JP2009055418A - Communicating system, relay device, terminal, relay processing method, and its program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress occurrence of sequence abnormality and communication abnormality at a partner terminal while utilizing a communication system by a TCP splicing system in order to suppress relay device load. <P>SOLUTION: A communication system performs a communication request from a terminal and a response via communication management device and performs data communication between terminals via a relay device. The terminal includes a TCP processing part for opening TCP connection between it and the relay device; and an SSL session opening processing part for performing message exchange for opening an SSL session. The relay device includes relay means (packet receiving part, packet allocation part, TCP processing part, SSL session opening processing part, connection coupling information management part, packet allocation information management part, connection management table, header rewriting part and packet transmission part) which acquires destination information for relay and performs data transfer to the destination terminal by rewriting a header of data without performing TCP processing of data between it and the terminal upon transfer of the data. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a communication system, a relay device, a terminal, a relay processing method, and a program thereof, and more particularly to a communication relay method between terminals connected under a firewall.

  In recent years, from the viewpoint of security, in particular, companies often have firewalls installed for each department and site. Since the firewall is installed for the purpose of preventing attacks from the outside, communication between departments and bases is blocked by the firewall. To realize communication through a firewall, there is a method for realizing communication by changing the firewall setting.

  In this case, the administrator must set permission / non-permission of communication for each user and each communication application, and the management cost is high, and the security cannot be maintained due to a setting error of the administrator, etc. Will occur. Therefore, a relay server is arranged in the global network environment, and communication is performed between the terminal and the relay server for relaying. In this case, between the terminal and the relay server, a communication port permitted by the firewall must be used.

  In this regard, according to Non-Patent Document 1, SSL (Secure Socket Layer) communication using the port 443 of TCP (Transmission Control Protocol) (see Non-Patent Document 2) may be permitted as a firewall operation method. Many. Therefore, communication through a firewall is realized by using SSL communication between the terminal and the relay server and transferring data to the relay destination by the relay server (see Non-Patent Document 1).

  TCP communication is performed between the terminal and the relay server. However, since retransmission control is performed to achieve reliable communication, the relay server has a higher processing load as the number of sessions to be relayed increases. Become. As a TCP communication relay method, there is a TCP splicing method in which a packet is rewritten and relayed to a relay destination connection without performing TCP processing with a high processing load in the relay server as described above (Non-patent Document 3). reference).

According to this method, the operation for establishing a TCP connection is the same as when TCP communication is performed on the transmission side and the reception side, and is performed between the terminal and the relay server. From the data transfer, the above header information is rewritten and transferred. It is carried out. For the purpose of guaranteeing the order, the described sequence numbers are rewritten using the difference value of the initial sequence numbers determined by the connection opening operation between the terminal and the relay server (see f1 to f12 in FIG. 18). ).
Masaya Noribo, “Special feature: I saw how to use it! Production, SSL-VPN (Part 1) Why SSL-VPN? Let's solve simple questions”, [online], June 17, 2007, @IT (Registered trademark), [Search on July 27, 2007], Internet <http://www.atmarkit.co.jp/fnetwork/tokusyuu/25sslvpn/01.html> RFC793, TRANSMISSION CONTROL PROTOCOL DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION, September 1981 DA Maltz, et al., “TCP Splice application layer proxy performance,” Jornal of High Speed Networks, Volume 8, Issue 3, 1999, p.225-240

  However, the related technology described above has the following problems.

  The first problem is that when performing communication across a firewall using a relay device, when performing relay processing by performing TCP processing in the relay device, the processing load increases because TCP performs retransmission control and flow control. is there.

  The second problem is that when TCP splicing is used as a relay method in firewall crossing communication using a relay device, a TCP packet for establishing an SSL session is exchanged between the terminal and the relay device after the TCP connection is established. Therefore, the difference value of the sequence number of the TCP connection for communication between terminals is different from the difference value of the initial sequence at the time of connection establishment. Therefore, there is a problem that sequence abnormality occurs if the conventional TCP splicing method is applied as it is. In addition, even if data transfer starts, the packet transferred for establishing the SSL session is also received and transferred by the relay device due to retransmission due to packet loss in the network, and a communication error occurs at the partner terminal. There is also a problem.

  An object of the present invention is to use a communication system based on a TCP splicing method in which a packet header is rewritten and relayed to a relay destination connection without performing TCP processing in order to suppress the load on the relay device, and at a sequence abnormality and a partner terminal. Is to suppress the occurrence of communication abnormality.

  In order to achieve the above object, a communication system according to the present invention is a communication system that performs a communication request and response from a terminal via a communication management device, and performs data communication between the terminals via a relay device, The terminal includes a TCP processing unit that establishes a TCP connection for data communication with the relay device, and an SSL session establishment processing unit that exchanges messages for establishing an SSL session for data communication, and the relay device Obtains destination information for relaying data between the terminals, and rewrites the data header to transfer data to the destination terminal without performing TCP processing of data with the terminal during data transfer. It has a relay means.

  The relay device according to the present invention relays data communication between terminals having a TCP processing unit for establishing a TCP connection for data communication and an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication. It is a relay device, acquires destination information for relaying data between the terminals, rewrites the data header without performing data TCP processing with the terminal at the time of data transfer, and sends it to the destination terminal It has a relay means for performing data transfer.

  The terminal according to the present invention acquires destination information for relaying data between terminals, rewrites the header of the data without performing TCP processing of data with the terminal at the time of data transfer, A terminal that performs data communication via a relay device having a relay means for performing data transfer, a TCP processing unit that opens a TCP connection for data communication with the relay device, and an SSL session for data communication And an SSL session establishment processing unit for exchanging messages for this purpose.

  The relay processing method according to the present invention relays data communication between terminals having a TCP processing unit for establishing a TCP connection for data communication and an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication. A relay processing method of a relay device that acquires destination information for relaying data between the terminals and rewrites the data header without performing TCP processing of data with the terminals during data transfer And a relay step for transferring data to the destination terminal.

