JP2007135035A - Communication device and packet processing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To transmit and receive IPsec packets speedily, and also IPsec packets to which an extension header is added. <P>SOLUTION: When the IPsec packet having an extension header is transmitted, a CPU 650 generates an IPv6 encapsulated packet where an internal IP packet is encapsulated and the extension header is added. An IPsec circuit 620 adds an ESP header to the packet, rewrites the information of payload length in an IP header, and generates an IPv6 IPsec packet having the extension header. When the IPv6 IPsec packet having the extension header is received, the IPsec circuit 620 acquires the internal IP packet by decoding processing, and rewrites the next header in the extension header and the payload length in the IP header of the IPsec packet. The IPv6 encapsulated packet having the extension header and the rewritten IP header and the extension with the internal encapsulated IP packet is output to the CPU 650. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a communication apparatus and a packet processing method for transmitting / receiving an IPsec packet.

  In recent years, IPsec (Security Architecture for Internet Protocol), which authenticates and encrypts IP packets, has been used to perform IP (Internet Protocol) communication safely.

FIG. 9 is a diagram for explaining the configuration of an IPsec packet. IPsec has a tunnel mode and a transport mode. Here, only the tunnel mode will be described.
In this specification, data transmitted / received in the data link layer corresponding to the second layer of the OSI (Open Systems Interconnection) reference model is described as a frame, and data transmitted / received in the third layer, that is, from the frame to the MAC (Media A packet excluding an Access Control) header and a VLAN (Virtual Local Area Network) header is described as a packet. For example, an IP packet consists of an IP header and IP data.

  IPsec is configured by adding a protocol such as ESP (Encapsulating Security Payload) to IP. When the transmission / reception data is encrypted, in IPsec in the tunnel mode, the IP packet 710 is encrypted to generate an encrypted packet 720, and a trailer 730 is added. Further, a new IP header 740 and an IPsec header 750 are added to generate an IPsec packet in which the encrypted packet 720 and the trailer 730 are encapsulated. Here, the new IP header 740 set in the IPsec packet is called an outer IP header, and when the outer IP header uses IPv6, it is described as an outer IPv6 header. When ESP is used, an ESP header is used as the IPsec header 750. The ESP header includes an SPI (security parameter index) and a sequence number. The SPI indicates a value used for searching a SAD (Security Association Database) that manages SA (Security Association) that is a logical connection in IPsec. The sequence number indicates the order of packets.

  Examples of algorithms used for encryption include a NULL encryption algorithm (which does not use an encryption function), CBC-AES (Cipher Block Chaining-Advanced Encryption Standard), and the like. When using CBC-AES, an IV (initial vector) 760 that is information used for the next encryption is set between the IPsec header (ESP header) 750 and the encrypted packet 720. When generating the encrypted packet 720, the IP packet 710 is padded and encrypted. The length of padding to the IP packet 710 is determined such that the total length of the generated encrypted packet 720 and trailer 730 is an integral multiple of a predetermined number of bytes. The trailer 730 is data including the padding length and the next header information, and is encrypted except for the NULL encryption algorithm. The padding length indicates the length of padding performed on the IP packet 710 when the encrypted packet 720 is generated. Further, the next header indicates the protocol of the header that comes after the IPsec header (ESP header) 750 in the packet, and in this figure, since it is a tunnel mode, a value indicating IP is set. When performing authentication, an ICV (Integrity Check Value) 770 that is authentication data is added after the trailer 730.

There are two types of configurations of a conventional apparatus equipped with IPsec: a look-aside type and an inline type (see Non-Patent Document 1, for example).
FIG. 10 is a block diagram showing a configuration of a packet transfer apparatus equipped with a look-aside type IPsec circuit. In the figure, a CPU (Central Processing Unit), a first LAN (Local Area Network) port that transmits and receives frames including IPsec packets, a second LAN port that transmits and receives frames including IP packets, and an IPsec circuit are connected via a bus. Connected. In this configuration, the CPU receives an IPsec packet from the first LAN port, performs packet header processing including decapsulation (step S1001), and transfers the encrypted data to the IPsec circuit (step S1002). The IPsec circuit transfers the decrypted data to the CPU (step S1003), and the decrypted IP packet is transferred from the CPU to the second LAN port for transmission processing (step S1004).

  As described above, in the packet transfer apparatus shown in the figure, the CPU transmits / receives an IPsec packet, and only the fixed processing of encryption / decryption / authentication is processed by the IPsec circuit configured by wired logic. Since packet header processing including encapsulation and decapsulation is performed by software executed on the CPU, there is flexibility in that it can cope with various packet formats. However, the received packet data is transferred multiple times between the CPU / memory / IPsec circuit via the bus. For this reason, the bus performance limits the packet processing capability, and the CPU load for packet header processing increases.

  FIG. 11 is a block diagram showing a configuration of a packet transfer apparatus equipped with an inline IPsec circuit. In the figure, a first LAN port for transmitting and receiving a frame including an IPsec packet is directly connected to an IPsec circuit, and a second LAN port for transmitting and receiving a frame including an IPsec packet is connected to the bus. Connected through. In this configuration, the IPsec circuit receives an IPsec packet from the first LAN port, performs packet header processing including decapsulation, and decryption / authentication processing (step S1011), and transfers the decapsulated packet to the CPU (step S1012). ). Then, the IP packet is transferred from the CPU to the LAN port, and transmission processing is performed (step S1013).

As described above, in the packet transfer apparatus shown in the figure, since the IPsec circuit performs not only encryption, decryption, and authentication routine processing but also packet transmission / reception and packet header processing for the packet, there is no CPU interruption, The load is reduced and the number of times packet data is transferred via the bus 962 is reduced.
Tokyo Electron Device Co., Ltd., “Tokyo Electron Device News”, [online], [August 3, 2005], Internet <URL: http://www.teldevice.co.jp/tednews/Vol-78/engineer .html>

  The above-described inline type IPsec circuit can perform high-speed processing. However, since the IPsec circuit is realized by hardware processing, the packet header processing becomes a standard processing, and there is a problem that an exceptional packet structure cannot be handled. In particular, the IPsec circuit of the IPv6 router device processes the tunnel mode IPsec packet. However, since the IPsec circuit performs the encapsulation and decapsulation processing, an extension header is added to the encapsulated outer IPv6 header and transmitted. In addition, when a packet with an extension header added is received, the extension header processing corresponding to the contents of the extension header cannot be performed.

In addition, since the IPsec encapsulation that adds the outer IP header or the like is performed on the received IP packet, the frame length after the IPsec encapsulation becomes larger than the frame length before the IPsec encapsulation, but before and after the IPsec encapsulation. Both frames cannot exceed the maximum frame length of the data link layer. For this reason, when the frame length before IPsec encapsulation is close to the maximum frame length of the data link layer, the frame length after IPsec encapsulation exceeds the maximum frame length. Since it cannot be transmitted as it is, normally, the received IP packet is divided and then encapsulated and transmitted. When the IPsec packet is received, it is decapsulated to obtain the divided IP packets, and these are re-sent. It is configured and returned to the IP packet before division (first method). Alternatively, the received IP packet is encapsulated and transmitted after being divided, and when the divided IPsec packet is received, these are reconstructed and returned to the pre-divided IPsec packet, and then decapsulated into the IP A packet is acquired (second method). Here, since the division processing and the reconfiguration processing are complicated, software processing is preferable to hardware processing in which the circuit scale increases. Also, hardware processing is desirable for IPsec encapsulation and decapsulation processing with a large calculation amount. However, the first method has a problem that it is limited to IPv4 packets in which no division prohibition bit is set. In addition, the second method performs transmission after dividing processing after IPsec processing, and also needs to perform IPsec processing after reconfiguration processing of the received packet. Therefore, between hardware transmission / reception and IPsec processing, There is a problem that inline IPsec processing becomes difficult due to software division processing and reconfiguration processing.
The extension header of the IPv6 packet includes a hop-by-hop option, a destination option, routing, fragment, authentication (Authentication), ESP, and the like. For details, refer to IETF (Internet Engineering Task Force) RFC (Request For Comments) See 2460.

  The present invention has been made in order to solve the above-described problems. The object of the present invention is to perform high-speed IPsec packet transmission / reception processing, as well as transmission / reception processing for IPSec packets with an extension header added and IPsec packets with fragments. It is an object of the present invention to provide a communication apparatus and a packet processing method capable of performing the above.

  In order to solve the above problem, the present invention transmits an IPv6 IPsec packet with an extension header in which an IP packet is an inner IP packet and IPv6 IPsec encapsulation in ESP tunnel mode is performed and an extension header is added to the outer IPv6 packet. The IPv6 encapsulated packet with the extension header added to the IPv6 encapsulated packet obtained by adding the extension header to the IPv6 encapsulated packet obtained by encapsulating the inner IP packet into the IPv6 encapsulated packet. When the IPv6 encapsulated IPsec transmission information is added to the IPv6 packet output by the software processing unit and the IPv6 packet output by the software processing unit. An IPsec processing unit that performs ESP encryption processing on an inner IP packet of the IPv6 packet and outputs the packet as an IPv6 IPsec packet with an extension header; and an interface unit that transmits the IPv6 IPsec packet with an extension header output by the IPsec processing unit; A communication apparatus comprising:

  Also, the present invention provides a communication apparatus that transmits an IPv6 IPsec packet that has been encapsulated with an IPv6 IPsec in ESP tunnel mode using the IP packet as an inner IP packet, and when the length of the IPv6 IPsec packet exceeds the MTU, The packet is IPv6 encapsulated, the IPv6 encapsulated packet is divided into a plurality of fragment IPv6 packets each having a fragment extension header added thereto, and each fragment IPv6 packet is an IPv6 encapsulated packet for IPsec transmission processing. A software processing unit that adds and outputs the IPv6 encapsulated IPsec transmission information indicating, and the fragment IPv6 packet output by the software processing unit to the IPv6 encapsulated I When the sec transmission information is added, the ESP encryption processing is performed on the data after the fragment extension header of the fragment IPv6 packet, and output as an IPv6 IPsec packet, and output by the IPsec processing unit And an interface unit that transmits an IPv6 IPsec packet.

  The present invention also relates to a communication apparatus that receives an IPv6 IPsec packet with an extension header in which an IPv6 IPsec encapsulation in an ESP tunnel mode is performed using an IP packet as an inner IP packet, and an extension header is added to the outer IPv6 packet. An interface unit that receives and outputs an IPsec packet, and detects that the IPv6 IPsec packet output by the interface unit is an IPsec reception processing target packet to which an extension header is added, and includes the detected IPv6 IPsec packet. ESP decryption processing is performed, the IP packet of the ESP payload is set as the inner IP packet, the IPv6 header of the IPv6 IPsec packet has the outer IPv6 header, and the extension header is added. An IPv6 encapsulation packet with a header, an IPv6 encapsulation packet with an extension header, and a predetermined extension header process based on the extension header of the IPv6 encapsulation packet with an extension header output from the IPsec processing unit. And a software processing unit that decapsulates the packet to obtain an inner IP packet.

