JP2011217174A - Communication system, packet transfer method, network exchange apparatus, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To safely connect a terminal connected to the Internet to a private network without the need to construct any particular system at an enterprise side.SOLUTION: In a communication system including an access control device and a network exchange apparatus connected to a plurality of private networks, the network exchange apparatus correspondingly stores therein an IP address of a user terminal corresponding to a user ID, the identification information of an NSP to which the user terminal belongs, the identification information of a connection destination, and an IP address in the connection destination. In the case that a packet is received from the access control device, an NSP of a packet transmission source is identified, a connection destination corresponding to the NSP and a transmission source IP address of the received packet is determined based on the stored information, furthermore, the IP address of the packet is translated into an IP address in the determined connection destination, and a packet after the translation is sent out to the determined connection destination.

Description

  The present invention relates to a technique for distributing packets sent from user terminals to various networks.

  Generally, each company does not use the public network, which is a public network that can be used by anyone, such as the Internet, but establishes a private network that is a closed network that can be used only by employees. , And use it as a corporate dedicated network.

  Each company having such a dedicated network generally has a need to be able to connect to the dedicated network and perform business even from a business trip destination where only the Internet can be used.

  In order to be able to connect to a dedicated network from a terminal connected to the Internet, it is necessary to construct a system for that purpose. For example, in a company, it is necessary to introduce a gateway device at the boundary between a dedicated network and the Internet and introduce dedicated software for connecting to the gateway device on the terminal side. In addition, as a prior art relevant to this application, there exists a technique described in patent document 1, for example.

JP 2008-199497

  However, building a system that enables connection from the Internet to a dedicated network costs a lot of money for each company, and even after the system is built, a large cost is required for managing dedicated software for each gateway device and terminal. There is a problem that it takes.

  The present invention has been made in view of the above points, and a terminal connected to a public network such as the Internet can be used without constructing a special system in each company or introducing dedicated software to the terminal. An object of the present invention is to provide a technology that enables secure connection to a private network of a company or the like.

  In order to solve the above problems, the present invention provides a communication system including an access control device provided at an entrance to a public network and a network switching device connected to a plurality of private networks, the access control device Comprises an access side connection information storage means for storing the IP address of the user terminal associated with the user ID and the connection destination identification information in association with each other, and the network switching device is associated with the user ID. A network-side connection information storage means for storing the IP address of the user terminal, the identification information of the NSP to which the user terminal belongs, the identification information of the connection destination, and the IP address of the connection destination in association with each other, The apparatus receives a packet from the user terminal and refers to the access side connection information storage means. And determining the connection destination corresponding to the source IP address of the received packet, sending the packet to the connection destination, and when the network switching device receives the packet from the access control device, the network switching The apparatus identifies the NSP that is the transmission source of the packet, refers to the network side connection information storage means, determines the connection destination corresponding to the NSP and the transmission source IP address of the received packet, and further The IP address of the packet is converted into an IP address at the determined connection destination, and the converted packet is transmitted to the determined private network of the connection destination.

  The communication system may further include an authentication system including an authentication information storage unit that stores a user ID and identification information of a connection destination network in association with each other, in which case the access control device includes the authentication From the system, the access side receives information including the IP address of the user terminal corresponding to the user ID successfully authenticated and the identification information of the connection destination network corresponding to the user ID, and using the received information, the access side In the connection information storage means, the IP address of the user terminal associated with the user ID and the identification information of the connection destination are stored, and the network switching apparatus corresponds to the user ID that has been successfully authenticated from the authentication system. Information including the IP address of the user terminal, the identification information of the NSP to which the user terminal belongs, and the identification information of the connection destination network corresponding to the user ID And using the received information, the network side connection information storage means stores the IP address of the user terminal associated with the user ID, the identification information of the NSP to which the user terminal belongs, and the connection destination The identification information and the IP address at the connection destination are stored.

  In addition, the network exchange device may include a DNS server information storage unit that stores a connection destination DNS server information list in which an IP address of a DNS server for each connection destination private network is recorded. When a device receives a DNS request packet from the access control device, the device acquires an IP address of a DNS server in a private network to which the DNS request packet is connected from the DNS server information storage unit, and transmits the DNS request packet. The destination IP address is converted into the acquired IP address, and the converted DNS request packet is transmitted toward the connection destination private network.

  The network switching device may identify a source NSP of a packet received from the access control device based on a physical interface that receives the packet or VLAN tag information added to the packet.

  According to the present invention, a terminal connected to a public network such as the Internet can be safely connected to a private network such as a company without constructing a special system in each company or introducing dedicated software to the terminal. It becomes possible to do.

