JP2010220038A - Gateway apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a gateway apparatus securing suitable CPU resources when an encryption packet is transferred via a virtual dedicated communication path formed in a public network. <P>SOLUTION: Arithmetic processing including encryption processing is monitored to calculate a processing load value. The processing load value is compared with a predetermined setting determination value. An encryption algorithm is selected and set, as well as a communication rate, in accordance with a result obtained by the comparison. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a gateway device that forms a tunnel, which is a virtual communication path, in a communication network and relays encrypted packets through the tunnel.

  In recent years, communication using VPN (Virtual Private Network) technology is being introduced from the viewpoint of security. VPN is a technique for performing so-called encapsulation processing on a packet to form a virtual dedicated communication path (so-called tunnel) in the public network, and further performing encryption processing for transmission. There is an advantage that a dedicated communication path can be established at a lower cost compared to introducing a dedicated line between bases.

  Thus, it is essential to perform an encryption process on a packet transmitted / received via a public network. Normally, a CPU (Central Processing Unit) of a gateway device having a VPN function performs encryption processing on a packet, but a certain amount of processing load is generated. In most cases, the CPU executes encryption processing and other applications in parallel, and if the processing load is large, the processing capacity of the CPU may be exceeded. Therefore, it is necessary to adjust the load of encryption processing by the CPU.

  For example, Patent Document 1 discloses a communication device that adjusts the processing load of a CPU by changing an encryption algorithm for performing an encryption process on a packet.

JP 2004-254286 A

  However, since general communication apparatuses such as Patent Document 1 usually have only two or three types of encryption algorithms (for example, 3DES and AES-CBC), only two or three stages of load adjustment can be performed. There was a problem. In addition, when the security policy is set so that only the use of a single encryption algorithm is permitted by the user, there is a problem that the communication apparatus according to Patent Literature 1 cannot perform load adjustment. Furthermore, even if the encryption algorithm is changed, there is a problem that there is no other workaround when the processing load of the entire CPU exceeds its processing capacity.

  The present invention has been made in view of the above-described problems, and secures appropriate CPU resources when communicating encrypted packets via a virtual dedicated communication path formed in a public network. An object of the present invention is to provide a gateway device capable of performing the above.

  A gateway device according to the present invention includes a tunnel forming unit that forms a tunnel in a communication network in response to a tunnel formation command from a communication terminal, and an encryption process for a packet issued from the communication terminal according to a currently set encryption algorithm And a relay unit that relays the encrypted packet via the tunnel, and an algorithm storage that stores at least one usable encryption algorithm Means, a load monitoring unit for monitoring a calculation process including the encryption process and calculating a current processing load value, and the use according to a result obtained by comparing the current processing load value and a setting determination value. One of the possible encryption algorithms is selected and set as the currently set encryption algorithm and the encryption packet Characterized in that it comprises a control unit for setting the bets communication rate, the.

  Further, the gateway device according to the present invention includes a tunnel forming unit that forms a tunnel in a communication network for each tunnel formation command from at least one communication terminal, and a current for each tunnel with respect to a packet issued from the communication terminal. An encryption unit that performs an encryption process according to a set encryption algorithm and obtains an encrypted packet; and a relay unit that relays the encrypted packet via 1 corresponding to the tunnel formation command of the tunnel An algorithm storage means for storing at least one usable encryption algorithm for each of the tunnels; a load monitoring unit for monitoring a calculation process including the encryption process and calculating a current processing load value; The available encryption for each tunnel according to a result obtained by comparing the current processing load value and a setting determination value Characterized in that it comprises a control unit that sets a communication rate of said encrypted packet with 1 to select the sets this as the currently set encryption algorithm of the algorithm.

  According to the gateway device of the present invention, it is possible to secure appropriate CPU resources when communicating encrypted packets via a virtual dedicated communication path formed in the public network.

It is the block diagram which represented the gateway apparatus by a present Example with the communication terminal, the communication network, and the tunnel. It is a block diagram showing the gateway apparatus by a present Example. It is a figure showing a load prediction table. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is a figure showing an example of a data table. It is a sequence diagram showing the production | generation process sequence of the tunnel by a gateway apparatus. It is a sequence diagram showing the encryption algorithm and the band reset process sequence about the tunnel by a gateway apparatus. It is a flowchart showing the CPU load adjustment process routine by an encryption communication management part. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is the figure which represented typically the processing load of CPU which is performing encryption processing and an application. It is a sequence diagram showing the encryption algorithm and the band reset process sequence about the tunnel by a gateway apparatus. It is a flowchart showing the CPU load adjustment process routine by an encryption communication management part.

