JP2005136739A - Data relay method, data relay device and data relay system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve the relay performance of data relay, by executing data relay by using the other logical path, even if communication using one logical path is disconnected due to any failure. <P>SOLUTION: A predetermined SA is decided from among a plurality of SAs established in a backbone network 10 based on preset selector information, and the data relay of a data frame is executed between an IPsec device 20 at a center side and IPsec devices 31 to 34 of the other party, by using the decided SA. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a data relay method, a data relay device, and a data relay that perform data relay by establishing a logical path between a backbone network constructed by a virtual network such as VPN (Virtual Private Network) and a network of a specific user. It is about the system.

  Some conventional VPNs use IPsec (IP security protocol), which adds a security function to TCP / IP (Transmission Control Protocol / Internet Protocol), to ensure security in communication at the IP layer.

  In order to perform data relay using this IPsec, an environmental condition in which communication using TCP / IP is possible between at least two IPsec data relay devices (hereinafter referred to as “IPsec devices”) provided on the virtual network. Therefore, a logical path is established between the IPsec devices, data captured from a specific network is encrypted, and communication is performed with the other IPsec device. In such a data relay, since IPsec apparatuses establish a logical path on a one-to-one basis, it is not suitable for load distribution in which data is allocated to a plurality of paths.

  However, under the recent Internet VPN environment, for example, as shown in Patent Document 1, the IPsec device on the center side has two line resources (different interfaces), and an IP address (global address) is assigned to each interface. For this reason, a device that establishes a logical path with an IPsec device connected to a specific network (base) of each other for each interface and relays data has been used.

JP-A-8-321845

  However, in this IPsec device, for example, when a failure occurs in a physical line in which one logical path is established, communication with a base connected to that line may be interrupted, and data relay There was a problem that the relay performance deteriorated.

  The present invention has been made in view of the above problems, and even when communication using one logical path is interrupted due to a failure, for example, data relay is performed using the other logical path. An object of the present invention is to provide a data relay method, a data relay device, and a data relay system that can improve the relay performance of data relay.

  In order to solve the above-described problems and achieve the object, the data relay method according to the present invention is a data relay between networks of a specific user via a data relay device provided in a backbone network constructed by a virtual network. In a data relay method for establishing a logical path for data relay and performing data relay, a path establishing step for establishing a plurality of logical paths between the networks of the specific user, and based on selection information set in advance, A path determination step for determining a logical path for performing the data relay from among logical paths, and a data relay step for performing data relay using the determined logical path, To do.

  The data relay method according to claim 2 further includes a management step of managing the state of the logical path based on the set selection information in the invention, wherein in the path determination step, The logical path is determined based on the state of the physical path.

  In addition, the data relay method according to claim 3 further includes a notification step of notifying the set selection information in the above invention, wherein the data relay step includes transmitting data transmitted in response to the notification Data relay is performed using the determined logical path.

  The data relay apparatus according to claim 4 is provided in a backbone network constructed by a virtual network, and establishes a logical path for data relay between networks of specific users to perform data relay The path establishment means for establishing a plurality of logical paths between the networks of the specific user, storage means for storing preset selection information, and based on the stored selection information, Among them, the apparatus includes a path determination unit that determines a logical path for performing the data relay, and a data relay unit that performs data relay using the determined logical path.

  The data relay device according to claim 5 is provided in a backbone network constructed by a virtual network, and establishes a logical path for data relay between networks of specific users and performs data relay The path establishment means for establishing the logical path between the networks of the specific user, the logical path established by another data relay device in the same network, and the logical path established by the path establishment means in advance It is characterized by comprising storage means for storing information on the set priority order and data relay means for performing data relay based on the stored priority order information.

  The data relay device according to claim 6 is provided in a backbone network constructed by a virtual network, and establishes a logical path for data relay between networks of specific users and performs data relay A path establishing means for establishing a plurality of the logical paths between the networks of the specific user, a logical path established by another data relay apparatus in the same network, and a logical path established by the path establishing means Storage means for storing information on preset priorities, and a path for determining a logical path for performing the data relaying from the logical paths based on the stored priority information And a data relay means for relaying data using the determined logical path. That.

  According to a seventh aspect of the present invention, in the above invention, the data relay device further comprises notification means for notifying the predetermined user's network of the information on the priority order set in advance.