1 is an overall configuration diagram of a system according to an embodiment of the present invention. 2 is a functional configuration diagram of an access control device 1. FIG. It is a figure which shows the example of the table information in the access control apparatus. 3 is a functional configuration diagram of a network switching device 2. FIG. It is a figure which shows the example of the table information in the network switching apparatus. It is a figure which shows the example of the table information in the authentication apparatus. It is a figure which shows the example of the table information in the authorization information relay apparatus 3. FIG. It is a sequence chart for demonstrating the dynamic setting process in a user authentication stage. It is a flowchart for demonstrating operation | movement of the network switching apparatus 2 which receives authorization information. It is a figure for demonstrating the operation | movement at the time of packet transfer. 4 is a flowchart for explaining packet transfer processing in the network switching apparatus 2; 2 is a diagram illustrating a configuration example of a network switching device 2. FIG. It is a block diagram for explaining packet transfer processing. 2 is a diagram illustrating a configuration example of a network switching device 2. FIG. It is a block diagram for explaining packet transfer processing. It is a figure which shows the example of the table information which the network switching apparatus 2 has for split DNS cancellation | release. It is a sequence chart for demonstrating operation | movement of the system regarding a DNS request | requirement. It is a frame block diagram for explaining processing related to a DNS request. It is a frame block diagram for explaining processing related to a DNS request.

  Embodiments of the present invention will be described below with reference to the drawings.

(System configuration)
FIG. 1 shows an overall configuration diagram of a system according to an embodiment of the present invention. As shown in FIG. 1, this system includes an access control device 1, a network switching device 2, an authorization information relay device 3, and an authentication device 4.

  The access control device 1 is provided at the entrance to a public network (in the present embodiment, the Internet 5) in units of NSP (network service provider). The access control device 1 is connected to each user terminal 6, the Internet 5, the network switching device 2, and the authorization information relay device 3. Processing such as distributing packets received from the user terminal 6 to the Internet 5 or the network switching device 2. I do.

  The network switching device 2 is a device that performs processing such as distributing packets from the user terminal 6 received via the access control device 1 to an appropriate network 7. The network 7 is a private network such as an in-company network. In the example of FIG. 1, the network X of the company X is shown.

  The authorization information relay device 3 transfers the authentication request from the user terminal 6 to the authentication device 4 and transmits the authorization information to the access control device 1 and the network switching device 2 based on the authentication result received from the authentication device 4. And so on. The authentication device 4 is a device that performs user authentication.

  A line connecting the devices shown in FIG. 1 indicates that data communication is possible between the devices. The line used for the data communication may be any line (private line, VPN, etc.) as long as the line is secured. Hereinafter, each device will be described in more detail.

<Access control device 1>
FIG. 2 shows a functional configuration diagram of the access control apparatus 1. As illustrated in FIG. 2, the access control device 1 includes a communication interface unit 11, a passage control unit 12, a route control unit 13, a user authentication control unit 14, and a user communication information management unit 15. The user communication information management unit 15 includes a user communication information storage unit 16.

  The communication interface unit 11 is an interface function unit for performing data communication with the outside. The passage control unit 12 is a functional unit that controls whether or not a received packet is passed and forwarded based on preset table information, and is also referred to as a “firewall”. In addition, the passage control function unit 12 identifies a packet from the user terminal 6 of a user who has not performed login authentication, passes the processing of the packet to the user authentication control unit 14, and sets the user who has succeeded in login authentication. A packet including a packet that is allowed to pass has a function of passing to the route control unit 13.

  The route control unit 13 determines the route of the packet to be sent based on preset table information, packet header information, etc., and sends the packet toward the decided route via the communication interface unit 11. It is a functional part to do. In the present embodiment, the route control unit 13 determines whether the packet is for the Internet 5 or other network (for the network switching device 2), and sends the packet to the route according to the determination.

  The user authentication control unit 14 has a function of transferring an authentication request from the user terminal 6 to the authorization information relay device 3 and passing the authorization information received from the authorization information relay device 3 to the user communication information management unit 15.

  The user communication information management unit 15 stores the authorization information received from the user authentication control unit 14 in the user communication information storage unit 16 as user communication information, and uses the stored user communication information to It has a function for setting the path control 13.

  FIG. 3A shows an example of table information stored in the user communication information storage unit 16. As shown in FIG. 3A, in the user communication information storage unit 16, the IP address of the user terminal 6, information on whether or not the IP address has been authenticated, the user ID (user name), and the connection destination (Internet or non-Internet) is stored.

  FIG. 3B shows an example of table information (information stored in a storage unit such as a memory) that is setting information in the passage control unit 12. As shown in FIG. 3B, the passage control unit 12 is set with an IP address and information indicating whether or not a packet having the IP address is allowed to pass. For example, when the packet is received, the passage control unit 12 searches the table information with the source IP address of the packet, and passes the packet when it is detected that passage is permitted for the IP address. .

