JP7000090B2 - Packet aggregation device, packet division device, packet communication system, program, packet generation device, packet generation method and communication method - Google Patents

Description

An embodiment of the present invention relates to a packet aggregation device, a packet division device, a packet communication system, a program, a packet generation device, a packet generation method, and a communication method.

In a client-server model system, a large number of axes may occur from the client to the server. In such a case, the load on the network or the server increases. In particular, when processing a large number of small-sized packets, the processing load on the network interface of the server increases.

Japanese Unexamined Patent Application Publication No. 2003-169902

The problem to be solved by the embodiment of the present invention is a packet aggregation device, a packet division device, a packet communication system, a program, a packet generation device, a packet generation method, and a communication method, which reduce the processing load and suppress the deterioration of real-time performance. Is to provide.

The packet processing device of the embodiment includes a receiving unit, a processing unit, and a transmitting unit. The receiving unit receives individual packets. The processing unit generates an aggregated packet that aggregates a plurality of individual packets received by the receiving unit, and encrypts a range of the generated aggregated packets that is determined not to be encrypted. The transmitting unit transmits the aggregated packet encrypted by the processing unit.

The block diagram which shows the main part circuit composition of the communication system which concerns on 1st Embodiment and 2nd Embodiment and the apparatus included in the said communication system. FIG. 3 is a block diagram showing a functional configuration according to the first embodiment of the packet aggregation device in FIG. 1. The flowchart which shows an example of the process which concerns on 1st Embodiment to 3rd Embodiment by the processor provided in the packet aggregation apparatus in FIG. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor provided in the packet aggregation apparatus in FIG. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor provided in the packet aggregation apparatus in FIG. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor provided in the server apparatus in FIG. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor provided in the server apparatus in FIG. The flowchart which shows an example of the process which concerns on 1st Embodiment to 3rd Embodiment by the processor provided in the server apparatus in FIG. The figure for demonstrating an example of the aggregated packet which concerns on 1st Embodiment. The figure for demonstrating an example of the aggregated packet which concerns on 2nd Embodiment. FIG. 3 is a block diagram showing a functional configuration according to a third embodiment of the packet aggregation device in FIG. 1. The flowchart which shows an example of the process which concerns on 3rd Embodiment by the processor provided in the packet aggregation apparatus in FIG. The flowchart which shows an example of the process which concerns on 3rd Embodiment by the processor provided in the packet aggregation apparatus in FIG. The figure for demonstrating an example of the aggregated packet which concerns on 3rd Embodiment. The sequence diagram which shows an example of the information flow of the communication system which concerns on 3rd Embodiment.

Hereinafter, the communication system according to some embodiments will be described with reference to the drawings.
[First Embodiment]
FIG. 1 is a block diagram showing an example of a main circuit configuration of components included in the communication system 1 and the communication system 1 according to the first embodiment. Communication system 1 includes a packet processing device 10, a server device 20, and a client device 30. The communication system 1 is, for example, a server-client model system that communicates between the server device 20 and the client device 30. Note that FIG. 1 shows one packet processing device 10, one server device 20, and three client devices 30, but the number is not limited to these.

The packet processing device 10 and the client device 30 are connected to the network NW1. The network NW1 is typically a communication network including a LAN (local area network). The network NW1 is typically a communication network including a private network such as an intranet. The network NW1 may be a communication network including the Internet. The network NW1 may be a communication network including a WAN (wide area network).
The packet processing device 10 and the server device 20 are connected to the network NW2. The network NW2 is typically a communication network that includes the Internet. The network NW is 1, typically a communication network including a WAN. The network NW2 may be a communication network including a private network such as an intranet. The network NW2 may be a communication network including a LAN.
Each of the network NW1 and the network NW2 may be a communication network including a mobile phone line network, a dedicated line, or another communication network.
Communication on network NW1 and network NW2 is performed by packet communication.

The packet processing device 10 is, for example, a gateway or a router. The packet processing device 10 relays communication between the server device 20 and the client device 30. The packet processing device 10 has a function of aggregating a plurality of packets transmitted from a client device 30 or the like into one packet. A packet in which a plurality of packets are aggregated is hereinafter referred to as an "aggregated packet". Further, a packet that is not an aggregate packet is hereinafter referred to as an "individual packet". Further, the packet processing device 10 has a function of dividing the aggregated packet transmitted from the server device 20 or the like into individual individual packets. Further, the packet processing device 10 has a function of encrypting the aggregated packet and a function of decrypting the encrypted aggregated packet. The packet processing device 10 includes a processor 11, a ROM (read-only memory) 12, a RAM (random-access memory) 13, an auxiliary storage device 14, a first communication I / F (interface) 15, and a second communication I /. Includes F16. The packet processing device 10 is an example of a packet aggregation device. The packet processing device 10 is an example of a packet dividing device. The packet processing device 10 is an example of a packet generation device.

The processor 11 corresponds to a central part of a computer that performs processing such as calculation and control necessary for the operation of the packet processing device 10. The processor 11 controls each unit to realize various functions of the packet processing device 10 based on a program such as system software, application software, or firmware stored in the ROM 12 or the auxiliary storage device 14. The processor 11 is, for example, a CPU (central processing unit), an MPU (micro processing unit), a SOC (system on a chip), a DSP (digital signal processor), a GPU (graphics processing unit), an ASIC (application specific integrated circuit), and the like. PLD (programmable logic device) or FPGA (field-programmable gate array). Alternatively, the processor 11 is a combination of these. The processor 11 is an example of a processing unit. The processor 11 is an example of a first processing unit. The processor 11 is an example of a second processing unit. The processor 11 is an example of a generation unit. The computer centered on the processor 11 is a value example of the processing unit. A computer centered on the processor 11 is an example of a first processing unit. A computer centered on the processor 11 is an example of a second processing unit. A computer centered on the processor 11 is an example of a generator.

The ROM 12 corresponds to the main storage device of a computer centered on the processor 11. The ROM 12 is a non-volatile memory used exclusively for reading data. The ROM 12 stores the above program. Further, the ROM 12 stores data or various set values used by the processor 11 for performing various processes.

The RAM 13 corresponds to the main storage device of a computer centered on the processor 11. The RAM 13 is a memory used for reading and writing data. The RAM 13 is used as a so-called work area or the like for storing data temporarily used by the processor 11 for performing various processes.

The auxiliary storage device 14 corresponds to an auxiliary storage device of a computer centered on the processor 11. The auxiliary storage device 14 is, for example, an EEPROM (electric erasable programmable read-only memory), an HDD (hard disk drive), an SSD (solid state drive), or the like. The auxiliary storage device 14 may store the above program. Further, the auxiliary storage device 14 stores data used by the processor 11 for performing various processes, data generated by the processes of the processor 11, various setting values, and the like.

The program stored in the ROM 12 or the auxiliary storage device 14 includes a program for executing a process described later. As an example, the packet processing device 10 is transferred to the administrator of the packet processing device 10 or the like in a state where the program is stored in the ROM 12 or the auxiliary storage device 14. However, the packet processing device 10 may be transferred to the administrator or the like in a state where the program is not stored in the ROM 12 or the auxiliary storage device 14. Further, the packet processing device 10 may be transferred to the administrator or the like in a state where a program different from the program is stored in the ROM 12 or the auxiliary storage device 14. Then, the program for executing the process described later may be separately transferred to the administrator or the like and written to the ROM 12 or the auxiliary storage device 14 under the operation of the administrator or the serviceman. The transfer of the program at this time can be realized by recording on a removable storage medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or by downloading via a network.

The first communication I / F 15 is an interface for the packet processing device 10 to communicate via the network NW1 or the like. The first communication I / F 15 is an example of a receiving unit that receives individual packets. The first communication I / F 15 is an example of a fourth communication unit that receives individual packets.

The second communication I / F 16 is an interface for the packet processing device 10 to communicate via the network NW2 or the like. The second communication I / F 16 is an example of a transmission unit that transmits an aggregated packet. The second communication I / F 16 is an example of a first communication unit that transmits an aggregated packet to a packet dividing device. The second communication I / F 16 is an example of a second communication unit that receives the aggregated packet.

The server device 20 communicates with a plurality of client devices 30. The server device 20 performs various processes in response to a request transmitted from the client device 30, for example. The server device 20 includes a processor 21, a ROM 22, a RAM 23, an auxiliary storage device 24, and a communication I / F 25. The server device 20 is an example of a packet aggregation device. The server device 20 is an example of a packet splitting device. The server device 20 is an example of a packet generation device.

The processor 21 corresponds to a central part of a computer that performs processing such as calculation and control necessary for the operation of the server device 20. The processor 21 controls each unit to realize various functions of the server device 20 based on a program such as system software, application software, or firmware stored in the ROM 22 or the auxiliary storage device 24. The processor 21 is, for example, a CPU, MPU, SoC, DSP, GPU, ASIC, PLD, FPGA, or the like. Alternatively, the processor 21 is a combination of these. The processor 21 is an example of a processing unit. The processor 21 is an example of a first processing unit. The processor 21 is an example of a second processing unit. The processor 21 is an example of a generation unit. The computer centered on the processor 21 is a value example of the processing unit. A computer centered on the processor 21 is an example of a first processing unit. A computer centered on the processor 21 is an example of a second processing unit. A computer centered on the processor 21 is an example of a generator.

