JPH10136025A - Inter-network communication repeating method and repeater - Google Patents

Abstract

PROBLEM TO BE SOLVED: To recognize the existence of a machine being a connection request source, without providing a special protocol and to prevent the interruption behavior using a false address. SOLUTION: At the time of repeating a connection request packet 201 from a machine in a first network to a machine in a second network, an echo request 202 whether or not the machine being the connection request source exists in the first network is transmitted to the machine of the connection request source. It is recognized by the presence or absence of an echo response 203 with respect to the echo request 202. Only when the echo response 203 is given, the connection request packet 201 is transferred to the second network. The echo request 202 contains at least one of the content of the communication request packet, or a content obtained by compressing the content, time information, the address of the connection request source, the address of a connection request destination, the application identifier of the connection request source, and the application identifier of the connection request destination, the address of a repeater and a random number.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a relay device and a relay method for connecting two networks, for example, a firewall connecting the Internet, which is a network outside an organization, and the Internet (intranet) within a company. And a relay method.

[0002]

2. Description of the Related Art Conventionally, when data is transferred between two networks, two machines are prepared for data transfer.
The following packet exchanges (so-called "three way hand shake") were performed between (communication connection request source and request destination).

(1) Request source → request destination: connection request packet (2) Request source ← request destination: connection request confirmation packet (3) Request source → request destination: connection confirmation packet On the other hand, a connection request packet from an external network (1) Deny all (2) Permit all (3) Judge according to the network address of the request source / request destination and the connection request destination application The method is representative.

As a method of processing a connection request packet not at the relay device but at the connection request destination, in addition to sending the connection request confirmation packet described above, a predetermined protocol is used to determine whether a connection request machine really exists. After confirming,
A method of processing packets has also been proposed (HK Orman,
The OAKLEY Key Determination Protocol, InternetDra
ft, May 1996, draft-ietf-ipsec-oakley-01.txt).

[0005]

[Problems to be solved by the invention] By the way, "three wa
According to the communication technology called "y hand shake," the requesting machine is virtually inoperable by intentionally sending a large number of connection request packets to the requesting machine to increase the load on the requested machine. Can be. In this case, if the requested machine is, for example, a server that manages one network, it is possible to stop all services provided by that network and disable business. That is, the service or the business activity provided by the requested machine can be obstructed. In fact, a software program for realizing such an action was published in September 1996 (CERT Advisory CA.96-12; TCP SYN
Flooding and IP Spoofing Attacks; September 24,
1996).

As a method of solving such malicious business obstruction, a special protocol for confirming the connection requesting machine is provided in the relay device, and the connection requesting machine is identified by the protocol to increase the load. There is a method of stopping the request for the purpose. However, in the case of the Internet, unlike the public telephone network, the address of the request source included in the connection request packet can be deliberately spoofed, so that if the address is a fake address, the request source cannot be determined.

[0007] Even when the connection request packet is processed by the connection requesting machine instead of the relay device, a special protocol for confirmation is required, and the requesting and requesting machines newly support the protocol. And it was virtually impossible to implement.

An object of the present invention is to provide an inter-network communication relay method capable of confirming that a connection requesting machine exists without providing a special protocol, and preventing a sabotage using a false address. It is to provide a device.

[0009]

The above problem can be prevented to some extent by confirming whether a connection requesting machine really exists. This is because machines that intentionally send request packets are more likely to use addresses that are not on the external network to hide their identity and make attacks more efficient. This is done using echo request / reply packets, which are included as standard in the network protocol and are supported by all existing machines.

More specifically, when relaying a connection request packet from a machine in the first network to a machine in the second network, it is determined whether or not the connection requesting machine exists in the first network. An echo request is sent to the connection requesting machine, the presence or absence of an echo response to the echo request is confirmed, and the connection request packet is transferred to the second network only when the echo response is received.

For example, in the Internet, ICMP (Internet
Control Message Protocol) echoequest / reply. If a protocol already included in such a standard is used, it is not necessary to introduce a new special confirmation protocol, and the existence can be easily confirmed.

[0012] The echo request is to expect that one machine sends certain data to the target machine, and returns the data as it is as a response. To send data, use an echo request packet. The echo response is to return data as it is in response to the transmitted echo request. Use the echo reply packet to send back.

The contents of the data included in the echo request packet are as follows: (1) a connection request packet or a compressed version of the connection request packet, or a connection request source address, a connection request destination address, a connection request source application identifier, a connection request Data including a destination application identifier and a connection request packet identifier; (2) data obtained by adding additional information such as a time, a relay device address, and a random number to the above (1); (3) the above (2) or (3) ), And information that cannot be forged by others using encryption technology.