  FIG. 3C shows an example of table information (information stored in a storage unit such as a memory) which is setting information in the route control unit 13. As shown in FIG. 3C, in the route control unit 13, an IP address and information indicating a connection destination corresponding to the IP address are set in association with each other. The route control unit 13 refers to the table of FIG. 3C based on the source IP address of the packet to be transmitted, identifies the connection destination corresponding to the IP address, and sends the packet to the connection destination route. Is sent out. The information indicating the connection destination is, for example, information for identifying the physical IF, VLAN ID, or the like, but is not limited to this, and any information may be used as long as the information can determine the route.

  As described above, the information in the user communication information storage unit 16 and each table information may be separated, or only the user communication information storage unit 16 has information, and each unit refers to the user communication information storage unit 16. It is good to do.

  Each functional unit in the access control device 1 can be realized by causing a device such as a computer or a router to execute a program. Further, the program can be recorded and distributed on a recording medium such as a memory.

  The access control device 1 may be realized by a single device (computer, router, etc.), or may be realized by connecting a plurality of devices via a network.

<Network switching device 2>
FIG. 4 shows a functional configuration diagram of the network switching apparatus 2. As illustrated in FIG. 4, the network switching device 2 includes a communication interface unit 21, a passage control unit 22, a route control unit 23, an address conversion unit 24, and a virtual connection session information management unit 25. The virtual connection session information management unit 25 includes a virtual connection session information storage unit 26.

  The communication interface unit 21 is an interface function unit for performing data communication with the outside. The passage control unit 22 is a functional unit that controls whether or not a received packet is passed and forwarded based on preset table information, and is also referred to as a “firewall”.

  The route control unit 23 determines the route of the packet to be sent based on preset table information, packet header information, etc., and sends the packet toward the determined route via the communication interface unit 21. It is a functional part to do. In the present embodiment, the route control unit 23 determines which network the packet is directed to and sends the packet to the route according to the determination.

  The address conversion unit 24 has a function of converting the IP address of a packet based on preset table information, packet header information, and the like.

  The virtual connection session information management unit 25 receives the authorization information from the authorization information relay device 3, stores it in the virtual connection session information storage unit 26 as information constituting the virtual connection session information, and uses the stored information. Thus, it has a function of making settings for the passage control unit 22, the route control unit 23, and the address conversion unit 24.

  FIG. 5A shows an example of table information stored as virtual connection session information in the virtual connection session information storage unit 26. As shown in FIG. 5A, the table information is a table in which user IDs, NSP identification information, NSP IP addresses, connection destination identification information, and connection destination IP addresses are associated with each other. . Among these pieces of information, the user ID, the information identifying the NSP, the IP address in the NSP, and the identification information of the connection destination are information received from the authorization information relay device 3 as authorization information, and the IP address at the connection destination is In the network switching apparatus 2, it is obtained from information stored in advance in a storage means (this will be referred to as an address pool) for each connection destination.

  FIG. 5B shows an example of table information that the passage control unit 22 holds in the storage unit as setting information. As shown in FIG. 5B, the table information is a table in which an IP address, NSP identification information, and information indicating whether or not passage is permitted are associated with each other.

  For example, the communication control unit 22 grasps the transmission source NSP of the packet based on the reception interface of the received packet and refers to the table information based on the transmission source NSP and the source IP address of the packet. Whether or not the packet can pass is determined, and if the packet is allowed to pass, control is performed to pass the packet.

  FIG. 5C shows an example of table information that the route control unit 23 holds in the storage unit as setting information. As shown in FIG. 5C, the table information is information in which an IP address, NSP identification information, and connection destination identification information are associated with each other. For example, the route control unit 23 refers to the table in FIG. 5C from the source IP address of the packet received from the user terminal 6 and the NSP of the transmission source, determines the connection destination of the packet, A packet is transmitted toward the route corresponding to the connection destination.

  FIG. 5D shows an example of table information that the address conversion unit 24 holds in the storage unit as setting information. As shown in FIG. 5D, the table information is a table in which the identification information of the NSP, the IP address of the NSP, the identification information of the connection destination, and the IP address of the connection destination are associated with each other. For example, the address conversion unit 24 acquires the IP address at the connection destination determined from the transmission source NSP and IP address of the packet received from the user terminal 6 from the table, and sets the source IP address of the packet as the IP address at the connection destination. rewrite.

  As described above, the information in the virtual connection session information storage unit 26 and each table information may be separated, or only the virtual connection session information storage unit 26 has information, and each unit has a virtual connection session information storage unit. 26 may be referred to. Further, even when the table information is provided separately from the virtual connection session information storage unit 26, the way of dividing the table information in FIGS. 5B to 5D is an example. For example, FIG. 5C and FIG. The table information may be combined into one table information.

  Each functional unit in the network switching device 2 can be realized by causing a device such as a computer or a router to execute a program. Further, the program can be recorded and distributed on a recording medium such as a memory.

  The network switching device 2 may be realized by a single device (computer, router, etc.), or may be realized by connecting a plurality of devices via a network.

