JP6330180B2 - Relay device and relay method - Google Patents

Description

  The present invention relates to a relay device and a relay method.

  Generally, a dedicated communication device is disposed at a connection point that connects an internal network (hereinafter also referred to as an internal network) such as an office and an external network (hereinafter also referred to as an external network). Then, by limiting the communication between the networks to a predetermined communication by the dedicated communication device, a difference is provided in the security strength of the two networks.

  Specifically, by requesting the communication terminal newly connected to the internal network to input a dedicated password or requesting the communication terminal to install dedicated software, Increasing the strength of security has been done. In this case, even when the communication terminal communicates only with a specific communication device on the internal network, the password or the like is uniformly requested.

  2. Description of the Related Art Conventionally, when a communication device and a mobile terminal communicate, a technology related to a communication device that determines whether or not to transmit a password for connecting to a network to the mobile terminal according to the type of network to which the communication device belongs Is disclosed (for example, Patent Document 1).

JP 2013-214801 A

  However, according to the technique disclosed in Patent Document 1, when a communication device is connected to the internal network, the communication device notifies the portable terminal of a password for connecting to the internal network. If the password is leaked from the mobile terminal, there is a problem that the security of the internal network is lowered.

  The present invention has been made to solve the above-described problem, and an object of the present invention is to provide a relay device or the like that appropriately performs communication between a communication terminal outside the network and a communication device in the network.

  In order to solve the above problems, a relay device according to an aspect of the present invention includes a first interface connected to a first communication device through a first link, and a second link different from the first link. A second interface connected to a second communication device different from the communication device, and a virtual MAC that is a MAC address used for direct communication with the second communication device among MAC (Media Access Control) addresses of the first communication device A holding unit that holds an address; an address changing unit that changes an address of a frame received by one of the first interface and the second interface; and a frame in which the address changing unit has changed the address, One of the interfaces and the other of the second interfaces different from the one A transfer unit configured to transmit the virtual MAC, the address changing unit, by the address change, (a) a destination address of a frame received by the second interface is held by the holding unit If it is an address, the destination address of the frame is changed to a real MAC address that is a MAC address used for communication with the relay device among the MAC addresses of the first communication device, and (b) the first interface When the destination address of the frame received by the above is the MAC address of the second communication device, the transmission source address of the frame is changed to the virtual MAC address held by the holding unit.

  According to this, the relay device communicates with the second communication device by transmission / reception of the frame using the virtual MAC address, and communicates with the first communication device by transmission / reception of the frame using the actual MAC address. Do. The relay device relays these communications to cause the second communication device (corresponding to a communication terminal outside the network) to communicate with the first communication device (corresponding to a communication device in the network). Can do. Therefore, the relay device can appropriately perform communication between the communication terminal outside the network and the communication device in the network.

  The holding unit further holds an IP (Internet Protocol) address included in a subnetwork to which the first link belongs as a first virtual IP address, and an IP address included in the subnetwork to which the second link belongs. Holding the second virtual IP address, the address changing unit further, (a) when the destination IP address of the frame received by the second interface is the second virtual IP address by the address change, Change the destination IP address of the frame to the IP address of the first communication device, change the source IP address of the frame to the first virtual IP address, and (b) the frame received by the first interface The destination IP address is the first virtual IP address If a scan, changes the source IP address of the frame to the second virtual IP address as well as change the destination IP address to the IP address of the second communication device.

  According to this, the relay apparatus performs transmission / reception of a frame including an IP packet using the virtual IP address with each of the first communication apparatus and the second communication apparatus. Thereby, when a 1st communication apparatus and a 2nd communication apparatus perform IP communication, a 2nd communication apparatus can be made to perform IP communication with a 1st communication apparatus appropriately.

  The relay device further includes a third interface connected to the network through a third link belonging to the same subnetwork as the first link, and the transfer unit further includes the first interface and the third interface. The transmission source address of the frame received by the interface is held as a forwarding table in association with the interface that received the frame, and when the first interface or the third interface receives the frame, the received frame is The frame is transferred by being transmitted through the interface associated with the destination address of the frame in the transfer table.

  According to this, the relay device transfers the frame between the communication device in the network and the first communication device while performing communication between the first communication device and the second communication device, thereby Communication between the communication device and the first communication device can be performed.

  The transfer unit prohibits transmission of a frame received by one of the second interface and the third interface through the other of the second interface and the third interface.

  According to this, the relay device prohibits communication between the second communication device and the communication device in the network, so that the communication partner with which the second communication device can communicate can be limited to only the first communication device. . Therefore, the relay device can appropriately perform communication between the communication terminal outside the network and the communication device in the network while maintaining the security strength of the network.

  The third interface establishes the third link with a third communication device, and the second communication device establishes a fourth communication link with the third communication device. The second link is less secure than the fourth communication link.

  According to this, the relay device establishes a communication link with the second communication device with a security strength lower than that required when the second communication device is connected to the network. Therefore, the second communication device can establish a communication link with the relay device without requiring high security strength and can communicate with the first communication device.

  The second link is different from the first link in the data link layer communication method.

