JP2003509969A - Access relay to server network transparent to client network - Google Patents

Abstract

(57) [Summary] The present invention relates to an interconnecting device 4 connected to a client network 13 by a first physical interface 19 and to the server network 3 by a second physical interface 14. The interconnecting device 4 receives a datagram addressed to the server devices 1 and 2 from the client network 13 and transmits a datagram addressed to the server devices 1 and 2 to the server network 3. including. Since the inter-network protocol addresses $ S1, $ S2 of the server devices 1, 2 coupled to the server network 3, are associated with the first physical interface 19, the datagrams going back to the application level at the interconnect device are Is provided transparently to the relay application.

Description

Detailed Description of the Invention

The invention relates to the area of information processing networks. The information processing network
Allows execution of applications distributed to remote devices. These remote devices are connected to the same network or to different networks interconnected by interconnection devices.

A transaction between remote devices is initiated by a client application that sends a request message to a server application that is in a watch state. The client application is placed in a waiting state for a response message to the request message. Upon receiving the request message, the server application generates a response message to send to the client application. The network layer can carry each message as a datagram from the device housing the sending application to the device housing the receiving application. The transport layer can carry messages between the sending application and the network layer and then between the network layer and the receiving application, ie, for example, from a client application to a server application. The application layer relates to the execution of applications in an environment specific to this layer.

If the devices are not physically connected to the same network, the routing protocol at the network layer is from the sending device to the interconnecting device and from the interconnecting device to the receiving device by means of an inter-network protocol address, eg an IP address. Send the datagram to. Upon passing through the interconnect device, the datagram remains at the network layer level. The network between the client device and the interconnection device is called the client network. The network between the server device and the interconnection device is called the server network.

A technical area in which the present invention is particularly concerned relates to interconnecting devices for accommodating relay applications. The relay application is effective in performing processing on the messages exchanged between the client network and the server network. However, the datagram destined for the final receiving device does not, of course, trace back to the application layer of the interconnect device.

According to known prior art, the sending application does not directly address the final receiving application, but addresses the message to the relay application of the interconnection device, and the relay application sends the message according to the processing given to the message. In the message to the relay application, indicate which is the final application sending the message so that can be resent. This is done, for example, in an internet browser, where for a given client application the address of the interconnection device for the network layer and the port number of the relay application for the transport layer are used. , The browser encapsulates the address of the server device and the port number of the final destination application in the datagram addressed to the relay application. However, this requires knowing which relay application the message passes through so as to configure the client device accordingly. As a result, there is a lack of flexibility, which is acceptable for a limited number of applications, but unsatisfactory for a large number of different applications.

Internet address http: // www. pmg. lcs. mit. e
du / cgi-bin / rfc / view? Document RFC19 obtained at 1928
28 describes the protocol "SOCKS v5", and the port number normally used is 1080. "TCP protocol Tunneling
Similarly for the solution known under the name "In Web Proxy Servers" it is necessary to set up a first connection to the relay application and a second connection to connect the relay device to the final device. is there.

In order to overcome the above drawbacks, it is an object of the present invention to allow a client application to easily set up a connection to a server application so that it can do it without using the services of the relay application, and thus the relay application. The use of the application's services is transparent to the client application.

A first object of the present invention is an interconnection device which is coupled to a client network by a first physical interface and is coupled to a server network by a second physical interface, and a server device which is coupled to a server network. At least one inter-network protocol address of the first physical interface is associated with the first physical interface, receives a datagram addressed to the server device from the client network, and transmits a datagram addressed to the server device to the server network. It is characterized by including the relay application of.

Thus, when the datagram reaches the first physical interface with the internetwork protocol address of the server device as the destination address, the interconnection device recognizes by its network layer that it is the destination device of the datagram. To be done. The network layer of the interconnection device then traces the datagram towards the application layer of the interconnection device by simply adhering to the established protocol. Upon receiving this datagram, the relay application may process it and then resend it to the server device, or not. It is completely transparent to the client application.