<Authorization information relay device 3 and authentication device 4>
The authentication device 4 has a function of performing authentication processing using an authentication protocol such as RADIUS. FIG. 6 shows an example of table information stored in the storage unit by the authentication device 4. As shown in FIG. 6, this table information is associated with a user ID, identification information of a destination network, and the like. These pieces of information are information registered in advance by an administrator or the like.

  In FIG. 6, for example, it is shown that the user A is registered so as to be connected to the network X.

  The authorization information relay device 3 transfers the authentication request from the user terminal 6 to the authentication device 4 and transmits the authorization information to the access control device 1 and the network switching device 2 based on the authentication result received from the authentication device 4. It is a device that performs such processing.

  Also, the authentication information relay device 3 matches a part of information transmitted / received with the authentication device 4 using a predetermined authentication protocol based on an authentication request from a certain NSP in accordance with the authentication specification in the NSP, It also has the ability to change to optimize. For example, attribute change or filtering is performed.

  In order to perform such a change or filtering process, the authorization information relay apparatus 3 holds the table information shown in FIG. 7 as an example. As shown in FIG. 7, this table information is information in which NSP identification information, an authentication protocol, and protocol setting information of the NSP are associated with each other. The authorization information relay device 3 determines the NSP from the source IP address or the like of the received packet, refers to the table information, grasps the protocol setting information corresponding to the NSP, and uses the protocol setting information to determine the information described above. Make some changes. The authorization information relay device 3 and the authentication device 4 constitute an authentication system.

(System operation)
Next, the operation of the system according to the present embodiment will be described with reference to the drawings.

<Dynamic setting (provisioning) processing at the user authentication stage>
First, processing executed at the stage of user authentication will be described with reference to a sequence chart of FIG. In this process, information necessary for communication (virtual connection) is dynamically set, and the process here can be called dynamic provisioning.

  In this embodiment, an example using RADIUS (RFC2865) as an authentication protocol will be described, but the authentication protocol is not limited to RADIUS, and other protocols such as DIAMETER (RFC3588) may be used. Good.

  The access control device 1 that receives the authentication request (including the user ID) from the user terminal 6 identifies that the user is unauthenticated, and the user authentication control unit 14 transmits the authentication request to the authorization information relay device 3. (Step 1).

  The authorization information relay device 3 that has received the authentication request transfers the authentication request to the authentication device 4 (step 2). When the authentication is successful, the authentication device 4 acquires the identification information of the connection destination network corresponding to the user ID included in the authentication request from the table information shown in FIG. 6, and the authentication result (authentication) including the identification information of the connection destination (Success response) is transmitted to the authorization information relay device 3 (step 3). If authentication fails, an authentication rejection response is returned.

  In this example, the authentication device 4 includes the identification information of the destination network to which the user can connect in the Filter-ID attribute.

  Subsequently, the authorization information relay device 3 transfers the identification information of the NSP identified from the source IP address of the authentication request and the information included in the authentication success response to the network switching device 2 (step 4). The identification information of the NSP and the information included in the authentication success response are called authorization information.

  Information included in the authentication success response includes a user ID (User-Name attribute), an IP address (Framed-IP-Address attribute), and identification information (Filter-ID attribute) of the connection destination network.

  The operation of the network switching apparatus 2 that receives the above information will be described with reference to the flowchart of FIG.

  In the network switching apparatus 2 that has received the above information in step 101, the virtual connection session management unit 25 acquires the identification information of the connectable network of the user from the Filter-ID attribute (step 102), and sets the address pool. Referring to the IP address in the network is reserved (step 103).

  Then, the virtual connection session information management unit 25 stores the user ID, the NSP identification information, the NSP IP address, the connection destination network identification information, and the connection destination network IP address in the virtual connection session information storage unit 26. At the same time, the table information shown in FIGS. 5B, 5C, and 5D is set in each unit (step 104). However, at this time, the setting ("No") is set so as not to allow the passage control unit 22 to pass the packet. Thereafter, the network switching apparatus 2 returns a confirmation response indicating that the authorization information has been processed normally to the authorization information relay apparatus 3 (step 105). Step 105 in FIG. 9 corresponds to step 5 in the sequence in FIG.

  In the packet switching device 2, if the authorization information is not processed normally, an error is sent to the authorization information relay device 3, and an authentication rejection response is returned from the authorization information relay device 3 to the access control device. Will be.

  In FIG. 8, the authorization information relay device 3 that has received the confirmation response in step 5 transmits an authentication success response including the authorization information to the access control device 1 that is the request source (step 6).

  In the access control apparatus 1 that has received the authentication success response, the user communication information management unit 15 stores table information (1 record) indicating that the authentication has been completed as shown in FIG. While storing in the user communication information storage part 16, the user communication information management part 15 sets the information shown in FIG.3 (b), (c) to each part. Here, the passage control unit 12 is set to allow passage of a packet having the corresponding source IP address.

