JP3972335B2 - Network connection device, communication method, program, and storage medium storing program - Google Patents

Description

  The present invention relates to a network connection device or the like that allows a user to select a security policy for applying / not applying IPsec to a communication data packet.

Conventionally, as a technology related to communication security on the Internet, a technology discussed in the IPsec (Internet Protocol Security) working group of the IETF (The Internet Engineering Task Force) which is an international technical standardization organization of the Internet, for example, Security Architecture fore. The Internet Protocol (security architecture for the Internet protocol), IKE (automatic key exchange protocol Internet Key Exchange), and the like are known (see Non-Patent Document 1 and Non-Patent Document 2).
Here, IPsec is a protocol for encrypting packets on the Internet and performing communication safely. IKE exchanges and shares information such as encryption algorithms and encryption keys before starting communication. This is a protocol that automatically negotiates to do this.
IETF, RFC2401, [online], [searched August 21, 2003], Internet, <URL: http://www.ietf.org/rfc/rfc2401.txt?number=2401> IETF, RFC2409, [online], [searched August 21, 2003], Internet, <URL: ttp: //www.ietf.org/rfc/rfc2409.txt? Number = 2409>

However, in any of the above-described techniques, it is necessary to rewrite the security policy database of both nodes that perform communication in order to change the security policy of IPsec application / non-application of communication data between nodes. It was not possible to change the security policy for IPsec application / non-application only by changing the setting of one of the nodes.
That is, for example, when a user node downloads a large amount of data such as image data from the other node, if the user of that node determines that there is no need to ensure security, the download time The security policy for IPsec application / non-application is dynamically changed only by changing the setting of one node, such as applying IPsec to ensure security when not transmitting IPsec for shortening and transmitting / receiving other data. And could not be changed easily.

  Accordingly, an object of the present invention is to provide a network connection device, a communication method, and the like that can dynamically change (select) only the intention of one node with respect to a security policy for whether or not IPsec is applied in communication between nodes. And

In order to solve the above-described problems, the present invention is a network connection device that performs communication by dynamically changing the application / non-application of IPsec of communication data with a network connection device of a communication partner via a network. An interface unit that performs communication via a network, and for each attribute of the communication data, the communication data processing unit applies IPsec of the communication data, does not apply IPsec, deletes the communication data, A security policy database unit that stores a security policy indicating whether a user of the network connection device can select application / non-application of IPsec of the communication data, and a security that is a connection for performing IPsec communication between the network connection devices Security that stores information about associations I association database unit, by referring to the header information of the communication data indicating the attribute of the communication data, the searching security policy of the communication data from the security policy database portion, of the communication data from the security association database unit Security Search for information on the association, and based on these search results, apply IPsec of the communication data, do not apply IPsec, delete the communication data, or the user of the network connection device policy management unit that determines can choose to apply / non-application of the IPsec, the automatic key exchange protocol, negotiates the network connection device and security association of the communication partner is the negotiation result security A security association processing unit that stores or deletes information related to the association in the security association database unit, an input unit that inputs selection information of IPsec application / non-application of the communication data from the user to the communication data processing unit; And a communication data processing unit that accepts selection information of application / non-application of IPsec of the communication data from a user of the network connection device, generates, deletes, and acquires the communication data, and applies IPsec to the communication data The security association information includes negotiation start information regarding whether or not the network connection device has performed a negotiation process for security association with the network connection device of the communication partner using an automatic key exchange protocol. In addition, the policy management unit searches for information relating to a security association including negotiation start information in the security association database unit, and the first network connection in which the network connection device of the self has performed a security association start process When the information indicating that the device is a device or when the information regarding the security association of the network connection device is not found, the communication data processing unit applies the IPsec of the communication data from the user. to accept the selection information of the non-application, the security association processing unit, the search for information about the security association database unit security association including the negotiation start information, the self When Ttowaku connected device it was confirmed that the first network connection device, for the withdrawal of the security association from the second network connection device is a network connection apparatus of the communication partner of the security association It is characterized in that it does not respond to a negotiation by an automatic key exchange protocol or a negotiation by an automatic key exchange protocol for establishing a new security association from the second network connection device.
Other means for solving the problem will be described in the section of the best mode for carrying out the invention described later.

  In each claim, the network connection device corresponds to a node in an embodiment described later, and is, for example, a router or a personal computer. Further, the network connection device that starts the security association corresponds to an initiator of an embodiment described later. Note that the side (communication partner) that receives this security association negotiation corresponds to a responder. The network is a wired or wireless network, for example, an IP network. IPsec is a protocol that performs encryption processing and authentication processing of IP packets, and includes cases in which either processing is performed in addition to processing in both encryption and authentication.

According to the invention described in claim 2 , claim 4 , claim 6 and claim 7 of the present invention, the network connection device applies IPsec to the communication data (apply IPsec) or does not apply IPsec (bypass). In addition to the security policy of whether to delete the communication data (IPsec) or the communication data, a security policy of dynamically applying IPsec to the communication data can be selected (dynamically applied IPsec). It is possible to dynamically select (change) the application / non-application of IPsec for communication data only by the intention of the user of either one of the network connection devices.

According to the first aspect of the present invention, the information related to the security association (hereinafter abbreviated as “SA”) is the network connection device on the (starter) side where the own network connection device has started the SA. The security association processing unit includes information regarding whether or not the network connection device is an initiator, and if the network connection device of the security association processing unit is the network connection device (initiator) on the side where the SA is started, the communication partner (responder) ) Negotiations based on automatic key exchange protocol (IKE) are not accepted from network connected devices, so only the network initiator of the SA initiator dynamically selects the security policy for applying / not applying IPsec for communication data. (Changed).
That is, among the network connection devices that perform communication, the network connection device on the side that performs the start process of the SA (initiator) takes the initiative of communication by IPsec, and the network connection device on the side that receives the start of the SA (responder) Since the operation is performed in accordance with this, it is possible to prevent the selection of whether to apply IPsec between the two network connection devices is inconsistent, and it is possible to prevent the security policy from being applied / not applied from being determined.
Accordingly, it is possible to change (select) the security policy whether or not IPsec is applied only by the intention of one of the network connection devices.
Note that when the information on the security association is searched and no information on the security association of the network connection device is found, the SA is not established with the network connection device of the communication partner, that is, the own network connection. If the device applies IPsec with the network connection device of the communication partner, the case where the own network connection device becomes the initiator of the SA is shown.

According to the third aspect of the present invention, when the user of the network connection device selects to apply IPsec to the communication data, even if there is no SA of the communication data, the automatic key exchange protocol is used. Since the SA is established, communication data to which IPsec is applied can be transmitted / received to / from the network connection device of the communication partner.
Further, the information regarding the security association includes information regarding whether or not the own network connection device is an SA initiator, and it is possible to confirm that the device is an SA initiator.
That is, among the network connection devices that perform communication, the network connection device on the initiator side of the SA takes the initiative in communication, so there is a conflict between the choices of whether or not IPsec is applied to both network connection devices. It is possible to prevent the security policy from being applied / not applied from being determined. Accordingly, it is possible to change (select) the security policy whether or not IPsec is applied only by the intention of one of the network connection devices.