  According to this, the relay device transmits / receives a frame between the first communication device and the second communication device while absorbing a difference in communication method between the first link and the second link, so that the first communication is performed. Communication between the device and the second communication device can be performed.

  The second link is a communication link for performing Wi-Fi Direct (registered trademark) communication, and the virtual MAC address is converted from the real MAC address by a predetermined method. This is a local MAC address for Direct (registered trademark) communication.

  According to this, the relay device transmits and receives a frame between the first communication device and the second communication device while absorbing a difference in communication method between Wi-Fi Direct (registered trademark) communication and other communication. Thus, communication between the first communication device and the second communication device can be performed.

  A relay method according to an aspect of the present invention is a frame relay method by a relay device, wherein the relay device is connected to a first communication device through a first link and the first link. A second interface connected to a second communication device different from the first communication device through a second link different from the first communication device, and the relay method includes the second communication device among the MAC addresses of the first communication device. A holding step for holding a virtual MAC address that is a MAC address used for direct communication, an address changing step for changing the address of a frame received by one of the first interface and the second interface, and the address changing step. The frame whose address has been changed is sent to the first interface and the second interface. A transfer step in which the transfer is performed by transmission by the other one and the other. In the address change step, the address change causes (a) a destination address of a frame received by the second interface to be in the holding step. When the virtual MAC address is held, the destination address of the frame is changed to a real MAC address that is a MAC address used for communication with the relay device among the MAC addresses of the first communication device, and (b When the destination address of the frame received by the first interface is the MAC address of the second communication device, the transmission source address of the frame is changed to the virtual MAC address held in the holding step.

  According to this, there exists an effect similar to the said relay apparatus.

  The relay device according to the present invention can appropriately perform communication between a communication terminal outside the network and a communication device in the network.

FIG. 1 is a configuration diagram of a communication system according to an embodiment. FIG. 2 is a block diagram illustrating a functional configuration of the relay apparatus according to the embodiment. FIG. 3 is an explanatory diagram of a transfer table held by the transfer unit according to the embodiment. FIG. 4 is an explanatory diagram of a correspondence table held by the changing unit according to the embodiment. FIG. 5 is a schematic diagram illustrating transfer processing by the relay device according to the embodiment. FIG. 6 is a flowchart showing transfer processing by the relay device according to the embodiment. FIG. 7 is a flowchart illustrating transfer processing including address change by the relay device according to the embodiment. FIG. 8 is an explanatory diagram illustrating a MAC address of a frame transferred by the relay device according to the embodiment. FIG. 9 is a detailed network configuration diagram of the communication system according to the embodiment. FIG. 10 is a flowchart showing a network configuration procedure of the communication system according to the embodiment.

  Hereinafter, embodiments will be specifically described with reference to the drawings.

  Each of the embodiments described below shows a preferred specific example of the present invention. The numerical values, shapes, materials, constituent elements, arrangement positions and connecting forms of the constituent elements, steps, order of steps, and the like shown in the following embodiments are merely examples, and are not intended to limit the present invention. In addition, among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims indicating the highest concept of the present invention are described as optional constituent elements that constitute a more preferable embodiment.

  In addition, the same code | symbol is attached | subjected to the same component and description may be abbreviate | omitted.

(Embodiment)
In the present embodiment, a relay device that appropriately performs communication between a communication terminal outside the network and a communication device in the network will be described. This relay device is a relay device that appropriately performs communication between a communication terminal outside the network and a communication device in the network while maintaining the security strength of the network.

  FIG. 1 is a configuration diagram of a communication system 1 according to the present embodiment.

  As shown in FIG. 1, the communication system 1 includes a relay device 10, an MFP 20 (Multifunction Peripheral), a terminal 30, an AP 40 (Access Point), a PC 50 (Personal Computer), and a LAN 60 (Local Area Network). Is provided.

  The relay device 10 is a relay device for relaying a communication frame (hereinafter also simply referred to as a frame) transmitted and received between the MFP 20 and a communication device connected to the LAN 60. The relay device 10 also relays frames transmitted and received between the terminal 30 and the MFP 20.

  Specifically, the relay device 10 is connected to the AP 40 through the communication link L3, and is further connected to the LAN 60 through the AP 40. The relay device 10 is connected to the MFP 20 through the communication link L1.

  The relay device 10 transfers (bridge transfer) a frame received from the communication link L1 and the communication link L3 by transmitting the frame to the communication link L1 or the communication link L3 according to the destination address of the frame. In other words, the relay device 10 bridge-connects the communication link L1 and the communication link L3. As described above, the relay device 10 has a role of indirectly connecting to the LAN 60 by transferring the communication frame between the MFP 20 that is not directly connected to the LAN 60 and the communication device connected to the LAN 60. Note that the terms “frame destination address” and “frame source address” mean the MAC address described in the field for storing the destination address and source address in the frame, respectively. The communication link L1 corresponds to the first link, and the communication link L3 corresponds to the third link.

  The relay device 10 is connected to the terminal 30 through the communication link L2. The relay device 10 changes the destination address or the transmission source address of the frame received from the communication link L1 and the communication link L2 (hereinafter also referred to as address change), and then the communication link L1 or the communication link. The frame is transferred by transmitting to L2. The method for changing the address will be described in detail later. The communication link L2 corresponds to a second link.

