JPH11298527A - Network address translation method and apparatus, and server - Google Patents

Abstract

(57) [Summary] [Problem] To use a server, it is possible to freely assign a server address in each closed network, and to perform a common service customized for each closed network without losing the closedness of each closed network. To provide a network address translation method and apparatus, and a server capable of performing the same. SOLUTION: A host 1 (H5) requests a connection to a server 26 using a local address assigned to the server 26 in advance. The root side NAT 30 is a host (H
The network belonging to 5) is authenticated by a network identifier assigned to each network. Next, according to the authenticated affiliated network, the local address previously assigned to the host (H5) is converted into a predetermined global address, and the local address assigned to the server 26 is converted to the server 26. Is converted to a wide-area address assigned in advance.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a network address translation method and apparatus, and a server, and more particularly, to a plurality of user terminals connected to a global computer network represented by the Internet and belonging to different closed networks. While maintaining the closedness of the closed network,
A service called a server push type, such as real-time delivery of mail to the user terminal of the closed network,
The present invention relates to a network address translation method and apparatus for providing customized services to individual users, and a server.

[0002]

2. Description of the Related Art In recent years, computer networks such as the Internet have been developed.
Various data such as images and sounds as well as character information are exchanged. In this computer network, a uniquely determined address (for example, an IP address) is assigned to each computer, and the computer is indirectly specified by specifying this address.

[0003] In the case of the above IP address, a 32-bit address is currently used, but with the rapid increase of computers in recent years, there is a shortage of addresses that can be assigned to each computer. In such a situation, a computer connected to a local network (hereinafter referred to as a closed network) provided inside a company, separately from an address (global address) used on the Internet, cannot be identified only inside the company. Assignable addresses (local addresses) are assigned.

In order for a user terminal connected to a closed network to access a server having a global address such as the Internet, the user terminal itself needs to have a global address. However, at present, it is difficult to assign a global address to all user terminals due to a shortage of addresses as described above. Therefore, a local address is assigned to a user terminal in a corporate network or the like, communication with a terminal in the corporate network is performed using the local address, and a host connected to a global network such as the Internet, for example, WWW
When using a (World Wide Web) server or the like, a NAT (Network Address Translator) as shown in FIG.
Communication is carried out via a router having an address translation function called "address translation function".

[0005] FIG. 7 is an explanatory diagram showing how communication is performed via a router having an address translation function called NAT. As shown in FIG. 7, the Internet N1 and the closed network N2 are connected by a NAT 10, and the Internet N1 and the closed network N3 are connected by a NAT 12. Further, the hosts H1 and H2 in FIG. 7 are terminals and the like provided in the closed network N2, and the host H3 is a terminal and the like provided in the closed network N3. In addition, the closed networks N2 and N3 separately assign local addresses to internal terminals.

In this NAT, a connection between hosts is recognized by a set of a network address and a port number of both hosts during communication. By converting the local address of the terminal to the global address assigned to the router or the global address assigned to the router to the local address of the terminal, the terminal having the local address can communicate with the host having the global address. Has been realized.

[0007]

However, in the configuration using the NAT shown in FIG. 7, (1) since the connection between the host and the server is dynamically recognized, the local address is provided from the server having the global address. Push-type services such as distributing information to terminals that are statically assigned are not possible. (2) Since the server cannot perform authentication for each closed network, it is customized for each affiliated terminal. It is difficult to provide services and information. (3) Since the NAT portion is connected to a global address query, there are various problems such as the possibility of unauthorized access.

[0008] Further, as shown in FIG. 8, a device has been devised in which a terminal can be made to appear as if it is connected to a server belonging to its own closed network by tunneling a PPP connection to a server side. . FIG. 8 is an explanatory diagram showing a state in which communication is performed by tunneling the PPP connection to the server side.

In FIG. 8, reference numerals 20 and 22 denote access servers, which connect the Internet N5 and the closed network N6, and connect the Internet N5 and the closed network N7, respectively. Also,
Reference numeral 24 denotes an access server connected to the network to which the server 26 is connected. Further, the host H5 in FIG.
H6 is a terminal or the like provided in the closed network N6, and the host H7 is a terminal or the like provided in the closed network N7.

[0010] In this device, by tunneling the PPP connection to the server side, the terminal can appear as if it is connected to a server belonging to its own closed network. This makes it possible to maintain the closed area and to use the local address assigned in the closed area network as it is.

