JP5260487B2 - Address determination device, address determination method, and address determination program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To appropriately solve duplication of an address. <P>SOLUTION: A first address determination part 11 determines a first address for identifying a terminal controlled by other base which becomes a communication partner in predetermined connection between bases in the bases so as to be unique among terminals which can be the communication partner in the bases in a time period utilizing the connection between bases. A second address determination part 12 determines a second address for identifying terminals controlled by the respective bases belonging to the connection between bases in a wide area network so as to be unique among the terminals which can be controlled as the connection between bases in the time period utilizing the connection between bases. An address setting part 13 sets conversion information for converting the first address and the second address to address converters so that the first address and the second address are mutually converted on the boundary of the respective address converters. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention relates to an address determination device, an address determination method, and an address determination program.

  In recent years, services have emerged that provide a collaborative space by connecting multiple locations. In particular, there is a high demand for an on-demand service, that is, a service for connecting between bases in a timely manner upon request. Here, the “base” is an isolated network domain whose reachability is limited by VPN (Virtual Private Network) or geographical conditions. In addition, “inter-base connection” means that information for transferring a packet transmitted from a terminal at a base to a terminal at a base is set in each device existing on the path between the bases. It is interconnecting the bases so that they can communicate with each other. The “collaborative space” is a network domain generated by inter-base connection, and is a network domain having the interconnected range as a new reachable range.

  By the way, when a plurality of bases are connected to each other, addresses must be assigned so that addresses do not overlap. Conventionally, when a plurality of bases are statically connected to each other, address duplication has been solved by designing addresses in advance, for example.

JP 2001-268125 A

Osamu Honda et al., “Prototype Implementation of VPN Realizing Multiple User Assignments”, IEICE Technical Report IN 2004-181 (2005-02), P.A. 43-48 Takaaki Koyama, Shuichi Karasawa, Kazuhiro Kishi, Shintaro Mizuno, Soetsu Iwamura, “Proposal of VPN Connection Management System”, IEICE Technical Report IN 2009-48 (2009-09), P.A. 53-58

  However, when connecting between bases on demand, it is difficult to design an address in advance, and the conventional technique has a problem that it is difficult to appropriately resolve address duplication. This is particularly noticeable when multiple locations belong to multiple collaborative spaces in the same time zone.

  The disclosed technology has been made in view of the above, and an object thereof is to provide an address determination device, an address determination method, and an address determination program capable of appropriately solving address duplication.

  In one aspect, an address determination apparatus, an address determination method, and an address determination program disclosed in the present application provide an address used for inter-base connection to a system that connects a plurality of bases via a wide area network. An address determination device for determining a first address for identifying a terminal under another base which is a communication partner in a predetermined base-to-base connection within the base in the time zone using the base-to-base connection. A first determination means for determining the terminal to be unique among the terminals that can be a communication partner, and a second address for identifying a terminal under each base belonging to the connection between the bases in the wide area network, Second determination means for determining to be unique among terminals that can be controlled as the connection between bases in a time zone using inter-connection, and the first determination The first address determined by the stage and the second address determined by the second determination means are converted to each other with each of the address conversion devices connected to the wide area network and each of the bases as a boundary, And setting means for setting conversion information for converting the first address and the second address in the address conversion device.

  According to one aspect of the address determination device, the address determination method, and the address determination program disclosed in the present application, there is an effect that it is possible to appropriately resolve address duplication.

FIG. 1 is a diagram for explaining a network configuration according to the first embodiment. FIG. 2 is a block diagram illustrating the configuration of the address determination device 10 according to the first embodiment. FIG. 3 is a flowchart of a process procedure performed by the address determination apparatus 10 according to the first embodiment. FIG. 4A is a diagram for explaining the bases belonging to the VPN service. FIG. 4B is a diagram for explaining the bases belonging to the VPN service. FIG. 4C is a diagram for explaining the bases belonging to the VPN service. FIG. 5 is a diagram for explaining a network configuration according to the second embodiment. FIG. 6 is a diagram for explaining an address determination method using Single-NAT. FIG. 7 is a diagram for explaining an address determination method using Twice-NAT. FIG. 8 is a flowchart illustrating the processing procedure of the address determination method according to the second embodiment. FIG. 9 is a diagram for explaining a specific example of the address determination method. FIG. 10 is a diagram for explaining a specific example of the address determination method. FIG. 11 is a diagram for explaining the concept of address determination. FIG. 12 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 13 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 14 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 15 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 16 is a diagram for explaining addresses assigned to interfaces of devices in the second embodiment. FIG. 17 is a block diagram illustrating the configuration of the inter-VPN connection management system 100 according to the second embodiment. FIG. 18 is a diagram for explaining the VPN connection information storage unit 121. FIG. 19 is a diagram illustrating an example of a setting pattern of the collective virtual router. FIG. 20 is a diagram illustrating an example of a setting pattern of the VPN termination device. FIG. 21 is a diagram for explaining the VPN connection request storage unit 123. FIG. 22 is a diagram for explaining the address conversion information storage unit 124. FIG. 23 is a diagram for explaining the routing information storage unit 125. FIG. 24 is a diagram for explaining the routing information storage unit 125. FIG. 25 is a diagram for explaining the attachment storage unit 126. FIG. 26 is a diagram for explaining the pre-configuration information of the collective virtual router. FIG. 27 is a diagram for explaining the pre-setting information of the VPN termination device. FIG. 28 is a diagram for explaining an example of a VPN connection request input screen. FIG. 29 is a flowchart of a process procedure performed by the inter-VPN connection management system 100 according to the second embodiment. FIG. 30 is a flowchart showing the address determination process. FIG. 31 is a diagram for explaining a network configuration according to the third embodiment. FIG. 32 is a block diagram illustrating the configuration of the address determination device 200 according to the third embodiment.

  Hereinafter, embodiments of the address determination device, the address determination method, and the address determination program disclosed in the present application will be described. In addition, this invention is not limited by the following examples.

  An address determination apparatus according to the first embodiment will be described. FIG. 1 is a diagram for explaining a network configuration according to the first embodiment. As illustrated in FIG. 1, the address determination apparatus according to the first embodiment determines an address used for inter-base connection for an inter-VPN connection system that connects a plurality of bases between bases via a wide area network. . The inter-VPN connection system includes a transfer control device, an address translation device, and a VPN termination device.

  Here, the VPN termination device accommodates the base via the access network and terminates the VPN between the accommodated base and the wide area network. The address translation device translates the address of the packet received from the VPN termination device and transmits the packet after the address translation to the transfer control device. The address translation device translates the address of the packet received from the transfer control device, and transmits the packet after the address translation to the VPN termination device. The transfer control device controls packet transfer within the wide area network.

  FIG. 2 is a block diagram illustrating the configuration of the address determination device 10 according to the first embodiment. As illustrated in FIG. 2, the address determination device 10 according to the first embodiment includes a first address determination unit 11, a second address determination unit 12, and an address setting unit 13. As will be described below, the address determination apparatus 10 according to the first embodiment uses the private addresses of the terminals under each base as inputs in order to interconnect the terminals under each base belonging to a predetermined inter-base connection. The addresses for conversion corresponding to these private addresses (hereinafter referred to as “first address”, “second address”) are determined.

  The first address determination unit 11 sets a first address for identifying a terminal under another site that is a communication partner in a predetermined connection between bases in a time zone overlapping with a time zone in which the connection between the bases is used. To be unique among the terminals that can be communication partners in the base. For example, when there are two bases belonging to the connection between bases and one terminal is subordinate to each base, the first address determination unit 11 sets the first address of one terminal for each base and 2 Determine the first address for the terminal. In addition, for example, when a certain base uses a connection between other bases with a plurality of bases in a time zone that overlaps with a time zone in which a predetermined connection between bases is used, All terminals used for connection between other bases are “terminals that can be communication partners in the bases in overlapping time zones”. In addition, the overlapping time zone includes a case where a part of the time zone overlaps and a case where the time zones completely match.

  The second address determination unit 12 sets a second address for identifying a terminal under each base belonging to the inter-base connection in the wide area network between the bases in a time zone overlapping with a time zone in which the inter-base connection is used. It is determined to be unique among terminals that can be controlled as a connection. For example, when there are two bases belonging to the connection between bases and one terminal is subordinate to each base, the second address determination unit 12 determines a second address for two terminals.

  The address setting unit 13 sets conversion information for converting the first address and the second address in the address conversion device so that the first address and the second address are converted from each other with the address conversion device as a boundary. . Here, when the address translation apparatus receives a packet including a first address indicating a destination and a private address indicating a transmission source from the base, the first address is changed to a second address corresponding to the destination indicated by the first address. At the same time, the private address is converted into a second address corresponding to the transmission source indicated by the private address and transferred to the wide area network. Further, when the address translation device receives a packet including the second address indicating the destination and the second address indicating the transmission source from the wide area network, the address translation device corresponds to the destination indicated by the second address. While converting to a private address, the 2nd address which shows this transmission source is converted into the 1st address corresponding to the transmission source which this 2nd address shows, and it transfers to a base. Therefore, for example, the address setting unit 13 sets conversion information between the private address and the second address for a terminal at a certain base, and the first address and the second address for a terminal that is a communication partner for the terminal at this base. Set conversion information.

  FIG. 3 is a flowchart of a process procedure performed by the address determination apparatus 10 according to the first embodiment. As will be described below, the first address determination unit 11 determines the first address, and the second address determination unit 12 determines the second address, but the first address and the first address determined by each unit are determined. The number of two addresses is as follows.

  In other words, the first address for identifying the terminal under the other base that is the communication partner within the base is the destination address of the packet transmitted from this base, and in the base that is the counterpart to this base The number of terminals used for inter-base connection is determined. If the terminal used for inter-base connection at the other party is a plurality of terminals and is determined by the address unit for each terminal, the first of the number of terminals by the address unit for each terminal The address will be determined. On the other hand, when determining by subnet unit, for example, when the subnet address part of the address is determined and the original address is diverted for the host address part, as a result, the first addresses corresponding to the number of terminals are determined. Will be. Note that the first address is determined in this way for all bases belonging to a connection between bases.

  On the other hand, the second address for identifying the terminal under each base belonging to a connection between bases in the wide area network is converted into the destination address and the source address of the packet transmitted from each base belonging to the connection between bases. This is a later destination address and source address, and is determined by the number of all terminals used for connection between certain bases.

  As illustrated in FIG. 3, the address determination device 10 uses the inter-base connection as a first address for identifying a terminal under another base that is a communication partner in a predetermined base-to-base connection. It is determined so as to be unique among terminals that can become communication partners in the base during the time zone overlapping with the zone (step S1). In addition, the address determination device 10 sets the second address for identifying the terminal under each base belonging to the connection between bases in the wide area network between the bases in a time zone overlapping with the time zone using the base connection. It determines so that it may become unique among the terminals which can be controlled as a connection (step S2).

  Then, the address determination device 10 sets conversion information for converting the first address determined in step S1 and the second address determined in step S2 in the address conversion device (step S3). The present invention is not limited to the above processing procedure. For example, when step S1 and step S2 are processed in reverse order, or when step S1 and step S2 are performed in parallel, The same can be applied.

  As described above, according to the first embodiment, an address for identifying a terminal under another base serving as a communication partner within the base and a terminal under each base belonging to the connection between bases within the wide area network. The address can be determined independently. As a result, since the algorithm for determining the address is simplified and automated, address duplication can be appropriately solved without address design in advance. That is, it is possible to appropriately resolve address duplication even when connecting between bases on demand.

  1 illustrates a configuration in which a plurality of VPN termination devices, multiple address conversion devices, and a single transfer control device are installed. The invention is not limited to this. For example, the present invention is similarly applied to a configuration in which a plurality of combinations of VPN termination devices of a plurality of housings, address conversion devices of a plurality of housings, and transfer control devices of one housing are further installed. Can be applied. Further, for example, the present invention is similarly applied to a configuration in which a plurality of housing VPN termination devices, a plurality of housing address conversion devices, and a plurality of housing transfer control devices are installed in combination. Can be applied.

  In addition, for example, a function (a function for accommodating a base and terminating a VPN between the accommodated base and a wide area network) and a function (a function for converting an address) included in the address conversion apparatus are included in the VPN termination apparatus. The present invention can be similarly applied to a configuration in which a device in which the functions of the transfer control device (the function of controlling packet transfer in the wide area network) are accommodated in one housing is installed.

  In FIG. 1, for convenience of explanation, the VPN termination device of one housing accommodates one base, but the present invention is not limited to this, and generally the VPN of one housing is used. A termination device accommodates multiple sites. Here, “accommodates a base” means, for example, a physical connection between a VPN terminal installed in a wide area network and a network device such as a router installed in an access network, and also in the access network. A physical connection between a network device such as an installed router and a network device such as a router installed at a base.

  Here, the aspect of “base” will be described. A “base” may be a terminal rather than a so-called network. For example, the case where the router installed in the base is realized by software in the terminal instead of a physical router is included. In addition, the “base” may be an in-house network of a plurality of local area networks connected by a VPN service provided by a telecommunications carrier or the like.

  4A to 4C are diagrams for explaining the bases belonging to the VPN service. In FIGS. 4A to 4C, two types of dotted lines are used. One is a normal dotted line, and the other is a broken line (a combination of a short line and a long line). The broken lines indicate that a plurality of bases belonging to the same VPN service and a VPN is formed between bases in the same company (for example, C company). On the other hand, the dotted line indicates that the VPNs are connected. For example, connection between a plurality of bases belonging to different VPN services, or connection between VPNs of different companies, even between a plurality of bases belonging to the same VPN service.

  As shown in FIG. 4A, for example, Company C has a base group belonging to the VPN service 1 and a base belonging to the VPN service 3. Since the VPN service 1 and the VPN service 3 are different VPN services, as a result of prior address design in each VPN service, for example, a terminal of a company C base belonging to the VPN service 1 and a C belonging to the VPN service 3 The same private address may be given to the terminal at the company base. On the other hand, Company D has a base belonging to the VPN service 2 and a base belonging to the VPN service 4. Since the VPN service 2 and the VPN service 4 are different VPN services, as a result of prior address design in each VPN service, for example, the terminal of the company D base belonging to the VPN service 2 and the D belonging to the VPN service 4 The same private address may be given to the terminal at the company base.

  The address determination device according to the present invention can determine an address used for inter-base connection for inter-base connection between the base group of the company C and the base group of the company D belonging to different VPN services. That is, a base between a group of companies belonging to the VPN service 1, a company D belonging to the VPN service 2, a company C belonging to the VPN service 3, and a company D belonging to the VPN service 4 For inter-connection, an address used for inter-base connection can be determined.

  As shown in FIG. 4B, for example, Company C has a group of bases grouped by the VPN service 3. On the other hand, Company D has a group of bases grouped by the VPN service 4. The address determination device according to the present invention can determine an address used for inter-base connection even for such inter-base connection between the base group of company C and the base group of company D belonging to different VPN services. .

  As shown in FIG. 4C, for example, Company C and Company D both have base groups grouped by the VPN service 2. The address determination device according to the present invention is such an inter-base connection between the base group of the company C belonging to the same VPN service and the base group of the company D, in other words, between a plurality of base groups belonging to the same VPN termination device. With respect to inter-base connection, an address used for inter-base connection can be determined.

  Although FIG. 1 illustrates the configuration in which the address determination device is installed in the wide area network, the present invention is not limited to this. For example, the present invention can be similarly applied to a configuration in which an address determination device is connected to a VPN termination device, an address translation device, and a transfer control device via a monitoring network.

