JP2010187327A - Packet communication apparatus, method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent such a circumstance that a packet is discarded by a replay attack prevention function at a reception side even when executing IPsec processing and QoS processing. <P>SOLUTION: A packet communication apparatus includes: a reception means for applying sequence numbers to packets transmitted from a transmission side terminal by IPsec processing, and for receiving the packets transmitted in the order of high priority by performing QoS processing to the packets to which the sequence numbers have been applied; a sequence number applying means for reapplying the sequence numbers applied to the packets received by the reception means into the order that the reception means has received; a check value updating means for updating an integrity check values applied to the packets by recalculating the integrity check values of the packets to which the sequence numbers have been reapplied; and a transmission means for transmitting the packets whose integrity check values have been updated to the reception side terminal. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a packet communication apparatus, a packet communication method, and a packet communication program using the IPsec protocol and QoS control.

  2. Description of the Related Art Conventionally, IPsec (Security Architecture for Internet Protocol; defined in RFCs 2401 to 2412 and RFCs 4301 to 4306) is a representative technique for performing secure communication in information communication on the Internet and corporate networks. In IPsec, information is encrypted from a third party to prevent eavesdropping on the contents of communication, and a keyed hash calculation value for the entire packet is given to prevent tampering. Also, prior to IPsec communication, Authenticate and confirm the sender. Furthermore, a sequence number is assigned to IPsec as a defense function against a replay attack. A replay attack is an attack method that makes it seem as if the data sent from a legitimate partner is received by copying the packet from a legitimate partner and sending it even if there is a mechanism that prevents spoofing and tampering. . The replay attack prevention method in IPsec is to inspect the sequence number given to the packet on the transmission side on the reception side and discard the packet if it is a duplicate or old number in the past.

  On the other hand, in communication over the Internet or corporate network, the amount of communication increases, and packet delay or discard due to retention may occur. In this environment, there is a possibility that a packet that is vulnerable to delay like voice communication or a packet that is difficult to be discarded like life and death monitoring may be delayed or discarded. As a technique for preventing this, there is QoS (Quality of Service) control. QoS control assigns priority according to packet contents, passes packets with higher priority first (priority control), controls transmission amount (bandwidth control), and discards or queues according to packet contents. . For QoS control, prioritization is based on information using the TOS field in the IP packet header, using the VLAN Priority (User 802.1Q) User Priority bit, and OSI layer 3 or higher information. There is something to do.

  As a prior art, in the replay prevention processing of an IPsec packet, in order to provide the replay prevention processing for preventing packet discard even when the reception order is changed depending on the priority set for the packet, the IPsec packet replay prevention processing Even if the reception order by priority is changed by obtaining the priority of the packet from the information protected by the above, and performing the replay prevention process of the packet using the replay prevention window corresponding to the priority of the packet, A reception processing apparatus capable of performing replay prevention processing for preventing packet discard is known (for example, see Patent Document 1).

JP 2006-5425 A

  By the way, if the QoS process is performed after the IPsec process is performed, the order of the IPsec packets is changed by the priority control of the QoS process, the sequence number for preventing the replay attack is changed, or the packet is discarded by the QoS bandwidth control. Wake up and missing sequence numbers. When the sequence number is distorted, the IPsec packet receiving side detects an abnormality in the sequence number, and although it is not a replay attack, it is erroneously determined as a replay attack, and a normal packet is discarded. . In order to avoid such a problem, it is common to stop the replay attack prevention function on the receiving side.

  However, stopping the replay attack prevention function has a problem that it becomes vulnerable to the replay attack and should not be implemented.

  The present invention has been made in view of such circumstances, and when a packet subjected to IPsec processing on the transmission side is subjected to QoS control, the replay attack on the reception side can be stopped without stopping the replay attack prevention function on the reception side. An object of the present invention is to provide a packet communication apparatus, a packet communication method, and a packet communication program that can correct an IPsec sequence number on the transmission side so that erroneous packet discarding by the prevention function is not performed.

  In the present invention, sequence numbers are assigned by IPsec processing to packets transmitted from a terminal on the transmission side, and QoS processing is performed on packets to which the sequence numbers are assigned. Receiving means for receiving a packet, sequence number giving means for reassigning the sequence number given to the packet received by the receiving means in the order received by the receiving means, and giving the sequence number A check value updating means for recalculating the integrity check value of the corrected packet and updating the integrity check value given to the packet; and a packet on which the integrity check value has been updated And a transmission means for transmitting.

