RELAY SERVER AND RELAY COMMUNICATION SYSTEM
BACKGROUND OF THE INVENTION
1. Field of the Invention
[000l] Thepresent invention relatestoa relay server that enables
communicationtobeperformedbetweenterminalsconnectedtodifferent
LANs (Local Area Networks).
2. Description of the Related Art
[0002] Conventionally, acommunicationtechnologycalledavirtual
private network (Virtual Private Network, VPN) has been known (for
example, see Japanese Patent Application Laid-Open No. 2002-217938).
The VPN is used for, for example, performing communication via the
internet between terminals that are connected to LANs of a plurality
of branch offices (stations) each located in one of a plurality of
regions. UseoftheVPNenables another L A N l o c a t e d i n a d i s t a n t p l a c e
to be used as if it is a directly-connected network.
[0003] However, this type of system is often rigid, and it is not
easy to build an expandable and flexible system. For example, in the
communication system disclosed in Japanese Patent Application
Laid-Open No. 2002-217938 mentioned above, it is impossible to build
a v i r t u a l n e t w o r k b y u s i n g o n l y s e l e c t p o r t i o n s o f a p p a r a t u s e s i n c l u d e d
in the system. Additionally, even when a virtual network is normally
operatedat an initial stage, there is apossibility that it subsequently
becomes impossible to appropriatelybuildthe virtual network if, for
example, a change in a configuration or setting ofa network apparatus
occurs.
SUMMARY OF THE INVENTION
[0004] In view of the circumstances described above, preferred
embodiments of the present invention provide a relay server that is
able to flexibly deal with a change in a status of a network and start
a virtual network.
[0005] According to a first preferred embodiment of the present
invention, a relay server includes a relay group information storage
unit, a relay server informationstorageunit, aVPNgroupinformation
storage unit, an address filter information storage unit, and a
communication controlunit. Therelay group information storageunit
stores relay group information concerning a relay group including
anotherrelayserverthatismutuallyconnectablewiththerelayserver
itself. Therelayserverinformationstorageunitstoresrelayserver
information including relay server start-up information, client
terminal start-up information, and client terminal registration
information. Therelayserverstart-upinformationconcernstherelay
server belonging to the relay group. The client terminal start-up
information and the client terminal registration information concern
a client terminal that is connected to the relay server belonging to
the relay group. The VPN group information storage unit relates to
a VPN group including routing apparatuses that are communication
apparatuses set as routing points among communication apparatuses
included in a relay communication system based on the relay group
information and the relay server information. The VPN group is
configuredto perform communication in a virtual private network via
theroutingapparatuses. TheVPNgroupinformationstorageunitstores
identification information ofthe routing apparatuses includedinthe
VPNgroupandconnectioninformationindicatingtheroutingapparatuses
that are connectedtoone anothertoestablisha routing session. The
address filter information storage unit stores address filter
information indicating a partner that the routing apparatus is able
to designate as a packet destination, in association with
identification information of the routing apparatus. The
communication control unit is arranged and programmed to perform
control to: cause information stored in the VPN group information
storageunit tobe sharedamongthe routingapparatuses; whenavirtual
p r i v a t e n e t w o r k i s s t a r t e d i n t h e V P N g r o u p , t r a n s m i t t h e a d d r e s s f i l t e r
information tothe other routing apparatuses and receive the address
filter information from the other routing apparatuses, and update a
content stored in the address filter information storage unit based
on the address filter information, and establish a routing session
to route a packet based on the connection information stored in the
VPN group information storage unit; and, after the routing session
is established, refer to a partner that the routing apparatus is able
todesignate as adestinationbasedonthe address filter information,
and perform routing based on a content thus referred to.
[0006] This enables the relay server to establish a VPN with the
routing apparatuses that are selected from the other communication
apparatuses (other relay servers and client terminals) included in
the relay communication system. Therefore, for example, a file can
besharedonlywithanecessarycommunicationapparatus. Additionally,
when a VPN is started in the VPN group, the relay server obtains the
address filter information from the other routing apparatuses.
Accordingly, for example, even in a case where there is a routing
apparatus in which the address filter information has been changed,
a VPN capable of dealing with such a situation can be established.
[0007] In the relay server, it is preferable that the VPN group
information storage unit stores, as the connection information,
identification information of the routing apparatus that takes
initiative toperform a communication control to establish a routing
session and identification information of the routing apparatus that
receives the communication control.
[0008] Accordingly, in a case of establishing a routing session
between two routing apparatuses connected to each other in starting
a VPN in the VPN group, the routing apparatus that should take initiative
toperform the communication control canbe definedin advance. This
can prevent collision of the communication control.
[0009] Preferably, the relay server is configured as follows. In
a case where a destination of a received packet is designated in the
addressfilterinformationassociatedwithidentificationinformation
of the relay server itself, the relay server transmits the packet to
the destination. In a case where a destination of a received packet
is designated in the address filter information associated with
identification information of the routing apparatus different from
the relay server itself, the relay server transmits the packet to the
routing apparatus via a routing session establishedbetweenthe relay
server itselfandthe routingapparatus. Inacasewhereadestination
of a receivedpacket is not designated in the address filter information
associatedwithidentificationinformationoftheroutingapparatuses,
the relay server does not transmit the packet.
[OOlO] This enables the relay server to appropriately perform
routing based on the address filter information.
[ 00111 Preferably, the relay server is configured as follows. In
a case where a state is switched from a first state in which a first
communication apparatus that is the routing apparatus connected to
a wide area communication network via another relay server defines
aVPN group to a second state inwhich a second communication apparatus
that is connected tothe wide area communication networkvia the relay
server itself defines a VPN group, and when the first communication
apparatus in the first state and the second communication apparatus
in the second state have the same identification information; in
starting a virtual private network under the second state, the
communication control unit is programmed to perform a control to
establish a routing sessionbetween a connection partner ofthe first
communicationapparatusinthefirststateandthesecondcommunication
apparatus via the relay server itself.
[0012] Accordingly, even in a case where the configuration of the
VPNgroupis changedbeyondthe relay server, aVPNcapableof flexibly
dealing with such a situation can be established. Additionally, a
VPN can be established in the second state by making effective use
of the VPN group information in the first state.
[0013] Intherelayserver, it ispreferablethat theaddress filter
information storage unit is configured to store a name of a partner
that the routing apparatus is able to designate as a packet destination.
[0014] Accordingly, for example, when referring to the address
filter information, the user can recognize an IP address or the like
of a partner to which a packet can be transmitted, and simultaneously
can recognize a name of the partner, too.
[0015] In the relay server, it is preferable that in a case where,
afteravirtualprivatenetworkis startedintheVPNgroup, theaddress
filter information associatedwith identification information ofthe
relayserveritselfisupdated,thecommunicationcontrolunitperforms
a control to provide a notification of a content of the updating.
[00161 Accordingly, after a virtual private network is started in
the VPN group, the relay server is able toprovide a notification that
theaddress filterinformationassociatedwiththe relay server itself
is updated, to another routing apparatus or the like. This enables
another routing apparatus to take appropriate measures in accordance
with a change of the address filter information.
[0017] In the relay server, it is preferable that in a case where,
after a virtual private network is started in the VPN group, a
notificationthattheaddressfilterinformationisupdatedisreceived,
the communication control unit is programmed to perform, without
stopping the virtual private network, control to: update a content
stored in the address filter information storage unit based on the
content of the updating; and refer to apartner that the routing apparatus
is able to designate as a destination based on an updated version of
the address filter information, andperformroutingbasedona content
thus referred to.
[0018] Accordingly, the number of partners that the routing
apparatus is able todesignateas apacketdestinationcanbeincreased
or decreased while the VPN is maintained.
[0019] In the relay server, it is preferable that in a case where,
after a virtual private network is started in the VPN group, it is
detectedthatacertainroutingapparatusdoesnotfunctionasanentity
of theVPNgroup, the communication control unit is programmed toperform
a control to stop a routing session established with the routing
apparatus, without stopping the virtual private network.
[0020] Accordingly, in a case where it is detected that a certain
routing apparatus does not function as an entity of the VPN group due
to a connection failure, maintenance, or the like, the relay server
can stop a routing session established with the certain routing
apparatus, while maintaining the VPN. This makes it possible to
establish a VPN capable of flexibly dealing with a change in a status.
[0021] Preferably, the relay server is configuredas follows. The
relay server information storage unit stores identification
information of a second relay server that is a relay server different
from the relay server itself, in association with identification
information of a client terminal that is connected to a wide area
communication network via the second relay server. In a case where
it is detected that communication of the second relay server stops,
the communication control unit determines whether or not there is a
client terminal functionin gas a routingpointamong client terminals
connected tothe wide area communication networkvia the second relay
server, based on contents stored in the VPN group information storage
unit and the relay server information storage unit. Then, in a case
where there is any client terminal functioning as a routing point,
the communication control unit is programmed to perform a control to
stop a routing session established with the client terminal.
[0022] Accordingly, merely by detecting that communication of
another relay server stops, the relay server is able to stop a routing
session established with a client terminal that is connected to the
another relay server and that functions as a routing point. This can
eliminate the need for the client terminal to transmit a signal
indicating that it does not function in the VPN group.
[0023] In the relay server, it is preferable that in a case where
it is detected that a certain routing apparatus does not function as
anentityoftheVPNgroup, andwhen, as a result ofthecertain routing
apparatus not functioning as a an entity of the VPN group, the number
ofroutingapparatuses functioningasentitiesoftheVPNgroupbecomes
one, the communication controlunitisprogrammedtoperforma control
to stop the VPN group.
[0024] Accordingly, a VPN that substantially no longer functions
as a network can be automatically stopped.
[0025] In another preferred embodiment of the present invention,
a relay communication system includes a plurality of relay servers
and client terminals. The client terminals are connectable with each
other via the relay servers. The relay server includes a relay group
information storage unit, a relay server information storage unit,
a VPN group information storage unit, an address filter information
storage unit, and a communication control unit. The relay group
information storage unit stores relay group information concerning
a relay group including another relay server that is mutually
connectable with the relay server. The relay server information
storage unit stores relay server information including relay server
start-upinformation, clientterminalstart-upinformation, andclient
terminal registration information. The relay server start-up
information concerns the relay server belonging to the relay group.