  Moreover, although FIG. 1 illustrates the configuration in which the address determination device for one housing is installed, the present invention is not limited to this. For example, the present invention is similarly applied to a configuration in which an address determination device for a plurality of housings is installed or a configuration in which a part of the address determination device such as a storage unit is installed in another housing. be able to.

[Network Configuration of Example 2]
Next, in the second embodiment, a case where the base is a network and belongs to a VPN service provided by a telecommunications carrier or the like will be described as an example. That is, the inter-base connection in the second embodiment is an “inter-VPN connection” that connects bases belonging to the VPN service. FIG. 5 is a diagram for explaining a network configuration according to the second embodiment. As illustrated in FIG. 5, the inter-VPN connection management system according to the second embodiment includes an address determination device, and the address determination device is an inter-VPN connection system that connects a plurality of bases between VPNs via a wide area network. On the other hand, an address used for connection between VPNs is determined. The inter-VPN connection system includes a collective virtual router, a NAT (Network Address Translation) device, and a VPN termination device.

  Here, the VPN termination device accommodates the base via the access network and terminates the VPN between the accommodated base and the wide area network. Further, the NAT device converts the address of the packet received from the VPN termination device, and transmits the packet after the address conversion to the collective virtual router. Further, the NAT device converts the address of the packet received from the collective virtual router, and transmits the packet after the address conversion to the VPN termination device. The collective virtual router controls packet transfer in the wide area network.

  Further, as illustrated in FIG. 5, a virtual router for connection between VPNs is set in the aggregate virtual router in a time-limited manner according to a connection request between VPNs. That is, the virtual router is routing information set for each connection between VPNs (for each collaborative space), and implements a collaborative space by routing according to the routing information set for a limited time. In the second embodiment, a configuration is also assumed in which one base is assigned to a plurality of cooperating spaces in the same time zone.

  5 illustrates a configuration in which a plurality of VPN termination devices, a plurality of NAT devices, and a collective virtual router in one housing are installed. Is not limited to this. For example, the present invention is similarly applied to a configuration in which a plurality of combinations of VPN termination devices of a plurality of cases, NAT devices of a plurality of cases, and a collective virtual router of one case are further installed. can do. In addition, for example, the present invention is similarly applied to a configuration in which a plurality of casing VPN termination devices, a plurality of casing NAT devices, and a collective virtual router of a plurality of casings are installed in combination. can do.

  Further, for example, a function (a function for accommodating a base and terminating a VPN between the accommodated base and a wide area network), a function (a function for converting an address), and a set of a NAT apparatus The present invention can be similarly applied to a configuration in which an apparatus in which the function of the virtual router (the function of controlling packet transfer in the wide area network) is accommodated in one housing is installed.

  Further, in FIG. 5, for convenience of explanation, the VPN termination device of one casing accommodates one base, but the present invention is not limited to this, and generally the VPN of one casing is used. A termination device accommodates multiple sites. Here, “accommodating a base” means, for example, a physical connection between a VPN termination device installed in a wide area network and a network device such as a router installed in an access network, and also in the access network. A physical connection between a network device such as an installed router and a network device such as a router installed at a base. Note that the base may be one terminal instead of a so-called network. For example, there is a case where a router installed at a base is realized by software in a terminal instead of a physical router.

  5 illustrates a configuration in which the inter-VPN connection management system including the address determination device is installed in the wide area network, but the present invention is not limited to this. For example, the present invention can be similarly applied to a configuration in which an inter-VPN connection management system is connected to a VPN termination device, a NAT device, and a collective virtual router through a monitoring network.

  5 illustrates a configuration in which the inter-VPN connection management system of one housing is installed, but the present invention is not limited to this. For example, the present invention can be applied to a configuration in which an inter-VPN connection management system having a plurality of casings is installed, or a configuration in which a part of the inter-VPN connection management system such as a storage unit is installed in another casing. The same can be applied.

  Here, as illustrated in FIG. 5, the VPN terminating device, the NAT device, and the collective virtual router are physically connected, and the interface setting in the data link layer of OSI (Open Systems Interconnection) is performed in advance. ing. In the second embodiment, a star configuration is assumed as a network configuration for connection between VPNs.

[Address Determination Method in Embodiment 2]
As described above, the inter-VPN connection management system according to the second embodiment includes the address determination device, and the address determination device determines an address used for the connection between VPNs. As a result, according to the second embodiment, it is possible to appropriately resolve address duplication. First, the address determination method in the second embodiment will be described. In the second embodiment, an RFC (Request for Comments) 2663 technique (hereinafter “Twice-NAT”) published by the Internet Engineering Task Force (IETF) is used as an address translation technique. In the following, from the viewpoint of comparison, first, the technology of RFC1631 (hereinafter, “Single-NAT”) will be described, and then, Twice-NAT will be described.

[Address determination method using Single-NAT]
FIG. 6 is a diagram for explaining an address determination method using Single-NAT. The variables used in the following description are defined with reference to FIG. Hereinafter, a base connected between VPNs is referred to as “VPN”. “VPN _i ” is the VPN name, i = 1, 2, 3,. “A _i ” is an address used inside VPN _i (hereinafter “in-site address”). “VRF _m ” is a virtual router name set in the collective virtual router, and m = 1, 2, 3,. VRF is an abbreviation for Virtual Routing and Forwarding. Expression (1-1) is an operator representing address conversion from VPN _i to VRF _m .

Then, the base address a _i of VPN _i is converted to the equation (1-2) when the address is converted for VRF _m . On the other hand, the base address a _j of VPN _j is expressed by equation (1-3) when the address is translated for VRF _m . That is, as illustrated in FIG. 6, in VRF _m , an address for identifying VPN _i is an expression (1-2), and an address for identifying VPN _j is an expression (1-3). Further, in VPN _i , an address for identifying VPN _j as a connection destination is represented by equation (1-3). On the other hand, in VPN _j , an address for identifying VPN _i as a connection destination is represented by equation (1-2).

For example, when the packet to the VPN _j from VPN _i shown in FIG. 6 is transmitted, packets, via the VRF _m, is transmitted as _{VPN i → VRF m → VPN j} . Here, when Single-NAT is used for address conversion, the NAT device converts only the source address and does not convert the destination address, or converts only the destination address and does not convert the source address. . For this reason, the combination of {source address, destination address} is expressed by equation (1-4) in each region in VPN _i , VRF _m , and VPN _j by address conversion. Note that i ≠ j.

  The address must be determined so as to satisfy two conditions of “(1) routing is possible from the VPN side” and “(2) routing is possible from the VPN side”.

Considering "(1) that routing is possible from the VPN side", the condition of (1) is that "the route to the VRF regarding the connection destination that may be accessed simultaneously from VPN _i is different". It becomes the condition. In other words, “a terminal that can be used as a communication partner in the VPN in a time zone that overlaps with a time zone in which the connection between VPNs is used for identifying a terminal under the other VPN as a communication partner in the VPN. It must be determined so as to be unique among the above.

When expressed using the above variables, equation (1-5) is obtained. That is, for example, the destination that may be accessed simultaneously by VPN _i is a VPN _j and VPN _k, via VRF _m and VPN _j, also the connection between the VPN via VRFn the VPN _k ( m ≠ n). Then, in VPN _i , since the address of the connection destination VPN _j is the expression (1-6) and the address of the connection destination VPN _k is the expression (1-7), the above expression (1-5) Indicates that it must be determined to be unique.

Further, considering “(2) that routing is possible from the VPN side”, the condition of (2) is that “the route to the VPN that may simultaneously access VRF _m is different”. It becomes a condition. In other words, “the address for identifying the terminals under each VPN belonging to the connection between VPNs within the wide area network is controlled as the connection between VPNs in a time zone overlapping with the time zone in which the connection between VPNs is used. It must be determined to be unique among terminals that can be performed.

When expressed using the above variables, equation (1-8) is obtained. That is, for example, it is assumed that VPNs that may simultaneously access VRF _m are VPN _i and VPN _j (i ≠ j). Then, in VRF _m , the address for identifying VPN _i is the expression (1-9), and the address for identifying VPN _j is the expression (1-10). Therefore, the above expression (1-8) Indicates that they must be determined to be unique.

  Here, it should be noted that the expression (1-5) uniquely determines an address between different VRFs, while the expression (1-8) uniquely addresses within each VRF. It is a point that represents the determination. Eventually, in order to satisfy the expressions (1-5) and (1-8), it is necessary to satisfy “there is no duplication of addresses among all VRFs that may be accessed simultaneously” (1 ) And (2) are not independent conditions.

For example, if the VRF (group) that VPN ₁ may access at the same time and the VRF (group) that VPN ₂ may access at the same time overlap, VPN ₁ and VPN ₂ will access simultaneously In the VRF (s) that may be, the conditions of (1) and (2) cannot be considered completely independent.

  In addition, in the on-demand inter-VPN connection service, the VRF repeatedly generates and disappears in a timely manner. For this reason, for example, when there are a plurality of VRFs that may be accessed at the same time, or when a new VPN must be accommodated retroactively with respect to a VRF to which an address has already been assigned, etc. Addresses must be managed on the time axis, including the generation and disappearance of VRFs, making it difficult to manage addresses. Furthermore, if the number of VRFs that can be accessed at the same time becomes enormous, addresses may be depleted, and addresses may not be assigned.

[Address determination method using Twice-NAT]
Next, Twice-NAT used in the second embodiment will be described. FIG. 7 is a diagram for explaining an address determination method using Twice-NAT. With reference to FIG. 7, variables used in the following description are defined. “VPN _i ” is the VPN name, i = 1, 2, 3,. “A _i ” is an in-base address used inside VPN _i . “VRF _m ” is a virtual router name, and m = 1, 2, 3,. Expression (2-1) is an operator representing address conversion from VPN _i to VRF _m . Expression (2-2) is an operator representing address conversion from VRF _m to VPN _j . Further, from the definition, equation (2-3) is established, and therefore equation (2-4) is established.

Then, the base address a _i of VPN _i is converted to the expression (2-5) when the address is converted for VRF _m . On the other hand, the site in the address a _j of VPN _j becomes When address translation for VRF _m and (2-6) below. That is, as illustrated in FIG. 7, in VRF _m , an address for identifying VPN _i is an expression (2-5), and an address for identifying VPN _j is an expression (2-6). Further, in VPN _i , an address for identifying VPN _j as a connection destination is represented by equation (2-7) obtained by further performing address conversion from VRF _m to VPN _{i in} equation (2-6). On the other hand, in VPN _j , an address for identifying VPN _i as a connection destination is represented by equation (2-8) obtained by further performing address conversion from VRF _m to VPN _{j in the} equation (2-5).

For example, when the packet to the VPN _j from VPN _i shown in FIG. 7 is transmitted, packets, via the VRF _m, is transmitted as _{VPN i → VRF m → VPN j} . Here, when using Twice-NAT for address conversion, the NAT device converts the source address and the destination address. For this reason, the combination of {source address, destination address} is expressed by equation (2-9) in each area in VPN _i , VRF _m , and VPN _j by address conversion. Note that i ≠ j.

  As with the conditions when using Single-NAT, the addresses are two types: “(1 ′) routing is possible from the VPN side” and “(2 ′) routing is possible from the VRF side”. Must be determined to meet the conditions.

Examining “(1 ′) that routing is possible from the VPN side”, the condition of (1 ′) is the same as the condition when using Single-NAT, that is, “the possibility of simultaneous access from VPN _i. The condition is that the route to the VRF for a certain connection destination is different. In other words, “a terminal that can be used as a communication partner in the VPN in a time zone that overlaps with a time zone in which the connection between VPNs is used for identifying a terminal under the other VPN as a communication partner in the VPN. It must be determined so as to be unique among the above.

When expressed using the above variables, equation (2-10) is obtained. That is, for example, the destination that may be accessed simultaneously by VPN _i is a VPN _j and VPN _k, via VRF _m and VPN _j, also the connection between the VPN via VRFn the VPN _k ( m ≠ n). Then, in VPN _i , the address for identifying the connection destination VPN _j is the equation (2-11), and the address for identifying the connection destination VPN _k is the equation (2-12). The expression −10) represents that these must be determined to be unique.

Also, considering “(2 ′) that routing is possible from the VRF side”, the condition of (2 ′) is the same as the condition when using Single-NAT, that is, “VRF _m can be accessed simultaneously. It is a condition that the route to the VPN having a characteristic is different. In other words, “the address for identifying the terminals under each VPN belonging to the connection between VPNs within the wide area network is controlled as the connection between VPNs in a time zone overlapping with the time zone in which the connection between VPNs is used. It must be determined to be unique among terminals that can be performed.

When expressed using the above variables, the expression (2-13) is obtained as in the case of using Single-NAT. That is, for example, it is assumed that VPNs that may simultaneously access VRF _m are VPN _i and VPN _j (i ≠ j). Then, in VRF _m , the address for identifying VPN _i is the expression (2-14) and the address for identifying VPN _j is the expression (2-15). Therefore, the above expression (2-13) Indicates that they must be determined to be unique.

  Here, it should be noted that the expression (2-10) uniquely determines an address in each VPN, and the expression (2-13) uniquely specifies an address in each VRF. This represents that the condition of the expression (2-10) and the condition of the expression (2-13) are independent conditions. That is, when using Twice-NAT for address translation, the NAT device translates the source address and the destination address, so the NAT side is the boundary and the address system on the base side and the address system on the wide area network side are separated. Can be independent. As a result, the condition (1 ′) and the condition (2 ′) are independent conditions. Therefore, for example, the address system on the base side can be set to IP (Internet Protocol) v4, and the address system on the wide area network side can be set to IPv6.

For this reason, for example, if the VRF (group) that VPN ₁ may access simultaneously and the VRF (group) that VPN ₂ may access simultaneously partially overlap, VPN ₁ and In the VRF (s) that VPN ₂ may access at the same time, the condition (1 ′) and the condition (2 ′) can be considered completely independently. In addition, when a set of VPNs simultaneously accesses different VRFs (multiple belongings), from one of the VPNs, one VPN is connected to one terminal under the other VPN that is the connection target. Different addresses are associated with each other depending on the difference in VRF.

  In addition, in an on-demand inter-VPN connection service, VRFs are repeatedly generated and extinguished in a timely manner, but it is not necessary to consider consistency between VRFs that may access a plurality at the same time, making it difficult to manage addresses. It also eliminates the possibility of running out of addresses.

[Flow chart of address determination method]
Next, a flowchart of the address determination method described above will be described with reference to FIG. FIG. 8 is a flowchart illustrating the processing procedure of the address determination method according to the second embodiment. Between the times t1 to t2, it will be described using an example for accommodating the VPN _j to VRF _m.

  As described above, the condition (2 ′) is a condition determined by each VRF. For this reason, when a new VRF is constructed, it is always possible to pay out an address. On the other hand, when a VPN is newly accommodated in a VRF that has already been constructed, the address can be paid out only when there is an empty address. For this reason, as illustrated in FIG. 8, the address determination device first determines whether or not a new VRF is to be constructed (step S11).

When constructing a new VRF (Yes at Step S11), the address determination device determines an address (3-1) expression for identifying the connection destination VPN _j using VRF _m (Step S12).

Subsequently, the address determination apparatus has an expression (3-3) that satisfies the expression (3-2) in another VPN _i (i ≠ j) accommodated in the VRF _m between the times t1 and t2. It is determined whether to do (step S13).

  If it is determined that it exists (Yes at Step S13), it can be paid out (Step S14), and therefore the address determination device determines Expression (3-3) (Step S15). On the other hand, when it is determined that it does not exist (No at Step S13), since the payout is impossible (Step S16), the address determination device makes an error response (Step S17).