Further, the present invention provides an interface unit that receives and outputs an IPv6 IPsec packet in a communication device that receives an IPv6 IPsec packet that has undergone IPv6 IPsec encapsulation in an ESP tunnel mode using the IP packet as an inner IP packet;
ESP decoding processing is performed on the IPv6 IPsec packet output by the interface unit, and it is detected that a fragment extension header is added to the head of the ESP payload. The detected data is used as the payload, and the IPv6 IPsec packet is detected. An IPv6 header in the outer IPv6 header and outputting a fragment IPv6 packet, and collecting a plurality of the fragmented IPv6 packets divided from one IPv6 packet, reconfiguring the IPv6 packet before the division And detecting that the IPv6 packet is an IPv6 encapsulated packet obtained by encapsulating an IPv6 packet into an IPv6 packet, and decapsulating the detected IPv6 encapsulated packet to obtain an inner IP packet. And Towea processor, a communication device, characterized in that it comprises a.

  Further, the present invention is used for a communication apparatus that performs IPv6 IPsec encapsulation in ESP tunnel mode using an IP packet as an inner IP packet, and transmits an IPv6 IPsec packet with an extension header in which an extension header is added to the outer IPv6 packet. A packet processing method, wherein a software processing unit transmits an IPv6-encapsulated IPsec packet to an IPv6 encapsulated packet with an extension header obtained by adding the extension header to an IPv6 encapsulated packet obtained by encapsulating the inner IP packet with IPv6 IPv6 encapsulated IPsec transmission information indicating that the packet is a processing target is added and output, and the IPsec processing unit transmits the IPv6 encapsulated IPsec transmission to the IPv6 packet output by the software processing unit. When information is added, ESP encryption processing is performed on the inner IP packet of the IPv6 packet, and output as an IPv6 IPsec packet with an extension header. The interface unit has an extension header output by the IPsec processing unit. A packet processing method characterized by transmitting an IPv6 IPsec packet.

  The present invention also relates to a packet processing method used in a communication apparatus for transmitting an IPv6 IPsec packet obtained by encapsulating an IPv6 IPsec in ESP tunnel mode using an IP packet as an inner IP packet, wherein a software processing unit includes the IPv6 IPsec packet. When the length of the packet exceeds the MTU, the inner IP packet is IPv6 encapsulated, the IPv6 encapsulated packet is divided into a plurality of fragment IPv6 packets each having a fragment extension header added thereto, and each of the fragment IPv6 packets has an IPv6 capsule. IPv6 encapsulated IPsec transmission information indicating that the packet is a target packet for IPsec transmission processing is added and output, and the IPsec processing unit outputs the fragment sent by the software processing unit. When IPv6 encapsulated IPsec transmission information is added to the IPv6 packet, ESP encryption processing is performed on the data after the fragment extension header of the fragment IPv6 packet, and output as an IPv6 IPsec packet. An IPv6 IPsec packet output by the IPsec processing unit is transmitted.

  Further, the present invention is used in a communication apparatus that receives an IPv6 IPsec packet with an extension header in which an IPv6 IPsec encapsulation in an ESP tunnel mode is performed using an IP packet as an inner IP packet, and an extension header is added to the outer IPv6 packet. A packet processing method in which an interface unit receives and outputs an IPv6 IPsec packet, and an IPsec processing unit outputs an IPv6 IPsec packet output by the interface unit as a packet subjected to IPsec reception processing to which an extension header is added. , The ESP decoding process is performed on the detected IPv6 IPsec packet, the IP packet of the ESP payload is set as the inner IP packet, and the IPv6 header of the IPv6 IPsec packet is set as the outer I packet. An IPv6 encapsulated packet with an extension header having the extension header added to the v6 header is output, and the software processing unit is based on the extension header of the IPv6 encapsulated packet with an extension header output from the IPsec processing unit. A packet processing method characterized by performing predetermined extension header processing and decapsulating the IPv6 encapsulated packet with extension header to obtain an inner IP packet.

  The present invention also relates to a packet processing method used in a communication apparatus for receiving an IPv6 IPsec packet obtained by performing IPv6 IPsec encapsulation in an ESP tunnel mode using an IP packet as an inner IP packet, wherein the interface unit converts the IPv6 IPsec packet to The IPsec processing unit performs ESP decoding processing on the IPv6 IPsec packet output by the interface unit, detects that a fragment extension header is added to the head of the ESP payload, A fragment IPv6 packet having the detected data as a payload and having an IPv6 header of the IPv6 IPsec packet in an outer IPv6 header is output, and a software processing unit is divided into a plurality of pieces divided from one IPv6 packet. The fragmented IPv6 packet is collected, reassembled to obtain an undivided IPv6 packet, and detected that the IPv6 packet is an IPv6 encapsulated packet obtained by encapsulating an IPv6 packet into an IPv6 packet. A packet processing method characterized in that an IPv6 encapsulated packet is decapsulated to obtain an inner IP packet.

  According to the present invention, the communication apparatus can realize transmission / reception processing by combining hardware processing and software processing for an IPSec packet to which an extension header is added. In the present invention, since the IPv6 encapsulated packet is divided, the inner IP packet is not restricted. That is, for the received packet, reconfiguration processing is performed after IPsec processing, and transmission is performed by performing IPsec processing after splitting processing. Therefore, hardware transmission / reception and IPsec processing are continuously performed, and inline-type IPsec processing is performed. Is possible. In addition, when the IPsec packet generation exceeds the signal length that can be transmitted / received, the transfer target IP packet can be divided and transmitted / received.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
In the present embodiment, data transmitted and received in the data link layer corresponding to the second layer of the OSI (Open Systems Interconnection) reference model is described as a frame, and data transmitted and received in the third layer, that is, MAC (Media Access) from the frame. A packet excluding a (Control) header and a VLAN (Virtual Local Area Network) header is described as a packet.

FIG. 1 is a diagram illustrating a configuration of a communication apparatus according to an embodiment.
IPsec transmitted / received in the present embodiment is transmitted / received by IPv6 and uses ESP (Encapsulating Security Payload) in tunnel mode.
In the figure, an IPsec circuit 620 configured by a wired LAN and a first LAN (Local Area Network) port 610 (interface unit) that transmits and receives a frame including an IPsec (IP Security Architecture for Internet Protocol) packet and performs IPsec processing. (IPsec processing unit) is connected. Further, a second LAN port 640 (interface unit) that transmits and receives a frame including an IP packet, an IPsec circuit 620, and a CPU (Central Processing Unit) 650 (software processing unit) transfer a packet 630 (transfer unit). )It is connected to the.

In this configuration, the IPsec circuit 620 performs decapsulation when an extension header is not added to the IPsec packet in the IPv6 tunnel mode received from the first LAN port 610 (step S1), and the transfer circuit 630 is decapsulated. The IP packet is transferred to the second LAN port 640 (step S2).
On the other hand, when the extension header is added to the outer IPv6 header of the IPsec packet in the IPv6 tunnel mode received in step S1, the IPsec circuit 620 decrypts the encrypted original IP packet, The packet is converted into an IPv6 packet having a format including an extension header and IP data obtained by encapsulating the decrypted IP packet. Hereinafter, a format in which an IP packet is encapsulated in an IPv6 packet in this way is referred to as an “IP in V6 format”. The IPsec circuit 620 transfers the IP in IPv6 format packet to the CPU 650 by the transfer circuit 630 (step S2 ′).

  As described above, when the communication apparatus 100 performs packet transfer by hardware (transfer circuit 630) instead of the CPU 650 in order to perform high-speed packet transfer, the transfer circuit 630 may perform exceptional extension header processing. Since the packet cannot be converted to the IP in IPv6 format, the packet is transferred to the CPU 650, and the normal decapsulated packet is transferred to the LAN port 640 by hardware without going through the CPU 650.

FIG. 2 is a block diagram illustrating a detailed configuration of the communication apparatus 100 connected to a LAN (Local Area Network) and a WAN (Wide Area Network).
The communication apparatus 100 is connected to a physical I / F (Interface) 500 connected to a WAN and a physical I / F 501 connected to a LAN via an interface of GMII (Gigabit Medium Independent Interface) or MII (Medium Independent Interface) standards. The packet transmitted from the LAN side is transferred to the WAN side, and the packet transmitted from the WAN side is transferred to the LAN side. In the communication apparatus 100 of the present embodiment, IPv4 or IPv6 packets are transmitted and received in the network layer corresponding to the third layer of OSI, and Ethernet (registered trademark) frames are transmitted and received in the data link layer corresponding to the second layer of OSI. Do.

  The communication device 100 includes a communication processing circuit 200 composed of semiconductor elements, a CPU 400, and a DDR-SDRAM (Double Data Rate-Synchronous Dynamic Random Access Memory) 300 in order to speed up transfer processing.

  The DDR-SDRAM 300 is a semiconductor memory element, and is divided into areas each having a constant capacity value, for example, 2 kilobytes, and allocates and stores one divided area regardless of whether the frame length is long or short. . Each divided area is associated with a handle number assigned by a handle management unit 255 described later.

  The CPU 400 mainly receives a frame that cannot be transferred by the communication processing circuit 200 from the communication processing circuit 200 and performs processing such as detecting a transfer destination for the received frame based on software that operates in advance. . The driver 400a included in the CPU 400 writes and reads packets input to the CPU 400 by the communication processing circuit 200 to / from the internal memory of the CPU 400, and sets information for controlling the operation of each function unit of the communication processing circuit 200. Perform for each functional unit.

  In the communication processing circuit 200, a WAN MAC (Media Access Control) I / F 205 is a connection interface connected to a physical I / F 500 connected to the WAN. The LAN MAC I / F 275 is a connection interface connected to the physical I / F 501 connected to the LAN. The WAN MAC I / F 205 and the LAN MAC I / F 275 have standards conforming to the above-described GII and MII, and are used for an Ethernet (registered trademark) frame (hereinafter referred to as a frame) to be transmitted and received. 3 compliant MAC processing is performed, and CRC (Cyclic Redundancy Check) processing is performed on a frame transmitted / received to / from the physical I / F 500 or 501.

  The IPsec unit 210 is connected to the WAN MAC I / F 205, the write scheduler unit 215, and the frame generation unit 260. The IPsec unit 210 performs encryption processing on a packet transmitted to the WAN and decryption processing on a packet received from the WAN, based on an RFC processing conforming to RFC (Request for Comments) 2406. Here, RFC2406-compliant IPsec processing refers to RFC2403 / 2404-compliant HMAC-MD5 (Keyed Hashing for Message Authentication Code-Message Digest 5) and HMAC-SHA-1 (HMAC-Secure Hash Algorithm-1) authentication functions, This is encryption and decryption processing for IPv4 and IPv6 packets by using the encryption function of RFC 2410/2451 NULL, CBC-AES (Cipher Block Chaining-Advanced Encryption Standard).

  The write scheduler unit 215 is connected to the IPsec unit 210, the LAN MAC I / F 275, and the CPU I / F 265 connected to the CPU 400, and in a round robin manner, the IPsec unit 210, the LAN MAC I / F 275, In the order of the CPU I / F 265, a frame to which information is added by these three function units (hereinafter, a frame to which information is added by the three function units will be described as frame information) is output.

  The CPU I / F 265 is connected to each functional unit of the communication processing circuit 200, the write scheduler unit 215, the memory controller unit 220, and the CPU 400, and inputs a frame output from the CPU 400 to the write scheduler unit 215. When the CPU 400 performs setting for each function unit of the communication processing circuit 200, the CPU I / F 265 inputs setting information to the corresponding function unit. Further, frame information output from the memory controller unit 220 is input to the CPU 400.