However, when tunneling is performed as shown in FIG. 8, (1) since a local address is freely assigned to a terminal in a closed network, terminals belonging to a plurality of different closed networks assign the same address. Therefore, there is a problem that the connection cannot be correctly recognized because there are a plurality of terminals having the same address. (2) The address indicating the server needs to be common to each closed network, and the existing equipment (3) Even if addresses are dynamically allocated from the server side when a connection is established, it is not only possible to determine which closed network the terminal belongs to, but also because the terminals are dynamically allocated. It is also impossible to distribute information or provide customized services from the server side. (4) Unauthorized access across a closed network via the server side network There are various problems such as the possibility of occurrence.

The present invention has been made in view of the above circumstances, and it is possible to freely assign a server address in each closed network when using a server.
An object of the present invention is to provide a network address translation method and apparatus and a server that can provide a common service customized for each closed network without losing the closedness of each closed network.

[0013]

In order to solve the above-mentioned problems, the present invention provides a step of authenticating a network to which a terminal requesting connection belongs by a network identifier or the like, and Converting the address pre-assigned to the terminal to a predetermined address of the network to which the server belongs; and converting the address pre-assigned to the server to a predetermined address of the network to which the terminal belongs. And
A source address and a destination address of data exchanged between the terminal and the server are converted. Further, the present invention provides a step of authenticating a network to which a terminal requesting a connection to the server belongs by using a network identifier assigned to each network, using a local address previously assigned to the server, Converting a local address pre-assigned to the terminal to a predetermined global address according to a network; and converting the local address allocated to the server to a global address pre-allocated to the server. And converting the data to a unique address, wherein the data sent from the terminal is received by the server using the converted global address. The present invention also provides a step of translating the converted global address of the terminal into a local address pre-assigned to the terminal, and the step of: Converting the data to a local address assigned to a server, wherein the data sent from the server is received by the terminal using the converted local address. Further, the present invention provides an authentication device for authenticating a network to which a terminal that requests connection to the server using a local address assigned to a server in advance using a network identifier assigned to each network, and In accordance with the network to which the terminal belongs, the local address pre-assigned to the terminal is converted into a predetermined global address, and the local address assigned to the server is converted into the global address pre-assigned to the server. And an address translator for translating the data into a unique address, wherein the data transmitted from the terminal is received by the server using the translated global address. Also, the present invention provides the address translator, which translates the translated global address of the terminal into a local address pre-allocated to the terminal and a global address pre-allocated to the server. An address is converted to a local address assigned to the server in advance, and data transmitted from the server is received by the terminal using the converted local address. I do. Further, the present invention provides the authentication device and the address translation device,
A service providing apparatus for providing various services to the closed network, wherein a common service is provided to a plurality of different closed networks using addresses converted by the authentication apparatus and the address conversion apparatus. And Further, the invention is characterized by further comprising a connection device for connecting to the terminal.

That is, according to the present invention, the server providing the common service performs authentication using an identifier indicating to which network the terminal of the connected user belongs. Based on the result of the authentication, an address prepared in advance by the server for the network for the terminal to be connected and an address of the server in the server-side network are respectively transmitted from the terminal to the server or from the server to the terminal. A device equipped with a new NAT function called a Root-Side NAT for translating both the source address and the destination address is provided on the server side, and the access server or terminal of each closed network is connected to the device itself. Is connected by the tunneling technology by PPP,
Solving the above-mentioned problems relating to the use of local addresses.

FIG. 1 is a diagram for explaining the overall configuration of a network to which the method, apparatus and server of the present invention are applied. The feature of the present invention is that the access server 2 shown in FIG.
Device 30 having root-side NAT function in place of 4
Is provided. FIG. 2 is a chart showing an example of addresses assigned in each closed network and the network on the server side. In the configuration as shown in FIG. 1, as shown in FIG. 2, "address 1" is assigned to the host 1 (H5) connected to the server in the closed network A (N6).
It is assumed that “address 2” is assigned to the host 2 (H6) and “address 10” is assigned to the server 10 to be used.

The server 26 is one of the hosts on the server-side network.
6 is “address A” in the network on the server side.
Is given. Further, in the server-side network, an address group is prepared for a terminal connected from the closed network A (N6).
It is assumed that “address b” is assigned to the host 2 (H6) in 5). Further, a PPP connection is established between the terminal and the device 30 having a route side NAT function by a tunneling technique.