On the other hand, when a new VPN is accommodated in the already constructed VRF in step S11 (No in step S11), the address determination device performs (3-4) in the VRF _m between times t1 and t2. It is determined whether there is an expression (3-5) that satisfies the expression (step S18).

If it is determined that it exists (Yes at Step S18), the address determination device then (3−3) inside another VPN _i (i ≠ j) accommodated in the VRF _m during the time t1 to t2. 6) It is determined whether there is an expression (3-7) that satisfies the expression (step S19).

Then, if it is determined that it exists (Yes at Step S19), it can be paid out (Step S20), so the address determination device determines Expressions (3-8) and (3-9) (Step S21). . On the other hand, if it is determined in step S18 that it does not exist (No in step S18) and if it is determined in step S19 that it does not exist (No in step S19), the payout is impossible (step S22). Then, an error response is made (step S23).

  As described above, the condition (1 ′) and the condition (2 ′) can be examined independently, independently and independently, so that the algorithm for determining the address is simplified.

[Specific example of address determination method]
Next, a specific example of the address determination method will be described with reference to FIGS. 9 and 10 are diagrams for explaining a specific example of the address determination method, and FIG. 11 is a diagram for explaining the concept of address determination. First, as illustrated in FIG. 9, “Company A” is a base belonging to “VPN1”, and already uses the inter-VPN connection service. Further, “Company A” has already registered the in-base address in the inter-VPN connection management system when contracting for the inter-VPN connection service. This is because the inter-VPN connection management system allocates addresses that are not used in “Company A” among the addresses that can be used by “Company A” for connection between VPNs. That is, the in-site address is a private address used by “Company A” and is already used by “Company A” or managed as a private address that may be used in the future. Is. Since the in-site address is a private address arbitrarily used in each base, there is a possibility of overlapping between the bases.

  “VPN1” is connected to virtual routers “VRF1” and “VRF2”. In the virtual router “VRF1”, two VPNs are connected in addition to “VPN1”, and in the virtual router “VRF2”, three VPNs are connected in addition to “VPN1”.

  “Company A” is connected to “VRF1” and “VRF2” via “VPN1”. At this time, the routing table of “VPN terminating device 1” describes the routing information of 2 routes for “VRF1” and 3 routes for “VRF2”. In addition, private addresses that “Company A” does not use in-house are used. Since the private address used by “Company A” is registered in advance, the inter-VPN connection management system can obtain an unused private address using this registered content. In order for the “VPN termination device 1” to perform routing to each VRF, these five routes need to be independent.

  “Company A” adds a new virtual router (“VRF3”). In addition to “VPN1”, one VPN is connected to “VRF3”. Therefore, one route is added from “VPN terminating device 1” of “Company A” to “VRF3”. One route to be added must be assigned an address that satisfies both of the following conditions.

  That is, (1) a private address that is not used in “Company A”, and (2) a private address that is not used as a route for the VRF. This time, other than the two routes for “VRF1” and the three routes for “VRF2” are targeted. Here, a in FIG. 10 shows the entire address that can be used by “Company A”. Further, b in FIG. 10 shows a private address used in “Company A”, and is a private address used in “Company A” regardless of the use of the inter-VPN connection system. Further, c in FIG. 10 shows a private address used as a route for the VRF, which is a private address that has already been issued (or reserved) to the “Company A” by the VPN connection management system for the VPN connection system. . If there is no address that can satisfy the above two conditions (d (= a− (b + c) in FIG. 10), a new address cannot be assigned, and the inter-VPN connection management system returns an error response indicating that it cannot be issued. Etc.

  The inter-VPN connection management system searches for and determines an address that has not yet been reserved for using the inter-VPN connection service and that is not in use. That is, the address space is a one-dimensional quantity. Accordingly, as illustrated in FIG. 11, the inter-VPN connection management system searches for an address that has not yet been reserved in the reservation time zone, and uses the searched address for the inter-VPN connection service in the reservation time zone. Determine as the address.

  For example, referring to FIG. 11, when a reservation for an inter-VPN connection service is accepted, one VPN has a 24-bit address mask with a subnet mask of t1 to t1 ′ (one route is connected). It is assumed that one other VPN is reserved). Further, it is assumed that two 24-bit subnet mask address bands (two other VPNs as connection destinations for two routes) are reserved in the time period from t2 to t2 ′. Further, it is assumed that one subnet mask 24-bit address band (one route and one other VPN as a connection destination is reserved) is reserved in the time period from t3 to t3 ′. In FIG. 11, the already reserved address band is indicated by a solid line.

  Here, it is assumed that for the new reservation, it is necessary to pay out address bands for three routes in the time period from t4 to t4 ′. Then, as shown in FIG. 11, the inter-VPN connection management system uses three subnet mask 24-bit address bands that have not been reserved for the time period t4 to t4 ′ as the VPN in the time period t4 to t4 ′. It is determined as an address for using the inter-connection service. In FIG. 11, an address band for a new reservation is indicated by a dotted line.

  As described below, the inter-VPN connection management system 100 according to the second embodiment manages the entire private address as an address that can be used for the inter-VPN connection service. The inter-VPN connection management system 100 searches for an already reserved address on the time axis, and is an address other than the address searched as an already reserved address out of all private addresses, Addresses other than the private addresses used in the above and addresses assigned for the interface of each device are determined as new payout addresses.

  For example, the inter-VPN connection management system 100 stores the information for identifying the inter-VPN connection, the information for identifying the VPN belonging to the inter-VPN connection, and the already reserved address in the storage unit, and stores them in the storage unit. The entire address, the private address used in the base, and the address assigned for the interface of each device may be stored in the storage unit. When the inter-VPN connection management system 100 receives an inter-VPN connection request for requesting an inter-VPN connection, the inter-VPN connection management system 100 searches this storage unit to determine a new payout address. Further, at this time, the inter-VPN connection management system 100 determines, from among the private addresses, for example, an empty address in ascending order of addresses, or an empty address in descending order, or randomly determined. Can do. Further, the address is not limited to the subnet mask of 24 bits, and for example, an address of the subnet mask of 32 bits may be issued. That is, there is no restriction on the subnet mask.

[Setting example of address translation information and routing information in the second embodiment]
Next, an example of setting address translation information and routing information in the second embodiment will be described with reference to FIGS. 12 to 15 are diagrams for explaining an example of setting address translation information and routing information in the second embodiment. Note that the following description is specific to the address determined by the inter-VPN connection management system 100 by examining which device and how the address of a packet sent from a certain terminal to a certain terminal is converted. This will be explained using various values. Therefore, the following description does not necessarily indicate the order of processing or the order of setting.

  First, an assumed network configuration will be described with reference to FIG. As illustrated in FIG. 12, by providing a service for connecting the terminal α of the base “Company A” and the terminal β of the base “B” with the VPN, the bases “Company A” and “Company B” A case where a collaborative space is provided is assumed. As illustrated in FIG. 12, the connection destination ID of the site “Company A” is “UserA-Office”, and the in-site address of the terminal α is “192.168.1.10/24”. Further, the connection destination ID of the site “Company B” is “UserB-Office”, and the in-site address of the terminal β is “192.168.1.10/24”.

  Here, since the in-base address is a private address arbitrarily used in each base, there is a possibility that the base addresses overlap. For example, as illustrated in FIG. 12, the base address “192.168.1.10/24” of the terminal α and the base address “192.168.1.10/24” of the terminal β Are duplicated, and addresses within the site are duplicated. As will be described below, the inter-VPN connection management system determines and pays out an address so that the in-base address is used as it is at the base.

  As illustrated in FIG. 12, the base “Company A” is accommodated in “VPN terminating device 1”, and the base “Company B” is accommodated in “VPN terminating device 2”. Further, as illustrated in FIG. 12, “VPN termination device 1” and “VPN termination device 2” are accommodated in “aggregate virtual router 1”. Further, as illustrated in FIG. 12, the NAT device installed between “VPN termination device 1” and “aggregation virtual router 1” is “NAT device 1”, and “VPN termination device 2” and “aggregation”. The NAT device installed between “virtual router 1” is “NAT device 2”. Further, as illustrated in FIG. 13, the “aggregate virtual router 1” includes a virtual router (““ Company A ”) and a terminal“ B ”at the base“ Company B ”in order to connect between the VPNs. vrf1)) is constructed.

  Here, in the NAT device, address conversion by Twice-NAT is performed. Specifically, the NAT device converts both the source address and the destination address. For this reason, the addresses of the base “Company A”, the base “B company”, and the virtual router (“vrf1”) are not notified to other areas and are used only in each area, and are unique in each area. Addresses can be assigned. In order to satisfy the routing condition, an address other than the in-base address is used as a conversion address. The address conversion can be performed in units of addresses or in units of subnets. However, in the following, description will be made assuming address unit conversion.

  Note that since the address set in the virtual router is not notified to the user base such as the base “Company A” or “Company B” or other virtual routers, a unique address system can be used. For this reason, an IPv6 address may be used.

  The processing outline of the inter-VPN connection management system 100 according to the second embodiment will be described. The inter-VPN connection management system 100 includes: (1) a terminal α at the base “Company A” and a terminal β at the base “Company B”. (2) A virtual router for connecting the terminal α and the terminal β between the VPNs is constructed in the “aggregate virtual router 1”, and (3) the terminal α and the terminal are connected to each other. Address conversion information for address conversion performed in communication with β is generated. (4) Based on the generated address conversion information, each device (“aggregate virtual router 1”, “VPN termination device 1”, “ Routing information to be set in the VPN termination device 2 ”,“ NAT device 1 ”,“ NAT device 2 ”), and (5) setting for each device by the time when the inter-VPN connection service is started (“ collective virtual router 1 ”). 』、 Routing information setting for VPN termination device 1 ”,“ VPN termination device 2 ”,“ NAT device 1 ”,“ NAT device 2 ”, and address conversion information setting for“ NAT device 1 ”and“ NAT device 2 ”) (6) When the time for ending the inter-VPN connection service is reached, the settings made for each device are deleted. Note that not all the processes (1) to (6) must be executed, and (1) to (6) do not necessarily define the order of the processes.

  The generation of the address translation information (3) will be further described. The inter-VPN connection management system 100 (particularly, the address determination device) uses an address for identifying a terminal under another base serving as a communication partner at the base, and a terminal under each base belonging to the inter-VPN connection as a collective virtual router. Address for identification is determined, and address translation information is generated.

  For example, when focusing on the site “Company A” in FIG. 12, “the address for identifying the terminal under the other site as the communication partner at the site” is an address for identifying the terminal β. Therefore, the inter-VPN connection management system 100 determines an address (hereinafter, “first address of the terminal β”) for identifying the terminal β.

  For example, when focusing on the base “Company B” in FIG. 12, “an address for identifying a terminal under another base serving as a communication partner at the base” is an address for identifying the terminal α. . Therefore, the inter-VPN connection management system 100 determines an address for identifying the terminal α (hereinafter, “first address of the terminal α”).

  On the other hand, “the address for identifying the terminal under each base belonging to the connection between VPNs by the collective virtual router” is an address for identifying the terminal α and an address for identifying the terminal β. Accordingly, the inter-VPN connection management system 100 has an address for identifying the terminal α (hereinafter “second address of the terminal α”) and an address for identifying the terminal β (hereinafter “second address of the terminal β”). decide. Subsequently, the inter-VPN connection management system 100 generates address translation information. When addressing the “NAT device 1”, the address conversion information includes conversion between the in-base address of the terminal α and the second address of the terminal α, and the first address of the terminal β and the second address of the terminal β. Specifies the conversion between. When attention is paid to “NAT device 2”, conversion between the in-base address of the terminal β and the second address of the terminal β, and between the first address of the terminal α and the second address of the terminal α Specify conversion.

  Such address translation information is generated, the generated address translation information is set in each NAT device, each NAT device performs address translation according to the set address translation information, and each VPN termination device or virtual router Communication between the terminal α and the terminal β is realized by transferring the packet according to the set routing information. Hereinafter, description will be made while paying attention to how packet address translation is performed in the NAT device.

  As illustrated in FIG. 13, the inter-VPN connection management system 100 collects a virtual router “vrf1” for connecting the terminal α of the base “company A” and the terminal β of the base “company B” between the VPNs. Assume that the virtual router 1 is constructed.

  With reference to FIG. 13, the communication from “terminal α” to “terminal β” is considered as an example. The packet transmitted by “terminal α” is “VPN terminating device 1” → “NAT device 1” → “virtual router (vrf1)” → “NAT device 2” → “VPN terminating device 2” → “terminal β”. Address conversion is performed in each of “NAT device 1” and “NAT device 2”. For this reason, the address of “terminal α” seen from “terminal β” is the address after performing address conversion twice. Similarly, the address of “terminal β” seen from “terminal α” is also the address after performing address conversion twice. On the other hand, in the virtual router, since it has just passed either “NAT device 1” or “NAT device 2”, the address is converted once.

  Considering communication to “NAT device 1”, “terminal α” (192.168.1.10/24) transmits a packet to “terminal β”. Here, a private address that is not used in “Company A” needs to be assigned to the first address of “terminal β”. This is because “VPN termination device 1” needs to route to the virtual router “vrf1” side. Therefore, here, the first address of “terminal β” (the address of “terminal β” as seen from “terminal α”) is “172.16.2.10/24”.

  The “NAT device 1” converts the address on the user “Company A” side into the address on the virtual router “vrf1” side. Since Twice-NAT is used, the address on the virtual router side is not notified to the user side as it is. The address on the virtual router side only needs to be in a state where routing is possible in each virtual router. Note that addresses cannot be duplicated within the same virtual router. Therefore, here, as the address on the virtual router “vrf1” side, the second address of “terminal α” is “10.0.10 / 24”, and the second address of “terminal β” is “10.0. 2.10 / 24 ". That is, the in-base address “192.168.1.10/24” of “terminal α” as the transmission source is converted to the second address “10.0.10.10/24” of “terminal α”, The first address “172.16.2.10/24” of the destination “terminal β” is converted to the second address “10.2.10 / 24” of “terminal β”.

  Next, the packet converted to the address (second address) on the virtual router “vrf1” side is routed in the virtual router “vrf1”. Then, the packet addressed to “terminal β” is transferred to “NAT device 2”. The packet addressed to “terminal β” that has arrived at “NAT device 2” undergoes second address translation. That is, the second address “10.2.10 / 24” of the destination “terminal β” is converted into the base address “192.168.1.10/24” of “terminal β”.

  On the other hand, the transmission source address (second address of “terminal α”) is converted to the address of “terminal α” as viewed from “terminal β” (first address of “terminal α” at the base “company B”). . The first address of this “terminal α” is determined based on the same concept as that assigned to “terminal β” in “Company A”. For example, the first address of “terminal α” is “172.16.1.10/24”. Then, the second address “10.0.10.10/24” of “terminal α” as the transmission source is converted to the first address “172.16.1.10/24” of “terminal α”, As a result of such address conversion, the packet transmitted by “terminal α” is transmitted to “terminal β”. When “terminal β” sends a packet addressed to “172.16.1.10/24”, the packet is transmitted to “terminal α”.

  The inter-VPN connection management system manages the address conversion tables of all NAT devices belonging to itself, but transmits only the corresponding address conversion table to each NAT device. The inter-VPN connection management system provides only necessary information to the virtual router. That is, the inter-VPN connection management system transmits only the address of the terminal used in the virtual router “vrf1” to the collective virtual router (for example, “terminal α” = 10.0.10.10, “ Information that terminal β ”= 10.0.2.10.

  Next, an example of additionally accommodating a VPN in an existing virtual router will be described with reference to FIGS. 14 and 15. Assume that “Company C” is added to the virtual router “vrf1” as illustrated in FIG. Note that “Company C” already has “terminal δ” (192.168.1.20/24) connected to the virtual router “vrf2” using “VPN3”. This time, “terminal γ” (192.168.1.10/24) is additionally connected to the virtual router “vrf1”.