  The present invention is a packet communication device that performs IPsec processing and QoS processing to transmit a packet from a transmitting terminal to a receiving terminal, and receives a packet to be transmitted from the transmitting terminal. An IPsec processing means for outputting a packet subjected to IPsec processing by encrypting the packet, assigning a sequence number, and attaching an integrity check value to the received packet, and a packet subjected to the IPsec processing. Is input, the information of the priority defined in the packet is extracted, the QoS processing means for outputting the packets in the order of the priority, the packet output from the QoS processing means, and the input The sequence number assigned to the packet is reassigned to the sequence number in the order in which the packets are input. Re-calculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet; and the integrity check value is updated. Transmission means for transmitting the received packet to the receiving terminal.

  The present invention is a packet communication device that performs IPsec processing and QoS processing to transmit a packet from a transmitting terminal to a receiving terminal, and receives a packet to be transmitted from the transmitting terminal. Priority extraction means for extracting information on priority defined in the packet, encryption means for performing packet encryption processing on the received packet, and extraction by the priority extraction means Priority output means for outputting the encrypted packets in order of priority based on priority information, and assignment of sequence numbers and integrity check values for the packets output from the priority output means And a sequence number assigning means for transmitting the packet to which the sequence number is assigned to the receiving terminal. That.

  In the present invention, sequence numbers are assigned by IPsec processing to packets transmitted from a terminal on the transmission side, and QoS processing is performed on packets to which the sequence numbers are assigned. A receiving step for receiving a packet, a sequence number giving step for reassigning the sequence number given to the packet received by the receiving step in the order received by the receiving step, and a sequence number giving A check value update step of recalculating the integrity check value of the corrected packet and updating the integrity check value given to the packet; and a packet on which the integrity check value is updated And a transmission step of transmitting to.

  The present invention is a packet communication method for performing a IPsec process and a QoS process to transmit a packet from a transmitting terminal to a receiving terminal, and receiving a packet to be transmitted from the transmitting terminal. An IPsec processing step for outputting a packet subjected to IPsec processing by performing packet encryption, sequence number assignment, and integrity check value assignment for the received packet, and a packet subjected to the IPsec processing. , To extract information on the priority defined in the packet, to output the packets in the order of higher priority, and to input the packet output by the QoS processing step, The sequence number assigned to the packet is added to the sequence in the order in which the packets are input. A check value update step for recalculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet, and the integrity check. And a transmission step of transmitting the packet with the updated value to the receiving terminal.

  The present invention is a packet communication method for performing a IPsec process and a QoS process to transmit a packet from a transmitting terminal to a receiving terminal, and receiving a packet to be transmitted from the transmitting terminal. A priority extraction step for extracting priority information defined in the packet, an encryption step for performing packet encryption processing on the received packet, and extraction by the priority extraction step A priority output step for outputting the encrypted packets in order of priority based on priority information, and a sequence number and an integrity check value for the packets output by the priority output step A sequence number assigning step for performing transmission, and transmitting a packet to which the sequence number is assigned to the receiving terminal And having a step.

  In the present invention, sequence numbers are assigned by IPsec processing to packets transmitted from a terminal on the transmission side, and QoS processing is performed on packets to which the sequence numbers are assigned. A receiving step for receiving a packet, a sequence number giving step for reassigning the sequence number given to the packet received by the receiving step in the order received by the receiving step, and a sequence number giving A check value update step of recalculating the integrity check value of the corrected packet and updating the integrity check value given to the packet; and a packet on which the integrity check value is updated And a transmission step of transmitting to the computer. To.

  The present invention is a packet communication program for performing a IPsec process and a QoS process to transmit a packet from a transmitting terminal to a receiving terminal, and receiving a packet to be transmitted from the transmitting terminal. An IPsec processing step for outputting a packet subjected to IPsec processing by performing packet encryption, sequence number assignment, and integrity check value assignment for the received packet, and a packet subjected to the IPsec processing. , To extract information on the priority defined in the packet, to output the packets in the order of higher priority, and to input the packet output by the QoS processing step, Reassign the sequence numbers given to the packets in the order in which the packets were entered. A sequence number adding step, a check value updating step for recalculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet, and the integrity check The transmission step of transmitting the packet with the updated value to the receiving terminal is performed by a computer.

