JP5036752B2 - INTERNETWORK APPARATUS AND METHOD FOR CONVERTING LOCAL ADDRESS COMMUNICATION PORT NUMBER USED WITH LOCAL ADDRESS AND EACH LOCAL ADDRESS AND GLOBAL ADDRESS AND COMMUNICATION PORT NUMBER IN A GLOBAL ADDRESS USED WITH GLOBAL ADDRESS - Google Patents

Description

  The present invention relates to an internetwork apparatus for connecting a plurality of networks, and in particular, an internetwork apparatus having a function of mutually converting a local address used in a specific network and a global address used for communication between the plurality of networks. And its conversion method.

  Conventionally, when communication is performed between a local network using an arbitrarily assigned local address and a global network connecting a plurality of networks using a global address (hereinafter referred to as the Internet), the local network A device having a function of performing address conversion between a local address and a global address is arranged at the boundary between the network and the Internet, and communication between transmitting and receiving terminals is realized by converting both addresses. This address translation function is called Network Address Translation. In order to effectively use a limited global address, the address translation function that increases the number of connectable ports using the TCP / UDP communication port number is called Network Address and Port Translation (Patent Literature). 1). At present, the address translation function generally refers to the latter Network Address and Port Translation. Also in this specification, the address translation function (hereinafter referred to as NAT) refers to Network Address and Port Translation. Conventionally, such an address conversion function has been used in a router or the like that connects to the Internet from a local network in a small household company.

  On the other hand, in recent years, Internet service providers (hereinafter referred to as ISPs) with a large number of users want to accommodate users by assigning local addresses to routers in their ISP network due to lack of global addresses in IPv4. And the needs have increased. In this case, the NAT function is also required at the connection point (carrier edge) between the ISP and the Internet. The NAT at this position is called Carrier Grade NAT (hereinafter referred to as CGN) because the role and required performance of the NAT for connecting a conventional corporate user or individual user with the ISP are greatly different. The router having the CGN function is required to have carrier performance and reliability. Hereinafter, a router having a CGN function is referred to as an internetwork device.

  In an internetwork apparatus, since the number of sessions handled is enormous and the line is high speed, it is necessary to refer to an enormous address / port conversion table at high speed. However, in conventional methods such as linear search and hash search, if the number of sessions handled is large, the number of accesses to the memory storing the address / port conversion table increases proportionally, and address / port conversion is executed at high speed. There was a problem that it became difficult.

JP-A-11-150566

  The present invention has been made to solve the above-described conventional problems, and is a technique capable of reducing the number of accesses to an address / port conversion table in an internetwork apparatus that converts a local address and a global address. The purpose is to provide.

  In order to solve at least a part of the problems described above, the present invention can take the following forms or application examples.

[Application Example 1]
A local address used in a specific network and a communication port number in a local address used together with each local address, a global address used in communication between a plurality of networks, and a communication port number in a global address used together with each global address. An internetwork device for mutual conversion,
A conversion notation that stores an address / port conversion table that associates a local address pair in which a pair of local address and communication port number in the local address is arranged with a global address pair in which a pair of global address and communication port number in the global address is arranged. And
Based on the address / port conversion table, an address conversion process for mutually converting a local address and a communication port number within a local address and a global address and a communication port number within a global address in a packet transmitted and received by communication between a plurality of networks. And
With
In the address / port conversion table, the conversion notation part stores the local address and the global address side by side for each address group.
In the address group, the local address and the global address are each arranged in a linear manner in a memory space.

  According to the internetwork device of Application Example 1, in the address / port conversion table, the local address and the global address are arranged for each address group, and within the address group, the local address and the global address are linearly respectively. Since they are arranged, the access position in the address / port conversion table can be specified by calculation, and the number of accesses to the address / port conversion table can be reduced.

[Application Example 2]
The internetwork device of claim 1, further comprising:
An extraction unit that extracts an address to be converted and a communication port number in the address from the packet used for the communication;
An address group search unit for searching for an address group to which the extracted address belongs;
A difference calculating unit that calculates a difference between the extracted address and the start address of the address group;
Based on the start address of the address group to which the extracted address belongs, the difference, and the extracted communication port number, the position in the address / port conversion table and the address and the address to be converted A pointer that identifies the position corresponding to the communication port number;
An internetwork device comprising:

  According to the internetwork device of application example 2, the access position in the address / port conversion table is specified based on the head address of the address group to which the extracted address belongs, the difference, and the extracted communication port number. The number of accesses to the address / port conversion table can be reduced.

  Note that the present invention can be realized in various modes. For example, a method and a conversion system for mutually converting a local address used in a specific network and a communication port number in the local address, and a global address and communication port number in the global address used in communication between a plurality of networks Further, the present invention can be realized in the form of an integrated circuit, a computer program, a recording medium on which the computer program is recorded, or the like for realizing the functions of those methods or apparatuses.