  The data relay system according to claim 8 is a data relay system that performs data relay by establishing a logical path for data relay between a backbone network constructed by a virtual network and a network of a specific user. A data relay apparatus according to any one of claims 4 to 7 is provided in a network, and a logical path for performing data relay is determined based on predetermined information set in advance.

  In the data relay method according to the present invention, a logical path is determined from a plurality of logical paths based on selection information set in advance, and data relay is performed using this logical path. Even if communication using the target path is interrupted due to a failure, for example, data relay is performed using the other logical path, so that the relay performance of data relay can be improved.

  In the data relay device according to the present invention, the path determination unit determines a logical path based on the selection information preset and stored in the storage unit, and the data relay unit uses this logical path to perform data relay. Therefore, even if communication using one logical path is interrupted due to a failure, for example, data relay using the other logical path can improve the relay performance of data relay. There is an effect that can be done.

  A data relay system according to the present invention includes the data relay device according to any one of claims 4 to 7, determines a logical path based on predetermined information set in advance, and determines the logical path. Therefore, even if communication using one logical path is interrupted due to a failure, for example, data relay is performed using the other logical path. There is an effect that it can be improved.

  Embodiments of a data relay method, a data relay device, and a data relay system according to the present invention will be described below in detail with reference to the drawings of FIGS. The present invention is not limited to these embodiments, and various modifications can be made without departing from the scope of the present invention.

(Embodiment 1)
FIG. 1 is a system configuration diagram showing the configuration of the data relay system according to the first embodiment of the present invention. In the figure, a backbone network 10 such as the Internet includes a center side IPsec apparatus 20 according to the present invention and an IPsec apparatus 31 connected to each specific network (each network on the A to D base side in this embodiment). To 34 are respectively connected. In this system, a plurality of IPsec logical paths (hereinafter referred to as “SA”; SA: Security Association) are established between the center side and the site side to enable data relay between the center side and the site side. ing.

  In other words, in this embodiment, the IPsec apparatus 20 has two interfaces, and IP addresses (global addresses) “# 1” and “# 2” are assigned to the two interfaces, respectively. In this embodiment, the IPsec apparatus 20 establishes SAs for both the IP addresses “# 1” and “# 2” for each of the networks at the A to D bases. However, only by establishing this SA, as shown in the background art described above, only one communication is effective in TCP / IP communication, and load distribution cannot be functioned.

  Therefore, in this embodiment, in order to make this IPsec load distribution function, load distribution is performed in a selector information table (to be described later) for IPsec load distribution in the IPsec apparatus 20 separately from the normal TCP / IP route information. Flag information is newly provided. In this embodiment, when data is relayed, the transmission destination is switched based on selector information that is selection information that is preset and stored in the selector information table to perform data relay control. .

  FIG. 2 is a configuration diagram showing the configuration of the center side IPsec apparatus 20 shown in FIG. In this figure, the IPsec device 20 includes a route information management table 21, a route search unit 22, a relay route determination unit 23, an IPsec processing unit 24, and a frame relay processing unit 25 that are normally provided in a conventional IPsec device, and are set in advance. Based on the selector information table 26 for storing the selected selector information, the SA state management table 27 for storing the established or unestablished state of the SA, the SA management unit 28 for managing the state of the SA, and the state of the SA. A load distribution processing unit 29 that performs load distribution processing for each destination.

  As shown in FIG. 3, the route information management table 21 includes an IP address of a destination network, in this embodiment, an IP address of all networks, and an IP address of a transmission interface corresponding to this address. Then, the IP address “# 1” is stored. The route search unit 22 searches for route information for the relay frame, and the relay route determination unit 23 determines the relay route based on the search result.

  As shown in FIGS. 4 to 7, the selector information table 26 has a table for storing respective selector information for the A base to the D base shown in FIG. 2. Since the entry items of the respective selector information tables are the same, here, the case of the selector information table directed to the site A in FIG. 4 will be described as a representative. In FIG. 4, as an entry item of the selector information table, the IP address of the transmission interface, in this embodiment, “# 1” and “# 2”, respectively, the IP address of the transmission source network, this embodiment Then, the IP address of the center side network, the IP address of the destination network, in this embodiment, the IP address of the network of the A base and the selector number, in this embodiment, “1”, “1”, Peer numbers “1” and “2”, a load distribution flag, and “target” and “target” in this embodiment are stored. In the selector information table 26, for example, at the initial setting stage, each entry item is previously input and stored by an operator or the like using an input unit such as a keyboard (not shown).