An object of a variant embodiment of the invention is an interconnection device which is coupled to a client network by a first physical interface and to a server network by a second physical interface, the server being coupled to a server network. At least one network-to-network protocol address of the device is associated with a third physical interface different from the first physical interface and the second physical interface, the interconnect device directing data from the client network to the server device. It includes a first relay application that receives the gram and sends a datagram addressed to the server device to the server network.

Here, the network layer protocol assigns the destination address to any one physical interface of the interconnection device, not to the first physical interface for receiving the datagram, so that the application layer of the interconnection device is assigned. I try to go back.

If the interconnection device already has a base address valid for the routing protocol in the client network, for example, the address of the server device is the first physical address in the client network as a synonymous address of the base address of the interconnection device. Associated with the interface.

A second object of the present invention is to execute a relay application between the client network and the server network in the interconnection device, and by the relay application, the client application causes the client application to have a single address in the server network. In a method for processing a datagram destined for a server device having a server network, the address is provided in the server network to a physical interface of an interconnection device that is not coupled to the server network so that a relay application receives the data flam. Characterized by including a first step of associating.

This has the advantage that the relay application does not have to configure or communicate the client application in order to be able to process the datagram. In fact, the client application continues to send the datagram by using the address of the server device. When the datagram arrives at the first physical interface of the interconnect device, the network protocol will naturally cause the datagram to trace back to the application layer of the interconnect device so that the relay application can receive the datagram. .

If the datagram transmitted from the client network to the server network has to be routed by the interconnection device, the method routes the datagram transmitted in the client network to the server device to the interconnection device. The second step precedes the first step. This is the case, for example, if there is not a single interconnection device between the client network and the server network.

Other advantages and details of the embodiments of the present invention will be apparent from the following description with reference to the accompanying drawings.

FIG. 1 shows server devices 1 and 2 and client devices 11 and 12. The devices 1, 2, 11 are connected to the server network 3 by individual physical interfaces 7, 8, 17. The client device 12 is the physical interface 1
8 connects to the client network 13. The networks 3 and 13 are physically different. The interconnection device 4 is connected to the server network 3 by a physical interface 14 and to the network 13 by a physical interface 19.

The applications 5, 6, 15, 16 executed on the devices 1, 2, 11, 12 are in a non-connection mode such as UDP or a connection mode such as TCP according to a protocol.
The transport layers CT communicate with each other. The transport layer CT monitors the network layer CR according to a protocol such as IP.

In the network layer CR, the device 1 is recognized by the address @ S1, the device 2 is recognized by the address @ S2, and the device 11 is recognized by the address @ C1. As is known, each address @ S1, @ S2, and @ C1 has a network field with a common value that identifies the network 3 and a device with a distinct value that identifies each device coupled to the network 3. And fields. Device 1
2 is recognized by the address @ C2 having a network field value that identifies the network 13 and a device field value that identifies the device 12 in the network 13. The interconnection device 4 has a network field value for identifying the network 13, an address @ P1 having a device field value for identifying the interconnection device 4 in the network 13, and a network field value for identifying the network 3.
And the address @ P2 with the device field value identifying the interconnect device 4 in the network 3.

The devices communicate with each other by means of messages circulating in the network as datagrams. FIG. 2 shows an example of a datagram. This datagram, which consists of consecutive bit frames, consists mainly of three consecutive fields. The first field DR is for the network layer protocol. Second field DT
For transport layer protocols that monitor the network layer. The third field DA is for the application layer which monitors the transport layer.
For example, in the case of a request on the web, the field DR contains the source and destination IP addresses, the field DT contains the source and destination TCP port numbers, and the field DA contains HTTP data.

For example, when the client application 15 executed in the client device 11 executes an access request to a file processed by the server application 5 arranged in the server device 1, the application 5 is a layer of the client device 11. The request is transmitted to CT, and the layer CT writes the request in the field DA and the service port number for the application 15 and the service port number for the application 5 in the field DT. The layer CT of the client device 11 transmits the fields DT and DA to the layer CR of the device 11, and the layer CR has the address @ C1 of the client device 11 and the address @S of the server device 1.
1 and are written in the field DR. Next, the layer CR sends the datagram thus configured to the interface 1 of the server device 1 that arrives at the interface 7.
Transmit to 7. The layer CR of the server device 1 recognizes from the address @ S1 that the datagram is addressed to the upper layer of the server device 1 and sets the fields DT and DA to the device 1
Resent to the layer CT. The layer CT retransmits the field DA to the application 5 with the service port number for the application 5 and the application 5 processes the request.