According to the invention described in claim 5 of the present invention, when the user of the network connection device chooses not to apply IPsec to the communication data, even if there is SA of the communication data, the automatic key exchange protocol is used. Since the SA is withdrawn (deleted), communication data to which IPsec is not applied can be exchanged with the network connection device of the communication partner.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  First, a basic configuration and a basic processing procedure of a network connection device (node) according to an embodiment of the present invention will be described with reference to FIGS. 1 to 3, and then a characteristic configuration of the present invention will be described.

<Basic configuration>
The node according to the embodiment of the present invention performs mutual data transmission / reception (communication) between the nodes. For the sake of explanation here, the node on the transmitting side is the node 100A and the node on the receiving side 100 is the node 100B. To do.
Since the transmitting side node 100A and the receiving side node 100B have the same configuration, the configuration of the node 100 (100A, 100B) will be described with reference to FIG. 1 showing the configuration of the transmitting side node 100A.

  The node 100 (100A) performs communication by IPsec of communication data based on the security policy and security association negotiated with the node 100 (100B) which is a communication partner, and the communication data of the node 100 (100B) It has a function to send and receive.

  Therefore, the node 100 includes an interface unit 101 that performs communication via the network 2, a security association database (SAD) unit 102 that stores information on SA for applying IPsec, and communication data for each attribute of communication data. Security policy database (SPD) unit 103 that stores security policies such as whether or not IPsec is applied to communication, communication data processing unit 104 that generates, deletes, and acquires communication data, and applies IPsec of communication data, header of communication data The policy management unit 105 that determines the processing content of the communication data with reference to the information, negotiates to establish the SA with the communication partner node 100 by the automatic key exchange protocol, and the information about the SA that is the negotiation result Generate security etc. Configured to include an input unit 107 for accepting input of various information from the association (SA) the user of the processing unit 106 and the node 100.

  Here, the SA in the present embodiment is a connection for performing communication by IPsec between the nodes 100 (100A, 100B). That is, before starting communication by IPsec between the nodes 100 (100A, 100B), the node 100 (100A, 100B) negotiates an encryption algorithm, an encryption key, and the like using the automatic key exchange protocol (IKE). (100A, 100B) is to share information about the encryption algorithm and the encryption key.

The node 100 (100A, 100B) is a network connection device that transmits and receives communication data via the network 2, and may be a PC (Personal Computer) or a router.
For illustration purposes, only two nodes 100A and 100B are illustrated in FIG. 1 for the sake of illustration, but of course, communication may be performed between three or more nodes 100.

(Security Policy Database Department)
The SPD unit 103 is a security policy (processing contents) of the communication data of the node 100 such that the communication data processing unit 104 discards the communication data packet, applies IPsec (apply IPsec), or does not apply IPsec (bypass IPsec). / Processing policy) is stored (stored). The security policy also includes information on the encapsulation mode, encryption algorithm, and authentication algorithm when the communication data processing unit 104 applies IPsec.
Further, the SPD unit 103 stores the output SPD that stores the security policy of the communication data packet transmitted (output) by the node 100 and the security policy of the communication data (communication data packet) received (input) by the node 100. It consists of two types of SPDs with the stored input SPD.

Table 1 illustrates an output SPD of the node 100. Here, the node 100 is AAA. AAA. AAA. Assume that the IP address is 1.
As illustrated in Table 1, the output SPD includes an item indicating the priority order to which each processing content is applied, an item indicating the start point IP address of the communication data packet to be processed, and an item indicating the end point IP address. , An item indicating a protocol, an item indicating a destination port, and information regarding processing contents applied to communication data packets corresponding to these items (selectors).

  For example, in the output SPD in Table 1, the communication data packet is AAA. AAA. AAA. Start with a network with an IP address of 0/24, and CCC. CCC. CCC. In the case of a communication data packet whose destination is a network with an IP address of 0/24, regardless of the protocol or destination port number (Any), IPsec is applied (apply IPsec), and AAA. AAA. AAA. 1 starting point, CCC. CCC. CCC. The tunnel mode is applied with 1 as the end point, the encryption algorithm is DES-CBC (Data Encryption Standard-Cipher Block Chaining), and the authentication algorithm is HMAC-SHA-1 (Hash Message Authentication Codes-Secure Almost Applied). AAA. AAA. AAA. This indicates a security policy that IPsec is not applied to communication data packets of destinations other than 0/24 (bypass IPsec).

Table 2 illustrates an input SPD of the node 100. As illustrated in Table 2, the input SPD is configured by the same items as the output SPD.
For example, in the input SPD in Table 2, the communication data packet is CCC. CCC. CCC. Start with a network with an IP address of 0/24, AAA. AAA. AAA. In the case of a communication data packet whose destination is a network with an IP address of 0/24, regardless of the protocol or destination port number (Any), IPsec is applied (apply IPsec), and CCC. CCC. CCC. 1 as the starting point, AAA. AAA. AAA. 1 is the end point, the tunnel mode is applied, the encryption algorithm is DES-CBC (Data Encryption Standard-Cipher Block Chaining), and the authentication algorithm is HMAC-SHA-1 (Hash Message Authentication Codes-Secure Hash 1). CCC. CCC. CCC. This indicates a security policy that IPsec is not applied to communication data packets of destinations other than 0/24 (bypass IPsec).

The policy management unit 105, which will be described later, searches the security policy in the SPD unit 103 using the header information of the communication data packet as a selector, and determines the processing content to be applied to the communication data packet.
Further, the information of the SPD unit 103 is input by the user of the node 100 (100A, 100B) via the input unit 107 before applying IPsec between the nodes 100 (100A, 100B). To do.

(Security Association Database Department)
The SAD unit 102 has a function of storing (storing) information on SA of communication data between nodes 100 (100A and 100B) generated by the SA processing unit 106 described later.
Information related to the SA includes the end point IP address (destination IP address) of the communication data, the type of IPsec protocol, the SPI (Security Parameter Index) value that is a value for identifying each SA, the encryption algorithm, and the information related to the encryption key. In addition, various information is described.

  The SAD unit 102 also outputs an SAD for storing the SA related to the communication data packet transmitted (output) by the node 100 and an input SAD for storing the SA of the communication data packet received (input) by the node 100. And two types of SAD.

Table 3 illustrates the output SAD of the node 100. Here, the node 100 is AAA. AAA. AAA. Assume that the IP address is 1.
As illustrated in Table 3, the output SAD includes items indicating parameters such as an end point IP address, an IPsec protocol, and an SPI value of a communication data packet that is an object of SA, an encapsulation mode, an encryption algorithm, It includes an encryption key, an authentication algorithm, information about the authentication key, and the like.

  For example, the output SAD in Table 3 is DDD. DDD. DDD. For a communication data packet having an IP protocol of DDD as an end point, an IPsec protocol of ESP (Encrypted Payload Encapsulated Security Payload), and an SPI value of 3000, the encapsulation mode is the tunnel mode, and the encryption algorithm is DES- It is CBC, the encryption key is XXX, the authentication algorithm is HMAC-SHA-1, and the authentication key indicates that the SA of YYY is established.