  Hereinafter, embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

<First embodiment>
FIG. 1 is a network configuration diagram illustrating the gateway device 100 according to the present embodiment together with the gateway device 200, communication terminals 300 and 400, communication networks 500, 600 and 700, and a tunnel 710.

  The gateway device 100 is a gateway device that relays packets between a communication network 500 such as a LAN (Local Area Network) and a communication network 700 such as the Internet. In response to a VPN (Virtual Private Network) tunnel establishment command from a communication terminal 300 such as a personal computer having a communication function, for example, the gateway device 100 is a virtual dedicated communication path between the gateway device 200 and a communication partner. A so-called tunnel 710 is formed. The gateway device 200 relays the packet from the communication terminal 300 to the gateway device 200 via the tunnel 710, and relays the packet from the gateway device 200 that arrives via the tunnel 710 to the communication terminal 300. The gateway device 200 has the same function as the gateway device 100.

  FIG. 2 is a block diagram illustrating the gateway device 100 according to the present embodiment.

  The gateway device 100 includes a resource monitoring unit 110, an encrypted communication management unit 120, a data table 130, a communication unit 140, an arithmetic processing unit 150, a storage unit 160, and a notification unit 170.

  The resource monitoring unit 110 periodically monitors so-called CPU resources, and calculates an average value of processing loads (hereinafter referred to as load average). In this block diagram, the resource monitoring unit 110 monitors the processing load of the arithmetic processing unit 150 and the processing load of an encryption / decryption unit 144 (described later) included in the communication unit 140 to calculate a load average. For convenience of explanation, the arithmetic processing unit 150 and the encryption / decryption unit 144 are separated, but these two functions are included in one CPU.

  The load average is calculated, for example, as a CPU usage rate, and is, for example, an average value of execution waiting processes during a predetermined period TM. In this case, the user can set the predetermined period TM to a desired value such as 1 second, and the resource monitoring unit 110 calculates the load average for each of the set predetermined periods TM. The higher the load average, the more effective waiting processes and the greater the processing load on the CPU. For example, when performing high-throughput encrypted communication, the load average becomes high.

  The resource monitoring unit 110 gives the load average obtained by the calculation to the resource controller 121 described later included in the encrypted communication management unit 120 for each predetermined period TM. The resource monitoring unit 110 may be a function included in the CPU that realizes the functions of the arithmetic processing unit 150 and the encryption / decryption unit 144, or may be a function implemented in a different microprocessor. There may be.

  The encrypted communication management unit 120 includes a resource controller 121, a key exchange unit 122, an encryption / decryption algorithm setting unit (hereinafter referred to as algorithm setting unit) 123, and a band setting unit 124.

  The resource controller 121 issues instructions to the algorithm setting unit 123, the band setting unit 124, and the key exchange unit 122 based on the load average from the resource monitoring unit 110, and adjusts the load average of the CPU.

  The resource controller 121 determines encryption algorithm, communication rate (hereinafter referred to as bandwidth), tunnel deletion and re-formation based on a load prediction table as shown in FIG. 3, for example.

  FIG. 3 is a diagram illustrating a load prediction table. In the “encryption algorithm” column, the type of the encryption algorithm is set. For example, AES (Advanced Encryption Standard), 3DES (3 (Triple) Data Encryption Standard), DES, and the like. In the “communication bandwidth” column, bandwidths such as 100 Mbps, 80 Mbps, 60 Mbps,... Are set for each encryption algorithm. In the “Load specification value” column, when a packet is encrypted with a certain encryption algorithm when communicating in a certain band, the predicted value of the CPU processing load that will be generated by the encryption processing is standardized. Is set.

  For example, assuming that the processing limit value of the CPU is 100, when communication is performed with the encryption algorithm AES when performing communication at a bandwidth of 100 Mbps, a processing load corresponding to half of the processing limit value of the CPU is generated. When expected, it is preset as the load standard value 50. The CPU processing limit value depends on CPU specifications, the configuration of software for executing other applications, the presence or absence of an accelerator for encryption processing, and the like. Therefore, it is necessary to tune in advance to know how much processing load is generated when using any encryption algorithm and how much processing load is generated when the bandwidth is used according to conditions such as these specifications. Set the load standard value.