The client terminal start-up information and the client terminal
registration information concern the client terminal. The VPN group
information storage unit relates to a VPN group including routing
apparatuses that are set as routing points among the relay servers
and the client terminals. The VPN group is configured to perform
communicationinavirtualprivatenetworkviatheroutingapparatuses.
The VPN group information storage unit stores identification
information of the routing apparatuses that define the VPN group and
connection information indicating the routing apparatuses that are
connectedtooneanother. Theaddress filter informationstorageunit
storesaddressfilterinformationindicatingapartnerthattherouting
apparatus is able to designate as apacketdestination, in association
with identification information of the routing apparatus. The
communication control unit is arranged and programmed to perform
control to: cause information stored in the VPN group information
s t o r a g e u n i t t o b e s h a r e d a m o n g t h e r o u t i n g a p p a r a t u s e s ; w h e n a v i r t u a l
p r i v a t e n e t w o r k i s s t a r t e d i n t h e V P N g r o u p , transmittheaddress filter
information to the other routing apparatuses and receive the address
filter information from the other routing apparatuses, and update a
content stored in the address filter information storage unit, and
establish a routing session that enables a packet to be routed based
on the connection information stored in the VPN group information;
and, after the routing session is established, refertoapartnerthat
the routing apparatus is able to designate as a destination based on
the address filter information, andperformroutingbased on a content
thus referred to.
[0026] Accordingly, a VPN can be established by using routing
apparatuses selected from relay servers and client terminals.
Therefore, for example, a file can be shared only with a necessary
apparatus. Additionally, in this relay communication system, when
a VPN is started in the VPN group, the routing apparatuses exchange
the address filter information with each other. Accordingly, for
example, even in a case where there is a routing apparatus in which
the address filter information has been changed, aVPN capable of dealing
with such a situation can be established.
[0027] In the relay communication system, in a case where, after
a virtual private network is started in the VPN group, the address
filter information associated with identification information of the
relay server itself is updated, the communication control unit ofthe
relay server is programmed toperforma control toprovide a notification
of a content of the updating.
[0028] Accordingly, after a virtual private network is started in
theVPNgroup, eachofthe relay servers is able togive anotification
that the address filter information associated with the relay server
itself is updated, to another routing apparatus or the like. This
enables another routing apparatus to take appropriate measures in
accordance with a change of the address filter information.
[0029] In the relay communication system, it is preferable that
in a case where, after a virtual private network is started in the
VPN group, it is detected that a certain routing apparatus does not
function as an entityofthe VPN group, the communication control unit
ofthe relayserverisprogrammedtoperforma control to stopa routing
session established with the certain routing apparatus, without
stopping the virtual private network.
[0030] Accordingly, in a case where it is detected that a certain
routing apparatus does not function as an entity of the VPN group due
to a connection failure, maintenance, or the like, each of the relay
serverscanstoparoutingsessionestablishedwiththecertainrouting
apparatus, while maintaining the VPN. This makes it possible to
establish a VPN capable of flexibly dealing with a change in a status.
[0031] The above and other elements, features, steps,
characteristics and advantages of the present invention will become
moreapparentfromthe followingdetaileddescriptionofthepreferred
embodiments with reference to the attached drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0032] FIG. 1is a diagram for explaining anoverall configuration
of a relay communication system according to a preferred embodiment
of the present invention.
[0033] FIG. 2 is a function block diagram of a relay server.
[0034] FIG. 3 is a diagram showing a content 'of relay group
information.
[0035] FIG. 4 is a diagram showing a content of relay server
information.
[0036] F I G S . 5A-5Darediagrams showing content of client terminal
information.
[0037] F I G . 6 is a diagram showing a content of VPN group information.
[0038] F I G S . 7A and 7B are diagrams showing content stored in an
address filter information storage unit.
[0039] F I G . 8 is a flowchart showing a process for making a VPN
group.
[0040] F I G . 9 is a flowchart showing the former half of a VPN start
process.
[0041] F I G . 10 is a flowchart showing the latter half of the VPN
start process.
[0042] F I G . 11 is a sequence diagram showing a communication process
for making theVPN group anda communication process for updating address
filter information.
100431 F I G . 12 is a sequence diagram showing a communication process
for establishing a routing session and a communication process for
transmitting a packet.
[0044] F I G . 13 is a sequence diagram showing a communication process
performed when a remote login is made.
[0045] F I G . 14 is a sequence diagram showing a communication process
performed when a packet is transmitted via a client terminal that is
currently making a remote login.
[004 61 F I G S . 15A and 15B are diagrams showing a content stored in
the address filter information storage unit after being updated by
address filter information that is made at a time of the remote login.
[0047] FIG. 16 is a sequence diagram showing a communication process
performed when the address filter information is changed after the
VPN is started.
[0048] FIGS. 17A and 17B are diagrams showing content stored in
the address filter information storage unit after address filter
information associated with a relay server 3 is updated.
[0049] FIG. 18 is a flowchart showing the former half of a process
performedwhenanotificationthata routingapparatus stopsis given.
[0050] FIG. 19is a flowchart showing the latter half ofthe process
performed when the notification that the routing apparatus stops is
given.
[0051] FIG. 20 is a sequence diagram showing a communication process
performed when the relay server 3 leaves the VPN.
[0052] FIG. 21 is a sequence diagram showing a communication process
performed when a relay server 2 stops.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0053] Next, preferred embodiments of the present invention will
bedescribedwith reference tothe drawings. Firstly, with reference
to FIG. 1, an outline of a relay communication system 100 according
to apreferredembodimentofthepresent invention will be described.
FIG. 1 is an explanatory diagram showing an overall configuration of
arelaycommunicationsystem100accordingtoonepreferredembodiment
15
of the present invention.
[0054] As shown in FIG. 1, the relay communication system 100
includes a plurality of LANs 10, 20, 30, and 40 that are connected
toaWideAreaNetwork (WAN, wideareacommunicationnetwork) 80. Each
ofthe LANs 10, 20, 30, and 40 preferablyis a relatively small network
locatedinaphysicallyremotelocation. Inthispreferredembodiment,
the internet preferably is used as the WAN 80, for example.
[0055] In the following, a specific description will be given of
each LAN. As shown in FIG. 1, a relay server 1, a client terminal
11, andaprocessing apparatus 12 are connectedtothe LAN10. Arelay
server 2, a client terminal 21, a processing apparatus 22, and a
processing apparatus 23 are connected to the LAN 20. A relay server
3, a client terminal 31, a processing apparatus 32, and a processing
apparatus 33 are connected to the LAN 30. A relay server 4, a client
terminal 41, and a processing apparatus 42 are connected to the LAN
40.
[0056] Each of the relay servers 1, 2, 3, and 4 is connected not
only to each of the LANs 10, 20, 30, and 40 but also to the WAN 80,
and therefore able to communicate not only with the client terminal
connected to the same LAN but also with the relay servers connected
to the other LANs. Accordingly, not only a global IP address but also
a private IP address is provided to each of the relay servers 1, 2,
3, and 4.
[0057] The client terminals 11, 21, 31, and 41 are, for example,
configured as personal computers, which are able to communicate with
one another via the relay servers 1, 2, 3, and 4. The processing
apparatuses 12, 22, 23, 32, 33, and 42 preferably are, for example,
configured as personal computers, which are able to transmit a packet
,'
to the client terminals 11, 21, 31, and 41 via the LANs 10, 20, 30,
1 and 40.
I
I
[0058] Next, the relay servers 1, 2, 3, and 4 will be described.
These four relay servers preferably have substantially the same
configurations except for a portion of the data stored therein.
Therefore, the relay server 1 will be described as a representative.
Firstly, a configuration included in the relay server 1 will be described
with reference to FIG. 2. FIG. 2 is a function block diagram of any
I
I of the relay servers 1, 2, 3, and 4.
I [00591 As shown in FIG. 2, the relay server 1 includes a storage I
, unit 50, a control unit 60, and an interface unit 70.
[00601 Theinterfaceunit70is able to communicate wit ha terminal
within the LAN 10 byusingthe private IP address. The interface unit
70 is also capable of communication through the WAN 80 by using the
global IP address.
[00611 The control unit 60 preferably is, for example, a CPU
programmedtoperformcontrolandcomputationfunctions, andtoexecute
various kindsofprocessingbasedonaprogramreadoutfromthestorage
I unit 50. The control unit 60 is programmed to control various
communicationprocessesin accordancewith aprotocolsuch as TCP/IP,
UDP, or SIP, for example. As shown in FIG. 2, the control unit 60
includes an interface driver 61, a LAN-side IP packet processing unit
62, acommunicationcontrolunit63, andaWAN-sideIPpacketprocessing
unit 64.
[0062] The interface driver 61 is driver software that controls
the interface unit 70. The LAN-side IP packet processing unit 62
performs an appropriate process on a packet received from the LAN 10,
and outputs a result to the communication control unit 63. The WAN-side
IPpacket processing unit 64 performs an appropriate process on a packet
received from the WAN 80, and outputs a result to the communication
control unit 63.
[0063] Thecommunicationcontrolunit63isprogrammedtodetermine
a destination of the received packet based on information indicated
bythepacketandinformationstoredinthestorageunit50, andtransmits
the packet to the determined destination. The communication control
unit 63 is programmed to update a content stored in the storage unit
50 based on information received from another terminal.
[0064] The storage unit 50 is, for example, configured as a hard
disk or a non-volatile RAM, and able to store various types of data.
The storage unit 50 includes a relay group information storage unit
51, a relay server information storage unit 52, a client terminal
information storage unit 53, a VPN group information storage unit 54,
and an address filter information storage unit 55. Hereinafter, a
configuration included in the storage unit 50 will be described with
reference to FIGS. 3 to 7B. FIG. 3 is a diagram showing a content
of relay group information. FIG. 4 is a diagram showing a content
ofrelayserver information. FIGS. 5A-5Darediagramsshowingcontent
of client terminal information. FIG. 6is a diagram showing a content
ofVPNgroupinformation. FIGS. 7Aand7Bis adiagramshowingcontent
of address filter information.