  Similarly, the processing outline of the inter-VPN connection management system 100 according to the second embodiment will be described. The inter-VPN connection management system 100 includes: (1) the terminal “γ” of the site “Company C” and the terminal α of the site “Company A”. And an inter-VPN connection request requesting to be added to the inter-VPN connection with the terminal β of the site “Company B”, and (2) an address for address conversion performed in the communication between the terminal α and the terminal γ Generate translation information and address translation information for address translation performed in communication between the terminal β and the terminal γ. (3) Based on the generated address translation information, each device (“collective virtual router 1”) , “VPN termination device 3”, “NAT device 3”) are generated, and (4) the settings (“aggregate virtual router 1”, “VP” are set for each device by the time when the inter-VPN connection service starts. Routing information setting for "Termination device 1", "VPN termination device 2", "VPN termination device 3", "NAT device 1", "NAT device 2", "NAT device 3", "NAT device 1", "NAT Device 2 ”and“ NAT device 3 ”), and (5) the settings made for each device are deleted when it is time to terminate the inter-VPN connection service. Note that not all the processes (1) to (5) must be executed, and (1) to (5) do not necessarily define the order of the processes.

  The generation of the address translation information (2) will be further described. The inter-VPN connection management system 100 (particularly, the address determination device) uses an address for identifying a terminal under another base serving as a communication partner at the base, and a terminal under each base belonging to the inter-VPN connection as a collective virtual router. The address to be identified is determined, and address conversion information is generated.

  For example, when focusing on the site “Company C” in FIG. 14, the “address for identifying the terminal under the other site as the communication partner at the site” is an address for identifying the terminal α and the terminal β. is there. Accordingly, the inter-VPN connection management system 100 has an address for identifying the terminal α (“first address of the terminal α at company C”) and an address for identifying the terminal β (hereinafter referred to as “the terminal β of the terminal β at company C”). One address ").

  Further, for example, when focusing on the site “Company A” in FIG. 14, the address to be newly added as the “address for identifying the terminal under the other site as the communication partner” identifies the terminal γ. It is an address to do. Accordingly, the inter-VPN connection management system 100 determines an address (“first address of the terminal γ at Company A”) for identifying the terminal γ at the base “Company A”.

  Further, for example, when focusing on the base “Company B” in FIG. 14, the address to be newly added as the “address for identifying the terminal under the other base as the communication partner” identifies the terminal γ. It is an address to do. Therefore, the inter-VPN connection management system 100 determines an address (“first address of the terminal γ at company B”) for identifying the terminal γ at the base “company B”.

  On the other hand, an address for identifying the terminal γ (second address of the terminal γ) is newly added as “an address for identifying the terminal under each base belonging to the connection between VPNs by the collective virtual router”. Since “terminal γ” is not yet managed in the virtual router “vrf1”, an address is newly assigned. As an address condition to be allocated, any address that is not used in the virtual router “vrf1” may be used. The base “Company C” is connected to a plurality of virtual routers, but the address in each virtual router is not notified to the base and other virtual routers, so there is no problem unless they are duplicated in the same virtual router. Because. Therefore, here, the second address of “terminal γ” is assumed to be “10.3.10 / 24”.

  Subsequently, the inter-VPN connection management system 100 generates address translation information. When addressing the “NAT device 3”, the address conversion information is the conversion between the base address of the terminal γ and the second address of the terminal γ, the first address of the terminal α and the second address of the terminal α in C And the conversion between the first address of terminal β and the second address of terminal β in C. When attention is paid to “NAT device 1”, the conversion between the first address of terminal γ and the second address of terminal γ in company A is further defined. When attention is paid to “NAT device 2”, the conversion between the first address of terminal γ and the second address of terminal γ in company B is further defined.

  Such address translation information is generated, the generated address translation information is set in each NAT device, each NAT device performs address translation according to the set address translation information, and each VPN termination device or virtual router By transferring the packet according to the set routing information, communication between the terminal α and the terminal γ and communication between the terminal β and the terminal γ are realized. Hereinafter, description will be made while paying attention to how packet address translation is performed in the NAT device.

  Using FIG. 15, the communication from “terminal γ” to “terminal α” will be considered as an example. The packet transmitted by “terminal γ” is “VPN terminating device 3” → “NAT device 3” → “virtual router (vrf1)” → “NAT device 1” → “VPN terminating device 1” → “terminal α”. The address conversion is performed in each of “NAT device 3” and “NAT device 1”. For this reason, the address of “terminal γ” seen from “terminal α” is the address after performing address conversion twice. Note that the address of “terminal α” seen from “terminal γ” is also the address after performing address conversion twice. On the other hand, in the virtual router, since it has just passed either “NAT device 3” or “NAT device 1”, the address is converted once.

  Considering communication to “NAT device 3”, “terminal γ” (192.168.1.10/24) sends a packet to “terminal α”. Here, it is necessary to assign a private address not used in “Company C” to the first address of “terminal α”. In “Company C”, “Terminal δ” is already communicating with “Company D” via the virtual router “vrf2”, and is not used in “Company C” for communication with “Company D”. You are using a private address. Therefore, as the first address assigned to “terminal α”, an address that is not used in “C company” and is not assigned for communication with “D company” is selected. This is because the “VPN termination device 3” needs to route to the virtual router “vrf1” side, and to distinguish which virtual router to route. Therefore, here, the first address of “terminal α” (the address of “terminal α” as seen from “terminal γ”) is “172.16.1.10/24” (for communication with “Company D”). The assigned address is “172.16.4.10/24”).

  The “NAT device 3” converts the address on the user “Company C” side into the address on the virtual router “vrf1” side. That is, the in-base address “192.168.1.10/24” of “terminal γ” as the transmission source is converted into the second address “10.3.10 / 24” of “terminal γ”, The first address “172.16.1.10/24” of the destination “terminal α” is converted to the second address “10.1.10.10/24” of “terminal α”.

  Next, the packet converted to the address (second address) on the virtual router “vrf1” side is routed in the virtual router “vrf1”. Then, the packet addressed to “terminal α” is transferred to “NAT device 1”. The packet addressed to “terminal α” that has arrived at “NAT device 1” undergoes second address translation. That is, the second address “10.1.10 / 24” of the destination “terminal α” is converted to the in-base address “192.168.1.10/24” of “terminal α”.

  On the other hand, the transmission source address (second address of “terminal γ”) is converted to the address of “terminal γ” as viewed from “terminal α” (the first address of “terminal γ” at the base “Company A”). . For example, the first address of “terminal γ” is “172.16.3.10/24”. Then, the second address “10.3.10 / 24” of “terminal γ” as the transmission source is converted to the first address “172.16.3.10/24” of “terminal γ”, As a result of such address conversion, the packet transmitted by “terminal γ” is transmitted to “terminal α”. When “terminal α” sends a packet addressed to “172.16.3.10/24”, the packet is transmitted to “terminal γ”.

[Configuration of a VPN management system according to the second embodiment]
Next, the configuration of the inter-VPN connection management system 100 according to the second embodiment will be described. Note that the inter-VPN connection management system 100 according to the second embodiment reserves in advance a certain amount of addresses to be allocated to the interfaces of the respective devices, and each device is determined when the conversion address is determined. The address set for the interface is also specifically determined. Therefore, in the second embodiment, the conversion address is determined so as not to overlap with an address reserved in advance as an address to be assigned to the interface of each device. Note that the present invention is not limited to this method, and if the address set in the interface of each device is not reserved in advance and is dynamically selected and determined each time, the inter-VPN connection management system 100 When determining the conversion address, make sure that it does not overlap with the address reserved for the interface of each device, or the address set for each device interface (the address in use). do it. First, an address assigned to the interface of each device in the second embodiment will be described with reference to FIG. FIG. 16 is a diagram for explaining addresses assigned to interfaces of devices in the second embodiment.

  First, as the interface address of the virtual router “vrf1”, “10.0.10.97” (“NAT device 1” side) and “10.0.20.97” (“NAT device 2” side) Is used. As the interface address of “NAT device 1”, “10.0.10.98” (virtual router “vrf1” side) and “192.168.3.2” (“VPN termination device 1” side) ) Is used. As the interface address of “VPN terminating device 1”, “192.168.3.1” (“NAT device 1” side) and “192.168.2.1” (“Company A” side) Is used.

  On the other hand, as the interface address of “NAT device 2”, “10.0.20.98” (virtual router “vrf1” side) and “192.168.3.2” (“VPN termination device 2” side) ) Is used. As the interface address of “VPN terminating device 2”, “192.168.3.1” (“NAT device 1” side) and “192.168.2.1” (“Company B” side) Is used.

  FIG. 17 is a block diagram illustrating the configuration of the inter-VPN connection management system 100 according to the second embodiment. As illustrated in FIG. 17, the inter-VPN connection management system 100 according to the second embodiment includes a communication unit 110, an input unit 111, an output unit 112, an input / output control I / F unit 113, and a storage unit 120. And a control unit 130. The address determination device illustrated in FIG. 5 corresponds to a conversion address determination unit 133 and an address conversion information setting unit 134 which will be described later.

  The communication unit 110 is, for example, a general interface for IP communication, and performs communication between a VPN termination device, a NAT device, and a collective virtual router that are targets for setting address translation information and routing information. Note that the inter-VPN connection management system 100 can also communicate with other management terminals, user Web servers, and the like via the communication unit 110, and from other management terminals, user Web servers, and the like. An inter-VPN connection request can also be received.

  The input unit 111 is, for example, a keyboard or a mouse, and receives input of various operations. In the second embodiment, for example, the input unit 111 receives an input of a connection request between VPNs using a keyboard or a mouse. The output unit 112 is a display, for example, and outputs information for various operations. In the second embodiment, the output unit 112 outputs, for example, an input screen for an inter-VPN connection request. The input / output control I / F (Interface) unit 113 controls input / output among the input unit 111, the output unit 112, the storage unit 120, and the control unit 130. The inter-VPN connection management system 100 does not necessarily include the input unit 111 and the output unit 112. For example, the inter-VPN connection management system 100 communicates with other management terminals and user web servers via the communication unit 110 for input / output. Such information may be transmitted and received.

  The storage unit 120 is, for example, a semiconductor memory device such as a random access memory (RAM), a read only memory (ROM), or a flash memory, a hard disk, an optical disk, and the like, and stores various types of information. Specifically, as illustrated in FIG. 17, the storage unit 120 includes an inter-VPN connection information storage unit 121, a setting pattern storage unit 122, an inter-VPN connection request storage unit 123, and an address conversion information storage unit 124. A routing information storage unit 125, an attachment storage unit 126, and a device information storage unit 127.

  The inter-VPN connection information storage unit 121 stores inter-VPN connection information. Here, the inter-VPN connection information includes information for identifying a base, and information for identifying a VPN terminating device, a NAT device, and a collective virtual router that accommodate the base. The VPN connection information also includes other information necessary for creating address translation information and routing information. The inter-VPN connection information storage unit 121 stores the inter-VPN connection information in advance, for example, by being input to the user of the inter-VPN connection management system 100. Further, the inter-VPN connection information stored in the inter-VPN connection information storage unit 121 is used for processing by the virtual router construction unit 132, the translation address determination unit 133, and the routing information generation unit 135, which will be described later. Note that the “users” of the inter-VPN connection management system 100 include operators such as telecommunications carriers and managers such as information system departments in the company. That is, in the following, “operator” means a person in charge of the operation of the inter-VPN connection service, and “manager” means a network administrator who manages the internal network of the base on the company side, for example. Used as

  FIG. 18 is a diagram for explaining the inter-VPN connection information storage unit 121. As illustrated in FIG. 18, for example, the inter-VPN connection information storage unit 121 stores the identification information of the aggregate virtual router and the identification information of the setting pattern of the aggregate virtual router in association with each other as the VPN connection information. For example, the collective virtual router identification information “collective virtual router 1” and the collective virtual router setting pattern identification information “VR-P1” are stored in association with each other. The setting pattern of the collective virtual router identified by “aggregate virtual router 1” indicates that the setting pattern is identified by “VR-P1”.

  In the second embodiment, the VPN terminating device and the collective virtual router are associated in advance, and when the VPN terminating device is uniquely specified, the collective virtual router is also uniquely identified. That is, in the second embodiment, one aggregate virtual router physically and a VPN termination device in which one or a plurality of virtual routers are set in this aggregate virtual router have a relationship specified in advance (note that The present invention is not limited to this. For example, a certain VPN termination device can set a virtual router in each of a plurality of aggregate virtual routers). For this reason, for example, the inter-VPN connection information storage unit 121, as illustrated in FIG. 18, has identification information (connection destination ID) for identifying a base (or a user at the base) for each piece of identification information of the collective virtual router. (IDentifier) and terminal name), VPN type used by the site, identification information of the VPN termination device in which the site is accommodated, identification information of the setting pattern of the VPN termination device, identification information of the NAT device, and A list of associations with the base address used is stored.

  The “connection destination ID” is paid out by the operator of the inter-VPN connection management system 100 when the inter-VPN connection service is contracted, for example, and stored in the inter-VPN connection information storage unit 121. Further, the “terminal name” is heard from the user, for example, at the time of contracting the inter-VPN connection service, and stored in the inter-VPN connection information storage unit 121.

  The “VPN type” is heard from the user, for example, when contracting the connection service between VPNs and stored in the connection information storage unit 121 between VPNs. The “VPN termination device” is determined by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The “VPN termination device setting pattern” is determined by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The “NAT device” is determined by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The “intra-base address” is interviewed by the user, for example, at the time of contracting the inter-VPN connection service, and stored in the inter-VPN connection information storage unit 121.

  For example, the connection destination ID “UserA-Office” and the terminal name “α1 @ vpn1. example. co. jp ”, VPN type“ OpenVPN ”, VPN termination device“ VPN termination device 1 ”, VPN termination device setting pattern“ VPN-P1 ”, NAT device“ NAT device 1 ”, in-site address“ 192.168.1.10 ” / 24 ”will be described. First, the base identified by “UserA-Office” (the terminal name of the terminal used for connection between VPNs is “α1@vpn1.example.co.jp”) indicates that “OpenVPN” is used. In addition, the base identified by “UserA-Office” is accommodated in “VPN terminating device 1”, and “VPN-P1” is used for the setting pattern of the VPN terminating device.

  Further, the base identified by “UserA-Office” is accommodated in “NAT device 1”, and the intra-base address “192.168.1.10/24” is used. In the second embodiment, it is assumed that the in-site addresses (private addresses) used in each base overlap each other.

  Returning to FIG. 17, the setting pattern storage unit 122 stores setting patterns of the VPN termination device, the NAT device, and the transfer control device. Specifically, the setting pattern storage unit 122 stores the setting pattern of the VPN termination device in which the setting information to be set in the VPN termination device is standardized according to the type of connection between VPNs. The setting pattern storage unit 122 stores a setting pattern of the collective virtual router in which setting information to be set in the collective virtual router is standardized according to the type of connection between VPNs. In addition, the setting pattern storage unit 122 stores a setting pattern of the NAT device.

  The setting pattern storage unit 122 stores the setting pattern in advance, for example, by being input to the operator of the inter-VPN connection management system 100. The setting pattern stored in the setting pattern storage unit 122 is used for processing by the conversion address determination unit 133 and the routing information generation unit 135, which will be described later.