  Hereinafter, an example of changing the encryption algorithm and bandwidth by the resource controller 121 will be described.

  4A and 4B are diagrams schematically showing the processing load of the CPU executing the encryption process and the applications A and B. FIG. The vertical axis is a processing load value normalized with the processing limit value of the CPU as 100, for example. Currently, the CPU is performing encryption processing with a bandwidth of 100 Mbps using the encryption algorithm AES, and as shown in FIG. 4A, the current processing load value RA exceeds the upper limit determination value JT. Here, the current processing load value RA is the load average at the current time point notified from the resource monitoring unit 110, and RA = 105. The upper limit determination value is a determination value set in advance by the user, and JT = 100.

  The resource controller 121 determines that the current processing load value RA = 105 exceeds the upper limit determination value JT = 100, and refers to the load prediction table so that the load average is lower than the upper limit determination value JT = 100. Change the encryption algorithm from the currently set AES to 3DES. That is, the resource controller 121 changes the encryption algorithm to 3DES, which has a relatively smaller processing load than AES. In the load prediction table shown in FIG. 3, the load standard value of the encryption algorithm AES and the bandwidth of 100 Mbps is 50, and the load standard value of 3DES and 100 Mbps is 40. As a result, as shown in FIG. 4B, the current processing load value RA = 95 is lower than the upper limit determination value JT = 100. The current processing load value RA = 95 is the load average notified from the resource monitoring unit 110 in the next cycle (after the predetermined period TM has elapsed).

  Note that the resource controller 121 does not change the setting of the encryption algorithm as described above when only one encryption algorithm is set in the “available encryption algorithm” column of the data table 130 described later. .

  FIGS. 5A and 5B are diagrams schematically showing the processing load of the CPU executing the encryption process and the applications A and B as in FIG. As shown in FIG. 5A, the current processing load value RA exceeds the upper limit determination value JT. Here, it is assumed that the current processing load value RA = 105 and the upper limit determination value JT = 100.

  The resource controller 121 determines that the current processing load value RA = 105 exceeds the upper limit determination value JT = 100, and refers to the load prediction table so that the load average is lower than the upper limit determination value JT = 100. The bandwidth is changed from the currently set 100 Mbps to 80 Mbps. That is, the resource controller 121 reduces the bandwidth. In the load prediction table shown in FIG. 3, the load standard value for the encryption algorithm AES and the bandwidth of 100 Mbps is 50, and the load standard value for the AES and 100 Mbps is 40. As a result, as shown in FIG. 5B, the current processing load value RA = 95 falls below the upper limit determination value JT = 100.

  6A, 6B, and 6C are diagrams schematically showing the processing load of the CPU that is executing the encryption process and the applications A and B as in FIG. As shown in FIG. 6A, the current processing load value RA exceeds the upper limit determination value JT. Here, it is assumed that the current processing load value RA = 105 and the upper limit determination value JT = 100.

  The resource controller 121 determines that the current processing load value RA = 105 exceeds the upper limit determination value JT = 100, and refers to the load prediction table so that the load average is lower than the upper limit determination value JT = 100. Change the encryption algorithm from the currently set AES to 3DES. That is, the resource controller 121 changes the encryption algorithm to 3DES, which has a relatively smaller processing load than AES. As a result, as shown in FIG. 5B, although the load of the encryption process decreases, for example, when the execution process load of the application B increases, for example, the current process load value RA = 102, and the upper limit determination is still performed. The value JT = 100 will be exceeded.

  In this case, the resource controller 121 determines that the current processing load value RA = 102 exceeds the upper limit determination value JT = 100, and refers to the load prediction table so that the load average falls below the upper limit determination value JT = 100. For example, the bandwidth is changed from 100 Mbps currently set to 80 Mbps. As a result, as shown in FIG. 6C, the current processing load value RA = 92 falls below the upper limit determination value JT = 100. The above example is an example in which the bandwidth is changed after the encryption algorithm is changed, but the encryption algorithm may be changed after the bandwidth is changed.