  The input SAD has the same configuration as the output SAD except that it includes an item of the start point IP address instead of the item indicating the end point IP address of the communication data packet that is the target of the SA. Table 4 illustrates input SADs.

  For example, the input SAD in Table 4 is DDD. DDD. DDD. For a communication data packet having an IP protocol of DDD as a starting point and an IPsec protocol of ESP (Encrypted Payload Encapsulated Security Payload) and an SPI value of 3000, the encapsulation mode is the tunnel mode, and the encryption algorithm is DES. -CBC, the encryption key is XXX, the authentication algorithm is HMAC-SHA-1, and the authentication key indicates that the SA of YYY is established.

  The policy management unit 105, which will be described later, refers to the security policy retrieved from the SPD unit 103 and the information regarding the SA retrieved from the SAD unit 102, and generates a new SA to the SA processing unit 106, which will be described later. Request and SA deletion request.

  The information of the SAD unit 102 is automatically set (rewritten) by the SA processing unit 106 using IKE. However, the user of the node 100 (100A, 100B) sets the information manually via the input unit 107 ( Can be rewritten).

(Communication data processor)
The communication data processing unit 104 has a function of generating communication data based on various information input from the input unit 107. Further, the policy management unit 105 is inquired about the processing contents (processing method) of the generated communication data and the communication data output from the interface unit 101, and the processing contents (method) of the communication data output from the policy management unit 105 are inquired. It has a function of deleting communication data or applying IPsec.

  Here, the processing contents of the communication data are, for example, contents such as discarding the communication data packet, applying IPsec (apply IPsec), not applying IPsec (bypass IPsec), and further applying IPsec. Includes an encryption algorithm and an authentication algorithm.

(Policy Management Department)
The policy management unit 105 has a function of determining the processing content of communication data.
More specifically, when the policy management unit 105 receives an inquiry about the communication data processing method from the communication data processing unit 104, the policy management unit 105 refers to the header information indicating the attribute of the communication data, and outputs the SPD unit 103. The security policy of the communication data is searched from the security policy database, and information related to the SA of the communication data is searched from the SAD unit 102 described above. Based on the search result (security policy and SA), the policy management unit 105 determines the processing content of the communication data.
Details of the processing procedure of the policy management unit 105 will be described later in the description of the processing procedure of the nodes 100 (100A, 100B).

(SA processor)
When the SA processing unit 106 receives from the policy management unit 105 an SA generation request for communication data to the counterpart node 100 (100B), the SA processing unit 106 creates an SA of the communication data and performs communication using the automatic key exchange protocol (IKE). SA negotiation is performed with the counterpart node 100 (100B). The SAD unit 102 has a function of storing (registering) information on the SA that is the negotiation result.

  When the SA processing unit 106 receives an SA deletion (withdrawal) request from the policy management unit 105 for communication data with the counterpart node 100 (100B), the SA processing unit 106 communicates with the node 100 (100B) using the automatic key exchange protocol. The node 100 (100B) is notified of withdrawal of the established SA, and has a function of deleting information related to SA of communication data with the counterpart node 100 (100B) from the SAD unit 102 of the node 100 (100A).

  Next, the processing procedure of each component of the node 100 (100A, 100B) will be described with reference to FIGS. Here, a case where the transmission side node 100A transmits communication data to the reception side node 100B will be described as an example.

FIG. 1 is a diagram illustrating a configuration of a transmission side node.
FIG. 2 is a flowchart showing the processing procedure of the transmitting side node.
FIG. 3 is a flowchart showing the processing procedure of the receiving side node.
First, a processing procedure when the node 100A transmits a communication data packet will be described using FIG. 2 with reference to FIG.

(Step S101)
In step S101, the communication data processing unit 104 of the node 100A generates a communication data packet to be transmitted to the node 100B based on the information output from the input unit 107.
Then, the communication data processing unit 104 inquires of the policy management unit 105 about the processing content of the communication data packet. Specifically, the communication data processing unit 104 outputs the header information of the communication data packet of the node 100A to the policy management unit 105.

(Step S102)
The policy management unit 105 uses the information such as the start point IP address, the end point IP address, and the upper layer protocol of the header information of the communication data packet generated in step S101 as a selector from the output SPD of the SPD unit 103 of the node 100A to the security policy ( Search for (Processing content). If the searched security policy (processing content) is to apply IPsec (apply IPsec), the process proceeds to step S103.
If the retrieved security policy is that IPsec is not applied to the communication data packet (bypass IPsec), the process proceeds to step S106, and the communication data packet is transmitted from the interface unit 101 to the node 100B without applying IPsec. . If the retrieved security policy is a communication data packet discard, the process proceeds to step S107, and the communication data packet generated by the communication data processing unit 104 is discarded. That is, the communication data packet is not transmitted to the node 100B.

(Step S103)
In step S103, the policy management unit 105 refers to the security policy searched in step S102 and the header information of the communication data packet, and uses this as a selector from the output SAD of the SAD unit 102 of the node 100A to this communication. Retrieve information about SA in data packet. Here, when the information regarding the SA of this communication data packet is not found in the output SAD (the corresponding Security Association in S103 is not found), the SA of the communication data packet including the header information of this communication data packet is sent to the SA processing unit 106. The data for requesting generation is output, and the process proceeds to step S104. If information related to the SA of this communication data packet is found in the output SAD (S103, there is a Security Association), the process proceeds to step S105.

(Step S104)
In step S104, the SA processing unit 106 that has received the data requesting the generation of the SA of the communication data packet from the policy management unit 105 refers to the header information of the communication data packet included in this data, and performs this communication data using IKE. An SA with the receiving side (communication partner) node 100B regarding the packet is generated.
Specifically, the SA processing unit 106 starts IKE, and various data (encryption algorithm, encryption key) for establishing SA of the communication data packet scheduled to be transmitted to the node 100B via the interface unit 101. Send and receive. That is, the negotiation for establishing the SA with the node 100B is started.
When the SAD unit 102 of the node 100A negotiates with the node 100B and establishes the SA of the communication data packet, information about the SA is generated, the information is stored in the SAD unit 102, and the process proceeds to step S105. .

(Step S105)
In step S105, the policy management unit 105 performs this communication based on the security policy of the communication data packet stored in the output SPD of the SPD unit 103 and the information on the SA of the communication data packet stored in the SAD unit 102. The processing contents (encryption algorithm etc.) of the data packet are determined. Then, this processing content is output to the communication data processing unit 104. Upon receiving this processing content, the communication data processing unit 104 applies IPsec to the communication data packet based on this and transmits it to the node 100B via the interface unit 101.

  Next, a processing procedure when the receiving node 100B receives communication data will be described using FIG. 3 with reference to FIG.

(Step S201)
In step S201, the communication data processing unit 104 of the node 100B receives a communication data packet from the node 100A via the interface unit 101.