FIG. 1 is an explanatory diagram showing a network configuration in which an internetwork apparatus 100 according to an embodiment of the present invention is used. 2 is an explanatory diagram showing a configuration of an internetwork device 100. FIG. 4 is an explanatory diagram showing an arrangement of each component of the address / port converter 120 in a processor system. FIG. It is explanatory drawing which shows the structure definition in an Example. It is explanatory drawing which arranged the inner side address group for every set with the same high-order address. It is explanatory drawing which shows the inner side address group search table. It is explanatory drawing which shows the port search pointer 123. FIG. 6 is an explanatory diagram showing an address / port conversion table 124. FIG. It is explanatory drawing which shows the port mapping table 126. FIG. 4 is an explanatory diagram showing an example of address / port conversion by the internetwork apparatus 100. FIG. It is explanatory drawing which shows the reference system of each component in the case of transferring an Outbound packet. It is a flowchart which shows the procedure in the case of transferring an Outbound packet. It is explanatory drawing which shows the reference system of each component in the case of registering a session. It is a flowchart which shows the procedure in the case of registering a session. It is explanatory drawing which shows the reference system of each component in the case of transferring an inbound packet. It is a flowchart which shows the procedure in the case of transferring an inbound packet. It is a graph which compares the transfer performance of an outbound packet for every search method of an address port conversion table. It is a graph which compares the transfer performance of an inbound packet for every search method of an address port conversion table.

Next, embodiments of the present invention will be described in the following order based on examples.
A. Example:
A1. Configuration example of the entire network system:
A2. Configuration of internetwork apparatus 100:
A3. Arrangement of each component in the processor system:
A4. Configuration definition:
A5. Explanation of each component:
A6. Packet forwarding:
A6-1. Forwarding outbound packets:
A6-2. Session registration:
A6-3. Inbound packet forwarding:
A7. effect:
B. Variations:

A. Example:
A1. Configuration example of the entire network system:
FIG. 1 is an explanatory diagram showing a network configuration in which an internetwork apparatus 100 according to an embodiment of the present invention is used. As shown in the figure, the internetwork device 100 of this embodiment is connected to an Internet service provider that accommodates a large number of corporate routers and home routers.

  The conventional Internet service provider 165 accommodates an individual user 156 via a home router 155 having a NAT (Network Address Translation) function, and further accommodates an enterprise user 162 via an enterprise router 150 having a NAT function. is doing. The corporate user 162 constitutes the local network 160. The Internet service provider 165 has a global address and enters the Internet 180 via the carrier edge router 185.

  On the other hand, since the Internet service provider 166 does not have a global address, it is connected to the internetwork device 100 having a CGN (Career Grade NAT) function, and enters the Internet 180 via the carrier edge router 185. ing. The Internet service provider 166 accommodates the individual user 156 via the home router 155 having the NAT function and accommodates the company user 163 via the company router 150 having the NAT function. The same applies to the Internet service provider 167. That is, a user on the downstream side of the internetwork device 100 uses a local address as an IP address, and a site or server on the Internet, that is, a site or server having a global IP address is assigned a global address by the internetwork device 100. It is converted to an address for communication. In the Internet 180, an HTTP server 181 is provided at a position accessible from an individual user or a corporate user. The internetwork device 100 may be included in the carrier edge router 185. Further, the internetwork apparatus 100 may be provided for each Internet service provider.

A2. Configuration of internetwork apparatus 100:
FIG. 2 is an explanatory diagram showing the configuration of the internetwork device 100. The internetwork device 100 is a device that performs communication between the local address network 145 and the global address network 146 by performing address / port conversion. The internetwork apparatus 100 includes an inside unit 105 disposed on the local address network 145 side, an outside unit 110 disposed on the global address network 146 side, and an address / port conversion unit 120 that performs address / port conversion. ing.

  The inside unit 105 includes a packet input unit 101 that receives a packet (hereinafter also referred to as an outbound packet) transmitted from the local address network 145 side, and a packet (hereinafter referred to as an inbound packet) transmitted from the global address network 146 side. (Also referred to as a local address network 145 side) and a route control unit 103 that performs packet routing. The route control unit 103 has a function of routing an outbound packet to the address / port conversion unit 120 and a function of routing an inbound packet from the address / port conversion unit 120 to the packet output unit 102.

  The outside unit 110 includes a packet output unit 106 that outputs an outbound packet to the global address network 146 side, a packet input unit 107 that receives an inbound packet transmitted from the global address network 146, and path control that performs packet routing. Part 108. The route control unit 108 has a function of routing the outbound packet to the packet output unit 106 and a function of routing the inbound packet to the address / port conversion unit 120.