  The program according to the present invention relays data communication between terminals having a TCP processing unit for establishing a TCP connection for data communication and an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication. A relay processing program for an apparatus, which obtains destination information for relaying data between the terminals in a computer, and performs data TCP processing without performing data TCP processing with the terminals during data transfer. It is characterized in that a relay process for rewriting and transferring data to a destination terminal is executed.

  According to the present invention, while using a communication system based on a TCP splicing method that rewrites and relays a packet header to a relay destination connection without performing TCP processing in order to suppress the load on the relay device, the sequence abnormality and the counterpart terminal The occurrence of communication abnormality can be suppressed.

  Hereinafter, various embodiments of a communication system, a relay device, a terminal, a relay processing method, and a program thereof according to the present invention will be described with reference to the drawings.

  First, a first embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is an overall configuration diagram of a communication system according to the present embodiment. The communication system shown in the figure includes a relay device 1, a terminal 10, a terminal 11, a firewall device 100, a firewall device 101, and a communication management device 1000. The relay device 1 and the communication management device 1000 are communicably connected to the terminal 10 under the firewall device 100 and the terminal 11 under the firewall device 101, respectively.

  FIG. 2 is a block diagram of the relay device 1. As shown in the figure, the relay device 1 is composed of, for example, a relay server, and includes a packet reception unit 1-1, a packet distribution unit 1-2, a TCP processing unit 1-3, an SSL session establishment processing unit 1-4, A connection connection information management unit 1-5, a packet distribution information management unit 1-6, a connection management table 1-7, a header rewriting unit 1-8, and a packet transmission unit 1-9. Each of these parts 1-1 to 1-9 constitutes the relay means of the present invention.

  The packet receiving unit 1-1 receives the transmitted packet (data). The packet distribution unit 1-2 transfers the received packet to either the TCP processing unit 1-3 or the header rewriting unit 1-8, and transmits the packet transferred from the TCP processing unit 1-3 to the packet transmission unit 1 And the TCP header information of the packet transferred from the packet distribution unit 1-2 is described in the connection management table 1-7. The TCP processing unit 1-3 performs TCP processing on the received packet. The SSL session establishment processing unit 1-4 establishes an SSL session with the terminal. The connection connection information management unit 1-5 manages information indicating which connection is to be combined among the connections established from the terminal. The packet distribution information management unit 1-6 manages conditions for transferring the received packet to either the TCP processing unit 1-3 or the header rewriting unit 1-8. The connection management table 1-7 manages TCP header information of the connection established with the relay apparatus 1. The header rewriting unit 1-8 rewrites the TCP header to relay the connection. The packet transmission unit 1-9 transmits a packet.

  FIG. 3 is a block diagram of the terminal 10. As shown in the figure, the terminal 10 includes a packet reception unit 10-1, a TCP processing unit 10-2, a communication request response unit 10-3, an SSL session establishment unit 10-4, a destination information notification unit 10-5, an application Unit 10-6 and a packet transmission unit 10-7 for transmitting packets.

  The packet receiving unit 10-1 receives the transmitted packet. The TCP processing unit 10-2 performs TCP processing on the received packet. The communication request response unit 10-3 establishes a connection with the communication management apparatus 1000 and exchanges communication request / response messages between terminals connected to the firewall apparatus. The SSL session establishment unit 10-4 establishes an SSL session with the relay device 1. The destination information notifying unit 10-5 notifies the relay device 1 of communication destination information. The application unit 10-6 performs data communication with the destination terminal. The packet transmitter 10-7 transmits a packet. The terminal 11 has the same configuration.

  FIG. 4 is a block diagram of the communication management apparatus 1000. As shown in the figure, the communication management apparatus 1000 is composed of, for example, a communication management server, and includes a message reception unit 1000-1, a registration message processing unit 1000-2, a communication request / response message processing unit 1000-3, and a terminal / relay. It has a device information management table 1000-4 and a message transmission unit 1000-5.

  The message receiving unit 1000-1 receives the transmitted message. The registration message processing unit 1000-2 registers the identification information in the terminal / relay device information management table 1000-4 by looking at the registration message transmitted for registration of the identification information from the terminal. The communication request / response message processing unit 1000-3 receives the communication request / response message from the terminal, describes the identification information of the relay device, and transfers it. The terminal / relay device information management table 1000-4 describes identifiers such as terminals, relay device IP (Internet Protocol) addresses, and port numbers (see FIG. 8 described later). The message transmission unit 1000-5 transmits the message transferred from the communication request / response message processing unit 1000-2.

  Next, the operation of this embodiment will be described.

  Here, a series of registration and communication request / response message exchange operations performed by the terminal 10 and the terminal 11 and the communication management apparatus 1000, followed by the data communication between the terminal 10 and the terminal 11 via the relay apparatus 1. The operation will be described with reference to the drawings.

1) Registration to Communication Management Device to Communication Request Since the terminal 10 and the terminal 11 are connected under the firewall devices 100 and 101, respectively, messages cannot be directly exchanged. Therefore, a request for communication via the relay device 1 and a response to the request are executed via the communication management device 1000.

  First, the operation from the registration operation to the communication management apparatus 1000 to the communication request will be described with reference to FIG. 3, FIG. 4, and FIG.

  As illustrated in FIG. 6, the terminal 10 first transmits a registration message that can be identified, such as an IP address and a port number, to the communication management apparatus 1000 using the communication request / response unit 10-3 (FIG. 6 -a1). reference). The terminal 11 also transmits a similar message (see FIG. 6-a2). The communication management apparatus 1000 that has received the registration message registers it in the terminal / relay apparatus information management table 1000-4 by the registration message processing unit 1000-2 (see FIG. 6A3). This terminal / relay device information management table 1000-4 registers an IP address and a port number for each ID as shown in FIG.

  The terminal 10 establishes a connection with the relay device 1 to perform data communication with identification information such as the IP address of the terminal 11 in order to request communication with the terminal 11 by the communication request / response unit 10-3. The port number to be used is described in the communication request message and transmitted to the communication management apparatus 1000 (see FIG. 6-a4).