  Then, the access control device 1 transmits a service start request (billing start request) to the authorization information relay device 3 (step 7), and the authorization information relay device 3 notifies the network switching device 2 of a service start command (step 8). . In the network switching device 2 that has received the service start command, the virtual connection session information management unit 25 allows the setting to pass through so that a packet having the IP address of the user can pass through the pass control unit 22.

  Also, the authorization information relay device 3 returns a service start confirmation response to the access control device 1 (step 9). Further, the authorization information relay device 3 transmits a service start request (billing start request) to the authentication device 4 (step 10), and the authentication device 4 responds that the service has been started (step 11).

  After data communication is performed by the user terminal 6, the access control apparatus 1 transmits a service stop request to the authorization information relay apparatus 3 in response to a logout request from the user terminal 6 (step 12). An end command is transmitted to the network switching device 2 (step 13). Receiving this information, the network switching device 2 rejects the setting in the passage control unit 22 in order to block traffic for the corresponding IP address.

  The authorization information relay device 3 transmits a service suspension request to the authentication device 4 (step 14), and the authentication device 4 sends a response to the service suspension completion confirmation to the authorization information relay device 3 (step 15). 3 forwards a service stop confirmation response to the access control apparatus 1 (step 16).

<Packet transfer operation>
The operation at the time of packet transfer performed after the setting process based on user authentication is completed will be described with reference to FIG.

  In this example, it is assumed that the information shown in FIGS. 3A to 3C is set in the NSP-B access control device 1, and the network switching device 2 has the virtual as shown in FIG. Assume that connection table information and each table information based on this virtual connection session information are set.

  For example, when the NSP-B access control device 1 receives a packet having BBB1 as a source IP address from the user terminal 6 of the user C, the pass control unit 12 of the access control device 1 displays the packet in FIG. The packet is passed from the setting information shown. Further, the route control unit 13 determines that the packet is to be sent to another network other than the Internet based on the table information of FIG. 3C, and sends the packet to the network switching device 2.

  The packet transfer process in the network switching device 2 will be described with reference to the flowchart of FIG.

  In the network switching apparatus 2 that has received the packet from the access control apparatus 1 as described above (step 201), the source (transmission source) NSP is determined based on the physical interface that received the packet or a logical interface such as a VLAN tag. Identify (step 202). In this example, the source NSP is identified as B.

  Then, based on the table information shown in FIG. 5B, the passage control unit 22 of the network switching device 2 determines that the packet with the source IP address BBB1 and the source NSP B is OK. (Step 203). If the corresponding entry is not in the table, or if the entry is not OK, the packet is discarded (step 204).

  Subsequently, the route control unit 23 determines that the connection destination network of the packet is Y by referring to the table information shown in FIG. 5C (step 205). Further, the address conversion unit 24 refers to the table of FIG. 5D, obtains the IP address YYY2 used in the connection destination network for the packet, and sets the source IP address of the packet as the IP address. Conversion to YYY2 is performed (step 206). Then, the route control unit 23 sends the packet whose source IP address is converted to the route corresponding to the network Y (step 207).

  In FIG. 10, in the network switching apparatus 2 when a packet having Y.Y.Y.2 as the destination IP address is received from the network Y, first, it is identified that the source network of the packet is Y. Then, the address conversion unit 24 obtains a destination IP address BBB1 corresponding to a packet whose source network is Y and whose destination IP address is YYY2 by referring to the table of FIG. Convert the destination IP address to BBB1. In addition, the route control unit 23 identifies that the transfer destination NSP of the packet received from the network Y and subjected to the address translation is B.

  Then, the passage control unit 22 determines that the packet whose destination IP address is BBB1 and whose transfer destination NSP is B is passing OK, and the packet is transmitted to the NSP-B via the route control unit 23. Are transferred to the network control device 1.

  In the access control device 1, the passage control unit 12 refers to the table information in FIG. 3B, determines that the packet with the destination IP address BBB1 is passing OK, and transmits the packet to the user terminal 6 of the user C. Is done.

  As described above, in the packet transfer process in the network switching device 2, the connection destination network of the packet and the IP address at the connection destination are determined based on the IP address and the NSP (network). Thereby, even when the same IP address is used between NSPs (networks), a route can be appropriately determined and a packet can be transferred. Further, as described above, a method for identifying a connected NSP (network) may be identified by a physical interface or by a logical interface such as a VLAN tag. Moreover, you may identify using both of these.

(Concrete example)
Next, as a more specific example of the configuration and operation of the network switching device 2, an example in which an NSP or the like is identified by VLAN will be described.

<NSP-> Connected network>
FIG. 12 is a configuration example of the network switching apparatus 2 drawn assuming that a packet is transmitted from the NSP to each destination (connection destination) network.