  The address / port conversion unit 120 includes an outbound packet transfer unit 121, an inner address group search table 122, a port search pointer 123, an address / port conversion table 124, a session management unit 125, a port mapping table 126, and an aging A management unit 127, an inbound packet transfer unit 128, an outer address group search table 129, and a device control unit 130 are provided. In this embodiment, the local address is also called an inner address, and the global address is also called an outer address.

  Here, a case where a packet is transmitted from the local address network 145 to the global address network 146 (outbound transfer) will be described. The outbound packet transfer unit 121 acquires a transmission source address and a transmission source port number from the outbound packet input from the inside unit 105. Then, the outbound packet transfer unit 121 supplies the acquired transmission source address to the inner address group search table 122 and also supplies the transmission source port number to the port search pointer 123. The inner address group search table 122 performs tree search to determine which inner address group the supplied source address belongs to. The inner address group is a set of inner addresses composed of a plurality of continuous inner addresses, which will be described in detail later. The port search pointer 123 stores pointer information for the address / port conversion table 124 at a position corresponding to the transmission source address and the transmission source port number. The outbound packet transfer unit 121 refers to the address / port conversion table 124 based on the pointer information stored in the port search pointer 123. Then, the outbound packet transfer unit 121 rewrites the transmission source address and the transmission source port number of the outbound packet according to the read address / port conversion information, and outputs the outbound packet to the outside unit 110.

  If the port search pointer 123 does not store pointer information for the address / port conversion table 124, the outbound packet transfer unit 121 requests the session management unit 125 to newly register pointer information. When the session management unit 125 receives a new registration request, the session management unit 125 refers to the position corresponding to the transmission source address in the port mapping table 126. The session management unit 125 registers pointer information in the port search pointer 123 and the address / port conversion table 124 if there is a free communication port assigned to the transmission source address. The aging management unit 127 monitors the usage status of a session and notifies the session management unit 125 of the usage status of the session. When there is an unused communication port, the session management unit 125 deletes the pointer information in the port search pointer 123 and the address / port conversion table 124. The device control unit 130 has a function of notifying a configuration definition described later to each component of the address / port conversion unit 120.

  Next, a case where a packet is transmitted from the global address network 146 to the local address network 145 (Inbound) will be described. The inbound packet transfer unit 128 acquires a destination address and a destination port number from the inbound packet input from the outside unit 110. Then, the inbound packet transfer unit 128 supplies the acquired destination address to the outer address group search table 129. The outer address group search table 129 determines which outer address group to which the supplied destination address belongs by performing a tree search. The outer address group will be described later. The inbound packet transfer unit 128 reads the address / port conversion information stored in the address / port conversion table 124 at the position corresponding to the destination address and the destination port number, and sets the destination address and the destination port number of the inbound packet. Rewrite and output the inbound packet to the inside unit 105.

A3. Arrangement of each component in the processor system:
The internetwork apparatus 100 includes a known processor, memory, and local and global I / Fs in hardware. Among these, in particular, the part that controls address conversion is extracted as a processor system 144 in FIG. FIG. 3 is an explanatory diagram showing the arrangement of each component of the address / port converter 120 in the processor system. The address / port conversion unit 120 can be realized by the processor system 144. The processor system 144 includes a CPU unit 135 and a main memory unit 140. The CPU unit 135 includes a processor core unit 136 and a 2nd cache unit 139. The processor core unit 136 includes an arithmetic processing unit 137, a high-speed SRAM 141, and a 1st cache unit 138.

  The main memory unit 140 stores programs for realizing the functions of the inbound packet transfer unit 121, the outbound packet transfer unit 128, the session management unit 125, and the aging management unit 127 in FIG. The function is realized by the CPU unit 135 executing a program stored in the main memory unit 140. The main memory unit 140 further stores a port search pointer 123, a port mapping table 126, and an address / port conversion table 124 in FIG. The high-speed SRAM 141 stores the inner address group search table 122 and the outer address group search table 129 shown in FIG. Therefore, the arithmetic processing unit 137 can access the inner address group search table 122 and the outer address group search table 129 at high speed. A part of the 1st cache unit 138 may be formed as a scratch pad, and the inner address group search table 122 and the outer address group search table 129 may be stored.

A4. Configuration definition:
FIG. 4 is an explanatory diagram illustrating a configuration definition in the embodiment. The configuration definitions in this embodiment can be classified into a local side configuration definition 200 and a global side configuration definition 230. The local side configuration definition 200 defines inner address groups 211 to 218 in which a plurality of continuous inner addresses are grouped for each network unit. The local configuration definition 200 defines a session limit number 220 per user allocated for each inner address and a spare session number 221 per user. In this embodiment, the session limit number 220 and the backup session number 221 are both 1024. The global side configuration definition 230 defines outer address groups 241 to 244 in which a plurality of continuous outer addresses are grouped for each network unit. In the global side configuration definition 230, a port range 250 is defined as an available port for each outside address. In this example, the port range 250 is from 1024 to 65535. From this port range 250, the port range can be obtained from the following equation (1).
Port range = End port number-Start port number + 1 (1)

  In this specification, as an address group expression format, the inner address group includes A, B, C.I. . . An identifier of H is assigned, and identifiers of α, β, γ, and δ are assigned to the outer address group. The address and band notation in the address group is V. X. Y. Indicated as Z / Prefix. Here, the address is indicated by V (first digit), X (second digit), Y (third digit), and Z (fourth digit) for each upper 8 bits. Prefix represents the size of an address group by a prefix value used in CIDR (Classless Inter-Domain Routing).