  The present invention is a packet communication program for performing a IPsec process and a QoS process to transmit a packet from a transmitting terminal to a receiving terminal, and receiving a packet to be transmitted from the transmitting terminal. A priority extraction step for extracting priority information defined in the packet, an encryption step for performing packet encryption processing on the received packet, and extraction by the priority extraction step A priority output step for outputting the encrypted packets in order of priority based on priority information, and a sequence number and an integrity check value for the packets output by the priority output step And a sequence number assigning step for transmitting the packet with the sequence number to the receiving terminal. Characterized in that to perform the transmitting step to the computer.

  According to the present invention, since the sequence number of the packet to be transmitted is reassigned on the transmission side, the packet is discarded by the replay attack prevention function on the reception side even if the IPsec processing and the QoS processing are performed. The effect that it can prevent is acquired.

It is a block diagram which shows the structure of one Embodiment of this invention. It is a flowchart which shows operation | movement of the sequence number allocation apparatus 4 shown in FIG. It is explanatory drawing which shows the structure of a packet frame. It is a block diagram which shows the modification of the apparatus shown in FIG. It is explanatory drawing which shows the structure of a packet frame. It is a sequence diagram which shows the processing operation between IPsec apparatuses. It is explanatory drawing which shows the structure of a packet frame. It is explanatory drawing which shows the processing operation | movement of Replay Window. It is explanatory drawing which shows the processing operation | movement of Replay Window. It is explanatory drawing which shows the processing operation | movement of QoS. It is explanatory drawing which shows the processing operation | movement of QoS.

  Hereinafter, a packet communication device according to an embodiment of the present invention will be described with reference to the drawings. Before describing the configuration of the packet communication apparatus, the functions of IPsec and QoS will be briefly described. First, IPsec will be described. IPsec has three characteristics: ensuring the confidentiality of transmission packets, ensuring the integrity of transmission packets, and authenticating the transmission packet source and confirming the transmission source. Confidentiality is to prevent eavesdropping on information in the packet by a third party by encrypting the transmission packet. Completeness is to prevent falsification by calculating the hash value of the entire transmission packet and causing the calculated value to not match when the third party falsifies. The transmission source is confirmed by authenticating the communication partner in performing IPsec communication. At this time, since an encryption key for ensuring confidentiality and a key for hash calculation are sent and received, this ensures that only the communicating parties have information that can be known by each other, and has been authenticated by communicating based on this information. To ensure communication with other parties.

  In addition, there are two types of IPsec protocols, tunnel mode and transport mode. The transport mode is a mode in which IPsec communication is performed only between IPsec devices. The tunnel mode encrypts all original transmission packets when the transmission packet is subjected to IPsec processing, and an IP header used only for communication with an IPsec device is added to the IP header used. Further, an ESP header having information specific to the IPsec protocol is added. The packet frame after the IPsec processing shown in FIG. 5 is sent to the other IPsec device.

  Further, in IPsec, prior to communication, key information and an algorithm to be used necessary for encryption and hash value calculation are negotiated with each other through communication using IPsec as shown in FIG. The algorithm / key information decided by the processing operation shown in FIG. 6 is a security association (hereinafter referred to as SA). A plurality of different SAs can be created between IPsec devices. Also, when connecting to a different IPsec device, a different SA is created. This is stored as a database in the IPsec device, and this database is called SADB (security association database). In order to identify the SA, an SPI (Security Policy Index) value included in the ESP header is used. IPsec communication is performed on this SA, and the encryption key, encryption algorithm, hash key, and hash algorithm are described in SADB searched by the SPI value.

  Next, the replay attack countermeasure sequence number will be described. IPsec communication is protected by the functions of confidentiality, integrity, and partner authentication, but if an attacker copies the data being communicated and sends it to the same partner, the receiving side It is misrecognized as data, undergoes reception processing, and is transmitted to the terminal as usual. Such an attack is called a replay attack. In IPsec communication, in order to prevent this replay attack, the ESP header includes a sequence number that is incremented by 1 for each transmission. By checking this sequence number on the receiving side, it is checked whether a duplicate packet has been received or a packet that has been received in the past due to a replay attack, and if it is detected, the attack is prevented by discarding the packet. be able to. The Replay attack defense method has no problem if the sequence numbers of all the packets are stored. However, if all the numbers are stored, if the amount of data increases, a large amount of memory is consumed, and more time is required for checking. There are problems such as this.