When the application 16 executed in the client device 12 makes an access request to a file processed by the application 5 arranged in the server device 1, the application 16 transmits the request to the layer CT of the client device 12. Then, the layer CT writes this in the field DA and the service port number for the application 16 and the service port number for the application 5 in the field DT. The layer CT of the client device 12 transmits the fields DT and DA to the layer CR of the client device 12, and the layer CR sends the address @ C2 of the client device 12 and the address @ S1 of the server device 1 to the field DR.
Write in. The layer CR then forwards the datagram thus constructed to the interface 18, which arrives at the interface 19 of the interconnection device 4, which is declared as a router between the networks 13 and 3.

In the absence of a device according to the invention, the address @ S1 is not an address destined for the interconnection device 4, so that the layer CR of the interconnection device 4 will see that the datagram is an interconnection device 4.
Recognize that it is not addressed to the upper layer of. In that case, the layer CR of the interconnection device 4 is
Look for a row in the routing table that contains the same value as the network field at address @ S1. The row thus found indicates the interface 14 as being the access interface to the network 3. Interconnection device 4
The layer CR retransmits the datagram to the network 3 through the interface 14, and as a result, the datagram arrives at the interface 7 of the server device 1.
In the layer CR of the server device 1, the datagram is sent to the server device 1 by the address @ S1.
Of the server device 1 and recognizes that the fields DT and DA are addressed to the upper layer of the server device 1.
Retransmit to T. With the server port number for application 5, layer CT retransmits field DA to application 5, which handles the request.

In the device according to the invention, the interconnection device 4 comprises an application 22 which acts as a relay server for requests sent from the network 13. The application 22 has a plurality of advantages, and can control access to the devices 1, 2, and 11 connected to the server network 3, for example. Further, it is possible to protect the responses to the preceding requests in the cache memory and reproduce the responses to these new requests without having to send new requests to the server devices 1 and 2.

The plurality of addresses of the layer CR are the physical interface 19 and the normal address @S.
1 and the normal address @ P1 of the server device 1 connected to the network 3. Further, the address @ S2 of the server device 2 can be associated with the physical interface 19. As will be described below, in contrast to the prior art in which the client network decides to use the service of the relay application 22, the server network here associates the physical interface 19 with the address @ S1 so that such use, eg server Determine access to 1.

The application 22 includes an input port 9 having the same number as the input port of the application 5 and an output port 10, and assigns one number to this output port to manage an arbitrary request message addressed to the application 5. be able to.

With this special device, the client device 12 does not need to know that it has set up an intermediate connection with the interconnection device 4. If the application 16 executed on the client device 12 executes a request addressed to the application 5 located on the server device 1, the address @ S1 is now recognized on the network 13 as the address of the interconnection device 4.

In order to execute a request addressed to application 5, application 16
Send the datagram Q on the network 13. Datagram Q is in field C
R contains the addresses @ S1 and @ S2, the transport field contains the port numbers of applications 5 and 16, and the field CA contains the final information addressed to application 5.

When the datagram Q is received at the physical interface 19 of the interconnection device 4,
The network layer CR of the interconnection device 4 recognizes the destination address @ S1 in the field DR as a unique address, and traces the datagram toward the transport layer CT of the interconnection device 4. The transport layer CT recognizes the destination number in the field DT as being the port number 9 of the application 22 and transmits the content of the datagram Q to this application.

The application 22 processes the contents of the field DA of the datagram Q. The processing of the datagram Q by the application 22 is such that the interconnection device 4 responds to the request to its cache memory by, for example, checking the access rights and making a decision whether or not to convey the datagram Q to the server application 5. It consists of checking if it already contains a response.