From the above configuration definition, the following sizes are determined.
Total number of sessions (maximum number of simultaneous connections) = total number of inner addresses x session limit per user Outer address / port space = total number of outer addresses x port range The outer address / port space satisfies the following conditions Is defined as
Outer address / port space ≥ total number of inner addresses x (number of sessions per user + number of spare sessions per user)

  FIG. 5 is an explanatory diagram in which the inner address group is arranged for each set having the same upper address. The inner address group is defined with an address range having a power of 2 having continuity as a unit. The horizontal direction in FIG. 5 indicates a set having the same upper address, and indicates that each inner address group can be aggregated as one address group having a larger address range.

A5. Explanation of each component:
FIG. 6 is an explanatory diagram showing the inner address group search table 122. The inner address group search table 122 is a table that is referred to when an outbound packet is transferred, and is a table that is defined by a configuration definition. This inner address group search table 122 is a table for specifying an inner address group to which an inner address (source address) included in an Outbound packet belongs by tree search. Specifically, for example, the inner address group search table 122 compares the comparison address with X, Y, Z in order from V (first digit) of the inner address included in the Outbound packet, and the inner address to which the inner address belongs. Identify the group. The comparison address is also the head address of the inner address group. The inner address group search table 122 stores pointer values for each inner address group. This pointer value is a value used when referring to a port search pointer 123, an address / port conversion table 124, and a port mapping table 126 described later. In this embodiment, the pointer value uses 256 (/ 24 prefix) inner addresses as a unit, and the pointer value increases by 1 for 256 inner addresses. As described above, the inner address group search table 122 can acquire the following results by performing a tree search.
・ Start address of address group to which inner address belongs (comparison address)
・ Size of address group to which inner address belongs (from Prefix)
-Position that can be placed in the entire address group to which the inner address belongs (from pointer value)
Note that, similarly to the inner address group search table 122, the outer address group search table 129 performs a tree search for the outer address, and specifies the outer address group to which the outer address belongs.

  FIG. 7 is an explanatory diagram showing the port search pointer 123. The port search pointer 123 is a pointer that is referred to when an outbound packet is transferred, that is, when a source address is a conversion target, and a port offset value to be described later is registered. That is, the port search pointer 123 is a pointer used to refer to a position corresponding to the transmission source address and the transmission source port number in the address / port conversion table 124. The arrangement of the address groups in the port search pointer 123 is the same as the arrangement of the address groups in the inner address group search table 122, and the addresses in the address group are arranged in sequence from the youngest number. In addition, pointers for communication port numbers that may be input (65536 in this embodiment) are stored for one inner address.

  FIG. 8 is an explanatory diagram showing the address / port conversion table 124. The address / port conversion table 124 is a table that is referred to when an outbound packet is transferred (inner address is a comparison target) and an inbound packet is transferred (an outer address is a comparison target), and is an inner address that is address / port conversion information. / Inner port number and outer address / outer port number are stored. The arrangement of the inner address group in the address / port conversion table 124 is the same as that of the inner address group search table 122 and the port search pointer 123, and the addresses in the inner address group are arranged in order from the youngest address. Similarly, the arrangement of the outer address group in the address / port conversion table 124 is the same as that of the outer address group search table 129, and the addresses in the outer address group are arranged in order from the youngest address. That is, the entire configuration of the address / port conversion table 124 is the same as the arrangement of the inner address group search table 122 and the port search pointer 123 when viewed from the local side, and when viewed from the global side, the outer address group search table 129 Same as the list.

  Here, although there are 65536 types of communication port numbers that may be input together with the inner address, the number of communication ports that can be registered in the outer address is limited by the number of sessions per user (in the embodiment, 1024). Therefore, the port number of the inner address is dynamically assigned every time a new packet arrives without being determined by the configuration definition. The port number of the outer address is defined by the port range, the session limit number per user, and the number of spare sessions per user, and the port numbers in the outer address are continuous. In FIG. 8, the reason why the outside port jumps from 2047 to 3072 is that the port number is freed by the number corresponding to the number of backup sessions. This is the same allocation for all boundaries where the inner address increments by one.