  In order to avoid such a problem, a mechanism called “Replay Window” for checking a certain range is provided. In the mechanism of the Replay Window, the sequence number of the received IPsec packet having the largest numerical value is set as the maximum value, and then the sequence number is checked for duplication within a certain range. Data received with a numerical value smaller than the range is determined to be a replay attack in the past data and discarded. Every time the maximum value is updated, the window is shifted to the maximum value and the range is moved. Details of the window operation will be described with reference to FIGS. Here, it is assumed that packets are received in the order of the sequence numbers shown in FIG. 8 (sequence numbers 2, 1, 3, 4, 8, 6, 7, 5), and the window size is 2.

  First, since the packet of sequence number 2 has not been received in the window, reception processing is performed (FIG. 8 (1)). Note that the diagonal lines attached to the packets indicate that they have been received. Subsequently, since the packet of sequence number 1 has not been received in the window, reception processing is performed (FIG. 8 (2)). Next, since the packet with the sequence number 3 is the maximum value, the window is moved, and the packet with the sequence number 3 is not received in the window, and therefore reception processing is performed ((3) in FIG. 8).

  Next, since the packet with the sequence number 4 is the maximum value, the window is moved. Since the packet with the sequence number 4 has not been received in the window, reception processing is performed ((4) in FIG. 8). Subsequently, since the packet with the sequence number 8 is the maximum value, the window is moved. Since the packet with the sequence number 8 has not been received in the window, reception processing is performed (FIG. 9 (5)).

  Next, since the packet of sequence number 6 is a past packet outside the current window, a discarding process is performed (FIG. 9 (6)). Subsequently, the packet with the sequence number 7 is in the current window, and reception processing is performed because it has not been received ((7) in FIG. 9). Since the packet of sequence number 5 is a past packet outside the current window, a discarding process is performed (FIG. 9 (9)).

  As described above, in the control while moving the window, when the order is largely out of order, there is a situation where the packets cannot be received like the packets of the sequence numbers 5 and 6 although they are not received.

  Next, the QoS process will be briefly described. QoS is a technique for ensuring the quality of communication on a communication network. When the amount of communication increases and delays or discards occur in data that cannot be transmitted, or when the network bandwidth (transmission amount for a certain period of time) is determined, but the communication amount exceeds the bandwidth Needs to control the communication data using QoS technology and preferentially flow packets that cause problems due to delay or discard, or if the bandwidth is determined, do not transmit more than the bandwidth. is there. QoS mainly includes priority control (control to prioritize data flowing on the network, transmission from the highest priority to the next device, etc.) and bandwidth control (adjusting the amount of data flowing on the network, constant In order to prevent the above data amount from flowing, control such as queuing and discarding is performed.

  In the priority control, as shown in FIG. 10, the packet to be transmitted is examined to determine the priority. If there is a queue for each priority and there are queues with higher and lower priority at the transmission timing, transmission is performed from the highest priority. Band control is to control the transmission band so as not to be transmitted beyond a predetermined amount. Data that exceeds the bandwidth is queued or discarded.

  Next, the relationship between IPsec processing and QoS control will be described. The sequence number used in the IPsec process is for defense against the replay attack. However, when the order is changed by the QoS control, it may be erroneously recognized as the replay attack. The window size of the replay attack prevention check has a certain width (for example, 32 packets) in consideration of some change of order on the network. However, there is a problem when the order is greatly out of the window size, and there is a problem. For general IPsec devices, it is possible to perform a setting to prevent discarding by stopping the replay prevention function. ing. Of course, if the replay prevention function is stopped, there is a problem that it is impossible to defend against replay attacks.

  For example, in the example shown in FIG. 11, since packets with high priority overtake 50 packets with low priority, packets with low priority sequence numbers 2 and 3 are misrecognized as a replay attack even if they reach the other party. Will be discarded.