When the application 22 needs to send a request message to the application 5 in order to process the request message sent from the client application 16, the application 22 sends the subsequent data to the transport layer CT of the interconnection device 4. That is, the content of the request placed in the field DA, the input port number of the application 5, the output port number of the application 22 for managing the reply to the request, the inter-network protocol address of the server device 1 @
Notify S1. These data are transmitted to the network layer CR of the interconnection device 4. Upon receiving these data, the network layer CR of the interconnection device 4
Searches its routing table for which network to send the datagram according to the network field of address @ S1. In the example described here, since the network field of the address @ S1 corresponds to the network 3 to which the server device 1 is connected, the layer CR directs the physical interface 14 to the destination address @ S1 and the physical interface 14. 2. Send a datagram containing the associated source address @ P2 in field DR. The datagram reaches the server device 1 and the server application 5 of the server device 1 by the client server 3 in the conventional manner.

The response received by the application 5 through the interface 14 is the address @P
Since 2 is the address of the interconnection device 4, it is traced back to the application 22 by the network layer, and since the port number for response is the number assigned to the port 10 by the application 22, it is traced back to the application 22 by the transport layer CT. Using internal mechanisms for managing requests and responses, application 22 associates the response with the output port number received from application 16. The application 22 informs the transport layer CT of the interconnection device 4 of the subsequent data in order to retransmit the response to the application 16. That is, the contents of the response placed in the field DA, the output port number of the application 16, the input port number of the application 22 that is the same as the input port number of the application 5 for managing the response to the request, the destination network of the client device 12. The inter-protocol address @ C2 and the inter-network protocol address @ S1 of the server device 1. These data are transmitted by the transport layer to the network layer CR of the interconnection device 4. When the network layer CR of the interconnection device 4 receives the above data, it searches its routing table for which network to transmit the datagram according to the network field of the address @ C2. In the example described here, since the network field of the address @ SC2 corresponds to the network 13 to which the client device 12 is connected, the layer CR includes the destination address @ P2 and the source address @ S1 associated with the physical interface 19. And the datagram including the above in the field DR is transmitted to the physical interface 19. The datagram reaches the client device 12 and the client application 16 of the client device 12 by the client network 13 in a conventional manner.

Thus, the application 16 of the client device 12 returns the response from the application 5 in the server device 1 without passing through the application 22. The passage of the application 22 is transparent to the client application 16.

Referring to FIG. 3, the address @ S1 is a physical interface 2 which is different from the interface 14 as described above and here in particular the interface 19.
Associated with 0.

When the datagram is transmitted on the network 13 having the address @ S1, the routing protocol of the network layer CR of the interconnection device 4 receives the address @ P1.
Receives the datagram at the interface 19 with which it is associated. Since the address @ S1 associated with the physical interface 20 is the address of the interconnection device 4, the datagram traces back to the application layer CA of the interconnection device 4.

The relay application 21 processes the request message sent from the received datagram, like the relay application 22 described above. To send the response message to the client device 12, the relay application 22 provides specifically a pilot towards the virtual network to which the physical interface 20 is coupled.

To facilitate the implementation of the invention, the IP address @ S1 is interface 19
Is especially advantageous. In the following simple example, application 1
6 executes the Telnet function as the client application, and the relay application 22 uses the telnetd function as the server application of the application 16 and the Telnet function as the client of the application 5.
Executes the net function. The application 5 executes the telnetd function as a server of the relay application 22. Telnet and telnetd
Telnetd is the terminal of the client device on which the Telnet function is executed.
It is a known function that uses TCP / IP to connect to a server device that executes the function.

Each device goes to a different operating system to follow the device executing the command. The client device 12 is a version 4.1 AIX system (
Registered trademark), and @ C1 = 129.182.51.58 as the IP address
Have. The relay device 4 goes to the AIX system of version 4.2, and has @ P1 = 129.182.51.21 and @ P2 = 192.90.
Has 249.22. The server device 12 goes to the DNS-E device (dedicated),
It has @ S1 = 192.90.249.124 as the IP address. The network 13 has an IP address @ R1 = 129.182.50 and a mask @ M1 = 25.
5.25.254.0, accessible in a known manner.

