WO2014148483A1 - Dns server device, network machine, communication system, and communication method - Google Patents
- Publication number: WO2014148483A1 (PCT/JP2014/057310)
- Authority: WIPO (PCT)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/64—Hybrid switching systems
- H04L12/6418—Hybrid transport
Definitions
- The present invention relates to a technique for ensuring the confidentiality of data communication by using a VPN (Virtual Private Network).
- A VPN is a communication technology that establishes a virtual communication path for encrypted communication between network devices such as routers over a general public network such as the Internet, and thereby ensures the confidentiality of data communication.
- With a VPN, the confidentiality of data communication can be secured at lower cost than when the network devices are connected by a dedicated line.
- Patent Document 1 enables automatic construction of a VPN between bases by registering information about the VPN connection devices in a VPN connection management device and authenticating each VPN connection device itself. More specifically, the network address of the VPN connection device and the identifier of the device are registered in the VPN connection management device, so that the VPN is constructed even if the IP (Internet Protocol) address of a VPN connection device changes: the VPN connection management device notifies the VPN connection device of the information needed for the disconnection process and for the reconnection process with the new IP address, and the VPN connection is re-established automatically.
- In another known configuration, a control VPN is constructed by IPsec between a router installed at a base and a control server; the settings for the VPN connection with a router installed at another base are acquired from the control server via the control VPN, and each router establishes the VPN according to those VPN connection settings.
- The present invention has been made in view of the above problems, with the goal of providing a technique that realizes highly confidential data communication using a VPN while reducing the workload of the network administrator.
- The present invention provides a DNS (Domain Name System) server device having a management table in which one or more domain names assigned to network devices are stored in association with the communication addresses assigned to those network devices, and which provides a domain name service by referring to that table.
- The DNS server device is characterized by grouping means that takes the network devices whose domain names and communication addresses are stored in the management table and generates a plurality of groups, one for each higher-order domain included in the domain names, and by establishment destination notifying means that, for each generated group to which a plurality of network devices belong, performs an establishment destination notification process notifying each network device in the group of the communication addresses of the other network devices in that group as the communication addresses of the establishment destinations of a virtual communication path.
- Various timings can be considered for executing the establishment destination notification process. For example, it may be executed every time a set of a communication address and a domain name is registered in the management table. In that case each network device that participates in the VPN simply registers its own domain name and communication address in the DNS server device; without any further special work by the network administrator, virtual communication paths are established between the network devices and a VPN is constructed. In addition to (or instead of) executing the process on every registration, the establishment destination notifying means may, in response to a request from a network device, notify each network device belonging to the group to which the requesting device belongs of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of the virtual communication path.
- Providing a program that causes a computer to function as the DNS server device with each of the above-described means is also conceivable.
- Each network device belonging to a group consisting of a plurality of network devices that share the same upper domain (the domain name excluding the device unique identifier) may be notified of the communication addresses of all the other network devices in the group as establishment destinations of the virtual communication path.
- Alternatively, one of the network devices having the same upper domain is selected as the center network device; the center network device is notified of the communication addresses of all the other network devices as establishment destinations of the virtual communication path, while each of those other network devices is notified of the communication address of the center network device.
- Various modes can be considered for selecting the center network device. For example, the network device with the smallest communication address may be selected, or the one with the highest processing capability or the lightest processing load.
- The present invention also provides a network device comprising device information notifying means for notifying a DNS (Domain Name System) server device of the communication address and domain name assigned to the device itself, and virtual communication path establishing means for establishing a virtual communication path with another network device based on the communication address of that other network device notified from the DNS server device. If such network devices are installed at each base and connected to a general public network such as the Internet, and the DNS server device of the present invention is connected to the same network, the network devices are grouped by higher domain, and each network device belonging to a group containing a plurality of network devices is notified of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of the virtual communication path.
- FIG. 1 is a block diagram illustrating a configuration example of a DNS server device 10 included in a communication system 1.
- An example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10.
- Another example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10.
- An example of a VPN network topology (mesh-type VPN) realized under the control of the DNS server device 10.
- An example of a VPN network topology (hub-and-spoke VPN) realized under the control of the DNS server device 10.
- A block diagram illustrating a configuration example of the network devices 20A and 20B included in the communication system 1.
- FIG. 4 is a flowchart explaining the communication flow in the communication system 1 and the operations of the DNS server device 10, the network device 20A, and the network device 20B.
- An example of the management table 144b stored in the nonvolatile storage unit 144 of the DNS server device 10 after the above operation.
- A figure for explaining modification (3).
- FIG. 1 is a diagram showing a configuration example of a communication system 1 according to an embodiment of the present invention.
- The communication system 1 includes a DNS server device 10, a network device 20A, and a network device 20B.
- The DNS server device 10, the network device 20A, and the network device 20B are connected to a communication network 30, which is a general public network such as the Internet.
- The DNS server device 10 is a computer device, operated and managed by a business operator, that provides DNS (Domain Name System), that is, a service that converts a domain name sent from a client device into the IP address of the network device to which that domain name is assigned and returns it.
- A domain name is a character string formed by concatenating, via a delimiter (for example, a period), a character string representing the name assigned to a network device and a character string indicating the name, type, nationality, etc. of the organization (company, school, public institution, etc.) that operates the network device.
- The part of the domain name representing the name of the network device is referred to as the device unique identifier, and the remaining part as the upper domain.
- The network device 20A and the network device 20B are routers operated and managed by an organization (a company in the present embodiment) that is a DNS user, and are installed at bases such as the company's head office and branches.
- Each of the network device 20A and the network device 20B connects a LAN (Local Area Network; not shown in FIG. 1) installed at its base to the communication network 30, thereby forming an in-house information system. The confidentiality of data communication in this in-house information system is ensured by the VPN constructed between them.
- The configurations of the network device 20A and the network device 20B are the same; when there is no need to distinguish between the two, they are referred to as "network device 20".
- A global IP address (hereinafter simply "IP address") that uniquely identifies the network device in the communication network 30 is dynamically allocated by PPPoE to the communication interface unit of the network device 20 on the communication network 30 side.
- The network device 20 is given a domain name by the company's network administrator. As described above, this domain name consists of a device unique identifier unique to each network device 20 and an upper domain representing the name of the organization that owns the network device. This domain name and IP address are registered in the DNS server device 10 and are the objects to which DNS is applied.
- The feature of this embodiment is that the DNS server device 10 and the network device 20 execute processing unique to the present invention, so that a virtual communication path can easily be established between the network device 20A and the network device 20B and a VPN can easily be constructed.
- The following description therefore focuses on the DNS server device 10 and the network device 20, which most clearly show the features of the present embodiment.
- FIG. 2 is a block diagram illustrating a configuration example of the DNS server device 10.
- The DNS server device 10 includes a control unit 110, a communication interface (hereinafter abbreviated "I/F") unit 120, a user I/F unit 130, a storage unit 140, and a bus 150 that mediates data transfer between these components.
- The control unit 110 is, for example, a CPU (Central Processing Unit).
- The control unit 110 functions as the control center of the DNS server device 10 by executing the server program 144a stored in the storage unit 140 (more precisely, in the nonvolatile storage unit 144). The processing the control unit 110 performs according to the server program 144a is described in detail later.
- The communication I/F unit 120 is, for example, a NIC (Network Interface Card) and is connected to the communication network 30.
- The communication I/F unit 120 receives data blocks transmitted over the communication network 30 and delivers them to the control unit 110, and sends data blocks delivered from the control unit 110 to the communication network 30.
- An example of such a data block is a packet transmitted and received according to IP.
- The user I/F unit 130 includes a display device such as a liquid crystal display and an input device such as a keyboard and mouse. The display device shows an input screen for entering the domain name or IP address of a network device to which DNS is applied, and the input device allows the operation administrator to enter various instructions as well as the domain name and IP address.
- In the present embodiment both the display device and the input device are included in the user I/F unit 130, but either one (or both) may of course be a separate apparatus connected to the DNS server device 10.
- The storage unit 140 includes a volatile storage unit 142 and a nonvolatile storage unit 144, as shown in FIG. 2.
- The volatile storage unit 142 is, for example, a RAM (Random Access Memory), and is used by the control unit 110 as a work area when executing various programs.
- The nonvolatile storage unit 144 is, for example, a hard disk, and stores the server program 144a and the management table 144b.
- FIG. 3A shows an example of the management table 144b.
- The management table 144b stores, grouped for each higher domain, the device unique identifier and upper domain included in the domain name of each network device, the IP address of the network device, and the password used to authenticate whether the device is an object of DNS application.
- DNS is provided based on the contents of the management table 144b. For example, when a packet inquiring the IP address of the network device whose domain name is "router1.company.example.jp" is received from a client device, the DNS server device 10 returns a packet whose payload carries the IP address ("AAAA" in the example of FIG. 3A) stored in the management table 144b in association with the upper domain "company.example.jp" and the device unique identifier "router1".
- Registration of the information about one network device (upper domain, device unique identifier, IP address, and password) in the management table 144b proceeds in the following stages.
- Upon receiving an application for registration of a higher domain from a DNS user, the DNS operator checks whether the same higher domain has already been registered and whether the applied-for higher domain violates public order and morals. If the registration requirements are met, the operator generates a password to be distributed to the user, writes the password and the upper domain in the management table 144b in association with each other, and returns the password to the applicant in a document notifying completion of registration.
- When the DNS server device 10 receives, from the network device of the registration applicant (that is, the DNS user), a registration request packet whose payload contains the domain name of the network device and an encrypted character string (hereinafter the authentication character string) generated from that domain name and the password by a predetermined one-way hash function, it executes the device information registration process.
- In the device information registration process, the control unit 110 first reads the domain name and the authentication character string from the payload of the received registration request packet and uses them to authenticate the sender of the domain name. The details of this authentication are given in the description of the server program 144a.
- If authentication succeeds, the control unit 110 writes the device unique identifier included in the domain name and the source address of the packet in the management table 144b in association with the upper domain included in the domain name. The management table then holds all the information needed to provide DNS for that network device (device unique identifier, upper domain, and IP address), and DNS can be provided for it.
- FIG. 3B shows another specific example of the management table 144b.
- In the table of FIG. 3B, the IP address and password of each network device are stored in association with the domain name of the network device to which DNS is applied, as in a general DNS server device; this differs from the management table 144b shown in FIG. 3A.
- Either the configuration of FIG. 3A or that of FIG. 3B may be used for the management table 144b. In the present embodiment the configuration of FIG. 3A is adopted.
- The management table 144b also stores address range information in association with the information about each network device (upper domain, device unique identifier, IP address, and password).
- Address range information indicates the range of IP addresses, assigned uniquely by the DNS server device, used in the LAN under the control of a network device.
- The server program 144a is software that causes the control unit 110 to implement DNS.
- When the DNS server device 10 is powered on (power supply not shown), the control unit 110 reads the server program 144a from the nonvolatile storage unit 144 into the volatile storage unit 142 and starts executing it.
- The control unit 110 operating according to the server program 144a executes four kinds of processing: domain registration processing, device information registration processing, address resolution processing, and establishment destination notification processing.
- The domain registration process registers the higher domain for which a DNS user has applied and the password described above; it is carried out by the operation administrator or the like.
- The control unit 110 operating according to the server program 144a starts the domain registration process when an instruction to do so is given via the user I/F unit 130. It causes the display device to show an input screen prompting for the upper domain and password, and writes the upper domain and password entered via the user I/F unit 130 in the management table 144b in association with each other.
- The device information registration process is executed when a registration request packet is received via the communication I/F unit 120.
- In this process the control unit 110 reads the domain name and the authentication character string from the payload of the packet and authenticates whether the network device that sent the packet is a DNS application target device.
- The control unit 110 searches the management table 144b using the upper domain included in the domain name read from the payload as the search key, and obtains the password corresponding to that upper domain.
- The control unit 110 then generates an authentication character string from the domain name and the password using the one-way hash function described above (the same one-way hash function used in the network device).
- The control unit 110 compares the authentication character string generated in this way with the authentication character string read from the payload of the received registration request packet; if they match, it authenticates the sender of the registration request packet as a DNS application target.
- When the authentication result indicates a DNS application target, the control unit 110 writes the source address from the header of the received registration request packet and the device unique identifier included in the domain name in the management table 144b in association with the corresponding higher domain and password pair.
- In the present embodiment the management table 144b has the configuration shown in FIG. 3A, so by executing the device information registration process the domain names and communication addresses of the network devices are stored in the management table 144b grouped by higher domain. That is, the server program 144a of the present embodiment causes the control unit 110 to function as a grouping unit that performs this grouping.
- When the management table 144b has the configuration shown in FIG. 3B, only the IP address may be registered in accordance with the authentication result, and grouping by higher domain may be performed as a pre-process when the notification process is executed.
- The establishment destination notification process is executed every time a combination of a domain name and an IP address is registered in the management table 144b (in the present embodiment, every time the device information registration process is executed).
- In this process the control unit 110 takes as processing targets, among the groups to which a plurality of network devices belong, those groups in which the number of network devices has changed or in which device information has changed, and notifies each network device in a processing target group of the communication addresses of the other network devices in the same group as the communication addresses of the establishment destinations of the virtual communication path. That is, the server program 144a of the present embodiment causes the control unit 110 to function as an establishment destination notifying unit that executes the establishment destination notification process, which most clearly shows the features of the present embodiment.
- When the management table 144b has the configuration shown in FIG. 3B, the establishment destination notification process may be executed after the device information registration process, once grouping by higher domain has been carried out.
- In the example of FIG. 3A, the control unit 110 notifies establishment destinations of the virtual communication path only to the network devices whose upper domain is "university.example.jp", because there is only one network device whose upper domain is "company.example.jp" and only one whose upper domain is "club.example.jp".
- Various modes can be considered for notifying the establishment destinations of the virtual communication path to the network devices whose upper domain is "university.example.jp".
- When a mesh-type VPN is constructed, each network device may be notified of the IP addresses and address range information of all the other network devices belonging to the same group.
- When the hub-and-spoke VPN shown in FIG. 4B is constructed, the network device at the center of the VPN (in FIG. 4B, the network device whose device unique identifier is place1) is notified of the IP addresses and address range information of all the other network devices in the same group, and each of those other network devices is notified of the IP address and address range information of the central network device.
- Various methods can be considered for selecting the network device at the center of a hub-and-spoke VPN. For example, the network device with the lowest IP address may be selected, or the one whose device unique identifier comes first in dictionary order.
- Alternatively, the network device 20 may write information indicating its own processing capability and the processing load on it in the payload of the registration request packet and send it to the DNS server device 10; the DNS server device 10 then writes this processing capability (or processing load) information in the management table 144b and selects the network device with the highest processing capability (or the lightest processing load) as the center of the hub-and-spoke VPN.
- The above is the configuration of the DNS server device 10.
- The network device 20 includes a control unit 210, a first communication I/F unit 220, a second communication I/F unit 230, a storage unit 240, and a bus 250 that mediates data exchange between these components.
- The control unit 210 is a CPU, like the control unit 110, and functions as the control center of the network device 20.
- The first communication I/F unit 220 and the second communication I/F unit 230 are NICs. The first communication I/F unit 220 is connected to the communication network 30, and the second communication I/F unit 230 is connected to the LAN at the base where the network device 20 is installed.
- The storage unit 240 includes a volatile storage unit 242 and a nonvolatile storage unit 244; the nonvolatile storage unit 244 stores a client program 244a.
- The client program 244a causes the control unit 210 to realize the original functions of the network device 20 (in this embodiment, a setting support process by which a network administrator or the like sets the various parameters for data communication via the communication network 30, and a transfer control process based on the destination address of each packet).
- Specific examples of the parameters for data communication via the communication network 30 are the IP address of the DNS server device 10, the domain name (device unique identifier and higher domain) given to the network device 20, and the password. The parameters set in the setting support process are stored in the nonvolatile storage unit 244.
- When the network device 20 is powered on (power supply not shown), the control unit 210 reads the client program 244a from the nonvolatile storage unit 244 into the volatile storage unit 242 and starts executing it.
- The control unit 210 operating according to the client program 244a executes a device information transmission process and a virtual communication path establishment process in addition to the setting support process and the transfer control process.
- The setting support process is executed when a parameter setting instruction is given from another computer device (for example, a personal computer) connected to the LAN to which the network device 20 is connected.
- The transfer control process is executed when a packet is received via the first communication I/F unit 220 or the second communication I/F unit 230. Since the setting support process and the transfer control process do not differ from those of a general router, they are not described in detail.
- The device information transmission process is executed when a transmission instruction for the registration request packet is given. In this process the control unit 210 generates the registration request packet described above and sends it to the communication network 30 via the first communication I/F unit 220.
- In the header of the registration request packet, the IP address of the DNS server device 10 is written as the destination address and the IP address assigned to the first communication I/F unit 220 by PPPoE or the like is written as the source address; in the payload, character string data representing the domain name assigned to the network device 20 and the password are written.
- The virtual communication path establishment process presents the IP address notified from the DNS server device 10 to the network administrator as the establishment destination of the virtual communication path, has the network administrator set the various parameters used for establishing the virtual communication path with that destination, and establishes the virtual communication path according to those parameters. It is executed every time an establishment destination IP address is notified from the DNS server device 10, and once for each IP address when several are notified.
- The above is the configuration of the network device 20.
- In the following operation example, the IP address of the DNS server device 10 has been set in the network device 20B, and "BBBB" has been set by PPPoE as the IP address of its first communication I/F unit 220.
- The control unit 210 of the network device 20B executes the device information transmission process when a registration request packet transmission instruction is given by the network administrator or the like (step SA100).
- The control unit 210 of the network device 20B reads the domain name, the password, its own IP address, and the IP address of the DNS server device 10 from the nonvolatile storage unit 244, generates the registration request packet described above, and sends it to the communication network 30 via the first communication I/F unit 220.
- In the header of this registration request packet, the IP address of the DNS server device 10 is written as the destination address and "BBBB" as the source address; in the payload, a character string representing the domain name of the network device 20B (router2.company.example.jp) and an authentication character string generated by the one-way hash function from that domain name and the password ("password") are written.
- The registration request packet sent from the network device 20B is routed by other network devices in the communication network 30 and reaches the DNS server device 10.
- When the control unit 110 of the DNS server device 10 receives the registration request packet via the communication I/F unit 120, it performs authentication using the domain name and authentication character string in the payload of the packet (step SB100). As described above, the control unit 110 generates an authentication character string by the one-way hash function from the domain name in the payload and the password stored in the management table 144b in association with the upper domain included in that domain name, and authenticates the sender of the registration request packet by comparing it with the authentication character string in the payload.
- Here, the domain name in the payload of the registration request packet received from the network device 20B is "router2.company.example.jp", and its upper domain is "company.example.jp". The authentication character string in the payload was generated by the one-way hash function from this domain name and the password "password"; the password stored in the management table 144b in association with the upper domain "company.example.jp" is also "password"; and the DNS server device 10 and the network device 20B use the same one-way hash function.
- The determination in step SB100 is therefore "Yes" (authentication OK), and the control unit 110 executes the device information registration process (step SB110), updating the contents of the management table 144b to those shown in FIG.
- control part 110 performs the establishment destination notification process (step SB120) mentioned above.
- a group of network devices whose upper domain is “university.example.jp” and a group of network devices whose upper domain is “company.example.jp”.
- each of these device groups is a “group consisting of a plurality of network devices”.
- the number of network devices belonging to the former group does not increase or decrease, and its device information does not change. For this reason, only the latter group becomes the processing target group, and the establishment destination of the virtual communication path is notified only for it. To explain in more detail, as shown in FIG., the network device 20A is notified of the IP address and address range information of the network device 20B, and the network device 20B is notified of the IP address and address range information of the network device 20A. Then, in each of the network devices 20A and 20B, the virtual communication path establishment process (step SA110A and step SA110B) is executed based on the information notified from the DNS server device 10, and a virtual communication path is established between the network devices 20A and 20B.
- a virtual communication path is established between the network device 20A and the network device 20B, and a VPN is constructed.
- the point to be noted here is that even when a new network device is introduced as in the above operation example, the network administrator does not need to perform tasks such as selecting the network device that is to be the establishment destination of the virtual communication path or investigating the address range assigned to the communication devices under each network device. For this reason, even when a network device 20 is newly installed, the network administrator can leave the construction of the environment to a user with little network knowledge (for example, a general user who works at the site).
- since the settings of the existing bases are changed automatically, the network administrator does not need to go to another base and change its settings when a network device is newly installed.
- the communication system 1 includes two network devices (network devices 20A and 20B), but it is needless to say that three or more network devices may be included.
- network devices are grouped in a higher domain obtained by removing a device unique identifier from a domain name assigned to each network device.
- the network devices may instead be grouped using only the domain that represents the name of the organization that owns them. The point is that the network devices may be grouped by any domain name included in the domain name assigned to each network device.
- among the groups to which a plurality of network devices belong, a group in which the number of belonging network devices has changed or in which the device information of a belonging network device has changed is set as the processing target group.
- a group to which a plurality of network devices belong may instead always be set as a processing target group, regardless of whether the number of belonging network devices has changed or whether the device information has changed.
- in the above embodiment the establishment destination notification process is executed by the control unit 110 in response to the execution of the device information registration process (that is, the update of the stored contents of the management table 144b); however, the establishment destination notification process may also be executed in response to a request packet from a network device 20, in which case the control unit 110 may be caused to execute the establishment destination notification process with the group to which that network device 20 belongs as the processing target group.
- the control unit 210 of the network device 20 may be caused to transmit such a packet in response to an instruction to transmit it given by a network administrator or the like, or the packet may be transmitted at fixed intervals (that is, periodically).
- when the stored content of the management table 144b is the content shown in FIG. 7 and, in the situation where the hub-and-spoke VPN shown in FIG. has been constructed, a registration request packet including the domain name “place5.university.example.jp” and the password information corresponding to the upper domain “university.example.jp” is received from the network device 20A, the stored contents of the management table 144b are updated as shown in FIG. 8B. Based on the updated stored contents of the management table 144b, the VPN is reconstructed so as to additionally establish the virtual communication path indicated by the dotted line in FIG. 8A.
- it is possible to perform data communication that ensures confidentiality between an organization whose upper domain is “university.example.jp” and an organization whose upper domain is “company.example.jp”.
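The registration, authentication, grouping and establishment destination notification described in the operation example above and in the grouping variants that follow it, as an added example that is not the patent's own code: a small Python model of the DNS server device 10 holding the management table 144b. The one-way hash (SHA-256 over domain name and password), the IP addresses and LAN prefixes, and the "lowest IP address becomes the hub" rule are this example's assumptions and constructed values.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field


def auth_string(domain: str, password: str) -> str:
    """Authentication character string carried in the registration request.
    The page fixes no one-way hash; SHA-256 over "domain NUL password" is
    this example's assumption, and both sides must use the same function."""
    return hashlib.sha256(f"{domain}\x00{password}".encode()).hexdigest()


def upper_domain(domain: str) -> str:
    """Upper domain: the domain name minus its device-unique (leftmost) label."""
    return domain.split(".", 1)[1]


@dataclass
class DnsServerDevice:
    """Model of the DNS server device 10 and its management table 144b."""
    passwords: dict[str, str]          # upper domain -> password of that organisation
    devices: dict[str, tuple[str, str]] = field(default_factory=dict)  # domain -> (IP, LAN prefix)

    def register(self, packet: dict, hub_and_spoke: bool = False):
        """Handle one registration request packet (steps SB100 to SB120).
        Returns None when authentication fails, {} when there is no processing
        target group, otherwise the notification each group member receives."""
        domain = packet["domain"]
        password = self.passwords.get(upper_domain(domain))
        if password is None:
            return None                # upper domain was never registered
        # Step SB100: recompute the string from the stored password and
        # compare it with the received one in constant time.
        if not hmac.compare_digest(auth_string(domain, password), packet["auth"]):
            return None
        # Step SB110: register device information. If nothing changed, the
        # group is not a processing target (variant described on the page).
        info = (packet["src_ip"], packet["prefix"])
        if self.devices.get(domain) == info:
            return {}
        self.devices[domain] = info
        # Step SB120: establishment destination notification for the group.
        return self.notify(upper_domain(domain), hub_and_spoke)

    def group(self, upper: str) -> dict[str, tuple[str, str]]:
        return {d: i for d, i in self.devices.items() if upper_domain(d) == upper}

    def notify(self, upper: str, hub_and_spoke: bool = False) -> dict:
        """For each member of the group, the peers (IP and LAN address range)
        it should establish virtual communication paths with."""
        members = self.group(upper)
        if len(members) < 2:           # only groups of two or more are notified
            return {}
        if not hub_and_spoke:          # full mesh: every member learns every other
            return {d: {o: i for o, i in members.items() if o != d} for d in members}
        # Hub-and-spoke: the member with the numerically lowest IP address is
        # the hub (one of the selection rules the page mentions).
        hub = min(members, key=lambda d: ipaddress.ip_address(members[d][0]))
        spokes = {d: i for d, i in members.items() if d != hub}
        notes = {d: {hub: members[hub]} for d in spokes}
        notes[hub] = spokes
        return notes


def run_operation_example(hub_and_spoke: bool = False):
    """Constructed replay of the page's operation example: router1 of
    company.example.jp is already registered, then router2 registers."""
    server = DnsServerDevice(passwords={"company.example.jp": "password",
                                        "university.example.jp": "pw-university"})
    server.devices["router1.company.example.jp"] = ("192.0.2.1", "10.1.0.0/16")
    packet = {"src_ip": "198.51.100.2",   # stands in for "B.B.B.B"
              "prefix": "10.2.0.0/16",    # constructed LAN range under router2
              "domain": "router2.company.example.jp",
              "auth": auth_string("router2.company.example.jp", "password")}
    return server, server.register(packet, hub_and_spoke)
```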
- a server program that causes the control unit 110 of the DNS server device 10 to execute the processing that clearly exhibits the features of the present invention is stored in the nonvolatile storage unit 144 in advance.
- the program may be distributed by writing it on a computer-readable recording medium such as a CD-ROM (Compact Disc Read Only Memory), or may be distributed by downloading it via a telecommunication line such as the Internet.
- a general-purpose computer can thus be made to function as the DNS server device 10 of the above embodiment.
- the client program 244a may likewise be distributed by writing it on a computer-readable recording medium, or may be distributed by downloading it via a telecommunication line such as the Internet.
- DESCRIPTION OF SYMBOLS: 10 ... DNS server device; 20A, 20B ... network devices; 110, 210 ... control unit; 120 ... communication I/F unit; 130 ... user I/F unit; 220 ... first communication I/F unit; 230 ... second communication I/F unit; 140, 240 ... storage unit; 142, 242 ... volatile storage unit; 144, 244 ... non-volatile storage unit; 150, 250 ... bus; 30 ... communication network.
Description
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(A: Configuration)
FIG. 1 is a diagram showing a configuration example of a communication system 1 according to one embodiment of the present invention.
The communication system 1 includes a DNS server device 10, a network device 20A and a network device 20B. The DNS server device 10, the network device 20A and the network device 20B are connected to a communication network 30, which is a general public network such as the Internet.
FIG. 2 is a block diagram illustrating a configuration example of the
As shown in FIG. 2, the DNS server device 10 includes a control unit 110, a communication interface (hereinafter abbreviated as "I/F") unit 120, a user I/F unit 130, a storage unit 140, and a bus 150 that mediates the exchange of data among these components. The control unit 110 is, for example, a CPU (Central Processing Unit). The control unit 110 functions as the control center of the DNS server device 10 by executing a server program 144a stored in the storage unit 140 (more precisely, in the non-volatile storage unit 144). The details of the processing that the control unit 110 executes in accordance with the server program 144a will be made clear later.
The above is the configuration of the DNS server device 10.
Various methods can be considered for selecting the network device that becomes the center of a hub-and-spoke VPN: for example, a mode in which the device with the lowest IP address is selected, or a mode in which the device whose device-unique identifier comes first in dictionary order is selected. In addition to the domain name and password information, the
Next, the configuration of the
As shown in FIG. 5, the network device 20 includes a control unit 210, a first communication I/F unit 220, a second communication I/F unit 230, a storage unit 240, and a bus 250 that mediates the exchange of data among these components. The control unit 210 is a CPU, like the control unit 110, and functions as the control center of the network device 20. The first communication I/F unit 220 and the second communication I/F unit 230 are NICs, like the communication I/F unit 120. The first communication I/F unit 220 is connected to the communication network 30, and the second communication I/F unit 230 is connected to the LAN within the base where the network device 20 is installed. The storage unit 240, like the storage unit 140, includes a volatile storage unit 242 and a non-volatile storage unit 244.
The above is the configuration of the network device 20.
The virtual communication path establishment process presents the IP address notified from the
(B: Operation)
Next, the operation of this embodiment will be described. In the operation example described below, it is assumed that the upper domain (company.example.jp) of the company that owns the network device 20A and the network device 20B has already been registered, that the device information of the network device 20A has also been registered, and that the management table shown in FIG. 3A is stored in the non-volatile storage unit 144 of the DNS server device 10. The case of registering the device information of the network device 20B under this situation is described below. In the network device 20B, the IP address of the DNS server device 10, the domain name to be assigned to the network device 20B (router2.company.example.jp) and the password distributed by the DNS operator (“password”) have been set by the setting support process described above, and “B.B.B.B” has already been set by PPPoE as the IP address of the first communication I/F unit 220.
(C: Modifications)
Although one embodiment of the present invention has been described above, the following modifications may of course be added to these embodiments.
(1) In the above embodiment, the communication system 1 included two network devices (network devices 20A and 20B), but three or more network devices may of course be included. Also, the above embodiment described the case where the network devices are grouped by the upper domain obtained by removing the device-unique identifier from the domain name assigned to each network device; however, they may be grouped using only the domain that represents the name of the organization that owns those network devices. In short, any mode in which the network devices are grouped by a domain name included in the domain names assigned to the network devices suffices.
Claims (9)
- 1. A DNS (Domain Name System) server device that has a management table in which one or more domain names assigned to a network device are stored in association with the communication address assigned to that network device, and that provides a domain name service by referring to the management table, the DNS server device comprising: grouping means for grouping the network devices whose domain names and communication addresses are stored in the management table by the upper domain included in the domain name of each network device, thereby generating a plurality of groups; and establishment destination notification means for executing, for each network device in a group to which a plurality of network devices belong among the plurality of groups generated by the grouping means, an establishment destination notification process that notifies that network device of the communication addresses of the other network devices belonging to the group as communication addresses of establishment destinations of virtual communication paths.
- 2. The DNS server device according to claim 1, wherein, in response to a request from a network device, the establishment destination notification means notifies each network device in the group to which the requesting network device belongs of the communication addresses of the other network devices as communication addresses of establishment destinations of virtual communication paths.
- 3. The DNS server device according to claim 1 or 2, wherein the management table stores, in association with the communication address and domain name assigned to each network device, priority data representing a priority that is higher the greater the processing capability of that network device or the lower the processing load on that network device, and the establishment destination notification means determines the establishment destination of the virtual communication path of each network device so that, among the network devices belonging to a group for which a setting to construct a VPN (Virtual Private Network) has been made, the network device with the highest priority indicated by the priority data becomes the center of a hub-and-spoke topology.
- 4. A network device comprising: device information transmission means for transmitting the communication address and domain name assigned to the device itself to a DNS (Domain Name System) server device and causing the DNS server device to store them; and virtual communication path establishment means for establishing a virtual communication path with another network device based on the communication address of that other network device notified from the DNS server device.
- 5. The network device according to claim 4, wherein the device information transmission means includes the communication address and the domain name in a registration request and transmits the registration request to the DNS server device, and the virtual communication path establishment means receives the communication address of the other network device as a response to the registration request.
- 6. The network device according to claim 4 or 5, wherein the device information transmission means includes the communication address, the domain name, and the processing capability or processing load of the device itself in a registration request and transmits the registration request to the DNS server device.
- 7. A communication system having the DNS server device according to any one of claims 1 to 3 and a plurality of the network devices according to any one of claims 4 to 6.
- 8. A communication method in a DNS (Domain Name System) server device that has a management table in which one or more domain names assigned to a network device are stored in association with the communication address assigned to that network device, and that provides a domain name service by referring to the management table, the method comprising: grouping the network devices whose domain names and communication addresses are stored in the management table by the upper domain included in the domain name of each network device, thereby generating a plurality of groups; and notifying each network device belonging to a group to which a plurality of network devices belong, among the generated plurality of groups, of the communication addresses of the other network devices belonging to the group as communication addresses of establishment destinations of virtual communication paths.
- 9. A communication method in a network device, comprising: transmitting the communication address and domain name assigned to the network device to a DNS (Domain Name System) server device and causing the DNS server device to store them; and establishing a virtual communication path with another network device based on the communication address of that other network device notified from the DNS server device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201480016873.XA CN105144642B (en) | 2013-03-18 | 2014-03-18 | Dns server device, net machine, communication system and communication means |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013055744A JP6127622B2 (en) | 2013-03-18 | 2013-03-18 | DNS server device, network device, and communication system |
JP2013-055744 | 2013-03-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014148483A1 true WO2014148483A1 (en) | 2014-09-25 |
Family
ID=51580161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/057310 WO2014148483A1 (en) | 2013-03-18 | 2014-03-18 | Dns server device, network machine, communication system, and communication method |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP6127622B2 (en) |
CN (1) | CN105144642B (en) |
WO (1) | WO2014148483A1 (en) |
2013
- 2013-03-18 JP JP2013055744A patent/JP6127622B2/en active Active
2014
- 2014-03-18 CN CN201480016873.XA patent/CN105144642B/en active Active
- 2014-03-18 WO PCT/JP2014/057310 patent/WO2014148483A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
JP6127622B2 (en) | 2017-05-17 |
CN105144642A (en) | 2015-12-09 |
JP2014183415A (en) | 2014-09-29 |
CN105144642B (en) | 2018-06-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | WWE | Wipo information: entry into national phase | Ref document number: 201480016873.X; Country of ref document: CN |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14769525; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWE | Wipo information: entry into national phase | Ref document number: IDP00201505849; Country of ref document: ID |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 14769525; Country of ref document: EP; Kind code of ref document: A1 |