  QoS control includes bandwidth control, which controls the amount of data to be transmitted. In IPsec processing, since a packet unique to IPsec is added to a packet transmitted from a terminal, the amount of data increases. If QoS control is performed before IPsec processing so as not to cause out of order due to QoS control, even if QoS control is performed so that the amount of data does not exceed a certain level, the amount of data increases due to IPsec processing. As a result, the bandwidth that should have been controlled is exceeded. Therefore, it is desirable to perform the bandwidth control process in the QoS control after the IPsec process.

  However, when prioritizing QoS control, it is desirable to perform prior to IPsec processing. If you want to use the OSI layer 3 or higher in the data sent by the terminal, if you perform IPsec processing, almost all packets will be encrypted, and the information necessary to prioritize will be lost Because it ends up. What can be used after IPsec processing is about the priority data existing in the TOS field of the IP header, but the IPsec device has the same TOS field in the original IP header as the TOS field in the IP header added by IPsec. It is assumed that a value is written. Depending on the device, the TOS field of the IP header may not be copied. In addition, User Priority information of the VLAN tag (IEEE 802.1Q) of the OSI second layer can be used as information for assigning priority. However, this also requires the IPsec device to pass the VLAN tag to the QoS control device.

  Next, the configuration of the packet communication apparatus will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of a packet communication apparatus according to an embodiment of the present invention. In this figure, reference numeral 1 denotes a terminal that transmits information. Reference numeral 2 denotes an IPsec processing apparatus that performs IPsec processing on a packet of information to be transmitted by the terminal 1. Reference numeral 3 denotes a QoS processing device that performs QoS processing on a packet output from the IPsec processing device 2. Reference numeral 4 denotes a sequence number assigning device that assigns a sequence number to a packet output from the QoS processing device 3. Reference numeral 5 denotes a WAN (Wide Area Network). Reference numeral 6 denotes an IPsec processing apparatus that performs IPsec processing on a packet transmitted from the terminal 1 via the WAN 5. Reference numeral 7 denotes a terminal that receives a packet of information transmitted from the terminal 1, and receives a packet output from the IPsec processing apparatus 6 as a packet to be received.

  Reference numeral 41 denotes a packet receiving unit that receives a packet transmitted by the QoS processing device 3. Reference numeral 42 denotes an IPsec analysis unit that analyzes the configuration of a packet received by the packet reception unit 41. Reference numeral 43 denotes an IPsec processing unit that performs IPsec sequence number assignment processing and hash recalculation processing with reference to information on a result of analysis performed by the IPsec analysis unit 42. Reference numeral 44 denotes a packet transmission unit that transmits a packet output from the IPsec processing unit 43. Reference numeral 45 is a SADB (security association database). The sequence number assigning device 4 includes a packet receiving unit 41, an IPsec analyzing unit 42, an IPsec processing unit 43, a packet transmitting unit 44, and an SADB 45.

  Next, the processing operation of each apparatus shown in FIG. 1 will be described. First, a security association is established for performing IPsec communication between the IPsec processing device 2 and the IPsec processing device 6. Then, the IPsec processing apparatus 2 uses the key value and the hash calculation algorithm type of the keyed hash used for the falsification prevention integrity check value calculation in the constructed security association, and the SPI value (Security Policy) for identifying the security association. Index value) is notified to the sequence number assigning device 4. Although this notification method is not particularly limited, it is desirable that the notification is encrypted for security reasons. For example, IPsec communication is configured between the IPsec processing device 2 and the sequence number assigning device 4 and is secured using IPsec. Use a notification method. Since IPsec has an authentication function for identifying a partner, it is possible to avoid passing information to the wrong partner.

  Next, a packet of information to be transmitted from the terminal 1 is transmitted. The transmitted packet is subjected to IPsec processing in the IPsec processing apparatus 2, and packet encryption, sequence number assignment, and tampering prevention integrity check value (ICV: Integrity Check Value) are given. At this time, the sequence number is not the object of encryption but only the protection by this hash. The frame structure of the ESP packet generated here is shown in FIG.

  Next, when the QoS processing device 3 receives the IPsec-processed packet from the IPsec processing device 2, the QoS processing device 3 extracts the priority from the User Priority bit of the VLAN tag or the TOS field in the IP header, and controls the transmission amount. Packets are transmitted according to priority.