  FIG. 19 is an example of a setting pattern of the collective virtual router. As illustrated in FIG. 19, for example, the setting pattern storage unit 122 divides the item number for managing each item of the setting pattern as the setting pattern of the collective virtual router and the setting information according to the setting contents. The setting contents, the setting information registration timing, the deletion timing, and the setting contents specifications are stored in association with each other. Of the setting patterns illustrated in FIG. 19, item numbers 1 to 3 are setting information setting patterns, and item number 4 is an option setting information setting pattern. In the second embodiment, when setting information related to an option request is used separately from general setting information, it is referred to as “option setting information”. Although not shown in FIG. 19, the setting pattern storage unit 122 also stores a predetermined command sentence as the setting pattern of the collective virtual router. The setting pattern is identified by setting pattern identification information.

  For example, the line of item number 1 will be described. The setting pattern of the category “virtual router definition” is a setting pattern for defining a “virtual router” that controls packet transfer in a transmission path (VPN) that is virtually constructed based on a connection request between VPNs. The setting content “virtual router name” is the name of the “virtual router” to be set, and it is specified as a specification that it should be set with “half-width alphanumeric characters”. The setting content “virtual router ID” is the ID of the “virtual router” to be set, and should be set in a format in which “16-bit numeric value” and “32-bit numeric value” are connected by “: (colon)”. Is specified as a specification. The specification is defined by, for example, the manufacturer of the corresponding device and is provided to the user of the device. The above is an example, and the present invention is not limited to this. The registration timing “immediately before starting the service” indicates that the information of item number 1 should be reflected in the VPN terminating device immediately before starting the service. Further, the deletion timing “immediately after the end of service” indicates that the information of item number 1 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 2 will be described. The setting pattern of the classification “I / F setting” is an interface setting pattern set in the “virtual router”. The setting content “IP address” is the IP address to be set for the interface. Number. Number. The specification stipulates that numbers should be set in a format in which numbers are separated by periods, such as “numbers”, and that numbers 0 to 255 should be set. In addition, the specification “I / F designation” specifies that the interface designation should be set in the format of “I / F type number / number / number”. In addition, it is specified as a specification that the setting content “belonging virtual router” should specify a virtual router name for setting an interface. The registration timing “immediately before starting the service” indicates that the information of item number 2 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 2 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 3 will be described. The setting pattern of the classification “virtual router unit routing setting” is a setting pattern of routing information set in “virtual router”. The setting contents “routing setting” should specify the name of the virtual router that sets the routing information. The IP address of the routing information is “number. Number. Number. The specification stipulates that numbers should be set in a format in which numbers are separated by periods, such as “numbers”, and that numbers 0 to 255 should be set. The registration timing “immediately before starting the service” indicates that the information of item number 3 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 3 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 4 will be described. The setting pattern of the category “access control” is an access control setting pattern set in the “virtual router”. The setting contents “Filtering (ACL (Access Control List) etc.)”, the IP address is “Number. Number. Number. “Number” should be set in a format in which numbers are separated by periods, numbers should be set to a value of “0-255”, port numbers should be set by numbers, and numbers should be “1 to 65535” The specification stipulates that the value of " The registration timing “immediately before starting the service” indicates that the information of item number 4 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 4 should be deleted from the VPN terminating device immediately after the service ends.

  FIG. 20 is an example of a setting pattern of the VPN termination device. As illustrated in FIG. 20, for example, the setting pattern storage unit 122 includes, as a setting pattern of the VPN termination device, an item number for managing each item of the setting pattern, a classification for classifying the setting information, and setting contents. The setting information registration timing, the deletion timing, and the setting content specification are stored in association with each other. Of the setting patterns illustrated in FIG. 20, item number 1 is a setting information setting pattern, and item number 2 is a setting pattern of option setting information. Although not shown in FIG. 20, the setting pattern storage unit 122 also stores a predetermined command sentence as the setting pattern of the VPN termination device. The setting pattern is identified by setting pattern identification information.

  For example, the line of item number 1 will be described. The setting pattern of the classification “VPN user setting” is a setting pattern related to a user at a base accommodated in the VPN terminating device based on the connection request between VPNs. The setting content “Authentication ID / Password” is the authentication ID and password issued to the user at the site. The specification stipulates that the authentication ID and password should be set using “single-byte alphanumeric characters” of “128 characters or less”. Has been. Other “authentication information” may be used instead of “authentication ID / password”. The registration timing “immediately before starting the service” indicates that the information of item number 1 should be reflected in the VPN terminating device immediately before starting the service. Further, the deletion timing “immediately after the end of service” indicates that the information of item number 1 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 2 will be described. The setting pattern of the category “access control” is an access control setting pattern set in the “VPN termination device”. The setting content “Filtering (ACL, etc.)” indicates that the IP address is “Number. Number. Number. “Number” should be set in a format in which numbers are separated by periods, numbers should be set to a value of “0-255”, port numbers should be set by numbers, and numbers should be “1 to 65535” The specification stipulates that the value of " The registration timing “immediately before starting the service” indicates that the information of item number 2 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 2 should be deleted from the VPN terminating device immediately after the service ends.

  Although not shown, the setting pattern storage unit 122 similarly stores the setting pattern of the NAT device. For example, the setting pattern storage unit 122 stores setting information registration timing, deletion timing, and setting content specifications in association with each other. For example, the IP address is “Number. Number. Number. The specification defines that numbers should be set in the form of numbers separated by periods, such as “numbers”, and that numbers should be set to values “0 to 255”. Further, for example, what is to be reflected in the NAT device “immediately before the start of service” and what is to be deleted from the NAT device “immediately after the end of service” is defined as the specification. The setting pattern storage unit 122 also stores a predetermined command sentence as the setting pattern of the NAT device.

  The above setting patterns are merely examples, and it is considered that the setting contents, the setting information registration timing, the deletion timing, the setting contents specifications, and the like differ depending on the type of connection between VPNs. That is, for example, if the type of connection between VPNs is “L3VPN”, a set of IP addresses of the connection destination between VPNs and the connection source between VPNs, IPsec operation setting information (authentication method and encryption algorithm), pre-secret Items such as shared keys can also be standardized into setting patterns. For example, if the type of connection between VPNs is “L2VPN”, items such as IDs such as L2 between the connection destination between VPNs and the connection source between VPNs may be standardized in the setting pattern. Thus, the setting pattern is appropriately standardized according to the type of connection between VPNs.

  Returning to FIG. 17, the inter-VPN connection request storage unit 123 stores inter-VPN connection request information. The inter-VPN connection request storage unit 123 stores the inter-VPN connection request information by being stored by the inter-VPN connection request receiving unit 131 described later. The inter-VPN connection request information stored in the inter-VPN connection request storage unit 123 is used for processing by the virtual router construction unit 132, the translation address determination unit 133, and the routing information generation unit 135, which will be described later.

  FIG. 21 is a diagram for explaining the inter-VPN connection request storage unit 123. As illustrated in FIG. 21, for example, the inter-VPN connection request storage unit 123 uses the service start time to start the inter-VPN connection service and the service end time to end the inter-VPN connection service as the inter-VPN connection request information. And the virtual router name in which the inter-VPN connection is set and the identification information (terminal name) identifying the base (or the user of the base) accommodated in the inter-VPN connection are stored in association with each other.

  For example, service start time “t1”, service end time “t3”, virtual router name “vrf1”, and terminal name “α1 @ vpn1. example. co. jp "and" β1 @ vpn2. example. co. jp ”in association with each other. From time “t1” to “t3”, “α1 @ vpn1. example. co. jp "and" β1 @ vpn2. example. co. jp ”is connected to the VPN, and the virtual router name to which the connection between the VPNs is set is“ vrf1 ”. For convenience of explanation, the service start time and service end time are described as “t1”, “t3”, etc., for example, “2009/8/21 13:00” indicates a specific date and time. .

  Returning to FIG. 17, the address translation information storage unit 124 stores reservation information and address translation information. Here, the address translation information refers to the user side address and the virtual router so that the user side address and the virtual router side address determined by the translation address determination unit 133 (to be described later) are mutually converted with the NAT device as a boundary. This is conversion information for converting the side address. The user-side address is an in-base address used at a base and an address for identifying a terminal under another base that is a communication partner at the base. The virtual router side address is an address for identifying a terminal under each base belonging to the connection between VPNs in the wide area network.

  The address conversion information storage unit 124 stores reservation information and address conversion information by being stored by a conversion address determination unit 133 described later. The reservation information and address conversion information stored in the address conversion information storage unit 124 are used for processing by the address conversion information setting unit 134.

  FIG. 22 is a diagram for explaining the address conversion information storage unit 124. As illustrated in FIG. 22, for example, the address translation information storage unit 124 stores, as reservation information, a service start time at which an inter-VPN connection service should be started and a service end time at which an inter-VPN connection service should be ended. . The address translation information storage unit 124 stores address translation information in association with the reservation information. For example, the address translation information storage unit 124 stores, as address translation information, a virtual router name that identifies the connection between VPNs and an address translation table set in the NAT device in association with each other.

  For example, the address translation information stored in association with the service start time “t1” and the service end time “t3” is address translation information related to the virtual router identified by the virtual router name “vrf1”.

  In the NAT device 1, the user side address “192.168.1.10” and the virtual router side address “10.0.10.10” are mutually converted, and the user side address “172.16. 2.10 ”and the virtual router side address“ 10.2.10 ”are mutually converted. Here, the user-side address “192.168.1.10” is the intra-site address used at the site, and the user-side address “172.16.2.10” is the communication partner at the site. This is an address for identifying a terminal under another base.

  Further, in the NAT device 2, the user side address “172.16.1.10” and the virtual router side address “10.0.10.10” are mutually converted, and the user side address “192.168 .. 1.10 ”and virtual router side address“ 10.2.10 ”are mutually converted.

  In FIG. 22, only the address translation information related to the virtual router identified by the virtual router name “vrf1” is illustrated. Address translation information about the router is also stored.

  Although not shown in FIG. 22, the address conversion information storage unit 124 also stores the value of the entire private address and an address reserved in advance as an address assigned to the interface of each device.

  That is, as will be described later, the conversion address determination unit 133 according to the second embodiment uses a base address, an already reserved address, and an address other than the currently used address as a new payout address among all private addresses. decide. Therefore, the address conversion information storage unit 124 stores the value of the entire private address as an initial value, so that the conversion address determination unit 133 refers to the address conversion information storage unit 124 and determines the address for conversion. can do.

  As will be described later, the routing information generation unit 135 in the second embodiment assigns an address to be set to the interface of the collective virtual router, an address to be set to the interface of the VPN terminating device, and an address to be set to the interface of the NAT device. The conversion address determination unit 133 must determine a conversion address so as not to overlap with these addresses assigned to the interface of each device. For this reason, the address conversion information storage unit 124 stores an address reserved in advance as an address assigned to the interface of each device, so that the conversion address determination unit 133 refers to the address conversion information storage unit 124. The address for conversion can be determined so as not to overlap with these addresses assigned (or assigned) to the interface of each device.

  Returning to FIG. 17, the routing information storage unit 125 stores reservation information and routing information. The routing information storage unit 125 stores reservation information and routing information by being stored by a virtual router construction unit 132 and a routing information generation unit 135 described later. The reservation information and routing information stored in the routing information storage unit 125 are used for processing by the routing information setting unit 136.

  23 and 24 are diagrams for explaining the routing information storage unit 125. As illustrated in FIG. 23, for example, the routing information storage unit 125 stores, as reservation information, a service start time at which an inter-VPN connection service should be started and a service end time at which an inter-VPN connection service should be ended. Further, the routing information storage unit 125 stores the routing information in association with the reservation information. For example, the routing information storage unit 125 stores setting information (including routing information) set in the collective virtual router in the form of a setting file, and stores setting information set in the VPN termination device in the form of a setting file. , The setting information set in the NAT device is stored in the form of a setting file.

  For example, FIG. 24A illustrates a part of the setting information set in the collective virtual router. For example, FIG. 24B illustrates a part of the setting information set in the VPN termination device. For example, FIG. 24C illustrates a part of setting information set in the NAT device.

  Returning to FIG. 17, the attachment storage unit 126 stores the attachment for each aggregate virtual router, each VPN termination device, and each NAT device. Here, the attachment is a program for reflecting address translation information to the NAT device, a program for reflecting routing information to the VPN terminal device and the collective virtual router, and an address reflected to the NAT device. A program for deleting conversion information, a program for deleting routing information reflected on a VPN terminating device and an aggregate virtual router.

  The attachment includes a communication protocol used between the VPN connection management system 100 and the NAT device, a communication protocol used between the VPN connection management system 100 and the VPN termination device, and an VPN connection management system 100. And a communication protocol used between the collective virtual routers. In general, the communication protocol is a proprietary communication protocol defined by the vendor of the NAT device, the vendor of the VPN termination device, or the vendor of the collective virtual router. The attachment storage unit 126 stores the attachment in advance, for example, by being input to the operator of the inter-VPN connection management system 100. Further, the attachment stored in the attachment storage unit 126 is used for processing by an address conversion information setting unit 134, a routing information setting unit 136, and a deletion unit 137, which will be described later.

  FIG. 25 is a diagram for explaining the attachment storage unit 126. As illustrated in FIG. 25, for example, the attachment storage unit 126 stores device identification information and attachments of the collective virtual router, the VPN terminal device, or the NAT device in association with each other. For example, the reflection attachment specifies an ID / password for logging in to a NAT device, a VPN termination device, or an aggregate virtual router, a path for storing address conversion information and routing information, and converts the address to the specified path. A command for storing information and routing information, a command for restarting the NAT device, the VPN terminal device, and the collective virtual router are described. Note that address translation information and routing information may be reflected by storing and restarting, or reflected by storing. The reflection attachment includes a communication protocol used between the VPN connection management system 100 and the NAT device, a communication protocol used between the VPN connection management system 100 and the VPN termination device, and a VPN setting system. And a communication protocol used between the collective virtual routers.

  Further, for example, in the attachment for deletion, the address conversion information and the routing information from the path storing the ID / password, the address conversion information and the routing information for logging into the NAT device, the VPN terminal device and the collective virtual router And a command for deleting a NAT device, a VPN terminal device, and a collective virtual router are described. The attachment for deletion includes a communication protocol used between the VPN connection management system 100 and the NAT device, a communication protocol used between the VPN connection management system 100 and the VPN termination device, and a VPN setting system. And a communication protocol used between the collective virtual routers.

  Returning to FIG. 17, the device information storage unit 127 stores the VPN terminal device preset information preset in the VPN terminal device and the aggregate virtual router preset information preset in the aggregate virtual router. The device information storage unit 127 stores, in advance, for example, the setting information of the VPN terminating device and the setting information of the collective virtual router in advance by being input to the operator of the inter-VPN connection management system 100. Further, the preset information stored in the device information storage unit 127 is used for processing by the routing information generation unit 135 described later.

  FIG. 26 is a diagram for explaining the pre-configuration information of the collective virtual router. As illustrated in FIG. 26, for example, the device information storage unit 127 stores a host name (or router name) and a password as pre-configuration information of the collective virtual router. “Host name” is the name of the collective virtual router, for example, “jpn100”. The “password” is a password for logging in to the collective virtual router, for example, a password such as “root”.

  FIG. 27 is a diagram for explaining the pre-setting information of the VPN termination device. As illustrated in FIG. 27, for example, the device information storage unit 127 includes a host name (or router name), a password, a VPN termination device ID, a VPN type, and an IP address for the collective virtual router as pre-configuration information of the VPN termination device. The server mode is stored. Although not shown in FIG. 27, the device information storage unit 127 also stores, for example, a server-side standby IP address, a protocol, a port number, and the like as the preset information.