(Step S202)
In step S202, the communication data processing unit 104 refers to the header information and the like of the communication data packet received in step S201, and applies or does not apply IPsec of this communication data (whether IPsec is applied or not applied). ) Is verified. If IPsec is applied to the communication data packet, the communication data processing unit 104 outputs the header information of the communication data packet to the policy management unit 105, and proceeds to step S203 (IPsec is applied in step S202). . If IPsec is not applied (no IPsec application in step S202), the header information of this communication data packet is output to the policy management unit 105, and the process proceeds to step S207.

(Step S203)
In step S203, the policy management unit 105 uses the information such as the start point IP address, end point IP address, and upper layer protocol included in the header information of the communication data packet received in step S201 as parameters, and inputs to the SAD unit 102 of the node 100B. The SA related to this communication data packet is searched from the SAD for use. If the policy management unit 105 finds the SA of the communication data packet as a result of the search (the corresponding Security Association in S203 is present), the SA regarding the communication data packet is output to the communication data processing unit 104, and the process proceeds to step S206. If the SA of the communication data packet cannot be found (no corresponding Security Association in S203), the process proceeds to step S204.

(Step S204)
In step S204, the communication data processing unit 104 performs processing for removing IPsec of the communication data packet (decoding / authentication processing of the communication data packet) based on the SA regarding the communication data packet searched by the policy management unit 105. Then, the header information of the communication data packet is output to the policy management unit 105.

(Step S205)
In step S205, the policy management unit 105 searches for the security policy of the communication data packet from the input SPD of the SPD unit 103 using the header information of the communication data packet output from the communication data processing unit 104 as a selector. Then, the processing content of the communication data packet is determined based on the searched security policy, and the processing content is output to the communication data processing unit 104.
If the security policy retrieved from the SPD unit 103 is to apply IPsec (apply IPsec), the process proceeds to step S208. If the retrieved security policy is to discard the communication data packet (discard) or not apply IPsec (bypass IPsec), the process proceeds to step S206.

(Step S206)
In step S206, when the communication data processing unit 104 receives the processing content of the communication data packet (discarding the communication data packet) transmitted from the policy management unit 105, the communication data packet is discarded based on this.

(Step S207)
In step S207, in which the communication data packet received by the node 100B does not apply IPsec, the policy management unit 105 uses the header information of the communication data packet as a selector to input the communication data from the input SPD of the SPD unit 103. Retrieve packet security policy. If the security policy retrieved from the SPD unit 103 is not applying IPsec (bypass IPsec), the process proceeds to step S208. If the retrieved security policy is to discard the communication data packet (discard) or apply IPsec (apply IPsec), the process proceeds to step S209.

(Step S208)
In step S208, the processing content of the communication data packet (completion of reception of the communication data packet) based on the security policy (IPsec not applied) retrieved by the policy management unit 105 is determined, and this processing content is transmitted to the communication data processing unit 104. Output. When the communication data processing unit 104 receives the processing content of the communication data packet (completion of reception of the communication data packet) transmitted from the policy management unit 105, the communication data packet is received based on this.

(Step S209)
In step S209, the processing content (communication data packet discard) of the communication data packet based on the security policy searched by the policy management unit 105 is determined, and the processing content is output to the communication data processing unit 104. When the communication data processing unit 104 receives the processing content of the communication data packet transmitted from the policy management unit 105, the communication data processing unit 104 discards the communication data packet based on this.

The basic components and basic processing procedures of the node 100 have been described above by taking as an example the case where the transmitting node 100A transmits communication data to the receiving node 100B.
When the node 100 executes such a processing procedure, the node 100 executes application / non-application of IPsec to the communication data packet based on the security policy stored in the SPD unit 103.

<Characteristic configuration>
Next, a characteristic configuration of the present embodiment of the present invention will be described. Note that the same components as the basic configuration described above are denoted by the same reference numerals, and description thereof is omitted.
The characteristic configuration of the present embodiment is characterized in that the node 100 can dynamically change the security policy for the application / non-application of IPsec to the communication data packet.

  Therefore, the output SPD and the input SPD of the SPD unit 103 of the node 100 in the basic configuration described above apply IPsec (apply IPsec), in which the communication data processing unit 104 discards the communication data packet (apply IPsec), IPsec. In addition to a security policy (processing contents) such as not applying (bypass IPsec), a security policy called dynamically apply IPsec that allows the user of the node 100 to dynamically select whether or not to apply IPsec to a communication data packet is included. Consists of.

  Table 5 is a table illustrating the output SPD of the SPD unit 103 of the node 100 according to the present embodiment. As illustrated in Table 5, the output SPD of this embodiment has the same configuration as the output SPD of the basic configuration, but the selector item is the same, but the user of the node 100 sets the communication data as the processing item to be applied. It is configured with a security policy called dynamically apply IPsec that can dynamically change the application / non-application of IPsec to a packet.

  For example, the SPD for output of the SPD unit 103 exemplified in Table 5 includes a communication data packet of AAA. AAA. AAA. Start with a network with an IP address of 0/24, BBB. BBB. In the case of a communication data packet whose destination is a network with an IP address of 0/24, regardless of protocol or destination port number (Any), the application / non-application of IPsec to the communication data packet is dynamically selected (changed). ) (Dynamically apply IPsec), and the communication data packet is AAA. AAA. AAA. Start with a network with an IP address of 0/24, and CCC. CCC. CCC. In the case of a communication data packet whose destination is a network having an address of 0/24, IPsec is applied (apply IPsec), and AAA. AAA. AAA. This indicates a security policy that IPsec is not applied to communication data packets of destinations other than 0/24 (bypass IPsec).

  The output SPD of the SPD unit 103 has been described above as an example, but the input SPD includes the processing contents of dynamically apply IPsec as in the case of the output SPD.

  As described in the basic configuration, the SAD unit 102 is also composed of two types of SADs, that is, output SAD and input SAD. It further includes information (negotiation start information) regarding whether or not SA negotiation has been started, that is, whether or not its own node 100 is an initiator for establishing SA.

  Table 6 illustrates an output SAD of the node 100 in the present embodiment. As illustrated in Table 6, the output SAD stores information on parameters such as an end point IP address, an IPsec protocol, an SPI value, an encapsulation mode, and an encryption algorithm for each communication data packet that is a target of SA. However, in addition to this, for each SA, the node 100 is an initiator, but also stores information on whether it is a responder (negotiating side, communication partner).

For example, the output SAD in Table 6 is DDD. DDD. DDD. For a communication data packet whose end point is a node with an IP address of DDD, the IPsec protocol is ESP, and the SPI value is 3000, it indicates that its own node 100 is an initiator.
In addition, EEE. EEE. EEE. For a communication data packet whose end point is a node with an IP address of EEE, the IPsec protocol is ESP, and the SPI value is 3010, it indicates that its own node 100 is a responder. That is, the above-described SA indicates that the communication partner node 100 is established as an initiator.

  In addition to the components described in the basic configuration, the input SAD also includes information regarding whether each node 100 is an initiator or a responder for each SA, in the same manner as the output SAD. Is done.