  The MFP 20 is a multifunction peripheral device that performs printing based on print data, reads a document, generates read data, and the like. The MFP 20 has a communication function, receives print data via a network, and transmits the generated read data to another device via the network. The MFP 20 corresponds to a first communication device.

  The MFP 20 receives print data from the PC 50 through a communication path that passes through the LAN 60, the AP 40, and the relay apparatus 10, and transmits read data to the PC 50 through the communication path. The MFP 20 receives print data from the terminal 30 via the relay device 10 and transmits read data. As described above, even in a network in which the MFP 20 is not directly connected to the LAN 60, the MFP 20 and the PC 50 can communicate with each other by using the frame transfer by the relay device 10 via the AP 40.

  In the present embodiment, the MFP 20 will be described as an example of a communication device that communicates with the PC 50 and the terminal 30 via the relay device 10. However, even when there is another communication device at the position of the MFP 20, Communication via the relay device 10 in the form is possible.

  The terminal 30 is a communication terminal that performs communication with the MFP 20. The terminal 30 transmits print data to the MFP 20 and receives read data generated by the MFP 20. The terminal 30 establishes a communication link L2 with the relay device 10, and communicates with the MFP 20 via the relay device 10 through the established communication link L2. The terminal 30 communicates with the MFP 20 in a state where communication with the LAN 60 is interrupted by using frame transfer by the relay device 10. As described above, even if the terminal 30 is not directly connected to the LAN 60, the communication between the terminal 30 and the MFP 20 can be appropriately performed by the frame transfer by the relay device 10. The terminal 30 corresponds to a second communication device.

  The AP 40 is a wireless base station device that is connected to the LAN 60 and performs infrastructure mode wireless communication with the relay device 10. The AP 40 establishes a communication link L3 with the relay apparatus 10, and transmits / receives a frame to / from the LAN 60 through the established communication link L3. In addition, although the case where the communication link L3 is a wireless communication link is demonstrated hereafter, the same description is realized even if it is a wired communication link. The AP 40 corresponds to a third communication device.

  Note that a wireless communication link (corresponding to a fourth communication link, not shown) established by the AP 40 with another communication device has a security strength higher than that of the communication link L2 established by the terminal 30 with the relay device 10. You may set it high. In other words, the communication link L2 may have a lower security strength than the wireless communication link that the AP 40 establishes with other communication devices. By doing so, the terminal 30 is useful in that it can connect to the relay device 10 with simpler security settings than the AP 40 and communicate with the MFP 20 via the relay device 10.

  Here, the security strength is an index indicating the degree of security (safety) of a communication link or a network, and a safer communication link or the like is expressed as having a higher security strength. Specifically, a communication link that requires a dedicated password to establish the communication link or the like or that requires installation of dedicated software is expressed as having a higher security strength than a communication link that does not. The

  The PC 50 is a computer connected to the LAN 60. The PC 50 transmits print data to the MFP 20 and receives read data generated by the MFP 20. The PC 50 communicates with the MFP 20 through a communication path that passes through the LAN 60, the AP 40, and the relay device 10.

  The LAN 60 is a wired local area network and is connected to the MFP 20 and the like via the AP 40. The LAN 60 may be connected to an external network (not shown). The LAN 60 is, for example, a wired LAN that conforms to the IEEE 802.3 standard, and is laid in an office or the like.

  In the communication system 1, the network address of the communication link L2 is A, and the network address of the LAN 60 is B. A subnetwork whose network address is A (or B) may be referred to as subnetwork A (or B). In the following description, it is assumed that the IP addresses of the MFP 20, the terminal 30, and the PC 50 are “B.20”, “A.30”, and “B.50”, respectively.

  Hereinafter, the configuration of the relay device 10 will be described in detail.

  FIG. 2 is a block diagram showing a functional configuration of relay apparatus 10 according to the present embodiment.

  As illustrated in FIG. 2, the relay device 10 includes interfaces I1, I2, and I3, a holding unit 101, a transfer unit 102, and an address changing unit 103.

  The interface I1 is a communication interface that establishes a communication link L1 with the MFP 20. The interface I1 is, for example, an interface for wired communication, and more specifically, is, for example, a wired LAN interface that conforms to the IEEE 802.3 standard. The case where the interface I1 is a wired communication interface will be described, but may be a wireless communication interface.

  The interface I2 is a communication interface that establishes a communication link L2 with the terminal 30. The interface I2 is a wireless LAN interface that conforms to the IEEE802.11a, b, g, and n standards, and performs, for example, Wi-Fi Direct (registered trademark) communication that is direct communication with a communication partner. In the following description, the interface I2 is described as an interface that performs Wi-Fi Direct (registered trademark) communication. However, the interface I2 may be an interface that performs other wireless communication (infrastructure mode or ad hoc mode wireless communication), or wired. It may be a communication interface.