  Next, the packet receiving unit 41 receives the packet from the QoS processing device 3 and passes it to the IPsec analyzing unit 42. The IPsec analysis unit 42 refers to the SADB 45, identifies a security association (SA) from the SPI value of the IPsec processed packet, and outputs this SA and the packet to the IPsec processing unit 43. The IPsec processing unit 43 extracts the number from the sequence number associated with the SA analyzed by the IPsec analysis unit 42 and overwrites the sequence number of the packet. Then, after overwriting the sequence number, the IPsec processing unit 43 recalculates the integrity check value (ICV), overwrites the ICV, and delivers the packet to the packet transmission unit 44. The packet transmission unit 44 transmits this packet.

  The packet transmitted from the packet transmission unit 44 is received by the IPsec processing device 6 via the WAN 5, and the received packet is subjected to IPsec processing and delivered to the terminal 7. Thereby, the packet transmitted from the terminal 1 is received by the terminal 7.

  Next, a detailed processing operation of the sequence number assigning device 4 will be described with reference to FIG. First, when the packet receiving unit 41 receives a packet (step S1), the IPsec analyzing unit 42 determines whether or not the received packet is an IPsec packet (step S2). If the result of this determination is not an IPsec packet, the subsequent processing is not performed. On the other hand, if the packet is an IPsec packet, the IPsec analysis unit 42 extracts the SPI value from the ESP header (step S3). Then, the IPsec analysis unit 42 searches the SADB 45 with the SPI value, and extracts the hash algorithm and the hash key (step S4).

  Then, it is determined whether or not there is SADB (step S5). If there is no SADB, the subsequent processing is not performed. On the other hand, if there is SADB, the IPsec processing unit 43 takes out the counter value of the SADB table, writes it in the sequence number of the ESP header, and increments the counter value by “1” (step S6). Subsequently, the IPsec processing unit 43 performs a hash calculation of the IPsec packet by using the hash algorithm and the hash key of the SADB table, and writes it in the ICV (step S7). Next, the packet transmission unit transmits the packet processed in the IPsec process (step S8).

  Next, with reference to FIG. 4, a modification of the apparatus configuration will be described with reference to FIG. The apparatus configuration shown in FIG. 4 is different from the apparatus configuration shown in FIG. 1 in that an IPsec processing apparatus, a QoS processing apparatus, and a sequence number assigning apparatus are housed in the same apparatus IPsec / QoS processing apparatus 8. The processing operation of the apparatus shown in FIG. 4 will be described with reference to FIG.

  First, a security association is established for performing IPsec communication between the IPsec / QoS processing device 8 and the IPsec processing device 6. In the IPsec / QoS processing device 8, the key value, the hash calculation algorithm type, and the SPI value for identifying the security association of the keyed hash used for the falsification prevention integrity check value calculation in the constructed security association (Security Policy Index value) can be referred to in the IPsec sequence number assignment processing.

  The QoS preprocessing unit 81 performs prioritization with reference to the upper layers (three or more layers) of the IP packet before encryption by performing the processing before performing the IPsec processing. The priority assigned in the pre-processing is taken over to the QoS post-processing unit 83, and QoS processing is performed in the post-processing with the priority assigned in the pre-processing. After the QoS pre-processing is completed, the process proceeds to IPsec processing. The IPsec processing unit 82 performs only encryption, and the sequence number is assigned by the sequence number assignment processing unit 84. At this time, the sequence number is not assigned twice. After the IPsec process, the process proceeds to the QoS post-process.

  The QoS post-processing unit 83 controls the transmission amount with the priority given in the QoS pre-processing, and delivers the packet to the sequence number assignment processing unit 84 in accordance with the priority order. The sequence number assignment processing unit 84 specifies a security association (SA) from the IPsec SPI value, assigns a sequence number associated with the SA, calculates an integrity check value (ICV), writes it to the ICV, and transmits it.

  Note that the QoS processing performed by the IPsec / QoS processing device 8 has a function of judging QoS before the IPsec processing and holding the information even after the IPsec processing is performed, and further using the information after the IPsec processing. Since the QoS processing can be performed, the QoS processing can be performed in consideration of an increase in packet data length due to data added by IPsec.