In the client device 12, the following command route add-host 192.90.249.124 129.1
82.51.21 determines that the transmitted datagram passes through the relay device having the address @ P1 in order to reach the server device 1 having the address @ S1.

In the server device 1, the following command route add-net 129.182.50 192.90.249
． 22-netmask 255.255.254.0 determines that the transmitted datagram passes through the relay device at address @ P2 in order to reach any device in the network 13 at address @ R1.

In the client device 12, the following command Telnet 192.90.249.124 activates the Telnet application in order to reach the server device 1 at address @ S1. At this stage, the only device recognized by the IP address @ S1 is the server device 1. The IP layer of the interconnection device 4 routes the datagram sent from the IP layer of the client device 12 toward the IP layer of the server device 1. The IP layer of the server device 1 recognizes the address @ S1 and
The application field of the datagram back to the telnetd application. The telnetd application of the server device 1 sends the following message to the client device 12 on the return path. Trying. ． ． Connected to 192.90.249.124. Escape character is '^]'. $ 0000 ^* DNS-E V3U 1.000 P 1.001 P 2.0
19 P3.010 ^* IMA: BX77SIM 1988/10/21 17:
23 ^*

The display of the above message on the terminal of the client device 12 indicates that this message is in the environment of the DNS system, that is, reaches the server device 1 directly. The relay device 4 is passed only when IP routing is performed.

In the client device 12, the following command Telnet 129.18.251.21 activates the Telnet application in order to reach the relay device 4 with the address @ P1. The IP layer of the interconnection device 4 recognizes the address @ P1 and relay device 4
The application field of the datagram back to the telnetd application. The telnetd application of the interconnection device 4 sends the following message to the client device 12 on the return path. Trying. ． ． Connected to 129.182.51.21. Escape character is '^]'. Telnet (treize) AIX Version 4 (c) Copyrights by IBM and by others
1982, 1996. Login:

The display of the above message on the terminal of the client device 12 indicates that this message is in the environment of the AIX system, that is, reaches the interconnection device 4. As a result, it becomes possible to manage commands from the terminal of the client device 12 executed by the interconnection device 4.

In the interconnection device 4, the interface 19 is referred to as en1 and the following command ifconfig en1 192.90.249.124. alias is the address @ S1 as an additional address associated with the interface 19.
To decide. The interconnection device 4 is the server device 1 by the IP layer in the network 13.
There is no fear of being confused with. This is because the network 13 is physically different from the network 3. Similarly, the following command ifconfig en1 192.90.249.125. alias is the address @ S2 as an additional address associated with the interface 19.
To decide.

Returning to the client device 12, the following command Telnet 192.90.249.124 activates the Telnet application, which has a different effect than described above. The message displayed on the terminal of the client device 12 is as follows. Trying. ． ． Connected to 129.182.51.21. Escape character is '^]'. Telnet (treize) AIX Version 4 (c) Copyrights by IBM and by others
1982, 1996. Login:

The display of the above message on the terminal of the client device 12 indicates that this message is in the environment of the AIX system of the interconnection device 4. Address @ S
Although the request for connection to the telnetd application of the server device 1 was made by the command 1, the command executed the connection to the telnetd application of the interconnection device 4. This is explained by the fact that the IP layer of the interconnection device 4 recognizes the address @ S1 as a unique destination address of the interconnection device 4 without considering the routing to the network 3. Therefore, the IP layer of the interconnection device 4 is directed towards the telnetd application of the interconnection device 4,
The application field of the datagram received by the interface 19 is traced back.

In the interconnection device 4, the following command Telnet 192.90.249.124 activates the Telnet application in order to reach the server device 1 at the address @ S1. At this stage, the IP address @S from the interface 14
The only device recognized by 1 is the server device 1. The IP layer of the server device 1 recognizes the address @ S1 and traces back the application field of the datagram toward the telnetd application of the server device 1. The telnet application of the server device 1 sends the following message to the telnet application of the interconnection device 4 on the return path. Trying. ． ． Connected to 192.90.249.124. Escape character is '^]'. $ 0000 ^* DNS-E V3U 1.000 P 1.001 P 2.0
19 P3.010 ^* IMA: BX77SIM 1988/10/21 17:
23 ^*

This message is retransmitted by the telnetd application of the interconnection device 4 to the telnet application of the client device 12.
The display of this message on the terminal of the client device 12 is
Indicates that the server is in the environment of the DNS system and reaches the server device 1. However, the application field of the datagram is transparent to the client device 12 and traces back to the application layer of the relay device 4.