  When the interface I2 performs Wi-Fi Direct (registered trademark) communication, it is generally not assumed that the frame received by the interface I2 is transmitted by another interface of the relay device 10. Since Wi-Fi Direct (registered trademark) communication is communication assuming direct communication with a terminal serving as a communication partner, frame transfer between devices performing Wi-Fi Direct (registered trademark) communication is unnecessary. It is. On the other hand, the relay apparatus 10 transmits a frame received by the interface I2 through Wi-Fi Direct (registered trademark) communication to the MFP 20 through the interface I1, and receives a frame received from the MFP 20 through the interface I1 through the Wi-Fi interface. By transmitting to the terminal 30 by Direct (registered trademark) communication, communication between the terminal 30 and the MFP 20 is appropriately performed.

  Here, the communication link L2 will be described as an example in which the communication method of the data link layer is a communication link different from the communication link L1. In this case, it is useful in that the relay device 10 can cause communication between the terminal 30 and the MFP 20 by absorbing the difference in the communication method of the data link layer. On the other hand, the communication link L2 may be a communication link whose data link layer communication method is the same as that of the communication link L1.

  The interface I3 is a communication interface that establishes a communication link L3 with the AP 40. The interface I3 is, for example, a wireless communication interface. More specifically, for example, the interface I3 is a wireless LAN interface conforming to the IEEE802.11a, b, g, n standard, and performs wireless communication in the infrastructure mode. Is. The interface I3 is described as a wireless communication interface, but may be a wired communication interface.

  The holding unit 101 is a storage device that holds a virtual address necessary for address change by the address changing unit 103. The holding unit 101 holds a virtual MAC address that is a MAC address used for direct communication with the terminal 30 among the MAC addresses of the MFP 20. Specifically, the virtual MAC address is a MAC address used in the communication link L2, and for the Wi-Fi Direct (registered trademark) obtained by converting the global MAC address of the MFP 20 by a predetermined conversion method. It is a local MAC address. Note that the MAC address of the MFP 20 that is not the virtual MAC address is a real MAC address. The actual MAC address is used for communication between the relay apparatus 10 and the MFP 20, for example, as in the prior art.

  The holding unit 101 holds the IP address included in the subnetwork B to which the communication link L1 belongs as a virtual IP address 1 (also referred to as a first virtual IP address), and the IP included in the subnetwork A to which the communication link L2 belongs. The address is held as a virtual IP address 2 (also referred to as a second virtual IP address).

  The method of using these virtual addresses will be described in detail later.

  The transfer unit 102 is a processing unit that transfers a frame between interfaces by transmitting frames received by the interfaces I1, I2, and I3 through an appropriate interface according to a destination address of the received frame. The transfer unit 102 refers to the reference table at the time of the transfer and selects an appropriate interface. Details of processing such as transfer by the transfer unit 102 will be described in detail later.

  The address changing unit 103 is a processing unit that changes (address changes) the destination address or the source address of the frames received by the interfaces I1 and I2. When the address changing unit 103 changes the address, the correspondence table is referred to. In addition, the address changing unit 103 acquires the virtual address held by the holding unit 101 in order to determine whether or not the frames received by the interfaces I1 and I2 are the target of address change.

  Specifically, the address changing unit 103, when the address change, (a) when the destination address of the frame received by the interface I2 is the virtual MAC address held by the holding unit 101, the destination address of the frame (B) When the destination address of the frame received by the interface I1 is the MAC address of the terminal 30, the virtual MAC that the holding unit 101 holds the source address of the frame is changed. Change to address.

  The address changing unit 103 also changes the destination IP address of the frame to the IP address of the MFP 20 when the destination IP address of the frame received by the interface I2 is the virtual IP address 2 by the address change. And the source IP address of the frame is changed to the virtual IP address 1, and (b) when the destination IP address of the frame received by the interface I1 is the virtual IP address 1, the destination IP address is set to the IP of the terminal 30. In addition to changing to the address, the source IP address of the frame is changed to virtual IP address 2.

  The address changing process by the address changing unit 103 will be specifically described later.

  Hereinafter, the function of each functional block will be described in more detail.

  FIG. 3 is an explanatory diagram of the transfer table 301 held by the transfer unit 102 according to this embodiment.

  The transfer table 301 is a table in which a MAC address and an IP address of a communication device that can communicate via the interface are shown for each interface. The forwarding table 301 associates the interface included in the relay device 10 with the MAC address and IP address of a communication device that can communicate via the interface.

  For example, the line of the interface I1 in the transfer table 301 describes the MAC address of the MFP 20 (denoted as “MAC (MFP 20)”) and the IP address “B.20”. This indicates that the transfer unit 102 can communicate with the MFP 20 via the interface I1, in other words, the MFP 20 exists ahead of the interface I1. The other interface lines in the forwarding table 301 mean the same thing.

  The transfer unit 102 refers to the transfer table 301 to determine the transfer destination interface of the frame received by the interfaces I1, I2, and I3. Here, the frame transfer destination interface is an interface through which the frame is transmitted by the transfer unit 102.

  For example, when a frame whose destination address is MAC (T30) is received by the interface I1, the transfer unit 102 knows that the terminal 30 exists ahead of the interface I2 by referring to the transfer table, and transmits the frame to the interface I2. Transmit by I2.