  FIG. 9 is an explanatory diagram showing the port mapping table 126. The port mapping table 126 is a table that is referred to when a port offset value is not registered in the port search pointer 123 when an outbound packet is transferred. The arrangement of the inner address group in the port mapping table 126 is the same as that of the inner address group search table 122, and the addresses in the inner address group are arranged in order from the youngest address. The port mapping table 126 includes a table that indicates the free state of the port of the outer address that forms a pair with the inner address. In this table, communication ports that can be used with the address are represented by a bitmap. Each time the port assignment is updated, the port mapping table 126 updates the bitmap state while leaving the leading value of the free port.

  When the session limit number per user (determined by the configuration definition) is changed, the size of the usable communication port bitmap per address (user) can be changed. In addition, since the port availability is managed by a bitmap, it is possible to flexibly cope with protocols that need to be assigned with even numbers, odd numbers, and serial numbers, such as RTP and RTCP.

A6. Packet forwarding:
FIG. 10 is an explanatory diagram showing an example of address / port conversion by the internetwork apparatus 100. Hereinafter, as an example, a case will be described in which packet transfer is performed between the local user 151 (10.1.5.195: 15536) and the global server 152 (3x.128.32.8: 80). In FIG. 10 and subsequent figures, (10.1.5.195:15536) indicates (address: port number). Also, addresses starting with 5x and 3x, such as (5x.7.0.29: 7188) and (3x.128.32.8: 80), mean outside addresses. Then, as in (10.1.5.195:15536), an address starting with 10 means an inner address. Note that the “x” written in the outer address is only used to avoid writing a specific global address.

  When the user 151 connected to the local address network 212 transmits a packet to the server 152 connected to the global address network 146 (outbound communication), the internetwork device 100 transmits the source address included in the packet. And the source port number is rewritten to the outer address and the outer port number. That is, the internetwork apparatus 100 rewrites (10.1.5.195:15536) included in the packet to (5x.7.0.29: 7188).

  On the other hand, when the server 152 transmits a packet to the user 151 (inbound communication), the internetwork apparatus 100 rewrites the destination address and the destination port number included in the packet with the inner address and the inner port number. That is, the internetwork apparatus 100 rewrites (5x.7.0.29: 7188) included in the packet to (10.1.5.195:15536). As described above, by performing address conversion by the internetwork apparatus 100, the user 151 connected to the local address network 212 and the server 152 connected to the global address network 146 can communicate with each other.

A6-1. Forwarding outbound packets:
FIG. 11 is an explanatory diagram showing a reference method of each component when forwarding an outbound packet. FIG. 12 is a flowchart showing a procedure in the case of transferring an outbound packet. Prior to packet transfer, the internetwork apparatus 100 recognizes the following.
Unit of pointer in the inner address group search table 122 (256 in the embodiment)
Unit of pointer in outer address group search table 129 (128 in the embodiment)
-Number of inner addresses accommodated per outer address (31 in the embodiment)
Here, accommodation number (integer) = port range / (number of sessions per user + number of spare sessions per user)

In step S <b> 10, the packet input unit 101 receives an outbound packet from the local address network 145. In step S20, the outbound packet transfer unit 121 acquires the transmission source address from the received packet, searches the inner address group to which the transmission source address belongs using the inner address group search table 122, and points to the inner address group. Get the value and start address. In the present embodiment, it is as follows.
Source address: 10.1.5.195
Inner address group: B
Pointer value of inner address group B: 1
Start address of inner address group B: 10.1.5.0

In step S30, the outbound packet transfer unit 121 calculates an inner address offset that is a difference between the source address included in the received packet and the top address of the inner address group. In the present embodiment, it is as follows.
Inner address offset: 195 (= 195-0)

In step S40, the outbound packet transfer unit 121 calculates the start position K1 of the inner address group in the port search pointer 123 based on the following equation (2).
K1 = pointer value of inner address group × pointer unit × number of source ports (2)
In the present embodiment, it is as follows.
Pointer value of inner address group B: 1
Pointer unit: 256 (Prefix: / 24)
Number of source ports: 65536
Top position of the inner address group in the port search pointer 123: 16777216 (= 1 * 256 * 65536)

Further, the outbound packet transfer unit 121 calculates the leading position L1 of the inner address group in the address / port conversion table 124 based on the following equation (3).
L1 = pointer value of inner address group × pointer unit × number of session limit per user (3)
In the present embodiment, it is as follows.
Pointer value of inner address group B: 1
Pointer unit: 256 (Prefix: / 24)
Session limit per user: 1024
Start position of inner address group in address / port conversion table 124:
262144 (= 1 * 256 * 1024)

Further, the outbound packet transfer unit 121 calculates the leading position J1 of the inner address group in the port mapping table 126 based on the following equation (4).
J1 = pointer value of inner address group × pointer unit (4)
In the present embodiment, it is as follows.
Pointer value of inner address group B: 1
Pointer unit: 256 (Prefix: / 24)
Start position of inner address group in port mapping table 126: 256 (= 1 * 256)