In the above configuration, the root side NAT
The device 30 having the function of (1) separates a packet transmitted / received between each host and the server 26 in the network on the server 26 side so that communication between hosts belonging to another closed network cannot be performed. Address conversion under the management of The device 30 having the function of the root side NAT prepares an address in advance for each closed network on the server side, and performs not only the conventional authentication for the host as to whether the terminal requesting the connection is correct, but also the connection. Authentication is performed using a network identifier indicating to which closed network the terminal performing the operation belongs.

This network identifier can uniquely determine the network to which the terminal belongs. This may indicate a specific network, or may indicate a region such as an area code of a telephone number. The device 30 assigns an address assigned to the terminal from a group of addresses prepared in advance for the terminal in the closed network based on the result of the authentication. Host 1
When (H5) requests connection to the server 26, the device 30 converts “address 1” into “address a”.

Further, the address of the designated server 26,
That is, in the example of FIG. 2, “address 10” is converted to the address “address A” of the server 26 in the server-side network. As described above, the device 30 having the function of the root side NAT performs the conversion of both the source address and the destination address of the packet under the management of the server.

Next, address conversion in the device 30 having the function of the root side NAT will be described. FIG.
FIG. 3 is a diagram for explaining how address conversion is performed by a device 30 having a root side NAT function. In FIG. 3, NetA is an address group of the network where the server 26 is located in the address space of the server side network, and NetB is prepared in a terminal belonging to the closed network for each closed network in the address space of the server side network. Address group.

In the present specification, compaction (compaction) is performed by associating the address of each terminal in each closed network with an address prepared in advance for each closed network, and the address of the server 26 allocated in each closed network is determined by the server. Conversion to the address of the server 26 in the network on the side is referred to as merge conversion.
In the reverse compaction conversion, which closed network is identified from the address allocated to the terminal, and converted into the address of the terminal in the closed network. In the reverse merge conversion, a server address is converted into a server address in a closed network based on information on a terminal belonging to which closed network obtained from the inverse compaction conversion.

At this time, the source address and the destination address of the packet from each terminal to the server 26 and the packet from the server 26 to each terminal are converted as shown in FIG. FIGS. 4A and 4B are diagrams showing how a source address and a destination address of a packet are converted. FIG. 4A shows a case where an address of a packet transmitted from a terminal to the server 26 is converted, and FIG. This is a case where address conversion of a packet transmitted from 26 to a terminal is performed.

The symbol "S" in the figure indicates a source address,
“D” indicates a destination address. First, as shown in FIG. 4A, the source address S of the packet transmitted from the terminal to the server 26 is compacted by the device 30 having the function of the root side NAT, and the destination address D is changed to the destination address D. Merge conversion is performed. Further, as shown in FIG. 4B, the packet transmitted from the server 26 to the terminal
The source address S is subjected to reverse merge conversion and the destination address D is subjected to reverse compaction conversion by the device 30 having the AT function.

The above conversion is performed as shown in FIG. By prohibiting the connection between the address groups given for each closed network on the server side, the closedness of the closed network can be ensured. Further, it is possible to customize the service provided by the address group assigned to each closed network for each closed network. Finally, the characteristics of the device 30 having the function of the conventional art and the root side NAT are summarized in Table 1 below.

[Table 1] As shown in Table 1, when the conventional NAT shown in FIG. 7 is used and when the PPP tunneling shown in FIG. 8 is used, server push type information distribution and provision of customized service are provided. In order to prevent the occurrence of unauthorized access paths, execution has been impossible or functions have been limited. However, in the present invention, these can be performed without any problem.

[0025]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a network address translation method and apparatus and a server according to an embodiment of the present invention will be described in detail with reference to the drawings. FIG. 5 is a diagram for explaining the overall configuration of a network to which a network address conversion method and apparatus and a server according to an embodiment of the present invention are applied. FIG. 6 is a diagram showing a relationship between a closed network and addresses assigned on the server side and the network.

In FIG. 5, reference numeral N50 denotes the Internet, which is a closed network A (N10), a closed network B (N12), and an ISDN network (N1) via access servers 60, 62 and 64.
4) are respectively connected. A server-side network N20 is connected to the Internet N30 via a root-side NAT 70.
The closed network A (N10) and the closed network B (N12) are, for example, LANs (local networks) provided inside a company. The ISDN (N14) is used for a public line or the like. Further, various servers are provided in the server-side network N20. FIG. 5 shows a case where the Web server 72 is connected as an example.