[0014] Data generation methods that cannot be forged include: (1) a method of applying a one-way function to data obtained by combining data and secret data; and (2) a method of applying data or a result obtained by applying a one-way function to the data. There is a method of encrypting with a key.

There are two types of encryption methods, public key encryption and secret key encryption. In the case of public key encryption, a so-called secret key (private key) known only to the owner is used. Encrypt.

In general, the result of applying the one-way function in (1) and the result of encryption in (2) are called a signature. To check for forged signatures,
(1) The result of applying the one-way function to the data obtained by combining the secret data and the data contained in the echo response packet and the signature contained in the echo response packet are compared. (2) The data included in the echo response packet or the result obtained by applying the one-way function to the data and the result obtained by decrypting the signature are compared. In the case of public key encryption, decryption is performed using a so-called public key.

The one-way function is a function for converting input data into output data of a fixed length, and has the following characteristics.

(1) It is very difficult to guess input data from output data, (2) it is very difficult to find different input data that is the same output data, and the technology related to these signatures is described by Ikeno and Koyama. Since it is described in detail in modern cryptography published by the Institute of Electronics, Information and Communication Engineers, as well as in books on cryptography and information security, detailed description is omitted.

[0019]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the drawings.

FIG. 1 is a system configuration diagram showing an embodiment of an inter-network communication system to which the present invention is applied.
In FIG. 1, reference numeral 101 denotes a connection request source machine connected to the external network 104. This machine 101
Sends a connection request packet to the connection request destination machine 102 to make a connection request.

Reference numeral 102 denotes a connection destination machine connected to the internal network 105. The machine 102 receives a connection request packet from the connection requesting machine 101 and accepts the connection request.

A relay device 103 connects the external network 104 and the internal network 105, and is a portion to which the present invention is applied. The relay device 103 relays communication packets exchanged between the external network 104 and the internal network 105 in addition to the connection request packet, and can be realized by being incorporated in a relay mechanism such as a firewall, for example. In addition, the present invention is not limited to a configuration in which the relay device is independent, and may be a configuration in which the relay device is incorporated in a communication path to a connection request destination.

Reference numeral 104 denotes an external network, to which the connection request source machine 101 and the relay device 103 are connected.

Reference numeral 105 denotes an internal network to which the connection request destination machine 102 and the relay device 103 are connected.

FIG. 2 illustrates the operation of the relay device 103, and the arrows in the figure indicate the source and destination of the communication packet. For example, the uppermost arrow indicates that the connection request packet is transmitted from the request source machine 101 and received by the relay device 103. Under normal circumstances, the exchange of communication packets occurs in order from top to bottom. 201
Indicates that the connection request packet is a packet received by the relay device 103 on the way from the request source machine 101 to the request destination machine 102.

Reference numeral 202 denotes an echo request packet transmitted from the relay device 103 that has received the connection request packet 201 to the request source machine 101. Note that the echo request packet 202 includes data generated from the connection request packet 201.

Reference numeral 203 denotes an echo response returned from the request source machine 101 to the relay device 203 in response to the echo request packet 202. Note that the echo response packet 203 includes data generated from the connection request packet 201 included in the echo request packet 202.

Reference numeral 204 denotes a connection request packet transmitted from the relay device 103 to the request source 102 in response to the echo response packet 203.

FIG. 3 shows a structure of a general communication packet transmitted / received between the networks 104 and 105. Reference numeral 301 denotes a destination address of the packet. 3
02 is a source address of the packet. Reference numeral 303 denotes a packet identifier indicating the type of the packet. In the present embodiment, types of packets include a connection request, an echo request, and an echo response.

Reference numeral 304 denotes data included in the packet. The content of the data is determined by the type of the packet. In the connection request packet, the application identifier of the connection request destination, in the echo request packet, the data requesting the echo,
The echo reply packet contains the echoed data.

FIG. 4 is a block diagram showing the internal structure of the relay device 103.

In FIG. 4, reference numeral 401 denotes a communication device connected to the external network 104;
The exchange of communication packets with the G.04 is performed. A communication device 402 is connected to the internal network 105 and exchanges communication packets with the internal network 105.

A packet processor 403 processes packets received by the communication devices 401 and 402, assembles / disassembles packets, and sends out the packets to the networks 104 and 105 using the communication devices 401 and 402. .

A signature generator 404 generates a signature to be included in the echo request packet 202. A data compression / decompression device 405 compresses data included in the echo request packet 202 and decompresses data included in the echo response packet 203. A clock 406 holds the current time. A memory 407 stores secret information. This secret information is used by the signature generator 404, and is used to generate a signature of the data included in the echo request packet 202.