The ROM 22 corresponds to the main storage device of a computer centered on the processor 21. The ROM 22 is a non-volatile memory used exclusively for reading data. The ROM 22 stores the above program. Further, the ROM 22 stores data or various set values used by the processor 21 for performing various processes.

The RAM 23 corresponds to the main storage device of a computer centered on the processor 21. The RAM 23 is a memory used for reading and writing data. The RAM 23 is used as a so-called work area for storing data temporarily used by the processor 21 for performing various processes.

The auxiliary storage device 24 corresponds to an auxiliary storage device of a computer centered on the processor 21. The auxiliary storage device 24 is, for example, an EEPROM, an HDD, an SSD, or the like. The auxiliary storage device 24 may store the above program. Further, the auxiliary storage device 24 stores data used by the processor 21 for performing various processes, data generated by the processes of the processor 21, various setting values, and the like.

The RAM 23 or auxiliary storage device 24 includes a processing buffer and a server aggregation buffer. The processing buffer stores unprocessed packets. The server aggregation buffer stores unaggregated and untransmitted packets.

The program stored in the ROM 22 or the auxiliary storage device 24 includes a program for executing a process described later. As an example, the server device 20 is transferred to the administrator of the server device 20 or the like in a state where the program is stored in the ROM 22 or the auxiliary storage device 24. However, the server device 20 may be transferred to the administrator or the like in a state where the program is not stored in the ROM 22 or the auxiliary storage device 24. Further, the server device 20 may be transferred to the administrator or the like in a state where a program different from the program is stored in the ROM 22 or the auxiliary storage device 24. Then, the program for executing the process described later may be separately transferred to the administrator or the like and written to the ROM 22 or the auxiliary storage device 24 under the operation of the administrator or the serviceman. The transfer of the program at this time can be realized by recording on a removable storage medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or by downloading via a network.

The communication I / F 25 is an interface for the server device 20 to communicate via the network NW2 or the like. The communication I / F 25 is an example of a first communication unit that transmits an aggregated packet to a packet dividing device. The communication I / F 25 is an example of a second communication unit that receives the aggregated packet.

The client device 30 is, for example, an automatic ticket vending machine, a station affairs device such as an automatic checkout machine or an automatic ticket gate, an information device such as a PC (personal computer), a server or a smart phone, or various IoT (internet of things) devices. be. The client device 30 includes a processor 31, a ROM 32, a RAM 33, an auxiliary storage device 34, and a communication I / F 35.

The processor 31 corresponds to a central part of a computer that performs processing such as calculation and control necessary for the operation of the client device 30. The processor 31 controls each unit to realize various functions of the client device 30 based on a program such as system software, application software, or firmware stored in the ROM 32 or the auxiliary storage device 34 or the like. The processor 31 is, for example, a CPU, MPU, SoC, DSP, GPU, ASIC, PLD, FPGA, or the like. Alternatively, the processor 31 is a combination of these.

The ROM 32 corresponds to the main storage device of a computer centered on the processor 31. The ROM 32 is a non-volatile memory used exclusively for reading data. The ROM 32 stores the above program. Further, the ROM 32 stores data or various set values used by the processor 31 to perform various processes.

The RAM 33 corresponds to the main storage device of a computer centered on the processor 31. The RAM 33 is a memory used for reading and writing data. The RAM 33 is used as a so-called work area or the like for storing data temporarily used by the processor 31 for performing various processes.

The auxiliary storage device 34 corresponds to an auxiliary storage device of a computer centered on the processor 31. The auxiliary storage device 34 is, for example, an EEPROM, an HDD, an SSD, or the like. The auxiliary storage device 34 may store the above program. Further, the auxiliary storage device 34 stores data used by the processor 31 for performing various processes, data generated by the processes of the processor 31, various set values, and the like.

The communication I / F 35 is an interface for the client device 30 to communicate via the network NW1 or the like. The communication I / F 35 is an example of a third communication unit that transmits individual packets to the packet aggregation device.

The packet processing device 10 will be further described with reference to FIG. FIG. 2 is a block diagram showing a functional configuration of the packet processing device 10. The same elements as those in FIG. 1 in FIG. 2 are designated by the same reference numerals. The packet processing device 10 includes a first receiving unit 101, an aggregation buffer 102, a cycle management unit 103, a coupling unit 104, a range selection unit 105, an encryption unit 106, a first transmitting unit 107, a second receiving unit 108, and a decoding unit 109. , The division unit 110 and the second transmission unit 111 are included.

The first receiving unit 101 receives individual packets transmitted from the client device 30 and the like. For example, the first communication I / F 15 functions as the first receiving unit 101.

The aggregation buffer 102 stores the individual packets received by the first receiving unit 101. For example, the RAM 13 or the auxiliary storage device 14 functions as the aggregation buffer 102.

The cycle management unit 103 takes out individual packets from the aggregation buffer 102 at regular intervals. For example, the processor 11 functions as a cycle management unit 103.

The coupling unit 104 combines and aggregates a plurality of individual packets taken out by the cycle management unit 103. The coupling unit 104 generates an aggregate packet. For example, the processor 11 functions as a coupling portion 104.

The range selection unit 105 determines and selects the range to be encrypted in the aggregated packet. For example, the processor 11 functions as a range selection unit 105.

The encryption unit 106 encrypts the aggregated packet. Further, the encryption unit 106 generates the MAC (message authentication code) value of the aggregated packet together with the encryption of the aggregated packet. The MAC value is used to verify the integrity of the aggregated packet data, such as detecting tampering with the aggregated packet. For example, the processor 11 functions as an encryption unit 106. The MAC value is an example of a code for guaranteeing data integrity.

The first transmission unit 107 transmits the aggregated packets generated by the cycle management unit 103, the range selection unit 105, the coupling unit 104, and the encryption unit 106 to the server device 20 and the like. For example, the second communication I / F 16 functions as the first transmission unit 107.

The second receiving unit 108 receives the aggregated packet from the server device 20 or the like. For example, the second communication I / F 16 functions as the second receiving unit 108.

The decryption unit 109 decodes the encrypted portion of the aggregated packet received by the second reception unit. Further, the decoding unit 109 verifies the integrity of the data using the MAC value included in the aggregated packet. Further, the decoding unit 109 discards the aggregated packet when the integrity of the data cannot be guaranteed due to falsification of the aggregated packet or the like. For example, the processor 11 functions as a decoding unit 109.

The dividing unit 110 divides the aggregated packet received by the second receiving unit into individual individual packets. For example, the processor 11 functions as a dividing unit 110.

The second transmission unit 111 transmits each of the individual individual packets divided by the division unit 110 to the client device 30 or the like, which is the destination of each individual packet. For example, the first communication I / F 15 functions as the second transmission unit 111.

Hereinafter, the operation of the communication system 1 according to the first embodiment will be described with reference to FIGS. 3 to 8. The content of the process in the following operation description is an example, and various processes that can obtain the same result can be appropriately used. 3 to 5 are flowcharts of processing by the processor 11 of the packet processing device 10. The processor 11 executes this process based on a program stored in the ROM 12 or the auxiliary storage device 14. The processor 11 processes the processes shown in FIGS. 3 to 5 in parallel or in parallel. 6 to 8 are flowcharts of processing by the processor 21 of the server device 20. The processor 21 executes this process based on a program stored in the ROM 22 or the auxiliary storage device 24 or the like. The processor 21 processes the processes shown in FIGS. 6 to 8 in parallel or in parallel. Further, unless otherwise specified, the processor 11 and the processor 21 are assumed to proceed to step S (m + 1) after the processing of step S (m) (m is a natural number).

Each of the plurality of client devices 30 transmits data destined for the server device 20. The data is transmitted as an individual packet. The individual packet is received by the packet processing device 10 via the network NW1.
In step S1 of FIG. 3, the processor 11 waits for the individual packet transmitted from the client device 30 to be received by the first communication I / F 15 (first receiving unit 101). If the individual packet is received, the processor 11 determines Yes in step S1 and proceeds to step S2.

In step S2, the processor 11 stores the individual packets received in step S1 in the aggregation buffer 102. The processor 11 returns to step S1 after step S2.
As described above, the individual packets received by the first communication I / F 15 are accumulated and stored in the aggregation buffer 102 one after another.

On the other hand, in step S11 of FIG. 4, the processor 11 (cycle management unit 103) of the packet processing device 10 resets the first timer. The first timer is a timer for measuring the elapsed time since the packet processing device 10 transmitted the aggregated packet last time. The aggregated packet will be described later.

In step S12, the processor 11 (cycle management unit 103) determines whether or not the time T1 or more has elapsed since the first timer was reset. The time T1 is set in advance by, for example, the administrator of the packet processing device 10. Alternatively, the time T1 may be predetermined by the designer of the packet processing device 10 or the like. If the time T1 has not elapsed since the first timer was reset, the processor 11 determines No in step S12 and proceeds to step S13.

In step S13, the processor 11 determines whether or not the total data capacity of the untransmitted individual packets stored in the aggregation buffer 102 is equal to or greater than the capacity D1. The capacity D1 is set in advance by, for example, the administrator of the packet processing device 10. Alternatively, the capacity D1 may be predetermined by the designer of the packet processing device 10 or the like. The capacity D1 is, for example, an MTU (maximum transmission unit) of aggregated packets generated by the packet processing device 10. If the total data capacity of the untransmitted individual packets stored in the aggregation buffer 102 is not equal to or larger than the capacity D1, the processor 11 determines No in step S13 and returns to step S12. Thus, the processor 11 steps S12 and steps until the time T1 has elapsed since the first timer was reset or the total data capacity of the untransmitted individual packets stored in the aggregation buffer 102 becomes the capacity D1 or more. Repeat S13. That is, the processing of step S12 repeats the processing of steps S14 to S22 at regular intervals.

