JP2003283570A - Communication network system and data communication method - Google Patents

Abstract

(57) [Problem] To provide a communication network system and a data communication method capable of accessing a node having no fixed global address from a client by a domain name. A data communication method of a communication network system configured to access a node connected to a predetermined port of a gateway having a non-fixed global address from a client connected to the Internet, wherein the data is transmitted from each node. The non-fixed global address of the gateway is assigned as the address of each node based on the unique information included in the received packet.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication network system and a data communication method, and more particularly to improving access from a client to a node.

[0002]

2. Description of the Related Art FIG. 3 is a block diagram of a conventional communication network system. Internet 10 has
Dynamic DNS (Domain Name System) server (hereinafter D
A DNS server) 20 and a client 30 are connected, and a plurality of private networks 40A,
40B, ... are gateways 41A and 41B, respectively.
Connected through. Then, for example, nodes 42A and 42B are respectively connected to predetermined ports of the gateway 41A of the private network 40A, and nodes 42C and 42D are respectively connected to predetermined ports of the gateway 41B of the private network 40B.

Here, the DDNS server 20 uses the FQDN (Fully
Qualified Domain Name (hereinafter simply referred to as domain name) and the correspondence of the global address, domain name resolution on the Internet. General DNS
The difference from the server is that it is a dynamic DNS client (an entity such as a node that requests to associate its own address with a domain name, hereinafter referred to as a DDNS client).
It is possible to change the correspondence relation of the domain name address and to create a new correspondence relation according to the request from the communication from.

Further, the DDNS server 20 manages the unique information about the DDNS client, and authenticates the DDNS client using it. This avoids attacks such as DNS spoofing.

Note that DNS spoofing is one of fraudulent acts (attack) in which a malicious person registers an address different from the address of the machine corresponding to the domain name and directs it to another machine. For example, the machine A having the domain name “gw-a.etc.jp” has the address A, and the DDNS server 20 has the correspondence gw-a.etc.jp = address A.

However, if a malicious one registers gw-a.etc.jp = address B, the client trying to access machine A cannot access machine A, but access machine B having address B. Will be made to be.

The client 30 is a general term for terminals connected to the Internet 10, such as a personal computer and a mobile phone, and in the present invention, this term is used for an entity that intends to access the node 42 via the Internet 10.

The gateway 41 is a router, a firewall, or the like, and has a global address so that the position on the Internet 10 can be specified. Communication between the Internet 10 and the private network 40 is always performed via this gateway 41. In the present invention, the gateway 41 under the following conditions is particularly targeted. 1) It has a non-fixed global address. 2) Non-fixed addresses can change, but have a static IP masquerade that can forward communications destined for a particular port to a node within the private address. For example, as shown by the line a in FIG. 3, a packet addressed to the port 8080 of the non-fixed global address of the gateway 41 can be transferred to the port 80 of the node 42A.

The node 42 is used as a general term for terminals connected to a network, such as a personal computer and a small device. In the present invention, the node having the following conditions is targeted. 1) It has an effective address (hereinafter referred to as a private address) only in the private network 40. 2) Be sure to use the gateway 41 to access the Internet 10
To access. From the Internet 10 side, static I
Accessed by P Masquerade.

The operation of FIG. 3 will be described. Client 30
When trying to access the node 42A, communicates with the port 8080 of the global address of the gateway 41A. However, since the gateway 41A has only a non-fixed global address, the correspondence between the domain name, which is its identifier, and the global address is not static. For this reason, it is not realistic to use a general DNS that requires manual registration of the correspondence between domain names and addresses. Moreover, since the global address is not fixed, it is difficult for the client 30 to always specify the address of each gateway 41.

Therefore, in order to solve such a problem, a DDNS client (not shown) is generally used to
The non-fixed (changing) address of each gateway 41 is regularly registered in the DDNS server 20. Then, the client 30 uses the domain name corresponding to the address of the gateway 41A registered in the DDNS server 20 so that the node 4 passes through the gateway 41A.
You will have access to 2A.

[0012]

However, in the conventional configuration of FIG. 3, even if the DDNS is used, the client 30 to the node 42
Is difficult to access using a domain name. That is, the DDNS client tries to register its own address in the DDNS server 20. In FIG. 2, if the node 42A has the function of a DDNS client, the private address of the node 42A is registered in the DDNS server 20, but the client 30 naturally uses this address for the node 4
You cannot access 2A.

Although it is desirable for the gateway 41 to have such a DDNS client function, at present, there are very few gateways having a DDNS client function and it is difficult to obtain them. Further, there is no mechanism for the node 42A to know the non-fixed global address of the gateway 41A or there is only an ad hoc countermeasure method.

When the node 42 is a small device, resources such as memory and CPU performance for newly implementing the DDNS client function may be limited.

