1. Field of the Invention
The present invention relates to a packet relaying method in a packet relay network, and more particularly to a packet relaying method and a packet relaying apparatus in an extranet that interconnects a plurality of different networks.
2. Description of the Related Art
Today, enterprises and organizations have a plurality of sites in different places, which are interconnected through an IT infrastructure. To achieve such a configuration, sites are increasingly connected through an IP-VPN (Internet Protocol Virtual Private Network), which can be realized at lower cost than dedicated lines. Each site is configured as a subnet group including at least one subnet. Using an IP-VPN conforming to RFC (Request for Comments) 2547bis of the IETF (Internet Engineering Task Force), which has come into wide use in recent years, sites in different regions can be interconnected using a virtual network overlaid on the Internet. In such a corporate network connected through the VPN, the network administrators of the organization generally coordinate so that the addresses assigned in the respective sites of the organization are not duplicated, thereby avoiding contradictions in the corporate network connected through the VPN. Thus, network operation can be simplified by using a function that dynamically exchanges the routing information of a remote site through the VPN.
Today, for the purpose of business cooperation between different enterprises and the like, there are cases in which the networks of the respective organizations are interconnected. Such a form of connection is called an extranet. Generally, in a corporate network or a home network, private addresses are assigned to the internal apparatus. In many cases each network is designed independently, so that the same address range is used in different enterprises. As a result, a situation in which network addresses are duplicated among the sites may arise when an extranet is implemented.
In particular, in an IP-VPN conforming to RFC 2547, routing information within a site is exchanged using the extended BGP (Border Gateway Protocol). When the sites of the different organizations to be connected happen to use different address ranges, interconnectivity can be secured by exchanging routing information in the ordinary manner. However, when network addresses are duplicated, the resulting route contradiction causes a problem: communication between the sites becomes impossible.
As a prior art for connecting sites having duplicated addresses with each other, there is a technique called NAT-dst provided by Juniper Networks, Inc. NAT (Network Address Translation) is an address conversion technique for mutually converting a private IP address, which is valid only within a certain organization, and a global IP address, which is available for external access to the Internet. According to the above technique, a NAT rule corresponding to the destination address must be statically set in the gateways located at the borders of the sites having the duplicated network address (IP address). When there are a plurality of sites having duplicated addresses, NAT rules must be set for as many as the number of combinations of sites, which makes the setting work troublesome. Further, when the network address (IP address) of a site is modified, the gateway settings must also be modified, which again requires complicated work. Accordingly, a method for performing address conversion and its setting automatically becomes necessary.
As a method for dynamically generating an address conversion table when sites possibly having duplicated addresses communicate through the Internet, the invention disclosed in the official gazette of Japanese Unexamined Patent Publication No. 2004-304235, for example, is known. In that technique, the domain name system (DNS) is utilized for the signaling of the setting.
According to the above invention, the network system includes a private network of the transmission source, a private network of the destination, and the Internet connecting the two private networks. A gateway (border router) is provided between each private network and the Internet. The gateway has an address conversion function and also functions as a DNS server within its private network. Further, a DNS server is provided in the Internet; this DNS server resolves the top-level domain name of each private network and also resolves the address of the DNS server that performs address resolution within that private network. When a terminal in one private network accesses another private network, the terminal first requests the gateway, which also functions as the DNS server of the private network of the transmission source (hereafter referred to as the source private network), to resolve the name. The gateway inquires of the DNS server in the Internet about the address of the gateway managing the domain concerned, following the hierarchy from the top domain. The gateway of the transmission source (hereafter referred to as the source gateway) then transmits a name resolution query for the destination address to the destination gateway. In response to this query, the destination gateway generates an address reachable from the Internet side corresponding to the destination terminal, and replies to the source gateway with the generated address. On receipt of the destination terminal address, the source gateway generates a dummy IP address corresponding to the received address and stores the correspondence in a table. The source gateway also replies to the terminal that originally issued the query with the name of the destination terminal together with the corresponding dummy IP address. The source terminal then transmits to the gateway a packet specifying the dummy address as the destination address.
The gateway converts the destination address in the packet according to the table and transmits the packet to the gateway of the remote site. When the packet reaches the generated address, the destination gateway converts the destination address into the destination terminal address corresponding to the received destination address, and then transmits the packet to the terminal.
According to the above method using the DNS, NAT rule setting can be automated because the conversion rule is set, triggered by the DNS, at the time of communication between sites having duplicated addresses. However, the address conversion rule is set wastefully at all times, that is, even for communication between sites that have no duplicated addresses. In other words, in the method of setting address conversion by use of the DNS, it is not possible to distinguish the case in which the NAT rule should be applied from the case in which it should not, based on whether or not address duplication exists. When the sites are interconnected through a VPN, address conversion is not always needed at the time of communication, because the connection does not pass through the Internet: as long as no address is duplicated between the sites, address conversion is unnecessary. Executing address conversion for all addresses wastes gateway resources and increases the gateway load, which may degrade packet relaying performance.
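The following Python simulation is an added illustration, not code from the cited publication or from this invention, of the DNS-triggered conversion flow described in the preceding paragraphs: the destination gateway allocates a reachable address per queried terminal, the source gateway maps it onto a dummy address handed to the local terminal, and each gateway rewrites the destination on the way through. The gateway classes, the address pools and the sample addresses are constructed assumptions; the range-overlap check at the top is the test the DNS method is said to lack, shown so the reader can see when conversion is actually needed.

```python
import ipaddress

# Constructed sample (not from the patent): both sites use the same private
# range, so a packet addressed to 192.168.1.20 is ambiguous across the VPN.
SITE_A = "192.168.1.0/24"        # source site range
SITE_B = "192.168.1.0/24"        # destination site range (duplicated)
DST_TERMINAL = "192.168.1.20"    # real address of the destination terminal


def addresses_overlap(cidr_a, cidr_b):
    """True when two site ranges collide, i.e. when conversion is needed."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


class DestinationGateway:
    """Border router of the destination site: hands out an address reachable
    from outside for each queried terminal and maps it back on arrival."""
    def __init__(self, reachable_pool):
        self.pool = ipaddress.ip_network(reachable_pool).hosts()
        self.reachable_to_host = {}

    def resolve(self, host_addr):
        reachable = str(next(self.pool))          # allocate per-host address
        self.reachable_to_host[reachable] = host_addr
        return reachable

    def inbound(self, packet):
        # rewrite dst from the reachable address to the real terminal address
        return {**packet, "dst": self.reachable_to_host[packet["dst"]]}


class SourceGateway:
    """Border router and DNS proxy of the source site: maps the reachable
    address learned from the remote gateway onto a dummy address."""
    def __init__(self, dummy_pool):
        self.pool = ipaddress.ip_network(dummy_pool).hosts()
        self.dummy_to_reachable = {}

    def resolve(self, reachable):
        dummy = str(next(self.pool))              # dummy returned in DNS reply
        self.dummy_to_reachable[dummy] = reachable
        return dummy

    def outbound(self, packet):
        # rewrite dst from the dummy address to the remote reachable address
        return {**packet, "dst": self.dummy_to_reachable[packet["dst"]]}


def relay(host=DST_TERMINAL):
    dgw = DestinationGateway("203.0.113.0/29")    # constructed address pools
    sgw = SourceGateway("10.255.0.0/29")
    dummy = sgw.resolve(dgw.resolve(host))         # DNS signalling A -> B -> A
    pkt = {"src": "192.168.1.10", "dst": dummy}    # terminal sends to the dummy
    return dummy, dgw.inbound(sgw.outbound(pkt))["dst"]
```

Note that `relay` performs the conversion regardless of what `addresses_overlap` returns, which is exactly the wasteful behaviour the paragraph above describes.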
In addition, according to the above-mentioned method using the DNS, a route within the site becomes necessary for transferring the packet having the converted address from the terminal that issued the DNS query to the gateway of the site. When there is one gateway and a default route has been distributed statically within the site, the packet destined for the converted address can be transferred to that gateway. However, when there are a plurality of gateways, the default route can transfer the packet to only one of them. It is also possible to statically distribute a route to each respective gateway for each converted address. However, when the number of conversion addresses generated by the DNS increases and the conversion addresses are generated from a plurality of network address ranges, static route settings to the gateways must be performed many times, which is troublesome work for the administrator.