If the time T1 has elapsed since the first timer was reset while the processor 11 is in the standby state of step S12 and step S13, the processor 11 determines Yes in step S12 and proceeds to step S14.

In step S14, the processor 11 (cycle management unit 103) determines whether or not an untransmitted individual packet is stored in the aggregation buffer 102. If the aggregate buffer 102 does not store an untransmitted individual packet, the processor 11 determines No in step S14 and returns to step S11. That is, if the untransmitted individual packet is not stored in the aggregation buffer 102 even after the time T1 has elapsed since the last aggregation packet was transmitted, the processor 11 resets the first timer. On the other hand, if the untransmitted individual packet is stored in the aggregation buffer 102, the processor 11 determines Yes in step S14 and proceeds to step S15.
Further, if the total data capacity of the untransmitted individual packets stored in the aggregation buffer 102 in the standby state of step S12 and step S13 is equal to or larger than the capacity D1, the processor 11 indicates Yes in step S13. The determination is made and the process proceeds to step S15.

In step S15, the processor 11 (cycle management unit 103) takes out one untransmitted individual packet stored in the aggregation buffer 102. Here, when the individual packet is taken out, the processor 11 makes it known that the individual packet stored in the aggregation buffer 102 has been transmitted. Alternatively, the processor 11 deletes the individual packet from the aggregate buffer. The individual packet is, for example, the first individual packet stored in the untransmitted individual packet stored in the aggregation buffer 102. Then, in step S15, the processor 11 (coupling unit 104) generates an aggregated packet including the fetched packet. An example of the aggregated packet generated here will be described with reference to FIG. FIG. 9 is a diagram for explaining an example of the aggregated packet according to the first embodiment. Note that FIG. 9 shows an aggregated packet in which n individual packets are aggregated, but the aggregated packet generated in step S15 contains only one individual packet. That is, n = 1. Although the aggregated packet of n = 1 does not include a plurality of individual packets, it is referred to as an aggregated packet for convenience. Note that n is a natural number of 1 or more.

As shown in FIG. 9, the processor 11 generates an aggregated packet (b1) by aggregating a plurality of individual packets (a1) and adding a header to the plurality of individual packets (a1). Each of the individual packets (a1) is, for example, a payload. The aggregated packet in which n individual packets are aggregated includes an aggregate header, n individual headers, and n individual packets. The n individual headers and n individual packets follow the aggregate header.
The aggregate header contains information about the entire aggregate packet, such as the number of individual packets contained in the aggregate packet.
Each of the n individual headers is associated one-to-one with each of the n individual packets. That is, for example, the individual header k and the individual packet k are associated with each other. However, k is a natural number of n or less. Each individual header contains information about the associated individual packet, such as the size of the associated individual packet, so that the aggregated packet can be split into individual individual packets. Further, the aggregated packets (b1) are arranged in the order of individual header k, individual packet k, individual header k + 1, individual packet k + 1, .... Pairs of associated individual headers and individual packets are lined up next to each other.
Since n = 1 in step S15, the aggregated packet generated in step S15 includes the aggregated header, the individual header 1, and the individual packet 1.

In step S16, the processor 11 (coupling unit 104) determines whether or not an untransmitted individual packet is stored in the aggregation buffer 102. If the aggregate buffer 102 stores untransmitted individual packets, the processor 11 determines Yes in step S16 and proceeds to step S17.

In step S17, the processor 11 (coupling unit 104) determines whether or not the data capacity of the aggregated packet when the next individual packet is combined with the aggregated packet is equal to or less than the maximum data capacity of the aggregated packet generated by the packet processing device 10. Is determined. The next individual packet is an individual packet to be aggregated next. For example, the next individual packet is the first untransmitted individual packet stored in the aggregation buffer 102. Further, the maximum data capacity of the aggregated packet generated by the packet processing device 10 is predetermined by, for example, the administrator or the designer of the packet processing device 10. Alternatively, the packet processing device 10 automatically determines the maximum data capacity of the aggregated packet generated by the packet processing device 10. The maximum data capacity of the aggregated packet generated by the packet processing device 10 may be an MTU such as the packet processing device 10. If the data capacity of the aggregated packet when the next individual packet is combined is equal to or less than the maximum data capacity of the aggregated packet, the processor 11 determines Yes in step S17 and proceeds to step S18.

In step S18, the processor 11 (coupling unit 104) extracts the next packet from the aggregation buffer 102 and combines the next packet into the aggregation packet. This increases the number of individual packets contained in the aggregated packet by one. Here, when the individual packet is taken out, the processor 11 makes it known that the individual packet stored in the aggregation buffer 102 has been transmitted. Alternatively, the processor 11 deletes the individual packet from the aggregate buffer.

If the aggregate buffer 102 does not store an untransmitted individual packet, the processor 11 determines No in step S16 and proceeds to step S19. If the data capacity of the aggregated packet when the next individual packet is combined exceeds the MTU of the packet processing device 10, the processor 11 determines No in step S17 and proceeds to step S19.
Thus, the processor 11 is in a state where the untransmitted individual packet is not stored in the aggregation buffer 102, or until the data capacity of the aggregation packet when the next individual packet is combined exceeds the MTU of the packet processing device 10. Steps S16 to S18 are repeated. As a result, an aggregated packet is generated in which (the number of times the process of step S18 is performed + 1) individual packets are aggregated.

In step S19, the processor 11 (range selection unit 105) determines the range to be encrypted for the aggregated packet generated by the processes of steps S15 to S18. The scope to be encrypted is the unencrypted part of the aggregated packet. The process of step S19 is performed by the range selection unit 105.
Here, the individual packet may be encrypted or may be in plain text. Therefore, if the individual packet that has been encrypted is further encrypted, it will be doubly encrypted. In the case of double encryption, the time required for encryption and the time required for decryption become longer than in the case of not performing double encryption, and the processing load also increases. Therefore, it is preferable that the processor 11 encrypts only plain text packets. Further, the aggregate header and the individual header are added in step S15 or step S18, and are not encrypted. Therefore, it is preferable to encrypt the aggregate header and the individual header. The processor 11 can know whether or not each individual packet has been encrypted, for example, from the information transmitted from the client device 30 that is the source of the individual packet. When there is an individual packet for which it is unknown whether or not it has been encrypted, the processor 11 considers the packet to be encrypted and does not encrypt the packet. Alternatively, if there is an individual packet for which it is unknown whether or not it has been encrypted, the processor 11 considers the packet to be unencrypted and encrypts the packet. Alternatively, the processor 11 may determine the range including the aggregate header and the individual header and not including the individual packet as the encryption range without determining whether or not the individual packet has been encrypted. This is useful, for example, in communication system 1 in which all individual packets are encrypted by the client device 30 or the like. Further, when the ratio of the encrypted packet among the individual packets included in the aggregated packet is less than or equal to a predetermined ratio, the processor 11 encrypts the entire aggregated packet including the encrypted individual packet. It may be converted. If the percentage of individual encrypted packets in the aggregated packet is small, encrypting the entire aggregated packet may be less expensive than encrypting only the unencrypted part of the aggregated packet. There is.
From the above, the processor 11 determines the aggregated header, the individual header, and the plaintext individual packet as the encryption range for the aggregated packet before encryption. Note that FIG. 9 illustrates a case where the encrypted individual packet 1 and the plain text individual packet 2 are included. Therefore, the range for encrypting the aggregated packet (b1) shown in FIG. 9 includes the aggregated header, the individual header, and the individual packet 2.

In step S20, the processor 11 (encryption unit 106) encrypts the range determined in step S19. Since the processor 11 does not need to be encrypted except for the range to be encrypted, it is copied as shown in FIG. Further, the processor 11 calculates the MAC value together with the encryption. The calculation range of the MAC value may be, for example, the range of encryption or the entire aggregated packet. Further, when the MAC value is given to a part or all of the individual packets before aggregation, the processor 11 sets the individual packets, the aggregation header and the individual packets to which the MAC value is not given, as in the case of encryption. The MAC value may be calculated for the header.
The processor 11 uses, for example, AES (Advanced Encryption Standard) or other encryption for encryption. Further, the processor 11 uses, for example, HMAC (hash-based message authentication code), GMAC (Galois Message Authentication Code), or another MAC value calculation method for calculating the MAC value. Further, when the encryption range and the calculation range of the MAC value are the same, the processor 11 may use CCM (Counter with CBC-MAC), GCM (Galois / Counter Mode) or other authenticated encryption modes. can. By using the encrypted mode with authentication, it is expected that the security will be improved and the efficiency of encryption and calculation of the MAC value will be improved.
The common key used for encryption or the common key used for calculating the MAC value may be shared by exchanging keys when establishing a communication session, or the common key may be stored in the storage device of each node in advance. You may save it and use the key. When exchanging keys, use Diffie-Hellmann key exchange or other key exchange methods.
The processor 11 may use the same encryption key for all the parts to be encrypted by the packet processing device 10 in one aggregate packet.
By performing the processes of steps S19 and S20, the range of the aggregated packets determined to be unencrypted is encrypted.