When the SA processing unit 106 establishes (establishes) an SA with the counterpart node 100, in addition to information about the SA (encryption algorithm, etc.), the SA processing unit 106 determines whether the node 100 is an initiator or not in the responder. The SAD unit 102 has a function of storing information regarding whether there is any.
In addition to the function of establishing the SA by IKE, the SA processing unit 106 searches (refers to) the information of the SAD unit 102 described above, and confirms that its own node 100 is an initiator. Even if an IKE negotiation for establishing SA or withdrawing (deleting) SA is started from 100, it has a function of not accepting (not responding to) this.
That is, even if data for negotiation by IKE for SA establishment or SA withdrawal (deletion) is received from the responder side node 100, this data is discarded and no subsequent response is made to the responder side node.

  Further, as described in the section of the basic configuration, the SPD for output and the SPD for input of the SPD unit 103 are input by the user of the node 100 via the input unit 107 before performing communication between the nodes 100. Shall be performed.

  Therefore, for example, the user of the node 100 does not want to make the security policy for applying / non-applying IPsec fixed in the items of the selector of the output SPD of the SPD unit 103 of the node 100 and the dynamically apply IPsec of the input SPD. By setting the network information, it is possible to dynamically change (select) the security policy for IPsec application / non-application when data is transmitted to the set network.

  In addition, the input SAD and the output SAD of the SAD unit 102 are also set manually by the user via the input unit 107 as to whether the node 100 becomes an initiator or a responder for each piece of information related to the SA. May be.

In addition, as a result of searching the SAD unit 102 by the policy management unit 105, when the own node 100 becomes the communication initiator (when there is no SA corresponding to the SAD unit 102), the own node 100 is the initiator. Only when the information about the SA of the SAD unit 102 indicates that the node 100 is an initiator, the communication data processing unit 104 uses the node 100 to apply / not apply the IPsec of the communication data packet. It has a function of accepting application selection information.
In this way, it is possible to prevent the node 100 having the initiative to select whether or not to apply IPsec between the nodes 100 performing communication from being determined, so that it is not possible to determine whether or not to apply IPsec.

Next, the processing procedure of each component in this Embodiment is demonstrated using FIGS. 4-7, referring FIGS. 1-3.
FIG. 4 is a diagram showing a processing procedure for transmitting communication data of a node in the present embodiment.
FIG. 5 is a diagram showing a communication data transmission processing procedure of the responder side node in the present embodiment.
FIG. 6 is a diagram showing a processing procedure before reception of communication data of a node in the present embodiment.
FIG. 7 is a diagram showing a processing procedure after receiving communication data of a node in the present embodiment.

  First, a processing procedure in which the node 100 transmits communication data will be described with reference to FIG. Since step S301 is the same processing operation as step S101 of FIG. 2 of the basic processing procedure described above, description thereof will be omitted, and step S302 will be described.

(Step S302)
In step S302, the policy management unit 105 uses the information such as the start point IP address, end point IP address, and upper layer protocol included in the header information of the communication data packet generated in step S301 as a selector to output the SPD unit 103 of the node 100. The security policy is retrieved from the SPD for use.

  Here, if the searched security policy is to select whether to apply IPsec (dynamically apply IPsec), the process proceeds to step S303. If the retrieved security policy is to discard the communication data packet (discard), not apply IPsec (bypass IPsec), or apply IPsec (apply IPsec), the process proceeds to step S311 and the basic configuration described above The same processing procedure as the communication data transmission procedure (basic processing procedure) is performed.

(Step S303)
In step S303, the policy management unit 105 refers to the SAD for output from the SAD unit 102, and confirms whether the node 100 of the communication data packet is a communication entity (initiator) or a communication partner (responder).

Specifically, when the policy management unit 105 searches the SAD unit 102, the SA corresponding to the SAD unit 102 is present, and it is described in the SA that the own node 100 is a responder (or When there is no description that the initiator is an initiator), the policy management unit 105 determines that the node 100 is a responder.
In other cases, the policy management unit 105 determines that the node 100 is an initiator. That is, when the policy management unit 105 searches the SAD unit 102 for SAs related to the communication data packet, there is no SA corresponding to the SAD unit 102, and there is an SA corresponding to the SAD unit 102, and information on the SA When it is described that the own node 100 is an initiator, the policy management unit 105 determines that the own node 100 is an initiator.
In other words, the case where the node is determined to be an initiator is the case where the own node 100 has already established an SA with the communication partner node 100, and the own node 100 is still the communication partner. It is assumed that the SA is not established with the node 100 to become the initiator, but if the IKE is started to the node 100 to be the communication partner after this, the case of becoming an initiator is included.

  If the node 100 is an initiator, the policy management unit 105 outputs to the communication data processing unit 104 that the node 100 is an initiator, and proceeds to step S304. If the node 100 is a responder, the process proceeds to step S401 in FIG. 5 (transmission processing procedure of the responder side node 100) described later.

(Step S304)
In step S304, the communication data processing unit 104, which has confirmed that the node 100 is an initiator in step S303, applies / non-applies IPsec to the communication data packet from the user of the node 100 via the input unit 107. Accept selection information.

  For example, in this case, the selection information for the application / non-application of IPsec may be output to a not-shown output unit (a monitor screen or the like) by a screen prompting the user to select application / non-application of IPsec. . Then, the user inputs selection information on application / non-application of IPsec via the input unit 107, and the selection information is received by the communication data processing unit 104. When the user of the node 100 selects to apply IPsec to the communication data packet (transmission packet), the process proceeds to step S305. If it is selected not to apply IPsec, the process proceeds to step S308.

(Step S305)
In step S305, the communication data processing unit 104 outputs the selection information (IPsec application) input in step S304 and the header information of the communication data packet of the node 100 to the policy management unit 105, and the processing contents of the communication data packet Is inquired to the policy management unit 105. The policy management unit 105 receives the selection information (IPsec application) output in step S303 and the header information of the communication data packet, refers to the header information of the communication data packet, and uses this information as a parameter. Information regarding the SA of this communication data packet is retrieved from the output SAD of the SAD unit 102 of the node 100. Here, when the information regarding the SA of the communication data packet is not found from the output SAD (the corresponding Security Association is not found in S304), the policy management unit 105 sends the header information of the communication data packet to the SA processing unit 106. At the same time, data requesting generation of SA of the communication data packet is output, and the process proceeds to step S306.
If information related to the SA of the communication data packet is found in the output SAD (there is a corresponding Security Association in S304), the process proceeds to step S307.

(Step S306)
In step S306, when the SA processing unit 106 receives data requesting the generation of the SA of the communication data packet from the policy management unit 105, the SA processing unit 106 refers to the header information of the communication data packet included in the data and performs the communication by the IKE. An SA with the communication partner node 100 is generated for the data packet.

  Specifically, the SA processing unit 106 starts IKE and transmits / receives various data (encryption algorithm, encryption key) for establishing SA of the communication data packet scheduled to be transmitted to the node 100, and the interface unit 101. Do through. That is, the negotiation for establishing the SA with the node 100 is started.