Now, as shown in FIGS. 4 and 5, a closed network A (N) for tunneling a PPP line to the Web server 72.
In 10), the address “10.0.1.13” is assigned to the terminal 50 provided internally, and the
It is assumed that the address “10.0.2.1” is assigned to the server 72. Actually, the Web server 72 is provided inside the network N20 on the server side. The Web server 72 is assigned an address “192.10.10.1” in the network N20 on the server side, and a plurality of different closed networks (N10 to N10). The service is provided to the terminals 50 to 54 belonging to N14).

In the network N20 on the server side, the closed network A (N10) has an address group "192.10.1.0".
/255.255.255.0 ”, and this address group and closed network A
The address group of the terminal used in (N10) "10.
0.1.0 / 255.255.255.0 ". Similarly, in the network N20 on the server side, the closed network B (N1
In 2), an address group “192.10.2.0/255.255.255.0” is prepared, and this is associated with a terminal address group “10.0.2.0/255.255.255.0” used in the closed network B (N12).

The above address correspondence is performed in the root side NAT 70. The root side NAT 70 has a storage device (not shown) that stores the correspondence between these addresses. In addition, route side NAT70,
An address translation device that translates a source address and a destination address of a packet transmitted from the terminal to the Web server 72 and a packet transmitted from the Web server 72 to the terminal based on the correspondence between the addresses stored in the storage device. (Not shown).

In this address translator, compaction conversion is performed by associating the addresses of the terminals in each closed network with addresses prepared in advance for each closed network, and the address of the server 72 allocated in each closed network is stored on the server side. Merge conversion for converting the address of the server 72 in the network is performed. In addition, it also performs inverse transformation of compaction transformation, that is, inverse compaction transformation, and inverse transformation of merge transformation, that is, inverse merge transformation.

In the above configuration, the root side NAT 7
Reference numeral 0 denotes an authentication device that authenticates, when a connection from the terminal to the Web server 26 is established, to which closed network the terminal that has established the connection belongs using a network identifier indicating the closed network. In this case, if the terminal that has established the connection is the terminal 1 (50), it has an identifier that can uniquely determine that it belongs to the closed network A. Further, if the area code of the caller ID of the terminal that attempted connection is one network identifier, all user terminal groups connected from a certain area can be treated as one closed network.

When a packet is transmitted from the terminal 1 (50) to the Web server 72 after the connection is established, the root side NAT 70 changes the source address of the transmitted packet from "10.0.1.13" to "192.10". .1.13 '' and the destination address from `` 10.0.2.1 '' to `` 192.1
0.10.1 ”. Conversely, terminal 1 from Web server 72
When a packet is transmitted to (50), the root side N
The AT 70 identifies that the transmission destination is the terminal 50 of the closed network A (N10), and converts the destination address of the packet from “192.10.1.13” to “10.0.1.13”. Also, the source address is converted from “192.10.10.1” to “10.0.2.1” from the information that the terminal 50 belongs to the closed network A (N10). Thus, the packet can be distributed to an appropriate PPP line.

Similarly, for the terminal 3 (52) provided in the closed network B (N12) and the terminal 2 (54) provided in the ISDN (N14), the route side NAT 70 is also provided.
Stores the correspondence of the addresses shown in FIG. 6, and performs address conversion based on this. Terminal 3 (5
In the case of 2), the closed network B
(N12), the address of the terminal 52 is allocated from the address group "192.10.2.0/255.255.255.0" prepared for the closed network B (N12), and the closed network B (N12)
Is changed to the address "192.10.10.1" in the server-side network N20, the address "10.0.15.1" allocated to the Web server 72. Also, w
When a packet is transmitted from the eb server 72 to the terminal 3 (52), the root-side NAT 70 similarly performs address conversion.

Here, if communication between networks between the address “192.10.1.0” assigned to the closed network A (N10) and the address “192.10.2.0” assigned to the closed network B (N12) is prohibited, Since communication across a closed network is not performed, the closed area can be maintained. Further, as described above, it is also possible to limit the data that can be accessed by manipulating the address in the root side NAT 70. Furthermore, since the address of the server to be connected can also be managed on the server side, if a plurality of servers are prepared, the load of the server can be distributed if the address is converted according to the load on the server.

As described above, according to the embodiment of the present invention, the route side NAT 70 is provided in the network N20 on the server side, and an address group is prepared for each closed network.
Since the conversion is performed, information distribution from the server side to the terminal and a service customized for each closed network or each region can be realized. Also, since address conversion is managed on the server side, communication between addresses prepared for each closed network can be prohibited, and reading and writing of data in the server can be easily restricted by the address. It is also possible to provide services by a common server while maintaining the closedness of the closed network. Furthermore, since address conversion is managed on the server side, addresses can be freely assigned in each closed network, so that the server can be used with minimal changes to existing facilities.

