1. Technical Field
Aspects of the present invention relate to a server, and a packet transferring method and a program therefor to relay a packet transmitted and received between client terminals.
2. Description of the Related Art
In recent years, an increase in activities such as collaboration between companies and departments has led to a diversification of business forms. Accordingly, demand for communication between client terminals connected to different company LANs or department LANs (namely, client terminals connected to different private networks) has grown rapidly. Against this background, methods for allowing communication between client terminals connected to different private networks have recently been proposed. In a general system, communication between client terminals connected to different private networks is implemented via a relay server installed in a global network. Typical systems using this method include SoftEther, Packetix VPN, OpenVPN and the like.
In general, a firewall that blocks communication from the global network is installed in the private network. The firewall is set to allow only communication on specific TCP connections (generally, TCP communication to destination port number 80, used for Web browsing, namely HTTP communication, and TCP communication to destination port number 443, namely HTTPS communication). The private network side takes the initiative to establish such a specific TCP connection with the global network. Therefore, in the general system, a client terminal on a private network first starts to establish a TCP connection with a relay server. Once the TCP connection between the client terminal and the relay server has been established, the client terminal and the relay server can perform two-way communication. Thereafter, the client terminal transmits data intended for the client terminal which is its communication partner by using the TCP connection established with the relay server. The relay server transmits the received data by using the TCP connection established between the relay server and the client terminal which is the communication partner.
The aforementioned general system is hereinafter referred to as a firewall traversal communication system. In the firewall traversal communication system, since the relay server terminates the TCP connections when transferring packets between the client terminals, the relay server bears the load of packet retransmission processing and flow control processing.
On the other hand, as a transfer system for data flowing on the TCP connection, there is a TCP splicing system. According to the TCP splicing system, a relay server rewrites the headers of packets and transfers the packets without performing TCP connection termination processing requiring a high processing load (see D. A. Maltz, et al. “TCP splice application layer proxy performance” Journal of High Speed Networks, Volume 8, Issue 3, 1999, p. 225-240; hereinafter “Maltz”), unlike the firewall traversal communication system.
FIG. 8 shows a packet transfer system described in Maltz. In FIG. 8, client terminals A 1000, B 2000 and a relay server 3000 are shown, and the client terminals A 1000 and B 2000 perform communication via the relay server 3000. First, the client terminal A 1000 transmits a SYN message to the relay server 3000 (S1000), and performs 3-Way-Handshake (hereinafter “3WH”) (S1000 to S3000) to establish a TCP connection with the relay server 3000. The relay server 3000 registers information of the TCP connection established with the client terminal A 1000, to a packet transfer table 3100 provided therein. Moreover, after completing the establishment of the TCP connection with the client terminal A 1000, the relay server 3000 transmits a SYN message to the client terminal B 2000 (S4000), and performs 3WH (S4000 to S6000) to establish a TCP connection with the client terminal B 2000. After establishing the TCP connection with both client terminals A 1000 and B 2000, the relay server 3000 starts transferring a packet received from one of the TCP connections to the other connection (S7000).
The packet transfer is specifically performed as follows (S8000 to S9000). In the example of FIG. 8, regarding the two TCP connections established between the relay server 3000 and the respective client terminals A 1000 and B 2000, the following information is registered to the packet transfer table 3100:
Client-side IP address and port number;
Relay server-side IP address and port number; and
The Seq number of the packet last transmitted by each of the client terminals and the relay server on the respective TCP connections before the start of transfer.
The relay server 3000 rewrites the Seq number, the Ack number, the transmission source IP address, the destination IP address and the port numbers of a packet received from one of the TCP connections (with a checksum recalculation accompanying the rewriting) and then transfers the rewritten packet to the other TCP connection. The relay server 3000 does not perform: buffering of packets for retransmission in case of a packet loss, which would be needed if the TCP connection were terminated; packet loss detection by analyzing the Seq numbers and Ack numbers of the received packets; packet retransmission processing following a packet loss detection; flow control processing and the like. All of this processing is performed by the client terminals. Therefore, in the packet transfer system described in Maltz, the load applied to the relay server is reduced as compared with the firewall traversal communication system.
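As an added illustration (not code from Maltz or from this document), the following Python models the packet transfer table and the header rewriting the relay performs between two legs; addresses, ports and Seq numbers are constructed, and the checksum covers only a simplified pseudo-header.

```python
import socket
import struct
from dataclasses import dataclass

MOD32 = 1 << 32  # Seq/Ack numbers wrap at 2^32


@dataclass
class Leg:
    """One relay<->client TCP connection as recorded in the packet transfer table."""
    client: tuple      # (ip, port) of the client terminal
    relay: tuple       # (ip, port) the relay used on this connection
    client_seq: int    # last Seq number the client sent before transfer started
    relay_seq: int     # last Seq number the relay sent before transfer started


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), recalculated after every header rewrite."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def header_bytes(pkt: dict) -> bytes:
    """Simplified coverage: both IPs, both ports, Seq, Ack and the payload."""
    return (socket.inet_aton(pkt["src"][0]) + socket.inet_aton(pkt["dst"][0])
            + struct.pack("!HHII", pkt["src"][1], pkt["dst"][1], pkt["seq"], pkt["ack"])
            + pkt["payload"])


def splice(pkt: dict, src: Leg, dst: Leg) -> dict:
    """Rewrite a packet received on `src` so it continues on `dst` without terminating TCP.
    The Seq offset between legs is fixed (dst.relay_seq - src.client_seq); the Ack offset
    is its mirror image, so loss detection and flow control stay with the clients."""
    out = dict(pkt)
    out["src"], out["dst"] = dst.relay, dst.client
    out["seq"] = (pkt["seq"] - src.client_seq + dst.relay_seq) % MOD32
    out["ack"] = (pkt["ack"] - src.relay_seq + dst.client_seq) % MOD32
    out["checksum"] = checksum(header_bytes(out))
    return out


# Constructed table entries: on leg A client A started 3WH toward the relay's port 443;
# on leg B the relay started 3WH toward client B from an ephemeral port.
LEG_A = Leg(("10.0.0.5", 40000), ("203.0.113.1", 443), client_seq=1000, relay_seq=5000)
LEG_B = Leg(("192.168.1.9", 40001), ("203.0.113.1", 51000), client_seq=20000, relay_seq=30000)


def forward_a_to_b(seq: int, ack: int, payload: bytes) -> dict:
    """A packet from client A as received on leg A, returned as rewritten for leg B."""
    pkt = {"src": LEG_A.client, "dst": LEG_A.relay, "seq": seq, "ack": ack, "payload": payload}
    return splice(pkt, LEG_A, LEG_B)
```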
The problem with the system of Maltz is that no consideration is given to matching of TCP options between the client terminals that communicate with each other via the relay server.
In general, TCP includes various options such as a maximum segment size (“MSS”), a window scale (“WS”), and a selective acknowledgment (“SACK”). If communication is performed without any relay server, the two terminals serving as the end points of the TCP connection match these options at the time of 3WH by means of the SYN message and the SYN ACK message. For example, regarding MSS, the two terminals insert their desired MSS values into the SYN message and the SYN ACK message, respectively, transmit these messages, and then use the smaller of the two MSS values they presented for communication after the establishment of the TCP connection. Regarding WS, each of the two terminals inserts, into either the SYN message or the SYN ACK message, a flag (“WS use flag”) indicating whether to use WS, and a shift count for the case where WS is used. Then, when the WS use flag is ON in both terminals, WS is used in the communication after the establishment of the connection, and the advertised window size from the communication partner is calculated using the shift count value notified by the communication partner through either the SYN message or the SYN ACK message. Similarly, regarding SACK, a flag (“SACK use flag”) indicating whether to use SACK is inserted into each of the SYN message and the SYN ACK message. Then, when the SACK use flag is ON in both terminals, SACK is used in the communication after the establishment of the connection.
According to the system described in Maltz, retransmission processing, flow control and the like after 3WH are performed between the client terminals and not between the client terminal and the relay server. Accordingly, the TCP options must be matched between the client terminals.
However, Maltz describes only the point that 3WH is performed between each client terminal and the relay server, and does not refer to the matching of TCP options between the client terminals. Moreover, the above-described method for matching TCP options cannot be applied as-is to the system described in Maltz. For example, in FIG. 8, even when both the client terminals A 1000 and B 2000 transmit a SYN message and a SYN ACK message in which the WS use flag is ON at the time of 3WH, if the relay server 3000 transmits a SYN message and a SYN ACK message in which the WS use flag is OFF, each client terminal performs flow control without using WS on the TCP connection established with the relay server 3000. Accordingly, there is a possibility that communication throughput between the client terminals will be reduced as compared with the case using WS. Further, when the relay server transmits a SYN message and a SYN ACK message in which the WS use flag is ON to each client terminal, and the WS use flag is ON at one client terminal while it is OFF at the other client terminal, one client terminal intends to perform flow control using WS while the other intends to perform flow control without using WS. As a result, flow control cannot be correctly performed between the client terminals. The same applies to SACK. In particular, WS and SACK largely affect the throughput of a TCP connection, so when these options cannot be matched, the throughput may be largely reduced.
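As an added example (not code from Maltz or from this document), the following Python applies the per-connection option matching rules described above to each leg separately, as a splicing relay would, and then checks whether the two legs are consistent end to end; all option values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SynOptions:
    """TCP options carried in a SYN or SYN ACK message."""
    mss: int
    ws: Optional[int]   # shift count when the WS use flag is ON, None when it is OFF
    sack: bool          # SACK use flag


@dataclass(frozen=True)
class Effective:
    """What one terminal actually uses after 3WH, from its own viewpoint."""
    mss: int
    ws_shift: Optional[int]   # partner's shift count applied to its advertised window, None = no WS
    sack: bool


def negotiate(mine: SynOptions, peer: SynOptions) -> Effective:
    """Option matching as done by the two end terminals of one 3WH."""
    both_ws = mine.ws is not None and peer.ws is not None
    return Effective(mss=min(mine.mss, peer.mss),
                     ws_shift=peer.ws if both_ws else None,
                     sack=mine.sack and peer.sack)


def splice_mismatches(a: Effective, b: Effective) -> List[str]:
    """End-to-end checks a splicing relay would need, because retransmission and
    flow control run between the clients although each leg was negotiated separately."""
    problems = []
    if (a.ws_shift is None) != (b.ws_shift is None):
        problems.append("WS used on one leg only: flow control breaks between clients")
    if a.sack != b.sack:
        problems.append("SACK used on one leg only")
    if a.mss != b.mss:
        problems.append("MSS differs between legs: segments may exceed the smaller MSS")
    return problems


def end_to_end(client_a: SynOptions, relay_to_a: SynOptions,
               client_b: SynOptions, relay_to_b: SynOptions):
    """Leg A: client A sends SYN, relay answers SYN ACK. Leg B: relay sends SYN, client B answers."""
    leg_a = negotiate(client_a, relay_to_a)
    leg_b = negotiate(client_b, relay_to_b)
    return leg_a, leg_b, splice_mismatches(leg_a, leg_b)


# Constructed values for the two situations described in the text.
A = SynOptions(mss=1460, ws=7, sack=True)
B = SynOptions(mss=1460, ws=7, sack=True)
RELAY_WS_OFF = SynOptions(mss=1460, ws=None, sack=True)
RELAY_WS_ON = SynOptions(mss=1460, ws=7, sack=True)
```

With RELAY_WS_OFF both legs end up without WS, which is consistent but forgoes the throughput WS would give; with RELAY_WS_ON and one client that has WS OFF, the legs disagree and flow control between the clients cannot work correctly.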
The above problem also applies to the firewall traversal communication system, in which both client terminals take the initiative to establish their TCP connections with the relay server.