In step S50, the outbound packet transfer unit 121 refers to a location specified by the following expression (5) in the port search pointer 123.
Port search pointer reference position = K1 + K2 + K3 (5)
Where K2 = inner address offset x number of source ports
K3 = source port number In the present embodiment, it is as follows.
Top position of the inner address group in the port search pointer 123: 16777216 (= 1 * 256 * 65536)
Inside address offset: 195
Number of source ports: 65536
Source port number: 15536
Port search pointer reference position: 29572272 (= 16777216 + 195 * 65536 + 15536)

  In step S <b> 60, the outbound packet transfer unit 121 determines whether a port offset value is registered at the reference position of the port search pointer 123. Here, the port offset value is a value used when referring to the address / port conversion table 124. If the port offset value is not registered in step S60, the port offset value is registered in step S62. The registration of the port offset value will be described later.

If the port offset value is registered in step S60, in step S70, the outbound packet transfer unit 121 refers to the location specified by the following expression (6) in the address / port conversion table 124. The outer address / outer port number stored in the reference location is acquired.
Reference location of address / port conversion table 124 = L1 + L2 + L3 (6)
However, L2 = inner address offset × number of sessions per user
L3 = Port offset value In the present embodiment, it is as follows.
Start position of inner address group in address / port conversion table 124:
262144 (= 1 * 256 * 1024)
Inside address offset: 195
Session limit per user: 1024
Port offset value: 20
Reference location of address / port conversion table 124: 461844 (= 262144 + 195 * 1024 + 20)

  In step S80, the outbound packet transfer unit 121 replaces the transmission source address / transmission source port number included in the outbound packet with the acquired outer address / outer port number. In step S <b> 90, the packet output unit 106 transmits an outbound packet to the global address network 146. As shown in FIG. 12, the number of accesses to the main memory unit 140 necessary for outbound transfer is two times, step S50 and step S70.

A6-2. Session registration:
FIG. 13 is an explanatory diagram showing a reference method of each component when registering a session. FIG. 14 is a flowchart showing a procedure for registering a session. In step S64, the outbound packet transfer unit 121 refers to a location specified by the following expression (7) in the port mapping table 126, and refers to an empty port management table (bitmap table) at the specified location. Thus, free port information (port offset) at the inner address is acquired.
Reference position of port mapping table 126 = J1 + J2 (7)
However, J2 = inner address offset In the present embodiment, it is as follows.
Top position of inner address group in port mapping table 126: 256
Inside address offset: 195
Reference position of port mapping table 126: 451

  In step S66, the outbound packet transfer unit 121 sets the source port number included in the packet to the inner port number (unregistered) at the location specified based on the above-described equation (6) in the address / port conversion table 124. In addition to writing, the outside address and outside port number stored in the location are acquired.

  In step S <b> 68, the outbound packet transfer unit 121 registers the acquired port offset value at the location specified based on the above-described equation (5) in the port search pointer 123. As shown in FIG. 14, the number of accesses to the main memory unit 140 required for session registration is three times, and when the number of accesses to the main memory unit 140 required for outbound transfer shown in FIG. 5 times.

A6-3. Inbound packet forwarding:
FIG. 15 is an explanatory diagram showing a reference method of each component when transferring an inbound packet. FIG. 16 is a flowchart showing a procedure when transferring an inbound packet.
In step S <b> 110, the packet input unit 107 receives an inbound packet from the global address network 146.
In step S120, the inbound packet transfer unit 129 acquires the destination address from the received packet, searches the outer address group to which the destination address belongs using the outer address group search table 129, and sets the pointer value of the outer address group and Get the start address. In the present embodiment, it is as follows.
Destination address: 5x.7.0.29
Outer address group: β
Pointer value of outer address group β: 1
Start address of outer address group β: 5x.7.0.0

In step S130, the inbound packet transfer unit 128 calculates an outer address offset that is a difference between the destination address included in the received packet and the head address of the outer address group. In the present embodiment, it is as follows.
Outside address offset: 29 (= 29-0)

In step S140, the inbound packet transfer unit 128 calculates the leading position M1 of the outer address group in the address / port conversion table 124 based on the following equation (8).
M1 = pointer value of outer address group × pointer unit × accommodated number of inner address × session limit number per user (8)
In the present embodiment, it is as follows.
Pointer value of outer address group β: 1
Pointer unit: 128 (Prefix: / 25)
Inner address capacity: 31
Session limit per user: 1024
The leading position of the outer address group in the address / port conversion table 124:
4063232 (= 1 * 128 * 31 * 1024)