  The communication management apparatus 1000 that has received the communication request message from the terminal 10 adds the identification information of the relay apparatus 1 connected by data communication by the communication request / management message processing unit 1000-3 (see FIG. 6A5). A communication request message is transmitted to the terminal 11 (see FIG. 6-a6). Upon receiving the communication request message, the terminal 11 describes the port number used when establishing a connection with the relay device 1 for data communication, and transmits it to the communication management device 1000 (FIG. 6). See -a7). The communication management apparatus 1000 that has received the communication response message from the terminal 11 adds the identification information of the relay apparatus 1 by the communication request / response message processing unit 1000-3 (see FIG. 6-a8), and sends a response message to the terminal 10. Is transmitted (see FIG. 6-a9). Thereafter, the terminal 10 and the terminal 11 connect to the relay device 1 and perform data communication.

2) Connection to Relay Device to Data Communication The terminal 10 and the terminal 11 connect to the relay device 1 notified from the communication management device 1000 in order to perform communication. Here, since the TCP sequence number is used in the relay processing (header rewriting processing) by the relay device 1, a sequence that proceeds by message exchange will be described later.

  First, the terminal 10 and the terminal 11 establish an SSL session to the relay device 1. In this operation, since the terminal 10 and the terminal 11 perform the same operation, only the operation performed between the terminal 10 and the relay device 1 will be described.

2-1) TCP Connection Opening Operation As illustrated in FIG. 7, the terminal 10 instructs the TCP processing unit 10-2 to open an SSL session with the relay device 1 by using the SSL session opening processing unit 10-4. Upon receiving the instruction, the TCP processing unit 10-2 establishes a TCP connection to the relay device 1, and first, through the packet transmission unit 10-7, sets a SYN (Synchronize flag) in the code bit of the TCP header. A SYN packet set to 1 is transmitted (see FIG. 7-b1). At this time, the terminal 10 determines and transmits an initial sequence number by the TCP processing unit 10-2, and the number is set to 100 (see FIG. 7-b1). Seq # (sequence number: sequence number) and ACK # (acknowledgement number: acknowledgment number) are described in each message in FIG. 7, but Seq # is data in a byte sequence described in each transmitted packet. ACK #, a value sign obtained by adding the sizes of the parts, represents a byte sequence expected to be received next.

  Next, when the relay device 1 receives the SYN packet from the terminal 10 via the packet receiving unit 1-1, the relay device 1 transfers the SYN packet to the TCP processing unit 1-3 via the packet sorting unit 1-2. The IP address, port number, and TCP sequence number described in the header (TCP header and IP header) of the packet transmitted from the terminal are stored in the connection management table 1-7 for each terminal as shown in FIG. (In the example of FIG. 5, the first line is information of the terminal 10 and the second line is information of the terminal 11).

  Thereafter, the packet distribution unit 1-2 describes the header information of the packet from the terminal 10 in the connection management table 1-7. However, the sequence number of the retransmitted packet due to packet loss in the network is not described.

  When the TCP processing unit 1-3 receives the SYN packet via the packet receiving unit 1-1, the relay device 1 receives the SYN ACK packet in which SYN and ACK (acknowledgement flag) in the code bits of the TCP header are set to 1. It is generated and transmitted to the terminal 10 via the packet transmitter 1-7 (see FIG. 7-b2). At this time, the sequence number is Seq # 200, and ACK # is 101, which is the first byte sequence of the sequence number expected to be received next (see FIG. 7-b2).

  Next, when the terminal 10 receives the SYN ACK packet via the packet receiver 10-1, the TCP processor 10-2 generates an ACK packet with ACK in the code bit of the TCP header as 1, Seq # 101 and ACK # 201 are transmitted to the relay apparatus 1 via the packet transmission unit 10-7 (see FIG. 7-b3).

  Next, the relay device 1 receives the ACK packet by the TCP processing unit 1-3 via the packet receiving unit 1-1. At this point, the TCP connection opening operation ends.

2-2) SSL session establishment operation Next, an SSL session is established for communication across the firewall device 100. Here, the SSL session establishment processing unit 10-4 of the terminal 10 and the SSL session establishment processing unit 1-4 of the relay device 1 exchange messages for establishing an SSL session (see FIGS. 7-b4 and b5). At this time, Seq # of terminal 10 proceeds to 7000 and ACK # proceeds to 5001.

  After the establishment of the SSL session, in the terminal 10, the SSL session establishment processing unit 10-4 notifies the destination information notification unit 10-5 of the completion (see FIG. 3). In the relay device 1, the SSL session establishment processing unit 1-4 notifies the connection connection information management unit 1-5 of the completion of the SSL session establishment.

2-3) Message exchange operation for identifying connection to be relayed At the end of SSL session establishment, the relay device 1 cannot determine which connection data should be relayed. Then, a connection pair creation request message describing the destination IP address and the port number acquired by the communication request / response message is notified to the connection connection information management unit 1-5 of the relay device 1 (see FIG. 7-b6).

  At this time, if the connection pair creation request message length is 1000 bytes, the sequence number advances to Seq # 8000 and becomes ACK # 5001. At this time, the connection connection information management unit 1-5 refers to the connection management table 1-7 (see FIG. 5) to identify the connection to be relayed, and uses the same connection pair ID as the connection to be relayed. Identification information is described (in the example of FIG. 5, each connection pair ID of the terminal 10 (first line) and the terminal 11 (second line) is described in the same identification number “X”). Data communication can be started when this pair is created.

2-4) Determination of initial sequence of data transfer and packet distribution operation When data communication is started, the relay device 1 relays the data packet transmitted from the terminal 10 to the terminal 11. In the relay method, the TCP header is rewritten, and the packet on the TCP connection established between the terminal 10 and the relay device 1 is transferred onto the connection established between the terminal 11 and the relay device 1.

  In this header rewriting, the sequence number of the relay destination connection must be rewritten according to the progress. Specifically, when the sequence number of the terminal of the relay destination connection is Seq # 100 and ACK # 200, the packet to be relayed is Seq # because the ACK # is 200, so the 200th and ACK # are Seq Since # is 100, it must be 101.