[0065] The relay group information storage unit 51 stores relay
groupinformationindicatinga relaygroupanda relay server included
in the relay group.
[0066] As shown in FIG. 3, in the relay group information, a group
tag and site tags that are child elements whose parent element is the
group tag are described. In the group tag, group information 511
concerning a relay group is described. As the group information 511,
identification information ("id") of the relay group, a last
modification time ("lastmod"), anda name ("name") ofthe relay group,
are described. In the site tags, group configuration information 512
concerning relay servers included in the relay group is described.
Inthegroupconfigurationinformation512,identificationinformation
("id") of these relayserversisdescribed. Anadditional relay group
can be established. In such a case, a new relay group is given unique
identification information different from those of the other relay
groups. This enables such setting that, for example, data exchange
is performed only within a specific relay group.
[0067] As for this relay group information, the information is
shared among the relay servers 1, 2, 3, and 4 included in this relay
group. In a case where a certain relay server performs a process to
change the relay group, it is transmitted to the other relay servers
and the relay group information is updated. In this manner, the relay
group information is dynamically shared.
[0068] The relay server information storage unit 52 stores relay
serverinformationindicatinganout1ineofarelayserverthatperforms
relay communication and a client terminal that belongs to this relay
server.
[0069] In the relay server information shown in FIG. 4, site tags
each described for each relay server, and node tags that are child
elements whose parent elements are the site tags, are described. In
the site tag, server information 521 concerning the relay server 1
is described. As the server information 521, identification
information ("id") of the relay server, a name ("name") of the relay
server, and start-up information ("stat"), are described. The stat
being "active" indicates that the relay server logs in to the relay
communication system 100, and the stat being blank indicates that the
relay server is logging off. In thenode tag that is the childelement
o f t h e s i t e t a g , b e l o n g i n g i n f o r m a t i o n 5 2 2 i n d i c a t i n g a c l i e n t t e r m i n a l
belonging to the relay server is described. As the belonging
information 522, a name ("group") of the relay group to which a client
terminal belongs, identification information ("id") of the client
terminal, a name ("name") of the client terminal, and identification
information ("site") of the relay server that is a login destination,
are described. When the client terminal does not log in to the relay
server (relay communication system loo), the "site" is blank.
[0070] Communication by the relay group is performed based on the
above-describedrelaygroupinformationandrelayserverinformation,
in the following manner. For example, in a case where a packet is
transmitted from the client terminal 11 to the client terminal 21,
the client terminal 11 firstly transmits a packet to the relay server
1 that is the relay server to which the client terminal 11 itself is
connected. Here, a relay server capable of a packet exchange can be
determined based on the above-described relay group information.
Additionally, the identification information of a client terminal
belonging to the relay server, and whether or not the client terminal
is connected, canbe determinedbasedon the relay server information.
Based on such information, the relay server 1 transmits the packet
to the relay server 2 that is the relay server to which the client
terminal 21 is connected. Then, the relay server 2 transmits the packet
to the client terminal 21. As a result, relay communication can be
performed between client terminals.
[0071] As for the relay server information as well as the relay
group information, the information is shared among the relay servers
1, 2, 3, and 4 included in this relay group. In a case where a certain
relayserverperformsaprocesstochangetherelayserverinformation,
it is transmitted to the other relay servers and the relay server
information is updated. In thismanner, the relay server information
is dynamically shared.
[0072] Theclientterminalinformationstorageunit53storesclient
terminal information that is detailedinformation concerninga client
terminal. Each of the relay servers 1, 2, 3, and 4 stores the client
terminal information concerning only the client terminal belonging
to itself. For example, since the client terminal 11 belongs to the
relay server 1 as shown in FIG. 1, the client terminal information
storage unit 53 included in the relay server 1 stores only the client
terminal information of the client terminal 11.
[0073] Theclientterminalinformationstoredintheclientterminal
information storage unit 53 of the relay server 1 is shown in FIG.
5A. Likewise, the client terminal information stored in the relay
server 2 is shown in FIG. 5B, the client terminal information stored
in the relay server 3 is shown in FIG. 5C, and the client terminal
information stored in the relay server 4 is shown in FIG. 5D.
[0074] In the client terminal information shown in FIGS. 5A-5D,
anodetagisdescribed. Inthenodetag, aprivate IPaddress ("addr")
of a client terminal, a name ("group") of a relay group to which the
client terminal belongs, identification information ("id"), a name
("name"), a passcode ("pass") for logging in to a relay server, and
port information ("port") , are described.
[0075] The VPN group information storage unit 54 stores VPN group
information that is information concerning aVPNgroupincludingrelay
servers that define a relay group and an apparatus (hereinafter referred
to as a routing apparatus) selected from the client terminals. The
VPN group is a group within the relay group. Establishing a routing
session among routing apparatuses can establish a virtual network.
[0076] In the VPN group information shown in FIG. 6, a vnet tag
isdescribed. I n t h e v n e t t a g , V P N g r o u p b a s i c i n f o r m a t i o n 5 4 1 , routing
point information 542, and routing session information 543, are
described. In the VPN group basic information 541, a name ("group")
ofa relay group to which a VPN groupbelongs, identification information
("id") of the VPN group, a last modification time ("lastmod"), and
a name ("name") of the VPN group, are described. In the routing point
information 542, identification information of routing apparatuses
that perform routing at a time of performing communication among VPN
groupsisdescribed. InanexampleshowninFIG. 6,theclientterminal
11, the client terminal 21, and the relay server 3 are described as
the routingapparatuses. In the routing session information 543, the
routing apparatuses connected to one another in the VPN group are
described. In the routing session information 543, the routing
apparatuses are defined such that they are classified into the side
("sp (start point) ") that takes initiative to perform a communication
control andthe side ("ep (endpoint)") that receive st he communication
control during a routing session establishment process for starting
a VPN in the VPN group. In the following description, the routing
apparatus in the side takes initiative to perform the communication
control to establish the routing session may be sometimes referred
toas "startpoint", andtheroutingapparatus intheside that receives
sucha communication controlmaybe sometimes referred to as "endpoint".
[0077] As fortheVPN group informationas well as the relay server
informationandthe relay groupinformation, the information is shared
among the relay servers 1, 2, and 3 included in the VPN group. In
a case where a certain relay server performs a process to change the
VPN group information, it is transmitted to the other relay servers
of the VPN group, and the VPN group information is updated. In this
manner, the VPN group information is dynamically shared. A process
for establishing the VPN group will be described later.
[0078] Theaddressfilterinformationstorageunit55storesaddress
filter information indicating a partner to which a routing apparatus
is able to transmit (transfer) a packet at a time when the routing
apparatus starts a VPN and performs routing.
[0079] FIG. 7A shows a content of the address filter information
associatedwiththeroutingapparatus. As showninFIG. 7A, theclient
terminal 11 is able to transmit (transfer) the received packet to the
processing apparatus 12. The client terminal 21 is able to transmit
the receivedpackettothe processing apparatus 22 and the processing
apparatus 23. The relay server 3 is able to transmit the received
packet to all of the apparatuses connected to the LAN 30.
[0080] As shownin FIG. 7B, the address filter information storage
unit 55 stores identification information of a routing apparatus in
association with an IP address and a name of a partner that can be
designated as a destination of the packet by the routing apparatus.
Any name, such as a name that is easily recognizable by a user, can
be set as the name of the partner that can be designatedas the destination
of the packet. For example, the name can be set in consideration of
a place where the apparatus and the LAN are arranged. Each of the
routing apparatus is configured to display the address filter
information on a display or the like. The address filter information
is exchanged between the routing apparatuses at a time of starting
the VPN.
[0081] The relay servers 1, 2, 3, and 4 are configured as described
above. The client terminals 11, 21, 31, and 41 include storage units
50 and control units 60 preferably having substantially the same
configurations as those of the relay servers 1, 2, 3, and 4, though
a detailed description of the configurations of the client terminals
11, 21, 31, and 41 is omitted.
[0082] Next, a description will be given of a process for
establishing the VPN group and performing routing of a packet in the
established VPN group.
[0083] Firstly, a flow of establishing the VPN group will be
described with reference to FIGS. 8 and 11. FIG. 8 is a flowchart
showingaprocessforestablishingtheVPNgroup. FIG. llisasequence
diagramshowinga communicationprocess f o r e s t a b l i s h i n g t h e V P N g r o u p
and a communication process for updating the address filter
information.
[0084] A user using the relay communication system 100 operates
the client terminals 11, 21, 31, and the like, and thus can display
a VPNgroup setting screen. Here, a case will be described where setting
is performed using the client terminal 11. In the setting screen
displayed on the client terminal 11, a plurality of relay groups.to
which this client terminal 11 belongs are displayed. The user selects,
from the plurality of relay groups, a relay group in which he/she desires
to establish a VPN group (S101).
COO851 After a relay group is selected, a list of identification
information of relay servers'and client terminals that belong to the
selected relay group and are able to function as routing points, is
displayed in a screen of the client terminal 11 (S102). Then, the
user selects the identification information of the relay server and
the client terminal that are to function as the routing points in the
VPN group to be established (S103). In the case described herein,
itisassumedthattheidentificationinformationoftheclientterminal
11, the client terminal 21, and the relay server 3 is selected by the
user.
[0086] Then, the routing session information is establishedbased
ontheselectedroutingpoints (S104). Theidentificationinformation
of the routing points is also establishedbased on the identification
information of the selected relay server and the like (S104).
Identification information of the VPN group, and the like, are added
to these information, and thus the VPN group information shown in FIG.
6 is established. The VPN group information storage unit 54 stores
this VPN group information (S105).
