JP2010057028A - Network address translation control program, network address translation controller, and network address translator control method - Google Patents

Abstract

Provided is a technique for realizing an environment in which communication via a NAT device can be comfortably performed by suppressing both a decrease in entry use efficiency and an increase in inquiry frequency.
A DNS server 11 stores a private address obtained by an FQDN inquiry from a DNS server 21 on the LAN 20 side in a private address cache 11b. An entry creation request for allocating a global address to a private address for the NAT device 30 is performed using the private address stored in the private address cache 11b if it is stored, and if not stored, an inquiry is made to the DNS server 21. Obtain and do. In this way, even if the NAT device 30 does not maintain the entry even after the end of communication, the inquiry frequency for acquiring the private address is suppressed to a low level. Since there is no need to maintain the communication after the end of communication, a decrease in entry utilization efficiency is also suppressed.
[Selection] Figure 1

Description

  The present invention relates to a technique for performing communication between two communication networks whose uniqueness is not guaranteed.

  A unique IP address is assigned as a global address to a node on the Internet. On the other hand, in an organization such as a company, an IP address is uniquely assigned to a node on a constructed communication network as a private address (local address). The private address is valid only within the communication network (eg, LAN) to which it is assigned, and uniqueness with the Internet is not guaranteed. Therefore, a node having a private address and a node on the Internet cannot communicate with each other as they are. Therefore, to enable communication between such different communication networks, private addresses and global addresses are transparently interconverted, that is, private addresses are converted into global addresses and global addresses are converted into private addresses. Network Address Translation (NAT) devices (hereinafter referred to as “NAT devices”) have been commercialized.

  In order to perform mutual conversion of addresses, NAT devices are usually arranged at the boundary between two communication networks that use different addresses (FIG. 1). Address translation is performed with reference to a translation table in which a set of private addresses and corresponding global addresses is registered as an entry. The entry is registered by a request from a DNS (Domain Name System) server on the communication network side where a node that starts communication exists. Therefore, a NAT control device that controls the NAT device is mounted on a DNS server or the like.

  By registering the entry in the conversion table, communication is performed using the global address. Hereinafter, for convenience, it is assumed that a communication network in which a global address is assigned to each node is “WAN”, and a communication network in which a private address is assigned to each node is “LAN”.

When the WAN side node starts communication with the LAN side node, the WAN side DNS server inquires the private address of the node, for example, the DNS server on the LAN side, acquires the private address, and registers the entry as NAT. Request to the device. A conventional DNS server (NAT control device) obtains a global address from the NAT device in response to the request and notifies the WAN side node. For this reason, the global address assigned to the node on the LAN side is saved (cached).
JP 2001-257720 A JP 2004-135008 A Japanese Patent No. 3591420

Conventionally, the following two methods are conceivable as a method for storing the global address of the node on the LAN side.
The first method is simply to cache the WAN side DNS server and the communicating node during the TTL (Time To Live) set when the LAN side DNS server responds to the inquiry.

  The second method is a method in which a global address is cached only by a DNS server on the WAN side without being cached by a node on the WAN side. The cached global address is deleted by the deletion notification of the entry corresponding to the NAT device. Normally, the NAT device deletes the entry registered in the conversion table when the communication ends.

  The first method has a problem that the entry utilization efficiency of the conversion table of the NAT device, that is, the proportion of entries actually used for communication (conversion) among entries registered in the conversion table is reduced. . This is due to caching the global address during TTL at the DNS server and node on the WAN side. More specifically, because the global address is stored elsewhere, the NAT device cannot delete the entry even if communication is completed and the entry is no longer used. There is a limit to the number of entries that can be registered in the conversion table. This is very serious when the ratio of the number of entries that can be registered to the number of nodes (devices) having the possibility of communication is relatively small.

  The second method has a problem that the frequency of inquiries to the DNS server on the LAN side increases, although the entry utilization efficiency of the conversion table of the NAT device does not decrease. The reason is that the DNS server on the WAN side deletes the global address cache in response to the entry deletion notification of the NAT device, so even if there is an inquiry of the same content immediately after that, the inquiry is made again to the DNS server on the LAN side. Because it must be done.

  Both the decrease in entry utilization efficiency and the increase in the inquiry frequency hinder comfortable communication. For this reason, in order to realize an environment in which communication can be performed comfortably, it is important to avoid both a decrease in entry use efficiency and an increase in inquiry frequency.

  An object of the present invention is to provide a technique for realizing an environment in which communication via a NAT device can be comfortably performed by suppressing both a decrease in entry use efficiency and an increase in inquiry frequency.

  In one system to which the present invention is applied, a second address used on the second communication network is assigned to the first address assigned to the first node on the first communication network, and the first address is assigned. And a second address assigned to the first address are assumed to be able to communicate with each other using a network address translation device. A predetermined period after the first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network is acquired. For example, it is stored only during TTL (Time To Live). By the storage, the inquiry frequency for acquiring the first address can be further suppressed. That is, if a second node on the second communication network initiates communication with the first node on the first communication network, that is only when the first address of the first node is not stored. It is only necessary to acquire the first address.

  The assignment of the second address to the first address for the network address translation device is requested using the first address that is stored or newly acquired. The second address assigned to the first address by the network address translation device in response to the request is acquired from the network address translation device and notified to the second node that starts communication.