From the above, when the individual packets to be aggregated include encrypted individual packets, the encryption key used for the encryption and the encryption key used for the encrypted part in the packet processing device 10 are different. Become.

In step S21, the processor 11 (encryption unit 106) generates encryption information. Then, the processor 11 adds the generated encryption information to the aggregated packet.
The encrypted information includes IV (initialization vector), TAG and SIZE. IV is the initialization vector used for the encryption in step S19. TAG is the MAC value obtained in step S19. SIZE indicates the data size of the data range R following the encrypted information. However, when exchanging the IV by another method such as authentication, the processor 11 does not necessarily have to include the IV in the encrypted information every time.
By the processing of steps S19 to S21, as shown in FIG. 9, the aggregated packet (c1) after encryption is generated based on the aggregated packet (b1) before encryption.

In step S22, the processor 11 informs the second communication I / F 16 (first transmission unit 107) so as to transmit the encrypted aggregate packet generated by the processes of steps S15 to S21 to the server device 20. To instruct. In response to this instruction, the second communication I / F 16 transmits the aggregated packet to the server device 20. The transmitted aggregated packet is received by the communication I / F 25 of the server device 20. The processor 11 returns to step S11 after the processing of step S22.

On the other hand, in step S101 of FIG. 6, the processor 21 of the server device 20 waits for the aggregated packet to be received by the communication I / F 25. If the aggregated packet is received, the processor 21 determines Yes in step S101 and proceeds to step S102.

In step S102, the processor 21 decodes the aggregated packet received in step S101.
In step S103, the processor 21 verifies the MAC value of the aggregated packet received in step S101. That is, the processor 21 calculates the MAC value of the aggregated packet and verifies whether or not it matches the MAC value included in the aggregated packet.
When the aggregated packet is encrypted in the authenticated encryption mode, the processor 21 performs step S102 and step S103 at the same time.

In step S104, the processor 21 determines whether or not the data integrity of the aggregated packet is guaranteed. If the MAC values match in the verification of the MAC value in step S103, the processor 21 determines No in step S104 and proceeds to step S105.

In step S105, the processor 21 divides the aggregated packet into individual individual packets based on the information included in each header of the aggregated packet.

In step S106, the processor 21 registers each of the individual packets divided in step S105 in the processing buffer. The processor 21 returns to step S101 after the processing of step S106.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S103, the processor 21 determines Yes in step S104 and proceeds to step S107. For example, when the data is rewritten, such as when the aggregated packet has been tampered with, the MAC values do not match.
In step S107, the processor 21 discards the aggregated packet received in step S101.

In step S108, the processor 21 requests the packet processing device 10 to retransmit the entire aggregated packet. The processor 21 returns to step S101 after the processing of step S108.

Further, in step S111 of FIG. 7, the processor 21 determines whether or not an unprocessed packet is stored in the processing buffer. If the unprocessed packet is stored in the processing buffer, the processor 21 determines Yes in step S111 and proceeds to step S112. On the other hand, if the unprocessed packet is not stored in the processing buffer, the processor 21 determines No in step S111 and repeats step S111.

In step S112, the processor 21 takes out one unprocessed packet from the processing buffer and performs processing based on the unprocessed packet. When the processor 21 retrieves an unprocessed packet, the processor 21 makes it known that the unprocessed packet stored in the processing buffer has been processed. Alternatively, the processor 21 deletes the unprocessed packet from the processing buffer. The unprocessed packet is, for example, the first unprocessed packet stored in the unprocessed packet stored in the processing buffer. The process here is the same as the process in which the conventional server device receives the individual packet in the unaggregated state transmitted from the client device 30 and performs the process based on the individual packet.

In step S113, the processor 21 generates a response to be returned to the client device 30 which is the source of the individual packet taken out in step S112, if necessary, based on the processing content of step S112.

When the processor 21 generates a response in step S113, the processor 21 registers the response as a packet in the server aggregation buffer. The processor 21 returns to step S111 after the processing of step S114.

Further, in step S121 of FIG. 8, the processor 21 resets the second timer. The second timer is a timer for measuring the elapsed time since the server device 20 transmitted the aggregated packet last time.

In step S122, the processor 21 determines whether or not the time T2 or more has elapsed since the second timer was reset. The time T2 is set in advance by, for example, the administrator of the server device 20. Alternatively, the time T2 may be predetermined by the designer of the server device 20 or the like. If the time T2 has not elapsed since the second timer was reset, the processor 21 determines No in step S122 and proceeds to step S123.

In step S123, the processor 21 determines whether or not the total data capacity of the untransmitted individual packets stored in the server aggregation buffer is equal to or greater than the capacity D2. The capacity D2 is set in advance by, for example, the administrator of the server device 20. Alternatively, the capacity D2 may be predetermined by the designer of the server device 20 or the like. The capacity D2 is, for example, the MTU of the aggregated packet generated by the server device 20. If the total data capacity of the untransmitted individual packets stored in the server aggregation buffer is not equal to or greater than the capacity D2, the processor 21 determines No in step S123 and returns to step S122. Thus, the processor 21 steps S122 and step until the time T2 has elapsed since the second timer was reset or the total data capacity of the untransmitted individual packets stored in the server aggregation buffer becomes the capacity D2 or more. Repeat S123.

If the time T2 has elapsed since the second timer was reset while the processor 21 is in the standby state of step S122 and step S123, the processor 21 determines Yes in step S122 and proceeds to step S124.

In step S124, the processor 21 determines whether or not an untransmitted individual packet is stored in the server aggregation buffer. If the untransmitted individual packet is not stored in the server aggregation buffer, the processor 21 determines No in step S124 and returns to step S121. That is, if the untransmitted individual packet is not stored in the server aggregation buffer even after the time T2 has elapsed since the last aggregation packet was transmitted, the processor 21 resets the second timer. On the other hand, if the untransmitted individual packet is stored in the server aggregation buffer, the processor 21 determines Yes in step S124 and proceeds to step S125.
Further, if the total data capacity of the untransmitted individual packets stored in the server aggregation buffer in the standby state of step S122 and step S123 is equal to or larger than the capacity D2, the processor 21 sets Yes in step S123. The determination is made and the process proceeds to step S125.

In step S125, the processor 21 retrieves one untransmitted individual packet stored in the server aggregation buffer. Here, when the processor 21 retrieves the individual packet, the processor 21 makes it known that the individual packet stored in the server aggregation buffer has been transmitted. Alternatively, the processor 21 deletes the individual packet from the server aggregation buffer. The individual packet is, for example, the first untransmitted individual packet stored in the server aggregation buffer. The aggregated packet generated here is the same as that generated by the packet processing device 10 in step S15 of FIG.

In step S126 of FIG. 8, the processor 21 determines whether or not an untransmitted individual packet is stored in the server aggregation buffer. If the untransmitted individual packet is stored in the server aggregation buffer, the processor 21 determines Yes in step S126 and proceeds to step S127.

In step S127, the processor 21 determines whether or not the data capacity of the aggregated packet when the next individual packet is combined with the aggregated packet is equal to or less than the maximum data capacity of the aggregated packet generated by the server device 20. The next individual packet is an individual packet to be aggregated next. For example, the next individual packet is the first untransmitted individual packet stored in the server aggregation buffer. Further, the maximum data capacity of the aggregated packet generated by the server device 20 is predetermined by, for example, the administrator or the designer of the server device 20. Alternatively, the server device 20 automatically determines the maximum data capacity of the aggregated packet generated by the server device 20. The maximum data capacity of the aggregated packet generated by the server device 20 may be the MTU of the server device 20. If the data capacity of the aggregated packet when the next individual packet is combined is equal to or less than the maximum data capacity of the aggregated packet generated by the server device 20, the processor 21 determines Yes in step S127 and proceeds to step S128. move on.

In step S128, the processor 21 extracts the next packet from the server aggregation buffer and combines the next packet into the aggregation packet. This increases the number of individual packets contained in the aggregated packet by one. Here, when the processor 21 retrieves the individual packet, the processor 21 makes it known that the individual packet stored in the server aggregation buffer has been transmitted. Alternatively, the processor 21 deletes the individual packet from the aggregate buffer.

If the untransmitted individual packet is not stored in the server aggregation buffer, the processor 21 determines No in step S126 and proceeds to step S129. If the data capacity of the aggregated packet when the next individual packet is combined exceeds the MTU of the server device 20, the processor 21 determines No in step S127 and proceeds to step S129.
Thus, the processor 21 steps until the untransmitted individual packet is not stored in the server aggregation buffer or the data capacity of the aggregate packet when the next individual packet is combined exceeds the MTU of the server device 20. Repeat steps S126 to S128. As a result, an aggregated packet is generated in which (the number of times the process of step S128 is performed + 1) individual packets are aggregated.

In step S129, the processor 21 determines the range to be encrypted with respect to the aggregated packet created by the processes of steps S125 to S128. The processor 21 determines the encryption range in the same manner as that performed by the processor 11 of the packet processing device 10 in step S19 of FIG.

In step S130 of FIG. 8, the processor 21 encrypts the range determined in step S129. The processor 21 performs encryption in the same manner as that performed by the processor 11 of the packet processing device 10 in step S20 of FIG.
By performing the processes of steps S129 and S130, the range of the aggregated packets determined to be unencrypted is encrypted.

