WO2019221207A1 - Communication device and communication method - Google Patents


Info

Publication number
WO2019221207A1
Authority
WO
WIPO (PCT)
Prior art keywords
mac address
address
host
ethernet frame
communication
Prior art date
Application number
PCT/JP2019/019400
Other languages
French (fr)
Japanese (ja)
Inventor
五十嵐 弓将
Original Assignee
日本電信電話株式会社
Priority date
Filing date
Publication date
Application filed by 日本電信電話株式会社 (Nippon Telegraph and Telephone Corporation)
Publication of WO2019221207A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • the present invention relates to a communication device and a communication method.
  • a repeater hub is a device that operates in the physical layer (layer 1) of the OSI (Open Systems Interconnection) reference model and relays communication between multiple hosts.
  • the OSI reference model is an international standard model, established by the International Organization for Standardization (ISO), that divides the communication functions of devices such as computers into a hierarchical structure of seven layers.
  • the repeater hub is connected to hosts such as terminals in a network topology called a star. That is, the repeater hub is the central network device that connects to a plurality of hosts and relays communication between them.
  • the repeater hub receives the electrical signal transmitted by a host at the physical port that accommodates that host. This physical port is connected to the host by a cable that carries a single electrical signal.
  • the repeater hub amplifies and reshapes the waveform of the received electrical signal and then transmits it to all of its other ports.
  • with a repeater hub having such a function, communication traffic in a computer network can be mirrored as follows. First, the hosts whose communication is to be mirrored are connected to the repeater hub (three or more hosts may be connected). Next, a device that captures communication traffic is connected to an empty port of the repeater hub. Since the repeater hub transmits the electrical signal received at any of its ports to all other ports, all communication passing through the repeater hub is mirrored at that one port.
  • useless traffic occurs, for example, when communication between two hosts connected to the repeater hub is transmitted to all ports of the repeater hub. Relaying the electrical signal only between the two ports to which those hosts are connected would be enough to establish their communication, but the repeater hub also transmits the electrical signal to every other port, so unnecessary communication traffic occurs.
  • a communication collision occurs when two or more hosts connected to the repeater hub transmit electrical signals at the same time, because the repeater hub cannot transmit all of those electrical signals to its other ports simultaneously.
  • to avoid collisions, methods such as dividing the reach of electrical signals into collision domains, and having a host confirm that it may transmit before it sends an electrical signal, are used.
  • a network device that makes each collision domain as small as possible is mainly used.
  • the switching hub is a device that operates in the data link layer (layer 2) of the OSI reference model. In addition to the repeater hub's function of relaying communication between a plurality of hosts, it has the function of decoding the header of the data link layer Ethernet (registered trademark) frame.
  • when the switching hub receives an Ethernet frame from a host at one of its ports, it refers to the destination MAC (Media Access Control) address (the address indicating the destination of the frame) in the Ethernet frame header and forwards the frame only to the port to which the host with that destination address is connected. With this function, the switching hub solves the repeater hub's problems of unnecessary traffic and communication collisions.
  • MAC: Media Access Control
  • a switching hub cannot mirror communication traffic in the same manner as a repeater hub, because the repeater hub sends the electrical signal received at one port to all other ports, whereas the switching hub sends a frame only to the port to which the host with the destination MAC address is connected. Therefore, in a switching hub, the port mirror method is used to realize traffic mirroring (see Non-Patent Document 1).
  • in the port mirror method, whether to mirror traffic is set per port of the switching hub, and every Ethernet frame transmitted or received by a port set to be mirrored is copied to another port assigned exclusively for capturing the communication traffic to be mirrored. With such a port mirror function, communication traffic can be mirrored even by a switching hub.
  • the port mirror method has the following two problems.
  • the port mirror method cannot be applied to a wireless LAN (local area network), that is, a computer network for wireless communication.
  • LAN: local area network
  • in a wired LAN, a host that performs communication and the switching hub that accommodates the host are connected by a single physical cable, so mirroring per port is possible.
  • AP: access point
  • in a wireless LAN, the transmission path of the electrical signal is an electromagnetic wave, and the function corresponding to a switching hub is hidden inside the AP (access point). Therefore, in a wireless LAN, a wired switching hub having a port mirror function cannot be inserted in the middle of the wireless communication path.
  • the present invention has been made in view of the above. An object of the present invention is to provide a communication device and a communication method that make it possible to mirror communication traffic between hosts on a communication path that turns back, at a relay point, through a switching hub that does not have a port mirror function or through an AP of a wireless LAN.
  • the communication device of the present invention connects to a relay device that accommodates a plurality of hosts and that is a switching hub without a port mirror function or an access point of a wireless LAN.
  • the communication device includes a first rewriting unit that, for an Ethernet frame transmitted from the relay device with the spoofed MAC address as its destination MAC address, searches a list (the IP-MAC list described below) and rewrites the destination MAC address to the original MAC address corresponding to the destination IP address of the Ethernet frame; a second rewriting unit that rewrites the source MAC address of the Ethernet frame whose destination MAC address has been rewritten to the original MAC address to the spoofed MAC address; and a transmitting unit that transmits the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the first rewriting unit to the mirror traffic receiving device, and transmits the Ethernet frame whose source MAC address was rewritten to the spoofed MAC address by the second rewriting unit to the relay device.
  • according to the present invention, communication traffic between hosts can be mirrored on a communication path that turns back, at a relay point, through a switching hub that does not have a port mirror function or through a wireless LAN AP.
  • FIG. 1 is a diagram illustrating a configuration of a communication system according to an embodiment.
  • FIG. 2 is a diagram showing an example of the data configuration of the IP-MAC list shown in FIG.
  • FIG. 3 is a diagram for explaining a flow of a mirror process of communication traffic in the communication system according to the embodiment.
  • FIG. 4 is a diagram for explaining the flow of mirroring of communication traffic in the communication system according to the embodiment.
  • FIG. 5 is a diagram for explaining the flow of mirroring of communication traffic in the communication system according to the embodiment.
  • FIG. 6 is a diagram for explaining a flow of mirroring of communication traffic in the communication system according to the embodiment.
  • FIG. 7 is a diagram for explaining the flow of communication traffic mirroring in the communication system according to the embodiment.
  • FIG. 8 is a diagram for explaining the flow of mirroring of communication traffic in the communication system according to the embodiment.
  • FIG. 9 is a sequence diagram illustrating a processing procedure of host scan processing of the communication system according to the embodiment.
  • FIG. 10 is a sequence diagram illustrating a processing procedure of mirror processing of the communication system according to the embodiment.
  • the communication system 100 includes two hosts 1A and 1B, a relay device 2, and a switching hub 3.
  • the relay device 2 is a switching hub that does not have a port mirror function, or a wireless LAN AP.
  • the switching hub 3 is connected to one port of the relay device 2 by wire.
  • the number of hosts is an example. Further, "host 1" is used when the hosts 1A and 1B are described without being distinguished.
  • the hosts 1A and 1B communicate with each other through the relay device 2 as a relay point, that is, their traffic turns back at the relay device 2.
  • the host 1A has an IP address “IP_A” and a MAC address “MAC_A”.
  • the host 1B has an IP address “IP_B” and a MAC address “MAC_B”.
  • the relay device 2 is a switching hub or a wireless LAN AP that does not have a port mirror function.
  • the relay device 2 has a general switching hub function: it forwards a received Ethernet frame to the port to which the host corresponding to the destination MAC address in the Ethernet frame header is connected.
  • the path from the host 1A to the host 1B is the host 1A, the relay device 2, and the host 1B.
  • the port 21A is a connection port with the host 1A
  • the port 21B is a connection port with the host 1B
  • the port 22 is a connection port with the switching hub 3.
  • when the relay device 2 is a switching hub having no port mirror function, the switching hub 3 is connected by wire, via its transmission/reception port 36, to one port (for example, port 22) of that switching hub, in the same way as a host 1 in FIG. 1. When the relay device 2 is a wireless LAN AP, the switching hub 3 is connected by wire to a wired interface (port) of the AP that belongs to the same IP subnet as the AP's wireless LAN.
  • the switching hub 3 is connected to the communication device 4 via the port 37.
  • the communication device 4 captures the communication traffic mirrored by the switching hub 3 via the port 37.
  • in the communication system 100, the communication path between the hosts 1A and 1B, which turns back at the relay device 2 (a switching hub without a port mirror function or a wireless LAN AP) as a relay point, is handled using the external switching hub 3, so that the communication traffic between the hosts 1A and 1B can be mirrored.
  • the switching hub 3 includes a memory 30, a host scanning unit 31 (scanning unit), a spoofed ARP (Address Resolution Protocol) reply transmission unit 32 (spoofing unit), a destination MAC address rewriting unit 33 (first rewriting unit), a source MAC address rewriting unit 34 (second rewriting unit), an Ethernet frame transfer unit 35 (transmission unit), and ports 36 and 37.
  • the functions of the host scanning unit 31, the spoofed ARP reply transmission unit 32, the destination MAC address rewriting unit 33, the source MAC address rewriting unit 34, and the Ethernet frame transfer unit 35 are implemented on the substrate of the switching hub 3.
  • the port 36 is a port for connecting the relay device 2.
  • the port 37 is a port prepared for taking out mirror traffic. For example, the communication device 4 that captures mirrored packets is connected to the port 37 by wire.
  • the memory 30 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory (Flash Memory) formed on the substrate.
  • the memory 30 stores data related to operation processing of the switching hub 3.
  • the memory 30 stores an IP-MAC list 301.
  • the IP-MAC list 301 is data in which the IP addresses of the mirror target hosts 1A and 1B accommodated in the relay apparatus 2 are associated with the MAC addresses.
  • FIG. 2 is a diagram showing an example of the data configuration of the IP-MAC list 301 shown in FIG.
  • the IP-MAC list 301 includes an IP address of a host and a MAC address as items.
  • the MAC address “MAC_A” is associated with the IP address “IP_A”
  • the MAC address “MAC_B” is associated with the IP address “IP_B”.
  • the host scanning unit 31 scans for the IP address and MAC address pairs of the hosts 1A and 1B connected to the relay device 2, and stores in the memory 30 the IP-MAC list 301 in which each IP address is associated with its MAC address.
  • the host scanning unit 31 calculates the range of IP address values that a host connected to the relay device 2 may take from two pieces of information given in advance: the network address of the IP subnet to which the hosts 1A and 1B belong, and its subnet mask. For example, consider the case where the network address is "192.168.1.0" and the subnet mask is "255.255.255.0". The host part of the IP subnet connected to the relay device 2 is the part not masked by the subnet mask, that is, the fourth octet "X" of "192.168.1.X", which ranges from 0 to 255. From this calculation, a host connected to this IP subnet may take an IP address from "192.168.1.0" to "192.168.1.255".
  • the host scanning unit 31 uses ARP, which obtains the MAC address corresponding to an IP address (for example, [online], [searched May 10, 2018], Internet <URL: http://www.infraexpert.com/study/tcpip2.html>, and [online], [searched May 10, 2018], Internet <URL: http://www.infraexpert.com/study/dhcpz6.html>), to scan the MAC address for every IP address value in the range that a host may take.
  • specifically, the host scanning unit 31 broadcasts, with its own MAC address "MAC_D" as the source MAC address, an Ethernet frame requesting the host whose IP address is "192.168.1.1" to return its MAC address (an ARP request) to all hosts 1A and 1B connected to the relay device 2 at once.
  • every host 1A, 1B that receives the ARP request compares the IP address inquired about in the ARP request with its own IP address, and the host whose IP address matches sends back an Ethernet frame responding with its MAC address (an ARP reply).
  • the ARP reply is received by the relay device 2 and forwarded to the port to which the destination MAC address "MAC_D" (the inquiry source) is connected.
  • by repeating this ARP scan for all IP addresses in the IP subnet, the host scanning unit 31 obtains the IP address and MAC address pairs of all hosts 1A and 1B connected to the relay device 2.
  • the host scan unit 31 stores, in the memory 30, an IP-MAC list 301 that is a list of pairs of IP addresses and MAC addresses of hosts connected to the relay apparatus 2 obtained by the above procedure.
  • the host scanning unit 31 may not only actively scan for the IP address and MAC address pairs of the hosts connected to the relay device 2 as described above, but may also passively receive the ARP requests broadcast by the hosts 1A and 1B and hold the IP address and MAC address of the source host of each ARP request in the memory 30 inside the switching hub 3. In this case, however, it is not always possible to acquire the IP address and MAC address pairs of all the hosts connected to the relay device 2.
  • the spoofed ARP reply transmission unit 32 rewrites, in a host's ARP cache, the MAC address corresponding to the IP address of that host's communication destination with another MAC address (referred to here as the spoofed MAC address).
  • the spoofed ARP reply transmission unit 32 uses the MAC address of the communication device itself (the switching hub 3) as the spoofed MAC address.
  • the spoofed ARP reply transmission unit 32 rewrites the MAC address corresponding to a certain host's IP address with the spoofed MAC address using only the ARP reply part of the ARP exchange.
  • this function is generally called "ARP cache poisoning", a type of attack on computer network communications that carries out illegitimate communication by forcibly rewriting the temporary mapping between IP addresses and MAC addresses held by a host (referred to as the ARP cache).
  • the normal ARP function operates by an ARP request and an ARP reply responding to it. However, even when no ARP request has been made, the contents of the target host's ARP cache can be rewritten by transmitting only an ARP reply to that host.
  • for example, in FIG. 1, assume that a certain host (MAC address "MAC_B") holds in its ARP cache the IP address "IP_A" of the host 1A and the corresponding MAC address "MAC_A". In this normal state, when this host sends an Ethernet frame to "IP_A", the destination MAC address is set to "MAC_A" and the Ethernet frame is transmitted to the relay device 2.
  • against this normal state, the spoofed ARP reply transmission unit 32 periodically sends to the target host "MAC_B" an ARP reply stating that the MAC address corresponding to the host "IP_A" is the spoofed MAC address "MAC_D".
  • the interval at which the ARP reply containing the spoofed MAC address is sent to the target host 1 is set sufficiently short that the entry in the ARP cache is maintained and does not expire.
  • since the target host that received the spoofed MAC address now stores the spoofed MAC address as the MAC address corresponding to the IP address of the certain host, Ethernet frames addressed to that IP address are sent with the spoofed MAC address as the destination MAC address.
  • in this way, the spoofed ARP reply transmission unit 32 can rewrite the destination MAC address held in the ARP cache of a host 1 connected to the relay device 2 to the spoofed MAC address.
  • the rewriting of the ARP cache by the spoofed ARP reply transmission unit 32 may be performed for all the hosts connected to the relay device 2 that were found by the host scanning unit 31, or only for some of them.
  • the switching hub 3 can mirror traffic only for communication to destinations whose ARP cache entries have been rewritten.
  • to rewrite every entry, the spoofed ARP reply transmission unit 32 extracts the entire IP-MAC list 301 of the hosts connected to the relay device 2 found by the host scanning unit 31.
  • the spoofed ARP reply transmission unit 32 selects one IP address and MAC address pair of a host 1 and performs the ARP cache rewriting operation for that IP address on all hosts other than the host having that IP address.
  • the spoofed ARP reply transmission unit 32 performs this operation for all IP addresses in the IP-MAC list 301, thereby rewriting the MAC addresses corresponding to all IP addresses to the spoofed MAC address in the ARP caches of the hosts.
  • as a result, Ethernet frames between the hosts are transmitted toward the spoofed MAC address.
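The host scan of unit 31 and the spoofed ARP replies of unit 32, as an added example that is not the patent's or the applicant's code. It builds and parses raw Ethernet/ARP frames: one broadcast request per address in the calculated range, the replies collected into the IP-MAC list, and then one unsolicited reply per (host, peer) pair carrying the hub's own MAC "MAC_D". The host addresses, the hub's MAC and IP, and the `fake_wire()` responder that stands in for relay device 2 and the hosts are constructed for the demo; nothing is sent on a real interface.

```python
# Added example (not code from the patent): the host scan of unit 31 and the
# spoofed ARP replies of unit 32, built and parsed as raw Ethernet/ARP bytes.
# Host addresses, the hub's MAC "MAC_D" and fake_wire() are constructed for
# the demo; nothing here touches a real interface.
import ipaddress
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def host_range(network, mask):
    """Step (1): addresses a host may take, from network address and subnet mask.
    The page scans 192.168.1.0-255; here the network and broadcast addresses are
    skipped, since no host answers ARP for them."""
    return [str(a) for a in ipaddress.IPv4Network((network, mask)).hosts()]


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II frame carrying an RFC 826 ARP packet (Ethernet/IPv4, 6/4-byte addresses)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """(op, sender_mac, sender_ip, target_mac, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32])),
            mac_str(frame[32:38]), str(ipaddress.IPv4Address(frame[38:42])))


def arp_request(scanner_mac, scanner_ip, target_ip):
    """Step (2): broadcast "who has target_ip?" with MAC_D as the source MAC."""
    return build_arp(ARP_REQUEST, scanner_mac, scanner_ip, ZERO_MAC, target_ip, BCAST_MAC)


def host_scan(scanner_mac, scanner_ip, network, mask, send):
    """Steps (2)-(4): one request per address; the replies fill the IP-MAC list 301.
    send(frame) returns the reply frame, or None when nobody owns the address."""
    ip_mac = {}
    for ip in host_range(network, mask):
        reply = send(arp_request(scanner_mac, scanner_ip, ip))
        parsed = parse_arp(reply) if reply else None
        # Accept only a reply whose sender IP is the one that was asked for.
        if parsed and parsed[0] == ARP_REPLY and parsed[2] == ip:
            ip_mac[ip] = parsed[1]
    return ip_mac


def spoofed_reply(spoof_mac, poisoned_ip, victim_mac, victim_ip):
    """Unit 32: unsolicited ARP reply "poisoned_ip is at spoof_mac", unicast to the victim.
    A host that accepts it overwrites its cache entry for poisoned_ip with spoof_mac."""
    return build_arp(ARP_REPLY, spoof_mac, poisoned_ip, victim_mac, victim_ip, victim_mac)


def poison_plan(ip_mac, spoof_mac):
    """For every listed host X and every other listed host Y, one reply telling X
    that Y is at spoof_mac; resend these at an interval shorter than the cache lifetime."""
    return [spoofed_reply(spoof_mac, y_ip, x_mac, x_ip)
            for x_ip, x_mac in ip_mac.items() for y_ip in ip_mac if y_ip != x_ip]


# Constructed sample: two hosts behind relay device 2, and the hub's own MAC_D / IP.
HOSTS = {"192.168.1.10": "02:00:00:00:00:0a", "192.168.1.20": "02:00:00:00:00:0b"}
MAC_D, HUB_IP = "02:00:00:00:00:0d", "192.168.1.254"


def fake_wire(frame):
    """Stands in for relay device 2 and the hosts: only the owner of the asked IP replies."""
    p = parse_arp(frame)
    if p and p[0] == ARP_REQUEST and p[4] in HOSTS:
        return build_arp(ARP_REPLY, HOSTS[p[4]], p[4], p[1], p[2], p[1])
    return None


if __name__ == "__main__":
    ip_mac_list = host_scan(MAC_D, HUB_IP, "192.168.1.0", "255.255.255.0", fake_wire)
    print("IP-MAC list 301:", ip_mac_list)
    for f in poison_plan(ip_mac_list, MAC_D):
        print("spoofed reply:", parse_arp(f))
```

As the text assumes, the poisoned entry already exists in the victim's cache (the host has talked to the peer before); whether a host also creates a new entry from an unsolicited reply depends on its ARP implementation. The scan, being ordinary ARP traffic from the hub's own MAC, is indistinguishable from a host populating its cache; the repeated unsolicited replies that follow are what ARP-monitoring tools flag as an IP-to-MAC change.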
  • the destination MAC address rewriting unit 33 rewrites, for an Ethernet frame transmitted from the relay device 2 with the spoofed MAC address as its destination MAC address, the destination MAC address to the original MAC address corresponding to the destination IP address of the Ethernet frame.
  • to do so, the destination MAC address rewriting unit 33 searches the IP-MAC list 301 and acquires the original MAC address corresponding to the IP address of the Ethernet frame.
  • specifically, the destination MAC address rewriting unit 33 refers to the destination IP address of the IP packet contained in the received Ethernet frame and, based on that value, searches the IP-MAC list 301 for the MAC address of the host 1 corresponding to that destination IP address. The pair of destination IP address and MAC address obtained by this search is the pair used in the original, normal communication.
  • the destination MAC address rewriting unit 33 then rewrites the destination MAC address of the received Ethernet frame, which is the spoofed MAC address, to the destination MAC address used in the original normal communication.
  • for example, when the host "MAC_B" tries to communicate with the host "IP_A", it refers to its internal ARP cache, which has been rewritten by the spoofed ARP reply transmission unit 32, and transmits an Ethernet frame with the spoofed MAC address "MAC_D" as the destination MAC address. In this case, the Ethernet frame reaches the switching hub 3 via the relay device 2.
  • the source MAC address of the Ethernet frame that has reached the switching hub 3 is “MAC_B”.
  • the destination MAC address rewriting unit 33 receives the Ethernet frame and rewrites the destination MAC address to “MAC_A” which is the original MAC address of the host “IP_A”.
  • the destination MAC address rewriting unit 33 sends the Ethernet frame with the rewritten destination MAC address to the Ethernet frame transfer unit 35.
  • the Ethernet frame transfer unit 35 transmits the Ethernet frame in which the destination MAC address rewriting unit 33 rewrites the destination MAC address to the original MAC address from the port 37 to the communication device 4.
  • the functions of the Ethernet frame transfer unit 35 can be realized with existing commercial or open technology such as Open vSwitch (for example, [online], [searched May 10, 2018], Internet <URL: https://docs.openvswitch.org/en/latest/tutorials/faucet/>), using its function of forwarding Ethernet frames and the IP packets they contain by referring to MAC addresses, IP addresses, IP port numbers, and the like.
  • the Ethernet frame transfer unit 35 receives the Ethernet frame whose destination MAC address has been rewritten by the destination MAC address rewriting unit 33 and transmits it to the port 37 prepared for mirroring. That is, by transmitting that Ethernet frame to the mirror traffic extraction port 37 of the switching hub 3, the Ethernet frame transfer unit 35 makes it possible to mirror the communication from the host "MAC_B" to the host "IP_A".
  • the Ethernet frame transfer unit 35 also duplicates the Ethernet frame whose destination MAC address has been rewritten by the destination MAC address rewriting unit 33 and transfers the copy to the source MAC address rewriting unit 34.
  • the source MAC address rewriting unit 34 rewrites the source MAC address of the Ethernet frame received from the Ethernet frame transfer unit 35 to the spoofed MAC address.
  • the Ethernet frame received from the Ethernet frame transfer unit 35 is a copy of the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the destination MAC address rewriting unit 33.
  • the source MAC address rewriting unit 34 rewrites the source MAC address of the Ethernet frame input from the Ethernet frame transfer unit 35 by the above procedure to its own spoofed MAC address.
  • for example, the destination MAC address rewriting unit 33 rewrites the destination MAC address to "MAC_A", the original MAC address of the host "IP_A"; the Ethernet frame transfer unit 35 transmits the frame to the mirror port and at the same time duplicates it, and the source MAC address rewriting unit 34 receives the copy. The source MAC address rewriting unit 34 then rewrites the source MAC address of the received Ethernet frame to the spoofed MAC address "MAC_D". As a result, the destination MAC address of the Ethernet frame is "MAC_A" and the source MAC address is the spoofed MAC address "MAC_D".
  • the source MAC address rewriting unit 34 sends the Ethernet frame to the Ethernet frame transfer unit 35.
  • the Ethernet frame transfer unit 35 receives the Ethernet frame whose source MAC address has been rewritten to the spoofed MAC address by the source MAC address rewriting unit 34, and transmits it from the port 36 to the relay device 2. As a result, the Ethernet frame returns to the relay device 2, is received by the relay device 2 again, and is forwarded by the switching function of the relay device 2 to the host 1 connected to it.
  • in the example, the Ethernet frame whose destination MAC address was rewritten to "MAC_A" is transmitted to the relay device 2 again after its source MAC address has been rewritten by the source MAC address rewriting unit 34.
  • the relay device 2 that receives the Ethernet frame refers to the destination MAC address and forwards the Ethernet frame to the host 1A.
  • the Ethernet frame from "MAC_B" (host 1B), whose source MAC address has been rewritten to the spoofed MAC address "MAC_D", thus reaches "IP_A" (host 1A). From the host 1A's point of view, the frame appears to have arrived from the spoofed MAC address "MAC_D".
  • in this way, the communication system 100 can mirror the communication between the hosts 1A and 1B that turns back at the relay device 2 as a relay point.
  • mirroring can be performed even when the relay device 2 is a switching hub that does not have a port mirror function, or a wireless LAN AP.
  • FIGS. 3 to 8 are diagrams for explaining the flow of the communication traffic mirror processing of the communication system according to the embodiment.
  • in FIGS. 3 to 8, the relay device 2 is a wireless LAN AP 2A.
  • the AP 2A has an access point function that accommodates the host 1 connected by the wireless LAN, and a wired interface (port 22) that is connected to the switching hub 3 by a cable.
  • the hosts 1A and 1B connect to the AP 2A via the wireless LAN. Host 1A and host 1B communicate with each other with the AP 2A as the turn-back relay point.
  • the switching hub 3 is connected to the wired interface (port 22) of the AP 2A, which belongs to the same IP subnet as the hosts connected to the AP 2A.
  • the terminal 4A connects to the port 37 of the switching hub 3 and captures the mirrored communication traffic.
  • the AP 2A has a general switching hub function: it forwards a received Ethernet frame to the port to which the host 1 corresponding to the destination MAC address in the Ethernet frame header is connected.
  • an IP address “IP_A” and a MAC address “MAC_A” are assigned to the host 1A
  • an IP address “IP_B” and a MAC address “MAC_B” are assigned to the host 1B.
  • when the hosts 1A and 1B communicate, each resolves the other's MAC address from the other's IP address by ARP, and transmits to the AP 2A an Ethernet frame with the other's MAC address as the destination MAC address.
  • the switching hub 3 is connected to the port 22 of the wired interface of the AP 2A.
  • the switching hub 3 is therefore one of the hosts connected to the AP 2A, in the same way as the hosts 1A and 1B.
  • the host scanning unit 31 calculates the range of IP address values of the hosts 1 from two pieces of information, the network address and the subnet mask of the IP subnet to which the hosts of the AP 2A belong (see (1) in FIG. 3).
  • the network address and subnet mask may be recorded in advance in a storage area inside the switching hub 3, or may be obtained by referring to the network address and subnet mask contained in a DHCP response.
  • the host scanning unit 31 scans MAC addresses corresponding to all IP addresses in the calculated range using ARP (see (2) in FIG. 3).
  • the host scanning unit 31 acquires the MAC address "MAC_A" corresponding to the IP address "IP_A" of the host 1A (see (3) in FIG. 3).
  • the host scanning unit 31 acquires the MAC address "MAC_B" corresponding to the IP address "IP_B" of the host 1B (see (4) in FIG. 3).
  • the host scan unit 31 stores the set of the host IP address and the MAC address in the memory 30 as the IP-MAC list 301.
  • the host scanning unit 31 only needs to perform the above processing once, after the switching hub 3 has been connected to the AP 2A and before mirroring is started.
  • the spoofed ARP reply transmission unit 32 searches the IP-MAC list 301 in the memory 30 and acquires the IP address "IP_B" of the host 1B (see (1) in FIG. 4). Similarly, the spoofed ARP reply transmission unit 32 searches the IP-MAC list 301 and acquires the MAC address "MAC_A" of the host 1A (see (2) in FIG. 4).
  • the spoofed ARP reply transmission unit 32 creates an ARP reply message stating that the MAC address corresponding to the host "IP_B" is its own spoofed MAC address "MAC_D", builds an Ethernet frame containing the ARP reply message, and sets the destination MAC address in the Ethernet frame header to "MAC_A".
  • the camouflaged ARP reply transmission unit 32 transmits the created Ethernet frame (ARP reply) from the port 36 (see (3) in FIG. 4).
  • after reaching the AP 2A, the transmitted Ethernet frame is sent by the AP 2A, according to the destination MAC address "MAC_A", over the wireless LAN channel to which the host 1A is connected.
  • the host 1A that has received the spoofed ARP reply rewrites the MAC address corresponding to the IP address "IP_B" of the host 1B in its ARP cache to the spoofed MAC address "MAC_D" (see (4) and (5) in FIG. 4). After the ARP cache has been rewritten, the host 1A transmits Ethernet frames addressed to "IP_B" with the destination MAC address "MAC_D".
  • the wireless LAN communication (Ethernet frame) addressed to the host 1B and transmitted from the host 1A therefore has the destination MAC address "MAC_D" (see (6) and (7) in FIG. 5), and is forwarded from the wired interface (port 22) of the AP 2A toward the switching hub 3 (see (8) in FIG. 5).
  • the switching hub 3 receives the Ethernet frame addressed to the host 1B at the port 36, and the Ethernet frame transfer unit 35 transfers the received Ethernet frame to the destination MAC address rewriting unit 33 (see (9) in FIG. 5).
  • the destination MAC address rewriting unit 33 acquires the destination IP address “IP_B” of the IP packet included in the received Ethernet frame. Then, the destination MAC address rewriting unit 33 searches the IP-MAC list 301 (see (10) in FIG. 6), and acquires the MAC address “MAC_B” corresponding to “IP_B” (see (11) in FIG. 6). ). Subsequently, the destination MAC address rewriting unit 33 rewrites the destination MAC address in the header of the received Ethernet frame from “MAC_D” to “MAC_B” (see (12) in FIG. 6), and sends it to the Ethernet frame transfer unit 35.
  • the Ethernet frame transfer unit 35 performs mirror transmission of the received Ethernet frame from the port 37 (see (13) in FIG. 7).
  • the terminal 14 receives the Ethernet frame transmitted by mirror transmission and records the Ethernet frame. This process enables communication traffic mirroring.
  • the Ethernet frame transfer unit 35 replicates the Ethernet frame received from the destination MAC address rewriting unit 33 (see (13) in FIG. 7) in order to establish communication between the host 1A and the host 1B. Then, the Ethernet frame transfer unit 35 transfers the copied Ethernet frame to the source MAC address rewriting unit 34 (see (14) in FIG. 7).
  • the transmission source MAC address rewriting unit 34 receives the copied Ethernet frame, rewrites the transmission source MAC address “MAC_A” with the spoofed MAC address “MAC_D” (see (15) in FIG. 8), and again.
  • the data is transferred to the Ethernet frame transfer unit 35 (see (16) in FIG. 8).
  • the Ethernet frame transfer unit 35 receives the Ethernet frame with the destination MAC address “MAC_B” and the transmission source MAC address “MAC_D” from the transmission source MAC address rewriting unit 34, and transmits the packet from the port 36 (see FIG. 8 (17)).
  • the AP 2A receives the Ethernet frame, and transmits the received Ethernet frame from the channel of the wireless LAN to which the host 1B is connected according to “MAC_B” that is the destination MAC address (see (18) in FIG. 8) (see FIG. 8). (See (19)). As a result, the packet transmitted from the host 1A arrives at the host 1B.
  • the AP 2A refers to the transmission source MAC address of the ARP packet or Ethernet frame transmitted by the host 1A and the host 1B, and temporarily stores its own port and the MAC address of the host connected thereto in association with each other. For this reason, unless rewriting is performed, the same “MAC_A” is associated with both the port received from the switching hub 3 and the port received from the host 1A. This state is called a loop, and communication cannot be performed with a general switching hub. Therefore, the same MAC address cannot be associated with a plurality of ports.
  • the switching hub 3 rewrites the source MAC address to “MAC_D”, so that “MAC_D” is associated with the port received from the switching hub 3 in the hosts 1A and 1B.
  • MAC_D the same MAC address is not associated with a plurality of ports, and a normal transfer operation of a general switching hub is possible.
  • FIG. 9 is a sequence diagram illustrating the processing procedure of the host scan processing of the communication system according to the embodiment.
  • the host scanning unit 31 calculates the value range of the IP addresses of the hosts 1 from two pieces of information, namely the network address and the subnet mask of the IP subnet to which the hosts of the AP 2A belong (step S1).
  • the host scanning unit 31 scans the MAC addresses corresponding to all IP addresses in the calculated range using ARP (steps S2 to S5). Then, the host scanning unit 31 acquires the sets of MAC addresses corresponding to the IP addresses of the hosts 1 (step S6) and stores them in the memory 30 as the IP-MAC list 301 (step S7).
  • FIG. 10 is a sequence diagram illustrating the processing procedure of the mirror processing of the communication system according to the embodiment.
  • in FIG. 10, the case where the communication traffic transmitted from the host 1A to the host 1B is mirrored is described.
  • the spoofed ARP reply transmission unit 32 searches the IP-MAC list 301 in the memory 30 (step S11), acquires the IP address “IP_B” of the host 1B, and acquires the MAC address “MAC_A” of the host 1A (step S12).
  • the spoofed ARP reply transmission unit 32 creates an ARP reply message stating that the MAC address corresponding to the host “IP_B” is its own spoofed MAC address “MAC_D”, creates an Ethernet frame containing that ARP reply message, and sets the destination MAC address of the Ethernet frame to “MAC_A”.
  • the spoofed ARP reply transmission unit 32 transmits the created Ethernet frame as an ARP reply to the host 1A via the AP 2A (steps S13 and S14).
  • the host 1A that has received the ARP reply rewrites, in its ARP cache, the MAC address corresponding to the IP address “IP_B” of the host 1B to the forged MAC address “MAC_D” (step S15). After the ARP cache has been rewritten, Ethernet frames addressed to “IP_B” are transmitted with the destination MAC address “MAC_D”.
  • the host 1A transmits wireless LAN communication (an Ethernet frame) addressed to the host 1B (step S16). Since this Ethernet frame has the destination MAC address “MAC_D”, it is received by the AP 2A and then forwarded to the switching hub 3 (step S17).
  • the Ethernet frame transfer unit 35 transfers the received Ethernet frame addressed to the host 1B to the destination MAC address rewriting unit 33 (step S18).
  • the destination MAC address rewriting unit 33 obtains the destination IP address “IP_B” of the IP packet contained in the received Ethernet frame, searches the IP-MAC list 301 (step S19), and acquires the MAC address “MAC_B” corresponding to the destination IP address “IP_B” (step S20). Subsequently, the destination MAC address rewriting unit 33 rewrites the destination MAC address in the header of the received Ethernet frame to “MAC_B” (step S21) and sends the frame to the Ethernet frame transfer unit 35 (step S22).
  • the Ethernet frame transfer unit 35 performs mirror transmission of the received Ethernet frame to the communication device 4 via the port 37 (step S23). At the same time, the Ethernet frame transfer unit 35 duplicates the Ethernet frame received from the destination MAC address rewriting unit 33 (step S24). Then, the Ethernet frame transfer unit 35 transfers the copied Ethernet frame to the source MAC address rewriting unit 34 (step S25).
  • the source MAC address rewriting unit 34 rewrites the source MAC address “MAC_A” of the copied Ethernet frame to the spoofed MAC address “MAC_D” (step S26) and transfers the frame to the Ethernet frame transfer unit 35 (step S27).
  • the Ethernet frame transfer unit 35 transmits the Ethernet frame having the destination MAC address “MAC_B” and the source MAC address “MAC_D” from the port 36 (step S28).
  • the AP 2A receives the Ethernet frame and forwards it to the host 1B according to the destination MAC address “MAC_B” (step S29).
  • the switching hub 3 holds the IP-MAC list 301.
  • the switching hub 3 includes a forged ARP reply transmission unit 32 that rewrites the MAC address corresponding to the IP address of the communication destination of a host 1 into a forged MAC address, which is the MAC address of the switching hub 3, and a destination MAC address rewriting unit 33 that, for an Ethernet frame transmitted from the relay device 2 with the forged MAC address as its destination MAC address, searches the IP-MAC list and rewrites the destination MAC address to the original MAC address corresponding to the IP address of that Ethernet frame.
  • the switching hub 3 has a source MAC address rewriting unit 34 that rewrites the source MAC address of the Ethernet frame, whose destination MAC address was rewritten to the original MAC address by the destination MAC address rewriting unit 33, to the spoofed MAC address.
  • the switching hub 3 has an Ethernet frame transfer unit 35 that transmits the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the destination MAC address rewriting unit 33 to the mirror traffic receiving device, and transmits the Ethernet frame whose source MAC address was rewritten to the forged MAC address by the source MAC address rewriting unit 34 to the relay device 2.
  • by connecting the switching hub 3 having the above functions to the relay device 2, the communication path between the hosts 1A and 1B that turns back at the relay device 2 as a relay point is manipulated.
  • communication traffic between the hosts 1A and 1B that passes through a switching hub without a port mirror function, or through the relay device 2 that is a wireless LAN access point, can thus be mirrored.
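The ARP cache rewrite and the two MAC address rewrites described above leave observable residue on the network. As an added example that is not part of the patent, the following Python monitor checks ARP replies and IP frames against a trusted IP-to-MAC baseline (the defender's counterpart of the IP-MAC list 301) and flags the rebinding of IP_B to MAC_D as well as the frames whose MAC addresses disagree with the baseline. All address values, the record classes and the function names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample values; the names IP_A/MAC_A/IP_B/MAC_B/MAC_D follow the page.
IP_A, MAC_A = "192.168.1.10", "02:00:00:00:00:0a"
IP_B, MAC_B = "192.168.1.20", "02:00:00:00:00:0b"
MAC_D = "02:00:00:00:00:0d"  # spoofed MAC address of the switching hub 3 (constructed)


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # the IP address the reply resolves (IP_B in the text)
    sender_mac: str   # the MAC the reply claims for it (MAC_B legitimately, MAC_D spoofed)
    target_ip: str    # the host whose ARP cache is updated (IP_A)


@dataclass(frozen=True)
class IpFrame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


Alert = Tuple[str, ...]


@dataclass
class ArpMonitor:
    """Passive monitor comparing what the network says against a trusted IP->MAC baseline
    (the defender's counterpart of the IP-MAC list 301). Hypothetical class for this example."""
    baseline: Dict[str, str]
    pending: Set[Tuple[str, str]] = field(default_factory=set)  # (requester_ip, target_ip)
    alerts: List[Alert] = field(default_factory=list)

    def observe_request(self, requester_ip: str, target_ip: str) -> None:
        # An ARP request legitimises exactly one reply for that (requester, target) pair.
        self.pending.add((requester_ip, target_ip))

    def observe_reply(self, r: ArpReply) -> List[Alert]:
        found: List[Alert] = []
        key = (r.target_ip, r.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            # The reply in the text is never preceded by a request from host 1A. On its own
            # this is a weak signal (gratuitous ARP is legitimate); combined with a rebinding it is strong.
            found.append(("arp-unsolicited", r.sender_ip, r.sender_mac, r.target_ip))
        expected = self.baseline.get(r.sender_ip)
        if expected is None:
            found.append(("arp-unknown-sender", r.sender_ip, r.sender_mac))
        elif expected.lower() != r.sender_mac.lower():
            # IP_B is being rebound from MAC_B to MAC_D in host 1A's cache (FIG. 4).
            found.append(("arp-rebinding", r.sender_ip, expected, r.sender_mac, r.target_ip))
        self.alerts.extend(found)
        return found

    def observe_frame(self, f: IpFrame) -> List[Alert]:
        found: List[Alert] = []
        exp_src = self.baseline.get(f.src_ip)
        if exp_src is not None and exp_src.lower() != f.src_mac.lower():
            # After the hub rewrites the source MAC (FIG. 8), host 1B sees IP_A arriving from MAC_D.
            found.append(("ip-src-mac-mismatch", f.src_ip, exp_src, f.src_mac))
        exp_dst = self.baseline.get(f.dst_ip)
        if exp_dst is not None and exp_dst.lower() != f.dst_mac.lower():
            # On the AP uplink (FIG. 5), host 1A's frame for IP_B is addressed to MAC_D, not MAC_B.
            found.append(("ip-dst-mac-mismatch", f.dst_ip, exp_dst, f.dst_mac))
        self.alerts.extend(found)
        return found


def run_demo() -> List[Alert]:
    """Replay the exchange from the text against the monitor and return the alerts raised."""
    mon = ArpMonitor(baseline={IP_A: MAC_A, IP_B: MAC_B})
    # Normal resolution: host 1A asks for IP_B, host 1B answers with MAC_B -> no alert.
    mon.observe_request(IP_A, IP_B)
    assert mon.observe_reply(ArpReply(IP_B, MAC_B, IP_A)) == []
    # Spoofed reply from the switching hub 3 (FIG. 4): "IP_B is MAC_D".
    mon.observe_reply(ArpReply(IP_B, MAC_D, IP_A))
    # Host 1A's next frame to IP_B goes to MAC_D (FIG. 5); the frame that finally reaches
    # host 1B carries the source MAC MAC_D (FIG. 8).
    mon.observe_frame(IpFrame(MAC_A, IP_A, MAC_D, IP_B))
    mon.observe_frame(IpFrame(MAC_D, IP_A, MAC_B, IP_B))
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```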

Abstract

A switching hub (3) that is connected to a relay device (2), which is a switching hub without a port mirror function or an AP of a wireless LAN, overwrites, with a dummy MAC address, the MAC address corresponding to the communication destination IP address of the hosts 1A, 1B by using the ARP reply portion of ARP; upon reception from the relay device (2) of an Ethernet frame in which the dummy MAC address is set as the destination MAC address, it overwrites the destination MAC address of the Ethernet frame with the original MAC address and mirror-transmits the frame; it then overwrites, with the dummy MAC address, the source MAC address of the Ethernet frame that was overwritten with the original MAC address, and transmits that frame to the relay device (2).

Description

Communication device and communication method
 The present invention relates to a communication device and a communication method.
 There is a communication method that uses a repeater hub. A repeater hub is a device that operates at the physical layer (layer 1) of the OSI (Open Systems Interconnection) reference model and relays communication between a plurality of hosts. Here, the OSI reference model is an international standard model, established by the International Organization for Standardization (ISO), that divides the communication functions of communication devices such as computers into a hierarchical structure; seven layers, from layer 1 to layer 7, are defined.
 A repeater hub is connected to hosts such as terminals in a network topology (form) called a star topology. That is, a repeater hub is a network device that plays the central role of connecting to a plurality of hosts and relaying communication among them.
 Next, the operation of the repeater hub is described. First, the repeater hub receives an electrical signal transmitted by a host at the physical port that accommodates that host. This physical port is connected to the host by a single cable that carries the electrical signal. Next, after amplifying and reshaping the waveform of the received electrical signal, the repeater hub transmits it to all of its other ports.
 Using a repeater hub with this function, communication traffic in a computer network can be mirrored as follows. First, the hosts whose communication is to be mirrored are connected to the repeater hub; three or more hosts may be connected. Next, a device that captures communication traffic is connected to a free port of the repeater hub. Since the repeater hub transmits an electrical signal received at one of its ports to all other ports, all communication passing through the repeater hub is mirrored to any one port of the hub.
 In this way, using a repeater hub makes it possible to mirror all communication passing through it. However, because an electrical signal received from any one host is always transmitted to all other ports, a repeater hub has the problem of generating wasted traffic and communication collisions.
 Wasted traffic arises, for example, when two hosts connected to the repeater hub communicate: the communication between the two hosts is transmitted to all ports of the hub. That is, communication between the two hosts would be established if the electrical signal were relayed only to the ports to which those two hosts are connected, but the repeater hub also transmits unnecessary electrical signals to the other ports, so wasted communication traffic occurs.
 A communication collision occurs when two or more hosts connected to the repeater hub transmit electrical signals at the same time, because the repeater hub cannot transmit all of those electrical signals to the other ports simultaneously.
 To reduce the occurrence of such communication collisions, methods such as dividing the reach of electrical signals, called collision domain segmentation, and schemes in which a host confirms whether it may transmit before transmitting are used.
 For example, in recent years, as network transmission speeds have increased, network devices called switching hubs, which make the collision domain as small as possible, have come into mainstream use.
 A switching hub is a device that operates at the data link layer (layer 2) of the OSI reference model; in addition to the repeater hub's function of relaying communication between a plurality of hosts, it is a network device with the function of decoding the header of data link layer Ethernet (registered trademark) frames.
 When a switching hub receives an Ethernet frame from a host on one of its ports, it refers to the destination MAC (Media Access Control) address (the address indicating the destination of the frame) contained in the Ethernet frame header and forwards the frame only to the port to which the host with that destination address is connected. Through this function, the switching hub solves the repeater hub's problems of wasted traffic and communication collisions.
 However, a switching hub cannot mirror communication traffic in the same way as a repeater hub. This is because, whereas a repeater hub transmits an electrical signal received on one port to all other ports, a switching hub transmits a frame only to the port to which the host with the destination MAC address is connected. Therefore, in switching hubs, the port mirror method is used to realize traffic mirroring (see Non-Patent Document 1).
 In the port mirror method, whether or not to mirror traffic is configured for each port of the switching hub, and all Ethernet frames transmitted, received, or both transmitted and received by a port configured for mirroring are copied to another port assigned exclusively for extracting the mirrored communication traffic. With such a port mirror method, communication traffic can be mirrored even with a switching hub.
 However, the port mirror method has the following two problems.
 First, mirroring is not possible except with a switching hub that has a port mirror function. Since the port mirror function is an additional function, many switching hub products do not have it, and products with a port mirror function can be expensive as high-functionality switching hubs. In particular, with a switching hub that lacks a port mirror function, communication between two hosts connected to that hub is relayed only between the two hub ports to which those hosts are connected. For this reason, communication between hosts that turns back at the switching hub as a relay point cannot be mirrored and captured. To mirror the communication traffic of such a switching hub, a separate switching hub with a port mirror function must be prepared and inserted into the communication path between the hosts.
 Second, the port mirror method cannot be applied to a wireless LAN (Local Area Network), a computer network using wireless communication. In wired communication, a communicating host and the switching hub that accommodates it are connected by a single physical cable, so per-port mirroring is possible. In wireless communication, however, a communicating host and the device that accommodates it, called an access point (AP), are connected wirelessly: the transmission path of the electrical signal is electromagnetic waves, and the function corresponding to a switching hub is hidden inside the AP. Therefore, in a wireless LAN, a wired switching hub with a port mirror function cannot be inserted into the wireless communication path.
 As described above, conventional methods of mirroring communication traffic in a computer network have a first problem: communication traffic cannot be mirrored unless a separate switching hub with a port mirror function is prepared and inserted into the communication path between the hosts. They also have a second problem: in a wireless LAN using wireless communication, a switching hub with a port mirror function cannot be inserted into the wireless communication path between hosts, so communication traffic cannot be mirrored.
 The present invention has been made in view of the above, and its object is to provide a communication device and a communication method that make it possible to mirror communication traffic between hosts on a communication path that turns back at a switching hub lacking a port mirror function, or at a wireless LAN AP, as a relay point.
 The communication system of the present invention is a communication device that connects to a relay device which accommodates a plurality of hosts and is either a switching hub without a port mirror function or a wireless LAN access point. The communication device has: a memory that stores a list associating the IP (Internet Protocol) addresses and the MAC addresses of the hosts accommodated by the relay device; a spoofing unit that rewrites the MAC address corresponding to the IP address of a host's communication destination to a spoofed MAC address, which is the MAC address of the communication device; a first rewriting unit that, for an Ethernet frame transmitted from the relay device with the spoofed MAC address as its destination MAC address, searches the list and rewrites the destination MAC address to the original MAC address corresponding to the IP address of that Ethernet frame; a second rewriting unit that rewrites the source MAC address of the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the first rewriting unit to the spoofed MAC address; and a transmission unit that transmits the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the first rewriting unit to a mirror traffic receiving device, and transmits the Ethernet frame whose source MAC address was rewritten to the spoofed MAC address by the second rewriting unit to the relay device.
 According to the present invention, communication traffic between hosts can be mirrored on a communication path that turns back at a switching hub lacking a port mirror function, or at a wireless LAN AP, as a relay point.
FIG. 1 is a diagram illustrating the configuration of a communication system according to an embodiment.
FIG. 2 is a diagram showing an example of the data structure of the IP-MAC list shown in FIG. 1.
FIG. 3 is a diagram explaining the flow of the mirror processing of communication traffic in the communication system according to the embodiment.
FIG. 4 is a diagram explaining the flow of the mirror processing of communication traffic in the communication system according to the embodiment.
FIG. 5 is a diagram explaining the flow of the mirror processing of communication traffic in the communication system according to the embodiment.
FIG. 6 is a diagram explaining the flow of the mirror processing of communication traffic in the communication system according to the embodiment.
FIG. 7 is a diagram explaining the flow of the mirror processing of communication traffic in the communication system according to the embodiment.
FIG. 8 is a diagram explaining the flow of the mirror processing of communication traffic in the communication system according to the embodiment.
FIG. 9 is a sequence diagram illustrating the processing procedure of the host scan processing of the communication system according to the embodiment.
FIG. 10 is a sequence diagram illustrating the processing procedure of the mirror processing of the communication system according to the embodiment.
 An embodiment of the present invention is described in detail below with reference to the drawings. The present invention is not limited by this embodiment. In the description of the drawings, the same parts are denoted by the same reference numerals.
[Embodiment]
 In this embodiment, a communication system that mirrors communication traffic between hosts by using another communication device connected to the relay device (the switching hub 3 described later), separate from the relay device that accommodates the hosts, is described as an example.
[Configuration of communication system]
 FIG. 1 is a diagram illustrating the configuration of the communication system according to the embodiment. As shown in FIG. 1, the communication system 100 according to the embodiment has, for example, two hosts 1A and 1B, a relay device 2, and a switching hub 3. The relay device 2 is a switching hub without a port mirror function, or a wireless LAN AP. The switching hub 3 is connected by wire to one port of the relay device 2. The number of hosts is only an example. When the hosts 1A and 1B are described without distinction, they are referred to as the host 1.
 The hosts 1A and 1B communicate over a path that turns back at the relay device 2 as a relay point. The host 1A has the IP address “IP_A” and the MAC address “MAC_A”. The host 1B has the IP address “IP_B” and the MAC address “MAC_B”.
 The relay device 2 is a switching hub without a port mirror function or a wireless LAN AP. The relay device 2 has the function of a general switching hub: according to the destination MAC address contained in the received Ethernet frame header, it forwards the Ethernet frame to the port to which the host with that destination address is connected. In the example of FIG. 1, the path from the host 1A to the host 1B is host 1A, relay device 2, host 1B. The port 21A is the port for connecting the host 1A, the port 21B is the port for connecting the host 1B, and the port 22 is the port for connecting the switching hub 3.
 When the relay device 2 is a switching hub without a port mirror function, the switching hub 3 is connected by wire, via its transmission/reception port 36, to one port (for example, the port 22) of the switching hub that is the relay device 2, in the same way as the other hosts 1. When the relay device 2 is a wireless LAN AP, the switching hub 3 is connected by wire to a wired interface (port) of the AP that belongs to the same IP subnet as the AP's wireless LAN.
 The switching hub 3 is also connected to a communication device 4 via the port 37. The communication device 4 captures, via the port 37, the communication traffic mirrored by the switching hub 3.
 In this communication system 100, the communication path between the hosts 1A and 1B, which turns back at the relay device 2 (a switching hub without a port mirror function, or a wireless LAN AP) as a relay point, is manipulated using the external switching hub 3 so that the communication traffic between the hosts 1A and 1B can be mirrored.
[スイッチングハブの構成]
 そこで、次に、スイッチングハブ3の構成について説明する。図1に示すように、スイッチングハブ3は、メモリ30、ホストスキャン部31(スキャン部)、偽装ARP(Address Resolution Protocol:アドレス解決プロトコル)リプライ送信部32(偽装部)、宛先MACアドレス書換部33(第1の書換部)、送信元MACアドレス書換部34(第2の書換部)、イーサネットフレーム転送部35(送信部)、ポート36,37を有する。
[Configuration of switching hub]
Therefore, next, the configuration of the switching hub 3 will be described. As shown in FIG. 1, the switching hub 3 includes a memory 30, a host scanning unit 31 (scanning unit), a spoofed ARP (Address Resolution Protocol) reply transmission unit 32 (spoofing unit), and a destination MAC address rewriting unit 33. (First rewriting unit), source MAC address rewriting unit 34 (second rewriting unit), Ethernet frame transfer unit 35 (transmission unit), and ports 36 and 37.
 ホストスキャン部31、偽装ARPリプライ送信部32、宛先MACアドレス書換部33、送信元MACアドレス書換部34及びイーサネットフレーム転送部35の機能は、基板上に形成される。ポート36は、中継装置2接続用のポートである。ポート37は、ミラートラフィック取り出し用に用意されたポートである。ポート37には、例えば、ミラーされたパケットをキャプチャする通信装置4が有線で接続する。 The functions of the host scan unit 31, the spoofed ARP reply transmission unit 32, the destination MAC address rewriting unit 33, the transmission source MAC address rewriting unit 34, and the Ethernet frame transfer unit 35 are formed on the substrate. The port 36 is a port for connecting the relay device 2. The port 37 is a port prepared for taking out mirror traffic. For example, the communication device 4 that captures mirrored packets is connected to the port 37 by wire.
 メモリ30は、基板上に形成されたRAM(Random Access Memory)、フラッシュメモリ(Flash Memory)等の半導体メモリ素子で実現される。メモリ30は、スイッチングハブ3の動作処理に関するデータを記憶する。具体的には、メモリ30は、IP-MACリスト301を記憶する。IP-MACリスト301は、中継装置2が収容するミラー対象のホスト1A、1BのIPアドレスとMACアドレスとを対応付けたデータである。 The memory 30 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory (Flash Memory) formed on the substrate. The memory 30 stores data related to operation processing of the switching hub 3. Specifically, the memory 30 stores an IP-MAC list 301. The IP-MAC list 301 is data in which the IP addresses of the mirror target hosts 1A and 1B accommodated in the relay apparatus 2 are associated with the MAC addresses.
FIG. 2 is a diagram showing an example of the data structure of the IP-MAC list 301 shown in FIG. 1. As shown in FIG. 2, the IP-MAC list 301 has the IP address and the MAC address of a host as its fields. For example, in the IP-MAC list 301, the MAC address “MAC_A” is associated with the IP address “IP_A”, and the MAC address “MAC_B” is associated with the IP address “IP_B”.
The host scanning unit 31 scans for the pairs of IP address and MAC address of the hosts 1A and 1B connected to the relay device 2, and stores the IP-MAC list 301, which associates each IP address with its MAC address, in the memory 30.
Specifically, from two pieces of information given in advance, the network address of the IP subnet to which the hosts 1A and 1B belong and its subnet mask, the host scanning unit 31 calculates the range of IP address values that the hosts connected to the relay device 2 can have. For example, consider the case where the network address is “192.168.1.0” and the subnet mask is “255.255.255.0”. In this case, the host part of the IP subnet connected to the relay device 2 is the address portion not covered by the subnet mask, that is, the fourth octet of “192.168.1.X”, which ranges from “0” to “255”. The calculation therefore shows that a host connected to this IP subnet may have any IP address from “192.168.1.0” to “192.168.1.255”.
The host scanning unit 31 then uses ARP (see, for example, [online], [retrieved May 10, 2018], Internet <URL:http://www.infraexpert.com/study/tcpip2.html>, and [online], [retrieved May 10, 2018], Internet <URL:http://www.infraexpert.com/study/dhcpz6.html>), a communication protocol for obtaining the MAC address corresponding to a given IP address, to scan for the MAC addresses of the entire range of IP address values that the hosts may have.
For example, when the host scanning unit 31 investigates the MAC address corresponding to the IP address “192.168.1.1”, it broadcasts to all hosts 1A and 1B connected to the relay device 2 an Ethernet frame (called an ARP request) that carries the MAC address “MAC_D” of the requesting host scanning unit 31 itself as the source MAC address and asks the host having the IP address “192.168.1.1” to respond with its MAC address.
Every host 1A, 1B that receives the ARP request compares its own IP address with the IP address queried in the ARP request and, if they match, sends an Ethernet frame (an ARP reply) that reports its own MAC address to the requester. The ARP reply is received by the relay device 2 and sent out on the port to which the destination MAC address (the requester) “MAC_D” is connected.
In this way, by repeating the ARP scan for every IP address in the IP subnet, the host scanning unit 31 can obtain the pairs of IP address and MAC address of all hosts 1A and 1B connected to the relay device 2.
The host scanning unit 31 stores in the memory 30 the IP-MAC list 301, which is the list of IP address and MAC address pairs of the hosts connected to the relay device 2 obtained by the above procedure.
Note that, in addition to actively scanning for the IP address and MAC address pairs of the hosts connected to the relay device 2 as described above, the host scanning unit 31 can also passively receive the ARP requests broadcast by the hosts 1A and 1B and hold the IP address and MAC address of the host that sent each ARP request in the memory 30 inside the switching hub 3. In this case, however, it is not guaranteed that the IP address and MAC address pairs of all hosts connected to the relay device 2 can be obtained.
Next, the spoofed ARP reply transmission unit 32 is described. The spoofed ARP reply transmission unit 32 rewrites the MAC address corresponding to the IP address of a host's communication peer to a different MAC address (referred to here as the spoofed MAC address). The spoofed ARP reply transmission unit 32 uses the MAC address of the communication device itself as the spoofed address. Using only the ARP reply part of ARP, the spoofed ARP reply transmission unit 32 rewrites the MAC address corresponding to a given host's IP address to the spoofed address. This function is a type of attack on computer network communication generally called “ARP cache poisoning”, in which the temporary IP-address-to-MAC-address mapping held by a host (called the ARP cache) is forcibly rewritten in order to carry out unauthorized communication.
As explained for the host scanning unit 31, ARP normally operates through an ARP request and the ARP reply that answers it. However, even when there has been no ARP request, it is possible to rewrite the contents of the ARP cache of a target host by sending only an ARP reply to that host.
For example, in FIG. 1, suppose that a host (with MAC address “MAC_B”) holds in its ARP cache the IP address “IP_A” of host 1 and the corresponding MAC address “MAC_A”. In normal communication, when host “MAC_B” wants to communicate with host “IP_A”, it looks up and extracts the destination MAC address “MAC_A” from its own ARP cache and then sends an Ethernet frame with the destination MAC address “MAC_A” to the relay device 2.
Against this normal state, the spoofed ARP reply transmission unit 32 periodically sends the target host “MAC_B” an ARP reply stating that the MAC address corresponding to host “IP_A” is its own spoofed MAC address “MAC_D”. The period at which the ARP reply containing the spoofed MAC address is sent to the target host 1 is chosen short enough that the temporary entry in the ARP cache is maintained and does not expire. By periodically sending ARP replies carrying the spoofed MAC address in this way, the spoofed ARP reply transmission unit 32 can forcibly rewrite the ARP cache of the target host 1.
Because the target host that received the spoofed MAC address stores the spoofed MAC address as the MAC address corresponding to that host's IP address, Ethernet frames addressed to that IP address are sent with the spoofed MAC address as their destination MAC address.
When the spoofed ARP reply transmission unit 32 carries out the above procedure for the IP address and MAC address pairs of the hosts 1 connected to the relay device 2 obtained by the host scanning unit 31, the destination MAC addresses in the ARP caches held by the hosts 1 connected to the relay device 2 can be rewritten to the spoofed MAC address. This rewriting of ARP caches by the spoofed ARP reply transmission unit 32 may be carried out for all hosts connected to the relay device 2 obtained by the host scanning unit 31, or only for some of them. The switching hub 3 can mirror only the traffic of communication toward destination MAC addresses whose ARP cache entries have been rewritten.
When the ARP caches of all hosts connected to the relay device 2 are to be rewritten, this is done as follows. First, the spoofed ARP reply transmission unit 32 retrieves the entire IP-MAC list 301 of the hosts connected to the relay device 2 obtained by the host scanning unit 31. Next, the spoofed ARP reply transmission unit 32 selects one IP address and MAC address pair of a host 1 and, for that IP address, performs the ARP cache rewriting operation on all hosts other than the host with that IP address. By performing this operation for every IP address in the IP-MAC list 301, the spoofed ARP reply transmission unit 32 rewrites the MAC addresses corresponding to all IP addresses to the spoofed MAC address. As a result, all hosts 1 connected to the relay device 2 send their Ethernet frames toward the spoofed MAC address when they communicate.
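The behaviour just described leaves characteristic traces on the segment: replies that answer no request, bindings that contradict the IP-MAC list learned beforehand, one MAC claiming every IP, and the same binding re-pushed at a fixed period. The following Python is an added example, not part of the patent, that checks constructed ARP records against a baseline list; BASELINE, ArpRecord, detect_poisoning and summarize are names assumed by this example.

```python
"""Detecting the periodic spoofed ARP replies from captured ARP traffic:
an added example, not from the patent. The ARP records are constructed
inline in the patent's own placeholder notation (IP_A, MAC_A, ...)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Baseline IP-to-MAC bindings learned before mirroring began (the IP-MAC list 301).
BASELINE = {"IP_A": "MAC_A", "IP_B": "MAC_B"}


@dataclass(frozen=True)
class ArpRecord:
    t: float          # capture time in seconds
    op: str           # "request" or "reply"
    sender_ip: str    # binding being advertised: sender_ip is at sender_mac
    sender_mac: str
    target_ip: str
    target_mac: str   # BROADCAST for a request, the addressed host for a reply


def detect_poisoning(records, baseline, period_s=30.0, min_repeats=3):
    """Return a list of (kind, detail) findings. Kinds:
    unsolicited - reply that answers no earlier request from its target
    mismatch    - reply whose IP->MAC binding contradicts the baseline
    multi_ip    - one MAC advertised as the owner of several IPs
    periodic    - the same unsolicited binding pushed to the same target at
                  least min_repeats times, never more than period_s apart
    """
    findings = []
    pending = set()                   # (requester_mac, queried_ip) awaiting a reply
    unsolicited = defaultdict(list)   # (target_mac, sender_ip) -> times seen
    ips_per_mac = defaultdict(set)
    for r in sorted(records, key=lambda x: x.t):
        if r.op == "request":
            pending.add((r.sender_mac, r.target_ip))
            continue
        ips_per_mac[r.sender_mac].add(r.sender_ip)
        key = (r.target_mac, r.sender_ip)
        if key in pending:
            pending.discard(key)
        elif r.sender_ip != r.target_ip:  # gratuitous ARP announces itself; not counted here
            findings.append(("unsolicited",
                             f"{r.sender_ip} is-at {r.sender_mac} pushed to {r.target_mac}"))
            unsolicited[key].append(r.t)
        expected = baseline.get(r.sender_ip)
        if expected is not None and expected != r.sender_mac:
            findings.append(("mismatch",
                             f"{r.sender_ip} claimed by {r.sender_mac}, baseline {expected}"))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("multi_ip", f"{mac} claims {sorted(ips)}"))
    for (target, ip), times in unsolicited.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= max(2, min_repeats) and all(g <= period_s for g in gaps):
            findings.append(("periodic",
                             f"{ip} re-pushed to {target} every <= {max(gaps):.0f}s"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'unsolicited': 6, 'mismatch': 6, ...}."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed capture: one legitimate request/reply, then a device at MAC_D
# re-binding IP_A for host MAC_B and IP_B for host MAC_A every 10 seconds.
LEGIT = [
    ArpRecord(0.0, "request", "IP_B", "MAC_B", "IP_A", BROADCAST),
    ArpRecord(0.1, "reply", "IP_A", "MAC_A", "IP_B", "MAC_B"),
]
SPOOFED = (
    [ArpRecord(1.0 + 10 * i, "reply", "IP_A", "MAC_D", "IP_B", "MAC_B") for i in range(3)]
    + [ArpRecord(1.5 + 10 * i, "reply", "IP_B", "MAC_D", "IP_A", "MAC_A") for i in range(3)]
)

if __name__ == "__main__":
    for kind, detail in detect_poisoning(LEGIT + SPOOFED, BASELINE):
        print(kind, detail)
```

A real ARP cache does time out, so a legitimate station that re-announces itself will show up as gratuitous ARP (sender_ip equal to target_ip), which is why that case is excluded from the unsolicited count.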
For an Ethernet frame sent from the relay device 2 with the spoofed MAC address as its destination MAC address, the destination MAC address rewriting unit 33 rewrites the destination MAC address to the original MAC address corresponding to the IP address in that Ethernet frame. When rewriting, the destination MAC address rewriting unit 33 searches the IP-MAC list 301 to obtain the original MAC address corresponding to the IP address in the Ethernet frame.
The destination MAC address rewriting unit 33 refers to the destination IP address of the IP packet contained in the received Ethernet frame and, using that value, looks up in the IP-MAC list 301 the MAC address of the host 1 corresponding to that destination IP address. The pair of destination IP address and MAC address obtained by this lookup is the value used when the original, normal communication takes place.
The destination MAC address rewriting unit 33 rewrites the destination MAC address of the received Ethernet frame, which is the spoofed MAC address, to the destination MAC address that is used when the original, normal communication takes place. For example, in FIG. 1, when host “MAC_B” tries to communicate with host “IP_A”, it refers to the ARP cache inside host “MAC_B” that has been rewritten by the spoofed ARP reply transmission unit 32 and sends an Ethernet frame whose destination MAC address is the spoofed MAC address “MAC_D”. In this case, that Ethernet frame reaches the switching hub 3 via the relay device 2. The source MAC address of the Ethernet frame that arrives at the switching hub 3 is “MAC_B”.
The destination MAC address rewriting unit 33 receives that Ethernet frame and rewrites its destination MAC address to “MAC_A”, the original MAC address of host “IP_A”. The destination MAC address rewriting unit 33 then passes the Ethernet frame with the rewritten destination MAC address to the Ethernet frame transfer unit 35.
The Ethernet frame transfer unit 35 sends the Ethernet frame whose destination MAC address has been rewritten to the original MAC address by the destination MAC address rewriting unit 33 from the port 37 to the communication device 4. The function of the Ethernet frame transfer unit 35 can be implemented using the capability, provided by existing commercial or open technologies such as Open vSwitch (see, for example, [online], [retrieved May 10, 2018], Internet <URL:https://docs.openvswitch.org/en/latest/tutorials/faucet/>), to forward Ethernet frames and the IP packets they contain by referring to MAC addresses, IP addresses, IP port numbers and the like.
The Ethernet frame transfer unit 35 receives the Ethernet frame whose destination MAC address has been rewritten by the destination MAC address rewriting unit 33 and sends that Ethernet frame to the port 37 provided for mirroring. That is, by sending the Ethernet frame whose destination MAC address has been rewritten by the destination MAC address rewriting unit 33 to the mirror traffic port 37 of the switching hub 3, the Ethernet frame transfer unit 35 makes it possible to mirror the communication from host “MAC_B” to host “IP_A”.
At the same time, the Ethernet frame transfer unit 35 duplicates the Ethernet frame whose destination MAC address was rewritten by the destination MAC address rewriting unit 33 and also passes the copy to the source MAC address rewriting unit 34.
The source MAC address rewriting unit 34 rewrites the source MAC address of the Ethernet frame received from the Ethernet frame transfer unit 35 to the spoofed MAC address. The Ethernet frame received from the Ethernet frame transfer unit 35 is a copy of the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the destination MAC address rewriting unit 33. The source MAC address rewriting unit 34 rewrites the source MAC address of the Ethernet frame received from the Ethernet frame transfer unit 35 by the above procedure to its own spoofed MAC address.
For example, in FIG. 1, the source MAC address rewriting unit 34 receives the Ethernet frame whose destination MAC address was rewritten by the destination MAC address rewriting unit 33 to “MAC_A”, the original MAC address of host “IP_A”, and which the Ethernet frame transfer unit 35 duplicated at the same time as it sent it to the mirror port. In this case, the source MAC address rewriting unit 34 rewrites the source MAC address of the received Ethernet frame to the spoofed MAC address “MAC_D”. As a result, the destination MAC address of that Ethernet frame is “MAC_A” and its source MAC address is the spoofed MAC address “MAC_D”.
After this processing, the source MAC address rewriting unit 34 passes the Ethernet frame to the Ethernet frame transfer unit 35.
The Ethernet frame transfer unit 35 receives the Ethernet frame whose source MAC address has been rewritten to the spoofed MAC address by the source MAC address rewriting unit 34 and sends it from the port 36 to the relay device 2. As a result, the Ethernet frame returns to the relay device 2, is received by the relay device 2 again, and is forwarded by the switching hub function of the relay device 2 to the host 1 connected to the relay device 2.
In the example of FIG. 1, the Ethernet frame whose destination MAC address has been rewritten to “MAC_A” is sent to the relay device 2 again by the source MAC address rewriting unit 34. The relay device 2 that receives this Ethernet frame refers to its destination MAC address and forwards the Ethernet frame to host 1A. In this way, the Ethernet frame from “MAC_B” (host 1B), whose source MAC address has been rewritten to the spoofed MAC address “MAC_D”, reaches “IP_A” (host 1A). At this point, from the viewpoint of host 1A, the source MAC address looks as if the frame had arrived from the spoofed MAC address “MAC_D”.
Through the series of operations of the switching hub 3 described above, the communication system 100 can mirror the communication between hosts 1A and 1B that is turned around at the relay device 2 as its relay point. In the communication system 100, there is no need to separately prepare a switching hub with a port mirroring function and insert it into the communication path between the hosts. Furthermore, the communication system 100 can mirror traffic even when the relay device 2 is a switching hub or a wireless LAN AP that has no port mirroring function.
[Flow of mirror processing]
Next, the flow of the communication traffic mirror processing of the communication system according to the present embodiment is described. FIGS. 3 to 8 are diagrams explaining the flow of the communication traffic mirror processing of the communication system according to the embodiment.
First, in the communication system 100A shown in FIGS. 3 to 8, a wireless LAN AP 2A serves as the relay device 2. The AP 2A has an access point function that accommodates hosts 1 connecting over the wireless LAN, and a wired interface (port 22) that is connected to the switching hub 3 by a cable.
Hosts 1A and 1B connect to the AP 2A via the wireless LAN. Host 1A and host 1B communicate with each other through the AP 2A as a turnaround point. The switching hub 3 connects to the wired interface (port 22) of the AP 2A, which belongs to the same IP subnet as the hosts connected to the AP 2A. A terminal 4A connects to the port 37 of the switching hub 3 and captures the mirrored communication traffic.
The AP 2A has the function of a general switching hub: according to the destination MAC address contained in the header of a received Ethernet frame, it forwards the received Ethernet frame to the port to which the host 1 corresponding to that destination address is connected. As in the example of FIG. 1, host 1A is assigned the IP address “IP_A” and the MAC address “MAC_A”, and host 1B is assigned the IP address “IP_B” and the MAC address “MAC_B”. When hosts 1A and 1B communicate with each other, each resolves the peer's MAC address from the peer's IP address using ARP and sends the AP 2A an Ethernet frame whose destination MAC address is the peer's MAC address.
The switching hub 3 is connected to the port 22 of the wired interface of the AP 2A. As seen from the AP 2A, the switching hub 3 is one of the hosts connected to the AP 2A, just like hosts 1A and 1B.
As shown in FIG. 3, in the communication system 100A, the host scanning unit 31 of the switching hub 3 first calculates the range of IP address values of the hosts 1 from two pieces of information, the network address and the subnet mask of the IP subnet to which the hosts of the AP 2A belong (see (1) in FIG. 3). The network address and subnet mask may be recorded in advance in a storage area inside the switching hub 3, or they may be obtained by referring to the network address and subnet mask contained in a DHCP response.
Next, the host scanning unit 31 scans, using ARP, for the MAC addresses corresponding to all IP addresses in the calculated range (see (2) in FIG. 3). In the example of FIG. 3, the host scanning unit 31 obtains the pair of the IP address “IP_A” of host 1A and its corresponding MAC address “MAC_A” (see (3) in FIG. 3). The host scanning unit 31 then obtains the pair of the IP address “IP_B” of host 1B and its corresponding MAC address “MAC_B” (see (4) in FIG. 3).
Subsequently, the host scanning unit 31 stores these pairs of host IP address and MAC address in the memory 30 as the IP-MAC list 301. The host scanning unit 31 only needs to perform the above processing once, after the switching hub 3 has been connected to the AP 2A and before mirroring is carried out.
Next, the flow of processing for mirroring communication with host 1A as the source and host 1B as the destination is described with reference to FIGS. 4 to 8. The spoofed ARP reply transmission unit 32 searches the IP-MAC list 301 in the memory 30 and obtains the IP address “IP_B” of host 1B (see (1) in FIG. 4). Similarly, the spoofed ARP reply transmission unit 32 searches the IP-MAC list 301 and obtains the MAC address “MAC_A” of host 1A (see (2) in FIG. 4).
The spoofed ARP reply transmission unit 32 then creates an ARP reply message stating that the MAC address corresponding to host “IP_B” is its own spoofed MAC address “MAC_D”, together with the Ethernet frame that carries it, and sets the destination MAC address in the header of that Ethernet frame to “MAC_A”. The spoofed ARP reply transmission unit 32 sends the created Ethernet frame (the ARP reply) from the port 36 (see (3) in FIG. 4). After reaching the AP 2A, the sent Ethernet frame is transmitted by the AP 2A, according to the destination MAC address “MAC_A”, over the wireless LAN channel to which host 1A is connected.
Host 1A, having received the spoofed ARP reply, rewrites the MAC address corresponding to the IP address “IP_B” in its ARP cache to the spoofed MAC address “MAC_D” (see (4) and (5) in FIG. 4). After the ARP cache has been rewritten, Ethernet frames addressed to “IP_B” are sent with the destination MAC address “MAC_D”.
Because the wireless LAN communication (Ethernet frame) sent from host 1A to host 1B carries the destination MAC address “MAC_D” (see (6) and (7) in FIG. 5), after being received by the AP 2A it is forwarded from the wired interface (port 22) of the AP 2A toward the switching hub 3 (see (8) in FIG. 5).
The switching hub 3 receives the Ethernet frame addressed to host 1B at the port 36, and the Ethernet frame transfer unit 35 passes the received Ethernet frame to the destination MAC address rewriting unit 33 (see (9) in FIG. 5).
The destination MAC address rewriting unit 33 obtains the destination IP address “IP_B” of the IP packet contained in the received Ethernet frame. The destination MAC address rewriting unit 33 then searches the IP-MAC list 301 (see (10) in FIG. 6) and obtains the MAC address “MAC_B” corresponding to “IP_B” (see (11) in FIG. 6). Subsequently, the destination MAC address rewriting unit 33 rewrites the destination MAC address in the header of the received Ethernet frame from “MAC_D” to “MAC_B” (see (12) in FIG. 6) and passes it to the Ethernet frame transfer unit 35.
The Ethernet frame transfer unit 35 mirrors the received Ethernet frame out of the port 37 (see (13) in FIG. 7). The terminal 4A receives the mirrored Ethernet frame and records it. This processing makes it possible to mirror the communication traffic.
At the same time, in order to complete the communication between host 1A and host 1B, the Ethernet frame transfer unit 35 duplicates the Ethernet frame received from the destination MAC address rewriting unit 33 (see (13) in FIG. 7). The Ethernet frame transfer unit 35 then passes the duplicated Ethernet frame to the source MAC address rewriting unit 34 (see (14) in FIG. 7).
Subsequently, the source MAC address rewriting unit 34 receives the duplicated Ethernet frame, rewrites its source MAC address “MAC_A” to the spoofed MAC address “MAC_D” (see (15) in FIG. 8), and passes it back to the Ethernet frame transfer unit 35 (see (16) in FIG. 8).
The Ethernet frame transfer unit 35 receives from the source MAC address rewriting unit 34 the Ethernet frame whose destination MAC address is now “MAC_B” and whose source MAC address is now “MAC_D”, and sends it out of the port 36 (see (17) in FIG. 8). The AP 2A receives the Ethernet frame and, according to its destination MAC address “MAC_B” (see (18) in FIG. 8), transmits the received Ethernet frame over the wireless LAN channel to which host 1B is connected (see (19) in FIG. 8). As a result, the packet sent from host 1A reaches host 1B.
The reason for rewriting the source MAC address “MAC_A” of the Ethernet frame to the spoofed MAC address “MAC_D” is as follows. The AP 2A refers to the source MAC addresses of the ARP packets and Ethernet frames sent by hosts 1A and 1B and temporarily stores an association between each of its ports and the MAC address of the host connected to it. Without the rewrite, the same address “MAC_A” would therefore be associated with both the port on which frames from the switching hub 3 are received and the port on which frames from host 1A are received. This state is called a loop; since a general switching hub cannot communicate in this state, the same MAC address cannot be associated with multiple ports.
 スイッチングハブ3は、送信元MACアドレスを「MAC_D」に書き換えることによって、ホスト1A,1Bでは、スイッチングハブ3から受信するポートに「MAC_D」が対応付けられる。これによって、通信システム100Aホストでは、1A,1Bにおいて、同じMACアドレスが複数のポートに対応付けられることはなくなり、一般的なスイッチングハブの通常の転送動作が可能となる。 The switching hub 3 rewrites the source MAC address to “MAC_D”, so that “MAC_D” is associated with the port received from the switching hub 3 in the hosts 1A and 1B. As a result, in the communication system 100A host, in 1A and 1B, the same MAC address is not associated with a plurality of ports, and a normal transfer operation of a general switching hub is possible.
[Host scan processing procedure]
 Next, the processing procedure of the host scan processing of the communication system 100 according to the present embodiment will be described. FIG. 9 is a sequence diagram illustrating the processing procedure of the host scan processing of the communication system according to the embodiment.
 In the communication system 100, the host scanning unit 31 calculates the range of IP address values of the hosts 1 from two pieces of information: the network address and the subnet mask of the IP subnet to which the hosts of the AP 2A belong (step S1).
 The host scanning unit 31 then scans, using ARP, the MAC addresses corresponding to all IP addresses in the calculated range (steps S2 to S5). The host scanning unit 31 thereby obtains the pairs of IP address and MAC address of the hosts 1 (step S6) and stores them in the memory 30 as the IP-MAC list 301 (step S7).
[Mirror processing procedure]
 Next, the processing procedure of the mirror processing of the communication system 100 according to the present embodiment will be described. FIG. 10 is a sequence diagram illustrating the processing procedure of the mirror processing of the communication system according to the embodiment. The example of FIG. 10 describes the case where communication traffic transmitted from the host 1A to the host 1B is mirrored.
 First, the spoofed ARP reply transmission unit 32 searches the IP-MAC list 301 in the memory 30 (step S11) and obtains the IP address "IP_B" of the host 1B together with the MAC address "MAC_A" of the host 1A (step S12).
 The spoofed ARP reply transmission unit 32 then creates an ARP reply message stating that the MAC address corresponding to the host "IP_B" is its own spoofed MAC address "MAC_D", and an Ethernet frame containing that message, and sets the destination MAC address in the header of the Ethernet frame to "MAC_A". The spoofed ARP reply transmission unit 32 transmits the created Ethernet frame to the host 1A via the AP 2A as an ARP reply (steps S13 and S14).
 The host 1A that has received the ARP reply rewrites, in its ARP cache, the MAC address corresponding to the IP address "IP_B" to the spoofed MAC address "MAC_D" (step S15). After the ARP cache has been rewritten, Ethernet frames addressed to "IP_B" are transmitted with the destination MAC address "MAC_D".
 The host 1A transmits wireless LAN communication (an Ethernet frame) addressed to the host 1B (step S16). Because this Ethernet frame carries the destination MAC address "MAC_D", it is received by the AP 2A and then forwarded to the switching hub 3 (step S17).
 In the switching hub 3, the Ethernet frame transfer unit 35 transfers the received Ethernet frame addressed to the host 1B to the destination MAC address rewriting unit 33 (step S18).
 The destination MAC address rewriting unit 33 obtains the destination IP address "IP_B" of the IP packet contained in the received Ethernet frame, then searches the IP-MAC list 301 (step S19) and obtains the MAC address "MAC_B" corresponding to the destination IP address "IP_B" (step S20). Subsequently, the destination MAC address rewriting unit 33 rewrites the destination MAC address in the header of the received Ethernet frame to "MAC_B" (step S21) and sends the frame to the Ethernet frame transfer unit 35 (step S22).
 The Ethernet frame transfer unit 35 mirror-transmits the received Ethernet frame to the communication device 4 via port 37 (step S23). At the same time, the Ethernet frame transfer unit 35 duplicates the Ethernet frame received from the destination MAC address rewriting unit 33 (step S24) and transfers the duplicated Ethernet frame to the source MAC address rewriting unit 34 (step S25).
 Subsequently, the source MAC address rewriting unit 34 rewrites the source MAC address "MAC_A" of the duplicated Ethernet frame to the spoofed MAC address "MAC_D" (step S26) and transfers the frame to the Ethernet frame transfer unit 35 (step S27).
 The Ethernet frame transfer unit 35 transmits from port 36 the Ethernet frame whose destination MAC address is now "MAC_B" and whose source MAC address is now "MAC_D" (step S28). The AP 2A receives the Ethernet frame and forwards it to the host 1B according to the destination MAC address "MAC_B" (step S29).
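The forwarding path of steps S16 to S29, together with the MAC-learning reason given earlier for rewriting the source address, as an added Python model that is not the patent's own code: the Frame fields, the MAC and IP values and the AP port labels "wlan" and "to_hub" are constructed for the example, and the AccessPoint is a minimal model of AP 2A's address table, not a real one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values standing in for the patent's MAC_A, MAC_B,
# MAC_D, IP_A and IP_B (locally administered MACs, TEST-NET-1 IPs).
MAC_A, MAC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
MAC_D = "02:00:00:00:00:0d"          # spoofed MAC address of switching hub 3
IP_A, IP_B = "192.0.2.10", "192.0.2.11"

@dataclass
class Frame:
    """Header fields of an Ethernet frame carrying an IP packet."""
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    payload: bytes = b""

@dataclass
class SwitchingHub:
    """Units 33, 34 and 35 of switching hub 3, driven by IP-MAC list 301."""
    own_mac: str                       # the spoofed MAC address (MAC_D)
    ip_mac_list: Dict[str, str]        # IP address -> original MAC address
    rewrite_source: bool = True        # unit 34 on/off, to show why it exists
    mirrored: List[Frame] = field(default_factory=list)   # sent out of port 37

    def handle(self, frame: Frame) -> Optional[Frame]:
        """Steps S18 to S28: returns the frame sent back out of port 36."""
        if frame.dst_mac != self.own_mac:
            return None                # not addressed to the spoofed MAC
        real_dst = self.ip_mac_list.get(frame.dst_ip)
        if real_dst is None:
            return None                # no entry in IP-MAC list: cannot restore
        # Unit 33 (S19-S21): restore the original destination MAC address.
        restored = Frame(real_dst, frame.src_mac, frame.src_ip, frame.dst_ip,
                         frame.payload)
        # Unit 35 (S23): the mirror copy keeps the host's real source MAC.
        self.mirrored.append(restored)
        # Unit 34 (S26): the duplicate returned to the AP gets MAC_D as source.
        src = self.own_mac if self.rewrite_source else restored.src_mac
        return Frame(restored.dst_mac, src, restored.src_ip, restored.dst_ip,
                     restored.payload)

@dataclass
class AccessPoint:
    """Minimal MAC-learning model of AP 2A: source MAC -> ingress port."""
    table: Dict[str, str] = field(default_factory=dict)
    conflicts: List[str] = field(default_factory=list)

    def learn(self, frame: Frame, port: str) -> None:
        prev = self.table.get(frame.src_mac)
        if prev is not None and prev != port:
            self.conflicts.append(frame.src_mac)   # same MAC on two ports
        self.table[frame.src_mac] = port

def run_mirror(rewrite_source: bool = True) -> Tuple[AccessPoint, SwitchingHub]:
    """Steps S16 to S29 after host 1A's ARP cache maps IP_B to MAC_D.
    Port names "wlan" and "to_hub" are constructed labels for AP 2A's ports."""
    hub = SwitchingHub(MAC_D, {IP_A: MAC_A, IP_B: MAC_B}, rewrite_source)
    ap = AccessPoint()
    frame = Frame(MAC_D, MAC_A, IP_A, IP_B, b"hello 1B")   # S16
    ap.learn(frame, "wlan")            # AP learns MAC_A on the wireless side
    back = hub.handle(frame)           # S17 to S28
    if back is not None:
        ap.learn(back, "to_hub")       # S29: AP learns the frame's source MAC
    return ap, hub
```

Running `run_mirror(rewrite_source=False)` reproduces the loop condition described above: the AP sees "MAC_A" on both ports and records a conflict, while the default run leaves "MAC_D" on the hub-facing port and the mirror copy with its real source address.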
[Effects of the embodiment]
 As described above, the switching hub 3 according to the present embodiment holds the IP-MAC list 301. The switching hub 3 has the spoofed ARP reply transmission unit 32, which rewrites the MAC address corresponding to the IP address of the communication destination of the host 1 to the spoofed MAC address, that is, the MAC address of the switching hub 3. The switching hub 3 also has the destination MAC address rewriting unit 33, which, for an Ethernet frame transmitted from the relay device 2 with the spoofed MAC address as its destination MAC address, searches the IP-MAC list and rewrites the destination MAC address to the original MAC address corresponding to the IP address of that Ethernet frame.
 The switching hub 3 further has the source MAC address rewriting unit 34, which rewrites to the spoofed MAC address the source MAC address of the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the destination MAC address rewriting unit 33. The switching hub 3 also has the Ethernet frame transfer unit 35, which transmits the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the destination MAC address rewriting unit 33 to the mirror traffic receiving device, and transmits the Ethernet frame whose source MAC address was rewritten to the spoofed MAC address by the source MAC address rewriting unit 34 to the relay device 2.
 In the present embodiment, connecting the switching hub 3 having the above functions to the relay device 2 manipulates the communication path between the hosts 1A and 1B, which turns back at the relay device 2 as its relay point. As a result, according to the present embodiment, communication traffic between the hosts 1A and 1B passing through the relay device 2, which is a switching hub without a port mirror function or a wireless LAN access point, can be mirrored. Moreover, in the present embodiment, no other device needs to be inserted into the communication path between the hosts 1A and 1B.
 Although an embodiment to which the invention made by the present inventor is applied has been described, the present invention is not limited by the description and drawings that form part of the disclosure of the present invention through this embodiment. That is, other embodiments, examples, operational techniques and the like made by those skilled in the art on the basis of this embodiment are all included within the scope of the present invention.
 100, 100A Communication system
 1A, 1B Host
 2 Relay device
 2A AP
 3 Switching hub
 21A, 21B, 22, 36, 37 Port
 30 Memory
 31 Host scanning unit
 32 Spoofed ARP reply transmission unit
 33 Destination MAC address rewriting unit
 34 Source MAC address rewriting unit
 35 Ethernet frame transfer unit

Claims (6)

  1.  A communication device connected to a relay device that accommodates a plurality of hosts and is a switching hub without a port mirror function or a wireless LAN (Local Area Network) access point, the communication device comprising:
     a memory that stores a list associating IP (Internet Protocol) addresses and MAC (Media Access Control) addresses of the hosts accommodated by the relay device;
     a spoofing unit that rewrites the MAC address corresponding to the IP address of a communication destination of a host to a spoofed MAC address, which is the MAC address of the communication device;
     a first rewriting unit that, for an Ethernet frame transmitted from the relay device with the spoofed MAC address as its destination MAC address, searches the list and rewrites the destination MAC address to the original MAC address corresponding to the IP address of the Ethernet frame;
     a second rewriting unit that rewrites the source MAC address of the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the first rewriting unit to the spoofed MAC address; and
     a transmission unit that transmits the Ethernet frame whose destination MAC address was rewritten to the original MAC address by the first rewriting unit to a mirror traffic receiving device, and transmits the Ethernet frame whose source MAC address was rewritten to the spoofed MAC address by the second rewriting unit to the relay device.
  2.  The communication device according to claim 1, further comprising a scanning unit that scans the IP addresses and MAC addresses of the hosts accommodated by the relay device and stores the list associating the IP addresses with the MAC addresses in the memory.
  3.  The communication device according to claim 2, wherein the scanning unit calculates the range of IP address values that the hosts connected to the relay device can have from two pieces of information given in advance, namely the network address of the IP subnet to which the hosts belong and its subnet mask, and scans, using ARP (Address Resolution Protocol), the MAC addresses for the entire range of IP address values that the hosts may have.
  4.  The communication device according to claim 3, wherein the spoofing unit rewrites the ARP cache of the host using the ARP reply part of ARP, so that the MAC address corresponding to the IP address of the communication destination of the host is rewritten to the spoofed MAC address, which is the MAC address of the communication device.
  5.  The communication device according to any one of claims 1 to 4, wherein the communication device is a switching hub.
  6.  A communication method executed by a communication device connected to a relay device that accommodates a plurality of hosts and is a switching hub without a port mirror function or a wireless LAN access point,
     the communication device having a memory that stores a list associating IP addresses and MAC addresses of the hosts accommodated by the relay device, the communication method comprising:
     a spoofing step of rewriting the MAC address corresponding to the IP address of a communication destination of a host to a spoofed MAC address, which is the MAC address of the communication device;
     a first rewriting step of, for an Ethernet frame transmitted from the relay device with the spoofed MAC address as its destination MAC address, searching the list and rewriting the destination MAC address to the original MAC address corresponding to the IP address of the Ethernet frame;
     a second rewriting step of rewriting the source MAC address of the Ethernet frame whose destination MAC address was rewritten to the original MAC address in the first rewriting step to the spoofed MAC address;
     a first transmission step of transmitting the Ethernet frame whose destination MAC address was rewritten to the original MAC address in the first rewriting step to a mirror traffic receiving device; and
     a second transmission step of transmitting the Ethernet frame whose source MAC address was rewritten to the spoofed MAC address in the second rewriting step to the relay device.
PCT/JP2019/019400 2018-05-17 2019-05-15 Communication device and communication method WO2019221207A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-095731 2018-05-17
JP2018095731A JP2019201364A (en) 2018-05-17 2018-05-17 Communication apparatus and communication method

Publications (1)

Publication Number Publication Date
WO2019221207A1 true WO2019221207A1 (en) 2019-11-21

Family

ID=68540331

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/019400 WO2019221207A1 (en) 2018-05-17 2019-05-15 Communication device and communication method

Country Status (2)

Country Link
JP (1) JP2019201364A (en)
WO (1) WO2019221207A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000183936A (en) * 1998-12-10 2000-06-30 Hitachi Cable Ltd Port mirroring function adding device
JP2005518762A (en) * 2002-02-26 2005-06-23 Netpia.com Incorporated Network connection blocking system and method
JP2006074705A (en) * 2004-09-06 2006-03-16 International Business Machines Corp (IBM) Device for controlling communication service
JP2008109357A (en) * 2006-10-25 2008-05-08 Matsushita Electric Works Ltd Packet transfer device and packet transfer method

Also Published As

Publication number Publication date
JP2019201364A (en) 2019-11-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19802840

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19802840

Country of ref document: EP

Kind code of ref document: A1