Further, the protocol used in the DDNS does not always satisfy the application such as authentication and encryption required by the node 42 in terms of security.
For example, in the case where the node 42 is such that it causes a life-threatening error when a medical-related item or a home electric appliance is mistakenly operated, there is a possibility that an incorrect operation is registered due to an attack such as DNS spoofing, which causes a human error. It may develop into related issues. In such a case, it is necessary to register the address in the DDNS server 20 more safely, but the security level of the protocol used by the DDNS may not be sufficient.

Further, the DDNS server 20 must manage the information about each DDNS client for authentication, but the management becomes complicated when the number of DDNS clients increases. In the case of a DNS server, there is no dynamic update of the "domain name-address" from the client, so there is no need to manage this individual information.

The present invention solves such a conventional problem, and an object thereof is to provide a communication network system and a data communication method capable of allowing a client to access a node having no fixed global address by a domain name. To provide.

[0018]

The invention according to claim 1 which achieves such an object, comprises a private network connected to the Internet via a gateway having a non-fixed global address, and an Internet having a private address. A client application that carries out communication is installed, and a node connected to the gateway and an FQDN (fully decorated domain name) and global address are connected in response to a request from the node connected to the Internet to associate its own address with a domain name. A DDNS (Dynamic Domain Name System) server that has a function of dynamically associating with the Internet, and associating the address of the gateway with the node based on the information obtained by communication from the client application. A central server to be registered in the DDNS server as that address, clients accessing node is connected to the Internet, it is a communication network system characterized in that it is composed of and.

According to a second aspect of the present invention, a private network connected to the Internet via a gateway having a non-fixed global address and a client application having a private address for communicating via the Internet are installed and connected to the gateway. Connected to the Internet, a central server having a portal site connected to the Internet for each private network, and a link to each node, and a client connected to the Internet to access the node. Is a communication network system.

A third aspect of the present invention is a data communication method for a communication network system configured to access a node connected to a predetermined port of a gateway having a non-fixed global address from a client connected to the Internet. Then, based on the unique information contained in the packet transmitted from each node, the non-fixed global address of the gateway is assigned as the address of each node.

According to a fourth aspect of the invention, in the data communication method according to the third aspect, the node is equipped with a client application for transmitting the unique information of the node.

With these, the client can access the node by the domain name.

[0023]

DETAILED DESCRIPTION OF THE INVENTION The present invention will be described in detail below with reference to the drawings. FIG. 1 is a configuration block diagram showing an example of an embodiment of the present invention, and portions common to FIG. 3 are assigned the same reference numerals. The difference from FIG. 3 is that each node 42 is equipped with a client application 43 and that the central server 50 is newly connected to the Internet 10. Regarding the domain name of the node 41, for example, in the case of the node 41A, "node-
a.prv-net-a.jp ”.

The client application 43 communicates with the central server 50. Here, regardless of the content of the communication, the node 42 is authenticated using the unique information of the node 42 in the communication. The purpose of communication may be not only for DDNS registration but also for application data used by the node 42, for example, and security that meets application requirements is realized.

The central server 50 determines the address of each gateway 41 as an address corresponding to the node 42 based on the information (source address, that is, the non-fixed global address of each gateway 41) of the communication packet from each client application 43. Register with the DDNS server 20.

Further, the central server 50 manages the unique information of each node 42, and authenticates the node 42 using this when communicating with the client application 43.

Further, countermeasures against attacks such as DDNS spoofing from the Internet 10 are taken between the central server 50 and the DDNS server 20. For example, if the central server 50 and the DDNS server 20 are in the same private network, or if a VPN (virtual private line) is set between the central server 50 and the DDNS server 20,
Make sure that the communication between the central server 50 and the DDNS server 20 is not directly visible from the Internet 10, or the DDNS server 2
0 is set to allow registration only from a VPN or private network.

The operation of FIG. 1 thus configured will be described by dividing it into the following four steps SP1 to SP4. It should be noted that these steps SP1 to SP4 correspond to step S in FIG.
It corresponds to P1 to SP4.

SP1 <client application 4
3 communicates with the central server 50> The client application 43A installed in the node 42A periodically communicates with the central server 50. The client application 43A communicates with the node 4
The unique information of 2A is included in the packet. The purpose of communication at this time does not matter. In this communication, security that meets application requirements is realized.

The central server 50 includes the unique information of the node 42A managed by itself and the node 42 included in the packet sent from the client application 43A.
Compare the unique information of A. If they match, the process proceeds to step SP2. If they do not match, the packet may be a communication error or a forged packet, so the process does not proceed to step SP2 and the packet is discarded.

SP2 <The central server 50 is the DDNS server 20
Register the address of the gateway 41 in the> The central server 50 uses the source address of the packet received from the client application 43A in step SP1, that is, the non-fixed global address of the gateway 41A as the domain name "node-ap" of the node 42A.
rv-net-a.jp ”and register it in the DDNS server 20. If the source address is “202.32.1” in step SP1.
If it is "92.64", the DDNS server 20 displays "node-a.prv-
The address of "net-a.jp" is registered as "202.32.192.64".