  Then, after negotiating with the node 100, the SA processing unit 106 of the node 100 establishes the SA of the communication data packet, generates information related to the SA, stores the information in the SAD unit 102, and proceeds to step S307.

(Step S307)
In step S307, the policy management unit 105 performs this communication based on the security policy of the communication data packet stored in the output SPD of the SPD unit 103 and the information on the SA of the communication data packet stored in the SAD unit 102. The processing contents (encryption algorithm etc.) of the data packet are determined. Then, this processing content is output to the communication data processing unit 104. The communication data processing unit 104 transmits a communication data packet to which IPsec is applied based on the processing content to the communication partner node 100 via the interface unit 101.

  When the node 100 executes such a processing procedure, the communication data packet is dynamically applicable IPsec that allows the user to select application / non-application of IPsec, and use of the node 100 that is an initiator for the communication data packet When the person chooses to apply IPsec, a communication data packet to which IPsec is applied can be transmitted to the node 100 of the communication partner.

(Step S308)
In step S307 in which the user of the node 100 has selected not to apply IPsec to the communication data packet, the selection information output in step S303 (does not apply IPsec) and the header information of the communication data packet are received. Then, similarly to step S304, the header information of the communication data packet is referred to, and the information on the SA of the communication data packet is searched from the output SAD of the SAD unit 102 of the node 100 using this information as a parameter.

  If information related to the SA of this communication data packet is found in the output SAD (there is a corresponding Security Association in S307), the SA processing unit 106 is notified of the SA of the communication data packet along with the header information of this communication data packet. Data for requesting withdrawal (deletion) is output, and the process proceeds to step S309.

  If no information related to the SA of this communication data packet is found from the output SAD (no relevant Association in S307), the policy management unit 105 processes the communication data packet (transmits without applying IPsec). Is output to the communication data processing unit 104, and the process proceeds to step S310.

(Step S309)
In step S309, when the SA processing unit 106 receives data requesting withdrawal (deletion) of the SA of the communication data packet from the policy management unit 105, the SA processing unit 106 refers to the header information of the communication data packet included in this data, and determines the IKE. Thus, the SA established with the counterpart node 100 for the communication data packet is withdrawn (deleted).

  Specifically, the SA processing unit 106 starts IKE and transmits / receives various data (SPI value, etc.) for SA withdrawal (deletion) of communication data packets to / from the communication partner node 100 via the interface unit 101. Do it. That is, negotiation with the communication partner node 100 for SA withdrawal (deletion) is started.

  Then, the SA processing unit 106 of the node 100 performs a notification of deleting (withdrawing) the SA between the nodes 100. Then, the SA processing unit 106 deletes information related to the SA from the SPD unit 103 of its own node 100.

(Step S310)
In step S310, the policy management unit 105 searches the information regarding the SA of the communication data packet again from the SAD unit 102, and applies the processing content (IPsec) of the communication data packet based on the search result (no corresponding SA). Send). Then, this processing content is output to the communication data processing unit 104. Upon receiving the processing content from the policy management unit 105, the communication data processing unit 104 transmits the communication data packet without applying IPsec based on the received processing content.
When the node 100 executes such a processing procedure, the communication data packet is dynamically applicable IPsec that allows the user to select application / non-application of IPsec, and use of the node 100 that is an initiator for the communication data packet When the person chooses not to apply IPsec, the communication data packet can be transmitted to the communication partner node 100 without applying IPsec.

  Next, a procedure for the responder side node 100 to transmit a communication data packet will be described with reference to FIGS. 1 to 3 and FIG.

(Step S401)
In step S401, referring to the header information of the communication data packet received in step S301, using this information as a parameter, information related to the SA of the communication data packet is searched from the output SAD of the SAD unit 102 of the node 100. If information related to the SA of this communication data packet is found from the output SAD (the corresponding Security Association in S401 is present), the process proceeds to step S402. If no information regarding the SA of the communication data packet is found from the output SAD (no corresponding Security Association in S401), the process proceeds to step S403.

(Step S402)
In step S402, the policy management unit 105 transmits a communication data packet to which IPsec is applied to the communication partner node 100 via the interface unit 101 in the same procedure as in step S307 of FIG.

(Step S403)
In step S403, the policy management unit 105 transmits a communication data packet to the communication partner node 100 via the interface unit 101 without applying IPsec in the same procedure as in step S310 of FIG.

  Next, a processing procedure until the node 100 receives communication data will be described with reference to FIGS. First, a processing procedure before the node 100 receives communication data will be described with reference to FIGS. 1 to 3 and FIG.

(Step S501)
In step S501, the user of the node 100 sends information (for example, the start point IP address, the end point IPsec, the upper layer protocol, etc.) regarding the communication data packet to be received to the communication data processing unit 104 via the input unit 107 of the node 100. input. Then, the communication data processing unit 104 inquires of the policy management unit 105 about the processing content of the communication data packet. Specifically, the information input to the communication data processing unit 104 is output to the policy management unit 105 as the processing content of the communication data packet of the node 100.

(Step S502)
In step S502, a security policy is searched from the output SPD of the SPD unit 103 of the node 100 using the information related to the communication data packet input to the communication data processing unit 104 in step S501 as a selector. If the retrieved security policy is dynamically apply IPsec, the process proceeds to step S503. If the retrieved security policy is apply IPsec, discard, or bypass IPsec, the process proceeds to step S511, and processing similar to the basic processing procedure (reception) shown in FIG. 3 is performed.

(Step S503)
In step S503, the policy management unit 105 checks whether its own node 100 is an initiator or a responder by the same processing procedure as in step S303 in FIG.
If the node 100 is an initiator, the policy management unit 105 outputs to the communication data processing unit 104 that the node 100 is an initiator, and proceeds to step S504. If the node 100 is a responder, the process proceeds to step S601 in FIG. 7 (processing procedure after receiving communication data) described later.

  Steps S504 to S505 are the same as the processing steps from step S304 to step S305 in FIG. 4 and thus will not be described. The user of the node 100 has selected to apply IPsec to the communication data packet scheduled to be received. A description will be given from step S506, which is a case where there is no SA corresponding to the SAD unit 102.

(Step S506)
In step S506, as in step S306 in FIG. 4, SA generation by IKE is performed. Specifically, the SA processing unit 106 of the node 100 starts IKE and becomes an initiator, and establishes SA with the transmitting side node 100 which is a responder.

(Step S507)
In step S507, a communication data packet to which IPsec is applied is received from the sender node 100 as a responder via the interface unit 101.

  Since step S508 is the same as step S308 in FIG. 4, the description is omitted and the user has selected not to apply IPsec to the communication data packet scheduled to be received. However, the SAD unit 102 has the corresponding SA. A description will be given starting from step S509.

(Step S509)
In step S509, the SA is deleted by IKE, as in the processing procedure of step S309 in FIG. Specifically, the SA processing unit 106 of the initiator side node 100 starts IKE and transmits a communication data packet to which the IPsec is not applied from the transmission side (responder side) node 100 to the initiator side node 100. As described above, the SA established with the node 100 on the transmission side responder is withdrawn.