As described above, one embodiment of the present invention has been described. However, the present invention is not limited to the above embodiment, and can be freely changed within the scope of the present invention. For example, in FIG. 5, the root side NAT 70 only has a function of translating an address. However, the root side NAT 70 has a form of a server that provides various services in addition to the function of translating the address, and is common to different closed networks. A service may be provided. Further, in the above embodiment, the case where the terminal connects to the Web server 72 has been described as an example, but a function of connecting to each terminal from the server side may be provided. Further, the present invention may be a form in which a local address is assigned to only one of the Web server 72 and the terminal, and a form in which a local address is assigned to both. Is also good.

[0037]

As described above, according to the present invention, it is possible to provide a common service customized to each closed network without losing the closed area to terminals in a plurality of closed networks by authentication on a closed network basis. There is an effect that it becomes possible. As this closed network, in addition to the company network, a service customized to each area can be provided by regarding an area having the same area code as one closed network. More specifically, not only terminals that are always connected from the server side, such as notifying that a seat has been secured after applying for a train ticket reservation, but also connecting to the network on demand There is an effect that information distribution called a push type to a terminal can be realized. Furthermore, in each closed network, free addresses can be assigned independently of addresses assigned to other closed networks, so that the server can be used with minimal changes to existing facilities. There is.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating an overall configuration of a network to which a method, an apparatus, and a server according to the present invention are applied.

FIG. 2 is a table showing an example of addresses assigned in each closed network and a server-side network.

FIG. 3 shows a device 30 having a function of a root side NAT.
FIG. 4 is a diagram for explaining how address conversion is performed by the following.

FIG. 4 is a diagram showing how a source address and a destination address of a packet are converted.

FIG. 5 is a diagram for explaining an overall configuration of a network to which a network address conversion method and apparatus and a server according to an embodiment of the present invention are applied;

FIG. 6 is a diagram showing a relationship between a closed network and addresses assigned on a server side and a network.

FIG. 7 is an explanatory diagram showing how communication is performed via a router having an address translation function called NAT.

FIG. 8 is an explanatory diagram showing a state in which communication is performed by tunneling a PPP connection to a server.

[Explanation of symbols]

30, 70: root side NAT (network address translator), 26: server, 72: Web server, N
6, N7, N10, N12 ... closed network, H6, H5, H7
... hosts, 50, 52, 54 ... terminals.

Claims (7)

[Claims] 1. A step of authenticating a network to which a terminal requesting a connection belongs by a network identifier or the like, and, in accordance with the authenticated affiliated network, assigns an address previously assigned to the terminal to a predetermined network to which the server belongs. And a step of converting an address pre-assigned to the server to a predetermined address of the network to which the terminal belongs, and converting data transmitted and received between the terminal and the server. A network address translation method comprising: translating a source address and a destination address. 2. A step of authenticating a network to which a terminal requesting a connection to the server belongs by using a network identifier allocated to each network, using a local address previously allocated to the server; Converting a local address pre-assigned to the terminal to a predetermined global address, and changing the local address allocated to the server to a global address pre-allocated to the server. Converting the data to an address, wherein the data sent from the terminal is received by the server using the converted global address. 3. converting the converted global address of the terminal into a local address pre-allocated to the terminal; and converting the global address pre-allocated to the server.
Converting the data to a local address assigned to the server in advance, wherein the data transmitted from the server is received by the terminal using the converted local address. The network address translation method according to claim 2. 4. An authentication apparatus for authenticating a network to which a terminal requesting connection to the server belongs by using a network identifier allocated to each network, using a local address previously allocated to the server, According to a network, a local address pre-assigned to the terminal is converted into a predetermined global address, and a local address allocated to the server is converted to a global address pre-allocated to the server. An address translator for translating to an address, wherein data sent from the terminal is received by the server using the translated wide area address. 5. The address translator translates the translated global address of the terminal into a local address pre-allocated to the terminal, and a global address pre-allocated to the server. To a local address assigned to the server in advance, and the data sent from the server is received by the terminal using the converted local address. The network address translator according to claim 4. 6. An authentication device and an address translation device according to claim 3, and a service providing device for providing various services to the closed network, wherein the address translated by the authentication device and the address translation device is provided. A server which provides a common service to a plurality of different closed networks using the same. 7. The server according to claim 6, wherein the server further comprises a connection device for connecting to a terminal.