  Therefore, it is necessary to grasp and convert the sequence number for starting data relay. If the sequence number cannot be accurately grasped, a sequence shift occurs and a communication error occurs. In addition, since the terminal 10 is exchanging messages with the relay device 1 to establish an SSL session and create a connection pair before the start of data relay, there is a possibility that a TCP packet not related to data may be retransmitted. There is also a problem that communication error occurs when the message is transferred to the destination.

  In the conventional TCP splicing method, when a terminal and a server establish a connection, relay is performed by header rewriting processing based on an initial sequence number determined by both.

  On the other hand, in this embodiment, the following initial sequence determination and packet distribution operation are performed using the TCP splicing method.

  First, the relay device 1 calculates a sequence number at the start of data transfer from the size of a message exchanged with the terminal 10 before starting the data transfer. Further, based on the calculated sequence number, it is determined that a packet with a sequence number smaller than the sequence number is not a packet to be transferred to the destination terminal, and the sequence is sent to the TCP processing unit 1-5 of the relay apparatus 1 A packet with a sequence number equal to or greater than the number is determined as a packet to be transferred to the destination terminal, and transferred to the packet sorting unit 1-8.

  Hereinafter, the flow of the above processing will be specifically described with reference to FIG.

  In FIG. 7, the relay apparatus 1 creates a connection pair creation response message immediately before the start of data communication (see FIG. 7-b7) by the connection connection information management unit 1-5, acquires the message size, and distributes the packet. The information management unit 1-6 is notified (see FIG. 7-b8). Here, the message size is 1000 bytes. When the packet distribution information management unit 1-6 acquires the message size 1000 bytes, the packet distribution information management unit 1-6 refers to the connection management table 1-7, and determines the Seq #, ACK # of the terminal 10 immediately before the data start, that is, the data transfer initial sequence number. Calculate (see FIG. 7-b9). Ssq # is added to the sequence number that is advanced when the connection pair creation request message transmitted from the terminal 10 is received by the connection connection information management unit 1-5 to become 8001, and ACK # is the connection pair creation Since the response message increases in size, it becomes 6001 (see FIGS. 5 and 7-b9).

  Thus, when the data transfer initial sequence number is determined, the packet distribution information management unit 1-6 sends a packet Seq # of 8001 or more to the packet distribution unit 1-2 from the terminal 10 In this case, to the header rewriting unit 1-8, when the number is smaller than 8001, to the TCP processing unit 1-3. Similarly, when the ACK # is 6001 or more, the header rewriting unit 1-8 is smaller than the number 6001. A packet distribution rule is instructed to be transferred to the TCP processing unit 1-3 (see FIG. 7-b10).

  Thereafter, the packet distribution information management unit 1-6 requests the connection connection information management unit 1-5 to transmit a connection pair creation response message (see FIG. 7-b11). The connection connection information management unit 1-5 requested to transmit the connection pair creation response message transfers the message to the terminal 10 (see FIG. 7-b12).

  The reason for determining the data transfer initial sequence number from the message size before transmitting the connection request response message to the TCP processing unit 1-3 is that when the message is TCP segmented from the TCP processing unit 1-3 and transmitted. This is because it is not possible to grasp the timing of whether or not the transmission can be completed, and data transmission is started from the terminal 10 and is prevented from being processed by the TCP processing unit 1-3 of the relay device 1.

  After transmitting the connection pair creation response packet, data is transferred from the terminal 10 to the relay device 1 (see FIG. 7-b13). In this case, as shown in b13 of FIG. 7, the data is Seq # 8001 and ACK # 6001. When the packet distribution unit 1-2 receives the packet, the relay device 1 transfers the packet to the header rewriting unit 1-8 based on the packet distribution rule described above, and the header rewriting unit 1-8 uses the packet destination. Rewrite the sequence number.

  In this case, the connection management information of the terminal 11 corresponds to information on the second row of the connection management table 1-7 shown in FIG. Therefore, the packet destination is rewritten to the IP address 5.6.7.8 and the port number 2000. The sequence number is rewritten based on the difference value between the Seq number and the ACK number.

  That is, the packet indicated by b13 in FIG. 7 subtracts the difference value 6000 (= 8001-2001) between the Seq number of the data transfer initial sequence of the terminal 10 and the ACK number of the data transfer initial sequence number of the terminal 11 from the 8001 number. , 2001 (see FIG. 7-b14). Thereafter, the sequence number of the data packet from the terminal 10 is rewritten to a value obtained by subtracting 4000 from the sequence number. The rewritten packet is transferred to the terminal 11 of the relay destination connection (see FIG. 7-b15). Similarly, in the case of the terminal 11 to the terminal 10, the value is similarly rewritten to the value obtained by adding the difference value 1000 (= 6001 to 5001).

  In the data transfer, since the terminal 10 and the terminal 11 have established an SSL session with the relay device 1, the data portion is encrypted by the encryption method determined at the time of session establishment. Therefore, it is conceivable that the terminal 10 and the terminal 11 are encrypted with different encryption methods. When the data is encrypted with a different encryption method, the terminal cannot decrypt the data and cannot communicate. Therefore, when transmitting data, the application unit 10-6 acquires the SSL header information from the SSL session establishment processing unit 10-4, creates an SSL header from this information, and the data is not encrypted. Alternatively, encryption is performed by an encryption method that can be supported by the terminals 10 and 11.

  Therefore, according to the present embodiment, after the TCP connection is established, the TCP packet is exchanged between the terminal and the relay device, and thereafter, when the TCP packet is transferred to the communication partner, a sequence error does not occur. The initial sequence number for transferring data to the communication partner is acquired.

  That is, in the present embodiment, a sequence number for starting data transfer is acquired using the TCP splicing method, the sequence number described in the packet received by the relay device is compared with the sequence number serving as the boundary, and the relay device It is determined whether to transfer to the internal TCP processing unit, to the header rewriting unit, or to the destination terminal. In this way, a sequence for starting data transfer to the communication partner is obtained, and the processing of the packet received by the relay device is determined as the sequence number to be transferred to the communication partner or in the relay device. Therefore, it is possible to realize relay using a TCP splicing method for suppressing the load on the relay device in communication across the firewall using the relay device that could not be realized conventionally.