  In the technique of Patent Document 1, the reception processing side attempts to avoid a problem that occurs by performing a replay attack prevention check for each priority information. This is effective when a packet that has undergone IPsec processing is subjected to QoS control when the packet passes through the network and the sequence number is incorrect. However, it is possible to perform QoS preprocessing using packet information before IPsec processing, and to perform IPsec processing. It cannot cope with an apparatus that performs IPsec processing and QoS control integrally, such as QoS control performed later. Further, in the method of Patent Document 1, since priority information that can be determined on the receiving side is used, if priority information is lost after the transmitting side assigns priorities, the receiving side determines the priority information. It becomes impossible to discriminate, and a false detection of a replay attack occurs. For example, when User Priority on the VLAN is used as the priority, the VLAN tag itself is lost when transmitting to the Internet, so the priority cannot be determined on the receiving side. In addition, if the priority information used in the QoS processing on the transmission side cannot be completely understood by the reception side, erroneous packet discard due to the replay attack prevention function occurs.

  On the other hand, in the present invention, after the QoS processing on the transmission side, the IPsec sequence number is reassigned, or the IPsec sequence number is assigned after the QoS processing, so that no processing is performed on the reception side. It is possible to eliminate erroneous packet discard due to the replay attack prevention function. The IPsec sequence number is stored in the ESP header included in the IPsec packet and is not the object of encryption. Therefore, it is not necessary to decrypt and reassign the sequence number. However, since it is an object of integrity check, it is necessary to perform keyed hash calculation again. Since the hash calculation used in the integrity check requires a key for each SA (security association) as in encryption, after the sequence number is corrected, the hash is recalculated using this key. The integrity check key is obtained together with the SA information from the IPsec processing apparatus.

  As described above, since the sequence number of the packet is reassigned, the problem that the packet is discarded by the replay attack prevention function on the receiving side can be prevented. In addition, if IPsec processing and QoS control can be performed within one device, data before IPsec processing can be used as a QoS condition, and further, after performing IPsec processing, QoS control using the conditions can be performed. This can be accurately performed by QoS bandwidth control in consideration of an increase in data amount due to processing.

  1 and 4 are recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed. Sequence number assignment processing may be performed. The “computer system” here includes an OS and hardware such as peripheral devices. The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

  DESCRIPTION OF SYMBOLS 1 ... Terminal, 2 ... IPsec processing apparatus, 3 ... QoS processing apparatus, 4 ... Sequence number allocation apparatus, 41 ... Packet receiving part, 42 ... IPsec analysis part, 43 ... IPsec processing unit, 44 ... packet transmission unit, 45 ... SADB, 5 ... WAN, 6 ... IPsec processing device, 7 ... terminal, 8 ... IPsec / QoS processing device, 81 ... QoS pre-processing unit, 82 ... IPsec processing unit, 83 ... QoS post-processing unit, 84 ... sequence number assignment processing unit

Claims (9)