Even if the network address device side deletes the entry by assigning the second address to the first address at any timing, it does not affect the inquiry frequency of the first address. For this reason, by deleting at the end of the communication, it is possible to minimize the occurrence of a second entry that can be actually allocated but cannot be allocated. Therefore, a decrease in entry utilization efficiency can be minimized. As a result of suppressing both an increase in inquiry frequency and a decrease in entry utilization efficiency, an environment in which communication via the network address translation device can be comfortably realized is realized.

  When the present invention is applied, it is possible to realize an environment in which communication via the NAT device can be comfortably performed by suppressing both the decrease in entry usage efficiency and the increase in inquiry frequency.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
<First Embodiment>
FIG. 1 is a diagram showing a configuration of a communication network system to which a network address translation control device (hereinafter “NAT control device”) according to the first embodiment is applied. In the communication network system, the WAN 10 and the LAN 20 exist as two communication networks having different addresses to be used, and the NAT device 30 is arranged at the boundary between the WAN 10 and the LAN 20. The NAT control apparatus according to the present embodiment is applied in the form of being mounted on the DNS server 11 on the WAN 10 side.

  The DNS server converts the domain name of the computer (node) on the communication network into an IP address. For this reason, a computer whose partner's IP address is not known makes an inquiry (query) to obtain the IP address to the DNS server. In FIG. 1, both the WAN 10 side and the LAN 20 side indicate a node that may make an inquiry and a node that is a target of communication by the inquiry as “host” (host computer). In this way, a node that can start communication among nodes, that is, a node that may make an inquiry to the DNS server, is referred to as a “host” in order to distinguish it from other nodes.

  Both the WAN 10 side and the LAN 20 side can use different private addresses. Here, for convenience of explanation, it is assumed that a global address is used in the WAN 10 and a private address is used in the LAN 20. In FIG. 1, “192.0.2.0/24” and “10.10.10.0.0 / 24” represent a global address and a private address, respectively. The NAT control device according to the present embodiment can be widely used as a device for controlling NAT devices arranged at the boundary of two or more communication networks whose uniqueness is not guaranteed.

  The DNS server 11 on the WAN 10 side includes a NAT control unit 11a that controls the NAT device 30, and the NAT control unit 11a manages the private address cache 11b and the static cache 11c. The caches 11b and 11c correspond to storage areas allocated on a storage device (not shown) such as a semiconductor memory or an external storage device such as a hard disk device.

FIG. 3 shows an example of the contents of the private address cache 11b. FIG. 4 is a diagram illustrating an example of the contents of the static cache 11c.
When the DNS server 11 inquires from the host HS about the IP address specifying the domain name (FQDN: Fully Qualified Domain Name) of the host HA on the LAN 20 side, the DNS server 11 sends the IP address (in this case, the private address) via the NAT device 30. Address) to the DNS server 21 on the LAN 20 side. As a result of the inquiry, the answer obtained from the DNS server 21 is stored. The private address cache 11b is an area for storing the answer (A record). As shown in FIG. 3, the cache 11b stores record type, content (private address), and TTL data for each domain name (FQDN) specified at the time of inquiry. The A record is a record in which information for acquiring an IP address from a domain name is recorded. The NAT control unit 11a stores the answer (A record) for a period indicated by the TTL.

  In order to make an inquiry to the DNS server 21 on the LAN 20 side, information regarding the DNS server 21 is required. The static cache 11c is an area for storing the information. As shown in FIG. 4, the NS record and A record of the DNS server 21 are stored. In the NS record, the domain name is on the LAN 20 side, and the content is the domain name outside the LAN 20.

  An inquiry from the DNS server 11 to the DNS server 21 is made by presenting a domain name (FQDN). In order to answer the inquiry, the DNS server 21 manages a correspondence table of FQDNs and private addresses as shown in FIG. In the correspondence table, for each domain name (FQDN), a private address assigned to the domain name and TTL are registered. Inquiries from the DNS server 11 are made with reference to this correspondence table. The TTL becomes part of the answer to the inquiry.

  The NAT control unit 11a mounted on the DNS server 11 has an address acquisition unit 11f, an address storage unit 11g, an acquisition control unit 11h, an allocation request unit 11i, and a notification unit to enable communication via the NAT device 30. 11j. Each part 11f-j is provided with the following functions, respectively.

  The address acquisition unit 11f makes an inquiry to the DNS server 21 on the LAN 20 side and acquires the A record. The address storage unit 11g stores the acquired A record in the private address cache 11b. The storage is performed for the period indicated by TTL. When the IP address specifying the domain name of the host HA (node) on the LAN 20 side is inquired, the acquisition control unit 11h checks whether the domain name is registered in the private address cache 11b. Only when the domain name is not registered in the cache 11b, an inquiry is made to the DNS server 21 on the LAN 20 side. Thereby, the acquisition of the A record by the address acquisition unit 11f is controlled.

  When the acquisition control unit 11h confirms that the inquired domain name is registered in the cache 11b, the allocation request unit 11i instructs the NAT device 30 to a node having the domain name (for example, the host HA). Request global address assignment. In response to the request, the NAT device 30 returns the assigned global address. The notification unit 11j notifies the returned global address to the node (for example, the host HS) that inquires by specifying the domain name.

  FIG. 2 is a functional configuration diagram of the NAT device 30. The NAT device 30 includes a control reception unit 31 that receives and processes requests from the DNS server 11 and the like. The address pool 22 and the conversion table 33 are managed by the control reception unit 31. The address pool 22 and the conversion table 33 are stored on a storage device (not shown) such as a semiconductor memory.

