JP2005210380A - Peer-to-peer communication method and communication system - Google Patents

Abstract

P2P CUG communication method and communication capable of avoiding an increase in the number of secure associations (SA) even when the number of communication partners is large when performing peer-to-peer (P2P) closed user group (CUG) communication Provide a system.
In a WAN line 4 of an IP network to which router devices 1-1 to 1-i are connected, an SA is established between neighboring router devices 1-1 to 1-i by an IPSec tunneling mode, and an IP tunnel is established. Is generated. Thus, a logical ring network is configured between the router apparatuses 1-1 to 1-i.
[Selection] Figure 2

Description

  The present invention relates to a peer-to-peer (P2P / Peer To Peer / hereinafter referred to as “P2P”) communication method in a secure closed user group (CUG / Closed Users Group / hereinafter referred to as “CUG”).

  In a communication network using an IP network, IPSec (Security Architecture for the Internet Protocol) using encryption technology is used to realize the integrity and confidentiality of IP packets. This IPSec is a protocol that provides a security service, and has an encryption function and an authentication function for TCP / IP IP user data packets in order to perform secure IP communication (see Non-Patent Documents 1 and 2). ).

  Conventionally, there are a center-end type, a point-to-point type, and a full mesh type in the form of CUG communication by IPSec. In the center end type, a dedicated device that terminates IPSec is installed at a center site, and communication is performed between the dedicated device and a communication terminal or a router device that has IPSec installed at the end site. This center end type is used for a network that forms a corporate network with a clear center location, but is not suitable for P2P communication in which each location is the same.

  On the other hand, the point-to-point type performs communication between communication terminals installed at each end site or between router devices having IPSec. Further, the full mesh type performs communication by applying a point-to-point type communication form to a plurality of grounds. In this full mesh type, when IPsec is applied to P2P communication, each peer needs to establish and maintain a secure association (SA / Security Association / hereinafter referred to as “SA”) with all other peers. . Each peer also needs to set and maintain a routing rule for each ground so that user data packets are sent to the appropriate ground.

Yukio Ito and two others, “Illustration / Standard Latest VPN Handbook”, Hidekazu System, Inc., May 26, 2003, p. 131-141 “Arcstar IP-VPN / IPSec connection function”, [online], Nippon Telegraph and Telephone Corporation, [searched on January 13, 2004], Internet, <URL: http://www.ntt.com/ip-vpn /service/option.html>

  However, in the above-described P2P communication in the full mesh CUG (hereinafter referred to as “P2P / CUG communication”), the SA that needs to be established and held increases in proportion to the number of grounds. There is a problem that a large amount of processor resources and memory resources of the (communication device) are consumed, and the transfer performance of user data packets deteriorates. Further, as the number of grounds increases, there is a problem that the setting of routing rules for each ground becomes complicated.

  As described above, in the conventional full mesh P2P / CUG communication, large-scale P2P / CUG communication is performed from the viewpoints of resource restrictions in the communication terminal and communication device, transfer performance of user data packets, and setting of routing rules. It was difficult to realize.

  Therefore, the present invention has been made in view of the above problems, and a first object thereof is to provide a P2P / CUG communication method and a communication system that can easily expand the communication scale with a small number of SAs and IP tunnels. There is to do.

  A second object of the present invention is to provide a P2P / CUG communication method and a communication system that can easily add a new communication device to the CUG.

  A third object of the present invention is to provide a P2P / CUG communication method and communication system capable of continuously maintaining communication when the communication device is disconnected from the CUG or when the communication device fails. .

  Furthermore, a fourth object of the present invention is to provide a P2P / CUG communication method and a communication system capable of performing high-speed communication between specific communication devices using logical communication means other than IP tunnels.

  In order to achieve the first object, a P2P communication method and communication system according to the present invention includes a communication device or a communication terminal that is a transmission source under an IP network including a plurality of communication devices to which communication terminals are connected. When the user data packet is transmitted from the originating device to the destination communication device or the destination device of the communication terminal, the communication device generates an IP tunnel by IPSec with the adjacent communication device to generate a ring. An IP address of a communication device adjacent to the communication device is configured by encrypting a user data packet generated by configuring the network and using the destination device IP address as the destination IP address and the source device IP address as the source address. Is assigned to the user data packet as a gateway IP address, and the user is transmitted to the communication device addressed to the gateway IP address using the IP tunnel. Characterized by delivering The data packets. The communication device that has received the user data packet decodes the user data packet, compares the destination IP address of the user data packet with the IP address of the communication device of its own, and if the IP address matches, The user data packet is processed assuming that its own communication device is the called device. Further, the destination IP address of the user data packet is compared with the IP address of the communication terminal connected as a subordinate of the communication device, and if the IP address matches, the communication terminal determines that the communication terminal is the destination device. A user data packet is transmitted to the terminal. If the IP addresses do not match, the encrypted user data packet or the undecrypted user data packet is sent to a communication device adjacent to the communication device. Further, when the IP address of the user data packet is compared with the IP address of the communication device connected to the IP address of the communication device or the IP address of the communication terminal connected under the control of the communication device, The received user data packet is discarded.