  The DDR-SDRAM I / F 225 is connected to the memory controller unit 220 and the DDR-SDRAM 300, and performs frame input / output between the memory controller unit 220 and the DDR-SDRAM 300.

  The memory controller unit 220 is connected to the write scheduler unit 215, the frame generation unit 260, the DDR-SDRAM I / F 225, the parser unit 230, the handle management unit 255, and the QoS unit 250. For the frame information input from the write scheduler unit 215, the memory controller unit 220 stores the DDR-SDRAM I / O in the divided area of the DDR-SDRAM 300 corresponding to the handle number of the empty handle given from the handle management unit 255. Write to the DDR-SDRAM 300 via F225. Further, the memory controller unit 220 adds the handle number given from the handle management unit 255 to the frame information input from the write scheduler unit 215 and outputs the frame information to the parser unit 230. In addition, the memory controller unit 220 reads frame information from the DDR-SDRAM 300 area corresponding to the handle number included in the job information output from the QoS unit 250 described later via the DDR-SDRAM I / F 225, and reads the read frame information. Information based on job information is added to the information and output to the frame generation unit 260 or output to the CPU 400 via the CPU I / F 265.

  The parser unit 230 analyzes the frame information to which the handle number is added by the memory controller unit 220, extracts header information that is information related to transfer processing from the frame information, and the memory controller unit 220 as analysis result information. Is output together with information such as the handle number added.

  The search unit 235 refers to the transfer condition information set in the search unit 235 in advance by the CPU 400 based on the analysis result information input from the parser unit 230 and discards the frame based on the transfer condition information. Filter search result information indicating whether to pass, pass to CPU 400, that is, input to CPU 400, classification search result indicating information such as quality class, and the like, and the detected filter search result information and classification search result Then, a part of the analysis result information input from the parser unit 230, for example, the frame length or the like is output to the CPU transfer determination unit 240. Here, the conditions included in the transfer condition information include a MAC address, an IP address, a port number, and the like, and a search for whether or not the frame header information included in the analysis result information matches these transfer condition information. Done.

  The search unit 235 does not search for a frame in which an error is detected by the parser unit 230 and a frame input from the CPU 400 via the CPU I / F 265. The search includes reception logic I / F search, NAT (Network Address Translation) / NAPT (Network Address Port Translation) search, route search, filter search, and classification search. In each search, all or a part of various types of information included in the analysis result information (target information is different depending on the search), a determination condition set by the CPU 400, and a determination mask for each determination condition (invalidity of the determination condition or It is determined whether or not the rule is configured (a plurality of rules can be set for each search) composed of rules (designation such as invalidity of some bits, and determination conditions without a mask). In the above-described conformity determination, for each determination condition that is not invalidated by the determination mask, a comparison operation is performed to obtain a match / mismatch with the analysis result information obtained by the parser unit 230 from the input frame, and the determination condition Only when a match is obtained for all of the above, it is determined that the rule is satisfied. After that, each search outputs the search result added to the matched rule (when multiple matched rules are found, the priority set for each rule is compared and the rule with higher priority). .

  The determination conditions constituting the rule of the reception logical I / F search are: reception physical I / F, transmission source MAC address, VLAN presence / absence, VLAN ID when VLAN is present, PPPoE presence / absence, PPPoE session ID when PPPoE is present, reception The reception SA number when there is IPsec and reception IPsec is present, and the search results are the reception logical I / F number, the presence / absence of CPU transfer, and the presence / absence of NAT / NAPT. Here, the reception logical I / F number is a number for identifying the logical I / F that has received the packet, and a plurality of logical I / Fs can be set for one physical I / F by VLAN or IPsec VPN. . Further, only the packets obtained as a result of having NAT / NAPT as described above are subjected to NAT / NAPT search (global → local) described later.

  The search conditions constituting the NAT / NAPT search (global → local) rule are the destination IP address and the destination TCP / UDP port number (NAPT only), and the search result is the IP address after replacement and the destination TCP / UDP port. Number (only NAPT). Here, each of route search, filter search, and classification search for a packet subjected to NAT / NAPT search (global → local) is not a destination IP address and a destination TCP / UDP port included in the analysis result information. The destination IP address after replacement, which is the NAT / NAPT search result, and the destination TCP / UDP port are searched for, and a conformance determination with the above-described search rule is made (for a packet for global → local NAT / NAPT, the local address Or a search based on port number). Also, if no matching rule is found in the NAT / NAPT search (global → local) target packet, NAT / NAPT (global → local) search miss hit information is added to the CPU transfer factor. .

  The determination conditions constituting the route search rule are the reception logical I / F number, the transmission source IP address, and the destination IP address, and the search results are the transmission logical I / F number, the destination MAC address, and the MTU (Maximum Transmission Unit). Length, NAT / NAPT presence / absence, MAC address unresolved presence / absence, self presence / absence. Here, the transmission logical I / F number is a number for identifying a logical I / F that transmits a packet (if the reception logical I / F and the transmission logical I / F are the same, the number is also common). Also, only the packets that obtained the result with NAT / NAPT in the above. It becomes a target of the NAT / NAPT search (local → global) described later. Also, the MTU length is compared with the packet length, and if the packet length is longer, information indicating that the MTU length has been exceeded is added to the CPU transfer factor. In addition, the MAC address unresolved information is added to the CPU transfer factor in the packet with the MAC address unresolved. In addition, information about the self-addressed packet is added to the CPU transfer factor for the self-addressed packet.

  The search conditions constituting the NAT / NAPT search (local → global) rule are the transmission source IP address and the transmission source TCP / UDP port number (only NAPT), and the search result is the transmission source IP address after transmission and the transmission. This is the original TCP / UDP port number (only NAPT). If no matching rule is found in the NAT / NAPT search (local → global) target packet, NAT / NAPT (local → global) search miss hit information is added to the CPU transfer factor. The

  The judgment conditions constituting the rules of filter search and classification search are: reception logical I / F number, transmission logical I / F number, VLAN priority, IPv4 / IPv6, transmission source IP address, destination IP address, TOS / traffic class (Uses TOS for IPv4, uses traffic class for IPv6), option / extension header presence / absence, fragment status (no fragment, head / end / intermediate), TOS / traffic class, upper layer protocol, transmission The search is performed using the original port number, the destination port number, the TCP flag, and the ICMP type code as conditions. The filter search result specifies discard / pass / CPU transfer, and the classification search result includes various information related to the quality class (VLAN priority at transmission, presence / absence of remark, TOS / traffic class at remark, specification of queue) Etc.).

  Whether the CPU transfer determination unit 240 assigns information indicating a CPU transfer factor, that is, a CPU transfer factor flag, which will be described later, to the frame detected by the search unit 235 as having a factor to be transferred to the CPU 400 and transfers the frame to the CPU 400. Or the decision result information is output together with the information output from the search unit 235.

  The queue selection unit 245 selects a queue number to be referred to when the QoS unit 250 selects a queue based on the quality class information included in the information input from the CPU transfer determination unit 240 or the logical I / F information of the transmission destination. Information detected and output from the CPU transfer determination unit 240 and the detected queue number are output.

  The QoS unit 250 generates job information based on the information output from the queue selection unit 245, and similarly records the generated job information in the corresponding queue based on the queue number output from the queue selection unit 245. Further, the QoS unit 250 reads job information recorded in the queue based on a predetermined priority for each queue, and outputs the job information to the memory controller unit 220. Further, when outputting to the memory controller unit 220, it outputs it to the handle management 255 in order to return the handle number. Here, the job information refers to the received frame length, transmission frame length, transmission logical I / F, destination MAC address, NAT for frames transmitted from the WAN MAC I / F 205 or LAN MAC I / F 275. It consists of information such as / NAPT designation, quality class corresponding to information such as DSCP and VLAN priority, and handle number. For frames transferred to the CPU 400, job information includes information such as a reception frame length, a transmission frame length, a reception logic I / F, a CPU transfer reason, a quality class, and a handle number.

  The handle management unit 255 is connected to the QoS (Quality of Service) unit 250 and the memory controller unit 220, and the DDR-SDRAM 300 is divided based on the handle numbers corresponding to the divided regions of the DDR-SDRAM 300. Perform airspace management of the area. In this case, the empty / busy management means that an empty handle number is output to the memory controller unit 220 and managed as a handle number in use, and the handle number to be returned by discarding the frame input from the QoS unit 250 or transmission The handle number to be returned is managed as an empty handle number because the area becomes empty. In addition, in the case of a multicast frame, the handle management unit 255 cannot delete the frame until transmission for the number of times of multicasting is completed, so that the QoS unit 250 outputs information on job information output to the memory controller unit 220 as a QoS unit. The number of multicasts determined at the start of transmission is managed by referring to a line branched from a connection line directly connected from 250 to the memory controller unit 220.

  Based on information set in advance from the driver 400a of the CPU 400, the frame generation unit 260 applies a VLAN (Virtual LAN) tag or PPPoE (Point) corresponding to the logical interface of the transmission destination for the frame output from the memory controller unit 220. to Point Protocol over Ethernet: Ethernet is a registered trademark) header and inserts the inserted frame. The frame generator 260 also changes the destination MAC address and the IP address and port number for NAT (Network Address Translation) / NAPT (Network Address Port Translation). Also, the frame generation unit 260 adds IPsec SA (Security Association) information to the frame output to the IPsec unit 210. In addition, the frame generation unit 260 adds a DSCP (DiffServ Code Point) IP packet to the header and a VLAN priority frame header. DSCP and VLAN priority are quality class information that is referred to during priority control. Here, the quality class information is classification information for classifying the type of information included in the transferred frame. When the type of information indicated by the classification information is, for example, voice, the quality class information is a frame having the classification type. Therefore, high-quality communication processing with a small delay is applied.

  Note that the frame determined to be discarded by the CPU transfer determination unit 240 is discarded by either the CPU transfer determination unit 240 or the QoS unit 250.

  Note that the WAN MAC I / F 205 and the LAN MAC I / F 275 as interface units correspond to the first LAN port 610 and the second LAN port 640 in FIG. 1, respectively. The IPsec unit 210 as the IPsec processing unit corresponds to the IPsec circuit 620 in FIG. Further, the CPU 400 as the software processing unit corresponds to the CPU 650 in FIG. In addition, the write scheduler unit 215, the memory controller unit 220, the DDR-SDRAM I / F 225, the parser unit 230, the search unit 235, the CPU transfer determination unit 240, the queue selection unit 245, the QoS unit 250, the handle management unit 255, the frame generation unit 260, CPU I / F 265, and DDR-SDRM 300 correspond to the transfer circuit 630 in FIG. 1.

<First Embodiment>
In the first embodiment, an IPsec processing procedure in the communication processing circuit 200 will be described.
First, basic transmission / reception processing of an IPsec packet in the configuration shown in FIG. 1 will be described.
The CPU 650 transfers the packet data to the IPsec circuit 620 by specifying that the IP packet to be transmitted in the IPsec tunnel mode is an IPsec processing target, specifying a tunnel (adding a number set for each tunnel). However, when various extension headers are added to a packet to be transmitted to the IPsec tunnel, the packet is encapsulated in the IP in IPv6 format before the packet data is transferred to the IPsec circuit 620, and further specified in the outer IPv6 header. The packet data to which the extension header is added is transferred, and a flag indicating that the packet is a target of IPsec processing, a tunnel, and the IP in IPv6 format is added.