  “Host name” is the name of the VPN termination device, for example, “jpn1”. The “password” is a password for logging in to the VPN terminal device, and is a password such as “root”, for example. The “VPN termination device ID” is an ID for identifying the VPN termination device, for example, “VPN termination device 1”. The “VPN type” is a VPN type, for example, “OpenVPN”.

  The “IP address for the collective virtual router” is an IP address to be transferred when a packet sent from the base is sent to the collective virtual router. A virtual router is constructed in the collective virtual router, and the interface of the collective virtual router It is determined only after an IP address is assigned. For this reason, in FIG. 27, it is left blank in the sense that it has not been assigned yet. The server mode is a routing method selected by the VPN terminating device. For example, when OpenVPN is used, the routing method includes “routing” and “bridge”.

  Returning to FIG. 17, the control unit 130 controls various processes executed in the inter-VPN connection management system 100. Specifically, as illustrated in FIG. 17, the control unit 130 includes an inter-VPN connection request reception unit 131, a virtual router construction unit 132, a translation address determination unit 133, an address translation information setting unit 134, A routing information generation unit 135, a routing information setting unit 136, and a deletion unit 137 are included.

  The inter-VPN connection request accepting unit 131 accepts an inter-VPN connection request. Specifically, for example, a Web server for users is installed on a network such as the Internet, and the inter-VPN connection request receiving unit 131 distributes an input screen for users to the Web server. Here, the user input screen is provided by a telecommunications carrier or the like that provides an inter-VPN connection service in order to receive an inter-VPN connection request from a VPN administrator who performs an inter-VPN connection. . Then, for example, an administrator at each site accesses the Web server and inputs an inter-VPN connection request on the user input screen, so that the inter-VPN connection request accepting unit 131 accepts the input of the inter-VPN connection request. The received inter-VPN connection request is stored in the inter-VPN connection request storage unit 123.

  FIG. 28 is a diagram for explaining an example of an input screen for an inter-VPN connection request. For example, the inter-VPN connection request accepting unit 131 first outputs an input screen illustrated in FIG. The input screen is provided with a frame for receiving an input of a virtual router name and a frame for receiving an input of a password. Note that the virtual router name and password are determined off-line between “Company A” and “Company B” scheduled to belong to the same collaborative space, for example. Thus, for example, as illustrated in FIG. 28A, when the administrator of “Company A” inputs the virtual router name “vrf1” and the password, the inter-VPN connection request accepting unit 131 sets the virtual router name as “virtual router name”. vrf1 ”is received, and then information regarding“ Company A ”is received. In the second embodiment, an example in which an input of a virtual router name is accepted as an inter-VPN connection request will be described. However, the present invention is not limited to this, for example, the virtual router name on the inter-VPN connection management system 100 side. May be automatically assigned.

  Further, as illustrated in FIG. 28B, a frame for receiving input of a connection destination ID and a terminal name is provided on the next input screen following the input screen illustrated in FIG. For example, an administrator of “Company A” inputs “UserA-Office” as a connection destination ID and “α1 @ vpn1. example. co. jp ”is input, the inter-VPN connection request accepting unit 131 sets“ α1 @ vpn1... example. co. jp ". For example, when the “More” button is pressed by the administrator, the inter-VPN connection request receiving unit 131 further provides a frame for receiving an input of the terminal name on the input screen.

  In addition, the input screen is provided with a frame for receiving input of the date and time of the reservation time. For example, as illustrated in FIG. 28B, when the administrator inputs a reservation time “2009.8.21 13:00” to “2009.8.21 15:00”, an inter-VPN connection request is accepted. The unit 131 accepts “2009.8.21 13:00” as the inter-VPN connection service start time and “2009.8.21 15:00” as the inter-VPN connection service end time.

  In the input screen illustrated in FIG. 28B, for example, when the “OK” button is pressed by the administrator, the inter-VPN connection request accepting unit 131 ends the acceptance of the inter-VPN connection request. After this, the administrator of “Company B” is similarly designated as “β1 @ vpn2 ..” as a terminal connected between VPNs by the virtual router name “vrf1”. example. co. jp ".

  For example, when the administrator of “Company B” inputs the virtual router name “vrf1” and the password on the input screen, the inter-VPN connection request accepting unit 131 accepts “vrf1” as the virtual router name. Here, for the connection between VPNs identified by the virtual router name “vrf1”, the administrator of “Company A” has already entered the date and time of the reservation time. The accepting unit 131 may output an input screen in a state in which the date and time of the reservation time are input among the input screens illustrated in FIG. Then, for example, an administrator of “Company B” inputs “UserB-Office” as a connection destination ID and “β1 @ vpn2. example. co. jp ”is entered, the inter-VPN connection request accepting unit 131 uses“ β1 @ vpn2. example. co. jp ". Thus, an inter-VPN connection request identified by the virtual router name “vrf1” is accepted as an inter-VPN connection request for connecting “terminal α” and “terminal β”.

  In the second embodiment, the method for inputting the inter-VPN connection request on the user input screen has been described. However, the present invention is not limited to this. For example, an operator such as a telecommunications carrier providing an inter-VPN connection service may directly input an inter-VPN connection request on the input screen output to the output unit 112 of the inter-VPN connection management system 100.

  The virtual router construction unit 132 constructs a virtual router in the collective virtual router based on the inter-VPN connection request. Specifically, the virtual router construction unit 132 determines a virtual router name to be constructed in the collective virtual router based on the inter-VPN connection request accepted by the inter-VPN connection request acceptance unit 131. Further, the virtual router construction unit 132 generates virtual router construction information among the setting information set in the collective virtual router, and stores the generated virtual router construction information in the routing information storage unit 125 together with reservation information. Further, the virtual router construction unit 132 notifies the translation address determination unit 133 that address translation information should be generated.

  For example, the virtual router construction unit 132 periodically refers to the VPN connection request storage unit 123 (illustrated in FIG. 21), compares the current time with the service start time, and constructs a virtual router. It is determined whether or not. For example, the virtual router construction unit 132 compares the current time with the service start time “t1” to determine whether it is time to construct a virtual router.

  Next, when the virtual router construction unit 132 determines that it is time to construct a virtual router, it refers to the inter-VPN connection request storage unit 123 and stores the virtual router name and terminal stored in association with the service start time. Get the name. For example, the virtual router construction unit 132 includes the virtual router name “vrf1” stored in association with the service start time “t1” and the terminal name “α1 @ vpn1. example. co. jp "and" β1 @ vpn2. example. co. jp ”.

  Then, the virtual router construction unit 132 refers to the inter-VPN connection information storage unit 121 (illustrated in FIG. 18) using the acquired terminal name, and identifies the collective virtual router that accommodates the base identified by the terminal name. The identification information of the setting pattern is acquired. For example, the virtual router construction unit 132 identifies the aggregate virtual router “aggregate virtual router 1” and acquires the setting pattern identification information “VR-P1”.

  Subsequently, the virtual router construction unit 132 refers to the setting pattern storage unit 122 (illustrated in FIG. 19) using the acquired setting pattern identification information, and stores the specification stored in association with the category “virtual router definition”. To get. Here, although not illustrated in FIG. 19, the setting pattern storage unit 122 also stores, as one of the setting patterns, a predetermined command statement for reflecting the setting information in the collective virtual router for each collective virtual router. . For this reason, the virtual router construction unit 132 also acquires a corresponding predetermined command sentence.

  Then, the virtual router construction unit 132 refers to the VPN connection request storage unit 123 (illustrated in FIG. 21), acquires the service start time and service end time, and stores the acquired service start time and service end time in the routing information. It stores in the part 125 (illustrated in FIG. 23). For example, the virtual router construction unit 132 stores the service start time “t1” and the service end time “t3” in the routing information storage unit 125.

  Next, the virtual router construction unit 132 describes the construction information of the virtual router in a file using the acquired specifications and command statements, and stores the information in the routing information storage unit 125 in association with the service start time and service end time. For example, the virtual router construction unit 132 creates a file in which the virtual router name “vrf1” is described as “ip vrf vrf1” using the acquired predetermined command statement. Further, the virtual router construction unit 132 describes the virtual router ID “100: 10” determined according to the specification illustrated in FIG. 19 as “rd 100: 10” using a predetermined command sentence in the created file. Then, the virtual router construction unit 132 stores the created file in the routing information storage unit 125 in association with the service start time “t1” and the service end time “t3” (see FIG. 24A).

  The conversion address determination unit 133 determines an address used for the connection between VPNs based on the connection request between VPNs. Specifically, the conversion address determination unit 133 determines an address used for the connection between VPNs based on the connection request between VPNs received by the connection request reception unit 131 between VPNs, and generates address conversion information.

  Here, the conversion address determination unit 133 overlaps an address (hereinafter referred to as “first address”) for identifying a terminal under another base serving as a communication partner at the base with a time zone in which the inter-VPN connection is used. It is determined so as to be unique among terminals that can be communication partners within the base corresponding to the time zone. In addition, the conversion address determination unit 133 overlaps an address (hereinafter referred to as “second address”) for identifying a terminal under each base belonging to the inter-VPN connection by the collective virtual router with a time zone in which the inter-VPN connection is used. It is determined to be unique among terminals that can be controlled as connection between VPNs corresponding to the time zone. Also, the translation address determination unit 133 generates address translation information so that the determined two addresses are mutually translated with the NAT device as a boundary.

  Here, it is assumed that the inter-VPN connection management system 100 according to the second embodiment manages the entire private address as an address that can be used for the inter-VPN connection service. That is, in the inter-VPN connection management system 100, as described above, the address conversion information storage unit 124 also stores the value of the entire private address and the address reserved in advance as the address assigned to the interface of each device. Further, the inter-VPN connection management system 100 receives a private address used at each base (“intra-base address in the inter-VPN connection information storage unit 121) for each base by receiving an application from the user in advance. )).

  For this reason, the conversion address determination unit 133 refers to the address conversion information storage unit 124 and searches for an already reserved address on the time axis. Then, when determining the first address, the conversion address determination unit 133 determines, among the entire private addresses, the in-base address, the address that has already been searched for the reserved address in the same time zone, and the interface of each device What is necessary is just to determine an address other than the address reserved beforehand as an address allocated to, as a new payout address. In addition, when determining the second address, the conversion address determination unit 133 is assigned to the address searched as an already reserved address for the same connection between VPNs and the interface of each device when determining the second address. An address other than the previously reserved address may be determined as a new payout address.

  The present invention is not limited to this method. For example, it is assumed that the inter-VPN connection management system 100 manages a private address that can be used at each base by receiving an application from a user in advance. In this case, the conversion address determination unit 133 searches for a reserved address on the time axis, and among the private addresses managed as private addresses that can be used at the base, An address other than the address searched as an already reserved address may be determined as a new payout address. In this case, the inter-VPN connection management system 100 separately stores a private address value that can be used at each site. For example, the inter-VPN connection management system 100 stores the value of the private address that can be used at the base in the inter-VPN connection information storage unit 121.

  Also, the conversion address determination unit 133 stores the generated address conversion information in the address conversion information storage unit 124 together with the reservation information. Also, the conversion address determination unit 133 notifies the routing information generation unit 135 that setting information including routing information should be generated.

  For example, when receiving the notification that the address translation information should be generated from the virtual router construction unit 132, the translation address determination unit 133 refers to the address translation information storage unit 124 (illustrated in FIG. 22) and becomes a communication partner. A first address for identifying a terminal under another base at the base is determined.

  For example, the conversion address determination unit 133 refers to the inter-VPN connection information storage unit 121 (illustrated in FIG. 18) using the terminal name acquired as the VPN connection request, and connects the connection destination ID “UserA- Get Office. Then, the conversion address determination unit 133 searches the address conversion information storage unit 124 using the terminal name belonging to the connection destination ID “UserA-Office”, the service start time “t1”, and the service end time “t3”. If there is address conversion information related to the connection destination ID “UserA-Office” in the overlapping time zone, all of them are acquired. The conversion address determination unit 133 also acquires the value of the entire private address and an address reserved in advance as an address assigned to the interface of each device. At this time, the translation address determination unit 133 searches for address translation information stored in association with all virtual routers.

  Next, the conversion address determination unit 133 analyzes the acquired address conversion information and identifies a terminal under another base serving as a communication partner at the base identified by the connection destination ID “UserA-Office”. All user addresses used as addresses are extracted. Then, the conversion address determination unit 133 preliminarily stores the address assigned to the interface of each device so as not to overlap with the extracted user side address and so as not to overlap with the in-site address (see FIG. 18). The terminal name “β1 @ vpn2 ..” is determined at the base identified by the connection destination ID “UserA-Office” so as not to overlap with the reserved address. example. co. The first address for identifying “jp” is determined. For example, the conversion address determination unit 133 determines “172.16.2.10”.

  Subsequently, the conversion address determination unit 133 determines the connection destination ID “UserA-Office” and the terminal name “α1 @ vpn1. example. co. jp ”is used to refer to the inter-VPN connection information storage unit 121 (illustrated in FIG. 18), and“ NAT device 1 ”and the base address“ 192.168.1.10 ”are acquired. Then, as illustrated in the first line of FIG. 22, the conversion address determination unit 133 associates “NAT device 1” with “192.168.1.10” and “172.16.2.10”. As the user address. The conversion address determination unit 133 similarly determines the first address for the connection destination ID “UserB-Office”, and associates it with “NAT device 2” as illustrated in the first line of FIG. , “172.16.1.10” and “192.168.1.10” are stored as user side addresses.

  In addition, for example, the translation address determination unit 133 refers to the address translation information storage unit 124 (illustrated in FIG. 22), and uses a collective virtual router to identify the terminals under each base belonging to the connection between VPNs. Determine the address.

  For example, the translation address determination unit 133 searches the address translation information storage unit 124 using the virtual router name “vrf1” for identifying the connection between VPNs, the service start time “t1”, and the service end time “t3”. If there is address conversion information related to the virtual router name “vrf1” in the overlapping time zone, all of them are acquired. That is, the translation address determination unit 133 searches for the address translation information stored in association with the virtual router name “vrf1”.

  Next, the translation address determination unit 133 analyzes the acquired address translation information, and extracts all the virtual router side addresses used as address translation information related to the virtual router name “vrf1”. Then, the conversion address determination unit 133 uses the terminal name “α1 @ vpn1” so that it does not overlap with the extracted virtual router side address and also does not overlap with an address reserved in advance as an address assigned to the interface of each device. . example. co. jp "and" β1 @ vpn2. example. co. The second address for identifying the terminal identified by “jp” in the collective virtual router is determined. For example, the conversion address determination unit 133 determines “10.1.10.” And “10.2.10”.

  Subsequently, as illustrated in the first line of FIG. 22, the conversion address determination unit 133 associates “10.0.10” and “NAT device 2” with “NAT device 1” and “NAT device 2”. 10.0.2.10 ”is stored as the virtual router side address.

  Then, the conversion address determination unit 133 generates address conversion information so that the determined two addresses are converted into each other with the NAT device as a boundary. For example, the conversion address determination unit 133 refers to the setting pattern storage unit 122 and acquires a specification of address conversion information and a predetermined command statement for reflecting the address conversion information on the NAT device. Then, the conversion address determination unit 133 generates address conversion information from the address conversion table illustrated in the first line of FIG. 22 using the acquired specification and command statement. In Example 2, since the post-use address can be used again, it is treated as unused.

  The address translation information setting unit 134 sets address translation information in the NAT device. Specifically, the address conversion information setting unit 134 converts the address conversion information so that the first address and the second address determined by the conversion address determination unit 133 are converted to each other with the NAT device as a boundary. Set to NAT device.

  For example, the address translation information setting unit 134 periodically refers to the address translation information storage unit 124 (illustrated in FIG. 22), compares the current time with the service start time, and sets the address translation information at a timing. It is determined whether or not there is. For example, the address conversion information setting unit 134 compares the current time with the service start time “t1” and determines whether it is time to set the address conversion information.