  According to the first feature of the present invention, the communication device can communicate with all peers in the CUG by a minimum number of two SA and IP tunnels. Each peer receives its own user data packet, is addressed to its own communication device, is addressed to its own communication device, is transmitted from its own communication device, or is its own communication device It is possible to determine the transmission destination of the user data packet by determining whether or not the communication terminal is a transmission source.

  In order to achieve the second object, a P2P communication method and a communication system according to the present invention provide a new first communication device between a first communication device and a second communication device constituting the ring network. When the third communication device is added, the IP address of the second communication device is set in the third communication device as the IP address of the communication device adjacent to the third communication device. The IP address of the third communication device is set instead of the IP address of the second communication device already set as the IP address of the communication device adjacent to the first communication device, and the first communication device And the third communication device and between the third communication device and the second communication device, an IP tunnel based on IPSec is generated, and a ring network in which a new third communication device is added is configured. It is characterized by that.

  According to the second feature of the present invention, the addition of a new communication device to the CUG is performed on two communication devices, a third communication device added to the ring network and an existing first communication device, respectively. This can be done by establishing information on adjacent communication devices and SA and IP tunnels. For this reason, even when there are a large number of communication devices constituting the logical ring network, the change of the routing rule of the communication device is localized, and the influence on the entire ring network can be reduced.

  In order to achieve the third object, the P2P communication method and communication system according to the present invention provides a ring network when any one of the plurality of communication devices leaves the ring network. The communication device that constitutes the communication device detects the separation of the adjacent communication device, deletes the IP address of the separated adjacent communication device from the generated route information, selects a new adjacent communication device, and An IP tunnel based on IPSec is generated between adjacent communication devices, and a ring network excluding the disconnected communication device is configured.

  According to the third aspect of the present invention, since the communication device adjacent to the disconnected communication device autonomously establishes the SA and generates the IP tunnel, the ring is not required for the network administrator or the like. The net can be reconfigured. In addition, even when the communication device unintentionally leaves due to a failure of the communication device itself or a communication network, the ring network can be reconfigured autonomously, and communication of the entire CUG does not become disconnected. A highly reliable communication network can be realized.

  In order to achieve the fourth object, a P2P communication method and communication system according to the present invention includes a communication device that is the calling side device or a communication device that is connected to a communication terminal that is the calling side device. In a predetermined case, a user data packet is directly transmitted to a communication device that is a destination device or a communication device that is connected to a communication terminal that is a destination device without using an IP tunnel based on IPSec. To do.

  According to the fourth aspect of the present invention, high-speed communication is possible between specific peers. For example, when exchanging a large capacity file between specific peers, if communication is performed via a logical ring network using an IP tunnel, the ring network is a shared medium, so the bandwidth is reduced by communication between other peers. It will be restricted. In this case, for example, high-speed communication is realized by performing direct communication between peers by an application using a specific port number.

  According to the present invention, since an SA is established between adjacent communication devices and an IP tunnel is generated, a large number of SA and IP tunnels proportional to the number of grounds are not necessary. Accordingly, it is possible to avoid resource constraints, deterioration of packet transfer performance, and complicated setting of routing rules in the communication device, and thus a secure CUG communication network in scalable P2P communication can be configured. Also, user settings for establishing SA and IP tunnels can be simplified.

Hereinafter, embodiments of a P2P / CUG communication method and a communication system according to the present invention will be described with reference to the drawings.
〔System configuration〕
FIG. 1 is a simplified configuration diagram of a ring network of a P2P / CUG communication system according to an embodiment of the present invention. This P2P / CUG communication system includes router devices 1-1 to 1-i, LAN devices 2-1 to 2-j, and information terminals 3-1 to 3-k (where i, j, and k are arbitrary). Represents a natural number.) The router devices 1-1 to 1-i are connected via the WAN line 4, and the router devices 1-1 to 1-i are connected to the LAN devices 2-1 to 2-j, respectively. The LAN device 2-1 is connected to the information terminals 3-1 and 3-2 via the LAN line 5-1, and the LAN device 2-2 is connected to the information terminals 3-3 to 3-5 via the LAN line 5-2. The LAN device 2-3 is connected to the information terminals 3-6 to 3-8 via the LAN line 5-3, and the LAN device 2-j is connected to the information terminal 3-k via the LAN line 5-m. (M represents an arbitrary natural number).

  The router apparatuses 1-1 to 1-i establish an SA with other router apparatuses via the WAN line 4 constituting the router network, which is an IP network such as the Internet, an intranet, or a dedicated line, and establish an IP tunnel. Generate and communicate. The router device communicates with an information terminal such as a personal computer (PC) via a LAN device and a LAN line, or via a LAN line.