FIG. 6 is a diagram illustrating an example of the address pool 32. FIG. 7 is a diagram illustrating an example of the conversion table 33.
The address pool 32 is a collection of allocatable global addresses as shown in FIG. As shown in FIG. 7, the conversion table 33 is a table in which a set of private addresses corresponding to a global address is registered as an entry, and an entry number is assigned to each entry. The entries are classified into static entries that are not deleted even when communication is completed, and dynamic entries that are deleted when communication is completed. The static entry has an entry number of 1, and the entry is for always enabling communication with the DNS server 21. A dynamic entry is generated and registered in response to a request from the DNS server on the WAN 10 or LAN 20 side.

  When an entry is registered in the conversion table 33, the global address stored in the registered entry is deleted from the address pool 32. When deleting an entry registered in the conversion table 33, the global address stored in the entry to be deleted is added to the address pool 32. As such, only global addresses that can be assigned are stored in the address pool 32. The assignment of the global address to the private address is canceled by deleting the entry.

  Next, referring to FIG. 1, the operation of the host HS, the DNS servers 11 and 21, and the NAT device 30 will be described in detail by taking as an example the case where the host HS on the WAN 10 side starts communication with the host HA on the LAN 20 side. .

  When starting communication with the host HA on the LAN 20 side, the host HS first queries the DNS server 11 about the IP address of the host HA (sequence S1). In response to the inquiry, the DNS server 11 refers to the static cache 11c, inquires the DNS server 21 about the IP address of the host HA, and receives a corresponding A record from the DNS server 21 (sequence S2). . The A record thus obtained is stored in the private address cache 11b by the DNS server 11.

  After obtaining the A record, the DNS server 11 requests the NAT device 30 to create an entry, that is, requests assignment of a global address to the private address indicated in the A record, and receives a response (sequence S3). Thereafter, the response result is notified to the host HS (sequence S4).

  FIG. 8 is a diagram for explaining an entry created in response to a request from the DNS server 11. FIG. 8A shows data (private address) input from the DNS server 11 at the time of entry creation request, and FIG. 8B shows an entry created by assigning a global address to the private address, that is, an output when entry creation is successful. FIG. 8C shows output data when no global address is assigned.

  When the NAT device 30 is requested to create an entry, the NAT device 30 refers to the address pool 32 and the conversion table 33 and extracts an unused global address. As a result, if an unused global address can be extracted, the extracted global address is assigned to a private address to create an entry as shown in FIG. 8B and register it in the conversion table 33. On the other hand, if a global address that is not used cannot be extracted, data as shown in FIG. 8C is output, and the DNS server 11 is notified of entry creation failure.

  In this way, in the present embodiment, the DNS server 11 on the WAN 10 side further inquires to the DNS server 21 on the LAN 20 side by inquiring the IP address of the LAN 20 side host HA from the host HS that initiates communication. As a result, the obtained private address of the host HA is stored in the private address cache 11b. The storage is performed for a period specified by TTL. For this reason, when the IP address of the host HA is inquired again from the host HS within that period, it is possible to request the NAT device 30 to create an entry without making an inquiry to the DNS server 21. Therefore, the frequency of inquiries to the DNS server 21 can be further suppressed. In order to further suppress the inquiry frequency, it is possible to avoid the necessity of leaving the entry registered in the conversion table 33 managed by the NAT device 30 even after the communication is completed. As a result, both high entry utilization efficiency and low inquiry frequency can be achieved. As a result, an environment in which communication via the NAT device 30 can be comfortably performed is realized. In order to realize such an environment, the NAT control unit 11a mounted on the DNS server 11, that is, the address acquisition unit 11f, the address storage unit 11g, the acquisition control unit 11h, the allocation request unit 11i, and the notification unit 11j function. .

Hereinafter, operations of the DNS server 11 and the NAT device 30 will be described in detail with reference to flowcharts of the processes illustrated in FIGS. 9 to 11.
FIG. 9 is a flowchart of processing executed by the DNS server 11. This processing is executed when an IP address of a host on the LAN 20 side is inquired from a host existing in the WAN 10. First, the operation of the DNS server 11 will be described in detail with reference to FIG.

  First, in step S11, an FQDN query for inquiring the IP address of the host on the LAN 20 side is received from a host on the WAN 10 side (for example, host HS). This query is the same as a general DNS query. For example, when an IP address of the host HA on the LAN 20 side is inquired from the host HS, hostA1.example.com. Which is the FQDN of the host HS is queried.

  In step S12 following step S11, it is determined by investigating whether or not the queried FQDN exists in the private address cache 11b managed by itself. The search key for this survey is FQDN. If the search key FQDN is present in the cache 11b, the determination is T (TRUE) and the process proceeds to step S15. If the search key FQDN does not exist in the cache 11b, the determination is F (FALSE) and the process proceeds to step S13.

  In step S13, the static cache 11c is referred to and the LAN 20 side DNS server 21 is queried to obtain a private address. In the next step S14, the obtained private address (A record) is stored in the private address cache 11b. If the IP address of the host HS on the LAN 20 side is inquired by the storage, the A record shown in FIG. 3 is stored in the cache 11b. After the storage, the process proceeds to step S15.

  The DNS server 11 obtains “ns1.example.com”, which is the FQDN of the DNS server 21 to be inquired, by referring to the static cache 11c using the domain name “example.com.” Of the queried FQDN as a key. Further, the global address “192.0.2.9” of the DNS server 21 is obtained by referring to the static cache 11c using “ns1.example.com.” As a key. By obtaining the global address in this way, an inquiry is made directly to the DNS server 21 via the NAT device 30.