  As shown in FIG. 12, a VLAN switch is provided between the network switching device 2 and the NSP and the connection destination network, and a trunk port of the VLAN switch is connected to a physical interface of the network switching device 2. In FIG. 12, for convenience of illustration, a VLAN switch is provided on each of the side that receives a packet from the user terminal and the side that sends it out, but without distinguishing between the side that receives and the side that sends it out. One VLAN switch may be provided. Also, although physical interfaces A and B are shown, these may also be one physical interface.

  Further, as shown in FIG. 12, the network switching device 2 includes VLAN logical interfaces (vlana, vlanb,... Vlan1, vlan2...) And is combined with physical interfaces in FIG. The illustrated communication interface unit 21 is configured. Hereinafter, the packet (ether frame) transfer operation will be described with reference to the frame configuration diagram shown in FIG.

  In the device configuration of FIG. 12, when the network switching device 2 receives a packet from the access control device 1 on the NSP side, the network switching device 2 identifies the source NSP based on the VLAN tag (A in FIG. 13) attached to the packet, The passage control unit 22 performs packet passage determination using the NSP (A in FIG. 13) and the IP address (B in FIG. 13), and the route control unit 23 refers to the setting table information to determine the corresponding NSP and IP. A connection destination network (C in FIG. 13) corresponding to the address is determined, and the information (VLAN tag) is notified to the VLAN interface.

  The address conversion unit 24 converts the IP address of the packet by referring to the setting table information (D and E in FIG. 13).

  Thereafter, a VLAN tag corresponding to the connection destination network is added to the packet by the VLAN interface (F in FIG. 13), and the packet (Ether frame) is delivered to the connection destination network via the physical interface B.

  More specifically, the connection destination network information (G in FIG. 13) and the ARP table (H in FIG. 13) are set in the route control unit 23 and the like of the network switching device 2, and the next hop in the connection destination network information is set. The MAC address (J in FIG. 13) corresponding to (I in FIG. 13) is set as the destination MAC address of the Ether frame (K in FIG. 13).

  Note that, regarding the received packet, if the passage is not permitted by the passage control unit 22 or if there is no corresponding entry in the table information in the route control unit 23 and the address conversion unit 24, the packet is blocked. It will be discarded.

<Destination network->NSP>
FIG. 14 is a configuration example of the network switching apparatus 2 drawn assuming that a packet is transmitted from the connection destination network to the NSP. The configuration is the same as that shown in FIG. 12, but in this example, the method of illustrating the address translation unit 22 and the route control unit 23 is illustrated in consideration of the operation of transmitting a packet from the connection destination network to the NSP. Different from twelve. The packet (Ether frame) transfer operation will be described below with reference to the frame configuration diagram shown in FIG.

  By routing the IP address that is converted when the user connects to the connection destination network at the opposite router on the connection destination network side, communication from the connection destination network to the user is routed to the network switching device 2.

  As in this example, when a network is distinguished by a VLAN tag, communication from the connection destination network to the network switching apparatus 2 first reaches the VLAN switch shown in FIG. 14, and the VLAN switch adds a tag corresponding to the reception port. Thereafter, the packet is output from the trunk port of the VLAN switch and transferred to the network switching device 2.

  In the network switching device 2 that has received the packet, the source network (connection destination network) is identified by the VLAN tag (A in FIG. 15). Further, the address conversion unit 24 refers to the setting table information, and acquires the IP address (B in FIG. 15) used in the NSP corresponding to the source network and the destination IP address. Then, the destination IP address (C in FIG. 15) of the packet is converted into an IP address (B and D in FIG. 15) in the NSP. The route control unit 23 refers to the setting table information, acquires the identification information (VLAN tag, E in FIG. 15) of the NSP that is the packet transmission destination, and notifies the VLAN interface.

  The passage control unit 22 refers to the setting table information, confirms whether or not passage is permitted for the destination NSP and the destination IP address, and if permitted, passes the packet. Then, the VLAN interface adds identification information (VLAN tag, F in FIG. 15) corresponding to the destination NSP to the packet and sends it out.

  More specifically, the NSP information (G in FIG. 15) and the ARP table (H in FIG. 15) are set in the route control unit 23 and the like of the network switching device 2, and the next hop (N in FIG. 15) is set in the NSP information. The MAC address (J in FIG. 15) corresponding to I) is set as the destination MAC address of the Ethernet frame (K in FIG. 15).

  Then, the VLAN switch transfers a packet received from the network switching device 2 via the trunk port to a port corresponding to the VLAN tag. As a result, the packet is delivered to the access control apparatus 1 of the corresponding NSP, and is transferred to the user terminal 6 from there.

  If passage is not permitted in the passage control unit 22 or if there is no corresponding entry in the table information in the route control unit 23 and the address conversion unit 24, the packet is blocked and discarded. Become.

(About support for split DNS)
In general, when a user terminal 6 accesses an NSP, a DNS server provided in the NSP is assigned, and by performing access to the DNS server, name resolution of various servers (FQDN resolution) is performed. However, in this embodiment, since a server in the connection destination network (corporate dedicated network) is used, name resolution cannot be performed by the DNS server provided in the NSP. Such a problem is called a split DNS problem.