  In this embodiment, among the selector information for the A site, the selector number is set to “1” and “1”, and the peer number is set to “1” and “2”. In the selector information for the B site, the selector information is “2” and “2”, the peer numbers are “3” and “4”, and in the selector information for the C site, the selector information is , “3”, “3”, and the peer number is “5”, “6”. In the selector information for the D site, the selector information is “4”, “4”, and the peer number. Are set to “7” and “8”, respectively.

  Further, as shown in FIG. 8, the SA state management table 27 can establish two SAs for each of the sites A to D, so two SA numbers, one selector number, Two peer numbers and state information indicating the SA state are stored. Here, the SA number is a combination of a selector number and a peer number, and in this embodiment, the same number as the peer number is added. The selector number is a combination of the transmission source network and the transmission destination network, the numbers “1” to “4” described above are appended, and the peer number is determined according to the destination IP network that establishes the SA. Numbers “1” to “8” are appended. In addition, the status information includes information indicating “established” or “not established” of the SA to be set.

  The data relay operation of the IPsec device having such a configuration will be described with reference to the flowchart of FIG. In FIG. 9, in the center side IPsec apparatus 20, when the frame relay processing unit 25 fetches a data frame from the connected network, frame relay processing is started (step 101), and the relay route determination unit 23 performs route search. The unit 22 is made to search the route of the fetched data (step 102), and determines whether there is route information of the relay destination (step 103).

  If the relay destination route information is not searched, the data frame is discarded (step 104). If the relay destination route information is searched, the relay route determination unit 23 In addition to making the determination (step 105), the IPsec processing unit 24 is instructed to search for selector information, and the IPsec processing unit 24 searches for select information in the selector information table 26 (step 106). Then, it is determined whether there is any information that matches the select information in the selector information table 26 (step 107).

  If there is no suitable selector information, the frame is transmitted by designating the transmission interface and the destination based on the route information determined by the relay route determination unit 23 (step 113). If there is suitable selector information, the selector information table for the destination base is searched to determine whether the selector information is a load distribution target (step 108). Data encryption processing is performed (step 112), and frame transmission is performed (step 113). If this frame is a load distribution target, it is next determined whether two SAs have been established (step 109). By determining whether two SAs have been established with the destination base, it is detected that no failure has occurred in any of the lines.

  Here, when a failure occurs in any of the lines and the SA is in an unestablished state, data encryption processing is performed by the IPsec processing unit 24 without performing load distribution processing (step 112). ), Frame transmission is performed (step 113). If two SAs are established, it is determined that the load distribution process is to be performed, and the load distribution process by the load distribution processing unit 29 is executed (step 110). Next, the relay route determination unit 23 re-determines the relay route (step 111), and the IPsec processing unit 24 performs data encryption processing (step 112) to transmit a frame (step 113). When the relay route determination unit 23 performs redetermination of the relay route, for example, calculation using a hash function may be performed, and the SA relay route for data relay may be determined from the calculation result, or may be set in advance. The SA relay route may be used, or different SAs may be used alternately for the captured frames.

  As described above, in this embodiment, a predetermined SA is determined from a plurality of SAs based on selector information set in advance, and data frames are exchanged with the other IPsec apparatus using this SA. Since data relay is performed, in the TCP / IP route information management table, any frame that was relayed via the transmission interface # 1 can be relayed via the other transmission interface # 2. It becomes possible. Therefore, in this embodiment, for example, even when communication using one SA is interrupted due to a failure or the like, data relay can be performed using the other SA, thereby realizing a redundant configuration of data relay. In addition, the relay performance of data relay can be improved.

(Embodiment 2)
FIG. 2 is a system configuration diagram showing the configuration of Embodiment 2 of the data relay system according to the present invention. This embodiment is different from the first embodiment in that two center side IPsec devices are provided, and the transmission interfaces of the respective IPsec devices 20 and 40 have one configuration. In addition, the IPsec devices 20 and 40 are set for each of the bases A to D to determine which IPsec device preferentially relays data in a normal state in which both perform the data relay function normally. Yes.