Further, the CPU 650 reads the IP header of the packet received from each port, determines a port and an IPsec tunnel to be transmitted by a transfer process, and transfers the packet data to a predetermined interface (including the IPsec circuit 620). However, if the received packet has a flag indicating that it is in the IP in IPv6 format, the extension header processing is performed according to the extension header added to the outer IPv6 header, and after decapsulation, the inner IP header or the like is read. Then, the port and IPsec tunnel to be transmitted are determined by the transfer process, and the packet data is transferred to a predetermined interface (including the IPsec processing circuit 620).
As described above, when a received packet to be processed by IPsec is processed by the IPsce circuit 620 (receiving side) and then transferred to the CPU 650 by the transfer circuit 630, the CPU 650 converts the received packet data into the transferred packet data. It is possible to determine the presence / absence of decapsulation by using the added flag indicating IP in IPv6 format. However, a method is also possible in which the IPsec circuit 620 (reception side) does not generate a flag and does not add a flag indicating that the packet is transferred to the CPU 650 in the IP in IPv6 format. In this case, the CPU 650 analyzes the transferred packet data and detects that it is in the IP in IPv6 format.

After receiving processing, the IPsec circuit 620 (receiving side) outputs all received packet data to the transfer circuit 630 regardless of whether or not the packet is input from the CPU 650 to the transfer circuit 630, regardless of whether or not it is an IPsec processing target. To do. The transfer circuit 630 determines whether or not to transfer packet data to the CPU, and transfers only the packet data determined to be transferred to the CPU to the CPU 650. A packet that is determined not to be transferred to the CPU is transmitted from a transmission interface determined by the transfer circuit 630 (or a tunnel in the case of transmission via the IPsce circuit 620).
Note that the transfer circuit 630 can determine the CPU transfer using a flag indicating that the packet is in IP in IPv6 format added to the packet data. However, even if the flag is not added, the transfer circuit 630 can analyze the packet data in the IP in IPv6 format and determine the CPU transfer based on the destination IP address of the outer IPv6 header.

The packet reception operation in the IPsec circuit 620 will be described using the configuration shown in FIG.
The IPsec unit 210 (IPsec circuit 620) stores the destination IPv6 address of the outer IPv6 header and the SPI in the ESP header as SA determination conditions in association with SA (reception). The IPsec unit 210 acquires the SA (reception) in which the destination IP address of the outer IPv6 header extracted from the IPsec packet received from the WAN MAC I / F 205 and the SPI included in the ESP header match the above-described SA determination condition. . For a frame that does not include an IPsec packet or a frame that includes an IPsec packet but does not find a matching SA (reception), the IPsec unit 210 adds information indicating no received IPsec to the frame, and writes a scheduler. To 215. Here, the presence or absence of an extension header other than the ESP header after the outer IPv6 header is detected.

The operation of the IPsec unit 210 for an IPsec packet in which SA (reception) is found will be described below.
In correspondence with SA (reception), the IPsec unit 210 determines the SA processing condition (reception) based on the encryption algorithm, the encryption key (in the case of other than NULL encryption), the authentication algorithm, the authentication key (in the case of authentication), and the presence / absence of anti-replay. ). The IPsec unit 210 acquires SA processing conditions (reception) based on the SA (reception) of the received IPsec packet.

  The IPsec unit 210 performs authentication, decryption, and decapsulation processes using the acquired SA processing condition (reception), and acquires the decrypted inner IP packet. Further, information indicating the presence of received IPsec and a received SA number for identifying SA (reception) are added to the frame including the decrypted inner IP packet, and output to the write scheduler unit 215. Note that when there is anti-replay of the SA processing condition (reception), anti-replay processing is performed. Hereinafter, operations of authentication, decryption, decapsulation, and anti-replay processes will be described.

<Authentication process>
In the authentication process for the received IPsec packet, the ICV is calculated using a predetermined authentication algorithm and authentication key for the data before decryption from the beginning of the ESP header of the IPsec packet to the end of the trailer encrypted, A match with the ICV in the IPsec packet is determined. If a match is obtained in this determination, authentication is successful, and if they do not match, authentication fails. If no authentication is specified as the authentication algorithm, the above-described authentication process is not performed and the authentication is considered successful. A packet that is determined to have failed in the authentication process described above, or when an ICV cannot be obtained from the received IPsec packet (such as when the packet length is too short) is discarded in the IPsec unit 210.

<Decryption process>
In the decryption process for the received IPsec packet, decryption from the encrypted IV immediately after the encrypted IV (immediately after the ESP header if there is no IV such as a NULL encryption or an encryption algorithm in the EBC mode) to the end of the encrypted trailer. The previous data is decrypted using a predetermined encryption algorithm and encryption key. Note that the IV in the IPsec packet is used as the initial value of the decoding operation in the CBC mode. When NULL encryption (no encryption) is designated as the encryption algorithm, the above-described decryption process is not performed. If the data length to be decrypted is not an integral multiple of the block length predetermined by the encryption algorithm, it is discarded in the IPsec unit 210.

<Decapsulation processing; no extension header except ESP>
When there is no extension header other than ESP after the outer IPv6 header, in the decapsulation processing for the received IPsec packet, the outer IP header, ESP header, IV, trailer, and ICV are deleted from the IPsec packet, and the decoded inner IP packet is get. At this time, the pad is deleted based on the decoded pad length of the trailer, and IPv4 or IPv6 is designated as the layer 3 protocol of the frame based on the protocol of the inner IP packet. That is, the Type field of the Ethernet (registered trademark) frame is rewritten to a value corresponding to the protocol of the inner IP packet. Here, in addition to the information indicating the presence of received IPsec and the received SA number for identifying SA (reception), information indicating no IPv6 encapsulation may be added to the IPv6 encapsulated packet.

<Decapsulation processing; with extension header excluding ESP>
When there is an extension header other than ESP after the outer IPv6 header, in the decapsulation processing for the received IPsec packet, the ESP header, IV, trailer, and ICV are deleted from the IPsec packet, and after the outer IPv6 header and the outer IPv6 header. The extension header other than ESP is left, and the decrypted inner IP packet is rewritten to an IPv6 encapsulated packet which is an inner IP packet. At this time, the pad is deleted based on the decoded pad length of the trailer, and IPv4 or IPv6 is designated in the next header field in the extension header immediately before the inner IP packet based on the protocol of the inner IP packet. . That is, the next header field of the extension header is rewritten to a value corresponding to the protocol of the inner IP packet. Furthermore, the payload length of the outer IPv6 header is rewritten based on the length from immediately after the outer IPv6 header to the end of the inner IP packet. Here, in addition to the information indicating the presence of received IPsec and the received SA number for identifying SA (reception), information indicating the presence of IPv6 encapsulation may be added to the IPv6 encapsulated packet.

<Anti-replay process>
In the anti-replay processing for the received IPsec packet, the success of anti-replay is determined based on the sequence number in the ESP header of the IPsec packet that has been successfully authenticated and the sequence number status information managed by the IPsec unit 210 for each SA (reception). The failure is determined, and the state information of the sequence number is updated (only when the anti-replay process is successful). In this anti-replay process, a sliding reception window is used as the sequence number state information. The right end of the window represents the maximum value of the sequence number for a packet received at this SA and successfully authenticated. Packets containing a sequence number smaller than the left edge of the window are rejected. Packets that fall within the window are checked as received against the list of packets received within the window. If the received packet fits in the window and is new (not checked as already received), or if the received packet is at the right edge of the window, it is determined that anti-replay was successful. The packet determined to have failed in the above is discarded in the IPsec unit 210.

  The operation after the IPsec unit 210 outputs data to the write scheduler unit 215 follows the description of each unit in FIG. However, the IPv6 encapsulated packet output from the IPsec unit 210 when the extension header other than the ESP after the outer IPv6 header is present is determined to be addressed to itself based on the destination IPv6 address in the outer IPv6 header and transferred to the CPU 400. Is done. When information indicating the presence of IPv6 encapsulation is added to the IPv6 encapsulated packet, it may be transferred to the CPU 400 based on the information.

  The CPU 400 receives the IPv6 encapsulated packet with the extension header from the transfer circuit, performs predetermined extension header processing based on the extension header, and decapsulates the IPv6 encapsulated packet with the extension header to obtain the inner IP packet. . The process for the inner IP packet is the same as the process for a normal IP packet.

Next, the packet transmission operation in the IPsec circuit 620 will be described using the configuration shown in FIG.
The IPsec unit 210 (IPsec circuit 620) transmits the information from the frame generation unit 260 from the WAN MAC I / F 205 to which information indicating the presence / absence of transmission IPsec and a transmission SA number for identifying SA (transmission) are added. The input of the power frame is received. When information indicating no transmission IPsec is added, the IPsec unit 210 outputs the frame to the WAN MAC I / F 205 as it is. For frames input from the CPU 400 via the CPU I / F 265, the presence / absence of IPv6 encapsulation is indicated in addition to the information indicating the presence / absence of transmission IPsec and the transmission SA number for identifying SA (transmission). Information is added by the CPU 400. Here, when the above indicates that IPv6 encapsulation is present, these pieces of information are collectively defined as IPv6 encapsulated IPsec transmission information.

  The CPU 400 adds a predetermined extension header and performs IP6 encapsulation on the IP packet to be transmitted, encapsulates the IP packet as an inner IP packet, and encapsulates the IPv6 encapsulated packet with the extension header. An IPv6 encapsulated packet is provided with an L2 header (destination / source MAC address and Ethernet (registered trademark) frame type, etc.), IPv6 encapsulated IPsec transmission information is added, and a transfer circuit via the CPU I / F 265 To enter. It should be noted that an IP packet transmitted by performing IPsec encapsulation without adding an extension header is also encapsulated in IPv6 as an inner IP packet, and an L2 header (destination / source MAC address and Ethernet (registered trademark)) Frame type) and the like, and IPv6 encapsulated IPsec transmission information may be added and input to the transfer circuit via the CPU I / F 265.

  When the frame received by the WAN / LAN physical I / F 500, 501 is transferred in the transfer circuit and input to the IPsec unit 210, the processing of the IPsec unit 210 includes information indicating that there is no IPv6 encapsulation. In this embodiment, the frame is described as a frame to which information indicating that IPv6 encapsulation is not added is added.

The operation of the IPsec unit 210 for a transmission frame when there is transmission IPsec will be described below.
The IPsec unit 210 stores an encryption algorithm, an encryption key (in the case of other than NULL encryption), an authentication algorithm, and an authentication key (in the case of authentication) as SA processing conditions (transmission) in association with SA (transmission). The IPsec unit 210 acquires SA processing conditions (transmission) based on SA (transmission).

  In addition, the IPsec unit 210 associates SA (transmission) with the destination IP address of the outer IP header, the source IPv6 address, the hop limit, and the traffic class (the traffic class of the inner IP packet is changed to the outer IP header). And the SPI of the ESP header are stored as encapsulation conditions. The IPsec unit 210 acquires an encapsulation condition based on SA (transmission).

  Furthermore, the IPsec unit 210 manages the sequence number in the ESP header of the IPv6 packet to be transmitted in association with SA (transmission). That is, the number of IP packets transmitted for each SA (transmission) is measured and used as a sequence number. The IPsec unit 210 acquires a sequence number based on SA (transmission).

