The present invention relates to an address translator for effecting mutual connection among a plurality of communication networks in which address translation is required for discrimination of hosts for mutual communication.
Protocol translation is a known technology which is used to realize communication between a network to which a certain host belongs and a network to which a communication partner belongs under the condition that different communication protocols are used in these networks. For example, as an Internet Protocol (hereinafter referred to as “IP”), the Internet Protocol version 4 (hereinafter referred to as “IPv4”) is used at present at every location in the world. However, there is now a concern that there may be a shortage of available addresses, and therefore the Internet Protocol version 6 (hereinafter referred to as “IPv6”) has been proposed in order to solve this problem.
However, since it is substantially impossible to directly shift the Internet Protocol from IPv4 to IPv6, introduction of a system to connect a network using IPv4 and a network using IPv6 through protocol translation has also been proposed. As examples of practical translation systems, the NAT-PT, which is described in the RFCs (Request For Comments) 2765 and 2766 published by the IETF (Internet Engineering Task Force), the SOCKS64, which is described in RFC 3089, the transport relay, which is described in RFC 3142, and the like are known.
These translation systems are basically intended to translate the format of an IP packet between IPv4 and IPv6. In this case, since address translation is also performed between IPv4 and IPv6, it is necessary to generate a translation rule between the IPv4 address and the IPv6 address before the translation and then to maintain this address translation rule. The translation rule is set statically in advance in some cases, or it is created dynamically each time a communication is generated. In the latter case, a name resolution of the DNS (Domain Name System) is utilized to start generation of the translation rule.
The DNS is a system used to translate names which are written as a string of characters for easier understanding by people into IP addresses. The operation to translate the names into IP addresses is called name resolution. At present, almost all applications on the Internet obtain the IP addresses of a communication partner by utilizing this DNS.
Utilizing this fact, the IPv4-IPv6 translator always monitors the DNS messages that are exchanged to start a communication, and it generates the IP address translation rule when the name resolution request message is issued. The practical operations involved in such a communication will be described below, considering the example of a communication that has originated from an IPv6 host toward an IPv4 host.
First, an IPv6 host inquires of a DNS proxy server as to the IPv6 address of the receiving side host. Next, the DNS proxy server also sends an inquiry to the other DNS servers and receives, as a response to this request, the address of the receiving side host. When the received address is an IPv4 address, the DNS proxy server updates the IPv4 address in the response message to a temporary IPv6 address, and then it returns this temporary IPv6 address to the IPv6 host. In this case, the IPv4-IPv6 translator, in cooperation with the DNS proxy server, generates the address translation rule as the correspondence between the IPv4 address before updating and the updated temporary IPv6 address and, thereafter, stores this rule within the server.
The transmitting side IPv6 host transmits IPv6 packets to the temporary IPv6 address of the receiving side host identified by the name resolution of the DNS, as described above. At this time, the source address of the packets is the IPv6 address of the transmitting side host itself. These IPv6 packets are first received by the IPv4-IPv6 translator.
Upon reception of the IPv6 packets, the IPv4-IPv6 translator first searches for the IPv4 address corresponding to the destination IPv6 address of the IPv6 packets in a table storing the address translation rules (hereinafter referred to as the “address translation table”). At this time, since the destination address translation rule has already been generated by the name resolution of the DNS, the object IPv4 address can be obtained.
Next, the IPv4-IPv6 translator searches the address translation table for the IPv4 address corresponding to the transmission source IPv6 address of the IPv6 packets. However, since the translation rule for the transmission source address has not yet been generated at this time, the object IPv4 address cannot be obtained. Therefore, the address translator newly assigns a temporary IPv4 address to the IPv6 address of the transmitting side host, generates the address translation rule as the correspondence between these two addresses, and registers it in the address translation table.
When the translation rule for the transmission source address has been generated and the IPv4 addresses corresponding respectively to the transmission source and the destination can be obtained, the IPv6 packets are translated into IPv4 packets, in which the transmission source and destination addresses are updated respectively to the corresponding IPv4 addresses, and they are then transmitted toward the destination. Thereafter, since the translation rules for the transmission source address and the destination address have already been generated, the packets transmitted between both hosts are translated with reference to these translation rules.
Here, the address translation rule which is generated dynamically is only a temporary rule, and, therefore, this rule is discarded when the communication is terminated.
In the above-described example, the communication from the IPv6 host toward the IPv4 host is discussed, but a communication from the IPv4 host toward the IPv6 host and a communication which requires address translation between IPv4 hosts (for example, communication between two IPv4 private networks in which addresses may overlap) also generate an address translation rule in the sequence described above to realize a communication through the address translation.
In addition, even when communication protocols other than IP are used, it is also possible to generate a rule for the mutual translation of host discriminators, depending on the protocol, in the same manner as described above, by providing a means to establish correspondence between the information which discriminates the host in each protocol, such as the IPv4 address and the IPv6 address, and information which uniquely discriminates the host independently of the protocol.
As is obvious from the above description, in a communication effected through an address translation, the destination address after update by the address translation process has to be the address actually given to the host (hereinafter referred to as a “native address”). Moreover, the transmission source address before update by the address translation process also has to be a native address.
If the destination address after an update by the address translation process is a temporary address, the following two kinds of failures may occur.
First, when no host exists having an address which matches the destination address after the update process, the packets transmitted from the address translator through address translation have no destination.
Second, when an address that is preset as a temporary address overlaps with the address of a host which actually exists, the packets transmitted from the address translator through address translation reach an unexpected destination.
When a name resolution provided by the DNS is utilized to start the generation of an address translation rule, the second failure may be expected to occur.
Moreover, if the transmission source address before update by the address translation process is a temporary address, another host which is given the same address as the transmission source address after the update process can be expected to exist, and, therefore, the hosts on the receiving side consider the packets as having been transmitted from that other host. Accordingly, it becomes possible for a malicious host to falsely access a certain host or server by pretending to be one of the other actual hosts.
As described above, when the transmission source address before address translation is a temporary address, or when the destination address after address translation is a temporary address, in a communication which requires address translation, there is a concern that a failure may occur in the network accommodating the transmission destination host, because packets bearing such a destination address actually exist.
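The DNS-driven rule generation sequence described above and the temporary-address failure modes just discussed, as an added example that is not part of the patent text or any product's code: a minimal model of the translator with the DNS proxy step, dynamic source-rule allocation, rule discard at the end of a communication, and a check that the temporary IPv4 pool does not overlap the addresses of real hosts (the second failure). The temporary IPv6 prefix, the temporary IPv4 pool and all addresses are constructed values assumed for the example.

```python
import ipaddress

# Constructed values assumed for this example (not from the page): the IPv6
# prefix that carries temporary addresses for IPv4 hosts, and the pool of
# temporary IPv4 addresses handed out on behalf of IPv6 hosts.
TEMP_V6_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")
TEMP_V4_POOL = ipaddress.IPv4Network("192.0.2.0/29")

class Translator:
    """Model of the DNS-driven IPv4/IPv6 address translator described above."""
    def __init__(self):
        self.v6_to_v4 = {}   # temporary IPv6 -> native IPv4 (destination rules)
        self.v4_to_v6 = {}   # temporary IPv4 -> native IPv6 (source rules)
        self.free_v4 = list(TEMP_V4_POOL.hosts())

    def dns_response(self, answer):
        """DNS proxy step: an IPv4 answer is replaced by a temporary IPv6
        address and the corresponding destination rule is registered."""
        addr = ipaddress.ip_address(answer)
        if addr.version == 6:
            return addr                     # native IPv6 answer, no rule needed
        temp6 = TEMP_V6_PREFIX[int(addr)]   # embed the IPv4 address in the prefix
        self.v6_to_v4[temp6] = addr
        return temp6

    def translate_v6_packet(self, src6, dst6):
        """Return the (source, destination) IPv4 pair for an IPv6 packet."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        dst4 = self.v6_to_v4.get(dst6)
        if dst4 is None:  # no name resolution preceded this packet
            raise LookupError("no translation rule for destination %s" % dst6)
        src4 = next((t for t, n in self.v4_to_v6.items() if n == src6), None)
        if src4 is None:  # first packet from this host: assign a temporary IPv4
            src4 = self.free_v4.pop(0)
            self.v4_to_v6[src4] = src6
        return src4, dst4

    def release(self, src6):
        """Discard the temporary source rule when the communication ends."""
        src6 = ipaddress.IPv6Address(src6)
        for temp4, native in list(self.v4_to_v6.items()):
            if native == src6:
                del self.v4_to_v6[temp4]
                self.free_v4.append(temp4)

def pool_overlaps_native_hosts(native_v4):
    """Second failure above: temporary addresses that collide with real hosts."""
    return sorted(a for a in map(ipaddress.IPv4Address, native_v4) if a in TEMP_V4_POOL)
```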