内部ネットワーク上のホストを外部から識別するためのMACアドレス中継型NATルータ  [in Japanese] A MAC-address Relaying NAT Router for Host Identification from Outside of Internal Network  [in Japanese]

Access this Article

Search this Article

Abstract

IPv4アドレスの枯渇問題の軽減策の1つとして,NAT(Network Address Translation)がある.NATは複数の内部ホストが1つのグローバルIPアドレスを共用できるため,必要なグローバルIPアドレスの数を節約できる.しかし,外部ネットワーク側では個々の内部ホストを識別できないため,たとえば外部ネットワーク側でアクセス制御を行うと,1台の内部ホストが外部ネットワークに対するアクセス許可を受けただけで他の内部ホストまで外部ネットワークにアクセス可能な状態になるなどの問題が生じる.そこで,本論文ではデータリンク層での送信元識別子である送信元MACアドレスが基本的にはレイヤ2機器のMACアドレス学習機能にしか使われていない点に着目し,内部ホストから送信されたフレームに含まれる送信元MACアドレスをそのまま外部ネットワーク側に中継する機能を持つNATルータを提案する.本提案に基づいて試作したNATルータを評価した結果,MACアドレスに基づいて内部ホストを個別にアクセス制御でき,また十分なスループットが得られることを確認した.As an alleviation method against IPv4 address exhaustion problem, NAT (Network Address Translation) has been commonly used. Since NAT allows many internal hosts to share one single global IP address, it can save the number of required global IP addresses. However, with NAT, each internal host cannot be identified from the external network. Consequently, if access control system on external network would permit network access from one internal host, it automatically would permit all network access from any other internal hosts as well, for example. In this paper, we propose a NAT router with MAC address relaying function that copies the source MAC address of receiving frames sent by internal hosts into frames sent to the external network since source MAC addresses, which are the sender identifiers in data link layer, are basically unused except for MAC address learning function of layer 2 switches. According to the results of experiments, we confirmed that the prototype NAT router with MAC address relaying function allows access to external networks by internal hosts to be controlled individually based on MAC address and obtains high throughput as well.

As an alleviation method against IPv4 address exhaustion problem, NAT (Network Address Translation) has been commonly used. Since NAT allows many internal hosts to share one single global IP address, it can save the number of required global IP addresses. However, with NAT, each internal host cannot be identified from the external network. Consequently, if access control system on external network would permit network access from one internal host, it automatically would permit all network access from any other internal hosts as well, for example. In this paper, we propose a NAT router with MAC address relaying function that copies the source MAC address of receiving frames sent by internal hosts into frames sent to the external network since source MAC addresses, which are the sender identifiers in data link layer, are basically unused except for MAC address learning function of layer 2 switches. According to the results of experiments, we confirmed that the prototype NAT router with MAC address relaying function allows access to external networks by internal hosts to be controlled individually based on MAC address and obtains high throughput as well.

Journal

  • 情報処理学会論文誌

    情報処理学会論文誌 52(3), 1348-1356, 2011-03-15

    情報処理学会

Cited by:  3

Codes

  • NII Article ID (NAID)
    110008507969
  • NII NACSIS-CAT ID (NCID)
    AN00116647
  • Text Lang
    JPN
  • Article Type
    Journal Article
  • ISSN
    1882-7764
  • NDL Article ID
    024154650
  • NDL Call No.
    YH247-743
  • Data Source
    CJPref  NDL  NII-ELS  IR  IPSJ 
Page Top