  In the present embodiment, in order to solve this problem, a DNS request (FQDN resolution inquiry) is sent from the user terminal 6 connected to the connection destination network, and the network exchange apparatus 2 receives the DNS request. In addition, the network switching device 2 sends the DNS request to the DNS server in the connection destination network by converting the destination address of the DNS request. The address conversion unit 24 has a function related to name resolution. This address conversion is performed in addition to the above-described source IP address conversion.

  In the present embodiment, in addition to the information described so far, the network conversion device 2 adds a DNS server list on the NSP side shown in FIG. 16A and a network on the connection destination network side shown in FIG. The DNS server list is recorded and stored in the storage means. The DNS server list on the NSP side shown in FIG. 16A is a list in which the IP address of the DNS server in the NSP is recorded for each NSP, and the DNS server on the connection destination network side shown in FIG. The list is a list in which the IP address of the DNS server in the connection destination network is recorded for each connection destination network.

  When the network switching device 2 receives a DNS request (FQDN resolution request) from the user to the DNS server of the NSP, the network switching device 2 sets the destination IP address so that the request reaches the DNS server in the connection destination network. Convert to IP address. Hereinafter, the operation of the system related to FQDN resolution in this embodiment will be described with reference to the sequence chart of FIG. The configuration of the Ethernet frame shown in FIGS. 18 and 19 is also referred to as appropriate. The following example is an example in which a network is identified by a VLAN. However, as described above, the network identification method is not limited to a VLAN.

  When the network switching device 2 receives the DNS request via the access control device 1 (step 301), the address conversion unit 24 of the network switching device 2 uses the source NSP (A in FIG. 18) and the destination IP address (see FIG. 18). 18B) is in the DNS server list of NSP (FIG. 18C), and if there is such an address, the destination IP address of the DNS request is assigned to the DNS in the destination network (D of FIG. 18). The server IP address (E and F in FIG. 18) is converted (step 302). In addition, the address conversion unit 24 issued a request so that the IP address of the DNS server of the request source, the IP address of the DNS server of the conversion destination, and the IP address of the DNS server of the conversion destination can be returned to the original requested IP address. The IP address in the destination network of the user terminal and the destination network of the user are recorded in the DNS server mapping table (G in FIG. 18). The DNS server mapping table is a table stored in storage means such as a memory.

  Thereafter, the DNS request subjected to address translation is sent to the DNS server of the connection destination network (here, network X) (step 303).

  When the network conversion device 2 receives a DNS response from the DNS server of the connection destination network (step 304), the address conversion unit 24 uses the VLAN tag (VLAN tag of the connection destination network) of the received packet (A in FIG. 19), Based on the source IP address (IP address of the DNS server in the connection destination network) (B in FIG. 19) and the destination IP address (IP address in the connection destination network of the user terminal 6) (C in FIG. 19), Referring to the mapping table (D in FIG. 19), the DNS server IP address (E in FIG. 19) at the requesting NSP is acquired, and the source IP address is converted to the acquired IP address (in FIG. 19). F) (Step 305). The DNS response converted in this way is transmitted to the user terminal 6 via the access control apparatus 1 (step 306).

  When the user logs out, the record related to the user is deleted from each table information in the network exchange device 2.

(Summary of embodiment)
As described above, according to the system in the present embodiment, the authentication device 4 registers which network is connectable for each user ID, and the authorization information (which which is obtained based on the authentication at the time of user authentication) Including information indicating whether connection to the network is possible) is set in the access control device 1 and the network switching device 2 via the authorization information relay device 3.

  According to the setting based on the user ID, the access control device 1 distributes the packet to any one of a public network such as the Internet and a private network such as a corporate network, so that an IP address is assigned to the user terminal 6 in the NSP. It is possible to support both dynamic and specific IP range.

  Further, when there are a plurality of private networks, the network switching device 2 can distribute packets to an appropriate private network for each user ID of a user who is qualified to connect to each private network.

  Further, since the network switching device 2 converts the IP address of the user connected to each private network into an appropriate IP address managed by each private network, communication can be appropriately performed in the private network.

  In addition, since the network switching apparatus 2 determines the route using not only the IP address but also the identification information of the source network, the private IP address defined in RFC 1918 is used in the NSP or private network, and the network Even if there is a possibility of duplicate IP addresses, packets can be distributed appropriately.

  In addition, when the network switching device 2 receives a DNS request for the DNS server of the NSP, it converts it into a DNS request to the DNS server operated in the connection destination network, so that the split DNS problem is solved. .