  Each of the IPsec devices 20 and 40 previously sets and stores the priority set for the bases A to D in the route information management table in the own device, and further stores the route information in the route information management table. A route control protocol, for example, RIP (Routing Information Protocol) or BGP (Border Gateway Protocol) is used for advertisement, and the route information is shared among a plurality of data relay apparatuses.

  In this embodiment, the individual IPsec devices do not exhibit the load distribution function (that is, in this embodiment, the configuration shown in FIG. 2 is the configuration excluding the load distribution processing unit 29). However, the load balancing function can be executed by combining a plurality of IPsec devices and connecting them to the network on the center side. That is, when the IP addresses of the transmission interfaces of the IPsec devices 20 and 40 are set to “# 1” and “# 2”, the path information management table of the IPsec devices 20 and 40 shown in FIGS. An example of the configuration is shown. As shown in FIG. 11, the route information management table of the IPsec apparatus 20 has an IP address of the transmission interface for each of the A to D bases that are the transmission destination networks. In this embodiment, all of them are “# 1” and the corresponding priority. In this embodiment, “priority” information is stored for the A and B sites, and “non-priority” information is stored for the C and D sites. Further, as shown in FIG. 12, the route information management table of the IPsec device 40 corresponds to the IP address of the transmission interface for each of the A to D bases that are the transmission destination networks, and in this embodiment, all correspond to “# 2”. In this embodiment, contrary to the IPsec device, “non-priority” information for the A and B sites, and “priority” information for the C and D sites. Is remembered.

  Further, as shown in FIGS. 13 to 16, the selector information tables of the respective IPsec devices 20 and 40 are composed of the same entry items as those in the first embodiment, and are different in each IPsec device 20 and 40. These entry items are set in the point. Further, the peer number is set for each of the IPsec devices 20 and 40, and all of the load distribution flags are stored as “not applicable”. The same information is stored in the selector information tables for these A to D bases in both the IPsec apparatuses 20 and 40.

  Furthermore, as shown in FIG. 17, the SA state management table of the IPsec apparatus 20 can establish one SA for each of the bases A to D. Therefore, each SA number and selector A number, a peer number, and status information indicating the SA status are stored.

  Furthermore, a frame for advertising route information has a configuration as shown in FIG. FIG. 19 representatively shows an example of a frame configuration used in RIP. In FIG. 19, an RIP frame is provided with a MAC header, an IP header, and UDP from the beginning, and thereafter, the RIP header and RIP data are connected. The RIP data includes a destination network area in which the IP address of the destination network is stored, two must be zero areas in which all “0” information is stored, and a metric area. In this embodiment, a priority is defined for each destination network using a metric area. In this embodiment, when information on the same destination network is received, priority is given to information having a small value in the metric area.

  This RIP frame is also captured in each terminal device of the center side network, and this terminal device selects an IPsec device having a high priority based on this route information, and transmits data to each base. A frame can be transmitted.

  In the data relay operation of the IPsec device having such a configuration, since not all data is load distribution target in the flowchart shown in FIG. 9 (No in step 108), the process proceeds to the encryption processing in the IPsec processing unit. Thus, the frame transmission is performed based on the route information first retrieved from the contents of the route information management table by the relay route determination unit (step 112).

  As described above, in this embodiment, priority information is set in advance in the route information so as to correspond to each base, and based on this information, a data frame transmitted from the network on the center side is set. Since the data is relayed by the IPsec apparatus, it is possible to assign a priority to each destination base and transmit the data frame with load distribution to the corresponding IPsec apparatus. Therefore, in this embodiment, for example, even when communication using the SA established in one IPsec apparatus is interrupted due to a failure or the like, data relay is performed using the SA established in the other IPsec apparatus. As a result, a redundant configuration of data relay can be realized, and the relay performance of data relay can be improved.

  Further, the present invention is not limited to these embodiments, and for example, a plurality of IPsec devices having a plurality of transmission interfaces can be combined. In this case, load distribution within one IPsec device is possible, and load distribution among a plurality of combined IPsec devices is also possible, so that the redundancy of data relay is further improved and data Relay performance can be improved.