  In the above example described with reference to FIGS. 5 and 6, the resource controller 121 changes the bandwidth within a range that does not fall below the minimum guaranteed bandwidth preset by the user. For example, when 10 Mbps is set as the minimum guaranteed bandwidth, even if the resource controller 121 determines that the current processing load value RA does not fall below the upper limit determination value JT unless the bandwidth is set below 10 Mbps, The bandwidth is not set to 10 Mbps or less, and a notification instruction to the notification unit 170 described later and / or a deletion instruction of the tunnel 710 to the key exchange unit 122 is performed.

  As in the above example described with reference to FIGS. 4 to 6, the resource controller 121 refers to the load prediction table, changes the setting of the encryption algorithm and / or the bandwidth, and sets the load average (current processing load value RA). Lower than the upper limit judgment value JT. Thereby, CPU resources can be secured so as not to exceed the processing capacity of the CPU.

  FIGS. 7A and 7B are diagrams schematically showing the processing load of the CPU executing the encryption process and the applications A and B as in FIG. For example, 10 Mbps is preset as the minimum guaranteed bandwidth, and the encryption processing of the bandwidth 10 Mbps by the encryption algorithm DES is currently performed by the CPU. As shown in FIG. 7A, the current processing load value RA = 110 exceeds the upper limit judgment value JT = 100.

  In this case, although the current processing load value RA = 110 exceeds the upper limit determination value JT = 100, the resource controller 121 lowers the bandwidth below this because the bandwidth has already been set to the minimum guaranteed bandwidth 10 Mbps. If it is not determined, the key exchange unit 122 is instructed to delete the tunnel 710. At this time, the resource controller 121 sets 0 Mbps in a “current bandwidth” column of the data table 130 described later. As a result, the CPU processing load is reduced and CPU resources can be secured.

  After the tunnel 710 is deleted, for example, it is assumed that the execution processing load of the applications A and B decreases, and the current processing load value RA is below the re-formation determination value JR as shown in FIG. 7B. The regeneration determination value JR is a value preset by the user.

  In this case, the resource controller 121 determines that the current processing load value RA is lower than the reconfiguration determination value JR, and refers to the load prediction table so that the load average does not exceed the upper limit determination value JT = 100. The encryption algorithm and bandwidth are set, and the key exchange unit 122 is instructed to re-create the previously deleted tunnel 710 (the tunnel in which the “current bandwidth” column of the data table 130 is set to 0 Mbps).

  In the above example described with reference to FIGS. 4 to 7, the resource controller 121 may arbitrarily change the setting of either the encryption algorithm or the band, but performs an encryption process with a security level as high as possible. From the viewpoint of performing high-throughput communication, it is desirable to select the encryption algorithm from a relatively high level and a relatively high band in order from among setting changes in which the load average falls below the upper limit determination value JT. For example, the encryption algorithm is in the order of AES, 3DES, and DES, and the bandwidth is in the order of, for example, 100 Mbps, 80 Mbps, and 60 Mbps.

  The load prediction table shown in FIG. 3 is set with load prediction values for each process. Instead, for example, the load decrease value or the load increase value when the encryption algorithm and / or bandwidth is changed. May be set. In this case, the resource controller 121 changes the encryption algorithm and / or bandwidth based on the difference between the load decrease value or the load increase value and the current processing load value RA. The load prediction table may be stored in, for example, the storage unit 160 such as a hard disk or RAM or another storage medium (not shown), or may be held as data in the resource controller 121. .

  When a plurality of tunnels 71 are formed, the resource controller 121 selects one tunnel according to the priority set in the data table 130 described later, and the encryption algorithm and / or bandwidth for the one tunnel is selected. Change the setting.

  In this way, the resource controller 121 refers to the load prediction table and the data table 130 described later, and determines encryption algorithm and bandwidth settings, tunnel deletion, and re-formation.

  The key exchange unit 122 forms a tunnel 710 in the communication network 700 in response to a tunnel formation command from the communication terminal 300. The key exchange unit 122 forms a tunnel 710 according to a key exchange protocol such as IKE (Internet Key Exchange) or IKEv2. The IKE includes ISAKMP / Oakley and ISAKMP / SKEME. The key exchange unit 122 uses any one of them to exchange a so-called key exchange negotiation packet with the opposite gateway device 200 for tunneling. 710 is formed. Also, the key exchange unit 122 forms the tunnel 710 by appropriately referring to the data table 130 in which data such as a traffic selector is set in advance by the user.