The IPsec unit 210 performs encryption and ICV generation on the IP packet included in the frame input from the frame generation unit 260 using the acquired SA processing condition (transmission), encapsulation condition, and sequence number. Perform each processing of the capsule.
The operations of encryption, ICV generation, and capsule processing will be described below.

<Encryption processing; no IPv6 encapsulation>
When information indicating that there is no IPv6 encapsulation is added, the IPsec unit 210 uses an IP packet included in the frame input from the frame generation unit 260 as an inner IP packet of the IPsec packet. It is added immediately after the IP packet. The trailer is composed of a pad, a pad length of the pad, and an inner IP packet protocol. In the padding process for adding the pad, the total length of the IP packet and the trailer encrypts them. The pad length is acquired so as to be an integral multiple of the block length predetermined by the encryption algorithm.
Next, the IPsec unit 210 encrypts the inner IP packet and the trailer using a predetermined encryption algorithm and encryption key. When the CBC mode cryptographic algorithm is used, IV is required as an initial value of the cryptographic operation, but the previous encrypted result can be used as IV. Further, the IV is inserted immediately before the inner IP packet (only in the case of the CBC mode encryption algorithm). Note that this encryption process is not performed when a NULL encryption (no encryption) is designated as the encryption algorithm.

<Encryption processing with IPv6 encapsulation>
When information indicating that IPv6 encapsulation is present is added, the IPsec unit 210 converts the inner IP packet encapsulated in the IPv6 packet included in the frame input from the frame generation unit 260 as the inner IP packet of the IPsec packet. Therefore, a predetermined trailer is added immediately after the inner IP packet. The trailer includes a pad, a pad length of the pad, and an inner IP packet protocol. In the padding process for adding the pad, the total length of the inner IP packet and the trailer encrypts them. The pad length is acquired so as to be an integral multiple of the block length predetermined by the encryption algorithm. The subsequent encryption processing is the same as the processing in the case where information indicating that IPv6 encapsulation is not added is added.

<ICV generation processing>
In the ICV generation process, the IPsec unit 210 generates and inserts an ESP header based on the acquired encapsulation condition SPI and sequence number. This insertion position is immediately before IV (inner IP packet when there is no IV). Further, ICV is calculated using a predetermined authentication algorithm and authentication key for the data before decryption from the beginning of the ESP header to the end of the trailer, and the calculated ICV is added immediately after the trailer.

<Capsule processing; no IPv6 encapsulation>
When information indicating that IPv6 encapsulation is not present is added, the IPsec unit 210 includes the conditions related to the outer IPv6 header (destination IPv6 address, source IPv6 address, hop limit, traffic class) among the obtained encapsulation conditions. Based on the length from the beginning of the ESP header to the end of the encrypted trailer, an outer IPv6 header is generated and inserted immediately before the ESP header. Further, the protocol of the outer IPv6 header is specified as the layer 3 protocol of the frame. That is, the Type field of the Ethernet (registered trademark) frame is rewritten to a value corresponding to IPv6.

<Capsule processing; with IPv6 encapsulation>
When information indicating that IPv6 encapsulation is present is added, the IPsec unit 210 rewrites the payload length of the outer IPv6 header based on the length from immediately after the outer IPv6 header to the end of the encrypted trailer. Further, the next header field included in the outer IPv6 header or extension header immediately before the ESP header is rewritten to a value indicating ESP.

Next, details of basic transmission / reception processing of an IPsec packet with the configuration of FIG. 2 will be described.
FIG. 3 is a diagram illustrating processing when an IPsec packet that does not have an extension header and does not require fragmentation is transmitted.
When the CPU 400 determines that the IP packet 10 should be transferred using IPsec, the CPU 400 outputs the packet data of the IP packet 10 and the transmission interface information to the write scheduler unit 215 via the CPU I / F 265. The transmission interface information includes a number for specifying a LAN port to be transmitted, presence / absence of IPsec encapsulation (whether it is an IPsec processing target), a number for specifying an IPsec tunnel when IPsec encapsulation is present (IPsec tunnel number) , Information such as a flag indicating whether or not IP in IPv6 is included. The IP packet 10 is an IPv4 or IPv6 packet (hereinafter referred to as “IPv4 / IPv6 packet”). The number designating the IPsec tunnel indicates SA. The packet data of the IP packet 10 is input to the memory controller unit 220 via the CPU I / F unit 265 and the write scheduler unit 215 together with the transmission interface information.

  The memory controller unit 220 writes the packet data of the IP packet 10 to the DDR-SDRAM 300 via the DDR-SDRAM I / F 225. The search unit 235 selects an IP packet transmission job using IPsec, and the CPU transfer determination unit 240 determines that transfer to the CPU 400 is unnecessary. The queue selection unit 245 selects a queue based on the transmission interface information, and the handle number indicating the recording position of the packet data of the IP packet 10 and the transmission interface information are stored in the queue in the selected QoS unit 250. Recorded as a job. The operations of the parser unit 230, the search unit 235, and the CPU transfer determination unit 240 for the packet data transferred from the CPU 400 include various information such as a handle number and transmission interface information necessary for generating the job in the next stage. Just forward. The job output from the QoS unit 250 is output to the memory controller unit 220. Based on this job, packet data is read from the DDR-SDRAM 300 and output to the frame generation unit 260. The frame generation unit 260 generates a transmission frame excluding IPsec encapsulation based on the input job. When the job includes information indicating that IPsec encapsulation is present, the frame generation unit 260 adds an IPsec tunnel number and a flag indicating whether the packet is in IP in IPv6 format to the generated transmission frame. Output to 210 (transmission side).

On the other hand, when a packet received from WAN or LAN is transmitted by IPsec, it operates as follows.
When the WAN MAC I / F 205 receives a packet, it performs MAC processing, CRC processing, and the like on the received packet. The write scheduler unit 215 receives the packet data of the received packet to which the frame information is added by the WAN MAC I / F 205 via the IPsec unit 210. Alternatively, when the LAN MAC I / F 275 receives a packet, it performs MAC processing, CRC processing, and the like on the received packet. The write scheduler unit 215 receives the packet data of the received packet to which the frame information is added by the LAN MAC I / F 275. The packet data of the received packet is input to the memory controller unit 220 through the write scheduler unit 215 together with the frame information.

  The memory controller unit 220 writes the packet data of the received packet to the DDR-SDRAM 300 via the DDR-SDRAM I / F 225. The search unit 235 designates transmission to the IPsec tunnel, and the CPU transfer determination unit 240 determines whether transfer to the CPU 400 is unnecessary. The queue selection unit 245 selects a queue based on the frame information, and the handle number indicating the recording position of the packet data of the received packet and the transmission interface information are recorded as a job in the queue in the selected QoS unit 250. Is done. The job output from the QoS unit 250 is output to the memory controller unit 220. Based on this job, packet data is read from the DDR-SDRAM 300 and output to the frame generation unit 260. The frame generation unit 260 generates a transmission frame excluding IPsec encapsulation based on the input job, and outputs the generated transmission frame together with the IPsec tunnel number to the IPsec unit 210.

The IPsec unit 210 reads out an encryption algorithm and an authentication key using the IPsec tunnel number as a key. If the encryption algorithm is other than the null cipher, the IPsec unit 210 generates the encrypted packet 11 from the IP packet 10 according to the encryption algorithm. Further, the IPsec unit 210 generates and adds the trailer 12, and adds IV 15 before the encrypted packet 11 if the encryption algorithm is other than the null encryption. In the case of authentication, the ICV 16 is added behind the trailer 12. The IPsec unit 210 generates and adds the outer IPv6 header 13 from the IP address corresponding to the IPsec tunnel number and the ESP header 14 from the SPI corresponding to the IPsec tunnel number. As a result, an IPv6 IPsec packet including the outer IPv6 header 13, the ESP header 14, IV15, the encrypted packet 11, the trailer 12, and the ICV 16 is generated.
The IPsec unit 210 outputs, to the WAN MAC I / F 205, a frame that includes the generated IPv6 IPsec packet and includes the L2 header generated from the MAC address corresponding to the IPsec tunnel number. The WAN MAC I / F 205 sends the received frame to the WAN via the physical I / F 500.

FIG. 4 is a diagram illustrating processing when an unfragmented IPsec packet is received.
The IPsec unit 210 receives a frame including an IPv6 IPsec packet from the WAN MAC I / F 205. The IPv6 IPsec packet includes an outer IPv6 header 20, an ESP header 21, IV22, an encrypted packet 23, a trailer 24, and an ICV 25. When recognizing that there is no extension header from the packet header, the IPsec unit 210 acquires the SA, the encryption algorithm, and the authentication key from the SPI included in the ESP header 21. In the case of authentication, the IPsec unit 210 deletes the ICV 25 after authenticating the ICV 25 with the read authentication key. If the encryption algorithm is other than the null encryption, the IPsec unit 210 decrypts the encrypted packet 23 and the trailer 24 using the IV 22 according to the encryption algorithm. Then, according to the padding length indicated by the decrypted trailer 24, the padding is deleted from the decrypted encrypted packet 23 to obtain an IP packet 26 that is an IPv4 / IPv6 packet. The IPsec unit 210 deletes the outer IPv6 header 20 and the ESP header 21, and further deletes the IV 22 in cases other than the null cipher.

  The IPsec unit 210 outputs the frame including the decrypted IP packet 26 and the IPsec tunnel number indicating SA to the write scheduler unit 215. The output frame is written in the DDR-SDRAM 300, and the parser unit 230 performs processing based on the address in the written frame. Then, a job is generated in the search unit 235 and written in the QoS unit 250. The memory controller unit 220 outputs the IP packet 26 read from the DDR-SDRAM 300 and the IPsec tunnel number to the CPU 400 via the CPU I / F 265. Alternatively, the data is output from the frame generation unit 260 to the LAN MAC I / F 275 and transmitted to the LAN.

FIG. 5 is a diagram illustrating processing when an IPsec packet having an extension header and not requiring fragmentation is transmitted.
When the CPU 400 determines that the IP packet 30 that is an IPv4 / IPv6 packet should be transferred using IPsec, the CPU 400 transmits the IPv6 header 31, the extension header 32, and the encapsulated IP via the CPU I / F 265. An IPv6 encapsulated packet with an extension header in the IP in IPv6 format composed of the packet 30, an IPsec tunnel number indicating SA, and a flag indicating the IP in IPv6 format are output to the write scheduler unit 215. The IP address set in the IPv6 header 31 is matched with the IP address of the outer IPv6 header added by IPsec encapsulation. Further, the number of extension headers may be one or more. Information indicating the IPv4 / IPv6 protocol that is the protocol of the IP packet 30 is set in the information of the next header in the extension header 32 immediately before the IP packet 30.

  The memory controller unit 220 writes the IPv6 encapsulated packet with an extension header to the DDR-SDRAM 300 via the DDR-SDRAM I / F 225, and the parser unit 230 outputs the IPsec tunnel number and the flag to the search unit 235. The search unit 235 selects a packet transmission job using IPsec, and the CPU transfer determination unit 240 determines that transfer to the CPU 400 is unnecessary. The QoS unit 250 generates job information and records it in a queue. The frame generation unit 260 outputs the IPsec tunnel number and flag, and the IPv6 encapsulated packet with extension header read out from the DDR-SDRAM 300 by the memory controller unit 220 to the IPsec unit 210.

