Recently, whether in office or at home, a local area network (LAN) and the Internet are generally connected by way of a router having a network address translation function (NAT) or network address port translation function (NAPT).
To communicate between devices connected to the Internet, global IP addresses assigned uniquely around the world are employed. On the other hand, owing to the rapid increase in the number of devices connected to the Internet, global IP addresses tend to be in short supply. Accordingly, in the LAN of an organization or household that is not connected to the Internet directly, it is common to use private IP addresses, specified by RFC1918, which are unique only within the LAN. Private IP addresses are not unique on the Internet, and thus a device having a private IP address cannot, in this state, communicate with a device connected to the Internet. This problem is solved by the NAT or NAPT function, which provides mutual conversion between global IP addresses and private IP addresses so that devices assigned private IP addresses can communicate via the Internet.
The mechanism of the NAT function is explained below by referring to the communication sequence diagram in FIG. 8A. A LAN 711 is connected to the Internet 712 by way of a router 703. A device 701 is connected to the LAN 711, and a server 702 is connected to the Internet 712. The IP address of the device 701 is a private IP address “192.168.1.2,” and the IP address of the server 702 is supposed to be a global IP address “4.17.168.6.” The Internet side address of the router 703 is a global IP address “202.224.159.142.” For the sake of explanation, the router 703 is assumed to have only one Internet side address.
In this network configuration, to start communication with the server 702, the device 701 first sends an IP packet 704 to the LAN 711. In order to specify the destination of transmission and reception, the IP packet 704 includes fields for holding source IP address (SA), destination IP address (DA), source port (SP), and destination port (DP), and a payload for carrying desired information.
The router 703 detects that the destination of the IP packet 704 is global IP address “4.17.168.6,” and performs going route conversion 708 of the IP packet 704 to transfer it to the Internet 712 as IP packet 705. In going route conversion 708, private IP address “192.168.1.2” in SA field of the IP packet 704 is replaced with the Internet side global IP address “202.224.159.142” of the router 703. At this time, the router 703 stores a set of SA “192.168.1.2” of IP packet 704 and DA “4.17.168.6” of IP packet 705 in NAT table 713 held inside of the router 703 as shown in FIG. 8B.
As a result of conversion 708, the IP packet 705 becomes a packet which can be transferred on the Internet, since it contains only global IP addresses. Accordingly, the IP packet 705 is transferred to the intended server 702, the packet response is processed (S710) in the server 702, and the IP packet 706 of response is returned to the router 703. In the packet response process (S710), the values of SA and DA of the packet are exchanged.
When receiving the IP packet 706, the router 703 compares it with the NAT table 713. As a result of comparison, the DA of the IP packet 706 coincides with the SA of the IP packet 705, so it is confirmed to be the response to the packet sent out from the router 703, and returning route conversion 709 is conducted.
In returning route conversion 709, the router 703 replaces the global IP address “202.224.159.142” in the DA field of the IP packet 706 with the IP address “192.168.1.2” of the device 701 stored in the NAT table 713, looked up on the basis of the IP address “4.17.168.6” in the SA field of the IP packet 706, and transfers it to the LAN 711 as IP packet 707. As a result, the IP packet 707 is transmitted to the device 701, and is received in the device 701 as the response to the IP packet 704.
The NAT table 713 is held during communication, and is discarded when the communication is over. In the case of a TCP packet, end of communication is usually judged by detection of the SYN packet or by a time-out determined by a period for which no communication is made. In the case of a UDP packet, it is usually judged by time-out. Thus, communication is enabled between the device 701 on the LAN and the server 702 on the Internet.
Thus, by the router having the NAT function, communication between a device on the LAN and a device on the Internet is enabled. However, in the mechanism of the NAT, in order that a plurality of devices on the LAN can communicate simultaneously with devices on the Internet, the NAT router must be assigned as many global IP addresses as the number of devices communicating simultaneously, and the effect of saving global IP addresses is reduced. To solve this problem, the NAPT function was developed by extending the function of the NAT.
The mechanism of the NAPT function is explained by referring to the communication sequence diagram in FIG. 9A. Explanation of the same operation as in the NAT in FIG. 8A is omitted. In the NAT, only the IP address of the IP packet is converted, but in the NAPT, the port is converted at the same time. That is, in going route conversion 808 in FIG. 9A, in addition to the same converting process as in the NAT, a port number not used by a router 803 at the present is selected (herein “100”), and it is replaced with the SP (herein “1”) of an IP packet 804, and is converted into an IP packet 805. At this time, the router 803 stores a set of SP (1) of IP packet 804 and replaced port (100) of the router 803 in NAPT table 813 (see FIG. 9B) in the router 803, in addition to a set of SA “192.168.1.2” of IP packet 804 and DA “4.17.168.6” of IP packet 805.
When receiving the IP packet 806, the router 803 compares the content of the received packet with the table 813. As a result of comparison, if the DA of the received IP packet 806 coincides with the SA of the IP packet 805, and the DP of the IP packet 806 coincides with the SP of the IP packet 805, then it is confirmed that the received packet 806 is the response to the packet 805 sent out from the router 803. Hence returning route conversion 809 is conducted. In returning route conversion 809, in addition to the operation of the NAT, the content of the DP (herein “100”) of the IP packet 806 is replaced with the SP (herein “1”) of the saved IP packet 804, and the packet is converted to the IP packet 807. As a result, communication is enabled between the device 801 on the LAN 811 and the server 802 on the Internet 812. According to the NAPT function, when a plurality of devices communicate simultaneously from the LAN side, the communications of the individual devices, such as the device 801, can be distinguished by the port numbers of the router, and therefore even though the router 803 has only one global IP address, as many communications can be carried out simultaneously as there are ports of the router.
In this way, according to the NAT or NAPT technology, it is easy to connect from a device in the LAN having a private IP address to a server on the Internet. On the other hand, it is not easy to connect freely, whenever desired, from a device on the Internet to a device in the LAN having a private IP address, and hence it was difficult to realize such a function as controlling electric home appliances at home by connecting to them from a cellular phone via the Internet. This is because the device in the LAN has a private IP address, and a packet cannot be sent to the private IP address from the device on the Internet. To solve this problem, a function called static NAT or port forwarding has been proposed.
In the static NAT function, the user has to set a static NAT table in the router in advance. An entry of the static NAT table consists of the IP address and port of the device in the LAN to be connected to, and an arbitrary vacant port of the router. When desiring to connect to a device in the LAN from the Internet, the user designates the set of the global IP address of the router and the port preset in the static NAT table from the user's terminal, and transmits a packet. The router compares the content of the packet received from the user's terminal with the entries of the preset static NAT table, and replaces the transmission destination of the packet with the IP address and port of the device in the LAN in the matching entry before transferring it.
By such static NAT, it is possible to communicate from a device on the Internet to a device in the LAN. In the static NAT, however, the user must set the static NAT table beforehand, and the content of this setting is complicated for an end user without knowledge of IP addresses. Besides, if the global IP address of the router is dynamically assigned by the PPP or DHCP protocol, it is hard for the user to know the address, and the destination of connection cannot be specified. Still more, security is lowered because an external packet is transferred into the LAN. Further, if the router managed by the user is connected to a private-address network of the ISP, that is, when there are multiple stages of NAT, communication from the Internet is not possible unless the static NAT of the ISP's router is also set. As such, there were many problems.
As explained herein, although it is easy to connect from a device in the LAN having a private IP address to a device on the Internet, it was not easy to connect, when desired, to a device in the LAN having a private IP address from a device on the Internet. It was hence difficult to realize such a function as controlling a personal computer (PC) or electric appliance at home by connecting to it from a PC or cellular phone via the Internet.
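As an added example (not part of the specification), the following Python simulates the NAPT going route conversion 808 and returning route conversion 809 of FIG. 9A, together with the static NAT lookup of the preceding paragraph, using the addresses of the figures. The destination port 80 of the device's packet, the router's port counter starting at 100, the static entry (router port 8080 to 192.168.1.10:80) and the outside address 5.6.7.8 are constructed values not given in the text; the key point it shows is that an inbound packet matching neither the NAPT table nor a static entry is dropped rather than forwarded into the LAN.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    sa: str  # source IP address (SA)
    da: str  # destination IP address (DA)
    sp: int  # source port (SP)
    dp: int  # destination port (DP)


class NaptRouter:
    """Router 803 with a dynamic NAPT table (FIG. 9B) and a static NAT table."""

    def __init__(self, wan_ip: str, first_port: int = 100) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port  # assumed: vacant router ports handed out sequentially
        # (router port, server IP) -> (LAN IP, LAN port); mirrors table 813
        self.table: Dict[Tuple[int, str], Tuple[str, int]] = {}
        # router port -> (LAN IP, LAN port); the user-configured static NAT table
        self.static: Dict[int, Tuple[str, int]] = {}

    def add_static(self, router_port: int, lan_ip: str, lan_port: int) -> None:
        self.static[router_port] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Going route conversion 808: rewrite SA/SP and remember the mapping."""
        port = self.next_port
        self.next_port += 1
        self.table[(port, pkt.da)] = (pkt.sa, pkt.sp)
        return replace(pkt, sa=self.wan_ip, sp=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Returning route conversion 809; None means the packet is dropped."""
        if pkt.da != self.wan_ip:
            return None
        hit = self.table.get((pkt.dp, pkt.sa))  # DA == router SA and DP == router SP
        if hit is None:
            hit = self.static.get(pkt.dp)  # fall back to static NAT / port forwarding
        if hit is None:
            return None  # unsolicited packet: no entry, nothing is forwarded
        lan_ip, lan_port = hit
        return replace(pkt, da=lan_ip, dp=lan_port)


def server_response(pkt: Packet) -> Packet:
    """Packet response process in the server: swap SA/DA and SP/DP."""
    return Packet(sa=pkt.da, da=pkt.sa, sp=pkt.dp, dp=pkt.sp)
```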