SP3 <The client 30 inquires about the address of the gateway 41> The client 30 asks the DDNS server 20 to access the node 42A, the domain name of the node 42A,
In other words, inquire the address of "node-a.prv-net-a.jp". On the other hand, the DDNS server 20 makes the step SP2.
The unfixed global address of the gateway 41A registered by the central server 50 is answered.

SP4 <client 30 is node 42A
The client 30 can access the port 80 of the node 42A by accessing the port “8080” of the address of the gateway 41A obtained in step SP3.

All of these steps SP1 to SP4 do not have to be performed in order. SP1-SP
2, SP3-SP4 are performed in order, but SP
The order in which the 1-SP2 set and the SP3-SP4 set operate is not limited. Further, the operation of SP3-SP4 is the same as the conventional operation.

By providing the client application 43 and the central server 50 as shown in FIG. 1, even in the conventional configuration in which it is difficult to use DDNS, the domain name is assigned from the client 30 to the node 42 by using the DDNS. Can now be accessed using.

When the data for the application is regularly transmitted and received between the node 42 (client application 43) and the central server 50, the DDNS of the DDNS is based on the application data without special preparation of the DDNS client. Registration is possible. As a result, resources such as the memory and the disk of the node 42 are not wasted, and the network traffic can be reduced.

The node 42 does not depend on the security level of the protocol used by the DDNS, and can register the address in the DDNS server 20 with the security level that meets the requirements (authentication, encryption, etc.) of the application in which it is used. Becomes

Instead of the node 42 or the gateway 41, the central server 50 registers the address in the DDNS server 20. That is, it replaces the DDNS client. This allows the DDNS server 20 to manage only the information of the central server 50 for authentication. Further, by restricting access to the DDNS server 20, security when registering in the DDNS server 20 is improved.

FIG. 2 is a block diagram showing another embodiment of the present invention, in which the same parts as those in FIG. 1 are designated by the same reference numerals. The difference from FIG. 1 is that the DDNS server 20 is omitted and the portal server 51 is provided in the central server 50.

The portal site 51 is the central server 50
Is a page configured based on a source address transmitted from the client application 43 during communication and a port number for accessing each node 42 set by the administrator of the gateway 41, and is configured for each private network 40. And has a link to each node 42 in the private network 40.
Although this link is displayed on the page by the domain name of the node 42, the entity describes the non-fixed global address of the gateway 41, that is, the port number for accessing the node 42.

The operation of FIG. 2 will be described separately in step SP1 in which the client 30 accesses the portal site 51 and step SP2 in which the client 30 accesses the node 42 via the portal site 51.

SP1 <Client 30 Accesses Portal Site 51> First, the client 30 accesses the portal site 51 of the private network 40 to which the node 42 to be accessed, which is constructed on the central server 50, belongs.

SP2 <Accessing the node 42 via the portal site 51> Next, the link of the node 42 to be accessed described on the portal site 51 is followed to access the target node 42.

By configuring as shown in FIG. 2, the port number for accessing each node 42 can be hidden by the portal site 51, and the client 30
Can access the node 42 without being aware of the port number. The user of the node 42 managing the plurality of nodes 42 can collectively identify and manage the registration information of all the nodes 42 at the portal site 51.
Also, access to each node 42 becomes easy.

[0045]

As described above, according to the present invention,
A communication network system can be realized in which a client can access a node that does not have a fixed global address by a domain name.

[Brief description of drawings]

FIG. 1 is a configuration block diagram of a conventional communication network system.

FIG. 2 is a configuration block diagram showing an example of an embodiment of the present invention.

FIG. 3 is a configuration block diagram showing another embodiment of the present invention.

[Explanation of symbols]

10 Internet 20 Dynamic DNS server 30 clients 40 private network 41 gateway 42 nodes 43 Client Application 50 control server 51 Portal site

Claims (4)

[Claims] 1. A private network connected to the Internet via a gateway having a non-fixed global address, and a client application having a private address for communicating via the Internet are installed and connected to a predetermined port of the gateway. Nodes and FQDNs that are connected to the Internet in response to a request from the node to map its own address to a domain name
A DDNS (Dynamic Domain Name System) server having the function of dynamically associating a (fully decorated domain name) with a global address, and an address of the gateway based on information obtained by communication from the client application connected to the Internet. A communication network system comprising a central server that registers in the DDNS server as an address corresponding to the node, and a client that is connected to the Internet and that accesses the node. 2. A private network connected to the Internet via a gateway having a non-fixed global address, and a client application having a private address for communicating via the Internet are installed and connected to a predetermined port of the gateway. A node, a central server having a portal site connected to the Internet and having a link to each node formed for each private network, and a client connected to the Internet for accessing the node. Communication network system. 3. A data communication method of a communication network system configured to access a node connected to a predetermined port of a gateway having a non-fixed global address from a client connected to the Internet, the method comprising: A data communication method characterized by allocating a non-fixed global address of a gateway as an address of each node based on unique information contained in a transmitted packet. 4. The data communication method according to claim 3, wherein the node is equipped with a client application for transmitting the unique information of the node.