  FIG. 2 is a block diagram illustrating a functional configuration of the router apparatuses 1-1 to 1-i (hereinafter collectively referred to as “router apparatus 1”) illustrated in FIG. The router device 1 includes a WAN line reception interface 11, a WAN line transmission interface 12, an SA processing unit 13, a WAN side routing processing unit 14, an IPSec decryption unit 15, an IPSec encryption unit 16, a LAN side routing processing unit 17, and a LAN line transmission. An interface 18 and a LAN line reception interface 19 are provided.

  The WAN line reception interface 11 receives user data packets and the like from other router devices via the WAN line 4, and the WAN line transmission interface 12 sends user data packets and the like to other router devices via the WAN line 4. To do. The SA processing unit 13 performs a series of processes such as establishing an SA that is a logical connection in IPSec, generating an IP tunnel, and monitoring the state of the SA.

  The WAN-side routing processing unit 14 has route information including information on the destination route of the user data packet such as the gateway IP address 20 to which the user data packet is transmitted, the own router device IP address 21, and the IP address of the adjacent router device. A table 22, a port number table 25 having numbers assigned in accordance with various services executed by the router device 1 on the WAN line 4 side, and a default router IP address 26 used when performing high-speed communication between specific peers. And determine the route of the user data packet or the like.

  The IPSec decryption unit 15 decrypts the encrypted user data packet into plain text, and the IPSec encryption unit 16 encrypts the plain text user data packet. The LAN side routing processing unit 17 corresponds to the LAN side information terminal IP address table 23 having the IP address of the information terminal under its router device 1 and various services executed by the router device 1 on the LAN line 5 side. And a port number table 24 having numbers allocated in this manner, and determines a route for user data packets and the like.

  The LAN line transmission interface 18 transmits data packets to the information terminal via the LAN line 5, and the LAN line reception interface 19 receives user data packets from the information terminal via the LAN line 5.

〔Communication method〕
Next, the communication method will be specifically described using the information terminal 3-1 and the information terminal 3-6 as examples. The router apparatus 1-1 previously stores the IP address of the router apparatus 1-2 as the adjacent router IP address and the IP address of the router apparatus 1-3 as the next adjacent router IP address in the route information table 22 of the WAN side routing processing unit 14. Addresses and other IP addresses are respectively stored, and the IP addresses of the information terminals 3-1 and 3-2 under the own router device 1-1 are stored in the LAN side information terminal IP address table 23 of the LAN side routing processing unit 17. It is assumed that Similarly, the router apparatus 1-2 stores in advance the IP address of the router apparatus 1-3 as the adjacent router IP address in the route information table 22 of the WAN side routing processing section 14, and the LAN side routing processing section 17 It is assumed that the IP addresses of the information terminals 3-3 to 3-5 subordinate to the own router apparatus 1-2 are stored in the LAN side information terminal IP address table 23. In addition, the router device 1-3 stores in advance the IP address of the router device 1-i as an adjacent router IP address in the route information table 22 of the WAN side routing processing unit 14, and the LAN side routing processing unit 17 Assume that the LAN side information terminal IP address table 23 stores the IP addresses of the information terminals 3-6 to 3-8 under its own router apparatus 1-3. Furthermore, the router device 1-i stores the IP address of the router device 1-1 as an adjacent router IP address in advance in the route information table 22 of the WAN side routing processing unit 14. It is assumed that the IP address of the information terminal 3-k under its own router apparatus 1-i is stored in the LAN side information terminal IP address table 23. Note that the route information stored in the route information table 22 of the WAN side routing processing unit 14 is set by a control packet circulation to be described later.

  The information terminal 3-1 creates a user data packet having the IP address of the information terminal 3-6 as the destination IP address and the own IP address as the source IP address. Then, the user data packet is transmitted to the router device 1-1 via the LAN line 5-1 and the LAN device 2-1.

  The LAN line reception interface 19 of the router device 1-1 receives the user data packet, and the LAN side routing processing unit 17 analyzes the user data packet. Specifically, the LAN side routing processing unit 17 confirms whether or not the destination side IP address of the user data packet is stored in the LAN side information terminal IP address table 23 (the destination side IP address and the LAN side information terminal). It is checked whether or not the IP address stored in the IP address table 23 matches, and it is determined whether or not the user data packet is addressed to the information terminal under its own router device. In this case, the LAN side routing processing unit 17 confirms that the IP address of the information terminal 3-6 is not stored in the LAN side information terminal IP address table 23, and the user data packet is not addressed to the information terminal under its own router. Judge that there is no. Then, the LAN side routing processing unit 17 outputs the user data packet to the IPSec encryption unit 16, and the IPSec encryption unit 16 performs the IPSec encryption.

  The WAN side routing processing unit 14 of the router device 1-1 acquires the IP address of the router device 1-2 that is an adjacent router IP address from the route information table 22, and assigns the IP packet as the gateway IP address 20. Then, the WAN line transmission interface 12 sends the user data packet to the router device 1-2. As a result, the user data packet is sent to the router device 1-2 which is the gateway IP address 20.