  In addition, you may comprise a present Example as follows.

  a) When the relay unit acquires the destination information to be relayed, the relay unit may transmit a message for prompting the terminal to start data transmission.

  b) The relay means may acquire a sequence number for starting data transfer when transmitting a message for prompting the start of data communication to the terminal.

  c) The relay means may obtain the sequence number from the message length when creating a message that prompts the start of data transfer.

  d) Based on the acquired sequence number, the relay means rewrites the header for the data after the sequence number and transfers the data to the destination terminal, and for the data of the sequence number before the sequence number TCP processing may be performed to transfer data to the destination terminal.

  e) The terminal may be configured not to encrypt data with the encryption method determined when the SSL session is established with the relay device.

  Next, a second embodiment of the present invention will be described with reference to the drawings.

  FIG. 9 is an overall configuration diagram of a communication system according to the present embodiment. The communication system shown in the figure includes a relay device 2, a terminal 10, a terminal 11, a firewall 100, a firewall 101, and a communication management device 1000. The difference between the present embodiment and the first embodiment is that the relay device 1 is replaced with the relay device 2.

  FIG. 10 shows an internal block of the relay device 2. As shown in the figure, the relay device 2 is similar to the relay device 1 of the first embodiment in that the packet reception unit 2-1, the packet distribution unit 2-2, the TCP processing unit 2-3, and the SSL session establishment. It includes a processing unit 2-4, a connection connection information management unit 2-5, a packet distribution information management unit 2-7, a connection management table 2-8, a header rewriting unit 2-9, and a packet transmission unit 2-10. In addition, the relay device 2 includes a packet relay unit 2-6 and a process switching sequence calculation unit 2-11. Each of these parts 2-1 to 2-11 constitutes the relay means of the present invention.

  The packet relay unit 2-6 relays the packet transmitted from the TCP processing unit 2-3. The process switching sequence calculation unit 2-11 calculates a process switching sequence from the instruction from the packet distribution management unit 2-7 and the progress of the sequence number described in the connection management table 2-8.

  Next, the operation of this embodiment will be described.

  Also in the present embodiment, a series of operations in which the terminal 10 and the terminal 11 perform data communication via the relay device 2 as in the first embodiment will be described with reference to the drawings.

  Since the operation of the present embodiment has many points in common with the first embodiment, the difference will be described with reference to FIGS. 10, 11, and 12. FIG. Since operations performed between the terminal 10 and the relay device 2 and between the terminal 11 and the relay device 2 are the same, only operations performed between the terminal 10 and the relay device 2 will be described.

1) Operation before starting data transfer In the first embodiment, data is relayed by rewriting the TCP header from the start of data transfer after the session is opened, but in this embodiment, after the session is opened, the relay device 2 Relay is performed via the data relay unit 2-6, and relay is performed by rewriting the TCP header. The difference between this embodiment and the first embodiment is that the terminal 10 transmits a connection pair creation request message.

  In FIG. 12, when the relay apparatus 2 receives the message via the packet receiver 2-1 and the connection connection information management section 2-5 (see FIG. 12-c1), the connection connection information management section 2-5 Thus, the connection pair ID is described and a connection pair creation response message is created (see FIG. 12-c2). Next, the connection connection information management unit 2-5 acquires the created message size (see FIG. 12-c3), calculates a data transfer initial sequence number with reference to the connection management table 2-8, 8 (see FIG. 12-c4). Thereafter, the connection connection information management unit 2-5 transmits a connection pair creation response message to the terminal 10 via the packet transmission unit 2-10 (see FIG. 12-c5). As a result, the terminal 10 starts data transfer (see FIG. 12-c6).

2) Start of data transfer In FIG. 12, the relay device 2 receives the data packet from the terminal 10 by the TCP processing unit 2-3 via the packet receiving unit 2-1 and the packet distribution unit 2-2, and the terminal 10 is transmitted to the data relay unit 2-6 (see FIG. 12-c6). In order to transmit data to the relay destination connection, the data relay unit 2-6 transfers the data to the TCP processing unit 2-3, passes through the packet distribution unit 2-2, and then transmits from the packet transmission unit 2-10 to the terminal 11. Sent. In the communication by this relay method, the process proceeds to Seq # 47000 and ACK # 29001 (see FIG. 12-c6).

3) Instruction for switching relay method (from relay through relay processing unit to relay by header rewriting) In FIG. 12, the packet distribution information management unit 2-7 monitors the resource consumption of the relay device 2 and exceeds a certain level. When the consumption is observed (detected) (see FIG. 12-c7), in order to suppress the resource consumption, the relay by header rewriting is performed from the communication via the data relay unit 2-6 that performs TCP processing with a high resource consumption. A process switching instruction is issued to the packet sorting unit 2-2 so as to switch the process to (see FIG. 12-c8). The resources described here represent a CPU (Central Processing Unit), a memory, and the like. Further, not only resource consumption but also switching of a certain number of communication connections or switching of a certain number of relay traffic may be considered.

4) Acquisition of sequence number at switching of relay method In the first embodiment, only the data transfer start sequence number is acquired, but in this embodiment, the header is changed from data relay via the relay processing unit 2-6. In order to perform relay by rewriting, the relay start sequence number by header rewriting is acquired from the amount of data transferred to the destination terminal via the data relay unit 2-6.

  In FIG. 12, the packet distribution unit 2-2 that has received the above-described processing switching instruction communicates with the processing switching sequence calculation unit 2-11 via the data relay unit 2-6 in communication between the terminal 10 and the terminal 11. The terminal 10 and the terminal 11 calculate how much the Seq number and the ACK number are advanced, and issue an instruction to calculate the process switching initial sequence. The process switching sequence calculation unit 2-11 calculates and determines a process switching sequence number as shown in the first row of the connection management table 2-8 in FIG. 11 (see FIGS. 12-c9 and c10). The calculation method is shown below.