(Step S510)
In step S510, a communication data packet to which IPsec is not applied is received from the node 100 on the transmission side (responder side) via the interface unit 101.

  Next, a processing procedure after the node 100 receives communication data will be described with reference to FIG.

(Step S601)
A communication data packet is received from the transmission side node 100 via the interface unit 101 of the node 100.

  The processing procedures of step S602 and step S603 are the same as the processing procedures of step S202 and step S203 of FIG. 3, respectively. The processing procedure of step S604 is the same as the processing procedure of step S204 of FIG. Since the processing procedure is the same as the processing procedure of step S206 in FIG. 3, the description thereof is omitted, and IPsec is applied to the communication data packet received by the user of the node 100, and this communication data packet is retrieved from the SAD unit 102. A description will be given from step S605, which is a processing procedure after input processing (decryption / authentication processing) is performed based on the SA.

(Step S605)
In step S605, the policy management unit 105 searches for the security policy of the communication data packet from the input SPD of the SPD unit 103 using the header information of the communication data packet output from the communication data processing unit 104 in step S604 as a selector. . Then, the processing content of the communication data packet is determined based on the retrieved security policy, and the processing content is output to the communication data processing unit 104. If the security policy retrieved from the SPD unit 103 is “discard”, “bypass IPsec”, or “apply IPsec”, the process proceeds to step S606. If the retrieved security policy is dynamically apply IPsec, the process proceeds to step S610.

(Step S606)
In step S606, the policy management unit 105 performs the same processing as the basic processing procedure of FIG. Specifically, the same processing procedure (processing according to the security policy retrieved from the SPD unit 103) as the processing procedure after step S205 in FIG. 3 is executed.

(Step S608)
In step S608 in which IPsec is not applied to the communication data packet, the policy management unit 105 uses the header information of the communication data packet output from the communication data processing unit 104 in step S604 as a selector, and the SPD for input of the SPD unit 103. To retrieve the security policy of the communication data packet. If the retrieved security policy is dynamically apply IPsec, the process proceeds to step S609.
If the retrieved security policy is “discard”, “bypass IPsec”, or “apply IPsec”, the process proceeds to step S612.
In step S612, the policy management unit 105 performs the same processing as the basic processing procedure of FIG. Specifically, the same processing procedure (processing according to the security policy retrieved from the SPD unit 103) as the processing procedure after step S207 in FIG. 3 is executed.

(Step S609)
In step S609, the policy management unit 105 searches the SA of the communication data packet from the input SAD of the SAD unit 102 of the node 100 using the header information of the communication data packet received in step S601 as a parameter. If the SA of the communication data packet cannot be found as a result of the search (no corresponding Security Association in S609), the process proceeds to step S610. When the policy management unit 105 finds the SA of the communication data packet (the corresponding Security Association in S609), the SA of the communication data packet is output to the communication data processing unit 104, and the process proceeds to step S611.

  In step S610, the reception of the communication data packet is completed in the same manner as in step S208 in FIG. 3, and in step S611, the communication data packet is discarded as in step S209 in FIG.

  When the node 100 executes the processing procedure as described above, the node 100 on the initiator side selects that the user of the node 100 on the initiator side applies IPsec in communication with a security policy of dynamically apply IPsec. A communication data packet to which IPsec is applied can be received from the node 100 on the transmission side which is a responder. If the user of the initiator side node 100 selects not to apply IPsec, a communication data packet to which IPsec is not applied can be received from the transmitting side node 100 as a responder.

  Therefore, according to the configuration and processing procedure as described above, the user (user of the initiator node) can dynamically change the security policy for application / non-application of IPsec to the communication data packet.

  If the user can dynamically change the security policy for applying / not applying IPsec to the communication data packet in this way, for example, when IPsec is required when connecting to the Internet with an information terminal (personal computer) or the like. By applying IPsec only to the network, it is possible to increase the efficiency of data transfer by suppressing the number of IPsec headers added to the communication data packet while ensuring the necessary and sufficient security. In particular, even when a mobile terminal or the like has various communication forms and communication environments depending on the destination, it is possible to improve data efficiency and reduce communication delay time while ensuring necessary and sufficient security. Convenient for terminal users.

  Here, an embodiment in which the configuration and processing means of the node 100 described above are applied to a mobile terminal (MN) and a predetermined node (CN) in Mobile IPv6 communication will be described with reference to FIG.

  Mobile IPv6 is a function that automatically generates an IPv6 (Internet Protocol Version 6) address, and a mobile terminal (MN) is previously assigned an IP address (home network) from its home agent (Home Agent) to its own network (home network). This is a communication method in which an address (HomeAddress: HoA) is received and used as its own address even when it is moved to various networks.

  That is, the mobile terminal (MN) obtains a new IP address (care-of address: CoA) at the destination, but the HA, a mobility anchor point (Mobility Anchor Point) that works similar to HA, and the like are HoA. By having correspondence information between and CoA, the MN can continue communication with the same address even at the destination.

  FIG. 8 is a diagram showing various communication modes when a mobile terminal (MN) communicates with the same communication partner (CN) using Mobile IPv6.

In the communication mode <1> in FIG. 8, the mobile terminal (MN) registers the care-of address (CoA) of the MN, which is an address in the destination network, with the home agent (HA). FIG. 3 is a configuration diagram of a network when performing communication via an HA that manages a CoA of an MN.
In the communication mode <2> in FIG. 8, after the MN registers its own CoA in the HA, the MN further optimizes the communication path between the CN (the MN communicates with the CN without going through the HA). FIG. 3 is a network configuration diagram in a case where a Return Routability Procedure is performed and a MN and a CN communicate directly without going through an HA.
In the communication mode <3> in FIG. 8, the MN registers its own LCoA in the MAP, and further registers the location information (Regional Care of Address: RCoA) of the network (MAP domain) in which the MN currently exists in the HA. After that, the MN and the CN communicate via the MAP that manages the actual location of the MN (Local Care of Address: LCoA) and the HA that manages the location of the network (MAP domain) where the MN exists. It is a network block diagram in the case.
In the communication mode <4> in FIG. 8, the MN registers its location (LCoA) with the MAP, and the MN registers the location (RCCoA) of the network (MAP domain) in which the MN exists with the HA. Then, in order to further optimize the communication path between the MN and the CN (the MN communicates with the CN without going through the HA), the Return Routeability Procedure is performed between the MN and the CN. It is a network block diagram in case MN and CN communicate directly without going through HA.

  In the communication modes <1> to <4> as described above, between the MN 300 and the CN 400 according to the communication environment (whether security is ensured) in the communication sections (1) to (3) shown in FIG. Table 7 shows the security (necessity / unnecessity of IPsec application) required for the communication data packets exchanged by.