Packets sent from the sending terminal are assigned a sequence number by IPsec processing, and packets sent in order of priority are received by performing QoS processing on the packets to which the sequence number is assigned. Receiving means;
Sequence number giving means for reassigning the sequence numbers given to the packets received by the receiving means in the order received by the receiving means;
Check value updating means for recalculating the integrity check value of the packet to which the sequence number has been reassigned and updating the integrity check value assigned to the packet;
A packet communication apparatus comprising: a transmission unit configured to transmit the packet with the updated integrity check value to a receiving terminal. A packet communication device that performs IPsec processing and QoS processing to transmit a packet from a transmitting terminal to a receiving terminal,
A packet that has been subjected to IPsec processing by receiving a packet to be transmitted from the terminal on the transmitting side and performing packet encryption, sequence number assignment, and integrity check value addition to the received packet. An IPsec processing means for outputting;
QoS processing means for inputting a packet that has been subjected to the IPsec process, extracting information on priority levels defined in the packet, and outputting packets in order of priority.
A sequence number giving means for inputting a packet output from the QoS processing means, and reassigning the sequence numbers given to the packets in the order in which the packets are inputted;
Check value updating means for recalculating the integrity check value of the packet to which the sequence number has been reassigned and updating the integrity check value assigned to the packet;
A packet communication apparatus comprising: a transmission unit configured to transmit the packet with the updated integrity check value to the receiving terminal. A packet communication device that performs IPsec processing and QoS processing to transmit a packet from a transmitting terminal to a receiving terminal,
A priority extraction means for receiving a packet to be transmitted from the terminal on the transmission side, and extracting information on a priority defined in the packet;
Encryption means for performing packet encryption processing on the received packet;
Priority output means for outputting the encrypted packets in descending order of priority based on the priority information extracted by the priority extraction means;
Sequence number giving means for assigning sequence numbers and integrity check values to packets output from the priority output means;
A packet communication apparatus comprising: a transmission unit configured to transmit the packet with the sequence number to the receiving terminal. Packets sent from the sending terminal are assigned a sequence number by IPsec processing, and packets sent in order of priority are received by performing QoS processing on the packets to which the sequence number is assigned. Receiving step;
A sequence number giving step for reassigning the sequence numbers given to the packets received by the receiving step in the order received by the receiving steps;
A check value update step of recalculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet;
And a transmission step of transmitting the packet with the updated integrity check value to a receiving terminal. A packet communication method for performing a IPsec process and a QoS process to transmit a packet from a transmitting terminal to a receiving terminal,
A packet that has been subjected to IPsec processing by receiving a packet to be transmitted from the terminal on the transmitting side and performing packet encryption, sequence number assignment, and integrity check value addition to the received packet. An IPsec processing step to output;
A QoS processing step of inputting a packet on which the IPsec processing has been performed, extracting information on the priority defined in the packet, and outputting the packets in order of the priority;
A sequence number assigning step of inputting a packet output by the QoS processing step, and reassigning the sequence number assigned to the packet in the order in which the packets are inputted;
A check value update step of recalculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet;
And a transmission step of transmitting the packet with the updated integrity check value to the receiving terminal. A packet communication method for performing a IPsec process and a QoS process to transmit a packet from a transmitting terminal to a receiving terminal,
A priority extraction step of receiving a packet to be transmitted from the terminal on the transmission side and extracting information on a priority defined in the packet;
An encryption step for performing packet encryption processing on the received packet;
A priority output step of outputting the encrypted packets in descending order of priority based on the priority information extracted by the priority extraction step;
A sequence number giving step for assigning a sequence number and an integrity check value to the packet output by the priority output step;
And a transmission step of transmitting the packet to which the sequence number is assigned to the terminal on the receiving side. Packets sent from the sending terminal are assigned a sequence number by IPsec processing, and packets sent in order of priority are received by performing QoS processing on the packets to which the sequence number is assigned. Receiving step;
A sequence number giving step for reassigning the sequence numbers given to the packets received by the receiving step in the order received by the receiving steps;
A check value update step of recalculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet;
A packet communication program that causes a computer to perform a transmission step of transmitting a packet with an updated integrity check value to a receiving terminal. A packet communication program that performs IPsec processing and QoS processing and transmits a packet from a transmitting terminal to a receiving terminal,
A packet that has been subjected to IPsec processing by receiving a packet to be transmitted from the terminal on the transmitting side, and performing packet encryption, sequence number assignment, and integrity check value addition to the received packet. An IPsec processing step to output;
A QoS processing step of inputting a packet on which the IPsec processing has been performed, extracting information on a priority defined in the packet, and outputting the packets in order of the priority;
A sequence number assigning step of inputting a packet output by the QoS processing step, and reassigning the sequence number assigned to the packet in the order in which the packets are input;
A check value update step of recalculating the integrity check value of the packet to which the sequence number has been reassigned, and updating the integrity check value assigned to the packet;
A packet communication program for causing a computer to perform a transmission step of transmitting a packet with the updated integrity check value to the receiving terminal. A packet communication program that performs IPsec processing and QoS processing and transmits a packet from a transmitting terminal to a receiving terminal,
A priority extraction step of receiving a packet to be transmitted from the terminal on the transmission side and extracting information on a priority defined in the packet;
An encryption step for performing packet encryption processing on the received packet;
A priority output step of outputting the encrypted packets in descending order of priority based on the priority information extracted by the priority extraction step;
A sequence number giving step for assigning a sequence number and an integrity check value to the packet output by the priority output step;
A packet communication program causing a computer to perform a transmission step of transmitting a packet to which the sequence number is assigned to the receiving terminal.

Images