The above-mentioned manual operation method can be implemented by a program executed by the application layer of the interconnection device 4.

The destination datagram of the server device 1 passing through the IP layer of the interconnection device 4 traces back to the application layer of the interconnection device 4, since the address @ S1 is associated with the physical interface of the interconnection device 4. In order to avoid a collision with the server device 1 in the network 3, it is preferable not to bind the address @ S1 to the interface 14. Referring to FIG. 3, the address @ S1 is set to interface 1
It can be associated with a physical interface other than 9, eg physical interface 20.

The special processing example by the relay application 22 described here has special advantages. When associating the encryption key with the address @ S1 and encrypting the request from the client device 12 and the response addressed to the client device 12, the decryption of the request and the encryption of the response can be performed by the interconnection device 4. Data is,
It can be decrypted and circulated in the server network 3 without risk.
Therefore, the encrypted resources and the decryption resources are concentrated in the interconnection device 4,
The resources usable for the server function are left in the server device 1 to the maximum extent. The relay application 22 can also re-encrypt the response before sending it on the network 13.

[Brief description of drawings]

[Figure 1]   It is a figure which shows an example of the interconnection device provided with two physical interfaces.

[Fig. 2]   It is a figure which shows an example of a datagram.

[Figure 3]   It is a figure which shows an example of the interconnection device provided with three physical interfaces.

Claims (7)

[Claims] 1. An interconnection device (4) coupled to a client network (13) by a first physical interface (19) and to a server network (3) by a second physical interface (14). , At least one inter-network protocol address (@ S1, @ S2) of the server device (1, 2) coupled to the server network (3) different from the interconnection device (4)
Receives a datagram associated with the first physical interface (19) and addressed to the server device (1, 2) from the client network (13),
An interconnection device (4) comprising a first relay application (22) for transmitting a datagram addressed to a server device (1, 2) to a server network (3). 2. An interconnection device (4) coupled to a client network (13) by a first physical interface (19) and to a server network (3) by a second physical interface (14). , At least one inter-network protocol address (@ S1, @ S2) of the server device (1, 2) coupled to the server network (3) different from the interconnection device (4)
Of the first physical interface (19) and the second physical interface (
A datagram associated with a third physical interface (20) different from 14) and addressed to the server device (1, 2) is received from the client network (13) and is sent to the server network (3). 2) An interconnection device (4) comprising a first relay application (22) for transmitting a datagram addressed to it. 3. The address (@ S1, @ S2) is associated with the first physical interface (19) as a synonymous address of the base address (@ P1) of the interconnection device (4) in the client network (13). Interconnect device (4) according to claim 1, characterized in that it is provided. 4. The client network (1) in the interconnection device (4).
3) and a server network (3) execute a relay application (22), and the relay application causes the client application (16) in the client network (13) to be different from the interconnection device (4). A method for enabling processing of a datagram transmitted to the server device (1) of the address (@ S1) of (3), wherein the relay application (22)
In order to be able to process the datagram, the client application (16
) Or receiving the datagram without transmitting information to the client application, the address (@) to the physical interface (19, 20) of the interconnection device (4) not coupled to the server network (3). S1
) Associating a first step. 5. A first step is preceded by a second step of routing a datagram destined for a server device (1) transmitted in a client network (13) towards an interconnection device (4). The method according to claim 4, characterized in that 6. The relay application (22) has an encryption key so that the encrypted message sent from the client network (13) is decrypted and transmitted by the server network (3). Interconnect device (4) according to claim 1 or 2. 7. The relay application (22) comprises a server network (3).
) Sends unencrypted messages from the client network (
Interconnect device (4) according to claim 1 or 2, characterized in that it comprises an encryption key so as to be encrypted and transmitted in 13).