  Note that the transfer unit 102 performs (permits) frame transfer between the interface I1 and the interface I2 and frame transfer between the interface I1 and the interface I3, but the frame between the interface I2 and the interface I3. It is assumed that transfer is not performed (prohibited). Since the transfer unit 102 does not perform frame transfer between the interface I2 and the interface I3, the direct communication between the terminal 30 and the communication device connected to the LAN 60 is blocked, and the security strength in the LAN 60 can be maintained. it can.

  Note that the address changing unit 103 may include a holding unit 101 as one function therein. In this case, there is an advantage that the process in which the address changing unit 103 acquires a virtual address from the holding unit 101 is simplified.

  FIG. 4 is an explanatory diagram of the correspondence table 401 held by the address changing unit 103 according to the present embodiment.

  As shown in FIG. 4, the correspondence table 401 is a table that manages two types of MAC addresses in association with each other. Specifically, the correspondence table 401 is a table that manages a global MAC address and a local MAC address in a one-to-one correspondence.

  Here, the global MAC address corresponds to the above-described real MAC address, and is a MAC address uniquely assigned to the interface. The global MAC address is set so that the global MAC address of one communication device is different from the global MAC address of another communication device.

  On the other hand, the local MAC address corresponds to the above virtual MAC address, and is a unique MAC address in the link. The local MAC address is set to be different from the MAC addresses of other communication devices in the link. The local MAC address is generated by changing the value of a predetermined bit in the global MAC address.

  For example, in the correspondence table 401, “MAC (MFP 20G)” that is the global MAC address of the MFP 20 and “MAC (MFP 20L)” that is the local MAC address of the MFP 20 are managed in a one-to-one correspondence.

  By referring to the correspondence table 401, the address changing unit 103 can know the local MAC address of the communication apparatus from the global MAC address of the communication apparatus. On the other hand, the global MAC address of the communication device can be known from the local MAC address of a certain communication device.

  FIG. 5 is a schematic diagram showing transfer processing by the relay device 10 according to the present embodiment.

  In addition to the IP address and MAC address actually set for the interface, the virtual IP address and virtual MAC address held by the holding unit 101 are assigned to the interfaces I1 and I2. Specifically, a virtual IP address 1 is assigned to the interface I1, and a virtual MAC address and a virtual IP address 2 are assigned to the interface I2. The virtual MAC address assigned to the interface I2 is the local MAC address of the MFP 20.

  The address changing unit 103 changes the address for the frames received from the interfaces I1 and I2, and provides the frame after the address change to the transfer unit 102. The transfer unit 102 transmits the frame received by the interfaces I1 and I2 and the address changed by the address changing unit 103 and the frame received by the interface I3 through an appropriate interface according to the destination address of the received frame. The frame is transferred between the interfaces.

  Hereinafter, the transfer process by the transfer unit 102 will be specifically described.

  FIG. 6 is a flowchart showing transfer processing by the relay device 10 according to the present embodiment. The flowchart shown in FIG. 6 is a transfer process performed on a frame received by the interface I3, and is equivalent to a frame transfer (bridge transfer) by a conventional bridge device.

  The transfer process illustrated in FIG. 6 is a transfer process performed by the transfer unit 102 in communication for the PC 50 to transmit a frame including print data to the MFP 20, for example. The PC 50 needs to hold the IP address of the MFP 20 before performing this communication. In this state, the PC 50 first transmits an ARP request frame for ARP (Address Resolution Protocol) resolution, and transmits a unicast frame including print data after ARP resolution. The following transfer processing is performed for each of these frames.

  In step S101, the interface I3 receives the frame. Assume that the destination address of the received frame is the MAC address of the MFP 20.

  In step S102, the transfer unit 102 refers to the transfer table 301 and determines the transfer destination interface of the frame. Specifically, the transfer unit 102 refers to the transfer table 301 and searches for an interface to which the MFP 20 exists. As a result, it is determined that the MFP 20 exists ahead of the interface I1, and the transfer destination interface of the frame is determined as the interface I1.

  In step S103, the transfer unit 102 provides the frame to the interface I1 that is a transfer destination interface.

  In step S104, the interface I1 transmits the frame. The transmitted frame is received by the MFP 20.

  FIG. 7 is a flowchart showing a transfer process including an address change by the relay device 10 according to the present embodiment. FIG. 8 is an explanatory diagram showing the MAC address of a frame transferred by the relay device 10 according to the present embodiment. With reference to these drawings, a transfer process performed for frames received by the interfaces I1 and I2 will be described. The same processes as those in FIG. 6 are denoted by the same reference numerals and detailed description thereof is omitted.

  The transfer process illustrated in FIG. 7 is a transfer process performed by the transfer unit 102 in communication for the terminal 30 to transmit a frame including print data to the MFP 20, for example. Before performing this communication, the terminal 30 needs to hold the virtual IP address of the MFP 20. In this state, the PC 50 first transmits an ARP request frame for ARP resolution, and transmits a unicast frame including print data after ARP resolution. The following transfer processing is performed for these frames.