  Further, the key exchange unit 122 exchanges a key exchange negotiation packet with the gateway device 200 in accordance with a tunnel deletion instruction from the resource controller 121 to delete the tunnel 710, and similarly in accordance with a tunnel re-formation instruction. Then, the key exchange negotiation packet is exchanged with the gateway device 200 to form the tunnel 710 again.

  The algorithm setting unit 123 gives an instruction to an encryption / decryption unit 144 (to be described later) so that the packet is encrypted according to the encryption algorithm specified by the resource controller 121. The encryption algorithm is, for example, AES, 3DES, or DES.

  The bandwidth setting unit 124 gives an instruction to the bandwidth control unit 143 to be described later so as to control packet transmission / reception according to the bandwidth (communication rate) designated by the resource controller 121. There is no particular limitation on the band other than the lowest compensation band set by the user.

  Each function of the encrypted communication management unit 120 can be realized by a microprocessor having an arithmetic processing function such as a CPU. In addition, a computer program representing each function of the encrypted communication management unit 120 may be stored in a storage medium such as a hard disk, and may be read and executed by an arithmetic processing unit such as a CPU.

  FIG. 8 is a diagram illustrating an example of the data table 130. The data table 130 is stored in a storage medium such as a hard disk or RAM.

  The “VPN tunnel name” is a unique tunnel identifier set by the user to identify the VPN tunnel. Here, for example, VoIP-tunnel or HTTP-tunnel is used. The “priority” is a priority set when the user issues a tunnel formation command from the communication terminal 300. This priority is used for the resource controller 121 to select one VPN tunnel to be subject to the setting change of the encryption algorithm and the band when a plurality of VPN tunnels are formed. The lower the value, the higher the priority.

  The “traffic selector” is information such as a source address, a destination address, an upper layer protocol, and a port number of a packet to be encrypted. In practice, this traffic selector is often held by middleware such as a Linux kernel network stack, for example, and is therefore held in the data table 130 in order to be uniquely associated therewith. Here, for example, 192.168.1.0/24→192.168.2.0: UDP.

  The “currently set encryption algorithm” is an encryption algorithm currently set for each VPN tunnel. “Available encryption algorithm” is an encryption algorithm applicable to each VPN tunnel. These are encryption algorithms such as AES, 3DES, and DES.

  The “minimum guaranteed bandwidth” is the lowest communication rate that the VPN tunnel wants to secure, and is set by the user for each VPN tunnel. Here, for example, 10 Mbps or 3 Mbps. The resource controller 121 does not perform setting that falls below the minimum guaranteed bandwidth when the bandwidth setting is changed. The “current band” is a band currently set for the VPN tunnel, and is a band set by the band setting unit 124 in a band control unit 143 described later.

  The communication unit 140 includes an interface A 141, an interface B 142, a bandwidth control unit 143, an encryption / decryption unit 144, and a relay unit 145.

  The interface A 141 is an interface that transmits and receives packets to and from the gateway device 200 via the tunnel 710 formed in the public network 700 shown in FIG. The interface B 142 is an interface that transmits and receives packets to and from the communication terminal 300 via the public network 500 shown in FIG.

  The bandwidth control unit 143 controls packet transmission / reception according to the bandwidth (communication rate) designated by the bandwidth setting unit 124.

  The encryption / decryption unit 144 performs encryption processing on the packet from the interface A 141 according to the encryption algorithm instructed by the algorithm setting unit 123. Further, the encryption / decryption unit 144 performs a decryption process on the packet from the interface B 142 according to the encryption algorithm instructed by the algorithm setting unit 123. The encryption algorithm is, for example, AES, 3DES, or DES. The encryption / decryption unit 144 reads out data representing these algorithms stored in the storage unit 160, for example, and performs encryption processing. In the block diagram, for convenience of explanation, an encryption / decryption unit 144 and an arithmetic processing unit 150, which will be described later, are illustrated separately, but these blocks are functions within the same CPU.

  The relay unit 145 relays the encrypted packet generated by the encryption process by the encryption / decryption unit 144 via the interface A141 or the interface B142.