  Next, the WAN line reception interface 11 of the router device 1-2 receives the user data packet, and the IPSec decoding unit 15 decodes the user data packet input via the WAN side routing processing unit 14. The LAN side routing processing unit 17 analyzes the user data packet. Specifically, the LAN side routing processing unit 17 checks whether or not the destination IP address of the user data packet is stored in the LAN side information terminal IP address table 23, and the user data packet is subordinate to the own router device. It is determined whether it is addressed to the information terminal. In this case, the LAN side routing processing unit 17 confirms that the IP address of the information terminal 3-6 is not stored in the LAN side information terminal IP address table 23, and the user data packet is not addressed to the information terminal under its own router. Judge that there is no. Then, the LAN side routing processing unit 17 outputs the user data packet to the IPSec encryption unit 16, and the IPSec encryption unit 16 performs the IPSec encryption.

  The WAN side routing processing unit 14 of the router device 1-2 acquires the IP address of the router device 1-3, which is an adjacent router IP address, from the route information table 22, and assigns the IP address as the gateway IP address 20. Then, the WAN line transmission interface 12 sends the user data packet to the router device 1-3.

  Next, the WAN line reception interface 11 of the router apparatus 1-3 receives the user data packet, and the IPSec decoding unit 15 decodes the user data packet input via the WAN side routing processing unit 14. As described above, the LAN side routing processing unit 17 analyzes the user data packet. In this case, the LAN side routing processing unit 17 confirms that the IP address of the information terminal 3-6 is stored in the LAN side information terminal IP address table 23, and the user data packet is addressed to the information terminal under its own router. Judge that there is. The LAN line transmission interface 18 transmits a plain text user data packet to the information terminal 3-6 via the LAN device 2-3 and the LAN line 5-3.

[Communication method / when there is no information terminal on the receiving side]
Next, a communication method when there is no information terminal on the receiving side will be described in detail by taking the information terminal 3-1 and the information terminal 3-x that does not exist in the CUG as an example. The above-described data is stored in the route information table 22 of the WAN side routing processing unit 14 and the LAN side information terminal IP address table 23 of the LAN side routing processing unit 17 in the router apparatuses 1-1 to 1-i, respectively. Shall.

  The information terminal 3-1 creates a user data packet having the IP address of the information terminal 3-x as the destination IP address and the own IP address as the source IP address. Then, the information terminal 3-1 transmits the user data packet to the router device 1-1 via the LAN line 5-1 and the LAN device 2-1.

  The router apparatuses 1-1 and 1-2 execute the same processes as those described above. Similarly, the router devices 1-3 and 1-i also execute the same processing as the processing of the router devices 1-1 and 1-2 described above. In this case, the IP address of the information terminal 3-x that is the destination IP address of the user data packet is not stored in the LAN-side information terminal IP address table 23 of each LAN-side routing processing unit 17. Accordingly, each LAN side routing processing unit 17 determines that the user data packet is not addressed to the information terminal under its own router. Then, the WAN line transmission interface 12 of the router apparatus 1-i sends the user data packet to the router apparatus 1-1.

  Next, the WAN line reception interface 11 of the router device 1-1 receives the user data packet, and the IPSec decoding unit 15 decodes the user data packet input via the WAN side routing processing unit 14. The LAN side routing processing unit 17 analyzes the user data packet. Specifically, the LAN side routing processing unit 17 checks whether or not the IP address of the information terminal 3-1 that is the originating side IP address of the user data packet is stored in the LAN side information terminal IP address table 23. Then, it is determined whether or not the user data packet has visited the ring network. In this case, the LAN side routing processing unit 17 confirms that the IP address of the information terminal 3-1 is stored in the LAN side information terminal IP address table 23, and the user data packet circulates through the ring network. It is determined that there is no destination. Then, the LAN side routing processing unit 17 of the router device 1-1 discards the user data packet.

[Route information acquisition method]
Next, the method by which the router apparatus 1-1 acquires route information will be specifically described. FIG. 3 shows an example of a format of a control packet for collecting route information from each router device. The control packet includes a header 30 having a destination IP address 31 and a source IP address 32 and a payload 33 having an IP address table 34.

  The WAN side routing processing unit 14 of the router device 1-1 adds its own IP address to the end of the IP address table 34 of the payload 33 shown in FIG. 3, and the adjacent router device 1-2 is added to the destination IP address 31 of the header 30. And the own IP address is assigned to the source IP address 32 of the header 30 to create a control packet. Then, the WAN line transmission interface 12 sends a control packet to the router device 1-2 via the WAN line 4. In this case, when the router apparatus 1-1 creates a control packet for the first time, only the IP address of the router apparatus 1-1 is stored in the IP address table 34 of the control packet. It is assumed that the IP address of the adjacent router device 1-2 is preset in the router device 1-1. Hereinafter, similarly, it is assumed that the IP addresses of the adjacent router apparatuses 1-3 to 1-1 are set in advance in the router apparatuses 1-2 to 1-i.