  The Seq number of the process switching sequence number of the terminal 10 is 48001, which is obtained by adding 1 to the Seq number 48000 of the connection of the terminal 10 in the connection management table 2-8. The sequence to be advanced by the data transmitted from the terminal 10 to the relay terminal 11 via the data relay unit 2-6 is changed from the Seq number 48001 of the process switching initial sequence number of the terminal 10 to the Seq number 8001 of the data transfer initial sequence number. It will be 40000.

  Therefore, the ACK number of the process switching sequence number of the terminal 11 is the number 41001 obtained by adding 40000 to the ACK number of the data transfer initial sequence number of the terminal 11. The Seq number of the process switching sequence number of the terminal 11 and the ACK number of the process switching sequence number of the terminal 10 are similarly calculated.

  Thereafter, when receiving a packet from the terminal 10 (see FIG. 12-c11), the relay device 2 transfers the packet from the packet sorting unit 2-2 to the header rewriting unit 2-9 (see FIG. 12-c12), and the header. Is rewritten (see FIG. 12-c13) and transferred to the terminal 11 (see FIG. 12-c14). This rewriting method is performed in the same manner as in the first embodiment with reference to the process switching sequence number.

  According to the present embodiment, in addition to the same effects as those of the first embodiment described above, the resource is effectively utilized by switching from the relay that performs TCP processing to the relay by header rewriting according to the processing load of the relay device. Is possible.

  In addition, you may comprise a present Example as follows.

  a) The relay means acquires destination information to be relayed, performs data TCP processing at the time of data transfer, starts data transfer to the destination terminal, and performs data TCP processing without performing data TCP processing in the middle of data transfer. The data may be rewritten and transferred to the destination terminal.

  b) When the resource consumption over a certain level is observed, the relay means switches from the process of performing the data TCP process to the destination terminal to perform the data transfer to the process of performing the data transfer by rewriting the data header. May be.

  c) When relaying more than a certain number of connections, the relay means switches from processing for performing data TCP processing to the destination terminal to perform data transfer to processing for performing data transfer by rewriting the data header. Also good.

  d) When relaying a traffic amount of a certain level or more, the relay unit switches from a process of performing data TCP processing to the destination terminal to perform data transfer to a process of performing data transfer by rewriting the data header. May be.

  e) When the data transfer process is switched, the relay unit acquires the sequence number that is advanced when performing the data TCP process and performs the data transfer, and rewrites the data header from the sequence number and starts the data transfer. You may acquire the sequence number at the time of doing.

  f) Based on the acquired sequence number, the relay means rewrites the header for the data after the sequence number and transfers the data to the destination terminal, and for the data of the sequence number earlier than the sequence number May perform TCP processing to transfer data to the destination terminal.

  g) The terminal may be configured not to encrypt data with the encryption method determined when the SSL session is established with the relay device.

  Next, a third embodiment of the present invention will be described with reference to the drawings.

  FIG. 14 is an overall configuration diagram of a communication system according to the present embodiment. The communication system shown in the figure includes a relay device 3, a terminal 12, a terminal 13, a firewall device 100, a firewall device 101, and a communication management device 1000. The difference between the present embodiment and the first embodiment is that the relay apparatus 1 is replaced with the relay apparatus 3, the terminal 10 is replaced with the terminal 12, and the terminal 11 is replaced with the terminal 13.

  FIG. 14 shows an internal block of the relay device 3. As shown in the figure, the relay device 3 is similar to the relay device 1 of the first embodiment in that the packet reception unit 3-1, the packet distribution unit 3-2, the TCP processing unit 3-4, and the SSL session establishment. It includes a processing unit 3-5, connection connection information management unit 3-6, packet distribution information management unit 3-7, connection management table 3-8, header rewriting unit 3-9, and packet transmission unit 3-10. In addition, the relay device 2 includes a connection connection initial sequence determination unit 3-3 that determines a sequence at the start of data, as shown in FIG. Each of these parts 3-1 to 3-10 constitutes the relay means of the present invention.

  FIG. 15 shows an internal block of the terminal 12. The same applies to the terminal 13. As with the terminal 10 of the first embodiment, the terminal 12 includes a packet receiving unit 12-1, a TCP processing unit 12-2, a communication request response unit 12-3, an SSL session establishment unit 12-4, and a destination information notification unit. 12-5, application section 12-7, and packet transmission section 12-8. In addition, the terminal 12 includes a data transfer start identifier determination unit 12-6 that determines an identifier indicating the start of data transfer and notifies the relay apparatus 3 of the identifier.

  Next, the operation of this embodiment will be described.

  Also in the present embodiment, a series of operations in which the terminal 10 and the terminal 11 perform data communication via the relay device 2 as in the first embodiment will be described with reference to the drawings.

  Since the operation of this embodiment has many points in common with the first embodiment, the difference will be described with reference to FIGS. 14, 15, 16, and 17. FIG. Since the operations performed between the terminal 12 and the relay device 3 and between the terminal 13 and the relay device 3 are the same, only the operation performed between the terminal 10 and the relay device 2 will be described. The operation of this embodiment differs from that of the first embodiment because the terminal 10 transmits a connection pair creation request message.

  In FIG. 17, the terminal 12 determines the data transfer start identifier by the destination information notifying unit 12-6, describes it in the connection pair creation request message, and connects to the relay device 3 via the packet transmitting unit 12-8. It transmits to the joint information management part 3-6 (refer FIG. 17-d1).

  Next, when the relay device 3 receives the connection pair creation request message via the packet reception unit 3-1, the connection connection information management unit 3-6 sets the data transfer start identifier of the data transfer start message in the message. It is acquired (see FIG. 17-d2), and the identifier is notified to the packet distribution information management unit 3-7 (see FIG. 17-d3).

  Next, the packet distribution information management unit 3-7 that has acquired the data transfer start identifier instructs the packet distribution unit 3-2 to rewrite the packet after the sequence number of the packet in which the data transfer start identifier is described. The packet distribution rule is instructed to be transferred to the unit 3-9 (see FIG. 17-d4).