[0087] Then, the client terminal 11 transmits the VPN group
information thus established to the other routing apparatuses (the
client terminal 21 and the relay server 3) (S106), and thus provides
a notification that the VPN group is established. Here, as shown in
FIG. 11, transmissionof theVPNgroup information to the client terminal
21isperformedviathe relay server landthe relay server 2 (Sequence
Numberl: createVpnGroup). TransmissionoftheVPNgroupinformation
to the relay server 3 is performed via the relay server 1 (Sequence
Number 2: createVpnGroup).
[00881 As a result, the process for establishing the VPN group is
completed. As shown in the above, in this preferred embodiment,
communication between apparatuses may be sometimes performed via the
relay servers 1, 2, 3, 4. In this respect, in the following description,
a specific description of a communication process performed via the
relay servers 1, 2, 3, 4 is omitted, and it may be expressed as "the
client terminal 11 performs transmission to the client terminal 21",
for example.
[00891 Next, a flow of starting a VPN in the established VPN group
willbedescribedwithreferencetoFIGS. 9to12. FIG. 9isaflowchart
showingthe formerhalfofaVPNstartprocess. FIG. 10 is a flowchart
s h o w i n g t h e l a t t e r h a l f o f t h e V P N s t a r t p r o c e s s . FIG. 12isa sequence
diagram showing a communication process for establishing a routing
session and a communication process for transmitting a packet.
[0090] By operating the client terminals 11, 21, or the like, the
user is able to display the established VPN groups on the screen. Then,
by selecting an appropriate VPN group from the displayed VPN groups
(S201), theuser is abletocausetheVPNstartprocesstobeperformed.
In the description given herein, it is assumed that the user operates
the client terminal 11 and selects the VPN group formed in the
above-described manner (the VPN group in which the client terminal
11, the client terminal 21, and the relay server 3 are routing
apparatuses).
[0091] The client terminal11 firstlyreads out the address filter
information associatedwiththe client terminal1 litself (S202). In
the address filter information associated with the identification
information of the client terminal 11, as shown in FIGS. 7A and 7B,
it is described that packet can be transmitted to the processing
apparatus 12. Then, the client terminal 11 reads out the routingpoints
that belong to the selected VPN group (S203). As a result, based on
the content of the VPN group information shown in FIG. 6, the
identification information of the client terminal 21 and the relay
server 3 is read out.
[0092] Based on the relay server information, the client terminal
11 firstly determines whether or not the client terminal 21 is currently
loggingin (whether the identification information ofthe relay server
is described in "site", or the "site" is blank) (S204). The relay
server information shown in FIG. 4 indicates that the client terminal
a VPN-group start command to the client terminal 21 (Sequence Number
3: startVpn in FIG. 11). At this time, simultaneously, the client
terminal11alsotransmitstheidentificationinformation (VpnGroupID)
of the selected VPN group and the address filter information (addrOl)
associatedwiththeidentificationinformationofthe client terminal
11 to the client terminal 21.
[0093] T h i s e n a b l e s t h e c l i e n t t e r m i n a l 2 1 t o i d e n t i f y t h e V P N g r o u p
for which a start process should be performed and to obtain the latest
address filter associated with the identification information of the
clientterminalll. Theclientterminal2lnotifiestheclientterminal
11 that the client terminal 21 has received the signal, and transmits
the address filter information (addr02) associated with the client
terminal 21 itself to the client terminal 11.
[0094] Upon reception of a response of the client terminal 21 (S206),
the client terminal11 stores the received address filter information
into the address filter information storage unit 55 (S207). Also,
the client terminal 11 registers the client terminal 21 as a routing
point that has been ready for starting the VPN (S208).
[0095] Then, the clientterminallldetermineswhetherornotthere
is any other routing point (S209) . At a time point when the VPN start
process with respect to the client terminal 21 has been completed,
aVPN s t a r t process with r e s p e c t t o t h e r e l a y s e r v e r 3 is not yet performed.
Therefore, t h e c l i e n t t e r m i n a l 1 1 t h e n p e r f o r m s t h e p r o c e s s i n g o f S 2 0 4
t o S208 with r e s p e c t t o t h e r e l a y s e r v e r 3. As a r e s u l t , t h e c l i e n t
terminal 11 t r a n s m i t s t h e VPN s t a r t command and t h e address f i l t e r
information t o t h e r e l a y s e r v e r 3 (Sequence Number 5: s t a r t v p n i n FIG.
11). Then, s i m i l a r l y t o t h e case o f t h e c l i e n t t e r m i n a l 2 1 , t h e c l i e n t
terminal 11 r e c e i v e s t h e address f i l t e r information from t h e r e l a y
s e r v e r 3, and s t o r e s it.
[0096] These transmission and r e c e p t i o n of t h e VPN-group s t a r t
command and t h e address f i l t e r information a r e alsoperformedbetween
t h e c l i e n t terminal 21 and t h e r e l a y s e r v e r 3 (Sequence Number 4 ,
s t a r t v p n ) . I n t h i s m a n n e r , t h e c l i e n t t e r m i n a l l l , t h e c l i e n t terminal
21, and t h e r e l a y s e r v e r 3 can o b t a i n t h e address f i l t e r information
of t h e o t h e r r o u t i n g p o i n t s .
[0097] Thus, i n s t a r t i n g a VPN, each of t h e r o u t i n g apparatuses
is a b l e t o exchange ( o b t a i n ) t h e address f i l t e r information with t h e
o t h e r r o u t i n g a p p a r a t u s e s , and e s t a b l i s h t h e VPN by using t h e l a t e s t
address f i l t e r information. Accordingly, even i n a case where t h e
address f i l t e r information of a p o r t i o n of t h e r o u t i n g apparatuses
I has been changed b e f o r e t h e VPN is s t a r t e d , t h e VPN can be s t a r t e d
under a s t a t e where such a change is r e f l e c t e d i n a l l t h e r o u t i n g
a p p a r a t u s e s . This canprevent i n c o n s i s t e n c y i n t h e r o u t i n g o f a p a c k e t ,
and can improve t h e r e l i a b i l i t y .
[0098] Then, t h e c l i e n t t e r m i n a l 11 e x t r a c t s t h e r o u t i n g s e s s i o n
i n f o r m a t i o n s t o r e d i n t h e V P N g r o u p i n f o r m a t i o n s t o r a g e u n i t 5 4 (S210),
and determines whether or not a routing session in which the client
terminalllitself serves asa startpointisdescribedtherein (S211).
In the routing session information shown in FIG. 6, it is described
that the client terminal11 serves as a start point ina routing session
established with the client terminal 21 and the relay server 3.
[0099] Accordingly, the client terminal 11 firstly selects the
client terminal 21, and determines whether or not the client terminal
21 is a routing point that has been ready for starting the VPN (S212).
Since the client terminal 21 has been ready because of S208 mentioned
above, the client terminal 11 performs a communication control on the
clientterminal21, forestablishingarouting session (S213; Sequence
Number 6: createVpnSsn) .
[00100] Then, the client terminal 11 determines whether or not any
other routing session in which the client terminal 11 itself serves
as a start point of connection is described (S214). At a time point
when the routing session establishment process with respect to the
client terminal 21 has been completed, the routing session
I
i establishment process with respect to the relay server 3 is not yet
performed. Therefore, the client terminal 11 performs, on the relay
server 3, the same communication as the communication performed on
the client terminal 21 (Sequence Number 8: createVpnSsn) . As a result,
a routing session is established between the client terminal 11 and
the relay server 3.
[00101] As shown in FIG. 6, in the routing session information, it
is described that the client terminal 21 should be a start point of
a routing session with the relay server 3. Accordingly, the
communication control to establish the routing session is also
performed from the client terminal 21 toward the relay server 3 (Sequence
Number 7: createVpnSsn) . As a result of the above, routing sessions
canbe establishedbetween the client terminal 11 and the client terminal
21, between the client terminal11 and the relay server 3, andbetween
the client terminal 21 and the relay server 3. Then, a packet routing
control is started (S215). Each of the routing apparatuses does not
perform an initial communication control for establishing a routing
sessionunless it is describedinthe routing session information that
itself should be a start point. This can prevent collision of the
communication control, and can establish a routing session between
apparatuses via a simple control.
[00102] Next, aprocess forroutingapacketbyusingtheestablished
routing session will be described with reference to FIGS. 7A, 7B and
12. In the following, a description will be given of a process that
theclientterminalllperformswhentheclientterminal11functioning
as the routing point receives three kinds of packets, namely, a first
packet to a third packet, from the processing apparatus 12.
[00103] Firstly, a casewillbedescribedwhere a firstpacketwhose
destinationhas an IPaddress of (192.168.2.22) is received (Sequence
Number 9: packetol). The client terminal 11, after receiving this
first packet, compares the IP address of the destination against the
address filter information shownin FIGS. 7Aand7B. Then, the client
terminal 11 detects a routing point that is able to transmit a packet
to the destination indicated in the first packet.
[00104] As shownin FIGS. 7Aand7BI the I P a d d r e s s o f t h e d e s t i n a t i o n
of the first packet is included in the address filter information
I associatedwiththe identification information ofthe client terminal
21. In this case, the client terminal 11 transmits the first packet
to the client terminal 21 via the routing session established with
the client terminal 21.
[00105] The client terminal 21 having received the first packet
compares the IP address of the destination against the address filter
information in the same manner as the client terminal 11 does. Then,
the client terminal 21 detects that the client terminal 21 itself is
described as a routing point that is able to transmit a packet to the
destination of the first packet. In this case, the client terminal
21 transmits the first packet to the processing apparatus 22 that is
the destination.
[00106] Next, a case will be described where a second packet whose
destination has an IP address of (192.168.3.32) is received by the
client terminal 11 (Sequence Number 10: packet02). In the address
filter information shown in FIGS. 7A and 7B, the relay server 3 is
designated as a routing point that is able to transmit a packet to
, the destination indicated in the second packet. Accordingly, the
client terminal 11 transmits the second packet to the relay server
3 via the routing session established with the relay server 3. The
relay server 3 detects that the relay server 3 itself is described
as a routingpointthatis abletotransmitapackettothe destination
indicated in the second packet, and transmits the second packet to
the processing apparatus 32 that is the destination.