In step S131 of FIG. 8, the processor 21 generates the encrypted information. Then, the processor 21 adds the generated encryption information to the aggregated packet. The processor 21 generates the encrypted information in the same manner as that performed by the processor 11 of the packet processing device 10 in step S21 of FIG.

In step S132 of FIG. 8, the processor 21 instructs the communication I / F 25 to transmit the aggregated packet created by the processes of steps S125 to S131 to the packet processing device 10. In response to this instruction, the communication I / F 25 transmits the aggregated packet to the packet processing device 10. The transmitted aggregated packet is received by the second communication I / F 16 of the packet processing device 10. The processor 21 returns to step S121 after the processing of step S132.

On the other hand, in step S31 of FIG. 5, the processor 11 of the packet processing device 10 waits for the aggregated packet to be received by the communication I / F 25 (second receiving unit 108). If the aggregated packet is received, the processor 11 determines Yes in step S31 and proceeds to step S32.

In step S32, the processor 11 (decoding unit 109) decodes the aggregated packet received in step S31.
In step S33, the processor 11 (decoding unit 109) verifies the MAC value of the aggregated packet received in step S31. That is, the processor 11 calculates the MAC value of the aggregated packet and verifies whether or not it matches the MAC value included in the aggregated packet.
When the aggregated packet is encrypted in the authenticated encryption mode, the processor 11 performs step S32 and step S33 at the same time.

In step S34, the processor 11 (decoding unit 109) determines whether or not the data integrity of the aggregated packet is guaranteed. If the MAC values match in the verification of the MAC value in step S33, the processor 11 determines No in step S34 and proceeds to step S35.

In step S35, the processor 11 (division unit 110) divides the aggregated packet into individual individual packets based on the information included in each header of the aggregated packet.

In step S36, the processor 11 sends each of the individual packets divided in step S35 to the first communication I / F 15 (second transmission unit 111) so as to transmit to the client device 30 which is the destination of each individual packet. Instruct against. In response to this instruction, the first communication I / F 15 transmits the individual packet to the client device 30 which is the destination of each individual packet. The processor 11 returns to step S31 after the processing of step S36.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S33, the processor 11 determines Yes in step S34 and proceeds to step S37. For example, when the data is rewritten, such as when the aggregated packet has been tampered with, the MAC values do not match.
In step S37, the processor 11 discards the aggregated packet received in step S31.

In step S38, the processor 11 requests the server device 20 to retransmit the aggregated packet. The processor 11 returns to step S31 after the processing of step S38.

According to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 aggregate a plurality of individual packets. As a result, the load on the second communication I / F 16 of the packet communication device 10 and the communication I / F 25 of the server device 20 is reduced.
Further, according to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 encrypt the aggregated packet. This makes it possible to prevent eavesdropping of header information and the like given to the aggregation protocol. Further, according to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 assign a MAC value to the aggregated packet. This makes it possible to verify the data integrity of aggregated packets.
Further, according to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 encrypt the aggregated packet except for the encrypted portion. Therefore, the packet communication device 10 and the server device 20 can reduce the time required for encryption and the time required for decryption as compared with the case where the whole is encrypted. As a result, the real-time property of the communication between the client device 30 and the server device 20 is improved.
From the above, the communication system 1 of the first embodiment can prevent information leakage and detect data falsification with a minimum load by using the aggregated packet as shown in FIG. 9 (c1). It becomes. Further, by minimizing the time required for encryption and decryption, it is possible to prevent deterioration of real-time communication.

When the client device 30 is a station service device, the amount of data in the request transmitted from the client device 30 and the response transmitted from the server device 20 is small, and the number of times of data transmission / reception is large. In addition, real-time performance is particularly required for automatic ticket gates and the like. Further, in the communication system 1 including the station affairs device as the client device 30, since the communication content includes information related to money and personal information, it is necessary to prevent falsification and eavesdropping of the transmitted data. From the above, when the client device 30 includes a station service device, the communication system 1 of the embodiment is particularly useful. The information transmitted by the automatic ticket gate includes, for example, entry station information, entry station information, entry time, entry time, IC card authentication information, amount information, or a plurality of these.

[Second Embodiment]
Since the configuration of the communication system 1 of the second embodiment is the same as that of the first embodiment, the description thereof will be omitted. Further, since the operations of the packet communication device 10 and the server device 20 of the communication system 1 of the second embodiment are the same as those of the first embodiment, the description thereof will be omitted. However, in the second embodiment, the generated aggregate packet is different from the first embodiment. Hereinafter, the aggregated packet generated in the second embodiment will be described with reference to FIG. FIG. 10 is a diagram for explaining an example of the aggregated packet according to the second embodiment. In FIG. 10, the same elements as those in FIG. 2 of the first embodiment are designated by the same reference numerals. The description of the same elements as those in FIG. 2 in FIG. 10 may be omitted.

FIG. 10 illustrates a case where n individual packets including the encrypted individual packet 1 and the individual packet 3 and the plain text individual packet 2 and the individual packet 4 are aggregated. In the aggregated packet of the second embodiment, as shown in (b2), the data is arranged in the order of the aggregated header, n individual headers, the plaintext individual packet, and the encrypted individual packet. That is, the aggregated packet (b2) is arranged so that the unencrypted portion is continuous and then the encrypted portion is continuous. By continuously arranging the unencrypted data in this way, the processor 11 and the processor 21 can encrypt the aggregate header, the n individual headers, and the plaintext individual packet at one time. Further, the continuous arrangement of the encrypted data allows the processor 11 and the processor 21 to copy the encrypted individual packets at one time.

According to the communication system 1 of the second embodiment, the same effect as that of the first embodiment can be obtained.
Further, according to the communication system 1 of the second embodiment, when the data to be encrypted is distributed depending on the cipher usage mode such as CBC, it is necessary to fill the portion less than the block length with padding, depending on the mounting method. May cause padding for each individual header. In particular, when the individual packet size is small, the padding occupies a large proportion of the entire aggregated packet, and the data size of the aggregated packet becomes large. Therefore, by forming the aggregated packet by collecting the data to be encrypted in one place in the aggregated packet as in the second embodiment, it is possible to prevent the data size of the aggregated packet from increasing. In addition, since encryption and decryption can be performed at once, improvement in processing speed can be expected. Therefore, the communication system 1 of the second embodiment can improve the real-time property by using the aggregated packets as shown in FIGS. 10 (b2) and (c2).

[Third Embodiment]
Since the configuration of the communication system 1 of the second embodiment is the same as that of the first embodiment, the description thereof will be omitted. However, the RAM 13 or the auxiliary storage device 14 of the second embodiment stores the retransmission list and the received list. The retransmission list is a list of individual packets for which the packet processing device 10 requests retransmission. The retransmission list registers the individual packet, for example, by storing the sequence number associated with each of the individual packets requesting retransmission. The received list is a list of individual packets that have normally arrived at the packet processing device 10. The received list registers the individual packet, for example, by storing the sequence number associated with each of the individually arrived packets. The sequence number is an example of an identifier uniquely assigned to each individual packet.
Further, the packet aggregation device of the third embodiment has a functional configuration as shown in FIG. 11 instead of FIG. FIG. 11 is a block diagram showing a functional configuration of the packet processing device 10 according to the third embodiment. The packet processing device 10 according to the third embodiment has a first receiving unit 101, an aggregation buffer 102, a cycle management unit 103, a coupling unit 104, a range selection unit 105, a first transmitting unit 107, a second receiving unit 108, and a dividing unit. It includes 110, a second transmission unit 111, a redundancy unit 121, an arrival management unit 122, a retransmission request unit 123, an encryption unit 124, and a decryption unit 125.

The redundancy unit 121 has a function of duplicating the aggregated packet passed from the coupling unit 104 in order to transmit the encrypted aggregated packet a plurality of times. Then, the redundancy unit 121 has a function of passing the aggregated packet to the first transmission unit 107 a plurality of times and requesting the transmission a plurality of times. For example, the processor 11 functions as a redundancy unit 121.

The arrival management unit 122 has a function of managing the number of arrivals of the packet and a function of determining whether to transmit an individual packet to the client device 30. The arrival management unit 122 manages the number of arrivals of the individual packet by using an identifier such as the sequence number of the individual packet passed from the decoding unit 125. Then, when the individual packet arrives for the first time, the arrival management unit 122 calls the second transmission unit 111 to transmit the individual packet to the client device 30. On the other hand, the arrival management unit 122 discards the individual packet when the individual packet arrives for the second time or later. As a result, among the individual packets included in the aggregated packets transmitted a plurality of times, only the first individual packet that arrives can be transmitted to the client device 30. The arrival management unit 122 also has a function of detecting the disappearance of an individual packet from the identifier of the individual packet. That is, for example, when the sequence number is used as the identifier of the individual packet, the arrival management unit 122 determines that the individual packet corresponding to the skipped number has disappeared when the number of the sequence number is skipped. For example, when the sequence numbers of the arrived individual packets are 1, 2, and 4, the arrival management unit 122 determines that the individual packets of the flying sequence number 3 have disappeared. Then, the arrival management unit 122 requests, for example, the retransmission request unit 123 to register the flying sequence number in the retransmission list. Then, when the individual packet of the flying sequence number arrives later, the arrival management unit 122 requests the retransmission requesting unit 123 to delete the flying sequence number from the retransmission list. For example, the processor 11 functions as an arrival management unit 122.