  The WAN line reception interface 11 of the router apparatus 1-2 receives the control packet via the WAN line 4, and the WAN side routing processing unit 14 adds its own IP address to the end of the IP address table 34 of the payload 33, The IP address of the adjacent router device 1-3 is assigned to the destination IP address 31 of the header 30, the own IP address is assigned to the transmission source IP address 32 of the header 30, and a control packet is created. Then, the WAN line transmission interface 12 sends a control packet to the router device 1-3 via the WAN line 4.

  The router devices 1-3 and 1-i execute the same processing as the router devices 1-1 and 1-2, respectively. As a result, the IP addresses of the router apparatuses 1-3 and 1-i are sequentially added to the control packet. Then, the WAN line reception interface 11 of the router apparatus 1-1 receives the control packet from the router apparatus 1-i via the WAN line 4. FIG. 4 shows a configuration of a control packet received by the router device 1-1 after circulating through the ring network. The control packet received by the router device 1-1 includes a header 30 having the IP address of the router device 1-1 as the destination IP address 31, and the IP address of the router device 1-i as the source IP address 32; And a payload 33 having IP addresses of −1 to 1-i in the IP address table 34. If the WAN-side routing processing unit 14 determines that the head of the IP address table 34 of the received control packet is the IP address of the own router device 1-1, the WAN-side routing processing unit 14 generates route information based on the IP address table 34. And stored in the route information table 22 of the WAN side routing processing unit 14.

  Next, the WAN-side routing processing unit 14 of the router device 1-1 deletes the IP address of the own router device 1-1 at the head of the IP address table 34 of the control packet, and appends the own IP address at the end thereof. The IP address of the adjacent router device 1-2 is assigned to the destination IP address 31 of the header 30 again, the own IP address is assigned to the transmission source IP address 32 of the header 30, and a control packet is created. Then, the WAN line transmission interface 12 sends a control packet to the router device 1-2 via the WAN line 4.

  The router devices 1-2 to 1-i execute the same processing as that of the router device 1-1 to generate route information and store the route information in the route information table 22 of the WAN side routing processing unit 14, respectively. By repeating such processing, each of the router devices 1-1 to 1-i can circulate the control packet to the network of the ring network and update the latest route information of the entire ring network.

[How to add a router device]
Next, a method for adding a new router device will be specifically described with the router device 1-y as an example. FIG. 5 is a system configuration diagram when a new router device 1-y is added between the router device 1-3 and the router device 1-i in the P2P / CUG communication system shown in FIG. In FIG. 5, the IP address of the adjacent router device 1-i is set to the new router device 1-y by a network administrator or the like. The router device 1-3 is set with the IP address of the adjacent router device 1-y. Then, the SA processing unit 13 of the router apparatuses 1-3 and 1-y establishes an SA with the adjacent router apparatuses 1-y and 1-i and generates an IP tunnel, thereby creating a new router. A new ring network to which the device 1-y is added is reconfigured. Thus, with these settings, a new router device 1-y can be added to the ring network of the P2P / CUG communication system. That is, each of the router apparatuses 1-1 to 1-3, 1-y, and 1-i can circulate control packets with their own IP addresses in this order. The route information table 22 of the WAN side routing processing unit 14 in −3, 1-i stores the route information to which the new router device 1-y is added. Based on these route information tables 22, user data packets are sent to the ring network.

[How to disconnect the router]
Next, taking the router apparatus 1-3 as an example, a method for detaching the router apparatus will be specifically described. FIG. 6 is a system configuration diagram when the router apparatus 1-3 in the P2P / CUG communication system shown in FIG. 1 leaves the ring network. The SA processing unit 13 of the router device 1-2 detects that the SA with the router device 1-3 has disappeared. The WAN side routing processing unit 14 of the router device 1-2 stores the user data packet in the route information table 22 when sending the user data packet to the WAN line 4 because the SA with the router device 1-3 has disappeared. The IP address of the router device 1-3 that is the head IP address of the adjacent neighbor router is deleted.

  Next, the WAN side routing processing unit 14 of the router apparatus 1-2 acquires the IP address of the router apparatus 1-i stored at the head from the route information table 22 after the deletion, and the router apparatus 1- The IP address of i is selected as the neighboring router IP address. The SA processing unit 13 establishes an SA with the router device 1-i and generates an IP tunnel. Then, the WAN side routing processing unit 14 assigns the IP address of the router device 1-i as the gateway IP address 20. Then, the WAN line transmission interface 12 sends the user data packet to the router apparatus 1-i. On the other hand, the route information of each router apparatus 1-1 to 1-i is sequentially updated by the above-described control packet circulation.

[High-speed communication method between specific peers]
Next, taking the information terminal 3-1 and the information terminal 3-6 as examples, a high-speed communication method between specific peers will be specifically described with reference to FIG. The above-described data is stored in the route information table 22 of the WAN side routing processing unit 14 and the LAN side information terminal IP address table 23 of the LAN side routing processing unit 17 in the router apparatuses 1-1 to 1-i, respectively. It shall be. In addition, it is assumed that the IP address of the router device 1-3 is stored in the default router IP address 26 of the router device 1-1.