In communication using Mobile IPv6, as shown in Table 7, even when the MN 300 communicates with the same node CN 400, it is necessary to apply IPsec in each section CN-MN, HA-MN, and MAP-MN on the communication path. Although it changes, in the conventional technology, IPsec application / non-application between CN and MN, between HA and MN, and between MAP and MN is determined in advance assuming a specific communication form / communication environment shown in Table 7. In order to ensure security even in all communication modes / communication environments shown in Table 7, it is always between CN-MN, between HA-MN, MAP, regardless of whether security is already secured or not. -Only operations such as applying IPsec between MNs can be performed.
However, by applying the configuration of the present embodiment in the communication between the nodes (MN300, CN400, HA500, MAP600) and executing the processing procedure, for example, in the communication mode <3> in Table 7, the communication environment is In the case of C, the MN 300 that is a communication subject (initiator side node) does not apply IPsec between CN and MN, applies IPsec between one HA and one MN, and does not apply IPsec between MAP and MN. By selecting IPsec and applying IPsec only to the necessary communication section, while ensuring the necessary and sufficient security level, the number of IPsec headers added to the communication data packet is minimized, so that data transfer is efficiently performed. And the minimum number of encryption / decryption processes in MN, CN, HA, and MAP Since suppress, it is possible to reduce the communication delay time.

  Although a preferred embodiment of the present invention has been described above, the present invention is not limited to this embodiment and can be widely applied without departing from the spirit of the invention. The node 100 according to the embodiment of the present invention can be realized by a computer and a program, and can be provided by recording the program on a computer-readable recording medium. . It is also possible to provide the program through a network.

It is a figure which shows the structure of the node in embodiment of this invention. It is a flowchart figure which shows the process sequence of the node of FIG. It is a flowchart figure which shows the process sequence of the receiving side node of FIG. It is the figure which showed the processing procedure of the communication data transmission of the node in embodiment of this invention. It is the figure which showed the processing procedure of the communication data transmission of the responder side node in this Embodiment. It is the figure which showed the process sequence before reception of the communication data of the node in this Embodiment. It is the figure which showed the process sequence after reception of the communication data of the node in this Embodiment. It is the figure which showed the various communication modes at the time of a mobile terminal (MN) communicating with the same communication partner (CN) by Mobile IPv6.

Explanation of symbols

2 Network 100 (100A, 100B) Node (network connection equipment)
DESCRIPTION OF SYMBOLS 101 Interface part 102 SAD (security association database) part 103 SPD (security policy database) part 104 Communication data processing part 105 Policy management part 106 SA (security association) processing part 107 Input part

Claims (7)

A network connection device that performs communication by dynamically changing application / non-application of IPsec of communication data with a network connection device of a communication partner via a network,
An interface unit for performing communication via a network;
For each attribute of the communication data, the communication data processing unit applies the IPsec of the communication data, does not apply the IPsec, deletes the communication data, or the user of the network connection device determines the IPsec of the communication data. A security policy database section for storing a security policy indicating whether application / non-application can be selected
A security association database unit for storing information relating to a security association which is a connection for performing IPsec communication between the network connection devices;
Referring to the header information of the communication data indicating the attribute of the communication data, the security policy of the communication data is searched from the security policy database unit, and the information about the security association of the communication data is searched from the security association database unit Then, based on these search results, whether to apply IPsec of the communication data, not apply IPsec, delete the communication data, or whether the user of the network connection device applies / non-applies IPsec of the communication data. A policy management unit that determines whether the application can be selected ,
A security association processing unit that performs security association with the network connection device of the communication partner by an automatic key exchange protocol, and stores or deletes information on the security association as a result of the negotiation in the security association database unit;
An input unit for inputting selection information on application / non-application of IPsec of the communication data from the user to the communication data processing unit;
And a communication data processing unit that accepts selection information on application / non-application of IPsec of the communication data from a user of the network connection device, generates, deletes, and acquires the communication data, and applies IPsec to the communication data ,
With
The information on the security association further includes negotiation start information regarding whether or not the network connection device of the self has performed a process of starting a negotiation of a security association with the network connection device of the communication partner by an automatic key exchange protocol,
The policy management unit is a first network connection device in which the network connection device searches for information related to a security association including negotiation start information of the security association database unit, and the network connection device of the self performs a security association start process. When the information to the effect is found, or when the information related to the security association of the network connection device is not found, the communication data processing unit applies the IPsec of the communication data from the user. Accept selection information,
The security association processing unit, the search for information about the security association database unit Security Association including the negotiation start information, when it network connection device of the self is the first network connection device has been confirmed In addition, the negotiation by the automatic key exchange protocol for withdrawing the security association from the second network connection device which is the network connection device of the communication partner of this security association, or a new one from the second network connection device A network connection device characterized by having a configuration that does not respond to negotiation by an automatic key exchange protocol for establishing a security association. A network connection device that performs communication by dynamically changing application / non-application of IPsec of communication data with a network connection device of a communication partner via a network,
For each attribute of communication data, whether to apply IPsec to the communication data, not to apply IPsec, to delete the communication data, or for the user of the network connection device to apply / non-apply IPsec of the communication data Storing a security policy indicating whether it can be selected;
Storing information related to security association including negotiation start information indicating whether or not the network connection device of its own has performed negotiation start processing of security association with the network connection device of the communication partner by an automatic key exchange protocol;
Searching a security policy of the communication data to determine a security policy of the communication data;
Security policy and said determining when said the communication data transmitted and received between the network connection apparatus is capable of selecting / city to apply IPsec, and retrieve information about the security association of the communication data, said self If the information indicating that the network connection device of the first network connection device is the first network connection device that has started the security association is found , or if information about the security association of the network connection device of its own cannot be found,
Negotiation by the automatic key exchange protocol for withdrawing the security association from the second network connection device which is the network connection device of the communication partner of this security association, or a new security association from the second network connection device Accepting selection information on whether or not to apply IPsec to the communication data from a user of the network connection device without responding to a negotiation by an automatic key exchange protocol for establishing
And accepting selection information on whether or not to apply IPsec to the communication data, and when applying IPsec to the communication data is selected, sending and receiving communication data by applying IPsec.
The communication method characterized by performing. In the step of accepting selection information on whether or not to apply IPsec to the communication data, when it is selected to apply IPsec to the communication data, the step of transmitting and receiving the communication data by applying IPsec,
When searching for information related to the security association of the communication data and information related to the security association of the communication data is not found,
For the communication data, establishing a security association with the network connection device of the communication counterpart by an automatic key exchange protocol, and storing information relating to the security association;
The communication method according to claim 2 , further comprising: In the step of accepting selection information on whether or not to apply IPsec to the communication data from a user of the own network connection device, when it is selected not to apply IPsec to the communication data, Transmitting and receiving communication data without applying IPsec;
The communication method according to claim 2 or 3 , further comprising: The step of transmitting and receiving the communication data without applying IPsec,
When information related to the security association of the communication data is searched and information related to the security association of the communication data is found,
With respect to the communication data, an automatic key exchange protocol is used to notify the network connection device of the communication partner that the security association established with the network connection device of the communication partner is withdrawn, and information related to the established security association is deleted. Step,
The communication method according to claim 4 , further comprising: A program that causes the network-connected device to execute each step according to any one of claims 2 to 5 . A storage medium storing the program according to claim 6 .

Images