  The IPsec unit 210 recognizes that the packet is an IPsec processing target and has an extension header, and further recognizes that the packet is in the IP in IPv6 format by the flag. The IPsec unit 210 reads out an encryption algorithm and an authentication key using the IPsec tunnel number (SA) as a key. If the encryption algorithm is other than the null encryption, the IPsec unit 210 generates an encrypted packet 33 from the IP packet 30 according to the encryption algorithm, generates a trailer 34, and adds it to the end of the encrypted packet 33. , IV 38 is added before the encrypted packet 33. In the case of authentication, the ICV 39 is added behind the trailer 34.

  The IPsec unit 210 generates the ESP header 37 and adds it immediately before IV38. Then, the payload length in the IPv6 header 31 is corrected to be the length of the generated IPsec packet to be the outer IPv6 header 35. Further, the next header in the extension header immediately before the ESP header in the extension header 32 is corrected to the information indicating ESP to be the extension header 36. In this way, the IPsec unit 210 generates an IPv6 IPsec packet with an extension header including the outer IPv6 header 35, the extension header 36, the ESP headers 37 and IV38, the encrypted packet 33, the trailer 34, and the ICV 39. The IPsec unit 210 includes the generated IPv6 IPsec packet with an extension header, outputs a frame to which the L2 header generated from the MAC address corresponding to the IPsec tunnel number is added to the WAN MAC I / F 205, and the WAN MAC I / F 205 Sends the received frame to the WAN via the physical I / F 500.

FIG. 6 is a diagram illustrating processing when an IPsec packet having an extension header and not fragmented is received.
The IPsec unit 210 receives a frame including an IPv6 IPsec packet with an extension header from the WAN MAC I / F 205. The IPv6 IPsec packet with an extension header includes an outer IPv6 header 40, an extension header 41, an ESP header 42, IV43, an encrypted packet 44, a trailer 45, and an ICV 46. When the IPsec unit 210 recognizes that there is an extension header from the header of the packet and that there is an extension header, the IPsec unit 210 acquires the SA, the encryption algorithm, and the authentication key from the SPI included in the ESP header 42. When authentication is performed, the IPsec unit 210 deletes the ICV 46 after authenticating the ICV 46 using the read authentication key. Furthermore, if the encryption algorithm is other than the null encryption, the IPsec unit 210 uses the IV 43 to decrypt the encrypted packet 44 and the trailer 45 according to the encryption algorithm. Then, according to the padding length indicated by the decrypted trailer 45, the padding is deleted from the decrypted encrypted packet 44 to obtain the IP packet 49 which is an IPv4 / IPv6 packet, and the IV 43 is deleted.

  The IPsec unit 210 deletes the ESP header 42 and modifies the next header in the extension header immediately before the ESP header 42 in the extension header 41 to information indicating the protocol of the IPv4 / IPv6 packet as the extension header 48. Further, the IPsec unit 210 corrects the payload length in the outer IPv6 header 40 to obtain an IPv6 header 47. As a result, an IPv6 encapsulated packet with an extension header of the IP in IPv6 format including the IPv6 header 47, the extension header 48, and the encapsulated IP packet 49 is generated. The IPsec unit 210 outputs the generated frame including the IPv6 encapsulated packet with the extension header, the flag indicating the IP in IPv6 format, and the IPsec tunnel number indicating the SA to the write scheduler unit 215.

  The frame output from the IPsec unit 210 is written in the DDR-SDRAM 300, and the parser unit 230 performs processing based on the address in the written frame. Then, a job is generated in the search unit 235 and written in the QoS unit 250. The memory controller unit 220 outputs the IPv6 encapsulated packet with extension header, the IPsec tunnel number, and the flag read from the DDR-SDRAM 300 to the CPU 400 via the CPU I / F 265. After executing the extension header processing according to the extension header 48, the CPU 400 deletes the extension header 48 and performs processing using the IP packet 49.

<Second Embodiment>
In the second embodiment, an IPsec process involving a fragment will be described.
When IPsec encapsulation is performed, the packet length increases, so there are cases where the maximum value of data that can be transmitted in one transfer exceeds the maximum transmission unit (MTU). Therefore, the transmission length is set by dividing the packet into a plurality of IPsec packets so as not to exceed the MTU. In the following, a method of packet division at the time of encapsulation of IPsec and a method of packet reconstruction at the time of decapsulation of IPsec will be described.

When an IP packet is encrypted and then encapsulated and divided, a process for further dividing a packet transmitted by the IPsec circuit and a process for reconstructing the divided packet before the IPsec circuit receives the packet are required. Since these processes are difficult to implement in hardware, software processing by the CPU is desirable. However, since the number of packet transfers increases, the high-speed characteristic that is an inline type feature is impaired.
Therefore, in this embodiment, the CPU 650 encapsulates and divides the transfer packet, and then the IPsec circuit 620 encrypts each divided packet. That is, formal encryption / decryption processing can be performed by the IPsec circuit 620 by encryption including the fragment header (inserting the ESP header before the fragment header).

Regarding the communication processing circuit 200 of the communication apparatus according to the second embodiment, differences from the first embodiment will be described.
In the second embodiment, the operation of the IPsec unit 210 for an IPsec packet in which SA (reception) is found differs from the operation in the first embodiment. The operation of the difference between the IPsec unit 210 and the first embodiment will be described below.

First, the difference in IPsec packet reception operation will be described.
In correspondence with SA (reception), the IPsec unit 210 determines the SA processing condition (reception) based on the encryption algorithm, the encryption key (in the case of other than NULL encryption), the authentication algorithm, the authentication key (in the case of authentication), and the presence / absence of anti-replay. ). The IPsec unit 210 acquires SA processing conditions (reception) based on the SA (reception) of the received IPsec packet.

The IPsec unit 210 performs authentication, decryption, and decapsulation processes using the acquired SA processing conditions (reception), and acquires the decrypted inner IP packet. Further, information indicating the presence of received IPsec and a received SA number for identifying SA (reception) are added to the frame including the IP packet and output to the write scheduler unit 215. Note that when there is anti-replay of the SA processing condition (reception), anti-replay processing is performed.
Hereinafter, operations of authentication, decryption, decapsulation, and anti-replay processes will be described.

<Authentication process>
The same processing as in the first embodiment is performed.

<Decryption process>
The same processing as in the first embodiment is performed. However, based on the next header value included in the trailer after decoding, it is detected whether or not a fragment extension header is added to the head of the ESP payload. In the first embodiment, the head of the ESP payload is either the IPv4 header or the IPv6 header of the inner IP packet. In the second embodiment, there is a case of a fragment extension header in addition to the case of the IPv4 header or the IPv6 header. The former case is detected as no fragment extension header, and the latter case is detected as having a fragment extension header. .

<Decapsulation processing; no extension header excluding ESP, no fragment extension header>
When there is no extension header other than ESP after the outer IPv6 header, and when the head of the ESP payload does not have a fragment extension header, in the decapsulation processing for the received IPsec packet, the outer IP header, ESP header, IV, The trailer and ICV are deleted, and the decrypted inner IP packet is acquired. At this time, the pad is deleted based on the decoded pad length of the trailer, and IPv4 or IPv6 is designated as the layer 3 protocol of the frame based on the protocol of the inner IP packet. That is, the Type field of the Ethernet (registered trademark) frame is rewritten to a value corresponding to the protocol of the inner IP packet. Furthermore, the payload length of the outer IPv6 header is rewritten based on the length from immediately after the outer IPv6 header to the end of the inner IP packet. Here, in addition to the information indicating the presence of received IPsec and the received SA number for identifying SA (reception), information indicating no IPv6 encapsulation may be added to the IPv6 encapsulated packet.

<Decapsulation processing; no extension header except ESP, with fragment extension header>
When there is no extension header other than ESP after the outer IPv6 header and the beginning of the ESP payload has a fragment extension header, in the decapsulation processing for the received IPsec packet, the ESP header, IV, trailer, and ICV are extracted from the packet. Delete and rewrite a fragment IPv6 packet composed of fragment data having the outer IPv6 header and the fragment extension header decoded as the payload at the head. At this time, the pad is deleted based on the decoded trailer pad length, and the next header field in the outer IPv6 header is rewritten to a value indicating the fragment extension header. Further, the payload length of the outer IPv6 header is rewritten based on the length from immediately after the outer IPv6 header to the end of the fragment data. Here, in addition to the information indicating the presence of received IPsec and the received SA number for identifying SA (reception), information indicating the presence of IPv6 encapsulation may be added to the IPv6 encapsulated packet.

<Decapsulation processing; with extension header excluding ESP, without fragment extension header>
If there is an extension header other than ESP after the outer IPv6 header, and the beginning of the ESP payload does not have a fragment extension header, the ESP header, IV, trailer, and ICV are extracted from the packet in the decapsulation for the received IPsec packet. It deletes and leaves the outer IPv6 header and an extension header other than the ESP after the outer IPv6 header, and rewrites the decoded inner IP packet as an IPv6 encapsulated packet. At this time, the pad is deleted based on the decoded pad length of the trailer, and IPv4 or IPv6 is designated in the next header field in the extension header immediately before the inner IP packet based on the protocol of the inner IP packet. . That is, the next header field of the extension header is rewritten to a value corresponding to the protocol of the inner IP packet. Furthermore, the payload length of the outer IPv6 header is rewritten based on the length from immediately after the outer IPv6 header to the end of the inner IP packet. Here, in addition to the information indicating the presence of received IPsec and the received SA number for identifying SA (reception), information indicating the presence of IPv6 encapsulation may be added to the IPv6 encapsulated packet.

<Decapsulation processing; with extension header excluding ESP, with fragment extension header>
When there is an extension header other than ESP after the outer IPv6 header and the header of the ESP payload has a fragment extension header, the ESP header, IV, trailer, and ICV are deleted from the packet in the decapsulation for the received IPsec packet. A fragment IPv6 packet comprising an outer IPv6 header, an outer IPv6 header, an extension header other than ESP after the outer IPv6 header, and fragment data having a decoded fragment extension header following the extension header at the head Rewrite to At this time, the pad is deleted based on the decoded trailer pad length, and the next header field in the extension header immediately before the fragment extension header is rewritten to a value indicating the fragment extension header. Further, the payload length of the outer IPv6 header is rewritten based on the length from immediately after the outer IPv6 header to the end of the fragment data. Here, in addition to the information indicating the presence of received IPsec and the received SA number for identifying SA (reception), information indicating the presence of IPv6 encapsulation may be added to the IPv6 encapsulated packet.

<Anti-replay process>
The same processing as in the first embodiment is performed.

  The operation after the IPsec unit 210 outputs data to the write scheduler unit 215 follows the description of each unit shown in FIG. However, the IPv6 encapsulated packet output by the IPsec unit 210 when there is an extension header other than ESP after the outer IPv6 header is determined to be addressed to itself based on the destination IPv6 address in the outer IPv6 header and transferred to the CPU 400. The When information indicating the presence of IPv6 encapsulation is added to the IPv6 encapsulated packet, it may be transferred to the CPU 400 based on the information.