  In step S201, the interface I1 or I2 receives the frame.

  In step S202, the address changing unit 103 refers to the correspondence table 401 and determines whether or not the frame received in step S201 (hereinafter also referred to as a received frame) is a target frame for address change. Specifically, the received frame is (1) a frame received by the interface I2, and the destination address is a frame (frame 81 in FIG. 8) that is the local MAC address of the MFP 20, and (2) the interface I1. Is received and the destination address is the frame (frame 83 in FIG. 8) that is the MAC address of the terminal 30, it is determined that the frame is the address change target frame.

  In step S203, the process branches according to the determination result in step S202. That is, if the received frame is the target frame (YES in step S203), the process proceeds to step S204. If the received frame is not the target frame (NO in step S203), the process proceeds to step S211.

  In step S204, the address changing unit 103 changes the destination address or the source address of the received frame.

  Specifically, when the destination address of the received frame is a local MAC address registered in the correspondence table 401 (in the case of (1) above), the address changing unit 103 selects the destination address of the received frame. Is changed to the global MAC address associated with the local MAC address in the correspondence table 401. If the destination address of the received frame is the local MAC address of the MFP 20, the address change converts the destination address of the received frame into the global MAC address of the MFP 20 (frame 82 in FIG. 8).

  In this case, the address changing unit 103 can further determine and convert the following IP address. That is, the address changing unit 103 determines whether or not the destination IP address of the received frame is the virtual IP address 2. When it is determined that the destination IP address of the received frame is the virtual IP address 2, the destination IP address of the received frame is changed to the IP address of the MFP 20, and the source IP address is changed to the virtual IP address 1.

  In addition, when the transmission source address of the received frame is a global MAC address registered in the correspondence table 401 (in the case of (2) above), the address changing unit 103 displays the transmission source of the received frame. The address is changed to the local MAC address associated with the global MAC address in the correspondence table 401. If the source address of the received frame is the global MAC address of the MFP 20, the source address of the received frame is converted to the local MAC address of the MFP 20 by the address change (frame 84 in FIG. 8).

  In this case, the address changing unit 103 can further determine and convert the following IP address. That is, the address changing unit 103 determines whether or not the destination IP address of the received frame is the virtual IP address 1. When it is determined that the destination IP address of the received frame is the virtual IP address 1, the destination IP address of the received frame is changed to the IP address of the terminal 30, and the source IP address is changed to the virtual IP address 2.

  In the above description, the unicast frame whose destination is a unicast address has been described. However, the same applies to a broadcast frame whose destination is a global address and an ARP request and ARP reply frame for ARP resolution. Change the address. These will be described later with reference to FIG.

  When the process of step S204 is completed, the received frame is transmitted by the transfer destination interface through steps S102 to S104, and the transfer process of the received frame is ended.

  In step S211, the transfer unit 102 discards the received frame and ends the transfer process of the received frame. This is because frames that are not subject to address change need not be transferred by the relay device 10.

  Through the series of processes described above, the relay apparatus 10 transfers the frames received by the interfaces I1 and I2 to an appropriate interface after changing the address. That is, unless the relay device 10 performs the address change as described above, appropriate communication between the terminal 30 and the MFP 20 is not performed, and the address change by the relay device 10 does not cause proper communication between the terminal 30 and the MFP 20. It can be said that is realized.

  If the destination address of the frame received by the relay device 10 in step S201 is the global MAC address of the MFP 20, the frame does not correspond to the address change target frame (No in step S203), and the frame is discarded. (Step S211).

  Hereinafter, a detailed network configuration of the communication system 1 including specific settings of the MAC address and the IP address, and a specific example of a frame address change will be described in detail with reference to FIGS. 9 and 10.

  FIG. 9 is a detailed network configuration diagram of the communication system 1 according to the present embodiment. FIG. 9 shows a detailed network configuration of the communication system 1. In FIG. 9, the source MAC address (SMAC (Source MAC)) and the destination MAC address (DMAC) of the unicast frame, the broadcast frame, and the ARP frame that are transmitted and received by the terminal 30 and the MFP 20 via the relay device 10 are shown. (Destination MAC)), source IP address (SIP (Source IP)), and destination IP address (DIP (Destination IP)) are shown.

  Further, each frame shown in FIG. 9 (frames 91, 92, 93, and 94 in FIG. 9) is transferred between the relay device 10 and the terminal 30 according to the present embodiment shown in FIG. 8 frames 81, 82, 83 and 84). In FIG. 9, the MAC address of each frame in FIG. 8 and the IP address of each device (relay device 10, MFP 20, terminal 30, AP 40, and PC 50) are shown. Various frames (unicast frame, broadcast frame, The address change in the relay device 10 will be described more specifically by dividing it into ARP frames).

  In the figure, the MAC address or IP address surrounded by a solid line in the figure showing the interface means the MAC address or IP address actually set for the interface, and the MAC address surrounded by a broken line. The address or IP address means a virtual MAC address or virtual IP address held by the holding unit 101 and virtually assigned to the interface.