  The information terminal 3-1 creates a user data packet with the IP address of the information terminal 3-6 as the called IP address, the own IP address as the calling IP address, and the port number as S. Then, the information terminal 3-1 transmits the user data packet to the router device 1-1 via the LAN line 5-1 and the LAN device 2-1.

  The LAN line reception interface 19 of the router device 1-1 receives the user data packet, and the LAN side routing processing unit 17 analyzes the user data packet. Specifically, the LAN side routing processing unit 17 checks whether or not the destination IP address of the user data packet is stored in the LAN side information terminal IP address table 23, and the user data packet is subordinate to the own router device. It is determined whether it is addressed to the information terminal. Further, it is confirmed whether or not a special port number S is set in the user data packet, and it is determined that either the direct communication of the user data packet or the communication through the ring network using the IP tunnel is performed. In this case, the LAN side routing processing unit 17 confirms that the IP address of the information terminal 3-6 is not stored in the LAN side information terminal IP address table 23, and the user data packet is not addressed to the information terminal under its own router. Judge that there is no. In addition, in order to confirm that a special port number S is set and realize a function corresponding to the port number S stored in the port number table 24, direct communication is performed without performing encryption and WAN side routing processing. Determine to do. Then, the WAN line transmission interface 12 acquires the IP address of the router device 1-3 that is the default router IP address 26, assigns the IP address as a gateway address, and sends the user data packet to the router device 1-3. .

  Next, the user data packet is transferred by the IP transfer function of the WAN line 4. When the WAN line reception interface 11 of the router apparatus 1-3 receives the user data packet and the WAN side routing processing unit 14 confirms that a special port number is set in the user data packet, the port number table 25 In order to realize the function corresponding to the port number S stored in the network, the user data packet is directly output to the LAN side routing processing unit 17 without going through the IPSec decoding unit 15. The LAN side routing processing unit 17 confirms whether or not the destination IP address of the user data packet is stored in the LAN side information terminal IP address table 23, and the user data packet is addressed to the information terminal under its own router device. Determine whether or not. In this case, the LAN side routing processing unit 17 confirms that the IP address of the information terminal 3-6 is stored in the LAN side information terminal IP address table 23, and the user data packet is addressed to the information terminal under its own router. Judge that there is. The LAN line transmission interface 18 transmits the user data packet to the information terminal 3-6 via the LAN device 2-3 and the LAN line 5-3.

  As described above, according to the embodiment of the present invention, the router device 1-1 is connected to the router devices 1-2 and 1-i using the IP tunnel in the tunneling mode of IPSec, and the router device 1-2 is Are connected to router apparatuses 1-3 and 1-1 using IP tunnels in IPSec tunneling mode, and router apparatus 1-3 is connected to router apparatuses 1-i and 1-2 using IP tunnels in IPSec tunneling mode. The router device 1-i is connected to the router devices 1-1 and 1-3 using an IP tunnel in IPSec tunneling mode, and is a logical ring network including the router devices 1-1 to 1-i. Was configured. Thereby, each router apparatus 1-1 to 1-i can perform P2P communication with all the router apparatuses in the CUG through two SA and IP tunnels.

  Further, according to the embodiment of the present invention, the router apparatuses 1-1 to 1-i additionally write their own IP addresses to circulate control packets to the ring network and acquire route information. Thereby, whenever it receives the control packet after a circulation, it can be updated to new route information.

  According to the embodiment of the present invention, when a new router device 1-y is added to the CUG between the router device 1-3 and the router device 1-i, the new router device 1-y and The route information for the two router devices 1-3, 1-i adjacent to each other is changed, and the SA and IP tunnels from the router device 1-y to the router device 1-i and the router device 1-3 to the router device 1-y are changed. Can be established and maintained. As a result, even if there are a large number of router devices that make up a logical ring network, changes to the routing rules are localized and the effect on the entire ring network is reduced, so new router devices can be easily added. it can.

  Further, according to the embodiment of the present invention, when the router device 1-3 is disconnected from the CUG, the router device 1-2 detects the SA and deletes the IP address of the router device 1-3 from the route information table 22. Then, a new router device 1-i is selected to establish an SA and generate an IP tunnel. Thereby, the router apparatus 1-2 can autonomously establish an SA and generate an IP tunnel without disconnecting the communication of the entire communication system, and can reconfigure the ring network.

  In addition, according to the embodiment of the present invention, by using a special port number S, direct communication is performed between peers of the router device without going through a ring network using an IP tunnel. As a result, even when congestion occurs in a part of the ring network, a wide band can be secured and high-speed communication can be realized. Further, the security of peer-to-peer communication can be maintained by applying a secure socket layer (SSL / Secure Sockets Layer) that does not encrypt the port number, for example.

