JP4524906B2 - Communication relay device, communication relay method, communication terminal device, and program storage medium - Google Patents



Publication number: JP4524906B2 (application JP2000337392A)
Prior art keywords: port number, internal terminal
Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Other languages: Japanese (ja)
Other versions: JP2002141953A5, JP2002141953A
Inventor: 伸昌 浅井
Current assignee: Sony Corp (as listed by Google Patents)
Original assignee: Sony Corp
Application JP2000337392A filed by Sony Corp; published as JP2002141953A and JP2002141953A5; granted and published as JP4524906B2; current status Expired - Fee Related




  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Communication Control (AREA)
  • Computer And Data Communications (AREA)


In the management data of FIG. 8, the private IP address is the IP address assigned by the SOHO router 310. The terminal name is an identifier that distinguishes each terminal managed by the SOHO router 310, and the terminal attribute indicates the type of device, such as a PC (Personal Computer). The service name indicates the service (application) provided by the IP terminal. The service attribute indicates the mode of the FTP, HTTP or proprietary service. The external port number is a number chosen by the SOHO router to identify the service when it is presented to WAN-side clients. The internal port number is the number set for each service in order to identify it.
If it is determined in step S102 that the processing is not a new service registration, it is determined (S109) whether an [ACK] has been received in response to the [KEEP ALIVE] that is sent to the service-registered IP terminal as an inquiry about whether the service can be provided. The IP terminal outputs an ACK, as service-availability status information, when the service can be provided. When the SALd of the network connection device receives an ACK from the IP terminal, it verifies (S110) whether the ACK corresponds to a registered service and, if it does, resets the timer (S111). An ACK that does not correspond to a registered service is treated as invalid (S112).
If it is determined in step S109 that the received message is not an [ACK] in response to a [KEEP ALIVE], it is determined (S113) whether a timer event has occurred; if so, the timer processing of FIG. 11 (S114) is executed.
The timer event processing of FIG. 11 is described next. First it is determined (S202) whether the timer is 0; if it is, a [KEEP ALIVE], the inquiry to the registered IP terminal about whether the service can be provided, is sent to the IP terminal (S203). Next it is determined (S204) whether the timer has exceeded the predetermined waiting time for an ACK response from the IP terminal; if it has, the registered service is deleted (S205) from the terminal management data (see FIG. 8) managed by the SALd of the network connection device (e.g. router, gateway), and the timer is updated (S206). The timer event of FIG. 11 is a periodic interrupt event started by the [KEEP ALIVE] issuing process, which is executed as the inquiry to the registered IP terminal about whether the service can be provided.
SALd is a daemon that accepts TCP/UDP connections on a well-known port, a reserved port of the network connection device (e.g. SOHO router). Consequently, once the address (global IP address) of the SOHO router and that port number become known, any malicious user on the WAN side can reach it. However, the service access device list described with reference to FIG. 9 is confidential information of the individual or business owner within the SOHO environment, and it is even less acceptable that the network device itself could be accessed and controlled from outside.
Therefore, in this system, authentication is performed when a WAN-side client accesses the SALd of the network connection device (e.g. SOHO router). Specifically, the user name and password authentication implemented by an HTTPd (HTTP daemon) or the like is used: SALd is accessed through CGI (Common Gateway Interface) or a similar mechanism placed under a directory for which the HTTPd server performs authentication. Authentication for this directory is carried out against a pre-registered user name and password, and the service access device list is provided only to authorized users.
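The authentication gate described above, as an added example in Python that is not the patent's or Sony's code. The description only says that the HTTPd's user/password authentication protects the directory through which SALd is reached, so the Basic-authentication parsing, the salted PBKDF2 credential store, the registered user "owner" and the JSON response format are assumptions constructed for illustration; the point shown is that the list is returned only after credentials verify, and that missing, malformed and wrong credentials all get the same refusal.

```python
"""Authentication gate in front of the service access device list.

Added example; not the patent's or Sony's code. Basic-auth parsing,
PBKDF2 credential storage, the user name and the JSON reply format are
assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import json

PBKDF2_ROUNDS = 100_000


def make_credential(password, salt):
    """Store a salted PBKDF2 digest rather than the password itself (assumed scheme)."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed registered user for the example; a real router would load this from its config.
USERS = {"owner": make_credential("correct horse battery staple", b"constructed-salt")}


def verify(user, password):
    """Constant-time comparison against the stored digest; unknown users still pay the PBKDF2 cost."""
    salt, digest = USERS.get(user, (b"no-such-user-salt", b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return user in USERS and hmac.compare_digest(candidate, digest)


def basic_header(user, password):
    """Build the Authorization header a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle_list_request(headers, service_list):
    """Serve the service access device list only to an authenticated WAN client.

    Returns (status, response headers, body) like a CGI handler would.
    """
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not verify(*creds):
        # Same 401 for missing, malformed and wrong credentials: nothing about the list leaks.
        return 401, {"WWW-Authenticate": 'Basic realm="SALd"'}, ""
    return 200, {"Content-Type": "application/json"}, json.dumps(service_list)
```

Basic credentials are only base64-encoded, so the protected directory needs to be served over TLS; otherwise anyone observing the WAN path recovers the user name and password and with them the list.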
First, the registration message sent as a registration request from the SALdc of the IP terminal to the SALd of the network connection device (e.g. router, gateway) is as shown in FIG. 6. Based on the registration message, the SALd generates the management data (FIG. 8) and the NAT conversion table (FIG. 7), and sends a registration completion message to the SALdc of the IP terminal. Thereafter it periodically monitors the running state of the service by sending KEEP ALIVE and receiving ACK from the IP terminal; if no ACK is received, the registered service is deleted from the management data. The SALdc of the IP terminal outputs an ACK to the SALd, as service-availability status information, only when the service can be provided.
[Explanation of reference numerals]
101 to 10n communication terminals
120 LAN
130 NAT box
140 Internet
201 to 20n communication terminals
220 LAN
230 IP masquerade box
240 Internet
310 SOHO router
311 IP terminal 1
312 IP terminal 2
320 SOHO router
321 HTTP server
322 FTP server
323 RTSP server
401 SOHO router
402 PC1
403 application gateway PC2
404 camera
405 deck
406 USB device
The present invention relates to a communication relay device, a communication relay method, a communication terminal device, and a program storage medium. More specifically, the present invention relates to a communication relay device, a communication relay method, a communication terminal device, and a program storage medium that associate a private IP address with a global IP address and enable one-to-one access from both.
[Prior art]
Currently, IP (Internet Protocol) is used as the routing protocol on the Internet, which has been spreading explosively. The IP currently in use is IPv4, in which a 32-bit address (IP address) identifies each source/destination. Internet communication adopts global IP addresses, which assign a 32-bit IP address uniquely to each source/destination, and individual sources/destinations are distinguished by their IP address. However, the Internet is expanding rapidly, and the limited address space of IPv4, that is, the exhaustion of global addresses, has become a problem. To solve this, the IETF (Internet Engineering Task Force) has proposed IPv6, a new next-generation IP that expands the address space from 32 bits to 128 bits. However, the transition to IPv6 takes time and is hardly an immediate remedy.
As a way to expand the address space while continuing to use IPv4, the use of private addresses has been proposed. Unlike a global address, a private address is used only within a particular organization. For example, a company can set up an arbitrary number of private addresses and assign one to each employee terminal. When private addresses are used, they must be translated to a global IP address when connecting to the outside; the device that does this is a NAT (Network Address Translator).
For example, one global IP address may be obtained from an ISP (Internet Service Provider) while the inside of the LAN is managed with private IP addresses by a DHCP (Dynamic Host Configuration Protocol) server. In this scheme, when a packet is sent from inside the LAN (Local Area Network) to the WAN (Wide Area Network), the SOHO router rewrites the source (src) address in the IP header to the SOHO router's own global IP address; this is called basic NAT. FIG. 1 illustrates a system using basic NAT. In FIG. 1 there are TCP/IP (Transmission Control Protocol/Internet Protocol) connection terminals 101 to 10n, for example terminals within a company to which private addresses are assigned, each connected to the NAT 130 via the LAN 120. The NAT 130 is connected to the Internet 140, and the IP addresses of the terminals 101 to 10n are translated into global addresses by the NAT 130.
An IP address is a 32-bit value written in decimal notation in 8-bit units. The NAT 130 assigns a preset number of global addresses to the packets from the connection terminals 101 to 10n in order of arrival, so more communications than that number of global addresses cannot run in parallel: the number of parallel communications is bounded by the number of global addresses. Since NAT in this form associates one global address with one private address, it does not solve the fundamental address-exhaustion problem.
To save global IP addresses further, a technique is sometimes used that supports a plurality of private IP addresses through different TCP ports of one global IP address. The SOHO router translates the source (src) port in addition to the src address, so that packets can be sent simultaneously from a plurality of IP terminals in the LAN to the WAN side, and a return packet from the WAN side is translated back to the right private IP address by looking at the translated src port. This method is called extended NAT, commonly known as IP masquerade.
FIG. 2 shows a communication system configuration using IP masquerade. In FIG. 2 there is one global address on the Internet 201 side. When each TCP/IP connection terminal, for example a terminal within a company to which a private address is assigned, can be identified by a port number as defined for TCP and UDP (User Datagram Protocol), each terminal communicates individually through the one common global address by means of its TCP or UDP port number.
IP masquerade allows simultaneous access from multiple terminals to the same terminal on the WAN side. In this method, however, unless a session is first established from a LAN-side terminal to a WAN-side terminal, the WAN side cannot connect to the inside of the LAN and no data communication can take place. No method has been proposed for initiating data communication from the WAN side to the LAN side through NAT. Furthermore, there is no means of informing the WAN side what services are available on the LAN side. There are cases in which an anonymous FTP server or the like is run inside the LAN, but this requires the mapping configuration in the NAT to be set manually in advance, and a client accessing from the WAN side must already know that the server exists.
[Problems to be solved by the invention]
The present invention has been made in view of the above drawbacks of the prior art, and its object is to provide a communication relay device, a communication relay method, a communication terminal device, and a program storage medium that make it possible to use, from the WAN side managed by a global address, a registered service under private address management.
[Means for Solving the Problems]
  The first aspect of the present invention is
  a communication relay device that functions as relay means between an external network and a local network,
  having a configuration that acquires service information indicating the services available on an internal terminal connected to the local network and on lower-layer devices connected to the internal terminal, manages it for each internal terminal, sets unique access information corresponding to each of the provided services, and, in response to an access request to the internal terminal from the external network, executes processing to present the service information and the access information for the service, and
  the access information for the service is
  information set in correspondence with the internal port number uniquely set for each of the provided services, and is an external port number set to a value different from the internal port number; this characterizes the communication relay device.
Furthermore, in one embodiment of the communication relay device of the present invention, the communication relay device periodically receives from the internal terminal connected to the local network status information indicating whether the services the terminal can provide are available, updates the terminal management data based on that status information, and updates the service information and access information presented to the external network based on the updated terminal management data.
Furthermore, in an embodiment of the communication relay device of the present invention, the communication relay device, in response to an access request to the internal terminal from a client via the external network, provides the client with the external port number, which is set to a value different from the internal port number uniquely set for each service provided by the internal terminal, and, in response to an access request from the client that uses that external port number, executes conversion from the external port number to the internal port number.
Furthermore, in one embodiment of the communication relay device of the present invention, the communication relay device has a network address conversion table that associates a. the global IP address of the relay device, b. an external port number set to a value different from the internal port number uniquely set for each service provided by the internal terminal, c. the individually set private IP address of the internal terminal, and d. the internal port number uniquely set for each service provided by the internal terminal; based on this network address conversion table, the communication relay device converts the global IP address and external port number of the relay device contained in an access request to the internal terminal via the external network into the private IP address and the internal port number.
Furthermore, in an embodiment of the communication relay device of the present invention, the communication relay device authenticates the client making an access request to the internal terminal from the external network and, on condition that authentication succeeds, executes processing to present the service information and the access information for the service.
Further, in an embodiment of the communication relay device of the present invention, the communication relay device constructs, in response to an access request to the internal terminal from the external network, a firewall in which the address of the requesting client is set, and performs access restriction based on it.
  Furthermore, the second aspect of the present invention provides
  a communication relay method that functions as relay means between an external network and a local network, comprising:
  a step of acquiring service information indicating the services available on an internal terminal connected to the local network and on lower-layer devices connected to the internal terminal, managing it for each internal terminal, and setting unique access information corresponding to each of the services provided by the internal terminal; and
  a step of presenting, in response to an access request for the internal terminal from the external network, the service information and the access information for the service, the access information being information set in correspondence with the internal port number uniquely set for each of the services provided by the internal terminal and being an external port number set to a value different from the internal port number;
  this characterizes the communication relay method.
  Furthermore, the third aspect of the present invention provides a communication terminal device connected to a local network managed by a communication relay device that functions as relay means between an external network and the local network, the communication relay device acquiring service information indicating the services that can be provided by the internal terminal connected to the local network and by lower-level devices connected to the internal terminal, managing it for each internal terminal, setting unique access information for each of the provided services, and, in response to an access request to the internal terminal from the external network, presenting the service information and the access information for the service, that access information being information set in correspondence with the internal port number uniquely set for each of the provided services and being an external port number set to a value different from the internal port number,
  wherein the communication terminal device registers service information indicating the services it can provide in the communication relay device as a configuration including service identification data and the internal port number corresponding to the service; this characterizes the communication terminal device.
Furthermore, in an embodiment of the communication terminal device of the present invention, the communication terminal device has a configuration for outputting status information indicating whether or not a service can be provided, in response to a request from the communication relay device.
  Furthermore, the fourth aspect of the present invention provides
  a program storage medium that provides a computer program causing a computer system to execute data communication processing in a communication relay system functioning as relay means between an external network and a local network, the computer program comprising:
  a step of acquiring service information indicating the services available on an internal terminal connected to the local network and on lower-layer devices connected to the internal terminal, managing it for each internal terminal, and setting unique access information corresponding to each of the services provided by the internal terminal; and
  a step of presenting, in response to an access request for the internal terminal from the external network, the service information and the access information for the service, the access information being information set in correspondence with the internal port number uniquely set for each of the services provided by the internal terminal and being an external port number set to a value different from the internal port number;
  the computer program being stored in the program storage medium.
Note that the program storage medium according to the fourth aspect of the present invention is a medium that provides a computer program in a computer-readable format to, for example, a general-purpose computer system capable of executing various program codes.
Such a program storage medium defines a structural or functional cooperative relationship between the computer program and the storage medium for realizing the function of a predetermined computer program on a computer system. In other words, by installing the computer program on the computer system via the storage medium, a cooperative action is exhibited on the computer system, and the same effects as in the other aspects of the present invention are obtained.
Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings.
[1. System overview]
FIG. 3 is a diagram explaining the outline of a system constituted by the communication relay device and the communication terminal device of the present invention. FIG. 3 shows an environment in which the Internet, as the WAN environment, and for example a SOHO (Small Office/Home Office), as the LAN environment, are interconnected by a router (SOHO router) serving as the network connection device that is the communication relay device, that is, an example of a SOHO environment IP-connected to the Internet. Here a router is described as the example of the device connecting the networks, but a gateway or other network connection device can also be used as a device having the same configuration as in the following description.
As shown in FIG. 3, each home, Mr. A's house and Mr. B's house, or each other office, has one SOHO router 310, 320 installed as a communication relay device connected to the Internet. Each SOHO router is assigned one or more global IP addresses (IPv4) by an ISP (Internet Service Provider) or the like, and manages a plurality of IP terminals (PCs, mobile terminals, etc.) as communication terminal devices under it. FIG. 3 shows an example in which IP terminal 1, 311 and IP terminal 2, 312 are connected to the SOHO router 310 of Mr. A's house, and an HTTP server 321, an FTP server 322 and an RTSP server 323 are connected as IP terminals to the SOHO router of Mr. B's house.
In the example of FIG. 3, the global IP address [43.11.XX.XX] is set on the SOHO router 310 of Mr. A's house and the global IP address [43.10.XX.XX] on the SOHO router 320 of Mr. B's house. Here, the SOHO router serves both as a DHCP (Dynamic Host Configuration Protocol) server that dynamically assigns an IP address to each host requesting access, and as a DNS (Domain Name System) server that associates domain names with IP addresses. The IP terminals managed by each SOHO router 310, 320 can connect, using the IP address assigned by the SOHO router, to external terminals via the router and the Internet, and can perform various processes such as mail transfer and image transfer.
The SOHO routers 310 and 320 allocate private IP addresses to the managed terminals 311, 312, 321, 322 and 323 when the IP terminals connect, and register their names. An IP terminal managed by a SOHO router can provide services such as FTP (File Transfer Protocol), HTTP (Hyper Text Transfer Protocol) and RTSP (Real-time Streaming Protocol).
In the example of FIG. 3, as private IP addresses for its managed IP terminals, the SOHO router 310 of Mr. A's house sets [] for IP terminal 1, 311 and [192.168.0.3] for IP terminal 2, 312, and the SOHO router 320 of Mr. B's house sets [] for the HTTP server 321, [] for the FTP server 322 and [] for the RTSP server 323.
[2. Service registration]
The SOHO routers 310 and 320 in the configuration of FIG. 3, the network connection devices that are the communication relay device of the present invention, register the services currently available on the IP terminals 311, 312, 321, 322 and 323 under their management, at the time each terminal connects to the SOHO router, in a service access device list management daemon on the SOHO router (hereinafter abbreviated SALd, Service Access Device List Daemon). A daemon is a system-resident program: an application program, or a program that automatically executes a specific process according to the state of the system.
The SALd set in the network connection device (e.g. router, gateway) that is the communication relay device of the present invention is a program that hierarchically manages the services each IP terminal in the SOHO environment can provide, dynamically updates the service contents, and presents them to the WAN side.
On the other hand, a service monitoring daemon (SALd client, abbreviated SALdc) is set in each IP terminal managed by a network connection device having SALd. When the network connection is made or the IP terminal is powered on, the SALd of a network connection device such as a SOHO router receives a service registration message (REGISTER) from the service monitoring daemon (SALdc) on each IP terminal. SALd receives REGISTER messages from all SALdc under its internal management and manages them hierarchically for each terminal.
As an example of hierarchical management of terminal services using private IP addresses on the LAN side of a SOHO environment, there may be a PC in the LAN with a function such as an application gateway, managing non-IP devices connected to it over a dedicated data link such as 1394 or USB. FIG. 4 shows an example of a device connection system with such a hierarchical structure.
In the system of FIG. 4, a SOHO router 401 as the network connection device is connected to the Internet; PC1 402 and PC2 403, which has an application gateway function, are connected below it as IP terminals; and below PC2 403 are connected, as non-IP terminals, a camera 404 and a deck 405 on the 1394 bus and a USB-connected device 406.
The services performed by the non-IP devices are services of the devices below the IP terminal PC2 403, for example the video service of a 1394 DV camera or of the deck. The SOHO router 401 as the network connection device can perform hierarchical management by registering the services provided by the IP terminals and by the non-IP terminals.
FIG. 5 shows the service registration method when a plurality of services exist on one IP terminal. FIG. 5 shows the system configuration of Mr. A's house in FIG. 3. Suppose that on IP terminal 1, 311, FTP (File Transfer Protocol), HTTP (Hyper Text Transfer Protocol) and some service unique to the terminal are running, and that on terminal 2, 312, HTTP and RTSP (Real-time Streaming Protocol) services are running.
IP terminal 1, 311 acquires the information on the services (applications) running on it through monitoring by its service monitoring daemon (SALdc), obtaining {<FTP, 20>, <HTTP, 80>, <proprietary service, 6001>}, and IP terminal 2, 312 obtains {<HTTP, 80>, <RTSP, 554>}. Each IP terminal registers (REGISTER) this running-service (application) information with the SALd of the network connection device (SOHO router).
FIG. 6 shows an example of a registration message (REGISTER) transmitted from the service monitoring daemon (SALdc1) of IP terminal 1, 311 to the SOHO router 310.
As shown in FIG. 6, the registration message consists of the private IP address assigned to the terminal, the terminal name, the terminal attribute, the service name, the service attribute and the internal port number. The private IP address is the address assigned by the SOHO router 310. The terminal name is an identifier that distinguishes each terminal managed by the SOHO router 310, and the terminal attribute indicates the type of device, such as a PC (Personal Computer): it is data indicating the kind of device that can be made to communicate by setting an IP address, such as an Internet-capable television, video recorder, server or other home appliance. The service name indicates the service (application) provided by the IP terminal. In the example of FIG. 6, IP terminal 1, 311 is a PC that can provide FTP (File Transfer Protocol), HTTP (Hyper Text Transfer Protocol) and another unique service. The service attribute indicates the mode of the FTP, HTTP or unique service. The internal port number is the number set for each service in order to identify it.
The SALd of the network connection device (e.g. router, gateway) receives the registration message shown in FIG. 6 and registers it as management data (see FIG. 8).
[3. Service Update]
The SALd of the network connection device (e.g. router, gateway) periodically exchanges service information with the SALdc of each managed IP terminal and updates the contents of the services provided by the IP terminals. The SALd periodically checks with the SALdc of each managed IP terminal whether the services registered in that terminal's management data are still usable; this is done in units of 30 seconds.
The SALd of the network connection device (e.g. router, gateway) transmits a message (KEEP ALIVE) indicating the service contents registered in the service access device list for the managed IP terminal; the SALdc of the managed IP terminal receives the KEEP ALIVE and returns an ACK if the service can be provided on the terminal side. SALd waits a predetermined time for this ACK and, if none is received, deletes the entry from the service access device list. In addition, SALdc monitors services newly started on the IP terminal and sends a REGISTER message to SALd.
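The registration and KEEP ALIVE lifecycle of this section, together with the ACK handling (S109 to S112) and the FIG. 11 timer processing (S202 to S206) described for the flowcharts, as an added example in Python; it is not code from the patent or from Sony. The dictionary field names of the REGISTER message, the external-port pool starting at 40000, the 30-second period and the 10-second ACK wait are assumptions; the constructed registration below uses the 192.168.0.3 address and the HTTP internal port 80 that the description gives for IP terminal 2, 312.

```python
"""Model of the SALd service registry with KEEP ALIVE monitoring.

Added example; not code from the patent or from Sony. Field names,
the external-port pool, the period and the ACK wait are assumptions.
"""
from dataclasses import dataclass

KEEP_ALIVE_PERIOD = 30.0  # seconds between KEEP ALIVE inquiries (assumed; the page says 30-second units)
ACK_WAIT = 10.0           # seconds SALd waits for the ACK before deleting the service (assumed)


@dataclass(frozen=True)
class ServiceKey:
    """Identifies one registered service: terminal private IP, service name, internal port."""
    private_ip: str
    service: str
    internal_port: int


@dataclass
class Entry:
    """Management data kept per service (a subset of the FIG. 8 fields)."""
    terminal_name: str
    terminal_attr: str
    service_attr: str
    external_port: int
    last_ack: float             # time of registration or of the last valid ACK
    awaiting_ack: bool = False  # True between sending KEEP ALIVE and receiving ACK
    keepalive_sent: float = 0.0


class SALd:
    def __init__(self, first_external_port=40000):
        self.table = {}  # ServiceKey -> Entry
        self._next_ext_port = first_external_port

    def register(self, msg, now):
        """Handle a REGISTER message and return the external port assigned to the service."""
        key = ServiceKey(msg["private_ip"], msg["service"], msg["internal_port"])
        entry = self.table.get(key)
        if entry is not None:  # re-registration of a known service just refreshes its timer
            entry.last_ack = now
            entry.awaiting_ack = False
            return entry.external_port
        ext = self._allocate_external_port(key.internal_port)
        self.table[key] = Entry(msg["terminal_name"], msg["terminal_attr"],
                                msg["service_attr"], ext, last_ack=now)
        return ext

    def _allocate_external_port(self, internal_port):
        """The external port must be unused and, as the claims require, differ from the internal port."""
        used = {e.external_port for e in self.table.values()}
        while self._next_ext_port in used or self._next_ext_port == internal_port:
            self._next_ext_port += 1
        port = self._next_ext_port
        self._next_ext_port += 1
        return port

    def on_ack(self, key, now):
        """S110-S112: an ACK for a registered service resets its timer; any other ACK is invalid."""
        entry = self.table.get(key)
        if entry is None:
            return False
        entry.awaiting_ack = False
        entry.last_ack = now
        return True

    def on_timer(self, now):
        """FIG. 11: issue KEEP ALIVE when the period has elapsed; delete services whose ACK wait expired."""
        keepalive, deleted = [], []
        for key, entry in list(self.table.items()):
            if entry.awaiting_ack:
                if now - entry.keepalive_sent >= ACK_WAIT:  # S204/S205: no ACK in time
                    deleted.append(key)
                    del self.table[key]
            elif now - entry.last_ack >= KEEP_ALIVE_PERIOD:  # S202/S203: time to ask again
                entry.awaiting_ack = True
                entry.keepalive_sent = now
                keepalive.append(key)
        return {"keepalive": keepalive, "deleted": deleted}

    def presented_services(self):
        """What SALd presents to a WAN client: service name and external port, never the private address."""
        return [(k.service, e.external_port) for k, e in self.table.items()]
```

Deleting on a missed ACK rather than keeping a stale mapping is the security-relevant choice here: a NAT row that outlives its service would forward WAN traffic to a port nothing is listening on, or to whatever later binds it.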
[4. Service mapping to NAT]
The SALd of the network connection device (e.g. router, gateway) performs service mapping so that the services the managed IP terminals can provide can be presented to clients on the WAN side. Because each IP terminal on the LAN side is managed under a private IP address, it cannot be reached directly from the WAN side; a WAN side client therefore cannot directly ask an IP terminal in the LAN which services it provides.
For a WAN side client to learn which services the IP terminals in the LAN provide, and to use them, requests must be answered at the global IP address assigned to the network connection device (e.g. router, gateway) that manages the IP terminals, and must be translated there to the private address of the IP terminal. As the registration message of FIG. 6 shows, one IP terminal may provide several services (FTP, HTTP, and so on), so not only the IP address but also the port number of each service is required for this translation.
In the SALd of the network connection device (e.g. router, gateway), an external port to be exposed on the WAN side is decided for each service provided by a managed IP terminal, and the NAT (Network Address Translator) is configured so that, for a packet that arrives at the global IP address of the SOHO router and that external port, the destination address and destination port in the packet header are rewritten to the private IP address of the IP terminal and the internal port number of the service. An example of the conversion table set in the NAT is shown in FIG. 7.
The example of FIG. 7 is an example of a conversion table set in the SOHO router 310 in the system of FIG. As shown in FIG. 7, a pre-conversion destination IP address, a pre-conversion destination port number, a post-conversion destination IP address, and a post-conversion destination port number are set in the NAT conversion table.
The post-conversion destination IP address is the private IP address assigned by the network connection device (SOHO router 310) to IP terminal 1 (311) or IP terminal 2 (312), and the post-conversion destination port number is the internal port number associated with the service provided by that IP terminal. Both are taken from the list built from the registration messages of FIG. 6 described above.
The pre-conversion destination IP address is the global IP address of the SOHO router 310. The pre-conversion destination port number is the external port number that the SOHO router 310 sets for each service provided by the IP terminals it manages.
The processing of the NAT and SALd of the SOHO router as the network connection device will now be described concretely. The SALd of the SOHO router holds the terminal management data of FIG. 8 as internal data.
The example of FIG. 8 is an example of terminal management data set in the SOHO router 310 in the system of FIG. The terminal management data of FIG. 8 consists of the private IP address assigned to the terminal, the terminal name, the terminal attribute, the service name, the service attribute, the external port number, and the internal port number. These data are generated from the registration messages sent by each managed IP terminal, described above with reference to FIG. 6.
The private IP address is the address assigned by the SOHO router 310. The terminal name identifies each terminal managed by the SOHO router 310, and the terminal attribute indicates the type of device, such as PC (Personal Computer). The service name indicates a service (application) provided by the IP terminal, and the service attribute indicates its mode: FTP, HTTP, or a unique service. The external port number is the number the SOHO router assigned to the service for presentation to WAN side clients. The internal port number is the port on which the service listens on the terminal and identifies that service.
In this example, external port numbers 8000, 8001, and 8002 are assigned to the FTP, HTTP, and unique services of IP terminal 1 (311), and external port numbers 8003 and 8004 to the HTTP and RTSP services of IP terminal 2 (312). SALd may freely choose the externally assigned port numbers from a range not used by the kernel or other processes, and when a service ends its port number is returned to the pool. For services that embed the serving port number in the message payload (RTSP and FTP, for example), the REGISTER can instead specify the external port to be used as the external connection destination. The pre-NAT port number is then fixed in advance and can be embedded in the RTSP or similar payload from the start.
[5. Service Access Device List]
The SALd of the SOHO router, as the network connection device, holds the terminal management data of FIG. 8, and when a client on the WAN side requests a service from an IP terminal managed by the SOHO router, it returns the service access device list shown in FIG. 9.
As shown in FIG. 9, the service access device list includes a terminal name, a terminal attribute, a service name, and a service attribute as IP terminal information managed by the SOHO router as a network connection device.
The service access device list thus carries the name of each terminal in the SOHO environment, its attribute, the service name, and the service attribute. Its purpose is to tell users on the WAN side which network devices exist and which services run on them. Address translation by NAT is configured when the service access device list is created, but at this point the firewall still prohibits access from the WAN side to any of these services.
The WAN side client selects a service from the service access device list of FIG. 9 and notifies the SOHO router, as the network connection device, of the selection; the SOHO router then provides the requesting client with the external port number corresponding to the selected service. An access request arriving at the global IP address of the SOHO router 310 and that external port number (the pre-conversion destination port number) is translated by the SOHO router, using the NAT conversion table of FIG. 7, to the private IP address of the IP terminal and the post-conversion port number.
It is desirable that the service access device list be presented only to authenticated users on the WAN side. Authenticated users may also be stored as user registration data, so that either all service information is shown to each user, or only specific services or specific terminals are extracted to generate and present a user-specific service access device list.
[6. SALd processing]
FIG. 10 shows the service registration flow executed by the SALd of the network connection device (e.g. router, gateway). First, when a periodically issued SALd event is received (S101), SALd checks whether a new service registration message has arrived from a managed IP terminal (S102). If so, an external port is assigned to the service in the registration message (S103) and the NAT conversion table is set; this generates the table of FIG. 7.
When the NAT conversion table is set successfully, a registration completion notification is sent to the IP terminal (S105), a registration ID is decided and timer management of the service monitoring event is started (S106), and the terminal management data (see FIG. 8) is generated (S107). If generation of the NAT conversion table fails, a registration failure is sent (S108) and the process returns to the top of the flow.
If step S102 finds no new service registration, SALd checks whether a response [ACK] has been received to the [KEEP ALIVE] sent to a registered IP terminal to ask whether it can still provide the service (S109). The IP terminal returns ACK as status information when the service can be provided. When SALd receives an ACK from an IP terminal, it verifies that the ACK is for a registered service (S110); if so, it resets the timer (S111), otherwise the ACK is treated as invalid (S112).
If step S109 finds that no [ACK] to [KEEP ALIVE] has been received, SALd checks whether the event is a timer event (S113); if it is, the timer process (S114, detailed in FIG. 11) is executed.
The timer event process of FIG. 11 is as follows. First, SALd checks whether the timer has reached 0 (S202). If it has, [KEEP ALIVE], the inquiry as to whether the registered IP terminal can still provide the service, is sent to the IP terminal (S203). Next, SALd checks whether the timer has exceeded the predetermined time allowed for the IP terminal's ACK (S204); if it has, the registered service is deleted from the terminal management data (see FIG. 8) held by the SALd of the network connection device (e.g. router, gateway) (S205), and the timer is updated (S206). The timer event of FIG. 11 is a periodic interrupt started by the [KEEP ALIVE] issuing process.
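The registration, NAT mapping and KEEP ALIVE handling of sections 4 and 6 (FIGS. 7, 8, 10 and 11), as an added Python model that is not part of the patent or of any Sony implementation. The private addresses, the router's global address, the port of the "unique" service, the external port pool (8000 upward) and the ACK wait time are assumptions made for the example; the 30-second KEEP ALIVE cycle is the one the text names, and the REGISTER messages are constructed to reproduce the FIG. 8 allocation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KEEP_ALIVE_INTERVAL = 30.0  # seconds between KEEP ALIVE probes (the text names a 30-second cycle)
ACK_WAIT = 10.0             # assumed: seconds SALd waits for an ACK before deleting the service


def register_message(private_ip: str, terminal: str, service: str, port: int) -> dict:
    # A REGISTER message in the FIG. 6 layout (terminal attribute fixed to PC for the example)
    return {"private_ip": private_ip, "terminal_name": terminal, "terminal_attr": "PC",
            "service_name": service, "service_attr": service, "internal_port": port}


# Constructed registrations matching the FIG. 8 example. The private addresses and the
# port of the "unique" service are assumptions; FTP, HTTP and RTSP use their standard ports.
REGISTER_MESSAGES = [
    register_message("192.168.0.11", "IP terminal 1", "FTP", 21),
    register_message("192.168.0.11", "IP terminal 1", "HTTP", 80),
    register_message("192.168.0.11", "IP terminal 1", "unique", 5000),
    register_message("192.168.0.12", "IP terminal 2", "HTTP", 80),
    register_message("192.168.0.12", "IP terminal 2", "RTSP", 554),
]


@dataclass
class ManagedService:
    # One row of the terminal management data (FIG. 8) plus the time of the last ACK
    private_ip: str
    terminal_name: str
    terminal_attr: str
    service_name: str
    service_attr: str
    external_port: int
    internal_port: int
    last_ack: float


@dataclass
class SALd:
    global_ip: str
    # Free external ports; the range is assumed (the text only says SALd avoids kernel-used ports)
    pool: List[int] = field(default_factory=lambda: list(range(8000, 8100)))
    mgmt: Dict[int, ManagedService] = field(default_factory=dict)               # key: external port
    nat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # FIG. 7 table
    pending: Dict[int, float] = field(default_factory=dict)                     # ext port -> KEEP ALIVE sent at

    def register(self, msg: dict, now: float,
                 requested_external: Optional[int] = None) -> Optional[int]:
        """S102-S108: allocate an external port, set the NAT entry, create the FIG. 8 row."""
        if requested_external is None:
            if not self.pool:
                return None
            ext = self.pool.pop(0)
        elif requested_external in self.pool:
            # Services that embed their port in the payload (RTSP, FTP) may ask for a fixed port
            self.pool.remove(requested_external)
            ext = requested_external
        else:
            return None  # port already taken or outside the pool: registration failure (S108)
        self.nat[(self.global_ip, ext)] = (msg["private_ip"], msg["internal_port"])
        self.mgmt[ext] = ManagedService(msg["private_ip"], msg["terminal_name"], msg["terminal_attr"],
                                        msg["service_name"], msg["service_attr"],
                                        ext, msg["internal_port"], last_ack=now)
        return ext

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """NAT lookup for a packet that reached (global IP, external port)."""
        return self.nat.get((dst_ip, dst_port))

    def tick(self, now: float) -> List[int]:
        """Timer event (FIG. 11): send KEEP ALIVE when due, delete services whose ACK is overdue."""
        probed = []
        for ext, svc in list(self.mgmt.items()):
            if ext in self.pending:
                if now - self.pending[ext] > ACK_WAIT:
                    self.deregister(ext)  # S205: no ACK within the wait time
            elif now - svc.last_ack >= KEEP_ALIVE_INTERVAL:
                self.pending[ext] = now  # S203: KEEP ALIVE transmitted
                probed.append(ext)
        return probed

    def ack(self, ext: int, now: float) -> bool:
        """S109-S112: an ACK is accepted only for a registered service; otherwise it is invalid."""
        if ext not in self.mgmt:
            return False
        self.mgmt[ext].last_ack = now
        self.pending.pop(ext, None)  # S111: reset the timer
        return True

    def deregister(self, ext: int) -> None:
        """Drop the service from management data and NAT, and return the port to the pool."""
        self.mgmt.pop(ext)
        self.nat.pop((self.global_ip, ext), None)
        self.pending.pop(ext, None)
        self.pool.append(ext)

    def service_access_device_list(self) -> List[dict]:
        """FIG. 9: what a WAN client may see. No private address or port number is included."""
        return [{"terminal_name": s.terminal_name, "terminal_attr": s.terminal_attr,
                 "service_name": s.service_name, "service_attr": s.service_attr}
                for s in self.mgmt.values()]


def demo() -> SALd:
    """Register the five constructed services, then let all but one stop answering."""
    sald = SALd(global_ip="203.0.113.1")  # assumed router address (documentation range)
    for msg in REGISTER_MESSAGES:
        sald.register(msg, now=0.0)
    sald.tick(30.0)       # KEEP ALIVE sent to all five services
    sald.ack(8000, 31.0)  # only the FTP service of IP terminal 1 answers
    sald.tick(45.0)       # the other four exceed ACK_WAIT and are deleted
    return sald
```

The property worth checking is that a service whose SALdc stops answering loses both its management row and its NAT entry in the same step, so the external port no longer leads anywhere and is back in the pool, and that an ACK for an unregistered port is rejected rather than resurrecting a deleted mapping.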
[7. User authentication]
SALd is a daemon that accepts TCP/UDP connections on a well-known port (Well Known Port), a reserved port of the network connection device (e.g. SOHO router). Consequently, anyone on the WAN side who knows the global IP address of the SOHO router and that port number can reach it, malicious users included. The service access device list described with reference to FIG. 9, however, is confidential information of the individual or business operating the SOHO environment, and through it network devices could be accessed and controlled from outside.
Accordingly, in this system, authentication is performed when a WAN side client accesses the SALd of the network connection device (e.g. SOHO router). Specifically, the user/password authentication implemented by an HTTPd (HTTP daemon) or similar is used: access to SALd goes through a CGI (Common Gateway Interface) or similar placed under a directory for which the HTTPd server requires authentication. Authentication for that directory uses a user name and password registered in advance, and the service access device list is provided only to authenticated users.
Therefore, to connect to an IP terminal managed by a SOHO router that performs user authentication as the network connection device, the user must first be registered with the SOHO router. User registration and authentication need not be performed in an environment where free access is acceptable.
[8. Service selection, firewall settings]
An authenticated user on the WAN side can obtain the service access device list (see FIG. 9) from SALd using a protocol that extends HTTP or similar. The list is written in HTML or similar, and the user selects a service item from it. When SALd receives the service item designated by the user, it configures the firewall in the SOHO router to permit communication from the source (src) IP address (and, optionally, the source port number) of that user's session to the destination port number (the external port number) that the network connection device (e.g. router, gateway) assigned to the selected service in the service access device list. For example, if a WAN side client selects the FTP service of IP terminal 1 from the service access device list of FIG. 9, the firewall setting shown in FIG. 12 results; the destination address in FIG. 12 is the global IP address of the SOHO router, and the source address is that of the client.
The firewall of FIG. 12 permits the user at the listed source IP address to reach external port number 8000, which, as the management data of FIG. 8 shows, is the FTP service of IP terminal 1.
As a rule, the firewall is configured in advance to prohibit all communication from the WAN side to the LAN side. Consequently, only access from the terminal (or, in some cases, the session) of the authenticated user to the service that user selected is permitted, which strengthens security against external access to devices in the SOHO environment.
As described above, in the system of the present invention, when an authenticated user on the WAN side selects a service, the firewall in the SOHO router is configured with the combination of the user's terminal IP address, the global IP address of the SOHO router, and the external port number of the selected service, and only that access is permitted. An external client therefore cannot control devices in the SOHO LAN without the router's permission, which allows advanced security management.
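The default-deny firewall with per-client grants of sections 5 and 8 (FIG. 12 and the selection step of FIG. 13(b)), as an added Python example that is not code from the patent. The client and router addresses are constructed from documentation ranges, and the "http" scheme of the returned URL is an assumption; the text only says the URL is built from the router's global IP address and the external port number.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class AllowRule:
    """One firewall entry of the FIG. 12 kind: one WAN client may reach one external port."""
    src_ip: str
    dst_ip: str                      # global IP address of the SOHO router
    dst_port: int                    # external port number of the selected service
    src_port: Optional[int] = None   # None = any source port (per-terminal); set = per-session


class Firewall:
    """WAN->LAN firewall of the SOHO router: default deny, explicit per-client allow rules."""

    def __init__(self, router_global_ip: str) -> None:
        self.global_ip = router_global_ip
        self.rules: Set[AllowRule] = set()

    def permits(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Evaluate a WAN-side packet. Anything not matched by an allow rule is dropped."""
        for r in self.rules:
            if (r.src_ip, r.dst_ip, r.dst_port) == (src_ip, dst_ip, dst_port) \
                    and (r.src_port is None or r.src_port == src_port):
                return True
        return False  # default deny: no rule, no access, even if a NAT mapping exists

    def revoke(self, rule: AllowRule) -> None:
        """Remove a grant, e.g. when the session ends."""
        self.rules.discard(rule)


def select_service(fw: Firewall, authenticated: bool, client_ip: str,
                   external_port: int, client_port: Optional[int] = None) -> Optional[str]:
    """SALd's handling of a service selection (section 8, FIG. 13(b)).

    Only an authenticated client gets a firewall rule and the access URL. The URL is
    built from the router's global IP and the external port, as the text describes;
    the "http" scheme is an assumption for the example."""
    if not authenticated:
        return None
    fw.rules.add(AllowRule(client_ip, fw.global_ip, external_port, client_port))
    return f"http://{fw.global_ip}:{external_port}/"


def demo() -> Firewall:
    """Two WAN clients (constructed addresses): only the authenticated one selects FTP (8000)."""
    fw = Firewall("203.0.113.1")
    select_service(fw, authenticated=True, client_ip="198.51.100.7", external_port=8000)
    select_service(fw, authenticated=False, client_ip="198.51.100.9", external_port=8000)
    return fw
```

The NAT conversion table is already set when the service access device list is created, but a WAN client that guesses or scans external port 8001 is still dropped here because no allow rule names it; only the tuple (client address, router address, selected external port) that SALd installed after authentication passes, and a per-session grant additionally pins the client's source port.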
[9. Access to SOHO environment services from WAN users]
The SALd of the network connection device (e.g. router, gateway) receives the WAN side client's selection of a service from the service access device list, configures the firewall, and then sends the external port number of that service to the user. The user can then access the designated service with a URL composed of the global IP address of the SOHO router and that external port number, in which [] is the global IP address of the SOHO router and [8000] is the external port number corresponding to the service.
The SOHO router translates the destination of this URL into the private address of the IP terminal providing the service and the internal port number, based on the NAT conversion table (FIG. 7), and completes the connection.
[10. Start session]
The WAN side client establishes a session with the service in the SOHO environment using the URL taught from the SALd of the network connection device (ex. Router, gateway), and starts communication.
FIG. 13 is a sequence diagram summarizing the service registration processing of an internal terminal on the LAN side by the SALd of the network connection device (e.g. router, gateway), and the processing of an access request from a WAN side terminal.
The upper part (a) of FIG. 13 is a service registration process of the SALd management IP terminal of the network connection device (ex. Router, gateway).
First, the SALdc of the IP terminal sends a registration request to the SALd of the network connection device (e.g. router, gateway) as a registration message of the form shown in FIG. 6. SALd generates the management data (FIG. 8) and the NAT conversion table (FIG. 7) from the registration message and sends a registration completion message to the SALdc of the IP terminal. Thereafter, the service activation status is monitored periodically by sending KEEP ALIVE and receiving ACK from the IP terminal; if no ACK arrives, the registered service is deleted from the management data. The SALdc of the IP terminal returns ACK to SALd, as service availability status information, only while the service can be provided.
FIG. 13(b) shows the processing of a service request from a WAN side client. When the WAN side client asks the network connection device (e.g. router, gateway) for the service access device list (FIG. 9), SALd requests a user ID and password from the client and authenticates the entered user ID and password. Depending on the required security level, other authentication methods, such as public key or common (symmetric) key cryptography, may be applied instead.
If the authentication is successful, SALd provides the service access device list (FIG. 9) to the requesting client. The client selects a service based on the list, and SALd sets a firewall (see FIG. 12) according to the client's IP address (source address) and the selected service.
SALd then sends the requesting client the URL needed to access the requested service, specifically a URL made up of the global address of the network connection device (e.g. router, gateway) and the external port number corresponding to the service.
The WAN side client executes access to the service of the LAN side IP terminal based on the presented URL. At this time, the NAT performs conversion into a private IP address and an internal port number as address conversion using the NAT conversion table shown in FIG.
Thus, according to the system of the present invention, the service status of the terminals managed by a network connection device such as a router or gateway, acting as a communication relay device, is monitored periodically; when a service becomes unavailable or a new service is added, the status is updated, so the data is always current. A client requesting access from an external network such as the Internet is shown the available services in the service access device list, and the network connection device performs address translation for the selected service, so that a specific service can be designated and accessed from the WAN side to the LAN side.
The above configuration is not specific to the IPv4 address environment; even after a transition to IPv6, the requirement not to disclose the network environment inside the SOHO LAN remains the same. The configuration of the invention described above also applies to an arrangement in which the inside of the LAN is managed with IPv6 link-local addresses that are not directly reachable from the Internet, and the service information inside the LAN is shown to users on the WAN side who hold access authority.
The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.
【The invention's effect】
As described above, according to the communication relay device, communication relay method, communication terminal device, and program storage medium of the present invention, the service status of the terminals managed by a network connection device such as a router or gateway is checked periodically, the services that can be provided are managed per terminal, the list of available services is presented to a client requesting access from an external network such as the Internet, and the network connection device connects the client to the selected service by address translation; access from the WAN side to the LAN side is thus possible by designating a specific service.
Further, according to the configuration of the present invention, when a service of a communication terminal device becomes unavailable or a new service is added, the state is updated, so the data held is always current and dynamic management of IP terminal services is possible.
Further, according to the configuration of the present invention, the service access device list is presented to a WAN side client only after authentication has been performed and succeeded, so leakage of the internal environment to unauthorized users is prevented.
[Brief description of the drawings]
FIG. 1 is a diagram for explaining a mode of data communication between a private address and a global address using a conventional NAT.
FIG. 2 is a diagram for explaining a data communication mode between a private address and a global address using a conventional IP masquerade.
FIG. 3 is a diagram showing an example of a system configuration of the present invention.
FIG. 4 is a diagram showing an example of a hierarchical configuration as a system configuration of the present invention.
FIG. 5 is a diagram illustrating service registration processing executed by a service access device list management daemon (SALd) and a service monitoring daemon (SALdc) according to the present invention.
FIG. 6 is a diagram showing an example of a registration message in a service registration process executed by a service access device list management daemon (SALd) and a service monitoring daemon (SALdc) according to the present invention.
FIG. 7 is a diagram showing an example of a NAT conversion table possessed by a network connection device in the configuration of the present invention.
FIG. 8 is a diagram showing an example of terminal management data included in a network connection device in the configuration of the present invention.
FIG. 9 is a diagram showing an example of a service access device list provided by a network connection device in the configuration of the present invention.
FIG. 10 is a flowchart illustrating service registration processing and update processing executed by a network connection device in the configuration of the present invention.
FIG. 11 is a flowchart illustrating timer processing in service registration processing and update processing executed by the network connection device in the configuration of the present invention.
FIG. 12 is a diagram showing an example of a firewall generated by a network connection device in the configuration of the present invention.
FIG. 13 is a diagram showing a processing sequence executed by a network connection device in the configuration of the present invention.
[Explanation of symbols]
101-10n communication terminal
120 LAN
130 NAT box
140 Internet
201-20n communication terminal
220 LAN
230 IP Masquerade Box
240 Internet
310 SOHO router
311 IP terminal 1
312 IP terminal 2
320 SOHO router
321 HTTP server
322 FTP server
323 RTSP server
401 SOHO router
402 PC1
403 Application Gateway PC2
404 camera
405 deck
406 USB device

Claims (10)

1. A communication relay device that functions as relay means between an external network and a local network, wherein:
service information indicating the services that can be provided by an internal terminal connected to the local network and by lower-layer devices connected to the internal terminal is acquired and managed for each internal terminal, unique access information is set for each provided service, and, in response to an access request for the internal terminal from the external network, the service information and the access information for the service are presented; and
the access information for the service is
information set in correspondence with an internal port number uniquely set for each of the provided services, namely an external port number set to a value different from the internal port number.
2. The communication relay device according to claim 1, wherein
service information that can be provided by an internal terminal connected to the local network is received periodically from the internal terminal, terminal management data is updated on the basis of status information indicating whether each service can be provided, and the service information and access information presented to the external network are updated on the basis of the updated terminal management data.
3. The communication relay device according to claim 1, wherein,
in response to an access request for the internal terminal from a client via the external network, the external port number set to a value different from the internal port number uniquely set for each service provided by the internal terminal is provided to the client, and conversion from the external port number to the internal port number is executed in response to an access request from the client that uses the external port number.
4. The communication relay device according to claim 1, further comprising a network address conversion table that associates:
a. the global IP address of the relay device,
b. an external port number set to a value different from the internal port number, corresponding to the internal port number uniquely set for each of the services provided by the internal terminal,
c. the private IP address set individually for the internal terminal, and
d. the internal port number uniquely set for each of the services provided by the internal terminal;
wherein the communication relay device
converts the global IP address and external port number of the relay device contained in an access request for an internal terminal via the external network into the private IP address and internal port number on the basis of the network address conversion table.
5. The communication relay device according to claim 1, wherein,
in response to an access request for the internal terminal from the external network, the client making the access request is authenticated, and the service information and the access information for the service are presented only on condition that authentication succeeds.
6. The communication relay device according to claim 1, further comprising
a firewall in which the address of the client making an access request for the internal terminal from the external network is set, access restriction being executed on the basis of the firewall.
7. A communication relay method for a device that functions as relay means between an external network and a local network, comprising:
a step of acquiring service information indicating the services that can be provided by an internal terminal connected to the local network and by lower-layer devices connected to the internal terminal, managing it for each internal terminal, and setting unique access information for each service provided by the internal terminal; and
a step of presenting, in response to an access request from the external network for the internal terminal, the service information and the access information for the service, the access information being information set in correspondence with the internal port number uniquely set for each service provided by the internal terminal, namely an external port number set to a value different from the internal port number.
8. A communication terminal device connected to a local network managed by a communication relay device that functions as a relay device between an external network and the local network, the communication relay device acquiring and managing, for each internal terminal, service information indicating the services that can be provided by an internal terminal connected to the local network and by lower-level devices connected to the internal terminal, setting unique access information for each provided service, and presenting the service information and the access information for the service in response to an access request for the internal terminal from the external network, the access information being information set in correspondence with an internal port number uniquely set for each provided service, namely an external port number set to a value different from the internal port number,
wherein the communication terminal device registers with the communication relay device service information indicating the service it can provide, the registration including service identification data and the internal port number corresponding to the service.
9. The communication terminal device according to claim 8, wherein
the communication terminal device transmits status information indicating whether or not the service can be provided in response to a request from the communication relay device.
10. A program storage medium providing a computer program that causes a computer system to execute data communication processing in a communication relay system functioning as relay means between an external network and a local network, the computer program comprising:
a step of acquiring service information indicating the services that can be provided by an internal terminal connected to the local network and by lower-layer devices connected to the internal terminal, managing it for each internal terminal, and setting unique access information for each service provided by the internal terminal; and
a step of presenting, in response to an access request from the external network for the internal terminal, the service information and the access information for the service, the access information being information set in correspondence with the internal port number uniquely set for each service provided by the internal terminal, namely an external port number set to a value different from the internal port number.
JP2000337392A 2000-11-06 2000-11-06 Communication relay device, communication relay method, communication terminal device, and program storage medium Expired - Fee Related JP4524906B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2000337392A JP4524906B2 (en) 2000-11-06 2000-11-06 Communication relay device, communication relay method, communication terminal device, and program storage medium

Publications (3)

Publication Number Publication Date
JP2002141953A JP2002141953A (en) 2002-05-17
JP2002141953A5 JP2002141953A5 (en) 2007-04-26
JP4524906B2 true JP4524906B2 (en) 2010-08-18



Country Status (1)

Country Link
JP (1) JP4524906B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE2727322A1 (en) 1976-06-18 1977-12-22 Hitachi Electronics RECORDING DEVICE

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4786081B2 (en) * 2001-08-24 2011-10-05 富士通セミコンダクター株式会社 Home gateway equipment
JP3548157B2 (en) * 2001-12-26 2004-07-28 アライドテレシス株式会社 Relay device, address conversion control method, and program
JP2003348116A (en) 2002-05-28 2003-12-05 Hitachi Ltd Address automatic setting system for in-home network
WO2004023742A1 (en) * 2002-09-02 2004-03-18 Allied Telesis Holdings K.K. Relay equipment, communication system, communication method, and program
KR20050053707A (en) * 2002-09-30 2005-06-08 마츠시타 덴끼 산교 가부시키가이샤 Information processing apparatus and receiving apparatus
US8667170B2 (en) 2004-04-14 2014-03-04 Nippon Telegraph And Telephone Corporation Address conversion method, access control method, and device using these methods
JP4463078B2 (en) * 2004-11-05 2010-05-12 パナソニック株式会社 Information processing apparatus, information processing system, information processing method, and program
JP4654006B2 (en) 2004-11-16 2011-03-16 パナソニック株式会社 Server device, portable terminal, communication system, and program
JP2006180295A (en) * 2004-12-22 2006-07-06 Matsushita Electric Ind Co Ltd Address conversion apparatus and address conversion method
JP4498984B2 (en) * 2005-06-16 2010-07-07 富士通株式会社 Service providing apparatus and communication control program
JP4709607B2 (en) * 2005-08-02 2011-06-22 株式会社東芝 Network home appliance control system
JP4679453B2 (en) * 2006-07-12 2011-04-27 Kddi株式会社 Gateway and program for controlling information devices connected to LAN via WAN
JP5444639B2 (en) 2007-11-20 2014-03-19 パナソニック株式会社 Server device and distributed server system
JP4947118B2 (en) * 2009-10-07 2012-06-06 パナソニック株式会社 Relay device and relay method
JP5260467B2 (en) * 2009-10-19 2013-08-14 日本電信電話株式会社 Access control system and access control method
JP5417163B2 (en) * 2009-12-28 2014-02-12 綜合警備保障株式会社 Security device, security system, and communication method
JP6427891B2 (en) * 2014-02-13 2018-11-28 株式会社リコー Information processing system, information processing method, and program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11122301A (en) * 1997-10-20 1999-04-30 Fujitsu Ltd Address conversion connection device
JP2000138696A (en) * 1998-10-29 2000-05-16 Mitsubishi Materials Corp Network address converter and its recording medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002141954A (en) * 2000-11-06 2002-05-17 Sony Corp Communication relay device, communication relay method, and program storage medium

Also Published As

Publication number Publication date
JP2002141953A (en) 2002-05-17

Similar Documents

Publication Publication Date Title
JP4524906B2 (en) Communication relay device, communication relay method, communication terminal device, and program storage medium
TWI274491B (en) Network interconnection apparatus, network interconnection method, name resolution apparatus and computer program
US7856023B2 (en) Secure virtual private network having a gateway for managing global ip address and identification of devices
EP2291979B1 (en) Remote access between upnp devices
EP1753180B1 (en) Server for routing a connection to a client device
JP4234482B2 (en) Dynamic DNS registration method, domain name resolution method, proxy server, and address translation device
JP2003348116A (en) Address automatic setting system for in-home network
WO2007068167A1 (en) A method and network device for configuring the domain name in ipv6 access network
JP2006174350A (en) Communication apparatus
WO2005004417A2 (en) Relay device and server, and port forward setting method
JP2003289340A (en) Identifier inquiry method, communication terminal and network system
JPH1051449A (en) Mobile computer support system, its management server, its terminal equipment and address conversion method
CN101410817A (en) Usage of automatic configuration name space of automatic protocol proxy
JP2004120534A (en) Router, repeater and forwarding method
Yan et al. Is DNS ready for ubiquitous Internet of Things?
JP4186733B2 (en) Communication system, terminal, and address generation method
JP2005101890A (en) Device and program for name registration mediation, and for name solution mediation name solution system, and name solution method
JP3616570B2 (en) Internet relay connection method
JP3935823B2 (en) HTTP session tunneling system, method thereof, and program thereof
JP2004007151A (en) Router, ddns client terminal connected to it, and ddns system
JP2005197936A (en) Communication system, registering device, and communication device
JP2002183009A (en) Device and method for providing communication service by individual identifier through internet
JP5231849B2 (en) Device identification method and device identification program.
JP2004120125A (en) Router and method for processing router setting information
JP2008206081A (en) Data relaying apparatus and data relaying method used for multi-homing communication system

Legal Events

Date Code Title Description

A521 Written amendment
Effective date: 20070305

A621 Written request for application examination
Effective date: 20070305

A977 Report on retrieval
Free format text: JAPANESE INTERMEDIATE CODE: A971007
Effective date: 20090202

A131 Notification of reasons for refusal
Effective date: 20090602

A521 Written amendment
Effective date: 20090729

A131 Notification of reasons for refusal
Effective date: 20100309

A521 Written amendment
Effective date: 20100422

TRDD Decision of grant or rejection written

A01 Written decision to grant a patent or to grant a registration (utility model)
Effective date: 20100511

A61 First payment of annual fees (during grant procedure)
Effective date: 20100524

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20130611

Year of fee payment: 3

LAPS Cancellation because of no payment of annual fees