  The DNS server 21 is a general internal DNS server, and has a correspondence table of FQDNs and private addresses as shown in FIG. For this reason, when an inquiry about FQDN is received, the private address is returned with reference to the correspondence table. When the FQDN is “hostA1.example.com.”, The TTL included in this answer is one day as shown in FIG.

In step S15, the NAT device 30 is notified of the private address corresponding to the queried FQDN, thereby requesting that an entry be created and registered in the translation table 33 by assigning a global address. In this entry creation request packet, a private address is stored as shown in FIG.

  In step S16 following step S15, a reply from the NAT device 30 in response to the entry creation request is received, and it is determined whether entry creation has succeeded. At this time, the success or failure of entry creation can be determined by whether or not there is a global address in the return data as shown in FIG. 8B or 8C. If entry creation is successful, the determination is T, and the global address assigned in step S17 is returned to the query source host as a DNS response. At this time, the TTL is set to 0 so that the DNS response is not cached at the query source host. After the reply, the process shown in FIG. On the other hand, if the entry creation fails, the determination is F, and a DNS response code = 3 (the inquired name cannot be found) indicates that an answer to the FQDN queried in step S18 cannot be obtained. Reply to the query source host. At this time, the TTL is set to 0 so that the DNS response is not cached at the query source host. After the reply, the process shown in FIG.

  In this way, the DNS server 11 makes an inquiry for acquiring the private address only when the private address corresponding to the inquired FQDN is not stored in the private address cache 11b. For this reason, the inquiry frequency can be minimized.

  FIG. 10 is a flowchart of processing executed by the NAT device 30 when entry creation is requested from the DNS server 11. Next, the processing will be described in detail with reference to FIG.

  First, in step S21, an entry creation request from the DNS server 11 is accepted. In a succeeding step S22, it is determined whether or not the private address notified by the creation request is already in the conversion table 33. If the private address already exists, the determination is T, and after the global address assigned to the private address is notified to the DNS server 11 in step S25, the processing of FIG. If the private address does not exist, the determination is F, and the process proceeds to step S23.

  In step S 23, it is determined whether there is a global address that can be assigned to the address pool 32. If a global address that can be assigned remains, the determination is T, an entry in which the global address is combined with a private address is created and registered in the conversion table 33 in step S24, and the process proceeds to step S25. If no assignable global address remains, the determination is F, and the DNS server 11 is notified of that in step S26, and then the processing of FIG.

FIG. 11 is a flowchart of processing executed by the NAT device 30 to delete an entry. Finally, the processing will be described in detail with reference to FIG.
First, in step S31, the end of communication is detected on the condition that communication via the NAT device 30 is not performed for a certain period of time. In the subsequent step S32, the communication entry whose end has been detected is deleted from the conversion table 33. Then, the process of FIG. 11 is complete | finished.
In this way, the NAT device 30 deletes the registered entry when the communication ends. For this reason, high entry utilization efficiency is realized.

<Second Embodiment>
DNS may be constructed hierarchically. In that case, it is necessary to make an inquiry for obtaining an IP address (A record) a plurality of times. The DNS on the LAN side is hierarchically constructed, and the DNS server with the FQDN “ns1.example.com” described in the static cache 11c has authority over the domain “example.com.” When the authority of the subdomain “sub.example.com.” Is delegated to the DNS server having “ns2.sub.example.com.” As the FQDN, the FQDN queried from the host on the WAN 10 side is “host-b”. .sub.exapmle.com ", the DNS server 11 needs to make a total of two inquiries. That is, as shown in FIG. 12, the DNS server 11 obtains an NS record with a subdomain “sub.example.com.” And an A record having a private address corresponding to the FQDN of the NS record in the first inquiry. Then, a second inquiry is made with the private address, and the necessary A record is acquired. Therefore, the second embodiment corresponds to the fact that the DNS on the LAN 20 side is constructed hierarchically.

  In the configuration in the second embodiment, the DNS server on the LAN 20 side is different from that in the first embodiment, but the configurations of the DNS server 11 on the WAN 10 side and the NAT device 30 are basically the same as those in the first embodiment. The same. The operation of the DNS server 11 is also mostly the same as in the first embodiment. For this reason, only the parts different from the first embodiment will be described using the reference numerals given in the first embodiment as they are.

  FIG. 13 is a flowchart of processing executed by the DNS server 11 according to the second embodiment. In the second embodiment, a part of the process (FIG. 9) executed by the DNS server 11 is different from the first embodiment. Therefore, the processing will be described in detail with reference to FIG.

  In FIG. 13, the same processing steps as those in the first embodiment are denoted by the same reference numerals as those in FIG. 9. Accordingly, the description will be made in a form that focuses only on the processing steps with reference numerals that do not exist in FIG.

  In the second embodiment, after a query is made to the DNS server on the LAN 20 side in step S13, the process proceeds to step S41, where it is determined whether the answer obtained from the DNS server by the query is an A record. If the answer is an A record, the determination is T and the process proceeds to step S14. If the answer is not an A record, that is, if the answer is an NS record indicating the FQDN of the DNS server in the subdomain as shown in FIG. 12 and an A record indicating the private address corresponding to the FQDN, the determination is made. Becomes F and proceeds to step S42. In step S42, a global address is assigned to the private address indicated by the A record, that is, an entry creation request is made to the NAT device 30, and a DNS server having the private address is inquired. After the inquiry, the process proceeds to step S41 to determine the answer.

  In this manner, in the second embodiment, the processing loop formed in steps S41 and S42 is repeatedly executed until an answer (A record) to the inquiry from the host is obtained. By repeating this, even when the DNS on the LAN 20 side is constructed in a hierarchical manner, it is possible to cope with it.