The retransmission request unit 123 has a function of registering a packet for a retransmission request in the aggregation buffer 102. For example, the retransmission request unit 302 requests all the individual packets specified in the retransmission list to be retransmitted at regular intervals. Alternatively, the retransmission request unit 123 may change the retransmission request interval according to the number of times the retransmission request is transmitted for each individual packet registered in the retransmission list. For example, the retransmission request unit 123 causes the retransmission request to be transmitted as soon as it is detected that the number of the arrived individual packet is skipped for the individual packet in which the number of times the retransmission request packet is transmitted is 0. Then, the more times the retransmission request unit 123 transmits the retransmission request, the longer the time until the next retransmission request is transmitted. Further, in order to prevent the retransmission list from overflowing, the retransmission request unit 123 may unregister the individual packets that do not arrive even after sending the retransmission request a certain number of times from the retransmission list. Alternatively, the retransmission request unit 123 may unregister the individual packets registered in the retransmission list in order from the oldest registration each time the retransmission list is about to overflow. Alternatively, the retransmission request unit 123 may unregister the individual packet having the youngest sequence number among the registered packets each time the retransmission list is about to overflow. For example, the processor 11 functions as a retransmission request unit 123.

Further, in order to transmit the retransmission request even when the packet having the latest sequence number is lost, the arrival management unit 122 periodically acquires the maximum sequence number of the transmitted individual packet from the server device 20. Then, the arrival management unit 122 determines whether or not the acquired sequence number is larger than the maximum sequence number among the arrived individual packets. Then, when the sequence number acquired from the server device 20 is larger, the arrival management unit 122 causes the maximum sequence number + 1 to the acquired sequence number among the arrived individual packets to be registered in the retransmission list. Requests to the retransmission request unit 123.

Further, the retransmission request unit 123 may have a function of explicitly accepting a packet of a retransmission request from the server device 20. When the retransmit request packet is received, the retransmission request unit 123 sets a flag to transmit the transmitted packet included in the aggregation buffer 102 again. As a result, when the cycle management unit 103 takes out the packet to be transmitted from the aggregation buffer 102 to the server device 20, the cycle management unit 103 takes out the packet to which the flag is set. Therefore, the cycle management unit 103 can retransmit the packet in response to the request of the server device 20.

The encryption unit 124 has a function of encrypting the aggregated packet and assigning a plurality of MAC values by a method as described later, which is different from the first embodiment.

The decoding unit 125 has a function of verifying the integrity of data for each of a plurality of MAC values included in the aggregated packet. Further, the decryption unit 125 decodes the encrypted portion of the aggregated packet. Then, the decoding unit 125 has a function of discarding the entire aggregated packet when a falsification is detected in the aggregated header. Further, the decoding unit 125 discards the individual packet in which the falsification is detected among the individual packets included in the aggregated packet. Then, the decoding unit 125 passes the individual packet for which falsification is not detected to the arrival management unit 122.

Hereinafter, the operation of the communication system 1 according to the third embodiment will be described with reference to FIGS. 12 and 13. The content of the process in the following operation description is an example, and various processes that can obtain the same result can be appropriately used. 12 and 13 are flowcharts of processing by the processor 11 of the packet processing device 10.

In the third embodiment, the packet processing device 10 generates and transmits an aggregate packet by the same processing as that shown in FIGS. 3 and 4 as in the first embodiment. Further, the server device 20 generates and transmits aggregate packets by the same processing as that shown in FIGS. 7 and 8 as in the first embodiment. However, in the third embodiment, the generated aggregate packet is different from the first embodiment and the second embodiment. The aggregated packet generated in the third embodiment will be described with reference to FIG. FIG. 14 is a diagram for explaining an example of the aggregated packet according to the third embodiment.

FIG. 14 illustrates a case where n individual packets including the encrypted individual packet 1 and the plain text individual packet 2 are aggregated. The order of the aggregated header, the individual header, and the individual packet of the aggregated packet of the third embodiment is the same as that of the first embodiment as shown in (b3) and (c3), for example. That is, encryption is performed for each individual packet in units of individual packets.
However, the aggregated packet after encryption according to the third embodiment (c3) contains a plurality of MAC values as encrypted information. The processor 11 or the processor 21 calculates and assigns these plurality of MAC values in units of the aggregated packets for which tampering is desired to be detected. For example, the encrypted aggregate packet (c3) of the third embodiment includes, for example, IV, TAGA, TAG0, TAG1, TAG2, ... TAGn and SIZE as the encrypted information.
TAGA is a MAC value for the entire aggregated packet.
TAG0 is the MAC value for the aggregate header.
TAGk (k is a natural number of n or less) is a MAC value of a set of an individual header k and an individual packet k. When the MAC value is already given to the individual packet k, the TAG k may be the MAC value of the individual header k. That is, TAG1 to n are MAC values given in individual packet units.
The MAC value is assigned in units.
The processor 11 (encryption unit 124) or the processor 21 can calculate the MAC value and encrypt the individual packet in order to enable the decryption of another individual packet when a part of the individual packet included in the aggregated packet is tampered with. It is preferable to carry out the conversion in the same unit. Alternatively, the processor 11 (encryption unit 124) or the processor 21 enables decryption of another individual packet when a part of the individual packets included in the aggregated packet is tampered with, so that the CTR (Counter) mode or the like can be used. However, a cipher mode of operation is used, in which each block can be decrypted independently and tampering with other blocks does not affect the decryption result. This is because when the entire aggregated packet is decrypted in a mode such as CBC mode in which encryption is chained, falsification of the front block affects the decryption result of the rear block. Further, the processor 11 (encryption unit 124) or the processor 21 identifies individual packets included in the aggregated packet, and in order to enable processing such as retransmission for each individual packet, a sequence number or the like is added to the individual header. It is preferable to include the identifier of. This sequence number is not reset for each aggregated packet, but is incremented. For example, when the first aggregate packet contains individual packets with sequence numbers 1, 2, and 3, the sequence number of the packet included in the second aggregate packet, which is the next aggregate packet, starts from 4. It will be.

Further, in the third embodiment, the packet processing device 10 and the server device 20 transmit the same aggregated packet a plurality of times in step S22 of FIG. 4 or step S132 of FIG. The number of transmissions is, for example, two. When the packet processing device 10 and the server device 20 have a plurality of routes from the source to the destination of the aggregated packet, the same aggregated packet may be transmitted through a different route for each transmission.

In step S41 of FIG. 12, the processor 11 of the packet processing device 10 waits for the aggregated packet to be received by the second communication I / F 16 (second receiving unit 108). If the aggregated packet is received, the processor 11 determines Yes in step S41 and proceeds to step S42.

In step S42, the processor 11 (decoding unit 125) verifies TAGA, which is the MAC value of the entire aggregated packet. That is, the processor 11 calculates the MAC value of the entire aggregated packet received in step S41, and verifies whether or not it matches the TAGA included in the aggregated packet.

In step S43, the processor 11 (decoding unit 125) determines whether or not the integrity of the data of the entire aggregate packet received in step S41 is guaranteed. If the MAC values match in the verification of the MAC value in step S43, the processor 11 determines No in step S43 and proceeds to step S44.

In step S44, the processor 11 (dividing unit 110) divides the aggregated packet received in step S41 into a set of individual individual headers and individual packets. Here, the pair of the individual header and the individual packet is, for example, a pair of the individual header 1 and the individual packet 1, a pair of the individual header 2 and the individual packet 2, a pair of the individual header n and the individual packet n, and the like. Is.

In step S45, the processor 11 (decoding unit 125) decodes each pair of the individual header and the individual packet divided in step S44.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S43, the processor 11 determines Yes in step S43 and proceeds to step S46. For example, when the data is rewritten, such as when the aggregated packet received in step S41 has been tampered with, the MAC values (TAGA) do not match.
In step S46, the processor 11 (decoding unit 125) decodes the aggregate header.

In step S47, the processor 11 (decoding unit 125) verifies the MAC value of the aggregate header. That is, the processor 11 calculates the MAC value of the aggregation header and verifies whether or not it matches TAG0 included in the aggregation packet received in step S41.

In step S48, the processor 11 (decoding unit 125) determines whether or not the integrity of the data in the aggregate header is guaranteed. If the MAC values match in the verification of the MAC value in step S47, the processor 11 determines No in step S48 and proceeds to step S49.

In step S49, the processor 11 (dividing unit 110) divides the aggregated packet received in step S41 into a set of individual individual headers and individual packets.

In step S50, the processor 11 (decoding unit 125) decodes each pair of the individual header and the individual packet divided in step S49.

In step S51, the processor 11 (decoding unit 125) verifies the MAC value for each pair of the individual header and the individual packet. That is, the processor 11 calculates the MAC value for each pair of individual headers and individual packets, and verifies whether or not they match the TAG for each pair of individual headers and individual packets.

In step S52, the processor 11 (decoding unit 125) discards the pair of the individual header and the individual packet whose data integrity of the aggregate header is not guaranteed. That is, the processor 11 discards the pair of the individual header and the individual packet whose MAC values do not match in step S51. For example, when the data is rewritten, such as when the individual header or the individual packet has been tampered with, the corresponding MAC values (TAG1 to TAGn) do not match.

The processor 11 proceeds to step S53 after the processing of step S45 or step S52.
In step S53, the processor 11 (arrival management unit 122) discards the received individual packet among the individual packets decoded in step S45 or step S50.