[00107] Next, a case will be described where a third packet whose
destination has an IP address of (192.168.5.51) is received by the
clientterminal11(SequenceNumber11:packet03). Theclientterminal
11comparestheIPaddressofthedestinationagainsttheaddressfilter
information, and consequently detects that no routing point that is
able to transmit a packet to the destination is described. In this
case, t h e c l i e n t t e r m i n a l 1 1 d o e s n o t t r a n s m i t t h e r e c e i v e d t h i r d p a c k e t
to anywhere.
[00108] Thus, in this preferred embodiment, routing object data is
fed through a routing session at an application layer. Therefore,
the above-described routing is different from an ordinary IP routing.
[001091 Inthismanner, routingat theapplicationlayer allows LANs
in distant places to communicate with each other by using the private
IPaddresses without regard toa WAN. Additionally, as describedabove,
the address filter information storage unit 55 can display the name
of a partner that can be designated as the destination of a packet.
This enables the user to easily recognize an apparatus to which the
packet can be transmitted by using the VPN.
[00110] Next, a communication process performed when the client
terminal (first communication apparatus) 21 having logged into the
relay communication system 100 via the relay server 2 logs out and
then login is made from the client terminal (second communication
apparatus) 41 via the relay server 4 by using the same identification
informationwillbedescribedwithreferenceto FIGS. 13 and14. Since
the client terminal 21 and the client terminal 41 are connected to
different LANs, in the following description, login is made from the
client terminal 21 and login from the client terminal 41 may be called
"normal login" and "remote login", respectively.
[00111] FIG. 13 is a sequence diagram showing a communication process
performed when remote login is made. FIG. 14 is a sequence diagram
showingacommunicationprocessperformedwhenapacketistransmitted
via the client terminal 41 that is making the remote login. In a process
which will be described below, processing equivalent to the
above-describedprocessing (the processing shown in FIGS. 11 and 12)
is not described, or may be described in a simplified manner.
[00112] The following case is assumed. Firstly, undera statewhere
thenormal login ismade fromthe clientterminal21, theuser operates
the client terminal 11 and instructs to establish a VPN group. Then,
the client terminal 11, the client terminal 21, and the relay server
3 are selected as routing points of this VPN group. In this case,
similarly to the case shown in FIG. 11, the client terminal 11 transmits,
to the client terminal 21 and the relay server 3, the VPN group
information concerning the VPN group created by the user so as to give
a notification that the VPN group is established (Sequence Numbers
21, 22: createVpnGroup in FIG. 13).
[00113] It is assumed that, after the notification that the
established VPN group is given, the client terminal 21 having made
the normal login logs off from the relay server 2 (Sequence Number
23). In this case, the relay server 2 provides a notification that
the clientterminal21logs off, tothe other communicationapparatuses
(the relay server 1, the client terminal 11, and the relay server 3)
that define the relay group (Sequence Numbers 24, 25: notify logoff) .
The communication apparatuses having received this notification
performaprocess fordeletinglogininformation ("site") oftheclient
terminal 21 which is stored in the relay server information storage
unit 52. As a result, the identification information
"relay-server-2@abc.netU of the relay server 2, which is described
in "site", is cleared. Therefore, "site" becomes blank.
[00114] Here, a case is assumedwhere the client terminal 41 connected
to the LAN 40 logs in to the relay communication system 100 by using
theidentificationinformation(CLIENT-21@relayserver2.abc.net)that
has been set to the client terminal 21 (Sequence Number 26: remotelogin) .
Apasscode corresponding tothis identification information is stored
only in the client terminal information storage unit 53 of the relay
server 2. Therefore, the relay server 4 transmits the inputted
identification information (ID) andpasscode (PWD) tothe relay server
2 (Sequence Number 26.1: remotelogin) . When the relay server 2
authenticates the identification information and the corresponding
passcode, it means that the remote login has been successfully made.
[00115] Inacasewheretheremoteloginhasbeensuccessfullymade,
the relay server 4 provides a notification that the client terminal
41 has logged in to the relay communication system 100 by using the
identification information that has been set to the client terminal
21, to the other communication apparatuses (the relay server 3, the
relay server 2, the relay server 1, and the client terminal 11) (Sequence
Numbers 27, 28, 29: notify remotelogin). The communication
apparatuses having received this notification perform a process for
writing the identification information "relay-server-4@abc.netn of
the relay server 4 into the information (the content of "site" that
is currently blank) that is contained in the belonging information
522 stored in the relay server information storage unit 52 and that
indicates the login destination relay server corresponding to this
identification information.
[00116] After the remote login is made, the user sets the address
filter information in the clientterminal41. It is assumedthatsuch
setting ismade that allow sthe c l i e n t t e r m i n a l 4 1 t o t r a n s m i t a p a c k e t
to the processing apparatus 42, as shown in FIGS. 15A and 15B. The
identification information used forthe client terminal 41to perform
the remote login is the same as the identification information used
forthe c l i e n t t e r m i n a l 2 1 t o p e r f o r m t h e normal login. Accordingly,
the identification information ("client-21grelay-server2.abc.net")
that has been set to the client terminal 21 is described as the
identification informationofthe routingapparatus which is included
in the content (the content shown in FIGS. 15A and 15B) stored in the
address filter information storage unit.
[00117] Next, a flow of starting the VPN after the above-described
remote login is made will be brieflydescribed. When the user instructs
the client terminal 11 to start theVPN, the client terminal 11 transmits
1 the address filter information associated with the client terminal
1 11 itself and the VPN-group start command to the client terminal 41
(Sequence Number 30: startvpn) . The client terminal 41 having received
this notification sends back to the client terminal 11, the address
filter information associated with the client terminal 41 itself
together with an acknowledgement of the start command. The
above-described processing is also performed between the client
terminal 11 and the relay server 3 (Sequence Number 32: startvpn).
[00118] The client terminal 41 also transmits the address filter
information associated with the client terminal 41 itself and the
VPN-group start command to the relay server 3 (Sequence Number 31:
startvpn). T h e r e l a y s e r v e r 3 h a v i n g r e c e i v e d t h i s n o t i f i c a t i o n s e n d s
back to the client terminal 41, the address filter information
associated with the relay server 3 itself together with an
acknowledgement of the start command.
[00119] In this manner, the client terminal 11 and the relay server
3 perform, on t h e c l i e n t terminal 4 1 , t h e same process a s t h e process
performed on t h e c l i e n t terminal 21 i n t h e case shown i n FIGS. 11 and
12. On the o t h e r hand, t h e c l i e n t t e r m i n a l 4 1 performs, v i a t h e r e l a y
s e r v e r 4 , thesameprocessastheprocessperformedviatherelayserver
2 i n t h e c a s e s h o w n i n F I G S . 1 1 a n d 1 2 . A s a r e s u l t , t h e c l i e n t terminal
11 and t h e r e l a y s e r v e r 3 a r e a b l e t o o b t a i n t h e address f i l t e r
information newly set t o t h e c l i e n t terminal 4 1 .
[00120] In t h e same manner a s when t h e VPN is s t a r t e d i n the normal
l o g i n , a r o u t i n g s e s s i o n is e s t a b l i s h e d (Sequence Numbers 33, 34, 35:
c r e a t e v p n s s n ) . I n e s t a b l i s h i n g a r o u t i n g s e s s i o n between the c l i e n t
terminal 4 1 having performed t h e remote l o g i n and each of t h e r o u t i n g
p o i n t s ( t h e c l i e n t t e r m i n a l 11 and t h e r e l a y s e r v e r 3) t h a t have been
c o n n e c t i o n p a r t n e r s o f t h e c l i e n t t e r m i n a l 2 1 d u r i n g t h e n o r m a l l o g i n ,
communicationbetweentheapparatusesisperformedviatherelayserver
4 of t h e LAN 40 t o which t h e c l i e n t t e r m i n a l 4 1 having performed t h e
remote l o g i n is connected (Sequence Numbers 33, 3 4 ) . Then, a packet
r o u t i n g c o n t r o l f o r t h e VPN is s t a r t e d .
[00121] Here, a casewillbedescribedwhere, i n t h e V P N e s t a b l i s h e d
i n t h i s manner, t h e c l i e n t terminal 11 r e c e i v e s a f o u r t h packet whose
d e s t i n a t i o n has an IP address of (192.168.4.42) from t h e processing
apparatus 12 (Sequence Number 36: packet04) . In t h i s case, a s shown
i n FIGS. 15A and 15B, t h e c l i e n t t e r m i n a l 4 1 ( t h e i d e n t i f i c a t i o n
information t h a t has been set t o t h e c l i e n t t e r m i n a l 2 1 ) is designated
a s a r o u t i n g p o i n t t h a t is a b l e t o t r a n s m i t a packet t o t h e d e s t i n a t i o n
indicated in the fourth packet. Accordingly, the client terminal 11
transmits the fourth packet to the client terminal 41 via the routing
session established with the client terminal 41. Then, the client
terminal 41 detects that the client terminal 41 itself is described
as a routingpoint that is able to transmit a packet tothe destination
indicated in the fourth packet, and transmits the fourth packet to
the processing apparatus 42 that is the destination.
[00122] As thus far described, in this preferred embodiment, even
when the remote login is perform, a new VPN can be easily established
by making effective use of the VPN group information that has been
established at a time of the normal login.
[00123] Next, with reference to FIGS. 16, 17A and 17B, a case will
be described where, under a state where the VPN is started in the VPN
group in which the client terminal 11, the client terminal 21, and
the relay server 3 serve as the routing points, the address filter
information associated with the relay server 3 is changed after the
VPNis started. FIG. 16is a sequencediagramshowinga communication
processperformedwhenthe address filter information is changedafter
the VPN is started. FIGS. 17A and 17B are diagrams showing content
storedintheaddress filter informationstorageunit aftertheaddress
filter information associated with the relay server 3 is updated.