  The CPU 400 inputs a plurality of the fragment IPv6 packets divided from one IPv6 packet from the transfer circuit, reconfigures them, and acquires the pre-division IPv6 packet. Furthermore, it detects that the IPv6 packet is an IPv6 encapsulated packet obtained by encapsulating an IP packet with IPv6, and decapsulates the detected IPv6 encapsulated packet to obtain an inner IP packet. The process for the inner IP packet is the same as the process for a normal IP packet.

Subsequently, differences in the transmission operation of the IPsec packet will be described.
The CPU 400 adds a predetermined extension header and performs an IP encapsulation to send the IP packet as an inner IP packet by IPv6 encapsulation, and adds the extension header to the IPv6 encapsulated packet. L2 header (address / source MAC address and Ethernet (registered trademark) frame type, etc.) is added to the attached IPv6 encapsulated packet, and the IPv6 encapsulated IPsec transmission information is added and transferred via the CPU I / F 265. Input to the circuit.

  In addition, when the length of the packet after IPsec encapsulation exceeds the MTU, the CPU 400 encapsulates the inner IP packet with IPv6, and the IPv6 encapsulated packet is converted into a plurality of fragment IPv6 packets each having a fragment extension header added thereto. The packet is divided, an L2 header is added to each of the fragment IPv6 packets, an IPsec transmission information with IPv6 encapsulation is added, and the packet is input to the transfer circuit via the CPU I / F 265. Note that information for distinguishing the above-described IPv6 encapsulated packet with an extension header from a fragmented IPv6 packet may be added as IPv6 encapsulated IPsec transmission information.

  When the frame received by the WAN / LAN physical I / F 500, 501 is transferred in the transfer circuit and input to the IPsec unit 210, the processing of the IPsec unit 210 includes information indicating that there is no IPv6 encapsulation. In this embodiment, the frame is described as a frame to which information indicating that IPv6 encapsulation is not added is added.

The operation of the IPsec unit 210 for a transmission frame when there is transmission IPsec will be described below.
The IPsec unit 210 stores an encryption algorithm, an encryption key (in the case of other than NULL encryption), an authentication algorithm, and an authentication key (in the case of authentication) as SA processing conditions (transmission) in association with SA (transmission). The IPsec unit 210 acquires SA processing conditions (transmission) based on SA (transmission).

  Further, the IPsec unit 210 copies the destination IPv6 address, the source IPv6 address, the source IPv6 address, the hop limit, and the traffic class (the traffic class of the inner IP packet in the outer IP header) corresponding to SA (transmission). The SPI of the ESP header is stored as an encapsulation condition. The IPsec unit 210 acquires an encapsulation condition based on SA (transmission).

  Furthermore, the IPsec unit 210 manages the sequence number in the ESP header of the IPv6 packet to be transmitted in association with SA (transmission). That is, the number of IP packets transmitted for each SA (transmission) is counted and used as a sequence number. The IPsec unit 210 acquires a sequence number based on SA (transmission).

The IPsec unit 210 performs encryption and ICV generation on the IP packet included in the frame input from the frame generation unit 260 using the acquired SA processing condition (transmission), encapsulation condition, and sequence number. Perform each processing of the capsule.
The operations of encryption, ICV generation, and capsule processing will be described below.

<Encryption processing; no IPv6 encapsulation>
The same processing as in the first embodiment is performed.

<Encryption processing with IPv6 encapsulation>
When information indicating that IPv6 encapsulation is present is added, it is detected whether or not a fragment extension header is included in the extension header following the outer IPv6 header. When the IPv6 encapsulated IPsec transmission information includes information indicating the presence or absence of a fragmented IPv6 packet, the information may be detected based on the information. When there is no fragment extension header due to the detection, the subsequent encryption processing is the same as in the first embodiment.
If the fragment extension header is present by the detection, a predetermined trailer is added immediately after the inner IP packet in order to encapsulate the IPv6 packet data after the fragment extension header. The trailer is composed of a pad, a pad length of the pad, and a next header value indicating a fragment extension header. In the padding process for adding the pad, the total length of the inner IP packet and the trailer is calculated as follows. The pad length is acquired so as to be an integral multiple of the block length predetermined by the encryption algorithm used for encryption. The subsequent encryption processing is the same as the processing in the case where information indicating that IPv6 encapsulation is not added is added.

<ICV generation processing>
The same processing as in the first embodiment is performed.

<Capsule processing; no IPv6 encapsulation>
The same processing as in the first embodiment is performed.

<Capsule processing; with IPv6 encapsulation>
The same processing as in the first embodiment is performed.

FIG. 7 is a diagram illustrating processing when an IPsec packet with a fragment is transmitted.
In the communication apparatus 100 shown in FIG. 2, when the CPU 400 determines that the IP packet 50 that is an IPv4 / IPv6 packet should be transferred using IPsec and determines that the MTU is exceeded by the IPsec processing, the IP packet 50 is divided. Then, the divided IP packet 50a and the divided IP packet 50b are generated. An IPv6 header 51a, an extended header 52a that is a fragment header, and a fragmented IPv6 packet in X in IPv6 format that consists of an encapsulated fragmented IP packet 50a, an IPv6 header 51b, an extended header 52b that is a fragment header, and A fragment IPv6 packet of the X in IPv6 format composed of the encapsulated divided IP packet 50b is generated. The X in IPv6 format indicates an IPv6 packet that includes an extension header and encapsulates the divided IP packet as packet data. The fragment header includes fragment identification numbers and division order information. The CPU 400 outputs a fragment IPv6 packet encapsulating the fragmented IP packet 50a, an IPsec tunnel number indicating SA, and a flag indicating X in IPv6 format to the write scheduler unit 215. Further, the CPU 400 outputs a fragment IPv6 packet encapsulating the fragmented IP packet 50b, an IPsec tunnel number indicating SA, and a flag indicating X in IPv6 format to the write scheduler unit 215.
When a packet received at a LAN port (WAN, LAN) is transmitted by IPsec, if the search unit 235 detects that the MTC is exceeded, the received packet is transferred to the CPU 400. When the CPU 400 recognizes that the transferred received packet exceeds the MTU, the CPU 400 divides the received packet, generates a fragment IPv6 packet that encapsulates the divided received packet, and performs the same processing as described above.

Hereinafter, the processing is described for the fragment IPv6 packet encapsulating the fragmented IP packet 50a, but the same processing is performed for the fragment IPv6 packet encapsulating the fragmented IP packet 50b.
The memory controller unit 220 writes the fragment IPv6 packet in which the divided IP packet 50a is encapsulated into the DDR-SDRAM 300 via the DDR-SDRAM I / F 225, and the parser unit 230 outputs the IPsec tunnel number and the flag to the search unit 235. . The search unit 235 selects a packet transmission job using IPsec, and the CPU transfer determination unit 240 determines that transfer to the CPU 400 is unnecessary. The QoS unit 250 generates job information and records it in a queue. The frame generation unit 260 outputs the IPsec tunnel number, the flag, and the fragment IPv6 packet read from the DDR-SDRAM 300 by the memory controller unit 220 to the IPsec unit 210.

  The IPsec unit 210 recognizes that the packet is an IPsec processing target, includes an extension header, and is in X in IPv6 format. The IPsec unit 210 reads out an encryption algorithm and an authentication key using the IPsec tunnel number (SA) as a key. If the encryption algorithm is other than the null cipher, an encrypted extended header 53a is generated from the extended header 52a, an encrypted divided IP packet 54a is generated from the divided IP packet 50a according to the encryption algorithm, and a trailer 55a is further generated. Are added after the encrypted divided IP packet 54a, and IV 56a is added before the encrypted extension header 53a. In the case of authentication, the ICV 57a is added behind the trailer 55a.

The IPsec unit 210 generates the ESP header 59a and adds it immediately before the IV 56a. Then, the payload length in the IPv6 header 51a is corrected to be the length of the generated IPsec packet to be an IPv6 header 58a. In this manner, the IPsec unit 210 generates an IPv6 IPsec packet including the IPv6 header 58a, the ESP header 59a, the IV 56a, the encrypted extension header 53a, the encrypted divided IP packet 54a, the trailer 55a, and the ICV 57a. The IPsec unit 210 outputs, to the WAN MAC I / F 205, a frame that includes the generated IPv6 IPsec packet and includes the L2 header generated from the MAC address corresponding to the IPsec tunnel number. The WAN MAC I / F 205 sends the received IPsec packet to the WAN via the physical I / F 500.
On the other hand, an IPv6 IPsec packet including an IPv6 header 58b, an ESP header 59b, an IV56b, an encrypted extension header 53b, an encrypted divided IP packet 54b, a trailer 55b, and an ICV 57b is generated by the same processing and sent to the WAN.

  Next, processing when an IPsec packet including a fragmented packet is received will be described. In the configuration shown in FIG. 1, when the IPsec circuit 620 decodes the received IPsec packet and the protocol indicated by the next header read from the trailer is other than IPv4 / IPv6, the outer IPv6 header is not deleted and the ESP extension is not performed. Deletion of header, deletion of IV (only for cases other than null encryption), reading of pad length and next header from trailer, and deletion of trailer. Further, the next header in the header immediately before the ESP extension header is corrected to the protocol indicated by the next header read from the trailer. After the above processing, the packet data is transferred to the CPU 650 by adding a flag indicating that it is an IPsec processing target, specifying a tunnel, and in X in IPv6 format. When the IPsec circuit 620 of the present embodiment is used, the CPU 650 attaches a flag indicating that it is in the X in IPv6 format regardless of the presence or absence of the fragment, and transfers the packet to the IPsec circuit 620, whereby the IPsec transformer Port mode can be realized.

FIG. 8 is a diagram illustrating processing when a fragmented IPsec packet is received.
In the configuration of FIG. 2, the IPsec unit 210 receives a frame including an IPv6 IPsec packet from the WAN MAC I / F 205. The IPv6 IPsec packet includes an outer IPv6 header 70a, an ESP header 71a, IV 72a, an encrypted extension header 73a, an encrypted divided IP packet 74a, a trailer 75a, and an ICV 76a. When the IPsec unit 210 recognizes that the packet is an IPsec processing target from the header of the packet and does not have an extension header, the IPsec unit 210 acquires the SA, the encryption algorithm, and the authentication key from the SPI included in the ESP header 71a. In the case of authentication, the IPsec unit 210 deletes the ICV 76a after authenticating the ICV 76a with the read authentication key. Furthermore, if the encryption algorithm is other than null encryption, the IPsec unit 210 uses the IV 72a to decrypt the encrypted extension header 73a, the encrypted divided IP packet 74a, and the trailer 75a according to the encryption algorithm. When the protocol indicated by the decrypted trailer 75a is other than IPv4 / IPv6, the IPsec unit 210 deletes the ESP header 71a without deleting the outer IPv6 header 70a. Further, in accordance with the padding length indicated by the decrypted trailer 75a, the divided IP packet 78a, which is an IPv4 / IPv6 packet divided by deleting the padding from the decrypted encrypted divided IP packet 74a, is obtained, and the IV 72a is deleted.

  The IPsec unit 210 corrects the payload length in the outer IPv6 header 70a to be an IPv6 header 79a. As a result, a fragment IPv6 packet in the X in IPv6 format including the IPv6 header 79a, the extension header 77a obtained by decrypting the encrypted extension header 73a, and the encapsulated divided IP packet 78a is generated. The IPsec unit 210 outputs the frame including the generated fragment IPv6 packet, the flag indicating the X in IPv6 format, and the IPsec tunnel number indicating the SA to the write scheduler unit 215.