  For example, the transmission source MAC address of the unicast frame 91 transmitted from the terminal 30 to the MFP 20 as the destination is the MAC address (MAC (T30)) of the terminal 30, and the destination MAC address is the local MAC address of the MFP 20 (MAC (MFP 20L )). The source IP address of the unicast frame is “A.30”, and the “destination IP address” is “A.10”.

  Thereafter, the interface I2 of the relay device 10 receives the frame transmitted by the terminal 30. The relay device 10 changes the destination MAC address of the frame to the global MAC address (MAC (MFP 20G)) of the MFP 20 by changing the address, and transmits the unicast frame 92 through the interface I1. Thereafter, the MFP 20 receives the frame.

  FIG. 10 is a flowchart showing a network configuration procedure of the communication system according to the present embodiment.

  In step S301, the relay device 10 creates an interface I3 (also referred to as wlan0). Creating an interface means starting to operate the interface as a communicable interface. At this point, it is assumed that the wired network interface I1 has already been created.

  In step S302, the relay device 10 establishes a communication link L3 with the AP 40 through the interface I3.

  In step S303, the relay device 10 starts frame transfer of the frame between the interface I1 and the interface I3. Specifically, the relay device 10 activates the above-described software for bridge transfer, so that when the interface I1 or the interface I3 receives a frame, the relay device 10 can perform the bridge transfer of the frame.

  In step S304, the relay device 10 acquires the IP address of the MFP 20. There are various methods for acquiring the IP address of the MFP 20.

  For example, when the MFP 20 is assigned an IP address from the AP 40 by DHCP (Dynamic Host Configuration Protocol), the relay apparatus 10 analyzes the contents of the DHCP protocol packet (DHCP ACK) including the assigned IP address. To obtain the assigned IP address.

  For example, when the MFP 20 is fixedly assigned a predetermined IP address, the relay apparatus 10 acquires the IP address of the MFP 20 by acquiring the predetermined IP address.

  In step S <b> 305, the relay device 10 acquires the virtual IP address 1 assigned to the interface I <b> 1 and holds it by the holding unit 101. The virtual IP address 1 is an IP address belonging to the same subnetwork B as the communication device connected to the MFP 20 and the LAN 60, and can be selected and used from an IP address excluding the IP address assigned to the MFP 20 and the communication device. . For example, the relay device 10 may permanently assign an IP address that is not included in the IP address range that the AP 40 allocates to the subnetwork by DHCP, or acquires one IP address from the AP 40 by DHCP, The address may be used as the virtual IP address 1.

  In step S306, the relay device 10 creates an interface I2 (also referred to as wlan2).

  In step S307, the relay device 10 establishes a communication link L2 with the terminal 30 through the interface I2.

  In step S <b> 308, the relay device 10 acquires the virtual IP address 2 assigned to the interface I <b> 2 and holds it by the holding unit 101. The virtual IP address 2 is an IP address belonging to the sub-network A to which the communication link L2 belongs, and can be selected and used from an IP address excluding the IP address assigned to the terminal 30.

  In step S309, the relay device 10 starts bridge transfer involving the address change by the address changing unit 103 between the interface I1 and the interface I2.

  Specifically, the communication system 1 shown in FIG. 9 is constructed by the above-described series of procedures.

  The address changing unit 103 appropriately communicates between a communication terminal outside the network and a communication device in the network while maintaining the security strength of the network by changing at least the destination MAC address or the transmission source MAC address of the frame. Can be done. Further, when the terminal 30 and the MFP 20 or the like perform communication by IP, if the destination IP address or the source IP address is converted in addition to the change of the MAC address, the terminal 30 and the MFP 20 or the like There is an advantage that a conventionally used protocol stack can be used as it is.

  As described above, the relay device in the present embodiment communicates with the second communication device by transmitting and receiving a frame using the virtual MAC address, and also performs the first communication by transmitting and receiving a frame using the actual MAC address. Communicate with the device. The relay device relays these communications to cause the second communication device (corresponding to a communication terminal outside the network) to communicate with the first communication device (corresponding to a communication device in the network). Can do. Therefore, the relay device can appropriately perform communication between the communication terminal outside the network and the communication device in the network.

  In addition, the relay device transmits and receives a frame including an IP packet using a virtual IP address with each of the first communication device and the second communication device. Thereby, when a 1st communication apparatus and a 2nd communication apparatus perform IP communication, a 2nd communication apparatus can be made to perform IP communication with a 1st communication apparatus appropriately.

  Further, the relay device transfers the frame between the communication device in the network and the first communication device while performing communication between the first communication device and the second communication device, so that the communication device in the network Communication with the first communication device can be performed.

  Further, the relay device prohibits communication between the second communication device and the communication device in the network, so that the communication partner with which the second communication device can communicate can be limited to only the first communication device. Therefore, the relay device can appropriately perform communication between the communication terminal outside the network and the communication device in the network while maintaining the security strength of the network.

  In addition, the relay device establishes a communication link with the second communication device with a security strength lower than the security strength required when the second communication device is connected to the network. Therefore, the second communication device can establish a communication link with the relay device without requiring high security strength and can communicate with the first communication device.