[00124] The user operates, for example, the client terminal 31
connectedtothe relay server 3, andthus canchange the address filter
information associated with the relay server 3. In the following,
a descriptionwill be given of a communication process performedwhen
apartnerthatthe relay server 3 candesignate as apacketdestination
is changed from "all of the apparatuses connected to the LAN 30" into
"the processing apparatus 33", as shown in FIGS. 17A and 17B.
[00125] In a case where the address filter information associated
1
I with the relay server 3 is changed, the relay server 3 provides a
I
notification thereof to the client terminal 11 (Sequence Number 41:
updateFilter). This notification of change of the address filter
information (anda n o t i f i c a t i o n i n d i c a t e d b y s e q u e n c e Number 42 which
will be described later) is performed through a route different from
the routing session. In FIG. 16, the address filter information
! associated with the relay server 3 before being changed is indicated
I
I ! by "addr03", and the address filter information associated with the
relay server 3 after being changed is indicated by "addr05". The client
terminal 11 receives the notification of the change of the address
filter information, and then updates the address filter information
associated with the relay server 3 into the changed version.
[00126] The relay server 3 also provides the notification that the
address filter information associated with the relay server 3 itself
is changed to the client terminal 21, too (Sequence Number 42:
updateFilter) . The client terminal 21 as well as the client terminal
11 updates the address filter information associated with the relay
s e r v e r 3 i n t o t h e c h a n g e d v e r s i o n . Here, a controlbywhichthe client
terminal 11 and the client terminal 21 update the address filter
information is performed without stopping the VPN.
[00127] Here, a case will be described where, under this state, the
client terminal 11 receives a fifth packet whose destination has an
IPaddressof (192.168.3.33) fromtheprocessingapparatus12 (Sequence
Number 43: packet05). This routing control is alsoperformedwithout
stopping the VPN. The destination indicated in the fifth packet is
the processing apparatus 33. The relay server 3 is designated as a
routing point that is able to transmit a packet to the processing
apparatus 33. Accordingly, in the samemanner as the above-described
routing, the fifth packet is transmitted from the client terminal 11
1
I
tothe relayserver3. Then, the relay server 3detectsthatthe relay
server 3 i t s e l f i s d e s c r i b e d a s a r o u t i n g p o i n t t h a t i s able to transmit
a packet to the destination indicated in the fifth packet, and transmits
t h e f i f t h p a c k e t t o t h e p r o c e s s i n g a p p a r a t u s 3 3 t h a t i s t h e d e s t i n a t i o n .
[00128] Next, a case will be described where the client terminal
11 receives a sixth packet whose destination has an IP address of
(192.168.3.32) fromthe processing apparatus 12 (Sequence Number 44:
packet06) . In this case, the client terminal 11 compares the IPaddress
of the destination against the address filter information, and
consequently detects that no routing point that is able to transmit
a packet to the destination is described. In this case, the client
terminal 11 does not transmit the received-sixth packet to anywhere.
[00129] As described above, since the address filter information
is notified and updated, the change of the address filter information
and routing based on the changed address filter information can be
performed without stopping the VPN.
[00130] Next, a communication process performed when the
communication apparatus stops functioning as a VPN entity after the
VPN is started will be described with reference to FIGS. 18 and 19.
FIGS. 18 and 19 are flowcharts showing a process performed when a
notification of stop of the communication apparatus is received.
[00131] Acase where functioning as the VPN entity is stopped includes
various situations conceivable. For example, a situation where the
apparatusleavestheVPNgroup, a situationwhere theapparatus leaves
the relay group, anda situation where the apparatus losesthe ability
to communicate with other apparatuses due to a network failure or the
like, are conceivable. In the following, a process performed when
the client terminal 11 receives the notification will be described
as a representative.
[00132] The client terminal11 determines whether the notification
received from another apparatus is a notification of stopping of the
relay server, a notification of stopping of the client terminal, or
other notifications (S301, S302). In a case where the notification
isthenotificationofstoppingoftherelayserver,theclientterminal
1 1 r e f e r s t o t h e r e l a y s e r v e r i n f o r m a t i o n s t o r e d i n t h e c l i e n t t e r m i n a l
llitself, to thus extracta client terminal that belongs tothis relay
server (S303). Then, the client terminal 11 stores this relay server
and this clientterminalinalistofapparatusestobe stopped (S304).
[00133] In a case where the notification is the notification of
stopping of the client terminal, the client terminal 11 stores this
client terminal in the list of apparatuses to be stopped (S304). In
a case where the notification is neither the notification of stopping
of the relay server nor the notification of stopping of the client
terminal, the client terminal 11 performs processing corresponding
to a content of the notification as appropriate (S305).
[00134] After the list of apparatuses tobe stoppedis made in S304,
the c l i e n t t e r m i n a l l l d e t e r m i n e s whether or not there is anyVPNgroup
in which the VPN is started and processing of S307 to S315 which will
be described later is not completed (S306). In a case where such a
VPN group does not exist, this series of processing is terminated.
[00135] In a case where a VPN group that satisfies the conditions
exists, the client terminal 11 reads out one apparatus described in
the list made in S304 (S307). Then, the client terminal lldetermines
whether or not the read-out apparatus (apparatus to be stopped) is
functioning as a routing point in the VPN that is currently executed
(S308) .
[00136] In a case where the read-out apparatus is functioning as
a routing point, the client terminal 11 determines whether or not two
or more effective routing points remain even if this routing point
actuallystops (S309). Inacasewherethenumberofremainingrouting
points is one or less, there is no significance in continuing the VPN,
and therefore the client terminal 11 performs a VPN stop process (S310) .
Then, the clientterminalllprovides a n o t i f i c a t i o n t o t h e u s e r (S311)
by, forexample, d i s p l a y i n g o n a d i s p l a y t h e i d e n t i f i c a t i o n i n f o r m a t i o n
of the one r o u t i n g apparatus t h a t has been determined a s an e f f e c t i v e
r o u t i n g p o i n t i n S309 and t h e name of a p a r t n e r t h a t t h i s r o u t i n g
apparatus c o u l d d e s i g n a t e a s a p a c k e t d e s t i n a t i o n . Then, t h e process
r e t u r n s t o S306.
[00137] Inacasewheretwoormoreeffective r o u t i n g p o i n t s remain,
the c l i e n t t e r m i n a l 11 determines whether o r not t h e r e is any r o u t i n g
s e s s i o n i n c l u d i n g t h e c l i e n t t e r m i n a l 1 l i t s e l f and t h e r o u t i n g p o i n t
t o be stopped, based on t h e VPN group information (S312). In a case
where such 'a r o u t i n g s e s s i o n e x i s t s , t h e c l i e n t terminal 11 s t o p s t h i s
r o u t i n g s e s s i o n (S313). Then, t h e c l i e n t terminal 11 d e l e t e s t h e
address f i l t e r information a s s o c i a t e d w i t h t h e stopped r o u t i n g p o i n t .
[00138] Through t h e above-described processing of S307 t o S313, a
p r o c e s s w i t h r e s p e c t t o t h e one apparatus t o be stopped is completed.
In a case where it is determined i n S308 t h a t t h e apparatus does not
f u n c t i o n a s a r o u t i n g p o i n t , t h e p r o c e s s i n g o f S309toS313 is skipped.
[00139] Then, whether o r not t h e r e is a non-processed apparatus i n
t h e apparatuses d e s c r i b e d i n t h e list is examined (S314) . In a case
where t h e r e is any r e m a i n i n g a p p a r a t u s , t h e processing of S307 t o S313
is performed with r e s p e c t t o each of such a p p a r a t u s e s . As a r e s u l t ,
t h e apparatuses d e s c r i b e d i n t h e l i s t can be examined one by one, and
i n a c a s e w h e r e t h e a p p a r a t u s f u n c t i o n s a s a r o u t i n g p o i n t , t h e p r o c e s s
f o r stopping t h e r o u t i n g s e s s i o n , o r t h e l i k e , can be performed.
[00140] After the process is completed for all the apparatuses in
the list with respect tothe VPN group, the client terminal llprovides
a notification thereof to the user by, for example, displaying on the
display the identification information of the routing apparatus
functioning as a routing point and the name of a partner that this
routingapparatuscoulddesignateasapacketdestination (S315). Then,
the client terminal 11 returns to S306, and examines whether or not
there is a non-processed VPN group among the VPN groups in which the
VPNs are started. Inacasewhereanynon-processedVPNgroupexists,
the processing of S307 to S315 are performed with respect to this VPN
group. As a result, when there are a plurality of VPN groups in which
VPNs are started, the process concerning the stop of the apparatus
can be appropriately performed with respect to each of the plurality
of VPN groups.
[00141] Next, a case will be considered where the relay server 3
leaves the VPN under a state where the VPN is started in the VPN group
in which the client terminal 11, the client terminal 21, and the relay
server 3 serve as the routing points. How the client terminal 11
operates based on the above-described flow in such a case will be
specifically described. FIG. 20 is a sequence diagram showing a
communication process performed when the relay server 3 leaves the
VPN .
[00142] The relay server 3 provides a notification that the relay
server 3 leaves the VPN group, to the other apparatuses (the client
terminal 11, the relay server 1, the client terminal 21, and the relay
server 2) (Sequence Numbers 51, 52: exitVpn in F I G . 20). Here, in
the apparatuses that receive the notification, the same process is
performed with some exception. Therefore, in the following, only the
process relating mainly to the client terminal 11 will be described.
[00143] The client terminal 11 receives the notification from the
relay server 3, and then determines whether or not this notification
is the notification of stopping of the relay server (S301 in F I G . 19)'.
Here, it is determined that the receivednotification is the one relating
tothe stopping ofthe relay server 3. Therefore, the client terminal
11 refers to the relay server information of the client terminal 11
itself (S303).
[00144] The relay server information shown in F I G . 4 indicates the
c l i e n t t e r m i n a l 3 1 a s a c l i e n t t e r m i n a l t h a t b e l o n g s t o t h e r e l a y s e r v e r
3 to be stopped. When the relay server 3 stops its relay function,
comrnunicationnotonlywiththe relay server 3butalsowiththe client
terminal 31 belonging thereto is disabled. Accordingly, the client
terminal 11 stores the relay server 3 and the client terminal 31 in
the list of apparatuses to be stopped (S304). They may be described
in the list in any order, but in the description herein, the relay
server 3 and the client terminal 31 are described in this order in
the list of apparatuses.