In step S54, the processor 11 (retransmission request unit 123 and arrival management unit 122) updates the retransmission list and the received list. That is, the processor 11 registers in the received list the sequence number of the individual packet decoded in step S45 or step S50, which is not discarded in either step S52 or step S53. Further, when the same sequence number as the sequence number registered in the received list is registered in the retransmission list, the processor 11 deletes the sequence number from the retransmission list. Further, when the sequence number of the individual packet discarded in step S52 among the individual packets decoded in step S50 is not registered in the received list, the processor 11 registers the sequence number in the retransmission list. Further, if there is a sequence number less than the maximum sequence number registered in the received list that is not registered in the retransmission list or the received list, the processor 11 retransmits the sequence number. Register in the list. In addition, the processor 11 may acquire the maximum sequence number of the transmitted individual packet from the server device 20. Then, if there is a sequence number that is not registered in the retransmission list or the received list among the sequence numbers equal to or less than the maximum sequence number acquired from the server device 20, the processor 11 puts the sequence number in the retransmission list. to register.

In step S55, the processor 11 (retransmission request unit 123) sets each of the individual packets decoded in step S45 or step S50, which were not discarded in either step S52 or step S53, into the individual packets. The first communication I / F 15 (second transmission unit 111) is instructed to transmit to the client device 30 which is the destination. In response to this instruction, the first communication I / F 15 transmits each of the individual packets to the client device 30 which is the destination of each individual packet. The transmitted individual packets are received by the communication I / F 35 of the client device 30 which is the destination. The processor 11 returns to step S41 after the processing of step S55.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S43, the processor 11 determines Yes in step S48 and proceeds to step S56. For example, when the data is rewritten, such as when the aggregate header has been tampered with, the MAC values (TAG0) do not match.
In step S56, the processor 11 (decoding unit 125) discards the aggregated packet received in step S41.

In step S57, the processor 11 (retransmission request unit 123 and arrival management unit 122) updates the retransmission list. That is, if the sequence number of the individual packet included in the aggregated packet discarded in step S56 is not registered in the received list, the processor 11 registers the sequence number in the retransmission list. Further, the processor 11 may acquire the maximum sequence number of the transmitted individual packet from the server device 20. Then, if there is a sequence number that is not registered in the retransmission list or the received list among the sequence numbers equal to or less than the maximum sequence number acquired from the server device 20, the processor 11 puts the sequence number in the retransmission list. to register. The processor 11 returns to step S41 after the processing of step S57.

Further, in step S61 of FIG. 13, the processor 11 resets the third timer. The third timer is a timer for measuring the elapsed time since the packet processing device 10 registered the retransmission request packet in the aggregation buffer 102 last time.

In step S62, the processor 11 waits for the time T3 or more to elapse after resetting the third timer. The time T3 is set in advance by, for example, the administrator of the packet processing device 10. Alternatively, the time T3 may be predetermined by the designer of the packet processing device 10 or the like. If the time T3 or more has elapsed after resetting the third timer, the processor 11 determines Yes in step S62 and proceeds to step S63.

In step S63, the processor 11 registers the retransmission request packet destined for the server device 20 in the aggregation buffer 102. The retransmission request packet contains, for example, a sequence number registered in the retransmission list. The processor 11 registers the retransmission request packet as an individual packet in the aggregation buffer 10, for example. Therefore, the retransmission request packet is aggregated together with other individual packets registered in the aggregation buffer 10 and included in the aggregation packet. Then, the retransmission request packet is transmitted to the server device 20 in a state of being included in the aggregated packet. The processor 11 returns to step S61 after the processing of step S63.
On the other hand, the retransmission request packet is registered in the processing buffer by the processor 21 of the server device 20. Then, the processor 21 registers the individual packet specified by the sequence number included in the retransmission request packet in the server aggregation buffer based on the retransmission request packet registered in the processing buffer in step S112 of FIG. 7. For example, when the individual packet is stored in the server aggregation buffer as a transmitted state, the processor 21 returns the individual packet to the untransmitted state. Alternatively, if the individual packet is not stored in the server aggregation buffer, the processor 21 stores the individual packet in the server aggregation buffer. The processor 21 may select, as the next individual packet, the packet having the youngest sequence number among the untransmitted individual packets stored in the server aggregation buffer.

Further, regarding the server device 20, the processor 21 performs decoding, division, MAC verification, retransmission request, and the like of the aggregated packet by the same processing as those shown in FIGS. 12 and 13. Further, as for the packet processing device 10, when the retransmission request packet is received from the server device 20, the individual packet specified by the sequence number included in the retransmission request packet is transferred to the server device 20 as in the server device 20. Retransmits to the server device 20 by performing the same processing as the processing when the retransmission request packet is received.

The communication performed by the processing of the packet processing device 10 and the server device 20 as described above will be described with reference to FIG. 15 by way of an example. FIG. 15 is a sequence diagram showing an example of the information flow of the communication system 1 according to the third embodiment.

In step ST1, the server device 20 transmits the aggregated packet to the packet processing device 10. As an example, it is assumed that the aggregated packet includes six individual packets of sequence numbers 1 to 6. Further, as an example, the server device 20 shall transmit the aggregated packet twice to the packet processing device 10.

The packet processing device 10 receives the aggregated packet transmitted twice by the server device 20 in step ST1. Here, it is assumed that the individual packets of sequence numbers 4 and 5 have been tampered with among the aggregated packets transmitted for the first time in step ST1. The packet processing device 10 can detect this falsification by verifying the MAC value. Therefore, the packet processing device 10 discards the individual packets of sequence numbers 4 and 5 among the aggregated packets transmitted for the first time in step ST1. Further, it is assumed that among the aggregated packets transmitted for the second time in step ST1, the individual packets having sequence numbers 3 and 5 have been tampered with. The packet processing device 10 can detect this falsification by verifying the MAC value. Therefore, the packet processing device 10 discards the individual packets of sequence numbers 3 and 5 among the aggregated packets transmitted for the second time in step ST1.
Since the individual packets of sequence numbers 1, 2 and 6 have not been tampered with in any of the aggregated packets transmitted twice, they have arrived normally at the packet processing device 10. Since only one of the aggregated packets transmitted twice has been tampered with in the individual packets of sequence numbers 3 and 4, the other packet has arrived normally at the packet processing device 10. However, since the individual packet of sequence number 5 has been tampered with in any of the aggregated packets transmitted twice, it is discarded in any of them.

In step ST2, the packet processing device 10 transmits the normally arriving individual packets of sequence numbers 1 to 4 and 6 to the client device 30 which is the respective destination. It is assumed that the client device 30 shown in FIG. 15 includes one or a plurality of client devices 30.

In step ST3, the packet processing device 10 requests the server device 20 to retransmit the individual packet of sequence number 5, so that the retransmitting request is transmitted to the server device 20.

Upon receiving the retransmission request, the server device 20 generates an aggregate packet including the individual packet of sequence number 5. At this time, it is assumed that the individual packet of sequence number 7 is registered in the server aggregation buffer. Therefore, the server device 20 generates an aggregated packet including the individual packet of sequence number 7 in addition to the individual packet of sequence number 5.
Then, in step ST4, the server device 20 transmits the generated aggregated packet to the packet processing device 10. As an example, the server device 20 shall transmit the generated aggregated packet twice to the packet processing device 10.

The packet processing device 10 receives the aggregated packet transmitted twice by the server device 20 in step ST4. Here, it is assumed that the aggregate header of the aggregated packet transmitted for the first time in step ST4 has been tampered with. The packet processing device 10 can detect this falsification by verifying the MAC value. Therefore, the packet processing device 10 discards the aggregated packet transmitted for the first time in step ST1. Further, it is assumed that the aggregated packet transmitted for the second time in step ST4 has not been tampered with. Therefore, the individual headers of sequence numbers 5 and 7 have arrived normally at the packet processing device 10.

In step ST5, the packet processing device 10 transmits the normally arriving individual packets of sequence numbers 5 and 7 to the client device 30 which is the respective destination.

According to the communication system 1 of the third embodiment, the packet processing device 10 and the server device 20 cannot guarantee the integrity of the data because the individual packets included in the received aggregated packets have been tampered with. In this case, only the falsified individual packet among the aggregated packets is requested to be retransmitted. Therefore, when only a part of the individual packets included in the aggregated packet has been tampered with, it is not necessary to retransmit the entire aggregated packet. On the other hand, conventionally, even if falsification or the like is for a part, it is necessary to retransmit the entire aggregated packet. Therefore, in the communication system 1 of the third embodiment, the amount of data retransmitted is smaller than in the conventional case. In addition, since the frequency of retransmission is reduced, the real-time property is improved as compared with the conventional case.

Further, according to the communication system 1 of the third embodiment, the packet processing device 10 and the server device 20 transmit the aggregated packet a plurality of times at one time. As a result, the packet processing device 10 or the server device 20 that has received the aggregated packet immediately receives the next aggregated packet even if the individual packet included in the first received aggregated packet is discarded. Therefore, the packet processing device 10 or the server device 20 can receive the discarded individual packet immediately after receiving the individual packet retransmitted due to the request for retransmission. This improves real-time performance.

The first to third embodiments can be modified as follows.
The packet processing device 10 may not have a function of connecting to the network NW1, the network NW2, or both. Then, the device connected to the packet processing device 10 may connect to the network NW1, the network NW2, or both, and communicate with the server device 20, the client device 30, and the like.
The packet processing device 10 may be connected to the server device 20 by a bus such as a USB (universal serial bus) without going through the network NW2. Further, the server device 20 may include the packet processing device 10.