  In addition, the relay device transmits and receives a frame between the first communication device and the second communication device while absorbing a difference in communication method between the first link and the second link, thereby Communication with two communication devices can be performed.

  In addition, the relay device transmits and receives a frame between the first communication device and the second communication device while absorbing the difference in communication method between Wi-Fi Direct (registered trademark) communication and other communication, Communication between the first communication device and the second communication device can be performed.

  In the above-described embodiment, each component may be configured with dedicated hardware, or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.

  Although the relay device and the like of the present invention have been described based on the embodiment, the present invention is not limited to this embodiment. Unless it deviates from the meaning of this invention, the form which carried out the various deformation | transformation which those skilled in the art can think to this embodiment, and the structure constructed | assembled combining the component in different embodiment is also contained in the scope of the present invention. .

  The present invention can be used for a relay device or the like that appropriately performs communication between a communication terminal outside the network and a communication device in the network. Specifically, it can be used for communication devices such as a network bridge device, a communication media conversion device, and a router device.

DESCRIPTION OF SYMBOLS 1 Communication system 10 Relay apparatus 20 MFP
30 terminals 40 AP
50 pcs
60 LAN
101 Holding Unit 102 Transfer Unit 103 Address Changing Unit 301 Transfer Table 401 Correspondence Table I1, I2, I3 Interface L1, L2, L3 Communication Link

Claims (7)

A relay device,
A first interface connected to the first communication device through the first link;
A second interface connected to a second communication device different from the first communication device through a second link different from the first link;
A third interface connected to the network through a third link belonging to the same subnetwork as the first link;
A holding unit that holds a virtual MAC address that is a MAC address used for direct communication with the second communication device among MAC (Media Access Control) addresses of the first communication device;
An address changing unit for changing an address of a frame received by one of the first interface and the second interface;
A transfer unit that transfers the frame in which the address change unit has changed the address by transmitting the frame different from the one of the first interface and the second interface;
The address changing unit performs the address change,
(A) When the destination address of the frame received by the second interface is the virtual MAC address held by the holding unit, the destination address of the frame is the MAC address of the first communication device. Change to a real MAC address that is a MAC address used for communication with the relay device,
(B) When the destination address of the frame received by the first interface is the MAC address of the second communication device, the source address of the frame is changed to the virtual MAC address held by the holding unit And
The transfer unit further includes:
Transferring frames between the first interface and the third interface;
A relay device that prohibits transmission of a frame received by one of the second interface and the third interface through the other of the second interface and the third interface . The holding unit further includes:
Holding an IP (Internet Protocol) address included in the subnetwork to which the first link belongs as a first virtual IP address, holding an IP address included in the subnetwork to which the second link belongs as a second virtual IP address;
The address changing unit further changes the address,
(A) When the destination IP address of the frame received by the second interface is the second virtual IP address, the destination IP address of the frame is changed to the IP address of the first communication device and the frame Change the source IP address to the first virtual IP address,
(B) When the destination IP address of the frame received by the first interface is the first virtual IP address, the destination IP address is changed to the IP address of the second communication device and the source IP of the frame The relay device according to claim 1, wherein an address is changed to the second virtual IP address. Before Symbol transfer unit further,
The transmission source address of the frame received by the first interface and the third interface is stored as a forwarding table in association with the interface that has received the frame,
3. When the first interface or the third interface receives a frame, the received frame is transferred by being transmitted by an interface associated with the destination address of the frame in the transfer table. 4. Relay device. The third interface has established the third link with a third communication device;
The second communication device is capable of establishing a fourth communication link with the third communication device;
The relay device according to claim 1, wherein the second link has a lower security strength than the fourth communication link. The second link, the relay device according to any one of claims communication method of the data link layer is different from the first link 1-4. The second link is a communication link for performing Wi-Fi Direct (registered trademark) communication,
The virtual MAC address, said in a predetermined manner was converted from the real MAC address, Wi-Fi Direct (TM) is a local MAC address for communication according to any one of claims 1 to 5 Relay device. A frame relay method by a relay device,
The relay device is
A first interface connected to the first communication device through the first link;
A second interface connected to a second communication device different from the first communication device through a second link different from the first link ;
A third interface connected to the network through a third link belonging to the same subnetwork as the first link ,
The relay method is:
Holding a virtual MAC address that is a MAC address used for direct communication with the second communication device among the MAC addresses of the first communication device;
An address changing step for changing an address of a frame received by one of the first interface and the second interface;
A transfer step in which the frame whose address has been changed in the address change step is transferred by being transmitted by the other one different from the one of the first interface and the second interface,
In the address change step, by the address change,
(A) When the destination address of the frame received by the second interface is the virtual MAC address held in the holding step, the relay destination of the MAC address of the first communication device is used as the relay address. Change to the real MAC address that is the MAC address used for communication with the device,
(B) When the destination address of the frame received by the first interface is the MAC address of the second communication device, the transmission source address of the frame is changed to the virtual MAC address held in the holding step ;
In the transferring step,
Transferring frames between the first interface and the third interface;
A relay method for prohibiting transmission of a frame received by one of the second interface and the third interface through the other of the second interface and the third interface .

Images