[00145] Then, the client terminal 11 proceeds to the determination
of S306, and examines a VPN group in which the VPN is started. As
a result, it is determined that there is a VPN group (here, the VPN
group in which the client terminal 11, the client terminal 21, and
the relay server 3 serve as the routing points) in which the VPN is
started. Accordingly, the client terminal 11 reads out, one by one,
the apparatuses described in the list of apparatuses to be stopped
which has been made in S304 (S307).
[00146] Since the relay server 3 and the client terminal 31 are
described in this order in the list, the relay server 3 is firstly
readout. I n t h e d e t e r m i n a t i o n o f S 3 0 8 , t h e c l i e n t t e r m i n a l l l r e f e r s
to the VPN group information shown in FIG. 6 and detects that this
relay server 3 is a routing point.
[00147] Then, t h e c l i e n t t e r m i n a l 1 1 d e t e r m i n e s w h e t h e r o r n o t t h e r e
will be two or more effective routing points after the relay server
3 stops (S309). In the above-described case, even though the relay
server 3 stops, two routing points (that is, the client terminal 11
andtheclientterminal21) remain. Therefore, theVPNisnotstopped,
and the process proceeds to S312.
[00148] Then, the client terminal 11 makes the determination of S312.
Here, the VPN group information shown in FIG. 6 indicates that there
is a routing session including the client terminal 11 itself and the
relay server 3. Accordingly, the client terminal 11 stops the
corresponding routing session (S313; SequenceNumber 51: closeVpnSsn
in FIG. 20).
[00149] Then, the client terminal 11 proceeds to the determination
of S314. Since there is a non-processed apparatus (client terminal
31) in the list of apparatuses to be stopped, the process returns to
S307. In the processing of S307, the client terminal 31 is read out
from the list. Since this client terminal 31 does not function as
aroutingpoint (S308), theprocessingofS309toS313isnotperformed.
The client terminal 11 proceeds to the determination of S314, and it
is determined that there is no longer a non-processed apparatus in
the list. Then, the client terminal 11 provides a notification to
the user by, for example, displaying on the display the routing
apparatuses (the client terminal 11 and the client terminal 21)
functioningasroutingpointsandthenamesofpartners (theprocessing
apparatus12,theprocessingapparatus22, andtheprocessingapparatus
23) that this routingapparatus coulddesignateasapacketdestination
(S315). Then, the process returns to S306. Since a non-processed
VPN group no longer remains, the process is terminated.
[00150] The apparatuses other than the client terminal 11 also
receive the notification from the relay server 3, and perform the same
process as described above. Accordingly, the routing session
established between the client terminal 21 and the relay server 3 is
stopped (Sequence Number 52: closeVpnSsn in FIG. 20). Each of the
routing apparatuses deletes the address filter information associated
withthestoppedroutingpoint. Theaddress filterinformationdeleted
at this time is processed such that the user can no longer refer to
this address filter information.
[00151] Performing the process in the above-described manner can
reduce the number of routing points without performing such a
complicated process that the VPN is once stopped and then started again.
[00152] A case will be described where, after the above-described
process, the client terminal 21 receives a seventh packet whose
destination has an IP address of (192.168.3.31) from the processing
apparatus 22 (Sequence Number 53: packet07). The client terminal 21
compares the IP address ofthe destination against the address filter
information. Since the address filter information associated with
the relay server 3 has been deleted as a result of the above-described
process, the client terminal 21 determines that no routing point that
is able to transmit apacket to the destination is described. Therefore,
the client terminal 21 does not transmit the received seventh packet
to anywhere.
[00153] Next, with reference to FIGS. 18, 19, and 21, a case will
bedescribedwhere, aftertherelayserver3leavestheVPNasdescribed
above, the relay server 2 also logs out from the relay group. FIG.
21 is a sequence diagram showing a communication process performed
when the relay server 2 stops.
[00154] Beforebreakingtheconnection, the relayserver2provides
anotification that the relay server 2 will stop, to the other apparatuses
(the relay server 1, the client terminal 11, the client terminal 21,
and the relay server 3) (Sequence Numbers 54, 55, 56:
notifyServerLogout). The other apparatuses receive this stop, and
perform the same process as described above.
[00155] In the description herein, the relay server 2 is stopped.
Therefore, t h e c l i e n t t e r m i n a l 2 l b e l o n g i n g t o t h e relayserver2loses
the function as a routing point. Accordingly, since the relay server
3 has been already stopped, only one effective routing point, namely,
only the client terminal 11, remains. Thus, there is no significance
as the VPN. Hence, the apparatus having received the notification
fromthe relay server 2makesthedeterminationof S309 andas a result
proceeds to S310, in which a VPN termination process is performed.
Additionally, the client terminal 11 provides a notification to the
user by, for example, displaying on the display the routing apparatus
(client terminal 11) functioning as an effective routing point and
the name of a partner (processing apparatus 12) that this routing
apparatus could designate as a packet destination (S311). In the
following, a case where this VPN termination process is performed by
the client terminal 21 will be described with reference to FIG. 21.
[00156] The client terminal 21 transmits, to the client terminal
11 and the relay server 3, the identification information of the VPN
group and a notification that the VPN is terminated (Sequence Numbers
57, 58: stop~pn.) Based on the identification information of the VPN
group received from the client terminal 21, the client terminal 11
and the relay server 3 can recognize which VPN group is terminated.
[00157] The client terminal 21 receives a signal indicating an
a c k n o w l e d g e m e n t o f t h e t e r m i n a t i o n o f t h e V P N fromthe client terminal
11 and the relay server 3, and then transmits a routing-session
termination command to the client terminal 11 (Sequence Number 59:
closeVpnSsn).
[00158] In the above-described manner, the routing session
established between the client terminal 11 and the client terminal
21 can be terminated. Thus, the VPN in the VPN group is terminated.
[00159] As illustrated above, the relay server 3 of this preferred
embodiment preferably includes the relay group information storage
unit 51, the relay server information storage unit 52, the VPN group
information storage unit 54, the address filter information storage
unit 55, and the communication control unit 63. The relay group
information storageunit 51stores relay group informationconcerning
a relay group including another relay server (relay servers 1, 2, 4)
that is mutually connectable with itself (relay server 3). The relay
server information storage unit 52 stores relay server information
including relay server start-up information, client terminal start-up
information, andclientterminalregistrationinformation. Therelay
server start-up information concerns the relay server belonging to
the relay group. The client terminal start-up information and the
client terminal registration information concern a client terminal
that is connected to the relay server belonging to the relay group.
The VPN group information storage unit 54 relates to a VPN group
configured to perform communication in a VPN via communication
apparatuses that are set as routing points among the communication
apparatuses included i n t h e r e l a y communication system 100. The VPN
g r o u p i n f o r m a t i o n s t o r a g e u n i t 5 4 s t o r e s t h e r o u t i n g p o i n t information
542 and the r o u t i n g s e s s i o n information 543. The r o u t i n g p o i n t
information 542 i n c l u d e s i d e n t i f i c a t i o n information of t h e r o u t i n g
apparatusesthatformtheVPNgroup. The r o u t i n g s e s s i o n information
543 includes information o f t h e r o u t i n g a p p a r a t u s e s t h a t a r e connected
t o o n e a n o t h e r . Theaddress f i l t e r i n f o r m a t i o n s t o r a g e u n i t 5 5 s t o r e s
the address f i l t e r information i n d i c a t i n g a p a r t n e r t h a t t h e r o u t i n g
apparatus is a b l e t o d e s i g n a t e a s a p a c k e t d e s t i n a t i o n , i n a s s o c i a t i o n
with i d e n t i f i c a t i o n information of t h e r o u t i n g a p p a r a t u s . The
communication c o n t r o l u n i t 63 is programmed t o perform c o n t r o l t o :
cause information s t o r e d i n t h e VPN group information s t o r a g e u n i t
54 t o b e s h a r e d among t h e r o u t i n g apparatuses; when a VPN is s t a r t e d
i n t h e VPN group, t r a n s m i t t h e address f i l t e r information t o t h e o t h e r
r o u t i n g apparatuses and r e c e i v e t h e address f i l t e r information from
t h e o t h e r r o u t i n g a p p a r a t u s e s , andupdate a content s t o r e d i n t h e address
f i l t e r information s t o r a g e u n i t 55 based on t h e address f i l t e r
information, a n d e s t a b l i s h a r o u t i n g s e s s i o n f o r r o u t i n g a p a c k e t b a s e d
o n t h e routingsessioninformation s t o r e d i n t h e V P N g r o u p i n f o r m a t i o n
s t o r a g e u n i t 54; and, a f t e r t h e r o u t i n g s e s s i o n is e s t a b l i s h e d , r e f e r
t o a p a r t n e r t h a t t h e r o u t i n g apparatus is a b l e t o d e s i g n a t e a s a
d e s t i n a t i o n based on t h e address f i l t e r information, and perform
r o u t i n g based on a content thus r e f e r r e d t o .
[00160] This enables t h e r e l a y s e r v e r 3 t o e s t a b l i s h a VPN with t h e
client terminal 11 and the client terminal 21 that are selected from
theothercommunicationapparatusesincludedintherelaycommunication
system, and to share a file, for example. Additionally, when a VPN
is started in the VPN group, the relay server 3 obtains the address
filter information fromthe client terminal1 land the client terminal
21. Accordingly, for example, even in a case where the address filter
information in the client terminal 11 is changed from that of the
previously- establishedVPN, itispossibleto flexiblydealwith such
a change in a status and establish a VPN.
[00161] Moreover, in this preferred embodiment, in a case where,
afteraVPNis startedintheVPNgroup, theaddress filter information
associated with the identification information of the relay server
1, 2, 3, 4 itself is updated, the communication control unit 63 of
the relay server 1, 2, 3, 4 is able to perform a control for providing
a notification of a content of the updating.