FIG. 5 shows connection request packets 201 and 204.
501 indicates a connection request packet 2
01 is the destination address. In the present embodiment, this is the address of the request destination machine 102. Reference numeral 502 denotes a source address of the connection request packets 202 and 204. In the present embodiment, this is the address of the requesting machine 101.

Reference numeral 503 denotes a connection request packet identifier.
By referring to this, it is understood that this communication packet is the connection request packets 201 and 204.

Reference numeral 504 denotes a request destination application identifier. By referring to this, it is possible to know which application on the request destination machine 102 is making a connection request.

FIG. 6 shows the structure of the echo request packet 202. Reference numeral 601 denotes the destination of the echo request packet. Since this packet is transmitted by the relay device 103 to the requesting machine 101, it is the address of the requesting machine 101.

Reference numeral 602 denotes the source of the echo request packet 202. This packet is the address of the relay device 103 since the relay device 103 transmits the packet to the request source 101 machine. 603 is an echo request identifier. By referring to this, it is understood that this communication packet is the echo request packet 202.

Reference numeral 604 denotes echo request data, which comprises compressed data 605, time 606, and signature 607. 605
Is data obtained as a result of compressing the connection request packet of FIG. Reference numeral 606 denotes a time when the connection request packet is received, a time when the echo request packet is generated, or a time when the echo request packet is transmitted. 607 is the compressed data 60
5 and the time 606. The method for generating the signature will be described later.

FIG. 7 shows the structure of the echo response packet 203.
Is the address of the destination. This packet 203 is the address of the relay device 103 because the requesting machine 101 replies to the relay device 103. Reference numeral 702 denotes the source address of the echo response packet 203. This packet 203 is the address of the requesting machine 101 because the requesting machine 101 replies to the relay device 103. 703 is an echo response packet identifier. By referring to this, it is understood that this communication packet is the echo response packet 203.

Reference numeral 704 denotes echo response data. Since the echo response packet 203 is a response to the echo request packet 202, it should contain the echo request data 604, that is, the compressed data 605, the time 606, and the signature 607 as they are, and 705, 706, and 707, respectively.
Hit.

Next, referring to the flowchart of FIG.
Communication device 40 connected to external network 104
The operation of the relay device 103 in the case where the packet received from No. 1 is a connection request packet to the machine 102 in the internal network 105 will be described. This is the operation of the relay device 103 that transmits the echo request 202 in response to the arrival of the connection request packet 201 in FIG.

First, the packet processor 403 in the relay apparatus 103 compresses the connection request packet 201 itself by using the data compressor / decompressor 405 to reduce the data amount.
(Step 801). By doing so, the communication time in the following steps can be reduced.

Next, a signature is generated using the signature generator 404 based on the compressed data, the current time obtained from the clock 406, and the secret information in the memory 407 of the relay device 103.
(Step 802). As described above, the signature generation method includes (1) a method of applying a one-way function to data obtained by combining data and secret data, and (2) a method of applying data or a result obtained by applying a one-way function to the data. There is a method of encrypting with a secret key. Here, as the fastest method, a one-way function is applied to data obtained by combining the compressed data 605, the time 606, and the secret information 407, and the application result is used as a signature.

Next, the echo request packet 2 having the structure shown in FIG.
02 is assembled and sent to the connection requesting machine 101 using the communication device 401 (step 803). In this case, the request source address 601 of the echo request packet 202 is the same as the request source address 502 of the connection request packet 201, the relay device address 602 is the address of the relay device 103 itself, and the echo request identifier 603 requests the echo of The echo request data 604 includes the compressed data 605 obtained in step 801, the time 606 obtained in step 802, and the signature 607. At time 60
6 and the signature 607 are always the same length.

Next, the operation of the relay device 103 when an echo response corresponding to the echo request returns will be described with reference to the flowchart shown in FIG. In FIG. 2, when the echo response packet 203 is returned to the echo request packet 202, the same connection request packet 204 as the original connection request packet 201 is transmitted to the request destination machine 1.
02 is an operation of the relay apparatus 103 for transferring to the H.02.

First, when the packet processor 403 receives the echo response packet 203 including the echo response identifier 703 from the communication device 401 connected to the external network 104, the packet processor 403 first transmits the echo response data 704 to the relay device 103. It is confirmed whether or not the format corresponds to the echo request data 604 of the echo request packet 202 (step 901). Time 706 and signature 707
Are always the same length, so that the end of the data indicates the signature, time, and compressed data.

