をDNSサーバ装置10に接続される別個の装置としても勿論良い。 The communication I / F unit 120 is, for example, a NIC (Network Interface Card) and is connected to the communication network 30. The communication I / F unit 120 receives the data block transmitted from the communication network 30 and delivers it to the control unit 110, while sending the data block delivered from the control unit 110 to the communication network 30. An example of the data block is a packet transmitted / received according to IP. The user I / F unit 130 includes a display device such as a liquid crystal display and an input device such as a keyboard and a mouse. On the display device of the user I / F unit 130, an input screen for inputting a domain name or an IP address of a network device to which DNS is applied is displayed. The input device of the user I / F unit 130 is for allowing the operation manager to input various instructions and the domain name and IP address. In the present embodiment, both the display device and the input device are included in the user I / F unit 130, but either one (or both) of the input device and the display device is separately connected to the DNS server device 10. Of course, it is also good as an apparatus.
 記憶部140は、図2に示すように、揮発性記憶部142と不揮発性記憶部144とを含んでいる。揮発性記憶部142は例えばRAM(Random Access Memory)である。揮発性記憶部142は、各種プログラムを実行する際のワークエリアとして制御部110によって利用される。不揮発性記憶部144は、例えばハードディスクである。不揮発性記憶部144には、サーバプログラム144aと管理テーブル144bが格納されている。 The storage unit 140 includes a volatile storage unit 142 and a nonvolatile storage unit 144 as shown in FIG. The volatile storage unit 142 is, for example, a RAM (Random Access Memory). The volatile storage unit 142 is used by the control unit 110 as a work area when executing various programs. The non-volatile storage unit 144 is, for example, a hard disk. The non-volatile storage unit 144 stores a server program 144a and a management table 144b.
 図3Aは、管理テーブル144bの一例を示す。図3Aに示すように、管理テーブル144bには、ネットワーク機器のドメインネームに含まれる機器固有識別子および上位ドメインと、当該ネットワーク機器のIPアドレスと、DNSの適用対象であるか否かの認証の際に利用されるパスワードとが上位ドメイン毎にグループ分けされて格納される。本実施形態では、管理テーブル144bの格納内容に基づいて前述したDNSの提供が行われる。例えば、クライアント装置から、ドメインネームが“router1. company.example.jp”であるネットワーク機器のIPアドレスを問い合わせるパケットを受信した場合には、DNSサーバ装置10は、上位ドメイン“company.example.jp”と機器固有識別子“router1”とに対応付けて管理テーブル144bに格納されているIPアドレス(図3Aに示す例では、“A.A.A.A”)をペイロード部に書き込んだパケットを返信するといった具合である。 FIG. 3A shows an example of the management table 144b. As shown in FIG. 3A, the management table 144b includes a device unique identifier and an upper domain included in the domain name of the network device, an IP address of the network device, and authentication of whether or not the DNS device is an application target. The passwords used in are stored in groups for each higher domain. In the present embodiment, the above-described DNS is provided based on the contents stored in the management table 144b. For example, when a packet for inquiring an IP address of a network device whose domain name is “router1.company.example.jp” is received from the client device, the DNS server device 10 receives the upper domain “company.example.jp”. And a packet in which the IP address ("AAAA" in the example shown in FIG. 3A) stored in the management table 144b in association with the device unique identifier "router1" is written in the payload portion is returned. And so on.
Registration of the information about one network device (upper domain, device unique identifier, IP address and password) in the management table 144b proceeds in stages, as follows. When the DNS operator receives an application from a DNS user to register an upper domain, the operator examines the prescribed registration requirements, for example that the same upper domain is not already registered and that the requested upper domain does not offend public order and morals, and, if the requirements are met, generates a password to be issued to that user. The DNS operator then writes the password and the upper domain, associated with each other, into the management table 144b, and returns the password to the applicant in the document notifying completion of registration. Thereafter, each time the DNS server device 10 receives, from a network device of that applicant (that is, the DNS user), a registration request packet whose payload carries the network device's domain name together with an encrypted character string generated from that domain name and the password by a predetermined one-way hash function (hereinafter, the authentication string), it executes the device information registration process. In this process the control unit 110 first reads the domain name and the authentication string from the payload of the received registration request packet and authenticates the sender using them; the details of this authentication are given below in the description of the server program 144a. If the authentication result is that the sender is a target of the DNS, the control unit 110 writes the device unique identifier contained in the domain name and the source address of the packet into the management table 144b, associated with the upper domain contained in the domain name. The information needed to provide the DNS (device unique identifier, upper domain and IP address) is then complete for that network device, and the DNS can be provided for it.
FIG. 3B shows another concrete example of the management table 144b. The management table 144b of FIG. 3B differs from that of FIG. 3A in that, as in an ordinary DNS server device, the IP address and password information of each network device targeted by the DNS are stored in association with that network device's domain name. Either the configuration of FIG. 3A or that of FIG. 3B may be used for the management table 144b; this embodiment adopts the configuration of FIG. 3A. Although not shown in detail in FIG. 3A, the management table 144b also stores address range information in association with the information about each network device (upper domain, device unique identifier, IP address and password). Address range information is information indicating the range of IP addresses that the DNS server device has uniquely assigned as the range to be used in the LAN under that network device.
The server program 144a is software that causes the control unit 110 to implement the DNS. When the power supply (not shown) of the DNS server device 10 is turned on, the control unit 110 reads the server program 144a from the non-volatile storage unit 144 into the volatile storage unit 142 and starts executing it. Operating according to the server program 144a, the control unit 110 executes four kinds of processing: domain registration processing, device information registration processing, address resolution processing, and establishment destination notification processing.
The domain registration process lets an operation administrator or the like register an upper domain for which a DNS user has applied, together with the password described above. The control unit 110, operating according to the server program 144a, starts this process when instructed to do so via the user I/F unit 130. In the domain registration process the control unit 110 displays on the display device an input screen prompting for the upper domain and the password information, and writes the upper domain and password information entered via the user I/F unit 130 into the management table 144b, associated with each other. When the management table 144b has the configuration of FIG. 3B, the DNS user applies to register not an upper domain but a domain name that includes the device unique identifier, and the control unit 110 performs, as the domain registration process, the writing of that domain name and the password information into the management table 144b in association with each other.
As described above, the device information registration process is executed when a registration request packet is received via the communication I/F unit 120. On receiving a registration request packet via the communication I/F unit 120, the control unit 110 reads the domain name and the authentication string written in the packet's payload and authenticates whether the network device that sent the packet is a target of the DNS.
Specifically, the control unit 110 searches the management table 144b using as the key the upper domain contained in the domain name read from the payload of the received registration request packet, and obtains the password corresponding to that upper domain. Next, the control unit 110 generates an authentication string from the domain name and the password using the one-way hash function described above (that is, the same one-way hash function as used in the network device). The control unit 110 compares the authentication string generated in this way with the authentication string read from the payload of the received registration request packet, and if the two match, authenticates the sender of the registration request packet as a target of the DNS. When the authentication result is that the sender is a target of the DNS, the control unit 110 writes the source address written in the header of the received registration request packet and the device unique identifier contained in the domain name into the management table 144b, associated with the corresponding pair of upper domain and password. Because this embodiment uses the management table 144b of FIG. 3A, executing the device information registration process stores the domain names and communication addresses of the network devices in the management table 144b grouped by upper domain; that is, the server program 144a of this embodiment causes the control unit 110 to function as grouping means that performs this grouping. When the management table 144b of FIG. 3B is used, only the IP address need be registered according to the authentication result, and the grouping may be performed as pre-processing when the establishment destination notification process described below is executed.
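The registration exchange just described (device information transmission on the network device, then the authentication and table update of the device information registration process on the DNS server device 10, which are also steps SA100 to SB110 of the operation example in section B), as an added Python model that is not the patent's own code. The text does not fix the one-way hash function or how the domain name and password are combined, so SHA-256 over the string "domain name:password" is assumed here; the packets are plain dictionaries and the addresses are constructed. One property follows directly from the description and is worth keeping in mind: the authentication string depends only on the domain name and the shared password, so it is identical on every registration, and the server records whatever source address the packet header carries.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example, not the patent's code. Assumed: SHA-256 over "<name>:<password>".


def split_domain_name(domain_name: str):
    """'router1.company.example.jp' -> ('router1', 'company.example.jp')."""
    device_id, _, upper = domain_name.partition(".")
    if not device_id or not upper:
        raise ValueError(f"malformed domain name: {domain_name!r}")
    return device_id, upper


def authentication_string(domain_name: str, password: str) -> str:
    """The 'authentication string': a one-way hash over domain name and password.

    Assumption: SHA-256 of "<domain name>:<password>". It is deterministic, so
    the same domain name and password always produce the same string.
    """
    return hashlib.sha256(f"{domain_name}:{password}".encode()).hexdigest()


def make_registration_request(domain_name, password, src_ip, dns_ip):
    """Device information transmission process on network device 20 (step SA100)."""
    return {
        "header": {"src": src_ip, "dst": dns_ip},
        "payload": {
            "domain_name": domain_name,
            "auth": authentication_string(domain_name, password),
        },
    }


@dataclass
class ManagementTable:
    """Management table 144b in the FIG. 3A layout: entries grouped by upper domain."""
    passwords: dict = field(default_factory=dict)  # upper domain -> password
    groups: dict = field(default_factory=dict)     # upper domain -> {device id: ip}

    def register_domain(self, upper, password):
        """Domain registration process: the operator enters upper domain and password."""
        self.passwords[upper] = password
        self.groups.setdefault(upper, {})

    def authenticate(self, packet) -> bool:
        """Step SB100: recompute the authentication string from the stored password."""
        name = packet["payload"]["domain_name"]
        _, upper = split_domain_name(name)
        password = self.passwords.get(upper)
        if password is None:
            return False  # upper domain was never registered
        expected = authentication_string(name, password)
        return hmac.compare_digest(expected, packet["payload"]["auth"])

    def register_device(self, packet) -> bool:
        """Device information registration process (step SB110)."""
        if not self.authenticate(packet):
            return False
        device_id, upper = split_domain_name(packet["payload"]["domain_name"])
        # The IP address recorded is the source address in the packet header.
        self.groups[upper][device_id] = packet["header"]["src"]
        return True

    def resolve(self, domain_name):
        """Address resolution process: domain name -> IP address, or None."""
        device_id, upper = split_domain_name(domain_name)
        return self.groups.get(upper, {}).get(device_id)


if __name__ == "__main__":
    table = ManagementTable()
    table.register_domain("company.example.jp", "password")
    req = make_registration_request("router2.company.example.jp", "password",
                                    "198.51.100.2", "192.0.2.53")
    print(table.register_device(req), table.resolve("router2.company.example.jp"))
```

`hmac.compare_digest` is used for the comparison so that the match check takes the same time whether or not the strings agree; the text only says the two strings are compared.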
The address resolution process provides the DNS (that is, the service of converting a domain name sent from a client device into the IP address of the network device to which that domain name is assigned, and returning it) on the basis of the contents of the management table 144b. Since this process does not differ materially from that of an existing DNS server device, a detailed description is omitted.
The establishment destination notification process is executed each time a pair of domain name and IP address is registered in the management table 144b (in this embodiment, each time the device information registration process is executed). In this process the control unit 110 takes as processing targets those groups to which a plurality of network devices belong and in which either the number of member network devices has increased or decreased or the device information of a member network device has changed, and notifies each network device belonging to such a group of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of virtual communication paths. That is, the server program 144a of this embodiment causes the control unit 110 to function as establishment destination notifying means that executes this process, which is the distinctive feature of the embodiment. When the management table 144b of FIG. 3B is used, the establishment destination notification process is executed after the device information registration process and after grouping by upper domain.
For example, when the device information registration process has been executed and the management table 144b holds the contents shown in FIG. 3A, the control unit 110 notifies establishment destinations of virtual communication paths only to the network devices whose upper domain is "university.example.jp", because there is only one network device whose upper domain is "company.example.jp" and only one whose upper domain is "club.example.jp".
Various ways of notifying the establishment destinations to the network devices whose upper domain is "university.example.jp" are conceivable. To build the mesh VPN of FIG. 4A, each network device is notified of the IP addresses and address range information of all the other network devices in the same group. To build the hub-and-spoke VPN of FIG. 4B, the network device at the center of the VPN (in FIG. 4B, the network device whose device unique identifier is place1) is notified of the IP addresses and address range information of all the other network devices in the same group, and each of those other network devices is notified of the IP address and address range information of the central network device.
Various ways of selecting the network device at the center of a hub-and-spoke VPN are also conceivable: for example, selecting the device with the lowest IP address, or the device whose device unique identifier comes first in dictionary order. Alternatively, the network device 20 may write, in addition to the domain name and password information, information indicating its own processing capability or its current processing load into the payload of the registration request packet; the device information registration process then writes this information into the management table 144b, and the device with the highest processing capability (or the lightest processing load) is selected as the center of the hub-and-spoke VPN.

The above is the configuration of the DNS server device 10.
Next, the configuration of the network device 20 is described with reference to FIG. 5.

As shown in FIG. 5, the network device 20 includes a control unit 210, a first communication I/F unit 220, a second communication I/F unit 230, a storage unit 240, and a bus 250 that mediates data exchange between these components. The control unit 210 is a CPU, like the control unit 110, and functions as the control center of the network device 20. The first communication I/F unit 220 and the second communication I/F unit 230 are NICs, like the communication I/F unit 120. The first communication I/F unit 220 is connected to the communication network 30, and the second communication I/F unit 230 is connected to the LAN of the site where the network device 20 is installed. Like the storage unit 140, the storage unit 240 includes a volatile storage unit 242 and a non-volatile storage unit 244.
The non-volatile storage unit 244 stores a client program 244a. The client program 244a causes the control unit 210 to perform the processing that implements the original functions of the network device 20 (in this embodiment, a setting support process that lets a network administrator or the like set the parameters used for data communication via the communication network 30, and a transfer control process based on the destination address of each packet). Specific examples of the parameters used for data communication via the communication network 30 are the IP address of the DNS server device 10, the domain name (device unique identifier and upper domain) assigned to the network device 20, and the password. The parameters set in the setting support process are stored in the non-volatile storage unit 244. When the power supply (not shown) of the network device 20 is turned on, the control unit 210 reads the client program 244a from the non-volatile storage unit 244 into the volatile storage unit 242 and starts executing it. Operating according to the client program 244a, the control unit 210 executes a device information transmission process and a virtual communication path establishment process in addition to the setting support process and the transfer control process.
The setting support process is executed when a parameter setting instruction is given from another computer device (for example, a personal computer) connected to the LAN to which the network device 20 is connected; the transfer control process is executed when a packet is received via the first communication I/F unit 220 or the second communication I/F unit 230. Since the setting support process and the transfer control process do not differ materially from those of an ordinary router, a detailed description is omitted.
The device information transmission process is executed when an instruction to send the registration request packet described above is given. This instruction may be given over the LAN from another computer device (for example, a personal computer) connected to the LAN to which the network device 20 is connected. In the device information transmission process the control unit 210 generates the registration request packet described above and sends it to the communication network 30 through the first communication I/F unit 220. The header of this registration request packet carries the IP address of the DNS server device 10 as the destination address and the IP address assigned to the first communication I/F unit 220 by PPPoE or the like as the source address; the payload carries character string data representing the domain name assigned to the network device 20 together with the authentication string generated from that domain name and the password.
The virtual communication path establishment process presents the IP addresses notified by the DNS server device 10 to the network administrator as the establishment destinations of virtual communication paths, lets the network administrator set the parameters used when establishing a virtual communication path with each of those destinations, and establishes the virtual communication path according to those parameters. This process is executed each time the DNS server device 10 notifies the IP address of an establishment destination, and when a plurality of IP addresses are notified it is executed once for each IP address.

The above is the configuration of the network device 20.
(B: Operation)

Next, the operation of this embodiment is described. In the operation example below, the upper domain (company.example.jp) of the company that owns the network devices 20A and 20B has already been registered, the device information of the network device 20A has also been registered, and the non-volatile storage unit 144 of the DNS server device 10 holds the management table shown in FIG. 3A. The case of registering the device information of the network device 20B under these conditions is described. In the network device 20B, the setting support process described above has already set the IP address of the DNS server device 10, the domain name assigned to the network device 20B (router2.company.example.jp) and the password issued by the DNS operator ("password"), and "B.B.B.B" has already been set by PPPoE as the IP address of the first communication I/F unit 220.
As shown in FIG. 6, the control unit 210 of the network device 20B executes the device information transmission process when a network administrator or the like gives an instruction to send the registration request packet (step SA100). In this process the control unit 210 of the network device 20B reads the domain name, the password, its own IP address and the IP address of the DNS server device 10 from the non-volatile storage unit 244, generates the registration request packet described above, and sends it to the communication network 30 through the first communication I/F unit 220. As described above, the header of this registration request packet carries the IP address of the DNS server device 10 as the destination address and the IP address "B.B.B.B" as the source address, and the payload carries a character string representing the domain name of the network device 20B (router2.company.example.jp) together with the authentication string generated by the one-way hash function from that domain name and the password ("password"). The registration request packet sent by the network device 20B is routed by the other network devices in the communication network 30 and reaches the DNS server device 10.
On receiving the registration request packet via the communication I/F unit 120, the control unit 110 of the DNS server device 10 authenticates the sender using the domain name and the authentication string contained in the packet's payload (step SB100). As described above, in this authentication the control unit 110 generates an authentication string by the one-way hash function from the domain name contained in the payload of the received registration request packet and the password stored in the management table 144b in association with the upper domain contained in that domain name, and compares it with the authentication string contained in the same payload.
In this operation example, the domain name contained in the payload of the registration request packet that the control unit 110 receives from the network device 20B is "router2.company.example.jp", and the upper domain contained in it is "company.example.jp". The authentication string contained in the same payload was generated by the one-way hash function from that domain name and the password "password". As shown in FIG. 3A, the password stored in the management table 144b in association with the upper domain "company.example.jp" is "password", and in this embodiment the DNS server device 10 and the network device 20B use the same one-way hash function. Therefore the authentication string contained in the payload of the registration request packet received from the network device 20B matches the authentication string generated in the authentication process. The result of step SB100 is accordingly "Yes" (authentication OK), and the control unit 110 executes the device information registration process (step SB110). As a result, the contents of the management table 144b are updated to those shown in FIG. 7.
The control unit 110 then executes the establishment destination notification process described above (step SB120). Once the contents of the management table 144b have been updated to those of FIG. 7, both the group of network devices whose upper domain is "university.example.jp" and the group whose upper domain is "company.example.jp" are groups consisting of a plurality of network devices. However, as a comparison of FIG. 3A and FIG. 7 shows, the number of network devices in the former group has neither increased nor decreased and none of its device information has changed. Only the latter group therefore becomes a processing target and has establishment destinations of virtual communication paths notified. In more detail, as shown in FIG. 6, the network device 20A is notified of the IP address and address range information of the network device 20B, and the network device 20B is notified of the IP address and address range information of the network device 20A. Each of the network devices 20A and 20B then executes the virtual communication path establishment process (steps SA110A and SA110B) on the basis of the information notified by the DNS server device 10, and a virtual communication path is established between the network devices 20A and 20B.
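The establishment destination notification process (grouping by upper domain, selecting only the groups with two or more members whose membership or device information has changed, and notifying peers in the mesh layout of FIG. 4A or the hub-and-spoke layout of FIG. 4B with the hub chosen by one of the rules named in the description of the DNS server device 10), carried through on the change from FIG. 3A to FIG. 7 of this operation example, as an added Python model that is not the patent's own code. Assumptions not fixed by the text: the table is a dictionary of upper domain to {device identifier: (IP address, address range)}, address range information is a CIDR string, the addresses and the "club" and "university" members are constructed, and the only hub selection rules implemented are the two the text names (lowest IP address, or first device identifier in dictionary order).

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example, not the patent's code.
# Table layout (assumed): upper domain -> {device id: (ip address, address range)}
Table = Dict[str, Dict[str, Tuple[str, str]]]


def changed_groups(before: Table, after: Table) -> List[str]:
    """Processing-target groups: two or more members, and membership or device info changed."""
    targets = []
    for upper, members in after.items():
        if len(members) < 2:
            continue
        if before.get(upper, {}) != members:
            targets.append(upper)
    return sorted(targets)


def mesh_peers(members):
    """FIG. 4A: every device learns every other device in the group."""
    return {
        dev: sorted((peer, ip, rng) for peer, (ip, rng) in members.items() if peer != dev)
        for dev in members
    }


def choose_hub(members, rule="device_id"):
    """Hub selection rules named in the text: lowest IP address, or first device id."""
    if rule == "ip":
        return min(members, key=lambda d: ipaddress.ip_address(members[d][0]))
    return min(members)  # dictionary order of the device unique identifier


def hub_and_spoke_peers(members, hub=None):
    """FIG. 4B: the hub learns all spokes; each spoke learns only the hub."""
    hub = hub or choose_hub(members)
    hub_ip, hub_rng = members[hub]
    peers = {hub: sorted((p, ip, rng) for p, (ip, rng) in members.items() if p != hub)}
    for dev in members:
        if dev != hub:
            peers[dev] = [(hub, hub_ip, hub_rng)]
    return peers


def establishment_destinations(before, after, topology="mesh"):
    """Step SB120: notifications keyed by upper domain, then by device."""
    build = mesh_peers if topology == "mesh" else hub_and_spoke_peers
    return {upper: build(after[upper]) for upper in changed_groups(before, after)}


# Constructed tables following FIG. 3A (before) and FIG. 7 (after router2 registers).
BEFORE: Table = {
    "company.example.jp": {"router1": ("198.51.100.1", "10.1.0.0/16")},
    "university.example.jp": {"place1": ("198.51.100.11", "10.11.0.0/16"),
                              "place2": ("198.51.100.12", "10.12.0.0/16")},
    "club.example.jp": {"home": ("198.51.100.21", "10.21.0.0/16")},
}
AFTER: Table = {k: dict(v) for k, v in BEFORE.items()}
AFTER["company.example.jp"]["router2"] = ("198.51.100.2", "10.2.0.0/16")

if __name__ == "__main__":
    for upper, peers in establishment_destinations(BEFORE, AFTER).items():
        for dev, dests in peers.items():
            print(upper, dev, "->", dests)
```

Run stand-alone, the script reports only the "company.example.jp" group, with router1 told about router2 and router2 told about router1, which is the outcome of FIG. 6; the "university.example.jp" group is unchanged between the two tables and is skipped, exactly as the text explains.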
As a result of the operation described above, a virtual communication path is established between the network device 20A and the network device 20B, and a VPN is built. The point to note is that, even when a new network device is introduced as in this operation example, the network administrator does not have to select the network devices that become establishment destinations of virtual communication paths or investigate the address ranges assigned to the communication devices under each network device. The network administrator can therefore leave the construction of the environment, even when a network device 20 is newly installed, to users with little network knowledge (for example, general users working at each site). Since the settings of the existing sites are also changed automatically, the network administrator does not have to travel to other sites to change their settings when a new network device is installed.
 Even when the IP address of a network device 20 changes, for example because a PPPoE session times out, the change of IP address triggers the network device 20 to send a registration request packet, and the resulting update of the management table 144b triggers the establishment destination notification process again, so the VPN is rebuilt automatically without any special work by the network administrator.
(C: Modifications)
 One embodiment of the present invention has been described above, but the following modifications may of course be applied to it.
(1) In the above embodiment the communication system 1 includes two network devices (network devices 20A and 20B), but it may of course include three or more. Also, the above embodiment grouped network devices by the upper domain obtained by removing the device-unique identifier from the domain name assigned to each network device, but they may instead be grouped using only the domain that represents the name of the organization that owns them. In short, any scheme that groups network devices by a domain name contained in the domain name assigned to each network device will do.
(2) In the above embodiment, the processing target groups were those groups with a plurality of member network devices whose membership count had changed, or which contained a network device whose device information had changed. However, every group with a plurality of member network devices may always be treated as a processing target group, regardless of whether its membership count or any device information has changed. Also, in the above embodiment the control unit 110 executed the establishment destination notification process in response to execution of the device information registration process (that is, an update of the stored contents of the management table 144b), but it may instead execute it in response to receiving from a network device 20 a packet requesting execution of the establishment destination notification process, treating the group to which that network device 20 belongs as the processing target group. In that case the control unit 210 of the network device 20 may send that packet when instructed to do so by the network administrator or the like, or each time a fixed period elapses (that is, periodically).
(3) The above embodiment described the case in which one domain name is assigned to one network device 20. However, a plurality of domain names may be assigned to one network device 20, with one IP address stored in the management table 144b in association with those domain names (or with the combinations of upper domain and device-unique identifier that make up each domain name). Assigning a plurality of domain names to one network device 20 causes no particular difficulty in providing DNS (that is, conversion from domain name to communication address). In addition, by newly assigning a domain name whose upper domain differs from the upper domain of the domain name already assigned, a virtual communication path can be established between VPNs with different upper domains, merging them into a new VPN.
 For example, suppose the management table 144b holds the contents shown in FIG. 7 and the hub-and-spoke VPN shown in FIG. 8A has been built. On receiving from the network device 20A a registration request packet containing the domain name "place5.university.example.jp" and the password information corresponding to the upper domain "university.example.jp", the DNS server device updates the stored contents of the management table 144b as shown in FIG. 8B and, on the basis of the updated contents, rebuilds the VPN so that the virtual communication path shown by the dotted line in FIG. 8A is additionally established. Moreover, by permitting such a domain name registration only for a fixed period (for example, by having the control unit 110 delete it once a fixed time has elapsed since registration), data communication with confidentiality ensured between the organization whose upper domain is "university.example.jp" and the organization whose upper domain is "company.example.jp" can be allowed for that period only.
(4) The above embodiment described the case in which the network devices whose domain names and IP addresses are stored in the management table 144b are grouped by common upper domain and a VPN is built for each group. However, when building a hub-and-spoke VPN, each upper domain may be further divided into subdomains; a VPN is first built for each common subdomain, and virtual communication paths are then established between those VPNs to merge them into a single VPN.
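The server-side behaviour described in the operation example above and in modifications (2) and (3), together with the priority-based hub-and-spoke selection of claim 3, as an added illustration that is not the patent's own code: a management table keyed by domain name, grouping by upper domain, detection of the processing target groups (two or more members whose membership or device information changed), and computation of each member's establishment destinations. The per-upper-domain passwords, the IP addresses and address ranges, and the `priority` field are constructed, hypothetical sample values.

```python
from dataclasses import dataclass

# Constructed, hypothetical per-upper-domain registration passwords. The page only says that a
# registration request carries "password information corresponding to the upper domain".
UPPER_DOMAIN_PASSWORDS = {
    "company.example.jp": "pw-company",
    "university.example.jp": "pw-university",
}


@dataclass(frozen=True)
class DeviceInfo:
    ip: str             # communication address assigned to the network device
    address_range: str  # address range of the communication devices behind it
    priority: int = 0   # higher = more processing capacity or lower load (claim 3)


def upper_domain(fqdn: str) -> str:
    """Drop the device-unique identifier (leftmost label):
    place1.company.example.jp -> company.example.jp."""
    return fqdn.split(".", 1)[1]


def group_by_upper_domain(table: dict) -> dict:
    """Management table {domain name: DeviceInfo} -> {upper domain: {domain name: DeviceInfo}}.
    A device registered under several domain names (modification (3)) appears in each group."""
    groups: dict = {}
    for fqdn, info in table.items():
        groups.setdefault(upper_domain(fqdn), {})[fqdn] = info
    return groups


def register(table: dict, fqdn: str, password: str, info: DeviceInfo) -> bool:
    """Device information registration. The request is accepted only when its password matches
    the upper domain's; returns True if the table changed (new entry or changed IP/range/priority)."""
    if UPPER_DOMAIN_PASSWORDS.get(upper_domain(fqdn)) != password:
        return False
    if table.get(fqdn) == info:
        return False
    table[fqdn] = info
    return True


def target_groups(before: dict, after: dict) -> dict:
    """Processing target groups: two or more members, and membership or device info differs
    from the table contents before the registration."""
    old, new = group_by_upper_domain(before), group_by_upper_domain(after)
    return {d: m for d, m in new.items() if len(m) >= 2 and old.get(d) != m}


def establishment_destinations(members: dict, hub_and_spoke: bool = False) -> dict:
    """For each member, the (peer domain name, peer IP, peer address range) tuples to notify.
    Default is a full mesh; with hub_and_spoke the highest-priority member is the hub and
    every other member gets only the hub as its establishment destination."""
    dests = {fqdn: [] for fqdn in members}
    if hub_and_spoke:
        hub = max(members, key=lambda fqdn: members[fqdn].priority)
        for fqdn, info in members.items():
            if fqdn != hub:
                dests[hub].append((fqdn, info.ip, info.address_range))
                dests[fqdn].append((hub, members[hub].ip, members[hub].address_range))
        return dests
    for fqdn in members:
        for peer, info in members.items():
            if peer != fqdn:
                dests[fqdn].append((peer, info.ip, info.address_range))
    return dests


def on_registration(table: dict, fqdn: str, password: str, info: DeviceInfo,
                    hub_and_spoke: bool = False) -> dict:
    """Registration followed by establishment destination notification; only groups that
    actually changed are processed, so sites in unaffected groups are left alone."""
    before = dict(table)
    if not register(table, fqdn, password, info):
        return {}
    return {d: establishment_destinations(m, hub_and_spoke)
            for d, m in target_groups(before, table).items()}
```

A rejected password leaves the table, and therefore every group's tunnels, untouched, which is the check that keeps an outsider from joining a site group by merely registering a name under its upper domain.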
(5) In the above embodiment, the server program that causes the control unit 110 of the DNS server device 10 to execute the processing that characterizes the present invention was stored in advance in the non-volatile storage unit 144. However, the program may be distributed written on a computer-readable recording medium such as a CD-ROM, or by download over a telecommunication line such as the Internet. Operating a computer according to a program distributed in this way allows a general-purpose computer to function as the DNS server device 10 of the above embodiment. Likewise, the client program 244a may be distributed written on a computer-readable recording medium, or by download over a telecommunication line such as the Internet.
 This application is based on Japanese Patent Application No. 2013-055744 filed on March 18, 2013, the contents of which are incorporated herein by reference.
 According to the present invention, highly confidential data communication using a VPN can be realized while reducing the workload of the network administrator.
 DESCRIPTION OF REFERENCE NUMERALS: 10 ... DNS server device; 20A, 20B ... network device; 110, 210 ... control unit; 120 ... communication I/F unit; 130 ... user I/F unit; 220 ... first communication I/F unit; 230 ... second communication I/F unit; 140, 240 ... storage unit; 142, 242 ... volatile storage unit; 144, 244 ... non-volatile storage unit; 150, 250 ... bus; 30 ... communication network.

Claims (9)

  1.  A DNS (Domain Name System) server device having a management table that stores, in association with the communication address assigned to a network device, one or more domain names assigned to that network device, and providing a domain name service by referring to the management table, the DNS server device comprising:
     grouping means for grouping the network devices whose domain names and communication addresses are stored in the management table by the upper domain included in each network device's domain name, thereby generating a plurality of groups; and
     establishment destination notifying means for executing an establishment destination notification process that, for each group among the plurality of groups generated by the grouping means to which a plurality of network devices belong, notifies each network device in the group of the communication addresses of the other network devices belonging to the group as communication addresses of establishment destinations of virtual communication paths.
  2.  The DNS server device according to claim 1, wherein
     the establishment destination notifying means, in response to a request from a network device, notifies each network device in the group to which that network device belongs of the communication addresses of the other network devices as communication addresses of establishment destinations of virtual communication paths.
  3.  The DNS server device according to claim 1 or 2, wherein
     the management table stores, in association with the communication address and domain name assigned to each network device, priority data representing a priority that is higher the greater the processing capacity of the network device or the lower the processing load on the network device, and
     the establishment destination notifying means determines the establishment destination of each network device's virtual communication path such that, among the network devices belonging to a group for which construction of a VPN (Virtual Private Network) has been configured, the one with the highest priority indicated by the priority data becomes the center of a hub-and-spoke topology.
  4.  A network device comprising:
     device information transmitting means for transmitting the communication address and domain name assigned to the network device itself to a DNS (Domain Name System) server device to be stored there; and
     virtual communication path establishing means for establishing a virtual communication path with another network device on the basis of the communication address of that other network device notified from the DNS server device.
  5.  The network device according to claim 4, wherein
     the device information transmitting means includes the communication address and the domain name in a registration request and transmits the registration request to the DNS server device, and
     the virtual communication path establishing means receives the communication address of the other network device as a response to the registration request.
  6.  The network device according to claim 4 or 5, wherein
     the device information transmitting means includes the communication address, the domain name, and the processing capacity or processing load of the network device itself in a registration request and transmits the registration request to the DNS server device.
  7.  A communication system comprising the DNS server device according to any one of claims 1 to 3 and a plurality of the network devices according to any one of claims 4 to 6.
  8.  A communication method in a DNS (Domain Name System) server device having a management table that stores, in association with the communication address assigned to a network device, one or more domain names assigned to that network device, and providing a domain name service by referring to the management table, the method comprising:
     grouping the network devices whose domain names and communication addresses are stored in the management table by the upper domain included in each network device's domain name, thereby generating a plurality of groups; and
     for each group among the generated plurality of groups to which a plurality of network devices belong, notifying each network device belonging to the group of the communication addresses of the other network devices belonging to the group as communication addresses of establishment destinations of virtual communication paths.
  9.  A communication method in a network device, comprising:
     transmitting the communication address and domain name assigned to the network device to a DNS (Domain Name System) server device to be stored there; and
     establishing a virtual communication path with another network device on the basis of the communication address of that other network device notified from the DNS server device.
PCT/JP2014/057310 2013-03-18 2014-03-18 Dns server device, network machine, communication system, and communication method WO2014148483A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201480016873.XA CN105144642B (en) 2013-03-18 2014-03-18 Dns server device, net machine, communication system and communication means

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013055744A JP6127622B2 (en) 2013-03-18 2013-03-18 DNS server device, network device, and communication system
JP2013-055744 2013-03-18

Publications (1)

Publication Number Publication Date
WO2014148483A1 true WO2014148483A1 (en) 2014-09-25