[00162] Accordingly, after a VPN is started in the VPN group, the
relay server 3 or the like is able to provide a notification that the
address filter information associatedwith the relay server 3 is updated,
toanotherroutingapparatusorthelike. Thisenablesanotherrouting
apparatus to take appropriate measures in accordance with a change
of the address filter information.
[00163] F u r t h e r m o r e , i n t h i s p r e f e r r e d e m b o d i m e n t , i n a c a s e w h e r e ,
after a VPN is started in the VPN group, it is detected that a certain
routing apparatus does not function as an entity of the VPN group,
the communication control unit 63 of the relay server 1, 2, 3, 4 is
able to perform a control to stop a routing session established with
the certain routing apparatus, without stopping the virtual private
network.
[00164] Accordingly, for example, in a case where it is detected
that the relay server 3 does not function as an entity ofthe VPNgroup
d u e t o a c o n n e c t i o n f a i l u r e , m a i n t e n a n c e , orthelike, theotherrouting
apparatusescanstoproutingsessionsestablishedwiththerelayserver
3, while maintaining the VPN. This makes it possible to establish
a VPN capable of flexibly dealing with a change in a status.
[00165] While preferred embodiments of the present invention have
beendescribedabove,theabove-describedconfigurationscanbechanged,
for example, as follows.
[00166] Aformat inwhich the above-describedrelaygroup information,
relay server information, client terminal information, VPN group
information, address filter information, and the like, are stored is
not limited to XML format. These kinds of information can be stored
in any appropriate format.
[00167] Instead of the configuration of the above-described
preferred embodiments, a configuration is also acceptable in which
an external server used for communication between relay servers is
placedontheinternetandcausedtoexerta functionasanSIP (Session
Initiation Protocol) server so as to perform communication.
[00168] While preferred embodiments of the present invention have
been described above, it is to be understood that variations and
modifications will be apparent to those skilled in the art without
departing fromthe scope and spirit ofthe present invention. The scope
of the present invention, therefore, is to be determined solely by
the following claims.

WHAT IS CLAIMED IS:
1. A relay server comprising:
a relay group information storage unit that stores relay group
information concerning a relay group including another relay server
that is mutually connectable with the relay server;
arelayserverinformationstorageunitthatstoresrelayserver
information including relay server start-up information, client
terminal start-up information, and client terminal registration
information,therelayserverstart-upinformationconcerningtherelay
server belonging to the relay group, the client terminal start-up
information and the client terminal registration information
concerning a client terminal that is connected to the relay server
belonging to the relay group;
aVPNgroupinformation s t o r a g e u n i t t h a t r e l a t e s t o a V P N g r o u p
includingroutingapparatusesthatarecommunicationapparatusesbeing
set as routing points among communication apparatuses included in a
relay communication systembased on the relay group information and
therelay server information, theVPNgroupbeingconfiguredtoperform
communicationinavirtualprivatenetworkviatheroutingapparatuses,
the VPN group information storage unit storing identification
information of the routing apparatuses included in the VPN group and
connection information indicating the routing apparatuses that are
connected to one another to establish a routing session;
an address filter information storage unit that stores address
filter information indicating a partner that the routing apparatus
is able to designate as a packet destination, in association with
identification information of the routing apparatus; and
acommunicationcontrolunitarrangedandprogrammedtoperform
control to:
cause information storedin the VPN group information storage
unit to be shared among the routing apparatuses;
when a virtual private network is started in the VPN group,
transmit the address filter information to the other routing
apparatuses and receive the address filter information fromthe other
routing apparatuses, andupdate a content storedinthe address filter
information storage unit based on the address filter information, and
57
establish a routing session for routing a packet based on the connection
information stored in the VPN group information storage unit; and
after the routing session is established, refer to a partner
that the routing apparatus is able to designate as a destinationbased
on the address filter information, andperformroutingbasedon a content
thus referred to.
2. The relay server according to claim 1, wherein the VPN group
information storage unit stores, as the connection information,
identification information of the routing apparatus that takes
initiative to perform a communication control to establish a routing
session and identification information of the routing apparatus that
receives the communication control.
3. The relay server according to claim 1, wherein
inacasewhereadestinationofa receivedpacketisdesignated
in the address filter information associated with identification
information oftherelay server itself, the communication control unit
is programmed to transmit the packet to the destination;
inacasewhereadestinationofa receivedpacketisdesignated
in the address filter information associated with identification
information ofthe routing apparatus different fromthe relay server
itself, the communication control unit is programmed to transmit the
packet to the routing apparatus via a routing session established
between the relay server itself and the routing apparatus;
in a case where a destination of a received packet is not
designated in the address filter information associated with
identification information of the routing apparatuses, the
communication control unit is programmed not to transmit the packet.
4. The relay server according to claim 1, wherein
in a case where a state is switched from a first state in which
afirstcommunicationapparatusthatistheroutingapparatusconnected
toawide area communicationnetworkvia another relay server defines
a VPN group into a second state in which a second communication apparatus
that is connectedto the wide area communication networkvia the relay
server itself defines a VPN group; and
5 8
when the first communication apparatus in the first state and
the second communication apparatus in the second state have the same
identification information;
in starting a virtual private network under the second state,
the communication control unit is programmed to perform a control to
establish a routing sessionbetween a connection partner of the first
comunicationapparatusinthefirststateandthesecondcommunication
apparatus via the relay server itself.
5. The relay server according to claim 1, wherein the address
filter information storage unit is configured to store a name of a
partner that the routing apparatus is able to designate as a packet
destination.
6. The relay server according to claim 1, wherein in a case
where, after a virtual private network is started in the VPN group,
the address filter information associated with identification
information of the relay server itself is updated, the communication
control unit isprogrammedtoperforma control toprovideanotification
of a content of the updating.
7. The relay server according to claim 6, wherein
in a case where, after a virtual private network is started
in the VPN group, a notification that the address filter information
is updated is received, the communication control unit is programmed
toperform, without stopping the virtual private network, control to:
updateacontentstoredintheaddressfilterinformationstorage
unit based on the content of the updating; and
refer toapartner that the routing apparatus is able todesignate
as a destination based on an updated version of the address filter
information, and perform routing based on a content thus referred to.
8. The relay server according to claim 1, wherein in a case
where, after a virtual private network is started in the VPN group,
it is detected that a certain routing apparatus does not function as
anentityoftheVPNgroup,thecommunicationcontrolunitisprogramed
to perform a control to stop a routing session established with the
59
certain routing apparatus, without stopping the virtual private
network.
9. The relay server according to claim 8, wherein
therelayserverinformationstorageunitstoresidentification
information of a second relay server that is a relay server different
from the relay server itself, in association with identification
information of a client terminal that is connected to a wide area
communication network via the second relay server;
in a case where it is detected that communication of the second
relay server stops, the communication control unit is programmed to
determine whether or not there is a client terminal functioning as
a routing point among client terminals connected to the wide area
communication network via the second relay server, based on contents
stored in the VPN group information storage unit and the relay server
information storage unit;
in a case where there is any client terminal functioning as
a routing point, the communication control unit is programmed to perform
a control tostopa routingsessionestablishedwiththe client terminal.
10. The relay server according to claim 8, wherein
in a case where it is detected that a certain routing apparatus
does not function as an entity of the VPN group; and
when, as a result of the certain routing apparatus not
functioning as an entity of the VPN group, the number of routing
apparatuses functioning as entities of the VPN group becomes one;
thecommunicationcontrolunitisprogrammedtoperformacontrol
to stop the VPN group.
11. A relay communication system comprising:
a plurality of relay servers; and
client terminals that are connectable with each other via the
relay servers; wherein
each of the plurality of relay servers includes:
a relay group information storageunit that stores relay
group information concerning a relay group including another relay
server that is mutually connectable with the relay server;
60
a relay server information storage unit that stores relay
serverinformationincludingrelayserverstart-upinformation, client
terminal start-up information, and client terminal registration
information,therelayserverstart-upinformationconcerningtherelay
server belonging to the relay group, the client terminal start-up
information and the client terminal registration information
concerning the client terminal;
a VPN group information storage unit that relates to
a V P N g r o u p i n c l u d i n g r o u t i n g a p p a r a t u s e s t h a t a r e s e t a s r o u t i n g p o i n t s
among the relay servers and the client terminals, the VPN group being
configuredto perform communication in a virtual private network via
theroutingapparatuses,theVPNgroupinformationstorageunitstoring
identification information ofthe routing apparatusesincludedinthe
VPNgroupandconnectioninformationindicatingtheroutingapparatuses
that are connected to one another;
an address filter information storage unit that stores
address filter information indicating a partner that the routing
apparatus is able todesignate as apacketdestination, in association
with identification information of the routing apparatus; and
a communication control unit that is programmed to
perform control to:
cause information stored in the VPN group
information storage unit to be shared among the routing apparatuses;
when a virtual private network is started in the
VPNgroup, transmit theaddress filter informationtothe other routing
apparatuses and receive the address filter information fromthe other
routingapparatuses, andupdatea content storedintheaddress filter
information storage unit based on the address filter information, and
establish a routing session that enables a packet to be routed based
on the connection information stored in the VPN group information
storage unit; and
after the routing session is established, refer
to a partner that the routing apparatus is able to designate as a
destination based on the address filter information, and perform
routing based on a content thus referred to.
12. The relay communication systemaccording to claim 11, wherein
61
in a case where, after a virtual private network is started in the
VPN group, the address filter information associated with
identification informationofthe relay server itself is updated, the
communicationcontrolunitoftherelayserverisprogrammedtoperform
a control to provide a notification of a content of the updating.
13. The relay communication systemaccording to claimll, wherein
in a case where, after a virtual private network is started in the
VPN group, it is detected that a certain routing apparatus does not
functionas anentityoftheVPNgroup, thecommunicationcontrol unit
of the relay server is programmed to perform a control to stop a routing
session established with the certain routing apparatus, without
stopping the virtual private network.