In step S150, the inbound packet transfer unit 128 calculates the position of the outer address corresponding to the destination address in the address / port conversion table 124 based on the following equation (9).
Position of outer address in address / port conversion table 124 = M1 + M2 (9)
However, M2 = outer address offset × accommodated number of inner addresses × session limit number per user In this embodiment, the following is performed.
The leading position of the outer address group in the address / port conversion table 124:
4063232 (= 1 * 128 * 31 * 1024)
Outside address offset: 29 (= 29-0)
Inner address capacity: 31
Session limit per user: 1024
Location of outer address in address / port conversion table 124:
4983808 (= 4063232 + 29 * 31 * 1024)

In step S160, the inbound packet transfer unit 128 refers to the location specified by the following expression (10) in the address / port conversion table 124, and acquires the inner address / inner port number stored in the reference location. To do.
Reference position of address / port conversion table 124 = M1 + M2 + M3 (10)
However,
M3 = session limit number per user × quotient + remainder quotient = INT {(destination port number−start port number) ÷ (number of sessions limit per user + 1 number of spare sessions per user)}
Remainder = MOD {(destination port number−start port number) ÷ (number of sessions per user + 1 number of spare sessions per user)}
In the present embodiment, it is as follows.
Destination port number: 7188
Start port number: 1024
Session limit per user: 1024
Number of backup sessions per user: 1024
Quotient: 3 (INT {(7188-1024) / (1024 + 1024)})
Extra: 20 (MOD {(7188-1024) / (1024 + 1024)})
Location of outer address in address / port conversion table 124: 4983808
Reference position of address / port conversion table 124: 4986900 (= 4983808 + 1024 * 3 + 20)

  In step S170, the inbound packet transfer unit 128 replaces the destination address / destination port number included in the received packet with the inner address / inner port number stored at the reference position of the address / port conversion table 124. In step S180, the packet output unit 102 transmits an inbound packet to the local address network 145. As shown in FIG. 16, the number of accesses to the main memory unit 140 necessary for inbound transfer is one in step S160.

A7. effect:
FIG. 17 is a graph comparing outbound packet transfer performance for each search method of the address / port conversion table. The horizontal axis in FIG. 17 is the number of active sessions, and the vertical axis is the ratio to the required performance. In FIG. 17, the transfer performance of 5M packets / second is the required performance (100%). FIG. 17 shows the transfer performance when the address / port conversion table reference method in this embodiment is executed, the transfer performance when the linear search is executed, and the transfer performance when the hash search is executed. ing.

1) Linear search Linear search is a method used in home routers that handle a small number of users. First, the registration position of translation information in the address / port translation table is determined in the order of arrival of new packets. Therefore, the assignment of address / port pairs is generally random. Next, the search of the address conversion table at the time of packet transfer is performed by comparing addresses in the old number direction in order from the top of the table. The matched address / port pair is used as the address / port information of the transfer packet. The number of accesses to the address conversion table in one packet transfer in linear search can be obtained by the following calculation formula.
Average number of accesses (Navg1)
Navg1 = (E + 1) / 2
E: Number of registered address / port pairs

2) Hash search (chain method)
Hash search is a method used in enterprise routers that handle a medium number of users. First, the address / port information extracted from the packet is registered in the address / port conversion table. The registration position is a hash value calculated using the address / port information as a key. Therefore, the assignment of address pairs is generally random. In the hash search, since the registration position of the address / port conversion table is determined by the hash value, an address / port conversion table is prepared for each transfer direction (Outbound and Inbound). When the address / port conversion table is shared regardless of the transfer direction, a pointer for replacing the hash value with the corresponding position in the address / port conversion table is provided. In hash search, hashed values may be the same even with different keys, and this is called hash value collision. A chain method is used to handle this collision.

  The chain method is a method in which linked lists are connected when hash values are the same. In the IPv4 NAT, there are 256 tera combinations of address (4 gigabytes) and ports (64 km), so the probability of collision changes depending on how the addresses and ports are biased. Next, the search of the address / port conversion table at the time of packet transfer uses a hash value calculated using the address / port as a key. Since hash value collisions may occur, address matching in the linked list is confirmed, and the matched address pair is used as the address of the transfer packet. The number of accesses to the address translation table in one packet transfer by hash search (chain method) can be obtained by the following calculation formula.

Average number of accesses (Navg2) when address translation tables are used for outbound and inbound
Navg2 = 1 + E / B
E: Number of registered address pairs B: Size of address conversion table: B
Average number of accesses when the address translation table is shared between Outbound and Inbound (Navg3)
Navg3 = 2 + E / B

  When the address / port conversion table is searched by the linear search described above, the ratio to the required performance falls below 100% when the number of active sessions is 1000. When the address / port conversion table is searched by hash search, the ratio to the required performance falls below 100% when the number of active sessions is 10 mega. On the other hand, according to the address / port conversion table reference method according to the present embodiment, the number of accesses to the main memory unit 140 is fixed even when the number of active sessions exceeds 10 megabytes. The ratio is over 100%. Therefore, the internetwork device 100 according to the present embodiment can sufficiently satisfy the demand as an internetwork device (CGN).