<Third Embodiment>
The NAT device enables communication between two communication networks whose uniqueness is not guaranteed. In the first embodiment, the NAT device 30 enables communication between the WAN 10 and the LAN 20 as two communication networks. In the third embodiment, communication with another communication network is made possible using another NAT device. In the description of the third embodiment, like the second embodiment, the same reference numerals are used for basically the same components as in the first embodiment, but only the portions different from the first embodiment are noted. To do.

  FIG. 14 is a diagram showing a configuration of a communication network system to which the NAT control apparatus according to the third embodiment is applied. The communication network system is configured to enable communication between the WAN 10 and the LAN 40 via the NAT device 50 by connecting the NAT device 50 to the WAN 10. The LAN 40 has the same configuration as that of the LAN 20, and a DNS server 41 and a host HX exist. In the figure, “192.0.2.254” and “192.0.2.253” indicate global addresses assigned to the NAT devices 30 and 50, respectively.

  In order to enable communication with the LANs 20 and 40 via the two NAT devices 30 and 50, the DNS server 11 equipped with the NAT control device according to the third embodiment has a domain name as shown in FIG. And the NAT device address correspondence table 11d. Based on the correspondence table, the NAT device to be controlled can be specified using the domain name in the FQDN inquired from the host HS as a key.

  FIG. 16 is a flowchart of processing executed by the DNS server 11 according to the third embodiment. In the third embodiment, a part of the process (FIG. 9) executed by the DNS server 11 is different from the first embodiment. Therefore, the process will be described in detail with reference to FIG. The description will be made in such a manner that the processing steps having the same processing contents as those in the first embodiment are given the same reference numerals as those in FIG. 9 and only the processing steps having reference symbols not existing in FIG.

  In the third embodiment, the determination in step S12 is T, or the process proceeds to step S51 upon completion of the process in step S14. In step S51, the correspondence table 11d is searched using the domain name in the FQDN corresponding to the private address confirmed in step S12 or cached in step S14, and the global address of the NAT device is extracted. The NAT device to which the entry creation request is to be transmitted is extracted. The NAT device from which the global address is extracted is determined. The process proceeds to step S15 after the determination.

<Fourth Embodiment>
In the first to third embodiments, the NAT device deletes the entry registered in the conversion table when the communication ends. However, if the number of global addresses that can be allocated or the number of entries that can be registered in the conversion table is relatively large, the usage efficiency does not decrease or the decrease does not occur even if the entry is not deleted due to the end of communication. It can be constrained to be slight. Therefore, in the fourth embodiment, the NAT device keeps the conversion table entry even after the communication is completed depending on the situation, and the NAT control device (DNS server) sets the global address as well as the private address to be stored. It has been made. In the description of the fourth embodiment, like the second and third embodiments, the same reference numerals are used for basically the same components as in the first embodiment, but different parts from the first embodiment. It is done in a form that focuses only on.

FIG. 17 is a diagram for explaining the operation of the conversion table performed when extending the retention period of the registered entry.
In the present embodiment, the entries registered in the conversion table are roughly classified according to whether or not the holding period by holding the communication is extended after the end of communication. Because of this distinction, entries whose retention period is not extended are grouped on the smaller entry number side, and entries whose retention period is extended are continued at the end of entries whose retention period is not extended. To register. The range in which the entries are grouped according to whether or not the retention period is extended is dynamically changed to cope with the change in the number of entries whose retention period is not extended. FIG. 17 shows the contents of the conversion table 33 before and after performing an operation for dynamically changing the range. In the conversion table before operation, an entry whose retention period is extended after entry number 11 is registered. When the retention period of the entry with the entry number 7 is extended, the entry is newly registered as the entry number 10, and an operation for registering the entry previously registered in the entry number 10 as the entry number 7 is performed. By such an operation, the range in which the entry whose retention period is extended is registered is changed. In order to perform such an operation, the entry number located at the head of the entry whose holding period is extended is stored separately.

FIG. 18 is a diagram showing an example of the contents of the global address cache 11 e managed by the DNS server 11.
The DNS server 11 receives a reply from the NAT device 30 that has transmitted the entry creation request. When entry creation is successful, data as shown in FIG. 8B is received from the NAT device 30 as an answer. In response to an inquiry to the DNS server 21, an A record as shown in FIG. 3 is cached in the private address cache 11b. For this reason, in this embodiment, the FQDN and the A record having the global address are cached in the global address cache 11e. The FQDN is used as a key.

  In the fourth embodiment, the DNS server 11 and the NAT device 30 execute the following processing. This will be described in detail with reference to the flowcharts of the processes shown in FIGS. The description will be made in such a manner that only the parts different from the first embodiment are noted by attaching the same reference numerals to the processing steps having the same processing contents as those in the first embodiment.

  FIG. 19 is a flowchart of processing executed by the DNS server 11 according to the fourth embodiment. This processing is executed when an IP address of a host on the LAN 20 side is inquired from a host existing in the WAN 10. First, the operation of the DNS server 11 will be described in detail with reference to FIG.

  In the fourth embodiment, the process proceeds to step S61 after step S11. In step S61, it is determined by examining whether or not the queried FQDN exists in the global address cache 11e. When an A record having the FQDN is present in the cache 11e, the determination is T and the process proceeds to step S17. If such an A record does not exist in the cache 11e, the determination is F and the process proceeds to step S12.