  Although the present invention has been described with reference to the embodiments, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the technical idea thereof. For example, in the above embodiment, as illustrated in FIG. 1, the router devices 1-1 to 1-i are connected to the WAN line 4, and the information terminals 3-1 to 3-k are connected to the LAN lines 5-1 to 5- However, the information terminal may be directly connected to the WAN line 4 by mounting the function of the router device on the information terminal. In this case, a ring network is configured by the router device and the information terminal in which the router device function is implemented. That is, when an information terminal directly connected to the WAN line 4 receives a user data packet via the WAN line 4, the information terminal compares the destination IP address of the user data packet with its own IP address. It is determined whether it is addressed to the information terminal. If the IP addresses match, it is processed as a user data packet addressed to its own information terminal. On the other hand, if the IP addresses do not match, IPSec encryption is performed, and the user data packet is sent to the adjacent router device or another information terminal directly connected to the WAN line 4. In addition, the originating IP address of the user data packet is compared with its own IP address, and if they match, the receiving router device or information terminal is not present and the user data packet is discarded.

  In the above embodiment, when the router apparatuses 1-1 to 1-i determine that the user data packet received from the WAN line 4 is not addressed to the information terminal under its own router, the router apparatus 1-1 to 1-i performs IPSec encryption of the user data packet. The user data packet received from the WAN line 4 is stored before being decrypted, and is stored without decryption, and the stored user data packet before decryption is transmitted. May be sent to the WAN line 4.

  Further, in the above embodiment, the router apparatus 1-1 to 1-i circulates the control packet after adding its own IP address. However, when the circulation cycle is short and the route information is frequently updated. Alternatively, cyclic control may be performed by sending a control packet based on an appropriate timer value.

  In the above-described embodiment, the router device 1-3 has been detached from the CUG and physically removed. However, the router device 1-3 itself or a WAN line 4 may cause a router device 1-3 failure. Even if 1-3 is unintentionally disconnected, the same operation is performed, and the SA can be autonomously established and the IP tunnel can be generated without disconnecting the communication system as a whole, and the ring network can be reconfigured. Can do.

It is the figure which simplified the ring network of the P2P / CUG communication system which concerns on embodiment of this invention. It is a figure which shows the function structure of the router apparatus of FIG. It is a figure which shows the format of a control packet. It is a figure which shows the structure of the control packet after circulating a ring network. It is a figure which shows the P2P communication system at the time of adding a new router apparatus. It is a figure which shows the P2P communication system at the time of separating a router apparatus.

Explanation of symbols

1, 1-1 to 1-i, 1-y router device 2, 2-1 to 2-j LAN device 3, 3-1 to 3-k, 3-x information terminal 4 WAN line 5, 5-1 to 5-m LAN line 11 WAN line reception interface 12 WAN line transmission interface 13 SA processing unit 14 WAN side routing processing unit 15 IPSec decryption unit 16 IPSec encryption unit 17 LAN side routing processing unit 18 LAN line transmission interface 19 LAN line reception interface 20 Gateway IP address 21 Own router IP address 22 Route information table 23 LAN side information terminal IP address table 24, 25 Port number table 26 Default router IP address 30 Header 31 Destination IP address 32 Source IP address 33 Payload 34 IP address table

Claims (16)