  With the above configuration, a user terminal connected to a public network such as the Internet can be safely put into a private network of a company or the like without having to build a special system in each company or introducing dedicated software to the user terminal. It becomes possible to connect.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

DESCRIPTION OF SYMBOLS 1 Access control apparatus 2 Network switching apparatus 3 Authorization information relay apparatus 4 Authentication apparatus 5 Internet 6 User terminal 7 Private network 11 Communication interface part 12 Passing control part 13 Route control part 14 User authentication control part 15 User communication information management part 16 User Communication information storage unit 21 Communication interface unit 22 Pass control unit 23 Route control unit 24 Address conversion unit 25 Virtual connection session information management unit 26 Virtual connection session information storage unit

Claims (7)

A communication system comprising an access control device provided at an entrance to a public network and a network switching device connected to a plurality of private networks,
The access control device includes an access-side connection information storage unit that stores an IP address of a user terminal associated with a user ID and identification information of a connection destination in association with each other,
The network switching device stores the IP address of the user terminal associated with the user ID, the identification information of the NSP to which the user terminal belongs, the identification information of the connection destination, and the IP address of the connection destination in association with each other. Network side connection information storage means for
The access control apparatus receives a packet from the user terminal, refers to the access side connection information storage unit, determines a connection destination corresponding to a transmission source IP address of the received packet, and sends a packet to the connection destination. Send
When the network switching device receives the packet from the access control device, the network switching device identifies the NSP that is the transmission source of the packet, and refers to the network side connection information storage unit, thereby Determine the connection destination corresponding to the source IP address of the NSP and the received packet, further convert the IP address of the packet to the IP address at the determined connection destination, and convert the converted packet to the determined connection destination A communication system characterized by being sent to a private network. The communication system further includes an authentication system including an authentication information storage unit that stores a user ID and identification information of a connection destination network in association with each other,
The access control device receives, from the authentication system, information including an IP address of a user terminal corresponding to a user ID that has been successfully authenticated and identification information of a connection destination network corresponding to the user ID. Using the information, the access side connection information storage means stores the IP address of the user terminal associated with the user ID and the identification information of the connection destination,
The network switching device includes, from the authentication system, an IP address of a user terminal corresponding to a user ID that has been successfully authenticated, identification information of an NSP to which the user terminal belongs, and identification information of a connection destination network corresponding to the user ID And using the received information, in the network side connection information storage means, the IP address of the user terminal associated with the user ID, and the identification information of the NSP to which the user terminal belongs The communication system according to claim 1, wherein the connection destination identification information and the IP address at the connection destination are stored. The network switching device includes a DNS server information storage unit storing a connection destination DNS server information list in which the IP address of the DNS server for each connection destination private network is recorded,
The network switching device, when receiving a DNS request packet from the access control device, obtains an IP address of a DNS server in a private network to which the DNS request packet is connected from the DNS server information storage unit, and The communication system according to claim 1 or 2, wherein a transmission destination IP address of the packet is converted into the acquired IP address, and the converted DNS request packet is sent to the private network of the connection destination. . The network switching device identifies a source NSP of a packet received from the access control device based on a physical interface that receives the packet or VLAN tag information added to the packet. The communication system according to any one of the above. A packet transfer method executed by a communication system including an access control device provided at an entrance to a public network and a network switching device connected to a plurality of private networks,
The access control device includes an access-side connection information storage unit that stores an IP address of a user terminal associated with a user ID and identification information of a connection destination in association with each other,
The network switching device stores the IP address of the user terminal associated with the user ID, the identification information of the NSP to which the user terminal belongs, the identification information of the connection destination, and the IP address of the connection destination in association with each other. Network side connection information storage means for
The access control apparatus receives a packet from the user terminal, refers to the access side connection information storage unit, determines a connection destination corresponding to a transmission source IP address of the received packet, and sends a packet to the connection destination. Send
When the network switching device receives the packet from the access control device, the network switching device identifies the NSP that is the transmission source of the packet, and refers to the network side connection information storage unit, thereby Determine the connection destination corresponding to the source IP address of the NSP and the received packet, further convert the IP address of the packet to the IP address at the determined connection destination, and convert the converted packet to the determined connection destination A packet transfer method characterized by sending data to a private network. The network switching device used in a communication system comprising an access control device provided at an entrance to a public network and a network switching device connected to a plurality of private networks,
A connection information storage means for storing the IP address of the user terminal associated with the user ID, the identification information of the NSP to which the user terminal belongs, the identification information of the connection destination, and the IP address at the connection destination;
The packet transmitted from the user terminal is received from the access control device, the NSP that is the transmission source of the packet is identified, and the connection information storage unit is referred to, thereby transmitting the NSP and the transmission source IP address of the received packet. Route control means for determining a connection destination corresponding to
By referring to the connection information storage means, the address conversion means for converting the IP address of the packet into the IP address at the connection destination determined by the route control means,
And a communication means for sending the converted packet to the determined private network of the connection destination.   The program for functioning a computer as each means in the said network switching apparatus of Claim 6.

Images