The length of the echo response data 704 is short,
If it cannot be separated in this way, it is determined that the packet does not conform to the format, the echo response packet 203 is discarded, and the processing is terminated.

If the format conforms, then the time 7
06 and the current time obtained from the clock 406, and the time 7
If 06 is old and the current time obtained from the time 706 and the clock 406 is within a predetermined time, it is determined that the time is appropriate (step 902). If not, the echo response packet 203 is discarded as time mismatch, and the process is terminated.

If the time is matched, a signature is generated by the signature generator 404 from the compressed data 705, the time 706, and the secret information in the memory 407 of the relay apparatus 103, and the echo response data 704 is generated. Signature 70 included in
7 is confirmed (step 903). If they do not match, the echo response packet 203 is discarded, and the process ends.

If the signatures match, the compressed data 705 is decompressed by the data compression / decompression unit 405, and it is confirmed whether the data corresponds to the connection request packet 201 of FIG. 5 (step 9).
04). The confirmation method is the transmission destination address, that is, the request destination 5
01 is for the machine of the internal network 104, whether the source address, that is, the request source 502 matches the source address 702 of the echo response packet 203, and whether the packet identifier is the connection request packet identifier 503
Judge whether or not. If it cannot be confirmed, the echo response packet 203 is discarded, and the process ends.

When the compressed data 705 is the connection request packet 20
If it is equivalent to 1, finally, the decompressed connection request packet 201 is transmitted as the connection request packet 204 to the request destination machine 102 using the communication device 402 for the internal network 105 (step 905).

As described above, according to the present embodiment, the relay device 103 responds to the connection request from the requesting machine 101.
Issues an echo request, confirms the presence of the requesting machine 101 in the external network 104 based on the echo reply returned as a result, and after this confirmation, sends a connection request from the requesting machine 101 to the request destination machine. Since the data is transferred to the machine 102, the external network 104
A connection request for the purpose of preventing communication from a machine that does not actually exist in the server 102 can be rejected, and execution of a communication obstruction act or a business obstruction act on the requested machine 102 can be disabled.

Also, since the echo request / response packet includes a connection request packet or a compressed version of the connection request packet, the connection request packet is stored between the time when the relay device 103 issues the echo request and the time the response is made. It is not necessary to save the load, and the load on the relay device 103 for this storage can be reduced.

Further, the contents of the echo response include
Since the signature generated using the secret information of No. 3 is included, the echo response cannot be forged. For this reason, it is also possible to prevent a high-level communication sabotage action due to forgery of the echo response. Also, when signing, time information is also added and the echo response packet containing the old time information is discarded, so the replay attack, that is, the old regular echo response is saved and later , It is possible to recognize this, and it is also possible to prevent a high level of communication jamming by duplicating the echo response.

Further, the relay device 103 transmits the requesting machine 1
01 and the destination machine 102, and the echo request / response packet can be a packet included in the standard protocol, for example, an ICMP echo request / response packet of the TCP / IP protocol. Both the original machine 101 and the request destination machine 102 can use the existing standard protocol as it is, and can save the cost of updating.

The echo request / response packet 202,
Although 203 includes data 605 and 705 obtained by compressing the original connection request packet 201, it is obvious that the connection request packet itself may be included. In this case, since the size of the echo request / response packets 202 and 203 becomes large, there is a problem that communication efficiency is reduced. However, if the compression / decompression is eliminated, the relay device 103
In some cases, it is advantageous to include the connection request packet as it is because the load on the connection request is reduced.

As another method, instead of the connection request packet itself, data composed of a connection request source address, a connection request destination address, a connection request source application identifier, a connection request destination application identifier, and a connection request packet identifier are contained in the packet. Obviously, the same applies to the method included in the echo request packet.

In addition, the simplest and most efficient method for generating a signature is adopted, but there is another method for encrypting the result of applying one-way relation to compressed data and time information. As a method of encryption, a method of applying secret key encryption using the secret key of the relay device 103 or a private key (p
There is a method of applying public key cryptography using a private key).

[0061]

As is clear from the above description, according to the present invention, in response to a connection request from a request source, an echo request is transmitted to the request source, and the external network is returned by the echo response returned as a result. After confirming that the request source exists in the network, and after this confirmation, the connection request from the request source is forwarded to the request destination, so that communication from a machine that does not actually exist in the external network It is possible to reject the connection request and disable execution of a communication obstruction act or a business obstruction act for the request destination.

Further, since the echo request / response packet includes a connection request packet or a compressed version of the connection request packet, it is necessary to store the connection request packet between issuing the echo request and responding. And the load for this preservation can be reduced.