  Next, when the address conversion information setting unit 134 determines that it is time to set the address conversion information, the address conversion information setting unit 134 refers to the address conversion information storage unit 124 and sets the address conversion information stored in association with the service start time. get. For example, the address conversion information setting unit 134 acquires an address conversion table stored in association with “NAT device 1” and “NAT device 2”.

  Then, the address conversion information setting unit 134 refers to the attachment storage unit 126 (illustrated in FIG. 25), acquires the corresponding attachment, and transmits the address conversion information to the corresponding NAT device using the acquired attachment. For example, the address conversion information setting unit 134 refers to the attachment storage unit 126 using “NAT device 1” and “NAT device 2” and attaches the attachment “NAT1. exe "and" NAT2. exe ”. Subsequently, the address conversion information setting unit 134 acquires the acquired attachment “NAT1. exe ”, the address translation information stored in association with“ NAT device 1 ”in the address translation information storage unit 124 is transmitted to“ NAT device 1 ”. The address conversion information setting unit 134 also acquires the acquired attachment “NAT2. exe ”, the address conversion information stored in association with“ NAT device 2 ”in the address conversion information storage unit 124 is transmitted to“ NAT device 2 ”.

  In the second embodiment, the address translation information setting unit 134 is described as starting the address translation information setting at the time of starting the inter-VPN connection service, but the present invention is not limited to this. For example, the time required to set the address translation information is predicted in advance so that the connection between the VPNs is immediately realized at the time when the reservation is accepted as the time for starting the connection service between VPNs. The time obtained by subtracting the predicted time may be used as the time for starting the reflection of the address translation information. For example, when the conversion address determination unit 133 stores the reservation time and the address conversion information in the address conversion information storage unit 124, the conversion address determination unit 133 also stores the time obtained by subtracting the time required to set the address conversion information, The information setting unit 134 may determine whether it is the time and start setting address conversion information.

  The routing information generation unit 135 generates routing information based on the inter-VPN connection request and the address conversion information. Specifically, the routing information generation unit 135 assigns addresses to be set to the interfaces of the respective devices (the collective virtual router, the VPN termination device, and the NAT device) from among the reserved addresses. In addition, the routing information generation unit 135 generates routing information based on the address conversion information determined by the conversion address determination unit 133. Further, the routing information generation unit 135 stores the generated routing information in the routing information storage unit 125 together with the reservation information. In the second embodiment, since the virtual router construction unit 132 has already written the construction information of the virtual router in a file and stored in the routing information storage unit 125, the routing information generation unit 135 includes Routing information (routing information to the VPN terminating device (Next Hop)) is added. Further, the routing information generation unit 135 describes the routing information to the collective virtual router (Next Hop) in the file of the VPN terminating device and the packet transfer information in the file of the NAT device.

  First, generation of the setting information of the collective virtual router will be described. For example, when receiving the notification that the setting information including the routing information should be generated from the translation address determination unit 133, the routing information generation unit 135 refers to the address translation information storage unit 124 (illustrated in FIG. 22), and performs NAT. The address to be set in the device side I / F is determined. For example, the routing information generation unit 135 determines “10.0.10.97” as the I / F on the NAT device 1 side, and “10.0.20.97” as the I / F on the NAT device 2 side. decide.

  In addition, the routing information generation unit 135 refers to the setting pattern storage unit 122 (illustrated in FIG. 19), and stores specifications associated with the categories “I / F setting” and “routing setting for each virtual router”. To get. Here, although not illustrated in FIG. 19, the setting pattern storage unit 122 also stores, as one of the setting patterns, a predetermined command statement for reflecting the setting information in the collective virtual router for each collective virtual router. . For this reason, the routing information generation unit 135 also acquires a corresponding predetermined command sentence.

  Then, the routing information generation unit 135 reads “Number. Number. Number. The “IP address” is determined in accordance with the “number” specification. Also, for example, the routing information generation unit 135 refers to the setting pattern illustrated in FIG. 19 and determines “I / F designation” according to the specification of “I / F type number / number / number”.

  For example, the routing information generation unit 135 determines “10.0.10.97 255.255.255.0” as the IP address to be set for the interface connected to the NAT device 1, and “GigbitEthernet1” as the I / F designation. / 0/0 "is determined. Further, for example, the routing information generation unit 135 determines “10.0.20.97 255.255.255.0” as the IP address to be set for the interface connected to the NAT device 2, and designates the I / F as the IP address. “Gigabit Ethernet 2/0/0” is determined.

  Next, the routing information generation unit 135 refers to the address translation information storage unit 124 and acquires the virtual router side address stored in association with the NAT device. For example, the routing information generation unit 135 acquires the virtual router side addresses “10.0.10” and “10.2.10” stored in association with the NAT device “NAT device 1”. .

  Then, for example, as shown in FIG. 24A, the routing information generation unit 135 determines “10.0.10.97 255.255.255” determined as the IP address to be set to the interface connected to the NAT device 1. .0 ”is described as“ ip address 10.0.10.97 255.255.255.0 ”using a predetermined command sentence. Further, for example, the routing information generation unit 135 describes “GigabitEthernet1 / 0/0” determined as the I / F designation as “interface GigabitEthernet1 / 0/0” using a predetermined command sentence. In addition, the routing information generation unit 135 describes “ip vrf forwarding vrf1” as a command to make the interface belong to the virtual router “vrf1”. Note that the routing information generation unit 135 also describes the interface connected to the NAT device 2 in the same manner.

  Further, the routing information generating unit 135 describes a routing setting command which is so-called routing information. Here, NextHop is a NAT device. For example, the routing information generation unit 135 uses the virtual router name “vrf1”, “10.0.1.0 255.255.255.0”, and the IP address “10.0.10.98”. , “Ip route vrf vrf 1 10.0.1.0 255.255.255.0 10.0.10.98” is described using a predetermined command sentence in accordance with the specification illustrated in FIG. Note that the routing information generation unit 135 also describes the interface connected to the NAT device 2 in the same manner.

  Next, generation of setting information of the VPN termination device will be described. The routing information generation unit 135 refers to the inter-VPN connection information storage unit 121 using the connection destination ID received by the inter-VPN connection request reception unit 131, and stores the VPN termination device in association with each connection destination ID. The identification information of the setting pattern is acquired. Then, the routing information generation unit 135 refers to the setting pattern storage unit 122 using each of the identification information of the setting pattern of the VPN termination device, and sets the setting from the setting patterns of the VPN termination device stored in the setting pattern storage unit 122. A setting pattern of a VPN termination device to be used for generating information is selected. Then, the routing information generation unit 135 generates setting information using the selected setting pattern.

  For example, the routing information generation unit 135 determines an address to be set in the I / F (base side and aggregate virtual router side) of the VPN termination device, and generates routing information using the determined address. For example, the routing information generation unit 135 generates the routing information of “VPN termination device 1” as shown in FIG. The first four lines in FIG. 24B are commands for setting an address in the interface of “VPN termination device 1”. The fifth line in FIG. 24B is a routing setting command for setting NextHop to “NAT device 1”.

  Next, generation of setting information of the NAT device will be described. Although not shown in FIGS. 19 and 20, the setting pattern storage unit 122 also stores setting patterns of the NAT device. For this reason, for example, the routing information generation unit 135 refers to the inter-VPN connection information storage unit 121 using the connection destination ID received by the inter-VPN connection request reception unit 131 and stores it in association with each connection destination ID. The identification information of the NAT device is acquired. Then, the routing information generation unit 135 refers to the setting pattern storage unit 122 using each of the NAT device setting pattern identification information, and sets the setting information from the NAT device setting patterns stored in the setting pattern storage unit 122. A setting pattern of the NAT device to be used for generation is selected. Then, the routing information generation unit 135 generates setting information using the selected setting pattern.

  For example, the routing information generation unit 135 determines an address to be set in the I / F (base side and aggregate virtual router side) of the NAT device, and generates routing information using the determined address. For example, the routing information generation unit 135 generates the routing information of “NAT device 1” as shown in FIG. The first four lines in FIG. 24C are commands for setting addresses in the interface of “NAT device 1”. The fifth line of FIG. 24C is a routing setting command to the “VPN terminating device 1” side, and sets an address before address conversion. The sixth line in FIG. 24C is a routing setting command to the virtual router “vrf1”, and sets an address after address conversion.

  As described above, in the second embodiment, each piece of setting information is stored in the routing information storage unit 125 in the form of a setting file, for example, as illustrated in FIG. That is, the routing information generation unit 135 stores each of the generated setting information in the routing information storage unit 125 in the form of a setting file. However, the present invention is not limited to this, and a method of storing the generated setting information in a database may be used. Alternatively, the generated setting information may be stored in a file format and stored in a database. According to these methods, since the setting information is stored in a database suitable for search and reference, for example, the routing information generation unit 135 refers to the already generated setting information when generating the setting information. However, it is not necessary to execute the file open process each time, and the process becomes efficient.

  The routing information setting unit 136 sets the routing information in the NAT device, the VPN termination device, and the collective virtual router. For example, the routing information setting unit 136 periodically refers to the routing information storage unit 125 (illustrated in FIG. 23), compares the current time with the service start time, and determines whether the setting information should be set. Determine whether. For example, the routing information setting unit 136 compares the current time with the service start time “t1” and determines whether or not it is time to set the setting information.

  Next, when the routing information setting unit 136 determines that it is time to set the setting information, the routing information setting unit 136 refers to the routing information storage unit 125 and acquires the setting information stored in association with the service start time. For example, the routing information setting unit 136 acquires the setting information stored in association with the service start time “t1”.

  Then, the routing information setting unit 136 refers to the attachment storage unit 126 (illustrated in FIG. 25), acquires the corresponding attachment, and uses the acquired attachment to transfer the corresponding aggregate virtual router, VPN termination device, and NAT device. Send configuration information. For example, the routing information setting unit 136 uses the “aggregate virtual router 1”, “VPN termination device 1”, “VPN termination device 2”, “NAT device 1”, and “NAT device 2” to store the attachment storage unit 126. Refer to the attachment “VR1. exe "," VPN1. exe "," VPN2. exe "," NAT1. exe "and" NAT2. exe ”. Subsequently, the routing information setting unit 136 acquires the acquired attachment “VR1. exe ”is used to transmit the setting information to“ collective virtual router 1 ”. Similarly, the routing information setting unit 136 also transmits setting information to “VPN termination device 1”, “VPN termination device 2”, “NAT device 1”, and “NAT device 2”.

  The attachment may include, for example, a method of setting setting information by remotely operating each device from the inter-VPN connection management system 100 using telnet, SSH (Secure SHell), or the like. .

  In the second embodiment, the routing information setting unit 136 is described as starting the setting information setting at the time of starting the inter-VPN connection service, but the present invention is not limited to this. For example, the time required for setting the setting information is predicted in advance so that the connection between the VPNs is immediately realized at the time when the reservation is accepted as the time for starting the inter-VPN connection service. The time obtained by subtracting the time may be set as the time for starting the setting information setting. For example, when the virtual router construction unit 132 stores the reservation time and the setting information in the routing information storage unit 125, the virtual router construction unit 132 also stores the time obtained by subtracting the time required for setting the setting information, and the routing information setting unit 136 Then, it may be determined whether it is the time, and setting of setting information may be started.

  The deletion unit 137 deletes address translation information and routing information set in the VPN termination device, the NAT device, and the aggregate virtual router. Specifically, the deletion unit 137 periodically refers to the address translation information storage unit 124 and the routing information storage unit 125 by a timer or polling, and determines whether it is time to end the inter-VPN connection service. . If it is determined that it is the service end time, the attachment storage unit 126 is referred to, and the attachment (for deletion) of the corresponding VPN termination device or aggregate virtual router is acquired. Then, the deletion unit 137 deletes the setting information from the corresponding VPN termination device or the collective virtual router using the corresponding attachment. Note that the deletion unit 137 according to the second embodiment also deletes the reservation information stored in the address conversion information storage unit 124 and the routing information storage unit 125.

[Processing Procedure by VPN Connection Management System According to Second Embodiment]
Next, a processing procedure performed by the inter-VPN connection management system 100 according to the second embodiment will be described with reference to FIGS. 29 and 30. FIG. 29 is a flowchart illustrating a processing procedure performed by the inter-VPN connection management system 100 according to the second embodiment, and FIG. 30 is a flowchart illustrating an address determination process.

  As illustrated in FIG. 29, when the inter-VPN connection management system 100 according to the second embodiment determines that it is time to construct a virtual router (Yes in step S101), the virtual router is constructed (step S102). Specifically, the virtual router construction unit 132 constructs a virtual router.

  Next, the inter-VPN connection management system 100 determines a conversion address (step S103). Specifically, the conversion address determination unit 133 determines the conversion address.

  Subsequently, the inter-VPN connection management system 100 generates routing information (step S104). Specifically, the routing information generation unit 135 generates routing information.

  Then, the VPN connection management system 100 sets address translation information and routing information (step S105). Specifically, the address translation information setting unit 134 sets address translation information for the corresponding NAT device, and the routing information setting unit 136 sets routing information for the corresponding aggregate virtual router and VPN termination device.

  If address translation information and routing information settings are completed by the service start time, when a virtual router is constructed, when address translation information is determined, when routing information is generated, when address translation information and Whether to set the routing information is arbitrary. For example, the setting may be completed at a stage much earlier than the service start time, and communication between VPN connections may not be performed due to firewall settings or the like. In this case, when the service start time is reached, the firewall setting is changed, and connection between VPNs becomes possible.

  Next, step S103 (address determination processing) in FIG. 29 will be described. As will be described below, the conversion address determination unit 133 determines the first address and the second address. The numbers of the first address and the second address are as follows.

  In other words, the first address for identifying the terminal under the other base that is the communication partner at the base is the destination address of the packet transmitted from this base, and at the base that is the counterpart to this base It is determined by the number of terminals used for connection between VPNs. In the case where the terminals used for the connection between VPNs at the partner site are a plurality of terminals and are determined by the address unit for each terminal, the first number corresponding to the number of terminals by the address unit for each terminal. The address will be determined. On the other hand, when determining by subnet unit, for example, when the subnet address part of the address is determined and the original address is diverted for the host address part, as a result, the first addresses corresponding to the number of terminals are determined. Will be.

  On the other hand, the second address for identifying the terminals under each base belonging to the inter-VPN connection by the collective virtual router is obtained by converting the destination address and the source address of the packet transmitted from each base belonging to the inter-VPN connection. This is a later destination address and source address, and is determined by the number of all terminals used for a certain connection between VPNs.

  As illustrated in FIG. 30, first, the translation address determination unit 133 determines whether or not it is a case of newly constructing a virtual router (step S103-1). When a new virtual router is constructed (Yes at Step S103-1), the conversion address determination unit 133 determines a second address for identifying a terminal under each base belonging to the connection between VPNs in the wide area network ( Step S103-2).

  Subsequently, the conversion address determination unit 133 determines whether or not the first address can be paid out (step S103-3). If it is possible (Yes in step S103-3), the first address is determined. Determine (step S103-4). Then, the conversion address determination unit 133 generates address conversion information (step S103-5) and ends the process. On the other hand, if it is not possible (No at Step S103-3), the conversion address determination unit 133 terminates the process by performing an error response or the like.

  On the other hand, when a new VPN is accommodated in the VRF already constructed in step S103-1, (No in step S103-1), the conversion address determination unit 133 determines whether or not the second address can be issued. A determination is made (step S103-6), and if it is possible (Yes at step S103-6), then it is determined whether or not the first address can be paid out (step S103-7).

