WO2015068255A1 - Network system, communication control device, and communication method - Google Patents
Publication number: WO2015068255A1 (PCT application PCT/JP2013/080211). Authority: WIPO (PCT).
Classifications (CPC)
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2514—Translation of Internet protocol [IP] addresses between local and global IP addresses
- H04L61/2592—Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
Definitions
- the present invention relates to a network system, a communication control device, and a communication method.
- As related art, an apparatus for routing a packet from a gateway to an endpoint is described, which comprises an addressing element that associates a private address with an endpoint having a public IP address, a receiver that intercepts a packet to be sent to the private address, a policy engine that communicates with the receiver, receives the packet, and transmits the packet to the endpoint in response to a policy applied to the packet, and an element that communicates with the receiver, the policy engine, and the addressing element, performs network address translation on the packet, and sends the packet to the endpoint.
- The use of cloud computing services (hereinafter referred to as cloud services) is spreading, for the purpose of reducing initial introduction costs, realizing cooperation between sites, and realizing fault switching in virtualization.
- There is a need to provide services for administrators who want to use cloud services under a common information infrastructure across multiple user sites while ensuring security, and who want to obtain a bird's-eye view of the user sites as a whole by integrating information between individual user sites.
- A cloud service provider side network (hereinafter referred to as cloud side NW 51) in a cloud site 2 such as a data center, and a user side network (hereinafter referred to as user side NW 52) in a user site 3, are connected by a VPN (Virtual Private Network).
- The present invention has been made against this background. It is an object of the present invention to provide a network system, a communication control device, and a communication method that make it possible to use a cloud service under a common information infrastructure across a plurality of user sites while ensuring security.
- One aspect of the present invention that solves the above problems is a network system comprising: a server device connected to a provider network, which is the communication network of a provider site that provides an information processing service; a user device that is connected to a user side network, which is the communication network of a user site that uses the information processing service and is communicably connected to the provider network via the Internet, and that accesses the server device to use the information processing service; and a provider side that connects to the provider network.
- When the user side second address translation device receives a request packet, which is a packet requesting use of the information processing service, sent from the user device to the server device via the user side network, it converts, in accordance with a preset conversion rule, the source address that is set in the header used for communication in the user side network and expressed as a private address of the user side network into a source address expressed as a private address of the provider side network. The user side VPN device transmits a VPN packet encapsulating the converted request packet to the provider side VPN device via the Internet by VPN communication. The provider side VPN device decapsulates the VPN packet to obtain the request packet and transmits the obtained request packet to the server device via the provider side network.
- FIG. 1 is a diagram illustrating a schematic configuration of a network system 1.
- FIG. 2 is a diagram illustrating the flow of a request packet from its transmission by a user device 30 until it is received by the server device 20.
- FIG. 3 is a diagram explaining the flow of a response packet from its transmission by the server device 20 until it is received by the user device 30.
- FIG. 4 is an example of a conversion table 400.
- FIG. 5 is a diagram showing the main functions of the user side GW device 31 and the main information stored in the user side GW device 31.
- FIG. 1 shows a schematic configuration of a network system 1 (information processing system) described as an embodiment.
- The network system 1 includes a group of devices (information processing devices, communication network devices, etc.) installed in a cloud site 2 (provider site) such as a data center in order to provide a cloud computing service (hereinafter also referred to as "cloud service") as an information processing service.
- the cloud service is, for example, an ASP service (Application Service Provider Service), SaaS (Software as a Service), PaaS (Platform as a Service), or the like.
- the cloud site 2 includes a server device 20 that realizes a cloud service, a cloud side VPN device 21 (providing side VPN device), and a cloud side NAT device 22 (providing side address translation device).
- The server device 20 is an information processing device (computer) including a central processing unit (CPU, MPU), a storage device (memory (ROM, RAM, etc.), a hard disk drive, an SSD (Solid State Drive), etc.), and a communication device.
- On the server device 20, an operating system, software that provides a virtualization platform, and various applications (a DBMS (Database Management System), various Web services, etc.) operate.
- the cloud site 2 has a network on the provider side of the cloud service (provider network) (hereinafter also referred to as “cloud side NW 51”), to which the server device 20 and the cloud side VPN device 21 are connected.
- the cloud-side NW 51 is, for example, a LAN (Local Area Network), a WAN (Wide Area Network), or the like, and can perform communication conforming to TCP / IP.
- When the server device 20 receives a packet requesting the use of a cloud service (hereinafter also referred to as "request packet"), sent from the user device 30 described later via the user side NW 52, the Internet 5, and the cloud side NW 51, it executes the cloud service specified in the request packet, generates a packet including the execution result and a processing completion notification (hereinafter also referred to as "response packet"), and transmits the response packet to the user device 30 that is the source of the request packet.
- The cloud side VPN device 21 realizes VPN communication (VPN: Virtual Private Network) via the Internet 5.
- the cloud-side VPN apparatus 21 adds authentication information, encrypts, and encapsulates the packet to be transmitted to the Internet 5 (hereinafter, this series of processing is also referred to as “VPN encapsulation”).
- the cloud-side VPN apparatus 21 performs decapsulation, decryption, and authentication processing (hereinafter, this series of processing is also referred to as “VPN decapsulation”) for the packet received from the Internet 5.
- the cloud side NAT device 22 (NAT: Network Address Translation) is connected to the Internet 5 and connected to the cloud side VPN device 21 so as to be communicable, and functions as a relay device for connecting the cloud side NW 51 and the Internet 5.
- the cloud-side NAT device 22 performs mutual conversion between a global IP address in the Internet 5 and a private address (also referred to as “local address”) in the cloud-side NW 51 for packets transmitted and received via the Internet 5. That is, the cloud side NAT device 22 converts the global IP address set in the packet received from the Internet 5 into the private address of the cloud side NW 51. In addition, the cloud side NAT device 22 converts the private address of the cloud side NW 51 set in the packet received from the cloud side VPN device 21 into a global IP address.
- the cloud-side VPN device 21 and the cloud-side NAT device 22 may be realized as the same hardware. For example, they can be replaced with a gateway device having both functions.
- a plurality of cloud side VPN devices 21 and cloud side NAT devices 22 may be provided for the purpose of load distribution and ensuring availability.
- The term "NAT" here includes so-called "NAPT" (Network Address Port Translation), which converts the port number in addition to the IP address.
- The user site 3 has a user side network of the cloud service (hereinafter also referred to as "user side NW 52"), to which a user device 30 that uses the cloud service, a gateway device (hereinafter referred to as "user side GW device 31"), and a user side first NAT device 32 (user side first address translation device) are connected.
- the user side NW 52 is, for example, a LAN, a WAN, or the like, and can perform communication complying with TCP / IP.
- the user device 30 is an information processing device (computer) including a central processing unit (CPU, MPU), a storage device (memory (ROM, RAM, etc.), hard disk drive, SSD, etc.), and a communication device.
- On the user device 30, an operating system and applications operate to provide the user of the user device 30 with an environment for using the cloud service.
- the user device 30 transmits a request packet to the user side GW device 31 and receives a response packet from the user side GW device 31.
- the user side GW apparatus 31 includes a user side VPN apparatus 311 and a user side second NAT apparatus 312 (user side second address translation apparatus).
- the user-side VPN device 311 and the user-side second NAT device 312 may be realized as a plurality of independent hardware connected so as to be communicable, or may be realized by common hardware.
- the user-side VPN device 311 realizes VPN communication via the cloud-side VPN device 21 and the Internet 5.
- The user side VPN device 311 performs VPN encapsulation on request packets transmitted to the Internet 5 and VPN decapsulation on response packets received from the Internet 5.
- In accordance with a conversion rule set and stored in advance, the user side second NAT device 312 converts the source address and destination address, expressed as private addresses of the user side NW 52, that are set in the header used for communication in the user side NW 52 of a request packet transmitted from the user device 30 to the server device 20, into a source address and destination address expressed as private addresses in the cloud side NW 51.
- Conversely, the user side second NAT device 312 converts the source address and destination address expressed as private addresses in the cloud side NW 51 that are set in the header of a response packet transmitted from the server device 20 into a source address and destination address expressed as private addresses in the user side NW 52.
- Since the user side second NAT device 312 sets, in a request packet transmitted from the user device 30 to the server device 20, a source address and destination address expressed as private addresses in the cloud side NW 51, the request packet appears to the server device 20 in the cloud side NW 51 as if it had been sent from an information processing device connected to the cloud side NW 51.
- Since a request packet transmitted from a user device 30 connected to each user side NW 52 is given a source address that is a private address in the cloud side NW 51 chosen so as not to overlap between user devices 30, different user side NWs 52 can use a common cloud service.
- The user side second NAT device 312 is installed at each user site 3 by, for example, the cloud service provider, and the conversion rules are set by the cloud service provider. For this reason, a service operated at the user site 3 can be transferred to the cloud service easily and inexpensively, without forcing the user device 30 or the user side first NAT device 32 to introduce new software or change settings.
- the user-side first NAT device 32 shown in FIG. 1 functions as a relay device that connects the user-side NW 52 and the Internet 5.
- the user-side first NAT device 32 performs mutual conversion between a global IP address of the Internet 5 and a private address of the user-side NW 52 for a packet transmitted / received via the Internet 5.
- the user-side first NAT device 32 may exist on the Internet provider side, for example.
- From the viewpoint of the user side first NAT device 32, the user side GW device 31 and the user device 30 are equivalent. That is, the user side first NAT device 32 performs the above-described mutual conversion without distinguishing whether the other party transmitting or receiving a packet is the user side GW device 31 or the user device 30. This means that if an existing NAT device that relays between the Internet 5 and the user site 3 is already present at the user site 3, that NAT device can be used as the user side first NAT device 32. If the user site 3 does not need to provide the function of the user side first NAT device 32 to anyone other than cloud service users, the user side first NAT device 32 need not be connected to the user side NW 52 and may be connected directly to the user side GW device 31.
- In the following, the source IP address, destination IP address, source port number, and destination port number set in the header of a packet are also referred to as "SIP", "DIP", "Sport", and "Dport", respectively.
- The contents of the packet headers described below can be obtained, for example, by connecting a network analyzer to key points of the cloud side NW 51, the Internet 5, and the user side NW 52 and performing packet analysis.
- In the following description, the network addresses used in the cloud side NW 51, the Internet 5, and the user side NW 52 are IPv4 (Internet Protocol version 4) addresses, and communication conforming to TCP/IP is assumed as the communication protocol.
- The network system 1 of this embodiment is not limited to this, and is likewise applicable to IPv6 (Internet Protocol version 6) addresses, MAC addresses (Media Access Control addresses), MPLS (Multi-Protocol Label Switching) labels, and the like.
- It is assumed that the user device 30 transmits a request packet 101, in whose header "SIP: 192.168.0.10", "DIP: 192.168.0.129", "Sport: 10000", and "Dport: 1500" are set, to the user side second NAT device 312.
- "SIP: 192.168.0.10" is the private address assigned to the user device 30 in the user side NW 52, and "DIP: 192.168.0.129" is the private address assigned to the user side second NAT device 312 in the user side NW 52.
- That is, when using the cloud service, the user device 30 transmits a request packet in whose header the private address of the user side second NAT device 312 is set as the destination (S111).
- When the user device 30 sends a packet to the Internet 5 through the user side first NAT device 32, it sets the private address "DIP: 192.168.0.1" of the user side first NAT device 32 in the header of the packet and sends it to the user side NW 52.
- "Sport: 10000" set in the header of the request packet is a value arbitrarily selected by the user device 30 (a value other than a well-known port); it is given by the application running on the user device 30 that uses the cloud service.
- "Dport: 1500" is the port number corresponding to the cloud service that the request packet 101 requests to use.
- The user side second NAT device 312 converts the combination of private address and port number in the user side NW 52 specified in the header of the request packet 101 received from the user device 30 into a combination of private address and port number in the cloud side NW 51 (S112).
- Specifically, the user side second NAT device 312 converts "SIP: 192.168.0.10" into "SIP: 10.0.0.20", a private address in the cloud side NW 51; "DIP: 192.168.0.129" into "DIP: 10.0.0.10", the private address of the server device 20 in the cloud side NW 51; "Sport: 10000" into "Sport: 20000"; and "Dport: 1500" into "Dport: 1024".
- "Sport: 20000" set in the header of the request packet 102 is a port number uniquely assigned to the combination of "SIP: 192.168.0.10" and "Sport: 10000" of the packet 101 transmitted by the user device 30.
- The user side second NAT device 312 stores in the conversion table 400 the correspondence between the combination of "SIP: 192.168.0.10" and "Sport: 10000" and "Sport: 20000".
- When the user side second NAT device 312 receives the response packet to this request packet, it identifies, based on the stored port number "Sport: 20000", the "SIP: 192.168.0.10" and "Sport: 10000" of the user device 30 that transmitted the request packet, and transmits the response packet to that user device 30.
- "Dport: 1024" is the port number corresponding to the cloud service to be used, that is, the port number by which the server device 20 identifies the cloud service.
- "Dport: 1500" designated by the user device 30 is thus automatically converted, in accordance with the conversion rule, into the port number by which the server device 20 identifies the cloud service. This means that if, for example, the port number scheme on the server device 20 side is changed, only the conversion rule needs to be updated; the port number scheme of the cloud service can be changed without affecting the user device 30 side.
- the user-side VPN apparatus 311 VPN-encapsulates the request packet 102 converted by the user-side second NAT apparatus 312 and transmits it to the user-side first NAT apparatus 32 via the user-side NW 52 (S113).
- In the header of the VPN-encapsulated request packet 103 (hereinafter referred to as the VPN header), the user side VPN device 311 sets "SIP: 192.168.0.130", "DIP: 210.0.0.100", "Sport: 25000", and "Dport: 1194".
- "SIP: 192.168.0.130" is the private address assigned to the user side VPN device 311 in the user side NW 52.
- "DIP: 210.0.0.100" is the global IP address on the Internet 5 assigned to the cloud side NAT device 22.
- "Sport: 25000" is a port number arbitrarily given by the user side VPN device 311. It is used, for example, as an identifier that distinguishes each user side VPN device 311 when a plurality of them are provided in the same user site 3 for load distribution, ensuring availability, and the like.
- "Dport: 1194" is the well-known port assigned to the VPN service.
- The user side first NAT device 32 transmits the request packet VPN-encapsulated by the user side VPN device 311 to the cloud side NAT device 22 via the Internet 5 (S114).
- The user side first NAT device 32 sets "SIP: 96.50.0.20", "DIP: 210.0.0.100", and "Sport: 40000" in the header of the request packet 104 transmitted to the Internet 5.
- "SIP: 96.50.0.20" is the global IP address assigned to the user side first NAT device 32 on the Internet 5 (if the cloud side VPN device 21 is directly connected to the Internet 5, it may be the global IP address of the cloud side VPN device 21).
- "Sport: 40000" is a value arbitrarily selected by the user side first NAT device 32 (a value other than a well-known port).
- The user side first NAT device 32 stores the correspondence between the combination of "SIP: 10.0.0.130" and "Sport: 25000" of the request packet 103 and the assigned "Sport: 40000"; it uses this correspondence, for example, when a response packet to the request packet 104 is received.
- When the cloud side NAT device 22 receives the request packet 104 via the Internet 5, it converts the global IP addresses set in the request packet 104 into private addresses of the cloud side NW 51 and transmits the converted request packet 105 to the cloud side VPN device 21 via the cloud side NW 51 (S115).
- Specifically, the cloud side NAT device 22 converts the global IP address "SIP: 96.50.0.20" set in the header of the request packet 104 received via the Internet 5 into "SIP: 10.0.0.15", the private address assigned to the cloud side NAT device 22 in the cloud side NW 51, and converts "DIP: 210.0.0.100" into "DIP: 10.0.0.130", the private address assigned to the cloud side VPN device 21 in the cloud side NW 51.
- When the cloud side VPN device 21 receives the request packet 105 from the cloud side NAT device 22, it performs VPN decapsulation on the request packet 105 and transmits the decapsulated request packet 106 to the server device 20 via the cloud side NW 51 (S116). As shown in the figure, "SIP: 10.0.0.20", "DIP: 10.0.0.10", "Sport: 20000", and "Dport: 1024" in the header of the request packet 106 transmitted from the cloud side VPN device 21 to the server device 20 are the same as in the header of the request packet 102 generated earlier by the user side second NAT device 312.
- When the server device 20 executes the cloud service for the request packet 106 shown in FIG. 2, it transmits, as its response, a response packet in which the send/receive relationship of the header of the request packet 106 is inverted, that is, a response packet 201 in whose header "SIP: 10.0.0.10", "DIP: 10.0.0.20", "Sport: 1024", and "Dport: 20000" are set, to the cloud side VPN device 21 (S211).
- The server device 20 identifies the user site 3 (user side NW 52) where the user side second NAT device 312 that is the destination of the response packet 201 exists using, for example, the physical address (for example, the MAC address) set in the request packet 106 at the L2 layer (the data link layer (second layer) of the OSI (Open Systems Interconnection) reference model) on the cloud side.
- Alternatively, the server device 20 identifies the user site 3 (user side NW 52) where the user side second NAT device 312 that is the destination of the response packet exists at the L3 layer (the network layer (third layer) of the OSI reference model) using the cloud side VPN.
- The cloud side VPN device 21 VPN-encapsulates the response packet 201 and transmits the encapsulated response packet 202 to the cloud side NAT device 22 (S212).
- "SIP: 10.0.0.130", "DIP: 10.0.0.15", "Sport: 1194", and "Dport: 30000" are set in the VPN header.
- "SIP: 10.0.0.130" is the private address assigned to the cloud side VPN device 21 in the cloud side NW 51.
- "DIP: 10.0.0.15" is the private address assigned to the cloud side NAT device 22 in the cloud side NW 51.
- "Sport: 1194" is the well-known port assigned to the VPN service.
- "Dport: 30000" is a port number arbitrarily given by the cloud side VPN device 21. It is used, for example, as an identifier that distinguishes each cloud side VPN device 21 when a plurality of them are provided in the same cloud site 2 for load distribution, ensuring availability, and the like.
- The cloud side NAT device 22 transmits the response packet 202 encapsulated by the cloud side VPN device 21 to the user side first NAT device 32 via the Internet 5 (S213).
- The cloud side NAT device 22 sets "SIP: 210.0.0.100", "DIP: 96.50.0.20", "Sport: 1194", and "Dport: 40000" in the header of the response packet 203 transmitted to the Internet 5.
- "SIP: 210.0.0.100" is the global IP address assigned to the cloud side NAT device 22 on the Internet 5.
- "DIP: 96.50.0.20" is the global IP address assigned to the user side first NAT device 32 on the Internet 5.
- "Sport: 1194" is the well-known port assigned to the VPN service.
- "Dport: 40000" is the value set by the user side first NAT device 32 when the request packet 104 was transmitted.
- When the user side first NAT device 32 receives the response packet 203 via the Internet 5, it converts the global IP addresses set in the response packet 203 into private addresses of the user side NW 52 and transmits the converted response packet 204 to the user side VPN device 311 via the user side NW 52 (S214).
- The user side first NAT device 32 sets "SIP: 192.168.0.1", "DIP: 10.0.0.130", "Sport: 1194", and "Dport: 25000" in the header of the response packet 204.
- "SIP: 192.168.0.1" is the private address assigned to the user side first NAT device 32 in the user side NW 52.
- "DIP: 10.0.0.130" is the private address assigned to the user side VPN device 311 in the user side NW 52.
- "Sport: 1194" is the well-known port assigned to the VPN service.
- "Dport: 25000" is set based on the content stored in the user side first NAT device 32 at the time the request packet 104 was transmitted: the user side first NAT device 32 stored the correspondence between the combination of "SIP: 10.0.0.130" and "Sport: 25000" of the request packet 103 and the "Sport: 40000" assigned to the request packet 104, and obtains the combination of "SIP: 10.0.0.130" and "Sport: 25000" from "Dport: 40000" of the response packet 203.
- The user side VPN device 311 performs VPN decapsulation on the response packet 204 received from the user side first NAT device 32 and transmits the decapsulated response packet 205 to the user side second NAT device 312 (S215).
- Upon receiving the response packet 205, the user side second NAT device 312 converts the header of the response packet 205 by performing the reverse of the conversion of S112 in FIG. 2, based on the conversion rule and on the correspondence between the combination of "SIP: 192.168.0.10" and "Sport: 10000" and "Sport: 20000" stored when the request packet 101 was converted into the request packet 102, and transmits the converted response packet 206 to the user device 30 (S216). As shown in the figure, the user side second NAT device 312 generates a response packet 206 in whose header "SIP: 192.168.0.129", "DIP: 192.168.0.10", "Sport: 1500", and "Dport: 10000" are set, and transmits it to the user device 30.
- FIG. 4 is an example of the conversion table 400 stored in the user-side GW apparatus 31.
- the above-described conversion rule includes an algorithm or a table set so as to generate the result of the conversion table 400.
- According to the conversion rule, the user side second NAT device 312 (user side GW device 31) converts the combination of private address and port number in the user side NW 52 specified in the header of each new request packet received from the user device 30 into a combination of private address and port number in the cloud side NW 51, and stores the result in the conversion table 400.
- Each record of the conversion table 400 includes a user side IP address 411, which is the private address in the user side NW 52 of the user device 30 that transmitted the received request packet; a cloud side IP address 412, which is the private address used in the cloud side NW 51 for that request packet; a user side port number 413, which is the port number set in the received request packet; and a cloud side port number 414, which is the port number used in the cloud side NW 51 for that request packet.
- The cloud side port number 414 corresponds to the type of cloud service, and different user side port numbers 413 are associated with different cloud side port numbers 414.
- The conversion rule is set so as to give a unique cloud side IP address 412 to each user device 30. The uniqueness of each request packet is thereby ensured in the cloud side NW 51, and user devices 30 belonging to different user side NWs 52 can access the same cloud service simultaneously.
- The conversion rule may also be set so that different user side IP addresses 411 are associated with the same cloud side IP address 412 (in the conversion table 400 of FIG. 4, the user side IP addresses 411 "192.168.0.10" and "192.168.0.11" are both converted to the same cloud side IP address 412, "10.0.0.20").
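The two-stage translation of FIGs. 2 and 3 and the conversion table 400 of FIG. 4, as an added Python model that is not part of the patent: it runs the request packet 101 through the user side second NAT device 312, the user side VPN device 311, the user side first NAT device 32 and the cloud side NAT device 22, then carries the server's response back and checks that it reaches the right user device, using the page's addresses. Assumptions not given on the page: cloud side port numbers 414 are assigned sequentially from 20000, the Sport of packet 105 is 30000, the user side VPN device 311 uses 192.168.0.130 as in FIG. 5, and a second user device 192.168.0.11 (the FIG. 4 row) shares cloud side IP 10.0.0.20.

```python
from typing import Dict, NamedTuple, Optional
Header = NamedTuple("Header", [("sip", str), ("dip", str), ("sport", int), ("dport", int)])
VpnPacket = NamedTuple("VpnPacket", [("outer", Header), ("inner", Header)])  # outer = VPN header

def reply(h: Header) -> Header:
    return Header(h.dip, h.sip, h.dport, h.sport)  # a response inverts its request (201 versus 106)

class SecondNat:
    """User side second NAT device 312: preset conversion rule (user IP 411 -> cloud IP 412, user Dport
    -> cloud Dport) plus conversion table 400; cloud port 414 is assumed to be assigned from 20000."""
    def __init__(self, own_ip, server_ip, ip_rule, dport_rule, first_port=20000):
        self.own_ip, self.server_ip, self.ip_rule, self.dport_rule = own_ip, server_ip, ip_rule, dport_rule
        self.next_port, self.table = first_port, {}  # cloud port 414 -> (user IP 411, user port 413)

    def to_cloud(self, h: Header) -> Header:  # S112
        if h.dip != self.own_ip or h.dport not in self.dport_rule or h.sip not in self.ip_rule:
            raise ValueError("not a request packet covered by the conversion rule")
        cport = next((p for p, rec in self.table.items() if rec == (h.sip, h.sport)), None)
        if cport is None:  # first packet of this flow: add a record
            cport, self.next_port = self.next_port, self.next_port + 1
            self.table[cport] = (h.sip, h.sport)
        return Header(self.ip_rule[h.sip], self.server_ip, cport, self.dport_rule[h.dport])

    def to_user(self, h: Header) -> Optional[Header]:  # S216, the reverse of S112
        rec = self.table.get(h.dport)
        user_dport = {c: u for u, c in self.dport_rule.items()}.get(h.sport)
        if rec is None or user_dport is None or h.sip != self.server_ip or h.dip != self.ip_rule[rec[0]]:
            return None  # matches no stored request: dropped
        return Header(self.own_ip, rec[0], user_dport, rec[1])

class Nat:
    """User side first NAT device 32 / cloud side NAT device 22: the packet opening a flow gets a fresh
    port under which its (SIP, Sport) is recorded, and the answer is restored from that record. Inside,
    the NAT's own inside address stands in for the outside peer, as packets 105 and 204 show."""
    def __init__(self, inside_ip, outside_ip, inside_target, first_port):
        self.inside_ip, self.outside_ip, self.inside_target = inside_ip, outside_ip, inside_target
        self.next_port, self.table = first_port, {}  # assigned port -> opener's (SIP, Sport)

    def _port_for(self, h: Header) -> int:
        port = next((p for p, rec in self.table.items() if rec == (h.sip, h.sport)), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (h.sip, h.sport)
        return port

    def outbound(self, h: Header) -> Header:  # inside -> Internet
        rec = self.table.get(h.dport) if h.dip == self.inside_ip else None
        if rec:  # answer to a flow opened from the Internet: restore the outside peer
            return Header(self.outside_ip, rec[0], h.sport, rec[1])
        return Header(self.outside_ip, h.dip, self._port_for(h), h.dport)

    def inbound(self, h: Header) -> Optional[Header]:  # Internet -> inside
        rec = self.table.get(h.dport) if h.dip == self.outside_ip else None
        if rec:  # answer to a flow opened from inside
            return Header(self.inside_ip, rec[0], h.sport, rec[1])
        if h.dip != self.outside_ip or self.inside_target is None:
            return None  # not for this NAT, or unsolicited with no forwarding target: dropped
        return Header(self.inside_ip, self.inside_target, self._port_for(h), h.dport)

class Vpn:
    """User side VPN device 311 / cloud side VPN device 21: encapsulation only, no crypto modelled."""
    def __init__(self, own_ip, peer_ip, sport, vpn_port=1194):
        self.own_ip, self.peer_ip, self.sport, self.vpn_port = own_ip, peer_ip, sport, vpn_port
        self.tunnels: Dict[str, Header] = {}  # inner SIP (cloud IP 412) -> VPN header of its request

    def encapsulate(self, inner: Header) -> VpnPacket:  # S113
        return VpnPacket(Header(self.own_ip, self.peer_ip, self.sport, self.vpn_port), inner)

    def decapsulate(self, p: VpnPacket) -> Header:  # S116 / S215
        self.tunnels[p.inner.sip] = p.outer  # remember which tunnel leads back to this user site
        return p.inner

    def encapsulate_reply(self, inner: Header) -> Optional[VpnPacket]:  # S212
        outer = self.tunnels.get(inner.dip)
        return VpnPacket(reply(outer), inner) if outer else None

def build_system() -> dict:
    return dict(  # devices of FIG. 1 with the page's addresses; 192.168.0.11 is the second row of FIG. 4
        nat312=SecondNat("192.168.0.129", "10.0.0.10",
                         {"192.168.0.10": "10.0.0.20", "192.168.0.11": "10.0.0.20"}, {1500: 1024}),
        vpn311=Vpn("192.168.0.130", "210.0.0.100", 25000),
        nat32=Nat("192.168.0.1", "96.50.0.20", None, 40000),
        nat22=Nat("10.0.0.15", "210.0.0.100", "10.0.0.130", 30000),  # 30000: assumed Sport of packet 105
        vpn21=Vpn("10.0.0.130", None, 1194))

def request_flow(s: dict, p101: Header) -> Dict[str, Header]:  # S111 to S116, keyed by packet number
    p102 = s["nat312"].to_cloud(p101)
    p103 = s["vpn311"].encapsulate(p102)
    p104 = p103._replace(outer=s["nat32"].outbound(p103.outer))
    p105 = p104._replace(outer=s["nat22"].inbound(p104.outer))
    p106 = s["vpn21"].decapsulate(p105)
    return {"102": p102, "103": p103.outer, "104": p104.outer, "105": p105.outer, "106": p106}

def response_flow(s: dict, p201: Header) -> Optional[Dict[str, Header]]:  # S212 to S216; None if dropped
    p202 = s["vpn21"].encapsulate_reply(p201)
    out203 = s["nat22"].outbound(p202.outer) if p202 else None
    out204 = s["nat32"].inbound(out203) if out203 else None
    p206 = s["nat312"].to_user(s["vpn311"].decapsulate(VpnPacket(out204, p201))) if out204 else None
    return None if p206 is None else {"202": p202.outer, "203": out203, "204": out204, "206": p206}
```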
- FIG. 5 shows main functions of the user-side GW apparatus 31 and main information (data, table) stored in the user-side GW apparatus 31.
- In FIG. 5, the user side VPN device 311 and the user side second NAT device 312 provided in the user side GW device 31 are not distinguished; the information shown is stored in at least the user side second NAT device 312.
- the user side GW apparatus 31 provides an interface for maintaining packet control information.
- the packet control information can be set, for example, via a user interface (for example, an input device (keyboard, mouse, etc.), a display device (liquid crystal monitor, etc.)) provided in the user side GW device 31.
- The packet control information can also be set by transmitting an update instruction (for example, an information update packet described later) to the user side GW device 31 from an information processing device (maintenance terminal or the like) connected to the cloud side NW 51, or from an information processing device (management terminal or the like) connected to the user side NW 52.
- The user side GW device 31, the information processing device (maintenance terminal or the like) connected to the cloud side NW 51, and the information processing device (management terminal or the like) connected to the user side NW 52 accept the setting contents of the packet control information and an update instruction while displaying, for example, a screen for accepting settings of packet control information on a display device (liquid crystal display or the like).
- the user-side GW device 31 includes an input/output port A351 and an input/output port B352. These are communication ports provided in the user-side GW device 31 (for example, communication ports of a NIC (Network Interface Card)).
- a packet transmitted from the user device 30 arrives at the input/output port A351, and a packet addressed to the user device 30 is transmitted from it.
- a packet transmitted from the server device 20 arrives at the input/output port B352, and a packet addressed to the server device 20 is transmitted from it.
- the private address of the user-side second NAT device 312 (for example, “192.168.0.129” in FIG. 2 or FIG. 3) is assigned to the input/output port A351.
- the private address of the user-side VPN device 311 (for example, “192.168.0.130” in FIG. 2 or FIG. 3) is assigned to the input/output port B352.
- in this example the user-side GW device 31 is connected to the user-side NW 52 through two communication ports.
- the user-side GW device 31 may also be connected to the user-side NW 52 through only one communication port, or through three or more; in either case it can provide the functions described in this embodiment by converting network addresses and port numbers appropriately.
- the packet determination unit 353 shown in the figure determines whether a packet arriving at the input/output port A351 is a request packet or a packet for updating the packet control information (hereinafter referred to as an information update packet).
- if it is a request packet, the packet determination unit 353 transmits the request packet to the NAT conversion unit 354; if it is an information update packet, the packet determination unit 353 transmits the information update packet to the information update processing unit 356 shown in the figure.
- the packet determination unit 353 determines whether the packet received at the input/output port B352 is a response packet or an information update packet.
- if it is a response packet, the packet determination unit 353 transmits the response packet to the NAT conversion unit 354 shown in the figure. If it is an information update packet, the packet determination unit 353 transmits the information update packet to the information update processing unit 356.
- the transmission of the information update packet from the cloud site 2 to the user side GW apparatus 31 may be performed by the above-described VPN communication or may be performed using another authentication method. Alternatively, a dedicated physical line connecting the cloud site 2 and the user site 3 may be prepared so that the information update packet may be transmitted from the cloud site 2 to the user side GW device 31.
- upon receiving the information update packet from the packet determination unit 353, the information update processing unit 356 updates the packet control information (at least one of the conversion rule 361, the VPN control information 362, and the VPN destination information 363) according to its content.
- the information update packet received at the input/output port A351 is transmitted, for example, from an information processing device (maintenance terminal or the like) connected to the user-side NW 52, and the information update packet received at the input/output port B352 is transmitted from the information processing device (management terminal or the like) of the cloud site 2 via the Internet 5.
- the NAT conversion unit 354 converts the combination of private address and port number of the user-side NW 52 set in the request packet sent from the packet determination unit 353 into a combination of private address and port number of the cloud-side NW 51 according to the conversion rule 361. Conversely, the NAT conversion unit 354 converts the combination of private address and port number of the cloud-side NW 51 set in the response packet sent from the server device 20 into a combination of private address and port number of the user-side NW 52 according to the conversion rule 361. As described above, the NAT conversion unit 354 records the conversion content (result) in the conversion table 400. The NAT conversion unit 354 transmits the converted request packet to the VPN processing unit 355 and the converted response packet to the input/output port A351.
- the VPN processing unit 355 searches the VPN control information 362 using as a key the “SIP” before conversion by the NAT conversion unit 354 that was set in the header of the request packet received from the NAT conversion unit 354, and acquires the control method (priority 612, VPN method 613). Note that the “SIP” of the request packet before conversion is notified from the NAT conversion unit 354 to the VPN processing unit 355 as needed, for example.
- the VPN processing unit 355 searches the cloud site-side port number 711 of the VPN destination information 363 using as a key the “Sport” set in the header of the request packet converted by the NAT conversion unit 354, and thereby acquires the cloud site-side global IP address 712.
- the VPN processing unit 355 VPN-encapsulates the request packet according to the acquired control method, sets the acquired global IP address in the header “DIP” of the VPN-encapsulated request packet, and transmits it from the input/output port B352. Conversely, the VPN processing unit 355 VPN-decapsulates the response packet received at the input/output port B352 and transmits the decapsulated response packet to the packet determination unit 353.
- FIG. 6 shows an example of the VPN control information 362 stored in the user side GW apparatus 31.
- the VPN control information 362 is composed of a plurality of records including items of the user side IP address 611, the priority 612, and the VPN method 613.
- the priority 612 and the VPN method 613 are merely examples of parameters for controlling QoS (Quality of Service) at the time of VPN encapsulation, and the parameters that determine the VPN encapsulation control method are not limited to these.
- FIG. 7 shows an example of the VPN destination information 363 stored in the user-side GW apparatus 31.
- the VPN destination information 363 includes a plurality of records including items of a cloud site side port number 711 and a cloud site side global IP address 712.
- in the cloud site-side port number 711, a port number used by the server device 20 to identify the cloud service is set.
- the global IP address of the cloud-side NAT device 22 (when the cloud-side VPN device 21 is connected to the Internet 5, the global IP address of the cloud-side VPN device 21) is set in the cloud site-side global IP address 712.
- a plurality of cloud site-side global IP addresses 712 may exist because, for example, a plurality of cloud sites 2 and cloud-side NAT devices 22 are provided for load distribution and availability. A plurality of global IP addresses may also be virtually assigned to the cloud-side VPN device 21, or a plurality of VLANs may be constructed.
- the cloud site-side global IP address 712 may change dynamically.
- FIG. 8 is a flowchart for explaining processing performed by the user side GW apparatus 31 when a packet arrives at the input / output port A351 of the user side GW apparatus 31.
- the packet determination unit 353 determines whether the received packet is an information update packet or a request packet (S812). When the incoming packet is an information update packet (S812: information update packet), the packet determination unit 353 transmits the information update packet to the information update processing unit 356 (S813). When the incoming packet is a request packet (S812: request packet), the packet determination unit 353 transmits the request packet to the NAT conversion unit 354 (S821).
- when the information update processing unit 356 receives the information update packet from the packet determination unit 353, it updates the packet control information (at least one of the conversion rule 361, the VPN control information 362, and the VPN destination information 363) according to the content of the information update packet (S814). Thereafter, the process returns to S811.
- the NAT conversion unit 354 converts the “SIP” and “Sport” set in the request packet into those of the cloud-side NW 51 in accordance with the conversion rule 361, and transmits the converted request packet to the VPN processing unit 355 (S822).
- when the VPN processing unit 355 receives the request packet from the NAT conversion unit 354, it searches the VPN control information 362 using the “SIP” of the request packet before conversion as a key, and acquires the control method to apply to the request packet at VPN encapsulation (S823).
- the VPN processing unit 355 then searches the VPN destination information 363 using the “Sport” of the converted request packet as a key, and acquires the global IP address on the cloud site 2 side that is the destination of the request packet, that is, the global IP address of the cloud-side NAT device 22 (or of the cloud-side VPN device 21, if the cloud-side VPN device 21 is directly connected to the Internet 5) (S824).
- the VPN processing unit 355 VPN-encapsulates the request packet based on the control method acquired in S823, and transmits the VPN-encapsulated request packet from the input/output port B352 to the global IP address acquired in S824 (S825). Thereafter, the process returns to S811.
- the user-side GW device 31 operates as described above when a packet arrives at its input/output port A351.
- FIG. 9 is a flowchart for explaining processing performed by the user-side GW apparatus 31 when a packet arrives at the input / output port B352 of the user-side GW apparatus 31.
- when a packet arrives at the input/output port B352 (S911), the VPN processing unit 355 first VPN-decapsulates the received packet and transmits the decapsulated packet to the packet determination unit 353 (S912).
- the packet determination unit 353 determines whether the packet is an information update packet or a response packet (S913). When the incoming packet is an information update packet (S913: information update packet), the packet determination unit 353 transmits the information update packet to the information update processing unit 356 (S914). If the incoming packet is a response packet (S913: response packet), the packet determination unit 353 transmits the response packet to the NAT conversion unit 354 (S921).
- when the information update processing unit 356 receives the information update packet from the packet determination unit 353, it updates the packet control information (at least one of the conversion rule 361, the VPN control information 362, and the VPN destination information 363) according to the content of the information update packet (S915). Thereafter, the process returns to S911.
- when the NAT conversion unit 354 receives the response packet from the packet determination unit 353, it searches the conversion table 400 using the “DIP” and “Dport” set in the response packet as a key, and converts the cloud-side NW 51 “DIP” and “Dport” set in the response packet into the “DIP” and “Dport” of the user-side NW 52 (S922). Then, the NAT conversion unit 354 transmits the converted response packet from the input/output port A351 to the corresponding user device 30 (S923). Thereafter, the process returns to S911.
- the user-side GW device 31 operates as described above when a packet arrives at its input/output port B352.
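The FIG. 8 request path (port A351: NAT conversion, then control-method and destination lookup, then VPN encapsulation) and the FIG. 9 response path (port B352: decapsulation, then reverse lookup in the conversion table) as one added Python model; this is example code, not the patent's own implementation. The class and method names, the table contents beyond the 192.168.0.10/.11 to 10.0.0.20 mapping of FIG. 4, and the decision to drop packets that match no rule or no recorded conversion are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple, Union

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass(frozen=True)
class Packet:
    """Header fields of a request/response packet, named as in the text (SIP, Sport, DIP, Dport)."""
    sip: str
    sport: int
    dip: str
    dport: int


@dataclass(frozen=True)
class InfoUpdatePacket:
    """Information update packet: replacement entries for one or more packet control tables."""
    conversion_rule: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    vpn_control_info: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    vpn_destination_info: Dict[int, str] = field(default_factory=dict)


@dataclass(frozen=True)
class VpnPacket:
    """VPN-encapsulated packet: outer destination (global IP), QoS parameters, inner packet."""
    outer_dip: str
    priority: int
    vpn_method: str
    inner: Union[Packet, InfoUpdatePacket]


class UserSideGateway:
    """Hypothetical model of user-side GW device 31 (NAT conversion unit 354 + VPN processing unit 355)."""
    def __init__(self, conversion_rule, vpn_control_info, vpn_destination_info):
        # Conversion rule 361: user-side (IP 411, port) -> cloud-side (IP 412, port).
        self.conversion_rule: Dict[Endpoint, Endpoint] = dict(conversion_rule)
        # VPN control information 362: user-side IP 611 -> (priority 612, VPN method 613).
        self.vpn_control_info: Dict[str, Tuple[int, str]] = dict(vpn_control_info)
        # VPN destination information 363: cloud-site port 711 -> cloud-site global IP 712.
        self.vpn_destination_info: Dict[int, str] = dict(vpn_destination_info)
        # Conversion table 400: cloud-side (IP, port) -> user-side (IP, port), written by NAT conversion.
        self.conversion_table: Dict[Endpoint, Endpoint] = {}

    # Information update processing unit 356 (S814 / S915).
    def apply_update(self, update: InfoUpdatePacket) -> None:
        self.conversion_rule.update(update.conversion_rule)
        self.vpn_control_info.update(update.vpn_control_info)
        self.vpn_destination_info.update(update.vpn_destination_info)

    # FIG. 8: a packet arrives at input/output port A351.
    def receive_port_a(self, pkt: Union[Packet, InfoUpdatePacket]) -> Optional[VpnPacket]:
        if isinstance(pkt, InfoUpdatePacket):  # S812 -> S813 -> S814
            self.apply_update(pkt)
            return None
        # S821/S822: translate SIP/Sport into the cloud-side NW 51 address space.
        cloud_ep = self.conversion_rule.get((pkt.sip, pkt.sport))
        if cloud_ep is None:
            # Assumption: a source with no conversion rule has no cloud-side identity and is dropped.
            return None
        self.conversion_table[cloud_ep] = (pkt.sip, pkt.sport)  # recorded for the response path
        converted = replace(pkt, sip=cloud_ep[0], sport=cloud_ep[1])
        # S823: the control method is keyed by the SIP *before* conversion.
        control = self.vpn_control_info.get(pkt.sip)
        # S824: the cloud-site global IP is keyed by the Sport *after* conversion.
        global_ip = self.vpn_destination_info.get(converted.sport)
        if control is None or global_ip is None:
            return None  # assumption: without both lookups the packet cannot be encapsulated
        priority, method = control
        return VpnPacket(global_ip, priority, method, converted)  # S825: sent from port B352

    # FIG. 9: a packet arrives at input/output port B352.
    def receive_port_b(self, vpn_pkt: VpnPacket) -> Optional[Packet]:
        inner = vpn_pkt.inner  # S912: VPN decapsulation (cryptographic checks not modelled here)
        if isinstance(inner, InfoUpdatePacket):  # S913 -> S914 -> S915
            self.apply_update(inner)
            return None
        # S922: reverse lookup in conversion table 400 by DIP/Dport of the response.
        user_ep = self.conversion_table.get((inner.dip, inner.dport))
        if user_ep is None:
            # Assumption: a response matching no recorded conversion is discarded, not forwarded.
            return None
        return replace(inner, dip=user_ep[0], dport=user_ep[1])  # S923: sent from port A351


def build_sample_gateway() -> UserSideGateway:
    """Constructed sample tables. Only the 192.168.0.10/.11 -> 10.0.0.20 mapping comes from FIG. 4;
    port numbers, VPN method names and the 203.0.113.0/24 global addresses are placeholders."""
    return UserSideGateway(
        conversion_rule={
            ("192.168.0.10", 50000): ("10.0.0.20", 30001),
            ("192.168.0.11", 50000): ("10.0.0.20", 30002),  # same cloud-side IP, distinct port
        },
        vpn_control_info={"192.168.0.10": (1, "method-A"), "192.168.0.11": (2, "method-B")},
        vpn_destination_info={30001: "203.0.113.10", 30002: "203.0.113.11"},
    )
```

Because two user-side hosts share one cloud-side address, the cloud-side port is what keeps the reverse mapping unambiguous; a response whose (DIP, Dport) was never recorded has no user-side owner and is not forwarded.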
- the present invention is not limited to the embodiments described above, and includes various modifications.
- the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described.
- a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment.
- each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit.
- each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by a central processing unit (processor).
- Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, and an SSD, or a recording medium such as an IC card, an SD card, and a DVD.
- control lines and information lines indicate what is considered necessary for the explanation, and do not necessarily indicate all the control lines and information lines of the product to which the present invention is applied.
- the names of network devices such as “NAT device”, “gateway device (GW device)”, and “VPN device” in the above description are merely for convenience; these devices may be configured as devices specialized for each function or as a device having a plurality of functions. An equivalent function may also be incorporated into a router device, a switch device, an information processing device, or the like.
Abstract
[Problem] To enable the use of a cloud service under a common information platform spanning a plurality of user sites, while ensuring security. [Solution] When a user-side second NAT device (312) on a user-side network (52) receives, from a user device (30) via the user-side network (52), a request packet for an information processing service, it converts the source address in the header of the request packet, expressed as a private address of the user-side network (52), into a source address expressed as a private address of a cloud-side network (51) in accordance with a preset conversion rule. A user-side VPN device (311) transmits the converted request packet to a cloud-side VPN device (21) by VPN communication via the Internet (5). The cloud-side VPN device (21) decapsulates the received VPN packet to obtain the request packet, and transmits the request packet to a server device (20) via the cloud-side network (51).
Description
The present invention relates to a network system, a communication control device, and a communication method.
Patent Document 1 describes an apparatus for routing packets from a gateway to an endpoint, comprising: an addressing element that associates a private address with an endpoint having a public IP address; a receiver in communication with the addressing element that intercepts packets destined for the endpoint's private address; a policy engine in communication with the receiver that receives the packets and, in response to a policy applied to them, sends them to the endpoint; and a component in communication with the receiver, the policy engine and the addressing element that performs network address translation on the packets and sends them to the endpoint.
The use of cloud computing services (hereinafter referred to as cloud services) is spreading, for purposes such as reducing initial deployment cost, enabling cooperation between sites, and providing failover in virtualized environments. With regard to the use of cloud services, there is a need to use them under a common information platform spanning a plurality of user sites while ensuring security, so that information can be exploited from a bird's-eye view across all user sites and information from the individual user sites can be integrated to provide services for management.
One way to meet these needs is, for example, as shown in FIG. 10, to connect the network on the cloud service provider side at a cloud site 2 such as a data center (hereinafter referred to as the cloud-side NW 51) and the user-side network present at each user site 3 (hereinafter referred to as the user-side NW 52) by a VPN (Virtual Private Network).
However, the user-side NW 52 at each user site 3 often operates an existing network that uses private addresses, so connecting the sites by VPN may cause private addresses to be duplicated between user sites 3. Changing the private address scheme at a user site 3 to avoid duplication is conceivable, but such a change has a large impact on the existing system, and there is a risk that the impact of a misconfiguration or oversight spreads beyond the boundary of the user site 3.
The present invention was made against this background, and its object is to provide a network system, a communication control device, and a communication method that make it possible to use a cloud service under a common information platform spanning a plurality of user sites while ensuring security.
One aspect of the present invention that solves the above problem comprises: a server device connected to a provider-side network, which is the communication network of a provider site that provides an information processing service; a user device that connects to a user-side network, which is the communication network of a user site that uses the information processing service and is communicably connected to the provider-side network via the Internet, and that accesses the server device to use the information processing service; a provider-side VPN device connected to the provider-side network; a user-side VPN device connected to the user-side network, which together with the provider-side VPN device realizes VPN communication via the Internet; and a user-side second address translation device connected to the user-side network. When the user-side second address translation device receives from the user device, via the user-side network, a request packet (a packet requesting the server device to provide the information processing service), it converts, according to a preset conversion rule, the source address expressed as a private address of the user-side network that is set in the header the request packet uses for communication on the user-side network into a source address expressed as a private address of the provider-side network. The user-side VPN device transmits a VPN packet, which encapsulates the converted request packet, to the provider-side VPN device via the Internet by the VPN communication. On receiving the VPN packet, the provider-side VPN device decapsulates it to obtain the request packet and transmits the obtained request packet to the server device via the provider-side network.
Other problems disclosed by the present application and their solutions will be made clear by the description of the embodiments and the drawings.
According to the present invention, a cloud service can be used under a common information platform spanning a plurality of user sites while ensuring security.
Embodiments are described below with reference to the drawings.
FIG. 1 shows the schematic configuration of a network system 1 (information processing system) described as an embodiment. As shown in the figure, the network system 1 includes a group of devices (information processing devices, communication network equipment, etc.) installed at a cloud site 2 (provider site) such as a data center in order to provide a cloud computing service (hereinafter also referred to as a “cloud service”) as an information processing service, and a group of devices (information processing devices, communication network equipment, etc.) installed at each of a plurality of user sites 3 that use the cloud service via the Internet 5. The cloud service is, for example, an ASP (Application Service Provider) service, SaaS (Software as a Service), PaaS (Platform as a Service), or the like.
The cloud site 2 contains a server device 20 that realizes the cloud service, a cloud-side VPN device 21 (provider-side VPN device), and a cloud-side NAT device 22 (provider-side address translation device). The server device 20 is an information processing device (computer) with a central processing unit (CPU, MPU), a storage device (memory (ROM, RAM, etc.), hard disk drive, SSD (Solid State Drive), etc.), and a communication device. On the server device 20 run, for example, an operating system, software that provides a virtualization platform, and various applications (DBMS (Data Base Management System), various Web services, etc.).
The cloud site 2 has a network on the cloud service provider side (provider-side network) (hereinafter also referred to as the “cloud-side NW 51”), to which the server device 20 and the cloud-side VPN device 21 are connected. The cloud-side NW 51 is, for example, a LAN (Local Area Network) or a WAN (Wide Area Network), and supports communication conforming to TCP/IP.
When the server device 20 receives from a user device 30 a packet requesting use of the cloud service (hereinafter also referred to as a “request packet”), sent via the user-side NW 52 described later, the Internet 5 and the cloud-side NW 51, it executes the cloud service specified in the request packet, generates a packet containing the execution result, a processing completion notification or the like (hereinafter also referred to as a “response packet”), and transmits it to the user device 30 that sent the request packet.
The cloud-side VPN device 21 realizes VPN (Virtual Private Network) communication via the Internet 5. For packets transmitted to the Internet 5, the cloud-side VPN device 21 adds authentication information, encrypts, and encapsulates them (hereinafter this series of processing is also referred to as “VPN encapsulation”). For packets received from the Internet 5, the cloud-side VPN device 21 decapsulates, decrypts, and authenticates them (hereinafter this series of processing is also referred to as “VPN decapsulation”).
The cloud-side NAT device 22 (NAT: Network Address Translation) connects to the Internet 5 and is communicably connected to the cloud-side VPN device 21, functioning as a relay device that connects the cloud-side NW 51 and the Internet 5. For packets transmitted and received via the Internet 5, the cloud-side NAT device 22 translates between global IP addresses on the Internet 5 and private addresses (also called “local addresses”) on the cloud-side NW 51. That is, for a packet received from the Internet 5, the cloud-side NAT device 22 converts the global IP address set in it into a private address of the cloud-side NW 51, and for a packet received from the cloud-side VPN device 21, it converts the cloud-side NW 51 private address set in it into a global IP address.
The cloud-side VPN device 21 and the cloud-side NAT device 22 may be implemented on the same hardware; for example, they may be replaced by a gateway device that has both functions. A plurality of cloud-side VPN devices 21 and cloud-side NAT devices 22 may also be provided for purposes such as load distribution and ensuring availability. In the following description, the term “NAT” also covers so-called “NAPT” (Network Address Port Translation), which translates port numbers in addition to IP addresses.
The user site 3 has a network on the user side of the cloud service (hereinafter also referred to as the “user-side NW 52”), to which a user device 30 that uses the cloud service, a gateway device (hereinafter also referred to as the “user-side GW device 31”), and a user-side first NAT device 32 (user-side first address translation device) are connected. The user-side NW 52 is, for example, a LAN or a WAN, and supports communication conforming to TCP/IP.
The user device 30 is an information processing device (computer) with a central processing unit (CPU, MPU), a storage device (memory (ROM, RAM, etc.), hard disk drive, SSD, etc.), and a communication device. On the user device 30, an operating system and applications (a client application for using the cloud service, a Web browser, etc.) run, providing the user of the user device 30 with an environment for using the cloud service. To use the cloud service, the user device 30 transmits a request packet to the user-side GW device 31 and receives the response packet from the user-side GW device 31.
The user-side GW device 31 includes a user-side VPN device 311 and a user-side second NAT device 312 (user-side second address translation device). The user-side VPN device 311 and the user-side second NAT device 312 may be implemented as a plurality of independent, communicably connected hardware units, or on common hardware.
The user-side VPN device 311 realizes VPN communication with the cloud-side VPN device 21 via the Internet 5. The user-side VPN device 311 performs VPN encapsulation on request packets transmitted to the Internet 5 and VPN decapsulation on response packets received from the Internet 5.
In accordance with a conversion rule that is set and stored in advance, the user-side second NAT device 312 converts the source and destination addresses, expressed as private addresses of the user-side NW 52, that are set in the header used for user-side NW 52 communication of a request packet transmitted from the user device 30 to the server device 20, into source and destination addresses expressed as private addresses of the cloud-side NW 51. Conversely, the user-side second NAT device 312 converts the source and destination addresses, expressed as private addresses of the cloud-side NW 51, that are set in the header of a response packet sent from the server device 20, into source and destination addresses expressed as private addresses of the user-side NW 52.
In this way, in the network system 1 of this embodiment, the user-side second NAT device 312 sets source and destination addresses expressed as private addresses of the cloud-side NW 51 in request packets transmitted from the user device 30 to the server device 20, so on the cloud-side NW 51 the request packet can be presented to the server device 20 as if it had been sent by an information processing device connected to the cloud-side NW 51. When a plurality of user-side NWs 52 exist, the request packets transmitted from the user devices 30 connected to each user-side NW 52 are given source addresses expressed as private addresses of the cloud-side NW 51 that do not overlap between user devices 30, so different user-side NWs 52 can use a common cloud service. This makes it possible, for example, to use a cloud service under a common information platform spanning a plurality of user sites, meeting needs such as exploiting information from a bird's-eye view and integrating information across user sites 3 to provide services for management. Sharing information that was distributed across a plurality of user sites 3 also enables the provision of various services based on the aggregated information.
The user-side second NAT device 312 is, for example, installed at each user site 3 by the cloud service provider, and the conversion rule is set by the cloud service provider. Services that were operated at the user site 3 can therefore be migrated to the cloud service easily and at low cost, without forcing new software or configuration changes onto the user device 30 or the user-side first NAT device 32.
The user-side first NAT device 32 shown in FIG. 1 functions as a relay device connecting the user-side NW 52 to the Internet 5. For packets sent and received via the Internet 5, it translates between global IP addresses on the Internet 5 and private addresses of the user-side NW 52. The user-side first NAT device 32 may also reside on the Internet provider's side, for example.
On the user-side NW 52, the user-side GW device 31 and the user device 30 are peers. That is, the user-side first NAT device 32 performs the above translation without distinguishing whether the party sending or receiving a packet is the user-side GW device 31 or the user device 30. This means that if the user site 3 already has a NAT device relaying between the Internet 5 and the user site 3, that device can serve as the user-side first NAT device 32. If the user site 3 has no need to provide the function of the user-side first NAT device 32 to anyone other than cloud service users, the user-side first NAT device 32 may be connected directly to the user-side GW device 31 instead of to the user-side NW 52.
Next, the flow of packets (request packets and response packets) is described. In the following, the source IP address, destination IP address, source port number and destination port number set in a packet header are also written "SIP", "DIP", "Sport" and "Dport" respectively. The header contents described below can be obtained, for example, by attaching a network analyzer at key points of the cloud-side NW 51, the Internet 5 and the user-side NW 52 and analyzing the captured packets.
In this embodiment, the case where the network addresses used on the cloud-side NW 51, the Internet 5 and the user-side NW 52 are IPv4 (Internet Protocol version 4) addresses is described as an example, but the communication scheme (type of communication protocol) is not limited to this. The network system 1 of this embodiment can also be applied where another kind of addressing is used as the network address, such as IPv6 (Internet Protocol version 6) addresses, MAC (Media Access Control) addresses, or labels in MPLS (Multi-Protocol Label Switching).
First, the flow of a request packet from its transmission by the user device 30 until its receipt by the server device 20 is described with reference to FIG. 2. As shown there, this example assumes that the user device 30 sends the user-side second NAT device 312 a request packet 101 whose header carries "SIP:192.168.0.10", "DIP:192.168.0.129", "Sport:10000" and "Dport:1500". Here "SIP:192.168.0.10" is the private address assigned to the user device 30 on the user-side NW 52, and "DIP:192.168.0.129" is the private address assigned to the user-side second NAT device 312 on the user-side NW 52. In this way, when it uses a cloud service provided by the server device 20, the user device 30 sends a request packet whose header carries the private address of the user-side second NAT device 312 (S111). When it sends a packet unrelated to the cloud service to the Internet 5, the user device 30 instead sets the private address of the user-side first NAT device 32, "DIP:192.168.0.1", in the packet header and sends it onto the user-side NW 52.
The "Sport:10000" in the request packet header is a value chosen arbitrarily by the user device 30 (a value other than a well-known port), assigned for example by the application running on the user device 30 that uses the cloud service. "Dport:1500" is the port number corresponding to the cloud service that the request packet 101 asks to use. In this way the user device 30 (the application running on it) can designate which of several offered cloud services it wants to use.
The user-side second NAT device 312 then converts, according to the conversion rule, the combination of user-side NW 52 private address and port number specified in the header of the request packet 101 received from the user device 30 into a combination of cloud-side NW 51 private address and port number (S112). In this example, following the conversion rule, the user-side second NAT device 312 converts "SIP:192.168.0.10" into "SIP:10.0.0.20", a private address on the cloud-side NW 51; "DIP:192.168.0.129" into "DIP:10.0.0.10", the private address of the server device 20 on the cloud-side NW 51; "Sport:10000" into "Sport:20000"; and "Dport:1500" into "Dport:1024".
The "Sport:20000" set in the header of request packet 102 is a port number assigned uniquely to the combination of "SIP:192.168.0.10" and "Sport:10000" in the packet 101 sent by the user device 30. The user-side second NAT device 312 records in the conversion table 400 the correspondence between the pair "SIP:192.168.0.10"/"Sport:10000" and "Sport:20000". When it receives the response to this request packet, the user-side second NAT device 312 uses the port number "Sport:20000" to identify the "SIP:192.168.0.10" and "Sport:10000" of the user device 30 that sent the request, and delivers the response packet to that user device 30.
"Dport:1024" is the port number corresponding to the cloud service being used, that is, the port number by which the server device 20 identifies the cloud service. The "Dport:1500" designated by the user device 30 is thus automatically converted, according to the conversion rule, into the port number by which the server device 20 identifies the cloud service. This means, for example, that if the port numbering scheme on the server device 20 side changes, only the conversion rule needs to be updated; the cloud service's port numbering can be changed without affecting the user device 30.
The user-side VPN device 311 VPN-encapsulates the request packet 102 produced by the user-side second NAT device 312 and sends it via the user-side NW 52 to the user-side first NAT device 32 (S113). As shown in the figure, in this example the user-side VPN device 311 sets "SIP:192.168.0.130", "DIP:210.0.0.100", "Sport:25000" and "Dport:1194" in the header of the VPN-encapsulated request packet 103 (hereinafter the VPN header).
Here "SIP:192.168.0.130" is the private address assigned to the user-side VPN device 311 on the user-side NW 52. "DIP:210.0.0.100" is the global IP address on the Internet 5 assigned to the cloud-side NAT device 22. "Sport:25000" is a port number assigned arbitrarily by the user-side VPN device 311; where several user-side VPN devices 311 are installed at the same user site 3, for example for load distribution or availability, this value serves as an identifier distinguishing the individual user-side VPN devices 311. "Dport:1194" is the well-known port assigned to the VPN service.
The user-side first NAT device 32 sends the request packet VPN-encapsulated by the user-side VPN device 311 to the cloud-side NAT device 22 via the Internet 5 (S114). As shown in the figure, in this example the user-side first NAT device 32 sets "SIP:96.50.0.20", "DIP:210.0.0.100", "Sport:40000" and "Dport:1194" in the header of the request packet 104 it sends onto the Internet 5. Here "SIP:96.50.0.20" is the global IP address assigned to the user-side first NAT device 32 on the Internet 5 (if the cloud-side VPN device 21 is connected directly to the Internet 5, the global IP address of the cloud-side VPN device 21 may be used). "Sport:40000" is a value chosen arbitrarily by the user-side first NAT device 32 (a value other than a well-known port). The user-side first NAT device 32 records the correspondence between the "SIP:192.168.0.130"/"Sport:25000" pair of request packet 103 and the "Sport:40000" it assigned, and uses this record, for example, when it receives the response to request packet 104.
Upon receiving the request packet 104 via the Internet 5, the cloud-side NAT device 22 converts the global IP addresses set in the request packet 104 into private addresses of the cloud-side NW 51 and sends the converted request packet 105 to the cloud-side VPN device 21 via the cloud-side NW 51 (S115). In this example, the cloud-side NAT device 22 converts the global IP address "SIP:96.50.0.20" in the header of the request packet 104 received via the Internet 5 into "SIP:10.0.0.15", the private address assigned to the cloud-side NAT device 22 on the cloud-side NW 51, and converts "DIP:210.0.0.100" into "DIP:10.0.0.130", the address assigned to the cloud-side VPN device 21 on the cloud-side NW 51.
Upon receiving the request packet 105 from the cloud-side NAT device 22, the cloud-side VPN device 21 decapsulates it and sends the decapsulated request packet 106 to the server device 20 via the cloud-side NW 51 (S116). As shown in the figure, the header of the request packet 106 sent from the cloud-side VPN device 21 to the server device 20, "SIP:10.0.0.20", "DIP:10.0.0.10", "Sport:20000" and "Dport:1024", is identical to the header of the request packet 102 generated earlier by the user-side second NAT device 312.
Next, the flow of a response packet from its transmission by the server device 20 until its receipt by the user device 30 is described with reference to FIG. 3. As shown there, when the server device 20 has executed the cloud service for the request packet 106 of FIG. 2, it sends the cloud-side VPN device 21 a response packet 201 whose header is that of request packet 106 with the sending and receiving roles reversed, that is, "SIP:10.0.0.10", "DIP:10.0.0.20", "Sport:1024" and "Dport:20000" (S211). The server device 20 identifies the user site 3 (user-side NW 52) hosting the user-side second NAT device 312 to which the response packet 201 is addressed by, for example, querying at least one of the cloud-side NW 51, the Internet 5 and the user-side NW 52 at layer 2 (the data link layer of the OSI (Open Systems Interconnection) reference model) for the physical address (for example the MAC address) that was set in the request packet 106. Alternatively, where the cloud-side VPN device 21 or the cloud-side NAT device 22 holds routing information, the server device 20 identifies the user site 3 (user-side NW 52) hosting the destination user-side second NAT device 312 by querying the cloud-side VPN device 21 at layer 3 (the network layer of the OSI reference model).
Upon receiving the response packet 201, the cloud-side VPN device 21 VPN-encapsulates it and sends the encapsulated response packet 202 to the cloud-side NAT device 22 (S212). As shown in the figure, in this example the VPN header carries "SIP:10.0.0.130", "DIP:10.0.0.15", "Sport:1194" and "Dport:30000". Here "SIP:10.0.0.130" is the private address assigned to the cloud-side VPN device 21 on the cloud-side NW 51, and "DIP:10.0.0.15" is the private address assigned to the cloud-side NAT device 22 on the cloud-side NW 51. "Sport:1194" is the well-known port assigned to the VPN service. "Dport:30000" is a port number assigned arbitrarily by the cloud-side VPN device 21; where several cloud-side VPN devices 21 are installed at the same cloud site 2, for example for load distribution or availability, this port number serves as an identifier distinguishing the individual cloud-side VPN devices 21.
The cloud-side NAT device 22 sends the response packet 202 VPN-encapsulated by the cloud-side VPN device 21 to the user-side first NAT device 32 via the Internet 5 (S213). As shown in the figure, in this example the cloud-side NAT device 22 sets "SIP:210.0.0.100", "DIP:96.50.0.20", "Sport:1194" and "Dport:40000" in the header of the response packet 203 it sends onto the Internet 5. Here "SIP:210.0.0.100" is the global IP address assigned to the cloud-side NAT device 22 on the Internet 5, and "DIP:96.50.0.20" is the global IP address assigned to the user-side first NAT device 32 on the Internet 5. "Sport:1194" is the well-known port assigned to the VPN service. "Dport:40000" is the value the user-side first NAT device 32 set when it sent the request packet 104.
Upon receiving the response packet 203 via the Internet 5, the user-side first NAT device 32 converts the global IP addresses set in the response packet 203 into private addresses of the user-side NW 52 and sends the converted response packet 204 to the user-side VPN device 311 via the user-side NW 52 (S214). In this example, the user-side first NAT device 32 sets "SIP:192.168.0.1", "DIP:192.168.0.130", "Sport:1194" and "Dport:25000" in the header of the response packet 204. Here "SIP:192.168.0.1" is the private address assigned to the user-side first NAT device 32 on the user-side NW 52, and "DIP:192.168.0.130" is the private address assigned to the user-side VPN device 311 on the user-side NW 52. "Sport:1194" is the well-known port assigned to the VPN service. "Dport:25000" is set from the record the user-side first NAT device 32 kept when it sent the request packet 104: as described above, it recorded the correspondence between the "SIP:192.168.0.130"/"Sport:25000" pair of request packet 103 and the "Sport:40000" it assigned to request packet 104, so from the "Dport:40000" of response packet 203 it recovers the pair "SIP:192.168.0.130"/"Sport:25000".
The user-side VPN device 311 decapsulates the response packet 204 received from the user-side first NAT device 32 and sends the decapsulated response packet 205 to the user-side second NAT device 312 (S215).
Upon receiving the response packet 205, the user-side second NAT device 312 performs the inverse of the conversion of S112 in FIG. 2 on the header of the response packet 205, using the correspondence between the "SIP:192.168.0.10"/"Sport:10000" pair and "Sport:20000" that it recorded when converting request packet 101 into request packet 102, together with the conversion rule, and sends the converted response packet 206 to the user device 30 (S216). As shown in the figure, the user-side second NAT device 312 generates a response packet 206 whose header carries "SIP:192.168.0.129", "DIP:192.168.0.10", "Sport:1500" and "Dport:10000", the header of request packet 101 with the sending and receiving roles reversed, and sends it to the user device 30.
FIG. 4 shows an example of the conversion table 400 stored by the user-side GW device 31. The conversion rule described above consists of an algorithm or table configured to produce the results recorded in this conversion table 400. When the user-side second NAT device 312 (user-side GW device 31) converts, according to the conversion rule, the combination of user-side NW 52 private address and port number specified in the header of a new request packet received from the user device 30 into a combination of cloud-side NW 51 private address and port number, it records the result in the conversion table 400.
Each record of the conversion table 400 contains a user-side IP address 411, the private address on the user-side NW 52 of the user device 30 that sent the received request packet; a cloud-side IP address 412, the private address used for that request packet on the cloud-side NW 51; a user-side port number 413, the port number set in the received request packet; and a cloud-side port number 414, the port number used for that request packet on the cloud-side NW 51. The cloud-side port number 414 corresponds to the type of cloud service, and different cloud-side port numbers 414 are associated with different user-side port numbers 413.
The conversion rule is set so as to assign each user device 30 a unique cloud-side IP address 412. This ensures the uniqueness of request packets on the cloud-side NW 51, so that user devices 30 belonging to different user-side NWs 52 can access the same cloud service at the same time. The conversion rule may also be set so that different user-side IP addresses 411 map to the same cloud-side IP address 412 (in the conversion table 400 of FIG. 4, the user-side IP addresses 411 "192.168.0.10" and "192.168.0.11" are both converted to the cloud-side IP address 412 "10.0.0.20"); in that case the flows are kept apart by the cloud-side port number assigned uniquely to each user-side address and port pair.
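The request path of FIG. 2, the response path of FIG. 3 and the conversion table 400 of FIG. 4 can be followed hop by hop in the following added example. It is not part of the patent; the classes UserSideSecondNat, StatefulNat and VpnDevice are hypothetical models of the devices the text describes, and the address and port values are the ones given on this page. Two modelling assumptions are mine: the cloud-side NAT device 22 is modelled as allocating the port 30000 when it translates request packet 104 and using it to recover the "96.50.0.20"/"40000" pair on the return path (the page attributes the choice of 30000 to the cloud-side VPN device 21 and does not give the ports of request packet 105), and the user-side VPN device 311 is addressed as 192.168.0.130 throughout, as the page defines it. A second user device 192.168.0.11 sharing the cloud-side IP address 10.0.0.20, as in FIG. 4, is also sent through the second NAT to show that the cloud-side source port keeps the two flows apart.

```python
# Added example, not from the patent: header rewrites of FIG. 2/FIG. 3 and conversion table 400 (FIG. 4).
from typing import Dict, NamedTuple, Optional, Tuple

VPN_PORT = 1194  # well-known port of the VPN service (value from the page)
Header = NamedTuple("Header", [("sip", str), ("dip", str), ("sport", int), ("dport", int)])
Tunnelled = NamedTuple("Tunnelled", [("outer", Header), ("inner", Header)])  # VPN header + packet


def reply(h: Header) -> Header:  # response header: sending and receiving roles reversed
    return Header(h.dip, h.sip, h.dport, h.sport)


class UserSideSecondNat:
    """User-side second NAT device 312 with conversion table 400. ip_rule may map several
    user-side IPs to one cloud-side IP (FIG. 4); a unique cloud Sport per flow keeps them apart."""
    def __init__(self, own_ip: str, server_ip: str, ip_rule: Dict[str, str],
                 service_ports: Dict[int, int], first_cloud_port: int = 20000):
        self.own_ip, self.server_ip, self.ip_rule = own_ip, server_ip, ip_rule
        self.service_ports = service_ports  # user-chosen Dport -> Dport used by server device 20
        self.next_port = first_cloud_port
        # table 400: (user IP 411, user Sport 413) -> (cloud IP 412, cloud Sport 414)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.by_cloud: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def to_cloud(self, hdr: Header) -> Header:  # S112: request packet 101 -> 102
        if hdr.dip != self.own_ip:
            raise ValueError("request not addressed to the second NAT device")
        key = (hdr.sip, hdr.sport)
        if key not in self.table:  # first packet of this flow: allocate a cloud-side Sport
            self.table[key] = (self.ip_rule[hdr.sip], self.next_port)
            self.by_cloud[self.table[key]] = key
            self.next_port += 1
        cloud_ip, cloud_sport = self.table[key]
        return Header(cloud_ip, self.server_ip, cloud_sport, self.service_ports[hdr.dport])

    def to_user(self, hdr: Header) -> Header:  # S216: response packet 205 -> 206
        user_ip, user_sport = self.by_cloud[(hdr.dip, hdr.dport)]
        user_dport = next(u for u, c in self.service_ports.items() if c == hdr.sport)
        return Header(self.own_ip, user_ip, user_dport, user_sport)


class StatefulNat:  # first NAT device 32 / cloud-side NAT device 22: allocated port finds the original
    def __init__(self, first_port: int):
        self.next_port = first_port
        self.table: Dict[int, Tuple[str, int]] = {}  # allocated port -> original (SIP, Sport)

    def forward(self, hdr: Header, new_sip: str, new_dip: Optional[str] = None) -> Header:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (hdr.sip, hdr.sport)
        return Header(new_sip, new_dip or hdr.dip, port, hdr.dport)

    def reverse(self, hdr: Header, new_sip: str) -> Header:
        orig_ip, orig_port = self.table[hdr.dport]
        return Header(new_sip, orig_ip, hdr.sport, orig_port)


class VpnDevice:  # user-side VPN device 311 or cloud-side VPN device 21
    def __init__(self, own_ip: str, local_port: int):
        self.own_ip, self.local_port = own_ip, local_port
        self.peer_outer: Optional[Header] = None  # VPN header last received from the peer

    def encapsulate(self, inner: Header, peer_ip: str) -> Tunnelled:  # S113
        return Tunnelled(Header(self.own_ip, peer_ip, self.local_port, VPN_PORT), inner)

    def decapsulate(self, pkt: Tunnelled) -> Header:  # S116 / S215
        if (pkt.outer.dip, pkt.outer.dport) != (self.own_ip, self.local_port):
            raise ValueError("VPN header not addressed to this endpoint")
        self.peer_outer = pkt.outer
        return pkt.inner

    def encapsulate_reply(self, inner: Header) -> Tunnelled:  # S212: answer into the tunnel we saw
        if self.peer_outer is None:
            raise RuntimeError("no tunnel established")
        return Tunnelled(reply(self.peer_outer), inner)


def run_example() -> Dict[str, Header]:  # FIG. 2 then FIG. 3, returning each numbered header
    nat312 = UserSideSecondNat("192.168.0.129", "10.0.0.10", service_ports={1500: 1024},
                               ip_rule={"192.168.0.10": "10.0.0.20", "192.168.0.11": "10.0.0.20"})
    vpn311, nat32 = VpnDevice("192.168.0.130", 25000), StatefulNat(first_port=40000)
    # Assumption: nat22 allocates 30000 (the page credits vpn21 and omits the ports of packet 105)
    nat22, vpn21 = StatefulNat(first_port=30000), VpnDevice("10.0.0.130", VPN_PORT)
    h = {"101": Header("192.168.0.10", "192.168.0.129", 10000, 1500)}  # S111
    h["102"] = nat312.to_cloud(h["101"])
    p103 = vpn311.encapsulate(h["102"], peer_ip="210.0.0.100")
    p104 = Tunnelled(nat32.forward(p103.outer, "96.50.0.20"), p103.inner)  # S114
    p105 = Tunnelled(nat22.forward(p104.outer, "10.0.0.15", "10.0.0.130"), p104.inner)  # S115
    h["103"], h["104"], h["105"] = p103.outer, p104.outer, p105.outer
    h["106"] = vpn21.decapsulate(p105)
    h["201"] = reply(h["106"])  # S211: server device 20 answers
    p202 = vpn21.encapsulate_reply(h["201"])
    p203 = Tunnelled(nat22.reverse(p202.outer, "210.0.0.100"), p202.inner)  # S213
    p204 = Tunnelled(nat32.reverse(p203.outer, "192.168.0.1"), p203.inner)  # S214
    h["202"], h["203"], h["204"] = p202.outer, p203.outer, p204.outer
    h["205"] = vpn311.decapsulate(p204)
    h["206"] = nat312.to_user(h["205"])
    h["other"] = nat312.to_cloud(Header("192.168.0.11", "192.168.0.129", 10000, 1500))  # FIG. 4
    return h
```

Running run_example() reproduces the headers of packets 101 to 106 and 201 to 206 as listed above; the inner header survives the tunnel unchanged (106 equals 102, 205 equals 201), each NAT recovers the original address and port from nothing but the port it allocated, and the second user device receives cloud-side source port 20001 even though it shares cloud-side IP address 10.0.0.20 with the first.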
FIG. 5 shows the main functions of the user-side GW device 31 and the main information (data, tables) it stores. The figure does not distinguish the two devices within the user-side GW device 31, the user-side VPN device 311 and the user-side second NAT device 312. The information shown (the conversion rule 361, corresponding to the conversion rule described above; the VPN control information 362; and the VPN destination information 363, collectively referred to below as packet control information) is stored by at least one of the user-side VPN device 311 and the user-side second NAT device 312.
The user-side GW device 31 provides an interface for maintaining the packet control information. The packet control information can be set, for example, through a user interface of the user-side GW device 31 (an input device such as a keyboard or mouse together with a display device such as an LCD monitor). It can also be set by sending an update instruction (for example the information update packet described later) to the user-side GW device 31 from an information processing apparatus (maintenance terminal or the like) connected to the cloud-side NW 51, or from an information processing apparatus (management terminal or the like) connected to the user-side NW 52. The user-side GW device 31, the information processing apparatus (maintenance terminal or the like) connected to the cloud-side NW 51 and the information processing apparatus (management terminal or the like) connected to the user-side NW 52 accept packet control information settings and update instructions, for example, while showing a screen for entering the packet control information on a display device (LCD or the like).
As shown in the figure, the user-side GW device 31 has an input/output port A 351 and an input/output port B 352, both communication ports of the user-side GW device 31 (for example ports of a NIC (Network Interface Card)). Packets sent from the user device 30 arrive at input/output port A 351, and packets addressed to the user device 30 are sent from it. Packets sent from the server device 20 arrive at input/output port B 352, and packets addressed to the server device 20 are sent from it. Input/output port A 351 is assigned the private address of the user-side second NAT device 312 described above (for example "192.168.0.129" in FIG. 2 or FIG. 3), and input/output port B 352 is assigned the private address of the user-side VPN device 311 (for example "192.168.0.130" in FIG. 2 or FIG. 3). This embodiment describes the case where the user-side GW device 31 connects to the user-side NW 52 through two communication ports, but the user-side GW device 31 can be given functions equivalent to those described in this embodiment, by translating network addresses and port numbers appropriately, when it connects to the user-side NW 52 through a single communication port or through three or more.
The packet determination unit 353 shown in the figure determines whether a packet arriving at input/output port A351 is a request packet or a packet intended to update the packet control information (hereinafter referred to as an information update packet). If the packet arriving at input/output port A351 is a request packet, the packet determination unit 353 sends it to the NAT conversion unit 354; if it is an information update packet, it sends it to the information update processing unit 356 shown in the figure. The packet determination unit 353 likewise determines whether a packet arriving at input/output port B352 is a response packet or an information update packet. If it is a response packet, the packet determination unit 353 sends it to the NAT conversion unit 354 shown in the figure; if it is an information update packet, it sends it to the information update processing unit 356. Transmission of an information update packet from the cloud site 2 to the user-side GW device 31 may be performed by the VPN communication described above or by using another authentication method. Alternatively, a dedicated physical line connecting the cloud site 2 and the user site 3 may be provided, over which the cloud site 2 sends information update packets to the user-side GW device 31.
Upon receiving an information update packet from the packet determination unit 353, the information update processing unit 356 updates the packet control information (at least one of the conversion rule 361, the VPN control information 362, and the VPN destination information 363) according to its content. An information update packet arriving at input/output port A351 is, for example, one sent from an information processing device (maintenance terminal or the like) connected to the user-side NW 52, and an information update packet arriving at input/output port B352 is one sent from an information processing device (management terminal or the like) of the cloud site 2 via the Internet 5.
In accordance with the conversion rule 361, the NAT conversion unit 354 converts the combination of private address and port number of the user-side NW 52 that is set in a request packet received from the packet determination unit 353 into a combination of private address and port number of the cloud-side NW 51. Likewise, in accordance with the conversion rule 361, the NAT conversion unit 354 converts the combination of private address and port number of the cloud-side NW 51 set in a response packet sent from the server device 20 into a combination of private address and port number of the user-side NW 52. As described above, the NAT conversion unit 354 records the content (result) of each conversion in the conversion table 400. The NAT conversion unit 354 sends converted request packets to the VPN processing unit 355 and converted response packets to input/output port A351.
The VPN processing unit 355 searches the VPN control information 362 using as a key the "SIP" that was set in the header of the request packet received from the NAT conversion unit 354 before conversion by the NAT conversion unit 354, and thereby obtains the control method for the VPN communication (priority 612, VPN method 613). The "SIP" of the request packet before conversion is, for example, notified from the NAT conversion unit 354 to the VPN processing unit 355 as needed. The VPN processing unit 355 also searches the cloud-site-side port number 711 of the VPN destination information 363 using as a key the "Sport" set in the header of the request packet after conversion by the NAT conversion unit 354, and thereby obtains the cloud-site-side global IP address 712. The VPN processing unit 355 VPN-encapsulates the request packet according to the obtained control method, sets the obtained global IP address in the "DIP" of the header of the VPN-encapsulated request packet, and sends it from input/output port B352. Conversely, the VPN processing unit 355 VPN-decapsulates response packets arriving at input/output port B352 and sends the decapsulated response packets to the packet determination unit 353.
FIG. 6 shows an example of the VPN control information 362 stored in the user-side GW device 31. As shown in the figure, the VPN control information 362 consists of a plurality of records, each having the items user-side IP address 611, priority 612, and VPN method 613. The priority 612 and the VPN method 613 are merely examples of parameters that control QoS (Quality of Service) during VPN encapsulation; the kinds of parameters that determine the VPN encapsulation control method are not limited to these.
FIG. 7 shows an example of the VPN destination information 363 stored in the user-side GW device 31. As shown in the figure, the VPN destination information 363 consists of a plurality of records, each having the items cloud-site-side port number 711 and cloud-site-side global IP address 712. The cloud-site-side port number 711 holds the port number that the server device 20 uses to identify a cloud service. The cloud-site-side global IP address 712 holds the global IP address of the cloud-side NAT device 22 (or, when the cloud-side VPN device 21 is connected to the Internet 5, the global IP address of the cloud-side VPN device 21). There are multiple cloud-site-side global IP addresses 712 because, for example, multiple cloud sites 2 or cloud-side NAT devices 22 are provided for load balancing or to ensure availability. The cloud-side VPN device 21 may also be virtually assigned multiple global IP addresses, or multiple VLANs may be configured. The cloud-site-side global IP address 712 may also change dynamically.
Next, the processing of the user-side GW device 31 is described. FIG. 8 is a flowchart explaining the processing that the user-side GW device 31 performs when a packet arrives at its input/output port A351.
When a packet arrives at input/output port A351 (S811: Y), the packet determination unit 353 determines whether the arriving packet is an information update packet or a request packet (S812). If it is an information update packet (S812: information update packet), the packet determination unit 353 sends it to the information update processing unit 356 (S813). If it is a request packet (S812: request packet), the packet determination unit 353 sends it to the NAT conversion unit 354 (S821).
Upon receiving the information update packet from the packet determination unit 353, the information update processing unit 356 updates the packet control information (at least one of the conversion rule 361, the VPN control information 362, and the VPN destination information 363) according to the content of the information update packet (S814). Processing then returns to S811.
Upon receiving the request packet from the packet determination unit 353, the NAT conversion unit 354 converts, in accordance with the conversion rule 361, the "SIP" and "Sport" set in the request packet into the "SIP" and "Sport" used in the cloud-side NW 51, and sends the converted request packet to the VPN processing unit 355 (S822).
Upon receiving the request packet from the NAT conversion unit 354, the VPN processing unit 355 searches the VPN control information 362 using as a key the "SIP" of the request packet before the conversion in S822, and obtains the control method to apply to the request packet when VPN-encapsulating it (S823).
The VPN processing unit 355 also searches the VPN destination information 363 using as a key the "Sport" of the request packet after the conversion in S822, and obtains the global IP address on the cloud site 2 side that is the destination of the request packet, that is, the global IP address of the cloud-side NAT device 22 (or, when the cloud-side VPN device 21 is directly connected to the Internet 5, the global IP address of the cloud-side VPN device 21) (S824).
The VPN processing unit 355 then VPN-encapsulates the request packet based on the control method obtained in S823, and sends the VPN-encapsulated request packet from input/output port B352 to the global IP address obtained in S824 (S825). Processing then returns to S811.
The user-side GW device 31 operates as described above when a packet arrives at its input/output port A351.
FIG. 9 is a flowchart explaining the processing that the user-side GW device 31 performs when a packet arrives at its input/output port B352.
When a packet arrives at input/output port B352 (S911), the VPN processing unit 355 first VPN-decapsulates the arriving packet and sends the decapsulated packet to the packet determination unit 353 (S912).
Upon receiving the decapsulated packet, the packet determination unit 353 determines whether it is an information update packet or a response packet (S913). If it is an information update packet (S913: information update packet), the packet determination unit 353 sends it to the information update processing unit 356 (S914). If it is a response packet (S913: response packet), the packet determination unit 353 sends it to the NAT conversion unit 354 (S921).
Upon receiving the information update packet from the packet determination unit 353, the information update processing unit 356 updates the packet control information (at least one of the conversion rule 361, the VPN control information 362, and the VPN destination information 363) according to the content of the information update packet (S915). Processing then returns to S911.
Upon receiving the response packet from the packet determination unit 353, the NAT conversion unit 354 searches the conversion table 400 using as a key the "DIP" and "Dport" set in the response packet, and converts the cloud-side NW 51 "DIP" and "Dport" set in the response packet into the "DIP" and "Dport" of the user-side NW 52 (S922). The NAT conversion unit 354 then sends the converted response packet from input/output port A351 to the corresponding user device 30 (S923). Processing then returns to S911.
The user-side GW device 31 operates as described above when a packet arrives at its input/output port B352.
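The request path of FIG. 8, the response path of FIG. 9 and the table lookups of FIG. 6 and FIG. 7 can be read together as one small state machine. The Python model below is an added example and not the patent's or any product's code. The table layouts are assumptions made for the model: conversion rule 361 is keyed by the user-side (SIP, Sport) pair, VPN control information 362 by the user-side IP address, and VPN destination information 363 by the converted Sport, as the description states. All addresses, ports and VPN method names are constructed sample values. The model also shows the case the flowcharts leave implicit: a response whose (DIP, Dport) has no entry in conversion table 400 cannot be mapped back to a user device 30 and is dropped.

```python
"""Model of the user-side GW device 31 packet flow.

Added example, not the patent's code. Table names follow the description
(conversion rule 361, VPN control information 362, VPN destination
information 363, conversion table 400); table layouts, addresses, ports and
VPN method names are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass
class Packet:
    kind: str      # "request", "response" or "update"
    sip: str       # source IP ("SIP")
    sport: int     # source port ("Sport")
    dip: str       # destination IP ("DIP")
    dport: int     # destination port ("Dport")
    payload: object = None  # for "update": (table_name, key, value)


@dataclass
class VpnPacket:
    """VPN-encapsulated packet; the outer header carries the cloud-site global IP."""
    outer_dip: str
    priority: int  # priority 612
    method: str    # VPN method 613
    inner: Packet


class UserSideGateway:
    def __init__(self, conversion_rules, vpn_control_info, vpn_destination_info):
        # 361: (user-side SIP, Sport) -> (cloud-side SIP, Sport)
        self.conversion_rules: Dict[Endpoint, Endpoint] = dict(conversion_rules)
        # 362: user-side IP address 611 -> (priority 612, VPN method 613)
        self.vpn_control_info: Dict[str, Tuple[int, str]] = dict(vpn_control_info)
        # 363: cloud-site-side port number 711 -> cloud-site-side global IP address 712
        self.vpn_destination_info: Dict[int, str] = dict(vpn_destination_info)
        # 400: every conversion is recorded here so the response path can reverse it
        self.conversion_table: Dict[Endpoint, Endpoint] = {}

    @staticmethod
    def _lookup(table, key, name):
        try:
            return table[key]
        except KeyError:
            raise LookupError(f"no {name} entry for {key!r}") from None

    # --- FIG. 8: packet arriving at input/output port A351 ---
    def on_port_a(self, pkt: Packet) -> Optional[VpnPacket]:
        if pkt.kind == "update":            # S812 -> S813, S814
            self._apply_update(pkt)
            return None
        if pkt.kind != "request":
            raise ValueError("port A accepts only request or update packets")
        user_key: Endpoint = (pkt.sip, pkt.sport)
        cloud_sip, cloud_sport = self._lookup(self.conversion_rules, user_key, "conversion rule 361")  # S822
        self.conversion_table[(cloud_sip, cloud_sport)] = user_key
        converted = replace(pkt, sip=cloud_sip, sport=cloud_sport)
        # S823: the control method is keyed by the SIP *before* conversion
        priority, method = self._lookup(self.vpn_control_info, pkt.sip, "VPN control information 362")
        # S824: the destination is keyed by the Sport *after* conversion
        global_ip = self._lookup(self.vpn_destination_info, converted.sport, "VPN destination information 363")
        return VpnPacket(global_ip, priority, method, converted)  # S825: sent from port B352

    # --- FIG. 9: packet arriving at input/output port B352 ---
    def on_port_b(self, vpn_pkt: VpnPacket) -> Optional[Packet]:
        pkt = vpn_pkt.inner                 # S912: VPN decapsulation
        if pkt.kind == "update":            # S913 -> S914, S915
            self._apply_update(pkt)
            return None
        if pkt.kind != "response":
            raise ValueError("port B accepts only response or update packets")
        user_dst = self.conversion_table.get((pkt.dip, pkt.dport))  # S922
        if user_dst is None:
            # No earlier request produced this mapping, so the packet cannot be
            # attributed to any user device 30; it is dropped rather than guessed.
            return None
        user_dip, user_dport = user_dst
        return replace(pkt, dip=user_dip, dport=user_dport)  # S923: sent from port A351

    def _apply_update(self, pkt: Packet) -> None:
        """Information update processing unit 356: replace one record of 361/362/363."""
        table_name, key, value = pkt.payload
        tables = {
            "conversion_rules": self.conversion_rules,
            "vpn_control_info": self.vpn_control_info,
            "vpn_destination_info": self.vpn_destination_info,
        }
        if table_name not in tables:
            raise ValueError(f"unknown packet control table {table_name!r}")
        tables[table_name][key] = value


def demo_gateway() -> UserSideGateway:
    """Gateway loaded with constructed sample records in the style of FIG. 6 and FIG. 7."""
    return UserSideGateway(
        conversion_rules={("192.168.0.10", 40000): ("10.0.1.10", 50001)},
        vpn_control_info={"192.168.0.10": (1, "IPsec")},
        vpn_destination_info={50001: "203.0.113.10"},  # documentation range, constructed
    )
```

A request from 192.168.0.10:40000 leaves port B352 with the cloud-side source 10.0.1.10:50001 inside a VpnPacket addressed to 203.0.113.10, and a response to 10.0.1.10:50001 is mapped back through conversion table 400 to 192.168.0.10:40000. Note that the description keys the destination lookup on the converted source port ("Sport"), while claims 3 and 4 speak of the port number the server uses to identify the service; the model follows the description.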
The present invention is not limited to the embodiments described above and includes various modifications. For example, the embodiments above have been described in detail to explain the invention clearly, and the invention is not necessarily limited to configurations having all of the described elements. Part of the configuration of one embodiment may be replaced by the configuration of another embodiment, and the configuration of another embodiment may be added to the configuration of one embodiment. For part of the configuration of each embodiment, other configurations may be added, deleted, or substituted.
Each of the configurations, functions, processing units, processing means and the like described above may be realized in whole or in part in hardware, for example by designing them as integrated circuits. Each of the configurations, functions and the like described above may also be realized in software by a central processing unit (processor) interpreting and executing programs that implement the respective functions. Information such as the programs, tables and files that implement each function can be stored in a recording device such as a memory, hard disk or SSD, or on a recording medium such as an IC card, SD card or DVD.
The control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of a product to which the invention is applied are necessarily shown.
The names of network devices such as "NAT device", "gateway device (GW device)" and "VPN device" in the above description are used only for convenience; these devices may be configured as devices specialized for their respective functions, or as a single device combining several functions. Equivalent functions may also be built into a router device, a switch device, an information processing device or the like.
1 network system, 2 cloud site, 3 user site, 5 Internet, 20 server device, 21 cloud-side VPN device, 22 cloud-side NAT device, 30 user device, 31 user-side GW device, 311 user-side VPN device, 312 user-side second NAT device, 351 input/output port A, 352 input/output port B, 353 packet determination unit, 354 NAT conversion unit, 355 VPN processing unit, 356 information update processing unit, 361 conversion rule, 362 VPN control information, 363 VPN destination information, 32 user-side first NAT device, 51 cloud-side NW, 52 user-side NW, 400 conversion table
Claims (15)
- 情報処理サービスを提供する提供サイトの通信ネットワークである提供側ネットワークに接続するサーバ装置と、
インターネットを介して前記提供側ネットワークと通信可能に接続する、前記情報処理サービスを利用するユーザサイトの通信ネットワークであるユーザ側ネットワークに接続し、前記サーバ装置にアクセスして前記情報処理サービスを利用するユーザ装置と、
前記提供側ネットワークに接続する提供側VPN装置と、
前記ユーザ側ネットワークに接続し、前記提供側VPN装置と共に前記インターネットを介したVPN通信を実現するユーザ側VPN装置と、
前記ユーザ側ネットワークに接続するユーザ側第2アドレス変換装置と、
を備え、
前記ユーザ側第2アドレス変換装置は、前記ユーザ装置から、前記サーバ装置に対して前記情報処理サービスの利用を要求するパケットである要求パケットを前記ユーザ側ネットワークを介して受信すると、予め設定された変換規則に従って、当該要求パケットの、前記ユーザ側ネットワークの通信に用いるヘッダに設定されている、前記ユーザ側ネットワークのプライベートアドレスで表記された送信元アドレスを、前記提供側ネットワークのプライベートアドレスで表記された送信元アドレスに変換し、
前記ユーザ側VPN装置は、前記変換後の前記要求パケットをカプセル化したパケットであるVPNパケットを、前記VPN通信によりインターネットを介して前記提供側VPN装置に送信し、
前記提供側VPN装置は、前記VPNパケットを受信すると、当該VPNパケットのカプセル化を解除して前記要求パケットを取得し、取得した前記要求パケットを、前記提供側ネットワークを介して前記サーバ装置に送信する
ネットワークシステム。 A server device connected to a provider network that is a communication network of a provider site that provides an information processing service;
Connect to the user side network, which is a communication network of a user site that uses the information processing service, that is communicably connected to the provider side network via the Internet, and uses the information processing service by accessing the server device A user device;
A providing-side VPN device connected to the providing-side network;
A user-side VPN device that connects to the user-side network and realizes VPN communication with the providing-side VPN device via the Internet;
A user-side second address translation device connected to the user-side network;
With
The user-side second address translation device is preset when a request packet, which is a packet requesting the server device to use the information processing service, is received from the user device via the user-side network. According to the conversion rule, the source address indicated by the private address of the user side network, which is set in the header used for communication of the user side network of the request packet, is indicated by the private address of the providing side network. To the source address
The user-side VPN device transmits a VPN packet, which is a packet encapsulating the converted request packet, to the providing-side VPN device via the Internet by the VPN communication,
Upon receiving the VPN packet, the providing-side VPN device releases the encapsulation of the VPN packet, acquires the request packet, and transmits the acquired request packet to the server device via the providing-side network. Network system. - 請求項1に記載のネットワークシステムであって、
前記ユーザ側ネットワークは複数存在し、
前記ユーザ側ネットワークの夫々に接続する、前記ユーザ装置、前記ユーザ側VPN装置、及び前記ユーザ側第2アドレス変換装置を含み、
前記ユーザ側第2アドレス変換装置の夫々の前記変換規則は、前記ユーザ側ネットワークの夫々に接続する前記ユーザ側第2アドレス変換装置が、前記要求パケットのヘッダの前記ユーザ側ネットワークのプライベートアドレスで表記された送信元アドレスを、前記ユーザ側ネットワーク間で固有の前記提供側ネットワークのプライベートアドレスに変換するように設定されている
ネットワークシステム。 The network system according to claim 1,
There are a plurality of user side networks,
Including the user device, the user-side VPN device, and the user-side second address translation device connected to each of the user-side networks;
The translation rules of each of the user side second address translation devices are expressed by the user side second address translation device connected to each of the user side networks as a private address of the user side network in the header of the request packet. A network system configured to convert the transmitted source address into a private address of the provider network that is unique among the user networks. - 請求項1又は2に記載のネットワークシステムであって、
前記ユーザ側第2アドレス変換装置は、前記要求パケットを受信すると、予め設定された変換規則に従って、当該要求パケットのヘッダに設定されている送信先ポート番号を、前記サーバ装置が前記情報処理サービスの識別に用いるポート番号である提供サイト側のポート番号に変換する
ネットワークシステム。 The network system according to claim 1 or 2,
When the user-side second address translation device receives the request packet, the server device specifies the destination port number set in the header of the request packet according to a preset translation rule. A network system that converts the port number used for identification into the port number on the providing site. - 請求項3に記載のネットワークシステムであって、
前記ユーザ側VPN装置は、前記サーバ装置が前記情報処理サービスの識別に用いるポート番号と前記提供側VPN装置のグローバルアドレスとの対応を記憶し、前記要求パケットの前記変換後のポート番号に対応する前記グローバルアドレスを宛先として前記VPNパケットを前記VPN通信により送信する
ネットワークシステム。 The network system according to claim 3,
The user-side VPN device stores a correspondence between a port number used by the server device for identifying the information processing service and a global address of the providing-side VPN device, and corresponds to the converted port number of the request packet. A network system for transmitting the VPN packet by the VPN communication with the global address as a destination. - 請求項1又は2に記載のネットワークシステムであって、
前記ユーザ側VPN装置は、前記ユーザ側ネットワークのプライベートアドレスと前記VPN通信の制御方法との対応を記憶し、前記要求パケットの前記変換前の前記ユーザ側ネットワークのプライベートアドレスで表記された前記送信元アドレスに対応する前記制御方法に従って前記VPN通信を行う
ネットワークシステム。 The network system according to claim 1 or 2,
The user-side VPN device stores a correspondence between a private address of the user-side network and a control method of the VPN communication, and the transmission source represented by a private address of the user-side network before the conversion of the request packet A network system for performing the VPN communication according to the control method corresponding to an address. - 請求項1に記載のネットワークシステムであって、
前記ユーザ側ネットワークと前記インターネットとの間に介在し、前記ユーザ側ネットワークと前記インターネットとの間で送受信されるパケットについて、前記ユーザ側ネットワークのプライベートアドレスと前記インターネットのグローバルアドレスとの相互変換を行うユーザ側第1アドレス変換装置を更に備え、
前記ユーザ側VPN装置は、前記ユーザ側第1アドレス変換装置を介して前記提供側VPN装置と前記VPN通信を行う
ネットワークシステム。 The network system according to claim 1,
A packet that is interposed between the user side network and the Internet and is transmitted and received between the user side network and the Internet performs mutual conversion between a private address of the user side network and a global address of the Internet. A user-side first address translation device;
The network system in which the user side VPN device performs the VPN communication with the providing side VPN device via the user side first address translation device. - 請求項1又は2に記載のネットワークシステムであって、
前記サーバ装置は、受信した前記要求パケットの前記ヘッダに設定されている、前記提供側ネットワークのプライベートアドレスで表記された送信元アドレスを送信先アドレスとしてヘッダに設定した応答パケットを、前記提供側ネットワークを介して前記提供側VPN装置に送信し、
前記提供側VPN装置は、前記応答パケットをカプセル化したパケットであるVPNパケットをVPN通信により前記ユーザ側VPN装置に送信し、
前記ユーザ側VPN装置は、前記VPNパケットを受信するとカプセル化を解除して前記応答パケットを取得し、取得した前記応答パケットを前記ユーザ側第2アドレス変換装置に送信し、
前記ユーザ側第2アドレス変換装置は、前記変換規則を参照し、当該応答パケットのヘッダに設定されている、前記提供側ネットワークのプライベートアドレスで表記された送信先アドレスを、前記ユーザ側ネットワークのプライベートアドレスで表記された送信先アドレスに変換し、変換後の応答パケットを、前記ユーザ側ネットワークを介して前記ユーザ装置に送信する
ネットワークシステム。 The network system according to claim 1 or 2,
The server device sets a response packet set in the header using a transmission source address expressed as a private address of the providing side network set in the header of the received request packet in the providing side network. To the providing VPN device via
The providing side VPN apparatus transmits a VPN packet that is a packet encapsulating the response packet to the user side VPN apparatus by VPN communication,
When receiving the VPN packet, the user side VPN device releases the encapsulation and acquires the response packet, and transmits the acquired response packet to the user side second address translation device,
The second address translation device on the user side refers to the translation rule, and sets the destination address represented by the private address of the provider network, which is set in the header of the response packet, as the private address of the user network. A network system for converting to a destination address represented by an address and transmitting the converted response packet to the user device via the user-side network. - 請求項1に記載のネットワークシステムであって、
前記ユーザ側第2アドレス変換装置は、ユーザインタフェースを介して受け付けた更新指示に応じて、又は、前記提供側ネットワークに接続する情報処理装置もしくは前記ユーザ側ネットワークに接続する情報処理装置から送られてくる更新指示に応じて、前記変換規則を更新する
ネットワークシステム。 The network system according to claim 1,
The user-side second address translation device is sent in response to an update instruction received via a user interface, or sent from an information processing device connected to the providing-side network or an information processing device connected to the user-side network. A network system that updates the conversion rule in response to an update instruction. - 請求項8に記載のネットワークシステムであって、
前記ユーザ側第2アドレス変換装置、又は前記提供側ネットワークに接続する情報処理装置もしくは前記ユーザ側ネットワークに接続する情報処理装置は、前記変換規則の設定を受け付ける画面を表示装置に表示しつつ前記変換規則の設定内容を受け付ける
ネットワークシステム。 The network system according to claim 8, wherein
The second address conversion device on the user side, the information processing device connected to the network on the provider side, or the information processing device connected to the network on the user side displays the screen for accepting the setting of the conversion rule on the display device while performing the conversion A network system that accepts rule settings. - 請求項1又は2に記載のネットワークシステムであって、
前記情報処理サービスはクラウドサービスである
ネットワークシステム。 The network system according to claim 1 or 2,
The information processing service is a cloud service. - 請求項1又は2に記載のネットワークシステムであって、
前記ユーザ側第2アドレス変換装置は、NAT装置又はNAPT装置である
ネットワークシステム。 The network system according to claim 1 or 2,
The user side second address translation device is a NAT device or a NAPT device. - 請求項1に記載のネットワークシステムにおける前記ユーザ側第2アドレス変換装置として機能する通信制御装置であって、
前記ユーザ装置から、前記サーバ装置に対して前記情報処理サービスの利用を要求するパケットである要求パケットを前記ユーザ側ネットワークを介して受信すると、予め設定された変換規則に従って、当該要求パケットの、前記ユーザ側ネットワークの通信に用いるヘッダに設定されている、前記ユーザ側ネットワークのプライベートアドレスで表記された送信元アドレスを、前記提供側ネットワークのプライベートアドレスで表記された送信元アドレスに変換する
通信制御装置。 A communication control device functioning as the user-side second address translation device in the network system according to claim 1,
When receiving a request packet, which is a packet for requesting use of the information processing service, from the user device to the server device via the user-side network, the request packet includes the request packet according to a preset conversion rule. A communication control device for converting a source address expressed by a private address of the user side network, which is set in a header used for communication of the user side network, into a source address expressed by a private address of the provider side network . - 請求項1に記載のネットワークシステムにおける前記ユーザ側第2アドレス変換装置及び前記ユーザ側VPN装置を備えた通信制御装置であって、
前記ユーザ装置から、前記サーバ装置に対して前記情報処理サービスの利用を要求するパケットである要求パケットを前記ユーザ側ネットワークを介して受信すると、予め設定された変換規則に従って、当該要求パケットの、前記ユーザ側ネットワークの通信に用いるヘッダに設定されている、前記ユーザ側ネットワークのプライベートアドレスで表記された送信元アドレスを、前記提供側ネットワークのプライベートアドレスで表記された送信元アドレスに変換し、
前記変換後の前記要求パケットをカプセル化したパケットであるVPNパケットを、前記VPN通信によりインターネットを介して前記提供側VPN装置に送信する
通信制御装置。 A communication control device comprising the user-side second address translation device and the user-side VPN device in the network system according to claim 1,
When receiving a request packet, which is a packet for requesting use of the information processing service, from the user device to the server device via the user-side network, the request packet includes the request packet according to a preset conversion rule. A source address represented by a private address of the user side network set in a header used for communication of the user side network is converted into a source address represented by a private address of the provider side network;
A communication control device that transmits a VPN packet, which is a packet obtained by encapsulating the converted request packet, to the providing VPN device via the Internet by the VPN communication.
- The communication control device according to claim 12 or 13, wherein
there are a plurality of the user-side networks;
the system includes the user device, the user-side VPN device, and the user-side second address translation device connected to each of the user-side networks; and
the translation rule of each of the user-side second address translation devices is set so that the user-side second address translation device connected to each of the user-side networks translates the source address in the header of the request packet, expressed as a private address of that user-side network, into a private address of the provider-side network that is unique among the user-side networks.
- A communication method in a network system comprising:
a server device connected to a provider-side network, which is the communication network of a provider site that provides an information processing service;
a user device connected to a user-side network, which is the communication network of a user site that uses the information processing service and is communicably connected to the provider-side network via the Internet, the user device accessing the server device to use the information processing service;
a provider-side VPN device connected to the provider-side network;
a user-side VPN device connected to the user-side network, which together with the provider-side VPN device realizes VPN communication via the Internet; and
a user-side second address translation device connected to the user-side network,
the method comprising:
when the user-side second address translation device receives from the user device, via the user-side network, a request packet, which is a packet requesting the server device to provide the information processing service, translating, according to a preset translation rule, the source address set in the header that the request packet uses for communication on the user-side network, expressed as a private address of the user-side network, into a source address expressed as a private address of the provider-side network;
the user-side VPN device transmitting a VPN packet, which is a packet encapsulating the translated request packet, to the provider-side VPN device via the Internet by the VPN communication; and
when the provider-side VPN device receives the VPN packet, decapsulating the VPN packet to obtain the request packet, and transmitting the obtained request packet to the server device via the provider-side network.
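The three claimed steps (user-side source-address translation, VPN encapsulation, provider-side decapsulation) as an added Python model that is not part of the patent or any product; it shows why the per-site translation rule of claim 14 matters when two user sites use the same overlapping private range. All addresses, site names and the host-preserving mapping are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed topology (example values, not from the patent): both user sites
# use the same overlapping private range, the case the per-site rule resolves.
SERVER_ADDR = "10.0.0.5"  # server on the provider-side network
TRANSLATION_RULES = {
    # site -> (user-side private network, provider-side private network unique to the site)
    "site_A": ("192.168.1.0/24", "10.1.0.0/24"),
    "site_B": ("192.168.1.0/24", "10.2.0.0/24"),
}

def user_side_translate(site: str, packet: dict) -> Optional[dict]:
    """User-side second address translation device: rewrite the source address
    from the site's private range into the provider-side range assigned to that
    site. Host bits are preserved (an assumption; the claim only requires the
    result to be unique among user-side networks). A packet whose source is not
    covered by the rule is dropped rather than forwarded untranslated."""
    user_net, provider_net = (ipaddress.ip_network(n) for n in TRANSLATION_RULES[site])
    src = ipaddress.ip_address(packet["src"])
    if src not in user_net:
        return None
    host_bits = int(src) - int(user_net.network_address)
    new_src = provider_net.network_address + host_bits
    return {**packet, "src": str(new_src)}

def vpn_encapsulate(inner: dict, tunnel_src: str, tunnel_dst: str) -> dict:
    """User-side VPN device: wrap the translated packet in an outer tunnel
    header. Only encapsulation is modelled; encryption is left out."""
    return {"outer_src": tunnel_src, "outer_dst": tunnel_dst, "inner": inner}

def vpn_decapsulate(vpn_packet: dict) -> dict:
    """Provider-side VPN device: strip the tunnel header and hand the inner
    request packet to the provider-side network."""
    return vpn_packet["inner"]

def deliver(site: str, packet: dict, tunnel_src: str, tunnel_dst: str = "203.0.113.1") -> Optional[dict]:
    """Run one request packet through the three claimed steps; returns the
    packet as the server sees it, or None if the translation rule rejects it."""
    translated = user_side_translate(site, packet)
    if translated is None:
        return None
    return vpn_decapsulate(vpn_encapsulate(translated, tunnel_src, tunnel_dst))

if __name__ == "__main__":
    req = {"src": "192.168.1.10", "dst": SERVER_ADDR, "payload": "GET /service"}
    seen_a = deliver("site_A", req, "198.51.100.10")
    seen_b = deliver("site_B", req, "198.51.100.20")
    print(seen_a["src"], seen_b["src"])  # 10.1.0.10 10.2.0.10: distinct at the server
```

The same user-side address from both sites arrives at the server with different provider-side source addresses, so replies can be routed back to the correct site.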
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2013/080211 WO2015068255A1 (en) | 2013-11-08 | 2013-11-08 | Network system, communication control device, and communication method |
JP2015546220A JPWO2015068255A1 (en) | 2013-11-08 | 2013-11-08 | Network system, communication control apparatus, and communication method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2013/080211 WO2015068255A1 (en) | 2013-11-08 | 2013-11-08 | Network system, communication control device, and communication method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015068255A1 true WO2015068255A1 (en) | 2015-05-14 |
Family
ID=53041057
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/080211 WO2015068255A1 (en) | 2013-11-08 | 2013-11-08 | Network system, communication control device, and communication method |
Country Status (2)
Country | Link |
---|---|
JP (1) | JPWO2015068255A1 (en) |
WO (1) | WO2015068255A1 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016086232A (en) * | 2014-10-23 | 2016-05-19 | 西日本電信電話株式会社 | Cloud switching system, gateway device and gateway program |
JP2020205590A (en) * | 2016-08-27 | 2020-12-24 | ニシラ, インコーポレイテッド | Extension of network control system to public cloud |
US11343229B2 (en) | 2018-06-28 | 2022-05-24 | Vmware, Inc. | Managed forwarding element detecting invalid packet addresses |
US11374794B2 (en) | 2018-08-24 | 2022-06-28 | Vmware, Inc. | Transitive routing in public cloud |
KR102512037B1 (en) * | 2022-12-27 | 2023-03-20 | 주식회사엔투솔루션 | Two-way communication system using gate server |
US11695697B2 (en) | 2017-08-27 | 2023-07-04 | Nicira, Inc. | Performing in-line service in public cloud |
US11792138B2 (en) | 2016-08-27 | 2023-10-17 | Nicira, Inc. | Centralized processing of north-south traffic for logical network in public cloud |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001016255A (en) * | 1999-06-29 | 2001-01-19 | Nippon Telegr & Teleph Corp <Ntt> | Inter-network communication method and system |
JP2006279771A (en) * | 2005-03-30 | 2006-10-12 | Sanyo Electric Co Ltd | Method and program for packet transmission |
JP2009017429A (en) * | 2007-07-09 | 2009-01-22 | Fujitsu Ltd | Network relay control program, network relay control apparatus, and network relay control method |
JP2010157857A (en) * | 2008-12-26 | 2010-07-15 | Ntt Communications Kk | Vpn connection device, packet control method, and program |
2013
- 2013-11-08 WO PCT/JP2013/080211 patent/WO2015068255A1/en active Application Filing
- 2013-11-08 JP JP2015546220A patent/JPWO2015068255A1/en not_active Withdrawn
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016086232A (en) * | 2014-10-23 | 2016-05-19 | 西日本電信電話株式会社 | Cloud switching system, gateway device and gateway program |
JP2020205590A (en) * | 2016-08-27 | 2020-12-24 | ニシラ, インコーポレイテッド | Extension of network control system to public cloud |
JP7009014B2 (en) | 2016-08-27 | 2022-01-25 | ニシラ, インコーポレイテッド | Extension of network control system to public cloud |
JP2022058523A (en) * | 2016-08-27 | 2022-04-12 | ニシラ, インコーポレイテッド | Extension of network control system into public cloud |
JP7190595B2 (en) | 2016-08-27 | 2022-12-15 | ニシラ, インコーポレイテッド | Extending network control systems to the public cloud |
US11792138B2 (en) | 2016-08-27 | 2023-10-17 | Nicira, Inc. | Centralized processing of north-south traffic for logical network in public cloud |
US11695697B2 (en) | 2017-08-27 | 2023-07-04 | Nicira, Inc. | Performing in-line service in public cloud |
US11343229B2 (en) | 2018-06-28 | 2022-05-24 | Vmware, Inc. | Managed forwarding element detecting invalid packet addresses |
US11374794B2 (en) | 2018-08-24 | 2022-06-28 | Vmware, Inc. | Transitive routing in public cloud |
US12074731B2 (en) | 2018-08-24 | 2024-08-27 | VMware LLC | Transitive routing in public cloud |
KR102512037B1 (en) * | 2022-12-27 | 2023-03-20 | 주식회사엔투솔루션 | Two-way communication system using gate server |
Also Published As
Publication number | Publication date |
---|---|
JPWO2015068255A1 (en) | 2017-03-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10469442B2 (en) | | Adaptive resolution of domain name requests in virtual private cloud network environments |
JP6306640B2 (en) | | Providing logical networking capabilities for managed computer networks |
WO2015068255A1 (en) | | Network system, communication control device, and communication method |
US8396954B2 (en) | | Routing and service performance management in an application acceleration environment |
US10623505B2 (en) | | Integrating service appliances without source network address translation in networks with logical overlays |
Nordström et al. | | Serval: An End-Host stack for Service-Centric networking |
ES2663410T3 (en) | | A network controller and a computerized method implemented to automatically define forwarding rules to configure a computer network interconnect device |
US9491002B1 (en) | | Managing communications involving external nodes of provided computer networks |
JP4146886B2 (en) | | Communication module and application program including this communication module |
JP5679343B2 (en) | | Cloud system, gateway device, communication control method, and communication control program |
JP2013105308A (en) | | Load distribution system, load distribution device, load distribution method and load distribution program |
EP4449251A1 (en) | | Encrypted data packet forwarding |
WO2023020606A1 (en) | | Method, system and apparatus for hiding source station, and device and storage medium |
Ranjbar et al. | | Domain isolation in a multi-tenant software-defined network |
US10382330B2 (en) | | System for the routing of data to computer networks |
US10924397B2 (en) | | Multi-VRF and multi-service insertion on edge gateway virtual machines |
CN113824808B (en) | | Method and system for network address translation penetration using an intermediate meeting proxy |
US12088493B2 (en) | | Multi-VRF and multi-service insertion on edge gateway virtual machines |
JP2017208718A (en) | | Communication device and communication method |
KR20170006950A (en) | | Network flattening system based on sdn and method thereof |
Köstler et al. | | Network Federation for Inter-cloud Operations |
US20170005985A1 (en) | | Scalable access to firewall-protected resources |
Fowler | | Cloud network engineering |
JP2019121910A (en) | | Malware inspection support program, malware inspection support method and communication device |
KR20120000171A (en) | | Virtual private network system processing equal user ip and method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13897174; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2015546220; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 13897174; Country of ref document: EP; Kind code of ref document: A1 |