User data packets from the communication device that is the transmission source or the originating device of the communication terminal to the communication device that is the transmission destination or the destination device of the communication terminal under an IP network including a plurality of communication devices to which the communication terminal is connected A peer-to-peer communication method for transmitting
The communication device
Create an IP tunnel by IPSec with an adjacent communication device to configure a ring network,
The user data packet generated using the IP address of the called device as the called IP address and the IP address of the calling device as the calling address is encrypted,
The IP address of the communication device adjacent to the communication device is assigned to the user data packet as a gateway IP address,
A peer-to-peer communication method, comprising: transmitting the user data packet to a communication device addressed to a gateway IP address using the IP tunnel. The peer-to-peer communication method according to claim 1,
The communication device that has received the user data packet includes:
Decode the user data packet, compare the destination IP address of the user data packet with the IP address of the communication device of its own,
A peer-to-peer communication method characterized in that if the IP addresses match, the user data packet is processed assuming that the communication device is the called device. The peer-to-peer communication method according to claim 1 or 2,
The communication device that has received the user data packet includes:
Decoding the user data packet, comparing the destination IP address of the user data packet with the IP address of the communication terminal connected as the subordinate of the own communication device,
A peer-to-peer communication method comprising: transmitting a user data packet to a communication terminal assuming that the communication terminal connected as a subordinate of the communication apparatus is a destination apparatus when the IP addresses match. The peer-to-peer communication method according to claim 2 or 3,
The communication device that has received the user data packet includes:
A peer-to-peer communication method, comprising: transmitting an encrypted user data packet or an undecrypted user data packet to a communication device adjacent to the communication device when the IP addresses do not match. The peer-to-peer communication method according to claim 2 or 3,
The communication device that has received the user data packet includes:
Decoding the user data packet, comparing the originating IP address of the user data packet with the IP address of the own communication device or the IP address of the communication terminal connected as a subordinate of the own communication device,
A peer-to-peer communication method, comprising: discarding a received user data packet when the IP addresses match. The peer-to-peer communication method according to any one of claims 1 to 5,
The communication device constituting the ring network is:
A peer-to-peer communication method characterized by sequentially circulating control packets to which an IP address of its own communication device is added to generate route information of the communication devices constituting the ring network. The peer-to-peer communication method according to claim 6,
When a new third communication device is added between the first communication device and the second communication device constituting the ring network,
The IP address of the second communication device is set as the IP address of the communication device adjacent to the third communication device in the third communication device,
In the first communication device, the IP address of the third communication device is set instead of the IP address of the second communication device already set as the IP address of the communication device adjacent to the first communication device. ,
An IP tunnel was created by IPSec between the first communication device and the third communication device and between the third communication device and the second communication device, and a new third communication device was added. A peer-to-peer communication method comprising a ring network. The peer-to-peer communication method according to claim 6,
When any one of the plurality of communication devices leaves the ring network,
The communication device constituting the ring network is:
Detects the separation of an adjacent communication device, deletes the IP address of the separated adjacent communication device from the generated route information, selects a new adjacent communication device, and establishes a connection with the newly adjacent communication device A peer-to-peer communication method comprising: forming an IP tunnel by IPSec and configuring a ring network excluding the disconnected communication device. The peer-to-peer communication method according to any one of claims 1 to 8,
The communication device connected to the communication device that is the calling device or the communication terminal that is the calling device is:
In a predetermined case, a user data packet is directly transmitted to a communication device that is a destination device or a communication device that is connected to a communication terminal that is a destination device without using an IP tunnel based on IPSec. To peer-to-peer communication method. User data packets from the communication device that is the transmission source or the originating device of the communication terminal to the communication device that is the transmission destination or the destination device of the communication terminal under an IP network including a plurality of communication devices to which the communication terminal is connected A peer-to-peer communication system for transmitting
The communication device
A secure processing unit that creates an IP tunnel by IPSec with an adjacent communication device to form a ring network;
An encryption unit for encrypting a user data packet generated using the IP address of the called device as the called IP address and the IP address of the calling device as the calling address;
A first routing processing unit that assigns an IP address of a communication device adjacent to the communication device to a user data packet as a gateway IP address;
A peer-to-peer communication system comprising: a transmission interface for transmitting the user data packet to a communication device addressed to a gateway IP address using the IP tunnel. The peer-to-peer communication system according to claim 10,
The communication device constituting the ring network further includes:
A receiving interface for receiving user data packets;
A decoding unit for decoding the received user data packet;
The destination IP address of the user data packet is compared with the IP address of the own communication device or the IP address of the communication terminal connected as a subordinate of the own communication device, and the IP address of the own communication device is If there is a match, the user data packet is processed as if the communication device of interest is the called device, and if the IP address of the communication terminal matches, the user data is transmitted to the communication terminal as if the communication terminal is the called device. Send a packet,
If the IP addresses do not match,
Second routing processing for sending the user data packet encrypted by the encryption unit or the user data packet before decryption to the communication device adjacent to the communication device via the first routing processing unit and the transmission interface A peer-to-peer communication system comprising a unit. The peer-to-peer communication system according to claim 11,
The second routing processing unit of the communication device configuring the ring network further includes:
Compare the originating IP address of the user data packet with the IP address of the own communication device or the IP address of the communication terminal connected under the control of the own communication device,
A peer-to-peer communication system, wherein when the IP addresses match, the received user data packet is discarded. In the peer-to-peer communication system according to any one of claims 10 to 12,
The first routing processing unit of the communication device constituting the ring network further includes:
A peer-to-peer communication system characterized in that a control packet to which an IP address of its own communication device is added is sequentially circulated to generate route information of the communication device constituting the ring network. The peer-to-peer communication system according to claim 13,
When a new third communication device is added between the first communication device and the second communication device constituting the ring network,
In the secure processing unit of the third communication device, the IP address of the second communication device is set as the IP address of the communication device adjacent to the third communication device, and the second communication adjacent to the third communication device using the IP address. Create an IPSec IP tunnel with the device,
The secure processing unit of the first communication device uses the IP address of the third communication device instead of the IP address of the second communication device already set as the IP address of the communication device adjacent to the first communication device. A ring network in which an IP address is set, an IP tunnel by IPSec is generated between the adjacent third communication apparatuses using the IP address, and a new third communication apparatus is added is configured. Peer-to-peer communication system. The peer-to-peer communication system according to claim 13,
When any one of the plurality of communication devices leaves the ring network,
The first routing processing unit of the communication device constituting the ring network deletes the IP address of the separated adjacent communication device from the generated route information, and selects a new adjacent communication device,
The secure processing unit detects a disconnection of an adjacent communication device, generates an IP tunnel by IPSec with the newly adjacent communication device selected by the routing processing unit, and removes the disconnected communication device A peer-to-peer communication system comprising a network. The peer-to-peer communication system according to any one of claims 10 to 15,
The communication device connected to the communication device that is the calling device or the communication terminal that is the calling device is:
In a predetermined case, a user data packet is directly transmitted to a communication device that is a destination device or a communication device that is connected to a communication terminal that is a destination device without using an IP tunnel based on IPSec. Peer-to-peer communication system.

Images