In step S13, the processor 11 may determine whether or not the number of untransmitted individual packets stored in the aggregation buffer 102 exceeds a predetermined number instead of the capacity D1. Further, in step S123, the processor 21 may determine whether or not the number of untransmitted individual packets stored in the server aggregation buffer exceeds a predetermined number instead of the capacity D2. The above aspect can be used when the data size of the individual packet is almost constant.

The processor 11 or the processor 21 may take out all the packets to be aggregated from the aggregation buffer 102 or the server aggregation buffer, and then perform the aggregation.

When the packet processing device 10 or the server device 20 transmits only one individual packet, the packet processing device 10 or the server device 20 may transmit the packet as it is without forming it into an aggregate packet.

The communication system 1 of the first embodiment may be in a mode that does not require the retransmission of the discarded packet. That is, the processor 11 skips step S38 and proceeds to step S31. Further, the processor 21 skips step S108 and proceeds to step S101.

In the first to third embodiments, an example in which the server device 20 is one is shown. However, a plurality of server devices 20 may be connected to the network NW. In this case, the packet processing device 10 aggregates the received individual packets, for example, only for those having the same destination server device 20. That is, the packet processing device 10 generates and transmits an aggregated packet for each destination.

By using a plurality of packet processing devices 10, for example, communication between two points can be made more efficient. For example, a plurality of devices (hereinafter referred to as “device a”) capable of communicating with the first packet processing device 10 and the first packet processing device 10 are located at point A, and the second packet processing device 10 and the second packet. It is assumed that a plurality of devices (hereinafter referred to as "device b") capable of communicating with the processing device 10 are installed at the point B. In this case, the first packet processing device 10 transmits to the second packet processing device 10 an aggregated packet that is transmitted from a plurality of devices a and aggregates individual packets destined for the device b. Then, the second packet processing device 10 divides the received aggregated packet into individual individual packets, and transmits each individual packet to each destination device b. Further, the second packet processing device 10 transmits an aggregated packet transmitted from a plurality of devices b, which is a collection of individual packets destined for the device a, to the first packet processing device 10. Then, the first packet processing device 10 divides the received aggregated packet into individual individual packets, and transmits each individual packet to each destination device a.

The communication system 1 shown in the first to third embodiments is a server-client model, but is not limited to the server-client model.

Communication system 1 may guarantee and verify the integrity of data by using a method other than MAC. For example, the communication system 1 uses a MIC (message integrity code). The MIC is an example of a code for guaranteeing the integrity of data.

The packet processing device 10 and the server device 20 may add an error correction code to the aggregated packet.

Although some embodiments of the present invention have been described, these embodiments are presented as examples and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other embodiments, and various omissions, replacements, and changes can be made without departing from the gist of the invention. These embodiments and variations thereof are included in the scope and gist of the invention, and are also included in the scope of the invention described in the claims and the equivalent scope thereof.

1 ... Communication system, 10 ... Packet aggregator, 11,21,31 ... Processor, 12,22,32 ... ROM, 13,23,33 ... RAM, 14,24,34 ... Auxiliary storage device , 15 ... 1st communication I / F, 16 ... 2nd communication I / F, 20 ... server device, 25, 35 ... communication I / F, 30 ... client device, 101 ... 1st Receiving unit, 102 ... Aggregation buffer, 103 ... Periodic management unit, 104 ... Joining unit, 105 ... Range selection unit, 106, 124 ... Encryption unit, 107 ... First transmitting unit, 108 ... 2 Receiver unit, 109, 125 ... Decryption unit, 110 ... Division unit, 111 ... Second transmission unit, 121 ... Redundancy unit, 122 ... Retransmission request unit, 123 ... Arrival management unit

Claims (19)

A receiver that receives individual packets and
An aggregated packet is generated by aggregating a plurality of individual packets received by the receiving unit so that the unencrypted portion is continuous, and the range of the generated aggregated packets determined to be unencrypted is encrypted. With the processing unit
A packet aggregation device including a transmission unit that transmits the aggregated packet encrypted by the processing unit. The processing unit assigns a code for guaranteeing data integrity to a range of the generated aggregate packets for which a code for guaranteeing data integrity is not assigned. Item 1. The packet aggregation device according to item 1. The processing unit
The aggregated packet is encrypted for each individual packet included in the aggregated packet, and the aggregated packet is given a code for guaranteeing data integrity for each individual packet included in the aggregated packet. The packet aggregating device according to claim 1 or 2. The packet aggregation device according to any one of claims 1 to 3 , wherein the processing unit controls the transmission unit so that the aggregated packet is transmitted a plurality of times. The packet aggregation device according to claim 4 , wherein the processing unit controls the transmission unit so that the aggregated packet is transmitted by at least two types of routes. Generated by a packet aggregator that generates an aggregated packet that aggregates a plurality of individual packets so that the unencrypted parts are continuous, and encrypts the range of the generated aggregated packets that is determined to be unencrypted. A packet dividing device including a processing unit that divides the individual packet included in the aggregated packet from the aggregated packet transmitted and transmitted. The packet splitting device according to claim 6 , wherein when the aggregated packet includes an individual packet whose data integrity is not guaranteed, the individual packet whose data integrity is not guaranteed is discarded. The packet splitting device according to claim 6 or 7 , wherein the entire aggregated packet is discarded when the integrity of the data of the aggregated header included in the aggregated packet is not guaranteed. Of the individual packets included in the aggregated packet, the individual packet whose data integrity is guaranteed is recorded as arrived.
The packet dividing device according to any one of claims 6 to 8 , which discards the individual packets recorded as arrived among the individual packets included in the aggregated packets. The aggregated packet is given an identifier to each of the individual packets included in the aggregated packet by the packet aggregation device.
The processing unit determines an individual packet that has been transmitted and has not arrived by the identifier, and requests the packet aggregation device to retransmit the individual packet that has not arrived, according to any one of claims 6 to 9 . The packet segmentation device described. Including packet aggregator and packet divider
The packet aggregator is
A first processing unit that generates an aggregated packet in which a plurality of individual packets are aggregated so that an unencrypted portion is continuous, and encrypts a range of the generated aggregated packets determined to be unencrypted. When,
A first communication unit that transmits an aggregated packet in which a plurality of individual packets are aggregated to a packet dividing device is provided.
The packet splitting device is
A second communication unit that receives the aggregated packet transmitted from the packet aggregater, and
A packet communication system including a second processing unit that divides the individual packet included in the aggregated packet from the aggregated packet received by the second communication unit. The computer that the packet aggregator has
A plurality of individual packets are aggregated so that the unencrypted part is continuous to generate an aggregated packet including a plurality of individual packets, and the range determined to be unencrypted among the generated aggregated packets is encrypted. A program that can be encrypted and function as a processing unit. The computer that the packet divider has
Generated by a packet aggregator that generates an aggregated packet that aggregates a plurality of individual packets so that the unencrypted parts are continuous, and encrypts the range of the generated aggregated packets that is determined to be unencrypted. A program that functions as a processing unit that divides the individual packet included in the aggregated packet from the aggregated packet that has been transmitted. An aggregated packet data is generated by aggregating a receiving unit that receives a packet and a plurality of packets received by the receiving unit so that an unencrypted portion is continuous, and encryption of the generated aggregated packet data is performed. It has a generator that encrypts the range determined to be unfinished.
In the aggregated packet data, each of the plurality of packets includes a header unit and a payload unit, and a plurality of payload units included in the aggregated packet data are encrypted with a plurality of keys and are included in the aggregated packet data. A packet generator whose header is encrypted with the same key. The packet generation device according to claim 14 , wherein the aggregated packet data has a plurality of the header portions continuous. The packet generator according to claim 14 , wherein the aggregated packet data is provided with a code and an identifier for guaranteeing the integrity of the data for each of the packets. A range of the aggregated packet data that is determined to be unencrypted is generated by generating aggregated packet data in which packets are received and a plurality of received packets are aggregated so that the unencrypted portion is continuous. It is a packet generation method that encrypts
In the aggregated packet data, each of the plurality of packets includes a header unit and a payload unit, and a plurality of payload units included in the aggregated packet data are encrypted with a plurality of keys and are included in the aggregated packet data. Packet generation method in which the header part of is encrypted with the same key. The computer that the packet generator has
An aggregated packet data is generated by aggregating a receiving unit that receives a packet and a plurality of packets received by the receiving unit so that an unencrypted portion is continuous, and encryption of the generated aggregated packet data is performed. Encrypts the range determined to be unfinished, makes it function as a generator, and
In the aggregated packet data, each of the plurality of packets includes a header part and a payload part, and a plurality of payload parts included in the aggregated packet data are encrypted with a plurality of keys, and a plurality of the aggregated packet data included in the aggregated packet data. A program whose header part is encrypted with the same key. An aggregated packet is generated in which a plurality of individual packets are aggregated so that the unencrypted portion is continuous, and the range of the aggregated packets determined to be unencrypted is encrypted, and the individual packet is individualized. Receives the aggregated packet coded to guarantee data integrity on a packet-by-packet basis.
A communication method for requesting retransmission of the individual packet whose data integrity is not guaranteed when the received aggregate packet includes the individual packet whose data integrity is not guaranteed.

Images