1 is a system configuration diagram showing a configuration of a first embodiment of a data relay system according to the present invention. It is a block diagram which shows the structure of the IPsec apparatus of the center side shown in FIG. FIG. 3 is a configuration diagram illustrating an example of a configuration of a route information management table illustrated in FIG. 2. It is a block diagram which shows an example of a structure of the selector information table toward A base | sauce among the selector information tables shown in FIG. Similarly, it is a block diagram which shows an example of a structure of the selector information table toward B base in the selector information table. Similarly, it is a block diagram which shows an example of a structure of the selector information table toward C base | sauce among selector information tables. Similarly, it is a block diagram showing an example of a configuration of a selector information table directed to a D site in the selector information table. Similarly, it is a block diagram which shows an example of a structure of SA state management table. 2 is a flowchart for explaining a data relay operation of the IPsec apparatus shown in FIG. It is a system block diagram which shows the structure of Embodiment 2 of the data relay system concerning this invention. It is a block diagram which shows an example of a structure of the routing information management table of the IPsec apparatus shown in FIG. Similarly, it is a block diagram which shows the other example of a structure of a path | route information management table. It is a block diagram which shows an example of a structure of the selector information table toward A base | substrate among the selector information tables of the IPsec apparatus shown in FIG. Similarly, it is a block diagram which shows an example of a structure of the selector information table toward B base in the selector information table. Similarly, it is a block diagram which shows an example of a structure of the selector information table toward C base | sauce among selector information tables. Similarly, it is a block diagram showing an example of a configuration of a selector information table directed to a D site in the selector information table. Similarly, it is a block diagram which shows an example of a structure of SA state management table. Similarly, it is a block diagram which shows the other example of a structure of SA state management table. FIG. 10 is a frame configuration diagram showing a frame configuration of RIP used in the data relay system shown in FIG. 9.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Backbone network 20,31-34,40 IPsec apparatus 21 Path information management table 22 Path search part 23 Relay route determination part 24 IPsec processing part 25 Frame relay processing part 26 Selector information table 27 SA state management table 28 SA management part 29 Load Distributed processing section

Claims (8)

In a data relay method for establishing a logical path for data relay between specific user networks via a data relay device provided in a backbone network constructed by a virtual network and performing data relay,
Establishing a plurality of logical paths between the networks of the specific users;
A path determination step for determining a logical path for performing the data relay out of the logical paths based on selection information set in advance;
A data relay step of relaying data using the determined logical path;
A data relay method comprising: The data relay method includes a management step of managing the state of the logical path based on the set selection information.
The data relay method according to claim 1, further comprising: determining a logical path based on a state of the logical path in the path determining step. The data relay method includes a notification step of notifying the set selection information.
The data relay method according to claim 1, further comprising: in the data relay step, data transmitted in response to the notification is relayed using the determined logical path. In a data relay apparatus that is provided in a backbone network constructed by a virtual network and establishes a logical path for data relay between networks of specific users and performs data relay,
Path establishing means for establishing a plurality of logical paths between the networks of the specific users;
Storage means for storing selection information set in advance;
Path determining means for determining a logical path for performing the data relay out of the logical paths based on the stored selection information;
Data relay means for relaying data using the determined logical path;
A data relay device comprising: In a data relay apparatus that is provided in a backbone network constructed by a virtual network and establishes a logical path for data relay between networks of specific users and performs data relay,
Path establishment means for establishing the logical path between the networks of the specific users;
Storage means for storing logical paths established by other data relay devices in the same network, and information on preset priorities of logical paths established by the path establishment means;
Data relay means for relaying data based on the stored priority information;
A data relay device comprising: In a data relay apparatus that is provided in a backbone network constructed by a virtual network and establishes a logical path for data relay between networks of specific users and performs data relay,
Path establishment means for establishing a plurality of the logical paths between the networks of the specific users;
Storage means for storing logical paths established by other data relay devices in the same network, and information on preset priorities of logical paths established by the path establishment means;
Path determining means for determining a logical path for performing the data relay out of the logical paths based on the stored priority information;
Data relay means for relaying data using the determined logical path;
A data relay device comprising: The data relay device
A notification means for notifying the information of the preset priority to the network of the specific user;
The data relay device according to any one of claims 4 to 6, further comprising: In a data relay system that relays data by establishing a logical path for data relay between a backbone network constructed by a virtual network and a network of a specific user,
The data relay device according to any one of claims 4 to 7 is provided in the backbone network.
A data relay system comprising: determining a logical path for performing data relay based on predetermined information set in advance.

Images