  If the determination in step S16 is T, that is, if entry creation by the NAT device 30 is successful, the process proceeds to step S62 in the fourth embodiment. In step S62, an A record having a global address is created by using the cached A record in the private address cache 11b and the data (FIG. 8B) received as a response from the NAT device 30 this time, and the global address is created. Cache in cache 11e. Thereafter, the process proceeds to step S17.

  FIG. 20 is a flowchart of processing executed by the NAT device 30 according to the fourth embodiment when entry creation is requested from the DNS server 11. Next, the processing will be described in detail with reference to FIG.

In the fourth embodiment, when the determination in step S23 is F, that is, when there are no global addresses that can be assigned to the address pool 32, the process proceeds to step S71. In step S71, it is determined whether there is an entry in the conversion table 33 whose retention period is being extended. The entries registered after the entry number held for the operation shown in FIG. 17 are being extended for the holding period. Therefore, when such an entry exists, the determination is T, and after the entry whose retention period is extended is deleted in step S72, the process proceeds to step S24. If there is no entry whose retention period is extended, the determination is F, and the process proceeds to step S26.

  In this way, in this embodiment, when a global address is no longer allocated, if there is an entry whose retention period is extended, that entry is deleted and a global address is allocated. For this reason, it is possible to avoid a decrease in entry utilization efficiency associated with extending the entry retention period.

  FIG. 21 is a flowchart of processing executed by the NAT device 30 according to the fourth embodiment to delete an entry. Finally, the processing will be described in detail with reference to FIG.

  In the fourth embodiment, the process proceeds to step S81 after step S31, and it is determined whether or not the number of global addresses remaining in the address pool 32 is equal to or less than a threshold value a. If the number of global addresses is equal to or less than the threshold value a, the determination is T, and the process proceeds to step S85. Otherwise, the determination is F and the process proceeds to step S82.

  In step S82, it is determined whether the number of entries in the conversion table 33 is greater than the threshold value e. If the number of entries is greater than the threshold value e, the determination is T and the process proceeds to step S85. If the number of entries is equal to or less than the threshold e, the determination is F, and the process proceeds to step S83.

  In step S83, assuming that the holding period of the entry used for the terminated communication may be extended, an operation as shown in FIG. 17 accompanying the extension of the holding period of the entry is performed on the conversion table 33. . In a succeeding step S84, it is determined whether or not communication using any entry registered in the conversion table 33 is newly started. This determination can be made by referring to the header of the packet received by the NAT device 30. If a packet whose destination is the global address of the entry considered to have ended communication is received again, the determination is T and the process returns to step 31. If a packet having such a global address as a transmission destination has not been received, the determination is F and the process returns to step S81. In this way, monitoring is performed so as not to cause a situation in which the global address is reduced due to the extension of the entry holding period.

  On the other hand, in step S85, if there is an entry whose retention period is extended, the entry is selected as a deletion target, and the DNS server 11 is notified that the selected entry is to be deleted. In a succeeding step S86, it waits for reception of a positive response (ACK: ACKnowledgement) by the notification. The process proceeds to step S32 after receiving ACK.

  The processes in steps S85 and S86 are also executed in the process in step S72 in FIG. Accordingly, in FIG. 19, an entry deletion notification may be received from the NAT device 30 before the determination in step S <b> 16 becomes T. The entry deletion notification is received from the NAT device 30 at any time. Therefore, the DNS server 11 responds by a subroutine process that is executed when the entry deletion notification is received. In the subroutine processing, although not shown in particular, the A record storing the global address indicated by the received entry deletion notification is extracted from the global address cache 11e and deleted.

In the fourth embodiment, an entry whose retention period is extended is deleted when there is no global address that can be allocated. However, an entry is deleted before such a situation occurs. Anyway. Such deletion may be realized by causing the NAT device 30 to execute a process as shown in FIG. 22, for example. FIG. 22 is a flowchart showing a modification of the process shown in FIG. 20, and the same reference numerals are given to the same process steps as those in the first embodiment.

  In the process shown in FIG. 22, after executing the process of step S25, the process proceeds to step S91, and it is determined whether or not there is an entry whose retention period is extended. If there is no entry whose retention period is extended, the determination is T, and the processing shown in FIG. If there is an entry whose retention period is extended, the determination is F, and the process proceeds to step S92.

  In step S92, it is determined whether or not the number of global addresses remaining in the address pool 32 is larger than the threshold value a. If the number of global addresses is larger than the threshold value a, the determination is T, and it is not necessary to delete the entry whose retention period is extended, and the processing shown in FIG. If the number of global addresses is less than or equal to the threshold value a, the determination is F, and after the entry whose retention period is extended is deleted in step S93, the process shown in FIG. In step S93, the processes in steps S85 and S86 are also executed. Thereby, on the DNS server 11 side, the A record of the global address cache 11e is deleted in accordance with the deletion of the entry.

  FIG. 23 is a diagram illustrating an example of a hardware configuration of a computer to which the present invention is applicable. Here, with reference to FIG. 23, the configuration of a computer that can be used as the DNS server 11 equipped with the NAT control device will be described in detail.

  The computer shown in FIG. 23 has a CPU 61, a memory 62, an input device 63, an output device 64, an external storage device 65, a medium drive device 66, and a network connection device 67, which are connected to each other by a bus 68. It has become. The configuration shown in the figure is an example, and the present invention is not limited to this.

The CPU 61 controls the entire computer.
The memory 62 is a memory such as a RAM that temporarily stores a program or data stored in the external storage device 65 (or the portable recording medium MD) during program execution, data update, or the like. The CPU 61 performs overall control by reading the program into the memory 62 and executing it.