  If it is possible (Yes at Step S103-7), the conversion address determination unit 133 determines the first address and the second address (Step S103-8), and generates address conversion information (Step S103-). 5) The process is terminated.

  If it is not possible in Step S103-6 (No in Step S103-6) or not possible in Step S103-7 (No in Step S103-7), the conversion address determination unit 133 performs an error response, etc. To finish the process. Since the second address only needs to be determined so as to be unique among the connection destinations set as the same virtual router in the same time zone, a situation in which payout is not possible (a situation in which step S103-6 is negative) Hardly occurs. Of course, when the number of connected terminals is enormous, it may be possible that the second address cannot be paid out.

[Effect of Example 2]
As described above, according to the second embodiment, the conversion address determination unit 133 determines the first address for identifying the terminal under the other base that is the communication partner in the predetermined connection between VPNs in the base. It is determined to be unique among terminals that can be communication partners in the base in the time zone in which the connection between VPNs is used. In addition, the conversion address determination unit 133 controls the second address for identifying the terminals under each base belonging to the inter-VPN connection in the wide area network as the inter-VPN connection in the time zone in which the inter-VPN connection is used. To be unique among the possible terminals. In addition, the address conversion information setting unit 134 converts the first address and the second address into address conversion information for converting the first address and the second address so that the first address and the second address are converted to each other with the NAT device as a boundary. Set to the NAT device.

  In addition, according to the second embodiment, the inter-VPN connection information storage unit 121, the address translation information storage unit 124, and the like have a virtual router name that identifies the inter-VPN connection and time zone information that indicates a time zone in which the inter-VPN connection is used. (Service start time, service end time), a connection destination ID for identifying a base belonging to the connection between VPNs, and the first address and the second address are stored in association with each other. Then, when receiving the inter-VPN connection request, the conversion address determining unit 133 uses the terminal name specified in the inter-VPN connection request to change the inter-VPN connection information storage unit 121, the address conversion information storage unit 124, etc. The first address is determined so as not to overlap with the first address stored in association with the time zone information indicating the time zone that overlaps at least the time zone specified in the inter-VPN connection request. The translation address determination unit 133 searches the inter-VPN connection information storage unit 121 and the address translation information storage unit 124 using the virtual router name specified in the inter-VPN connection request, and at least makes an inter-VPN connection request. The second address is determined so as not to overlap the second address stored in association with the time zone information indicating the time zone overlapping with the designated time zone.

  For this reason, according to the second embodiment, an address for identifying a terminal under another base serving as a communication partner at each base and a terminal under each base belonging to the connection between VPNs in the wide area network are identified. The address to be used can be determined independently. As a result, since the algorithm for determining the address is simplified and automated, address duplication can be appropriately solved without address design in advance. In other words, even when connecting between VPNs on demand, it becomes possible to appropriately resolve address duplication.

  As a result, it is possible to automatically and immediately resolve address duplication that had to be designed in advance by SEs (Systems Engineers) in the past, and on-demand VPN connection Can be realized.

  In addition, in the above, the case where the terminal with one base is multiply belonging to a plurality of cooperating spaces in overlapping time zones has not been described with a specific example. Hereinafter, a specific example will be described. As will be described below, the inter-VPN connection management system 100 according to the second embodiment can correctly determine an address even when a single site belongs to a plurality of cooperating spaces.

  For example, it is assumed that an inter-VPN connection identified by the virtual router name “vrf1” and an inter-VPN connection identified by the virtual router name “vrf2” are established in the collective virtual router. Further, these VPN connections are established in overlapping time zones.

  Here, it is assumed that the terminal A1 at the base A, the terminal β1 at the base B, and the terminal γ1 at the base C belong to the connection between VPNs identified by the virtual router name “vrf1”. Further, it is assumed that the terminal α1 at the base A and the terminal γ1 at the base C belong to the connection between VPNs identified by the virtual router name “vrf2”. That is, the terminal α1 at the site A has multiple assignments in the overlapping time zone to the inter-VPN connection identified by the virtual router name “vrf1” and the inter-VPN connection identified by the virtual router name “vrf2”. In addition, the terminal γ1 at the site C also has multiple assignments to the inter-VPN connection identified by the virtual router name “vrf1” and the inter-VPN connection identified by the virtual router name “vrf2” in the overlapping time zone.

  The inter-VPN connection management system 100, for example, for the inter-VPN connection identified by the virtual router name “vrf1”, for the base A, the first address “address B1” for identifying the terminal β1 and the terminal γ1 The first address “address C1” for identifying is issued. Further, for the base B, a first address “address A1” for identifying the terminal α1 and a first address “address C2” for identifying the terminal γ1 are paid out. Further, for the base C, a first address “address A2” for identifying the terminal α1 and a first address “address B2” for identifying the terminal β1 are paid out.

  For the inter-VPN connection identified by the virtual router name “vrf2”, the first address “address C3” for identifying the terminal γ1 is issued for the base A. Further, for the base C, the first address “address A3” for identifying the terminal α1 is paid out.

  As described above, the inter-VPN connection management system 100 determines the first address so as to be unique among the terminals that can be communication partners in the base in the time zone in which the inter-VPN connection is used. Even if the “terminal that can be a communication partner” is the same terminal, the inter-VPN connection management system 100 determines the first address without being conscious of whether or not it is the same terminal. As a result, the inter-VPN connection management system 100 pays out the first address so as to be unique for each inter-VPN connection even if the “terminal that can be a communication partner” is the same terminal. In other words, the inter-VPN connection management system 100 pays out a different address to one terminal under another VPN serving as a communication partner at one base point depending on the difference in inter-VPN connection. For this reason, according to the second embodiment, it is possible to correctly determine an address even when a single base belongs to a plurality of cooperating spaces.

  Next, an inter-VPN connection management system and an address determination device according to the third embodiment will be described with reference to FIGS. FIG. 31 is a diagram for explaining a network configuration according to the third embodiment. As illustrated in FIG. 31, in the third embodiment, an address determination device is provided separately from the inter-VPN connection management system, and the address determined by the address determination device is notified to the inter-VPN connection management system and used. The Note that the address determination device according to the third embodiment is not necessarily based on the inter-VPN connection management system, and the address determined by the address determination device may be used in another system.

  FIG. 32 is a block diagram illustrating the configuration of the address determination device 200 according to the third embodiment. As illustrated in FIG. 32, the address determination apparatus 200 according to the third embodiment includes a communication unit 210, an input unit 211, an output unit 212, an input / output control I / F unit 213, a storage unit 220, and a control. Unit 230.

  The storage unit 220 includes an address conversion information storage unit 221 and an attachment storage unit 222. The address translation information storage unit 221 corresponds to the address translation information storage unit 124 described in the second embodiment and has a similar function. Further, the attachment storage unit 222 corresponds to the attachment storage unit 126 described in the second embodiment and has the same function.

  The control unit 230 includes a conversion address determination unit 231 and an address conversion information setting unit 232. The conversion address determination unit 231 corresponds to the conversion address determination unit 133 described in the second embodiment and has a similar function. That is, the conversion address determination unit 231 receives notification of necessary information from the inter-VPN connection management system, determines an address based on this information, and generates address conversion information. The address translation information setting unit 232 corresponds to the address translation information setting unit 134 described in the second embodiment and has a similar function.

  That is, the address determination device 200 according to the third embodiment is obtained by separating a part of functions provided in the inter-VPN connection management system 100 according to the second embodiment into another physical casing. Further, the address determination device 200 according to the third embodiment does not necessarily have to include each unit illustrated in FIG. 32, or may include another unit. For example, if the address determination device 200 notifies the result of determination to the inter-VPN connection management system after the address determination by the conversion address determination unit 231, the address conversion information storage unit 221, the attachment storage unit 222, and the address conversion It is not necessary to provide the information setting unit 232. In this case, the address conversion information notified from the address determination device 200 may be stored on the inter-VPN connection management system side, and settings for the NAT device may be performed based on the address conversion information.

  The address determination device 200 according to the third embodiment does not include the routing information generation unit 135 and the routing information setting unit 136 that are included in the inter-VPN connection management system 100 according to the second embodiment. Good. In this case, the address determination device 200 can also generate routing information using the address conversion information determined by the conversion address determination unit 231 and set the generated routing information in the corresponding device.

  Although the first to third embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the above-described embodiments.

[Network configuration]
In the above embodiment, a star type network configuration is assumed, but the present invention is not limited to this, and the present invention can be similarly applied to a full mesh type network configuration.

[Others]
In addition, among the processes described in the above embodiment, all or a part of the processes described as being automatically performed can be manually performed, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, a VRF (VPN routing and forwarding table) may be applied as an example of a transfer control device, and as a result, a plurality of transfer control devices are virtually operated in one transfer control device. be able to. Further, all or any part of each processing function performed in each device is realized by a CPU (Central Processing Unit) and a program analyzed and executed by the CPU, or hardware by wired logic Can be realized as

  The address determination method described in the above embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via an IP network such as the Internet. The program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM (Compact Disk Read Only Memory), an MO (Magneto-Optical disk), a DVD (Digital Versatile Disk). It can also be executed by being read from a recording medium by a computer.

DESCRIPTION OF SYMBOLS 10 Address determination apparatus 11 1st address determination part 12 2nd address determination part 13 Address setting part

Claims (9)

An address determination device for determining an address used for inter-base connection for a system that connects a plurality of bases via a wide area network,
A first address for identifying a terminal under another base that is a communication partner in a connection between predetermined bases in the base, among terminals that can be a communication partner in the base in a time zone in which the connection between bases is used A first determining means for determining to be unique;
A second address for identifying a terminal under each base belonging to the inter-base connection in the wide area network is set for each time base and for each inter-base connection in the wide area network in a time zone in which the inter-base connection is used. Second determining means for determining the uniqueness within the router to be
The first address determined by the first determining means and the second address determined by the second determining means are mutually converted with the address conversion devices connected to the wide area network and the respective bases as boundaries. An address determination device comprising: setting means for setting, in the address conversion device, conversion information for converting the first address and the second address. The inter-base connection information for identifying the inter-base connection, the time zone information indicating the time zone in which the inter-base connection is used, the base information for identifying the base belonging to the inter-base connection, and determined by the first determining means Storage means for storing the first address and the second address determined by the second determination means in association with each other,
When the first determination unit receives a connection request for requesting connection between sites, the first determination unit searches the storage unit for each site using the site information specified in the connection request, and at least specified in the connection request. The first address is determined so as not to overlap with the first address stored in association with the time zone information indicating the time zone overlapping with the time zone,
The second determining means searches the storage means using the base-to-base connection information specified in the connection request, and at least time zone information indicating a time zone overlapping with the time zone specified in the connection request The address determination device according to claim 1, wherein the second address is determined so as not to overlap with the second address stored in association with each other. When a packet including a first address indicating a destination and a private address indicating a transmission source is received from the base, the first address is converted into a second address corresponding to the destination indicated by the first address, and the private address is When the packet including the second address indicating the destination and the second address indicating the source is received from the wide area network, the packet is converted to the second address corresponding to the source indicated by the private address and transferred to the wide area network. Is converted to a private address corresponding to the destination indicated by the second address, and the second address indicating the source is converted to a first address corresponding to the source indicated by the second address Between multiple sites via a wide area network Against LAN-to-LAN systems continue, an address decision device for determining said first address and said second address,
The first address for identifying a terminal under another site that is a communication partner in a predetermined inter-site connection within the base is a terminal that can be a communication partner in the base in the time zone in which the inter-base connection is used. A first determining means for determining to be unique at
The second address for identifying a terminal under each base belonging to the inter-base connection in the wide area network is set for each time-limited and inter-base connection in the wide area network in a time zone in which the inter-base connection is used. A second determining means for determining to be unique within the set router ;
A setting unit configured to set, in the address conversion device, conversion information for converting the first address determined by the first determination unit and the second address determined by the second determination unit. Address determination device. The inter-base connection information for identifying the inter-base connection, the time zone information indicating the time zone in which the inter-base connection is used, the base information for identifying the base belonging to the inter-base connection, and determined by the first determining means Storage means for storing the first address and the second address determined by the second determination means in association with each other,
When the first determination unit receives a connection request for requesting connection between sites, the first determination unit searches the storage unit for each site using the site information specified in the connection request, and at least specified in the connection request. The first address is determined so as not to overlap with the first address stored in association with the time zone information indicating the time zone overlapping with the time zone,
The second determining means searches the storage means using the base-to-base connection information specified in the connection request, and at least time zone information indicating a time zone overlapping with the time zone specified in the connection request The address determination device according to claim 3, wherein the second address is determined so as not to overlap with the second address stored in association with each other. An address determination method for determining an address used for inter-base connection for a system that connects a plurality of bases via a wide area network,
Computer
A first address for identifying a terminal under another base that is a communication partner in a connection between predetermined bases in the base, among terminals that can be a communication partner in the base in a time zone in which the connection between bases is used A first determination step for determining the uniqueness;
A second address for identifying a terminal under each base belonging to the inter-base connection in the wide area network is set for each time base and for each inter-base connection in the wide area network in a time zone in which the inter-base connection is used. And a second determination step for determining the address so as to be unique within the router . When the first determination step receives a connection request for requesting inter-base connection, inter-base connection information for identifying the inter-base connection, time zone information indicating a time zone in which the inter-base connection is used, and the inter-base connection A storage unit that stores the base information for identifying the base belonging to the connection, the first address determined in the first determination step, and the second address determined in the second determination step in association with each other, Search for each site using the site information specified in, and at least do not overlap with the first address stored in association with the time zone information indicating the time zone that overlaps the time zone specified in the connection request To determine the first address and
In the second determination step, the storage unit is searched using the inter-base connection information specified in the connection request, and at least time zone information indicating a time zone overlapping with the time zone specified in the connection request The address determination method according to claim 5, wherein the second address is determined so as not to overlap with the second address stored in association with each other. When a packet including a first address indicating a destination and a private address indicating a transmission source is received from the base, the first address is converted into a second address corresponding to the destination indicated by the first address, and the private address is When the packet including the second address indicating the destination and the second address indicating the source is received from the wide area network, the packet is converted to the second address corresponding to the source indicated by the private address and transferred to the wide area network. Is converted to a private address corresponding to the destination indicated by the second address, and the second address indicating the source is converted to a first address corresponding to the source indicated by the second address Between multiple sites via a wide area network Against LAN-to-LAN systems continue, an address decision method for determining the said first address and said second address,
Computer
The first address for identifying a terminal under another site that is a communication partner in a predetermined inter-site connection within the base is a terminal that can be a communication partner in the base in the time zone in which the inter-base connection is used. A first determination step for determining the uniqueness in
The second address for identifying a terminal under each base belonging to the inter-base connection in the wide area network is set for each time-limited and inter-base connection in the wide area network in a time zone in which the inter-base connection is used. A second determination step of determining the address so as to be unique within the router to be set . When the first determination step receives a connection request for requesting inter-base connection, inter-base connection information for identifying the inter-base connection, time zone information indicating a time zone in which the inter-base connection is used, and the inter-base connection A storage unit that stores the base information for identifying the base belonging to the connection, the first address determined in the first determination step, and the second address determined in the second determination step in association with each other, Search for each site using the site information specified in, and at least do not overlap with the first address stored in association with the time zone information indicating the time zone that overlaps the time zone specified in the connection request To determine the first address and
In the second determination step, the storage unit is searched using the inter-base connection information specified in the connection request, and at least time zone information indicating a time zone overlapping with the time zone specified in the connection request The address determination method according to claim 7, wherein the second address is determined so as not to overlap with the second address stored in association with each other.   An address determination program for causing a computer to function as the address determination device according to claim 1.

Images