1. Field of the Invention
The present invention relates to a packet relaying apparatus and a packet relaying method for providing communication services and more particularly to a packet relaying apparatus and a packet relaying method for relaying of packets among virtual private networks and routing domains.
2. Description of the Related Art
In recent years, with the rapid spread of the Internet, a user (for example, a company or a university) can communicate with each of its dispersed branches or campuses without using any virtual path/virtual channel provided by ATM (Asynchronous Transfer Mode) and/or FR (Frame Relay). A VPN is sometimes formed for this communication. Hereinafter, a VPN will sometimes be called a virtual private network.
Some users individually assign IP addresses for use only within their own network. When private IP addresses are used within such a user network, packets having private IP addresses cannot be transmitted directly to the Internet, which uses global IP addresses.
This is because the private IP addresses and global IP addresses would overlap on the Internet, which would probably prevent normal communication through the Internet.
Therefore, to provide communications among the sites of such a user's private network, a system is required that performs encapsulation (tunneling) with an IP packet having a global IP address, for example, so that the IP packet can be transferred to the Internet when the user's private network connects to the Internet. The encapsulated packet is received and, at the same time, decapsulated by the Internet connection router of the receiving site, and is then routed to the destination host within the receiving site.
In this case, the user is required to install an apparatus that tunnels IP packets having private IP addresses using a global IP address (encapsulation on the transmitting side and decapsulation on the receiving side). Namely, a new apparatus must be introduced.
Moreover, since the encapsulation and decapsulation processes are newly required, performance may deteriorate. In the following explanation, a relaying apparatus is in some cases described as a router.
Moreover, when a user connects each site to the Internet, routing control and the setting of logical interfaces and the like in the router of each site become more complicated as the number of combinations of settings among the sites increases. This raises the problem that considerable cost is required for the introduction, maintenance and management of the network apparatuses and for training the persons in charge of network management.
Therefore, when a user introduces a VPN (“Virtual Private Network”) to provide communications with each site via the Internet, the user can receive provisioned VPN services without any modification of the existing network by entrusting (outsourcing) the introduction, maintenance and management of the VPN to a provider (which includes a carrier in the present invention).
In this VPN service, the tunneling starting/ending functions are realized by a router of the provider. When a user has a plurality of sites, the router of the provider comprises a routing control function for each user, which determines the network of the destination user site to which an IP packet received from the transmission source user site should be transmitted through encapsulation.
This function is provided by a router of the provider through outsourcing. When the provider offers the VPN service as explained above, the edge router of the provider transfers IP packets using the routing control function specific to the user network, separately from the routing control function of the Internet.
Therefore, setting up the VPN service is very complicated for the provider, because the routing control function must be managed independently for each site network of each user.
In some cases, a user can build a VPN through the Internet, but the explanation here assumes that the provider builds the VPN and provides the VPN service to users. From the point of view of network ownership, a network in which a plurality of sites are managed by the same owner is called an “Intranet”; it is operated, for example, by a company as the owner.
A network in which the plurality of sites are not managed by the same owner is called an “Extranet” and is operated, for example, by different independent companies. Moreover, networks can also be classified according to the routing domains with which the intranet or extranet is structured.
Namely, when a network is formed of a single routing domain, it is called single-domain, and when it is formed of a plurality of routing domains, it is called multi-domain. An example of network structures combining single-domain/multi-domain with intranet/extranet, as explained above, is illustrated in FIG. 1. Like reference codes designate like or equivalent elements throughout the figures.
However, in general, it is rare in an intranet for a plurality of routing domains to exist within a network managed by a single managing entity. Therefore, the word “intranet” in this specification refers to a single-domain intranet.
Moreover, in an extranet, different relaying rules (policies) are often used in the respective networks managed by a plurality of owners. Therefore, the word “extranet” in the following explanation refers to a multi-domain extranet.
Next, FIG. 2 illustrates how a router accommodating a VPN of the single-domain and multi-domain structures of FIG. 1 structures the relaying table. FIG. 2 illustrates an example of the structure of the relaying table of a router accommodating an intranet VPN of the single-domain structure connected via the provider. In this figure, a packet receiving unit 113 refers to a domain identification table 109 to identify the transmission source routing domain of a received packet. If the packet is a routing packet, that is, one that includes routing information, it is passed to an intranet domain routing information processing unit 101.
For example, when the received packet is a routing packet carrying routing information from the routing domain #11 (not illustrated), an intranet domain routing information management unit 102 (left side in the figure) receives this routing packet and writes it to the intranet domain relaying table 104 (right side in the figure) corresponding to VPN#11, one such table being provided for each VPN. Namely, in FIG. 2 a packet from the routing domain #11 can be relayed only to the routing domain #11.
On the other hand, the intranet domain routing information management unit 102 (right side in the figure) corresponding to the routing domain #12 (not illustrated) writes the packet data to the intranet domain relaying tables 104 (left and right sides in the figure) of VPN#11 and VPN#12. Namely, a packet from the routing domain #12 can be relayed to both the routing domain #11 and the routing domain #12. Processes for connection and disconnection between the routing domain #11 and the routing domain #12 have been carried out in cooperation with the intranet domain relaying table 104 corresponding to the intranet domain routing information management unit 102.
Here, a packet including the transmission destination IP address is passed to the packet transmitting unit 112 together with the output interface information of the packet transmitting unit 112. The packet transmitting unit 112 selects the designated output interface and transmits the packet. If the transmission destination IP address does not exist in the intranet domain relaying table 104 corresponding to the VPN(s), the packet is discarded.
Each intranet domain relaying table 104 is structured to include the transmission destination IP address, the IP address mask information, the output interface information, the next hop router IP address and the like.
Moreover, the routing domain information held in the intranet domain routing information processing unit 101 is included in a routing packet and periodically passed to the packet transmitting unit 112, which distributes the routing packet to the adjacent router.
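The per-VPN relaying described above for FIG. 2 can be sketched as follows; this is an added example and not code from the patent. It assumes the source domain is identified by ingress interface and that entries are selected by longest-prefix match, and all interface names, prefixes and next hops are constructed.

```python
import ipaddress

# Constructed sample data. Assumption: the domain identification table maps
# the ingress interface to a VPN number (the text does not say what it keys on).
DOMAIN_ID_TABLE = {"if-a": 11, "if-b": 12}

class RelayingTable:
    """One table per VPN: destination prefix/mask, output interface, next hop."""
    def __init__(self):
        self.entries = []

    def add(self, prefix, out_if, next_hop):
        self.entries.append((ipaddress.ip_network(prefix), out_if, next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [e for e in self.entries if addr in e[0]]
        # Assumption: the most specific mask wins (longest-prefix match),
        # as in ordinary IP forwarding.
        return max(matches, key=lambda e: e[0].prefixlen, default=None)

def build_tables():
    # Both VPNs use the same private prefix; separate tables keep them apart.
    tables = {11: RelayingTable(), 12: RelayingTable()}
    tables[11].add("10.1.0.0/16", "if-a2", "192.0.2.1")
    tables[11].add("10.1.5.0/24", "if-a3", "192.0.2.5")
    tables[12].add("10.1.0.0/16", "if-b2", "198.51.100.1")
    return tables

def relay(tables, in_if, dst):
    vpn = DOMAIN_ID_TABLE.get(in_if)
    if vpn is None:  # assumption: unidentified source domains are dropped
        return ("drop", "unknown source domain")
    entry = tables[vpn].lookup(dst)
    if entry is None:
        # Destination absent from this VPN's relaying table: discard.
        return ("drop", "no route in VPN#%d" % vpn)
    _, out_if, next_hop = entry
    return ("forward", vpn, out_if, next_hop)

if __name__ == "__main__":
    t = build_tables()
    for in_if, dst in [("if-a", "10.1.5.9"), ("if-b", "10.1.5.9"), ("if-a", "10.2.0.1")]:
        print(in_if, dst, relay(t, in_if, dst))
```

The same destination address resolves to different output interfaces depending on the VPN the packet arrived from, which is the isolation property an operator should verify when auditing such a configuration.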