  Next, the packet distribution information management unit 3-7 requests the connection connection information management unit 3-6 to transmit a connection pair creation response message to the terminal 12 (see FIG. 17-d5). Thereby, the connection coupling information management unit 3-6 transmits a connection pair creation response message to the terminal 12 via the packet transmission unit 3-10 (see FIG. 17-d6).

  The destination information notifying unit 12-5 that has received the connection pair creation response message instructs the application unit 12-7 to start data transfer.

1) Data transfer start and data transfer start sequence number acquisition operation In this embodiment, when a terminal starts data transfer, it adds identification information indicating the start of data transfer, and receives a packet to which the identification information is added. Thus, it can be determined that the session establishment message exchange for data relay has been completed, and the packet is received without performing the process of calculating the data transfer start sequence number from the message size as in the first embodiment. It is possible to obtain the data transfer start sequence number from the sequence number at that time.

  Hereinafter, the process will be specifically described with reference to FIG.

  In FIG. 17, the terminal 12 acquires the data transfer start identifier from the data transfer start identifier 12-6 by the application unit 12-7 and writes it at the head of the data. The application unit 12-7 transfers the data to the TCP processing unit 12-2 and transmits the data from the packet transmission unit 12-8 to the relay device 3 (see FIG. 17-d7). When the packet distribution unit 3-2 detects the packet in which the data transfer start identifier is described, the relay device 3 refers to the connection management table 3-8 by the connection coupling initial sequence determination unit 3-3, The combined initial sequence is determined (see FIG. 17-d8).

  Here, the connection pair creation response message transmitted from the relay device 3 to the terminal 12 is the last message immediately before the data transfer, and the TCP sequence number (first line in FIG. 16) of the relay device 3 shown in FIG. Represents the TCP sequence number of the relay device 3 immediately before the start of data transfer. Then, the ACK number of the relay device 3 becomes the Seq number of the data transfer start of the terminal 12, and the one added to the Seq number of the relay device becomes the ACK number immediately before the data transfer of the terminal 12 starts. Accordingly, the connection sequence initial sequence numbers are Seq number 8001 and ACK number 6001. The subsequent operations (see FIGS. 17-d9, d10, and d11) are the same as those in the first embodiment.

  According to the present embodiment, in addition to the same effects as those of the first embodiment described above, the header switching sequence number is obtained using the data transfer start identifier, thereby improving the ease.

  In addition, you may comprise a present Example as follows.

  a) The terminal may have means for describing an identifier indicating the start of data transfer in the data when starting the data transfer. The relay means may determine that the data transfer starts when receiving the data in which the identifier is described, rewrite the data header, and transfer the data to the destination terminal.

  b) When receiving the data in which the identifier indicating the start of data transfer is received, the relay means may rewrite the header of the data and obtain a sequence number for performing the data transfer to the destination terminal.

  c) When the relay means receives the data describing the identifier indicating the start of data transfer, the relay means rewrites the header of the data from the sequence number of the data on the relay device side and transmits a sequence number for performing the data transfer to the destination terminal. You may get it.

  d) The terminal may be configured not to encrypt data with the encryption method determined when the SSL session is established with the relay device.

  Note that the hardware and software configurations of the relay device, the terminal, and the communication management device configuring the communication system of each of the above embodiments are not particularly limited as long as the functions of the above-described units can be realized. . For example, the circuit (or program component) may be configured independently for each function of each unit, or may be configured integrally in one circuit. When the functions of the respective units are realized mainly by software processing by a computer (CPU: Central Processing Unit), a program constituting the software and a computer-readable recording medium recording the program are also included in the scope of the present invention.

  The present invention can be applied to the use of a communication system, a relay device, a relay processing method used for them, and a program thereof. In particular, the present invention can be applied to the use of a communication relay method between terminals connected under a firewall apparatus.

1 is a schematic block diagram illustrating an overall configuration of a communication system according to a first embodiment of the present invention. It is a schematic block diagram which shows the internal structure of the relay apparatus shown in FIG. It is a schematic block diagram which shows the internal structure of the terminal shown in FIG. It is a schematic block diagram which shows the internal structure of the communication management apparatus shown in FIG. It is a figure which shows the detail of the connection management table shown in FIG. It is a sequence diagram explaining operation | movement from registration to a communication management apparatus to a communication request | requirement in the communication system which concerns on a 1st Example. It is a sequence diagram explaining operation | movement from the connection to a relay apparatus to data communication in the communication system which concerns on a 1st Example. FIG. 5 is a diagram showing details of a terminal / relay device information management table shown in FIG. 4. It is a figure which shows the whole structure of the communication system which concerns on 2nd Example of this invention. It is a schematic block diagram which shows the internal structure of the relay apparatus shown in FIG. It is a figure which shows the detail of the connection management table shown in FIG. It is a sequence diagram explaining operation | movement of the communication system which concerns on a 2nd Example. It is a figure which shows the whole structure of the communication system which concerns on 3rd Example of this invention. It is a schematic block diagram which shows the internal structure of the relay apparatus shown in FIG. It is a schematic block diagram which shows the internal structure of the terminal shown in FIG. It is a figure which shows the detail of the connection management table shown in FIG. It is a sequence diagram explaining operation | movement of the communication system which concerns on a 3rd Example. It is a sequence diagram explaining operation | movement at the time of using a TCP splicing system as a relay system in the firewall crossing communication using the relay apparatus which concerns on related technology.