Further, since the content of the echo response includes a signature generated using the secret information of the relay device, the echo response cannot be forged. For this reason, it is also possible to prevent a high-level communication sabotage action due to forgery of the echo response.
In addition, when signing, the time information is also added and signed,
Since the echo reply packet containing the old time information is discarded, the replay attack, that is, even if the old legitimate echo reply is stored and transmitted later, the echo reply can be recognized, and the duplicate of the echo reply is recognized. Can also make advanced communication sabotage impossible.

Further, the echo request / response packet is I
Since the corresponding packets included in the standard protocol such as the CMP echo request / response packet can be used, the request source and the request destination can use the existing standard protocol as it is, which has the effect of reducing the cost of updating the protocol. .

[Brief description of the drawings]

FIG. 1 is a system configuration diagram showing an embodiment of an inter-network communication system to which the present invention is applied.

FIG. 2 is a sequence diagram illustrating exchange of packets between a request source, a relay device, and a request destination.

FIG. 3 is a general configuration diagram of a packet.

FIG. 4 is an internal configuration diagram of the relay device.

FIG. 5 is a configuration diagram of a connection request packet.

FIG. 6 is a configuration diagram of an echo request packet.

FIG. 7 is a configuration diagram of an echo response packet.

FIG. 8 is a flowchart illustrating an operation of the relay device that has received the connection request packet.

FIG. 9 is a flowchart illustrating an operation of the relay device that has received the echo response packet.

[Description of sign]

101: connection requesting machine, 102: connection requesting machine, 103: relay device, 104: external network,
105: internal network, 201: connection request packet from the request source to the relay device, 202: echo request packet from the relay device to the request source, 203: echo response packet from the request source to the relay device, 204: request from the relay device Connection request packet that arrives first, 401: communication device with external network, 402: communication device with internal network, 403: packet processor, 404: signature generator,
405: data compression / decompression device, 406: clock, 407 ...
Memory of secret information, 501: destination of connection request packet
(Request destination) address, 502: source of connection request packet
(Request source) address, 503: packet identifier of connection request packet, 504: packet data of connection request packet
(Request destination application identifier), 601: destination (request source) address of the echo request packet, 602: source (relay device) address of the echo request packet, 603: packet identifier of the echo request packet, 604 ... Packet data, 605... Compressed data of the connection request packet which is the first data of the packet data, 6
06: time as the second data of the packet data, 60
7 ... signature, which is the third data of the packet data, 701
… The destination (relay device) address of the echo response packet, 7
02: source (request source) address of the echo response packet,
703: Packet identifier of echo response packet, 704
.., Packet data of the echo response packet, 705, compressed data of the connection request packet, which is the first data of the packet data, 706, time, which is the second data of the packet data, 707, signature, which is the third data of the packet data .

Claims (6)

[Claims] 1. A method of relaying communication between at least two networks, comprising: when relaying a connection request packet from a machine in a first network to a machine in a second network,
Sending an echo request to the connection requesting machine to determine whether the connection requesting machine is in the first network;
It is confirmed by the presence or absence of an echo response to this echo request, and only when there is an echo response, the connection request packet is
A method for relaying communication between networks, characterized in that: 2. The echo request is a content of a communication request packet or a compressed version of the content, time information, a connection request source address, a connection request destination address, a connection request source application identifier, and a connection request destination application. 2. The method according to claim 1, further comprising at least one of an identifier, an address of the relay device, and a random number. 3. A result of applying a one-way function to the contents of the echo request and the secret information, a result of encrypting the contents of the echo request, or a result of applying a one-way function to the contents of the echo request. 3. The method according to claim 2, wherein a result of the encryption is included as the content of the echo request. 4. An apparatus for relaying communication between at least two networks, wherein when relaying a connection request packet from a machine in a first network to a machine in a second network,
Sending an echo request to the connection requesting machine to determine whether the connection requesting machine is in the first network;
It is confirmed by the presence or absence of an echo response to this echo request, and only when there is an echo response, the connection request packet is
An inter-network communication relay device, comprising: means for performing network transfer. 5. The echo request is a content of a communication request packet or a compressed version of the content, time information, a connection request source address, a connection request destination address, a connection request source application identifier, and a connection request destination application. The inter-network communication relay device according to claim 4, further comprising at least one of an identifier, an address of the relay device, and a random number. 6. A result of applying a one-way function to the contents of the echo request and the secret information, a result of encrypting the contents of the echo request, or a result of applying a one-way function to the contents of the echo request. 6. The inter-network communication relay device according to claim 5, wherein a result of the encryption is included as the content of the echo request.