  The frame output from the IPsec unit 210 is written in the DDR-SDRAM 300, and the parser unit 230 performs processing based on the address in the written frame. Then, a job is generated in the search unit 235 and written in the QoS unit 250. The memory controller unit 220 outputs the fragment IPv6 packet read from the DDR-SDRAM 300, the IPsec tunnel number, and the flag to the CPU 400 via the CPU I / F 265.

  Subsequently, the IPsec unit 210 receives the IPv6 IPsec including the outer IPv6 header 70b, the ESP headers 71b and IV72b, the encrypted extended header 73b, the encrypted divided IP packet 74b, the trailer 75b, and the ICV 76b from the WAN MAC I / F 205. Receive a frame containing a packet. Then, the IPv6 header 79b obtained by correcting the payload length of the IPv6 header 70b, the extension header 77b obtained by decrypting the encrypted extension header 73b, and the encrypted divided IP packet 74b are obtained by the same processing as described above. The fragmented IPv6 packet composed of the encapsulated divided IP packet 78b is generated and output to the CPU 400 together with the IPsec tunnel number and the flag.

  When receiving the fragment IPv6 packet in which the fragmented IP packets 78a and 78b are encapsulated, the CPU 400 uses the fragment identification number and the information of the fragmentation order in the extension headers 77a and 77b, and the information before the fragment from the fragmented IP packets 78a and 78b. An IP packet 78 is generated.

  According to the above embodiment, the communication device performs high-speed transmission / reception processing by wired logic for an IP packet to which no extension header is added. For an IPSec packet to which an extension header is added, a transmission / reception process can be realized by combining hardware processing and software processing. Further, according to the above embodiment, since the IPv6-encapsulated packet is divided, the inner IP packet is not restricted. That is, for the received packet, reconfiguration processing is performed after IPsec processing, and transmission is performed by performing IPsec processing after splitting processing. Therefore, hardware transmission / reception and IPsec processing are continuously performed, and inline-type IPsec processing is performed. Is possible. In addition, when the IPsec packet generation exceeds the signal length that can be transmitted / received, the transfer target IP packet can be divided and transmitted / received.

It is a block diagram which shows schematic structure of the communication apparatus which concerns on one embodiment of this invention. It is a block diagram which shows the detailed structure of the communication apparatus by the embodiment. It is a figure which shows the process at the time of the IPsec packet transmission in the communication apparatus by the embodiment. It is a figure which shows the process at the time of the IPsec packet reception in the communication apparatus by the embodiment. It is a figure which shows the process at the time of the IPsec packet transmission in the communication apparatus by the embodiment. It is a figure which shows the process at the time of the IPsec packet reception in the communication apparatus by the embodiment. It is a figure which shows the process at the time of the IPsec packet transmission in the communication apparatus by the embodiment. It is a figure which shows the process at the time of the IPsec packet reception in the communication apparatus by the embodiment. It is a figure which shows the structure of an IPsec packet. It is a figure which shows the structure of the conventional packet transfer apparatus. It is a figure which shows the structure of the conventional packet transfer apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 ... Communication apparatus, 200 ... Communication processing circuit, 205 ... WAN MAC I / F, 210 ... IPsec part, 215 ... Write scheduler part, 220 ... Memory controller part, 225 ... DDR-SDRAM I / F, 230 ... Parser part 235 ... Search unit, 240 ... CPU transfer determination unit, 245 ... Queue selection unit, 250 ... QoS unit, 255 ... Handle management unit, 260 ... Frame generation unit, 265 ... CPU I / F, 275 ... MAC I / F for LAN F, 300 ... DDR-SDRAM, 400 ... CPU, 500, 501 ... Physical I / F, 610 ... First LAN port, 620 ... IPsec circuit, 630 ... Transfer circuit, 640 ... Second LAN port, 650 ... CPU

Claims (8)

In a communication apparatus for performing IPv6 IPsec encapsulation in an ESP tunnel mode using an IP packet as an inner IP packet and transmitting an IPv6 IPsec packet with an extension header in which an extension header is added to the outer IPv6 packet,
IPv6 encapsulation indicating that an IPv6 encapsulated packet with an extension header added to the IPv6 encapsulated packet obtained by encapsulating the inner IP packet with IPv6 is an IPv6 encapsulated packet to be subjected to IPsec transmission processing A software processing unit for adding and outputting completed IPsec transmission information;
When IPv6 encapsulated IPsec transmission information is added to the IPv6 packet output by the software processing unit, ESP encryption processing is performed on the inner IP packet of the IPv6 packet as an IPv6 IPsec packet with an extension header. An IPsec processing unit to output;
An interface unit for transmitting an IPv6 IPsec packet with an extension header output by the IPsec processing unit;
A communication apparatus comprising: In a communication apparatus that transmits an IPv6 IPsec packet in which an IPv6 IPsec encapsulation in an ESP tunnel mode is performed using an IP packet as an inner IP packet,
When the length of the IPv6 IPsec packet exceeds the MTU, the inner IP packet is IPv6 encapsulated, the IPv6 encapsulated packet is divided into a plurality of fragment IPv6 packets each having a fragment extension header added thereto, and each fragment IPv6 packet is A software processing unit for adding and outputting IPv6 encapsulated IPsec transmission information indicating that the packet is an IPv6 encapsulated IPsec transmission processing target,
When the IPv6 encapsulated IPsec transmission information is added to the fragment IPv6 packet output by the software processing unit, ESP encryption processing is performed on the data after the fragment extension header of the fragment IPv6 packet, and the IPv6 IPsec An IPsec processing unit that outputs the packet;
An interface unit for transmitting an IPv6 IPsec packet output by the IPsec processing unit;
A communication apparatus comprising: In a communication apparatus that receives an IPv6 IPsec packet with an extension header, in which an IPv6 IPsec encapsulation in an ESP tunnel mode is performed using an IP packet as an inner IP packet, and an extension header is added to the outer IPv6 packet.
An interface unit for receiving and outputting an IPv6 IPsec packet;
The IPv6 IPsec packet output by the interface unit is detected to be an IPsec reception processing target packet to which an extension header is added, ESP decoding processing is performed on the detected IPv6 IPsec packet, and the ESP payload An IPsec processing unit that outputs an IPv6 encapsulated packet with an extension header, in which the IP packet is an inner IP packet, the IPv6 header of the IPv6 IPsec packet is an outer IPv6 header, and the extension header is added;
A software processing unit that performs predetermined extension header processing based on an extension header of the IPv6 encapsulated packet with extension header output from the IPsec processing unit, decapsulates the IPv6 encapsulated packet with extension header, and obtains an inner IP packet; ,
A communication apparatus comprising: In a communication device that receives an IPv6 IPsec packet in which an IPv6 IPsec encapsulation in an ESP tunnel mode is performed using an IP packet as an inner IP packet,
An interface unit for receiving and outputting an IPv6 IPsec packet;
ESP decoding processing is performed on the IPv6 IPsec packet output by the interface unit, and it is detected that a fragment extension header is added to the head of the ESP payload. The detected data is used as the payload, and the IPv6 IPsec packet is detected. An IPsec processing unit for outputting a fragmented IPv6 packet having an IPv6 header of
A plurality of fragmented IPv6 packets divided from one IPv6 packet are collected, reconfigured to obtain an undivided IPv6 packet, and the IPv6 packet is an IPv6 encapsulated packet obtained by encapsulating an IPv6 packet into an IPv6 packet. A software processing unit that detects the presence and decapsulates the detected IPv6 encapsulated packet to obtain an inner IP packet;
A communication apparatus comprising: A packet processing method used for a communication apparatus that performs IPv6 IPsec encapsulation in an ESP tunnel mode using an IP packet as an inner IP packet, and transmits an IPv6 IPsec packet with an extension header to which an extension header is added to the outer IPv6 packet. ,
The software processing unit is an IPv6 encapsulated packet for IPsec transmission processing in an IPv6 encapsulated packet with an extension header obtained by adding the extension header to the IPv6 encapsulated packet obtained by encapsulating the inner IP packet with IPv6 Output with the IPv6 encapsulated IPsec transmission information indicating
The IPsec processing unit performs ESP encryption processing on the inner IP packet of the IPv6 packet when the IPv6 encapsulated IPsec transmission information is added to the IPv6 packet output by the software processing unit, and the extension header Output as an attached IPv6 IPsec packet,
The interface unit transmits the IPv6 IPsec packet with an extension header output by the IPsec processing unit.
And a packet processing method. A packet processing method used for a communication device that transmits an IPv6 IPsec packet obtained by performing IPv6 IPsec encapsulation in an ESP tunnel mode using an IP packet as an inner IP packet,
When the length of the IPv6 IPsec packet exceeds the MTU, the software processing unit encapsulates the inner IP packet in IPv6, and divides the IPv6 encapsulated packet into a plurality of fragment IPv6 packets each having a fragment extension header added thereto, IPv6 encapsulated IPsec transmission information indicating that the packet is an IPv6 encapsulated IPsec transmission process target is added to each fragment IPv6 packet and output.
When the IPsec processing unit adds the IPv6 encapsulated IPsec transmission information to the fragment IPv6 packet output by the software processing unit, the ESP encryption processing is performed on the data after the fragment extension header of the fragment IPv6 packet. Output as an IPv6 IPsec packet,
The interface unit transmits the IPv6 IPsec packet output by the IPsec processing unit;
And a packet processing method. A packet processing method used for a communication apparatus that receives an IPv6 IPsec packet with an extension header, which performs IPv6 IPsec encapsulation in an ESP tunnel mode using an IP packet as an inner IP packet, and adds an extension header to the outer IPv6 packet. ,
The interface unit receives and outputs an IPv6 IPsec packet,
An IPsec processing unit detects that an IPv6 IPsec packet output by the interface unit is a packet that is an IPsec reception processing target with an extension header added, and performs an ESP decoding process on the detected IPv6 IPsec packet An IP packet of the ESP payload is set as an inner IP packet, and an IPv6 encapsulated packet with an extension header having the IPv6 header of the IPv6 IPsec packet as an outer IPv6 header and the extension header added thereto is output.
The software processing unit performs predetermined extension header processing based on the extension header of the IPv6 encapsulated packet with extension header output from the IPsec processing unit, decapsulates the IPv6 encapsulated packet with extension header, and converts the inner IP packet get,
And a packet processing method. A packet processing method used for a communication device that receives an IPv6 IPsec packet that has been subjected to IPv6 IPsec encapsulation in an ESP tunnel mode using an IP packet as an inner IP packet,
The interface unit receives and outputs an IPv6 IPsec packet,
An IPsec processing unit performs an ESP decoding process on the IPv6 IPsec packet output from the interface unit, detects that a fragment extension header is added to the head of the ESP payload, and transfers the detected data to the payload. A fragment IPv6 packet having an IPv6 header of the IPv6 IPsec packet as an outer IPv6 header,
The software processing unit collects the plurality of fragmented IPv6 packets divided from one IPv6 packet, performs reconfiguration to obtain an IPv6 packet before the division, and the IPv6 packet encapsulates the IP packet into IPv6 Detecting an IPv6 encapsulated packet and decapsulating the detected IPv6 encapsulated packet to obtain an inner IP packet;
And a packet processing method.

Images