  The input device 63 is an interface connected to an operation device such as a keyboard and a mouse. A user operation on the operation device is detected, and the detection result is notified to the CPU 61.

  The output device 64 is a display control device connected to, for example, a display device. The network connection device 67 is for communicating with an external device via a communication network such as an intranet or the Internet. The external storage device 65 is, for example, a hard disk device. Mainly used for storing various data and programs.

The medium driving device 66 accesses a portable recording medium MD such as an optical disk or a magneto-optical disk.
The private cache 11b, the static cache 11c shown in FIG. 1, the correspondence table 11d shown in FIG. 14, and the global address cache 11e shown in FIG. 18 are stored in, for example, the memory 62 or the external storage device 65. The NAT control unit 11a in each of the first to fourth embodiments is stored in the external storage device 65 or the recording medium MD, or the program for controlling the NAT device 30 acquired by the network connection device 67 (network address conversion). This is realized by reading the control program) into the memory 62 and executing it by the CPU 61.

  The computer having the configuration shown in FIG. 23 can be used as the NAT device 30 by further adding the network connection device 67. Similarly, the NAT device 30 in each of the first to fourth embodiments reads a program stored in the external storage device 65 or the recording medium MD or acquired by the network connection device 67 to the memory 62 and the CPU 61 It is realized by executing.

The following additional notes are further disclosed with respect to the embodiment including the above modification.
(Appendix 1)
A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. A computer used as a network address translation control device for controlling a network address translation device that mutually translates the second address;
An address for obtaining a first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network. Acquisition function,
An address storage function for storing the first address acquired by the address acquisition function on a storage device accessible by the computer for a predetermined period;
When a second node on the second communication network initiates communication with the first node on the first communication network, the first address of the first node is stored on the storage device. An acquisition control function for acquiring the first address by the address acquisition function,
A request function for requesting the network address translation device to assign the second address to the first address whose acquisition is controlled by the acquisition control function;
As a result of the request by the request function, the network address translation device acquires the second address assigned to the first address from the network address translation device, and notifies the second node that starts the communication Function and
Network address translation control program for realizing
(Appendix 2)
Another address storage function for storing in the storage device the second address assigned to the first address by the request, obtained from the network address translation device by the notification function;
A second address assigned to the first address of the first node when the second node on the second communication network initiates communication with the first node on the first communication network; A communication control function that controls the acquisition control function, the request function, and the notification function based on the determination result;
The network address translation control program according to appendix 1, further realizing the above.
(Appendix 3)
The network address translation device maintains the assignment of the second address to the first address according to the request based on a situation in which the second address is assigned after the communication is completed,
The other address storage function is configured to delete, from the storage device, the second address to be deassigned in response to the notice of deassignment from the network address translation device.
The network address conversion control program according to appendix 2, characterized in that:
(Appendix 4)
When the communication control function determines that the second address assigned to the first address of the first node is not stored on the storage device, the communication control function enables the acquisition control function and the request function. The second address acquired from the network address translation device by the request function is notified to the second node by the notification means, and the second address assigned to the first address of the first node is If it is determined that the second address is stored on the storage device, the second node stored on the storage device is notified to the second node by the notification unit.
The network address conversion control program according to appendix 2, characterized in that:
(Appendix 5)
A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. In the network address translation control device for controlling the network address translation device that mutually translates the second address,
An address for obtaining a first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network. Acquisition means;
Address storage means for storing the first address acquired by the address acquisition means for a predetermined period;
When a second node on the second communication network initiates communication with the first node on the first communication network, the first address of the first node is stored on the storage device. Acquisition control means for causing the address acquisition means to acquire the first address on the condition that
Request means for requesting the network address translation device to assign the second address to the first address whose acquisition is controlled by the acquisition control means;
As a result of the request by the request means, the network address translation device acquires the second address assigned to the first address from the network address translation device, and notifies the second node that starts the communication Means,
A network address translation control device comprising:
(Appendix 6)
A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. A network address translation device that translates between the second address and a second address by a computer,
An address for obtaining a first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network. Acquisition process;
An address storing step of storing the first address acquired by the address acquiring step on a storage device accessible by the computer for a predetermined period;
When a second node on the second communication network initiates communication with the first node on the first communication network, the first address of the first node is stored on the storage device. An acquisition control step for causing the address acquisition means to acquire the first address on the condition that
A requesting step for requesting the network address translation device to assign the second address to the first address whose acquisition is controlled by the acquisition control step;
As a result of the request in the requesting step, the network address translator obtains a second address assigned to the first address from the network address translator, and notifies the second node that starts the communication. Process,
A network address translation device control method comprising:
(Appendix 7)
A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. A computer used as a network address translation device that mutually translates the second address;
An allocation function for allocating a second address to the first address in response to a request from a network address translation control device existing in one of the first and second communication networks;
A first notification function for notifying the network address translation control device of an allocation result by the allocation function;
The allocation of the second address to the first address by the allocation function is based on the situation of the second address that can be allocated after the communication involving the mutual conversion using the second address is completed. An allocation maintenance function to maintain,
Based on the situation, when the allocation of the maintained second address is canceled by the allocation maintaining function, a second notification for notifying the network address translation control device of the second address to be canceled Function and
A program to realize
(Appendix 8)
A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. In the network address translation device that mutually translates the second address,
Allocating means for allocating a second address to the first address in response to a request from a network address translation control device existing in one of the first and second communication networks;
First notifying means for notifying the network address translation control device of the assignment result by the assigning means;
The assignment of the second address to the first address by the assigning means is based on the situation of the second address that can be assigned after the communication involving mutual conversion using the second address is completed. Quota maintenance means to maintain;
A second notification for notifying the network address translation control device of a second address to be released when the assignment maintaining unit releases the maintained second address assignment based on the situation; Means,
A network address translation device comprising:

It is a figure which shows the structure of the communication network system to which the network address translation control apparatus (NAT control apparatus) by 1st Embodiment was applied. 2 is a functional configuration diagram of a NAT device 30. FIG. It is a figure which shows the example of the content of the private address cache 11b. It is a figure which shows the example of the content of the static cache 11c. It is a figure which shows the example of a correspondence table of FQDN and private address which the DNS server 21 by the side of LAN20 manages. 3 is a diagram illustrating an example of an address pool 32. FIG. It is a figure which shows an example of the conversion table. It is a figure explaining the entry created by the request | requirement from the DNS server. It is a flowchart of the process which the DNS server 11 performs. 6 is a flowchart of processing executed by the NAT device 30 when entry creation is requested from the DNS server 11. It is a flowchart of the process which the NAT apparatus 30 performs in order to delete an entry. It is a figure which shows the example of an answer obtained by an inquiry, when DNS is constructed | assembled hierarchically. It is a flowchart of the process which the DNS server 11 performs (2nd Embodiment). It is a figure which shows the structure of the communication network system to which the NAT control apparatus by 3rd Embodiment was applied. It is a figure which shows the correspondence table 11d example of the domain name and the address of a NAT apparatus which the DNS server 11 manages. It is a flowchart of the process which the DNS server 11 performs (3rd Embodiment). It is a figure explaining operation of the conversion table performed when extending the retention period of the registered entry. It is a figure which shows the example of the content of the global address cache 11e which the DNS server 11 manages. It is a flowchart of the process which the DNS server 11 performs (4th Embodiment). 14 is a flowchart of processing executed by the NAT device 30 when entry creation is requested from the DNS server 11 (fourth embodiment). It is a flowchart of the process which the NAT apparatus 30 performs in order to delete an entry (4th Embodiment). It is a flowchart of the process which the NAT apparatus 30 performs when entry creation is requested | required from the DNS server 11 (modification of 4th Embodiment). It is a figure which shows an example of the hardware constitutions of the computer which can apply this invention.

Explanation of symbols

10 WAN
11, 21, 41 DNS server 11a NAT controller 11b Private address cache 11c Static cache 11d Domain name and NAT device address correspondence table 11e Global address cache 20, 40 LAN
30, 50 NAT device 31 Control accepting unit 32 Address pool 33 Translation table HS, HA, HX Host (node)

Claims (5)

A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. A computer used as a network address translation control device for controlling a network address translation device that mutually translates the second address;
An address for obtaining a first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network. Acquisition function,
An address storage function for storing the first address acquired by the address acquisition function on a storage device accessible by the computer for a predetermined period;
When a second node on the second communication network initiates communication with the first node on the first communication network, the first address of the first node is stored on the storage device. An acquisition control function for acquiring the first address by the address acquisition function,
A request function for requesting the network address translation device to assign the second address to the first address whose acquisition is controlled by the acquisition control function;
As a result of the request by the request function, the network address translation device acquires the second address assigned to the first address from the network address translation device, and notifies the second node that starts the communication Function and
Network address translation control program for realizing Another address storage function for storing in the storage device the second address assigned to the first address by the request, obtained from the network address translation device by the notification function;
A second address assigned to the first address of the first node when the second node on the second communication network initiates communication with the first node on the first communication network; A communication control function that controls the acquisition control function, the request function, and the notification function based on the determination result;
The network address translation control program according to claim 1, further comprising: The network address translation device maintains the assignment of the second address to the first address according to the request based on a situation in which the second address is assigned after the communication is completed,
The other address storage function is configured to delete, from the storage device, the second address to be deassigned in response to the notice of deassignment from the network address translation device.
The network address conversion control program according to claim 2, wherein: A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. In the network address translation control device for controlling the network address translation device that mutually translates the second address,
An address for obtaining a first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network. Acquisition means;
Address storage means for storing the first address acquired by the address acquisition means for a predetermined period;
A second node on the second communication network is a first node on the first communication network.
Acquisition control means for acquiring the first address on the condition that the first address of the first node is not stored on the storage device when communication with the node is started When,
Request means for requesting the network address translation device to assign the second address to the first address whose acquisition is controlled by the acquisition control means;
As a result of the request by the request means, the network address translation device acquires the second address assigned to the first address from the network address translation device, and notifies the second node that starts the communication Means,
A network address translation control device comprising: A second address used on a second communication network is assigned to a first address assigned to a first node on the first communication network, and assigned to the first address and the first address. A network address translation device that translates between the second address and a second address by a computer,
An address for obtaining a first address assigned to the first node that communicates with the second node on the second communication network among the first nodes existing on the first communication network. Acquisition process;
An address storing step of storing the first address acquired by the address acquiring step on a storage device accessible by the computer for a predetermined period;
When a second node on the second communication network initiates communication with the first node on the first communication network, the first address of the first node is stored on the storage device. An acquisition control step for causing the address acquisition means to acquire the first address on the condition that
A requesting step for requesting the network address translation device to assign the second address to the first address whose acquisition is controlled by the acquisition control step;
As a result of the request in the requesting step, the network address translator obtains a second address assigned to the first address from the network address translator, and notifies the second node that starts the communication. Process,
A network address translation device control method comprising:

Images