Explanation of symbols

1, 2, 3 Relay device 10, 11, 12, 13 Terminal 100, 101 Firewall device 1000 Communication management device

Claims (26)

A communication system that performs a communication request and response from a terminal via a communication management device and performs data communication between the terminals via a relay device,
The terminal includes a TCP processing unit that establishes a TCP connection for data communication with the relay device, and an SSL session establishment processing unit that performs message exchange for establishing an SSL session for data communication,
The relay device acquires destination information for relaying data between the terminals, rewrites the data header without performing data TCP processing with the terminal during data transfer, and transmits data to the destination terminal. A communication system comprising relay means for performing transfer.   The communication system according to claim 1, wherein the relay unit transmits a message for prompting the terminal to start data transmission when the relay destination information is acquired.   3. The communication system according to claim 1, wherein the relay unit acquires a sequence number for starting data transfer when transmitting a message for prompting the start of data communication to the terminal. 4.   4. The communication system according to claim 1, wherein the relay unit acquires the sequence number from the message length when creating a message that prompts the start of data transfer. 5.   The relay means, based on the acquired sequence number, rewrites the header for the data after the sequence number and transfers the data to the destination terminal, and for the data of the sequence number before the sequence number 5. The communication system according to claim 3 or 4, wherein a TCP process is performed to transfer data to a destination terminal.   The relay means acquires destination information to be relayed, performs data TCP processing at the time of data transfer, starts data transfer to the destination terminal, and rewrites the data header without performing data TCP processing in the middle of the data transfer 2. The communication system according to claim 1, wherein data is transferred to a destination terminal.   When observing resource consumption of a certain level or more, the relay unit switches from a process of performing data TCP processing to the destination terminal to perform data transfer to a process of performing data transfer by rewriting the data header. The communication system according to claim 6.   When the relay means relays more than a certain number of connections, the relay means switches from a process of performing data TCP processing to the destination terminal to perform data transfer to a process of performing data transfer by rewriting the data header. The communication system according to claim 6.   When relaying a traffic amount of a certain level or more, the relay unit switches from a process of performing data TCP processing to the destination terminal to perform data transfer to a process of performing data transfer by rewriting the data header. The communication system according to claim 6.   When the data transfer process is switched, the relay unit obtains a sequence number that is advanced when data transfer is performed by performing data TCP processing, and starts data transfer by rewriting the data header from the sequence number. The communication system according to claim 6, wherein a sequence number for acquiring the sequence number is acquired.   The relay means, based on the acquired sequence number, rewrites the header for the data after the sequence number and transfers the data to the destination terminal, and for the data of the sequence number before the sequence number The communication system according to claim 6 or 10, wherein TCP communication is performed to transfer data to a destination terminal. The terminal has means for describing an identifier indicating the start of data transfer in data at the start of data transfer,
2. The communication system according to claim 1, wherein when the relay unit receives data in which the identifier is described, the relay unit determines that data transfer is started, rewrites a header of the data, and performs data transfer to a destination terminal. .   13. The relay unit obtains a sequence number for performing data transfer to a destination terminal by rewriting a data header when receiving data in which an identifier indicating the start of data transfer is received. The communication system according to 1.   When the relay unit receives data in which an identifier indicating the start of data transfer is received, the sequence number for rewriting the data header and transferring the data to the destination terminal from the data sequence number on the relay device side The communication system according to claim 12, wherein the communication system is acquired.   13. The communication system according to claim 1, wherein the terminal does not encrypt data by an encryption method determined when an SSL session is established with the relay device. 13. A relay device that relays data communication between terminals having a TCP processing unit for establishing a TCP connection for data communication and an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication,
Relay means for acquiring destination information for relaying data between the terminals and performing data transfer to the destination terminal by rewriting the data header without performing data TCP processing with the terminal during data transfer A relay apparatus comprising:   The relay means acquires destination information to be relayed, performs data TCP processing at the time of data transfer, starts data transfer to the destination terminal, and rewrites the data header without performing data TCP processing in the middle of the data transfer The relay apparatus according to claim 16, wherein the data transfer to the destination terminal is performed. The terminal has means for describing an identifier indicating the start of data transfer in data at the start of data transfer,
17. The relay apparatus according to claim 16, wherein the relay unit determines that data transfer starts when data having the identifier described therein is received, rewrites the header of the data, and transfers the data to a destination terminal. . Relay means for acquiring destination information for relaying data between terminals and performing data transfer to the destination terminal by rewriting the data header without performing data TCP processing with the terminal during data transfer A terminal that performs data communication via a relay device having
A TCP processing unit for establishing a TCP connection for data communication with the relay device;
A terminal having an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication.   The terminal according to claim 19, further comprising means for describing an identifier indicating the start of data transfer in the data at the start of data transfer. A relay processing method for a relay device that relays data communication between terminals having a TCP processing unit for establishing a TCP connection for data communication and an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication. And
A relay step of acquiring destination information for relaying data between the terminals and performing data transfer to the destination terminal by rewriting the data header without performing data TCP processing with the terminal during data transfer A relay processing method comprising:   The relay step acquires destination information to be relayed, performs data TCP processing at the time of data transfer, starts data transfer to the destination terminal, and rewrites the data header without performing data TCP processing in the middle of the data transfer The relay processing method according to claim 21, wherein data transfer to a destination terminal is performed. The terminal has means for describing an identifier indicating the start of data transfer in data at the start of data transfer,
The relay process according to claim 21, wherein the relay step determines that data transfer is started when data having the identifier described therein is received, rewrites the header of the data, and performs data transfer to the destination terminal. Method. A relay processing program for a relay device that relays data communication between terminals having a TCP processing unit for establishing a TCP connection for data communication and an SSL session establishment processing unit for exchanging messages for establishing an SSL session for data communication. And
Destination information for relaying data between the terminals is acquired by the computer, and data transfer to the destination terminal is performed by rewriting the data header without performing data TCP processing with the terminal during data transfer. A program that executes a relay process to be performed.   The relay processing acquires destination information to be relayed, performs data TCP processing at the time of data transfer, starts data transfer to the destination terminal, and rewrites the data header without performing data TCP processing in the middle of the data transfer 25. The program according to claim 24, wherein data is transferred to a destination terminal. The terminal has means for describing an identifier indicating the start of data transfer in data at the start of data transfer,
25. The program according to claim 24, wherein the relay processing determines that data transfer is started when data having the identifier described therein is received, rewrites the header of the data, and performs data transfer to the destination terminal.

Images