  FIG. 18 is a graph comparing inbound packet transfer performance for each search method of the address / port conversion table. The horizontal and vertical axes in FIG. 18 are the same as those in FIG. However, in FIG. 18, the transfer performance of 10 M packets / second is the required performance (100%). This is because inbound transfer, which is a response from the server, requires higher performance. According to FIG. 18, in the linear search and the hash search, when the number of active sessions increases, the ratio to the required performance falls below 100% as in FIG. 17, but the internetwork apparatus 100 according to this embodiment. It can be understood that the ratio to the required performance always exceeds 100%.

  As described above, according to the internetwork device 100 according to the present embodiment, the inner address and the outer address are arranged for each address group, and the inner address and the outer address are arranged in consecutive numbers in the address group. Thus, the reference position in the address / port conversion table 124 can be obtained. Specifically, the reference position in the address / port conversion table 124 can be obtained based on the start position of the address group, the address offset, the port number, and the port offset value. Therefore, according to the internetwork apparatus 100 according to the present embodiment, the number of accesses to the main memory unit 140 storing the address / port conversion table 124 can be fixed, and even if the number of sessions increases, a certain level of transfer performance is achieved. Can be secured. In addition, since a general-purpose, inexpensive, low-speed / large-capacity memory can be adopted for the main memory unit 140, the cost can be reduced.

B. Variations:
The present invention is not limited to the above-described examples and embodiments, and can be implemented in various modes without departing from the gist thereof. For example, the following modifications are possible.

B1. Modification 1:
In the above embodiment, the inner address group search table 122 performs a tree search every 8 bits, but may perform a tree search every 1 bit.

B2. Modification 2:
In the above embodiment, a part of the functions realized by software may be realized by hardware, or a part of the functions realized by hardware may be realized by software.

DESCRIPTION OF SYMBOLS 100 ... Internetwork apparatus 101 ... Packet input part 102 ... Packet output part 103 ... Path control part 105 ... Inside part 106 ... Packet output part 107 ... Packet input part 108 ... Path control part 110 ... Outside part 122 ... Inside address group search Table 123 ... Port search pointer 124 ... Port conversion table 125 ... Session management unit 126 ... Port mapping table 127 ... Aging management unit 129 ... Outside address group search table 130 ... Device control unit 135 ... CPU unit 136 ... Processor core unit 137 ... Calculation Processing unit 138... 1st cache unit 140... Main memory unit 141.
144 ... Processor system 145 ... Local address network 146 ... Global address network 150 ... Corporate router 151 ... User 152 ... Server 155 ... Home router 156 ... Individual user 159 ... Local network 162 ... Corporate user 163 ... Corporate user 165 ... Internet service provider 166 ... Internet service provider 167 ... Internet service provider 180 ... Internet 185 ... Carrier edge router 200 ... Local side configuration definition 211 ... Inside address group 230 ... Global side configuration definition 241 ... Outside address group 250 ... Port range

Claims (3)

A local address used in a specific network and a communication port number in a local address used together with each local address, a global address used in communication between a plurality of networks, and a communication port number in a global address used together with each global address. An internetwork device for mutual conversion,
A conversion notation that stores an address / port conversion table that associates a local address pair in which a pair of local address and communication port number in the local address is arranged with a global address pair in which a pair of global address and communication port number in the global address is arranged. And
Based on the address / port conversion table, an address conversion process for mutually converting a local address and a communication port number within a local address and a global address and a communication port number within a global address in a packet transmitted and received by communication between a plurality of networks. And
With
In the address / port conversion table, the conversion notation part stores the local address and the global address side by side for each address group.
In the address group, the local address and the global address are each arranged in a linear manner in a memory space. The internetwork device of claim 1, further comprising:
An extraction unit that extracts an address to be converted and a communication port number in the address from the packet used for the communication;
An address group search unit for searching for an address group to which the extracted address belongs;
A difference calculating unit that calculates a difference between the extracted address and the start address of the address group;
Based on the start address of the address group to which the extracted address belongs, the difference, and the extracted communication port number, the position in the address / port conversion table and the address and the address to be converted A pointer that identifies the position corresponding to the communication port number;
An internetwork device comprising: A local address used in a specific network and a communication port number in a local address used together with each local address, a global address used in communication between a plurality of networks, and a communication port number in a global address used together with each global address. A method of mutual conversion,
Based on an address / port conversion table that associates a local address pair in which a pair of local address and communication port number in the local address is arranged with a global address pair in which a pair of global address and communication port number in the global address is arranged. A step of mutually converting a local address in a packet transmitted and received in communication between networks and a communication port number in the local address and a global address and a communication port number in the global address;
In the address / port conversion table, the local address and the global address are arranged for each address group,
In the address group, the local address and the global address are each arranged linearly in a memory space.

Images