  Each function of the bandwidth control unit 143 and the encryption / decryption unit 144 can be realized by a microprocessor having an arithmetic processing function such as a CPU. The functions of the interface A 141, the interface B 142, and the relay unit 145 may be configured according to a general network interface specification. Note that the white arrows shown in FIG. 2 indicate the flow of packets.

  The arithmetic processing unit 150 is an arithmetic processing device such as a CPU that reads application data stored in the storage unit 160 and executes the application. In the block diagram, for convenience of explanation, the arithmetic processing unit 150 and the encryption / decryption unit 144 are shown separately, but these blocks are functions within the same CPU.

  The storage unit 160 is a storage medium such as a hard disk or a RAM that stores application data, encryption algorithm data, and other various data.

  In response to a notification instruction from the resource controller 121, the notification unit 170 notifies the user that a CPU resource cannot be secured unless a certain VPN tunnel is set to be equal to or lower than the minimum guaranteed bandwidth. The notification unit 170 may be a display, for example, and may notify the notification by text display on the screen, or may be a speaker, for example, to notify the notification by voice.

  FIG. 9 is a sequence diagram illustrating a generation processing sequence of the tunnel 710 by the gateway device 100.

  First, the resource monitoring unit 110 periodically monitors CPU resources to calculate a load average (step S101), and notifies the resource controller 121 of this (step S102). Specifically, the resource monitoring unit 110 monitors processing loads in the arithmetic processing unit 150 and the encryption / decryption unit 144. The resource controller 121 holds the load average from the resource monitoring unit 110 as the current processing load value (step S103).

  Next, the resource controller 121 acquires setting data from the data table 130 (step S104). This setting data may be set in advance by the user, or may be set by the user every time a VPN tunnel is formed. Next, the resource controller 121 issues a tunnel formation instruction to the key exchange unit 122 in response to a tunnel formation command from the communication terminal 300 (step S105). The resource controller 121 receives the tunnel formation command via the interface B.

  Next, the resource controller 121 uses the encryption algorithm and the band (communication rate) for performing the encryption process to the packet to be transmitted / received via the VPN tunnel formed by the key exchange unit 122 according to the instruction, the load prediction The determination is made with reference to the table (FIG. 3) and the data table 130 (step S106).

  At that time, the resource controller 121 may arbitrarily change the setting of either the encryption algorithm or the band, but from the viewpoint of performing encryption processing with a security level as high as possible and performing high-throughput communication, Among the setting changes in which the load average falls below the upper limit judgment value JT, it is desirable to select in order from a relatively high level encryption algorithm and a relatively high bandwidth.

  The key exchange unit 122 according to the tunnel formation command from the resource controller 121 starts so-called key exchange negotiation with the opposite gateway device 200 according to a key exchange protocol such as IKE or IKEv2 (step S107). In FIG. 9, the processing of the key exchange unit 122 is shown on the processing line of the resource controller 121. The key exchange unit 122 exchanges a negotiation packet with the gateway device 200 (step S108), and forms the tunnel 710 after completion of the authentication process and the key exchange process (step S109).

  The resource controller 121 notifies the band setting unit 124 of the band determined in step S106 (step S110), and the band setting unit 124 instructs the band control unit 143 to transmit and receive packets in the band ( Step S111). The resource controller 121 stores the encryption algorithm and bandwidth determined in step S106 in the data table 130 (steps S112 and S113).

  Through the processing described above, the gateway device 100 forms a tunnel 710 with the gateway device 200.

  FIG. 10 is a sequence diagram showing an encryption algorithm and band resetting processing sequence for the tunnel 710 by the gateway device 100.

  First, the resource monitoring unit 110 periodically monitors CPU resources (processing loads in the arithmetic processing unit 150 and the encryption / decryption unit 144) to calculate a load average (step S201), and sends this to the resource controller 121. Notification is made (step S202). The resource controller 121 holds the load average from the resource monitoring unit 110 as the current processing load value (step S203).

  The resource controller 121 compares the load average with the upper limit determination value JT to determine whether it is necessary to reduce the processing load on the CPU (step S204). If the resource controller 121 determines that the load average exceeds the upper limit determination value JT, the resource controller 121 selects one VPN tunnel having a relatively low priority set in the data table 130 as a setting change target tunnel (step S1). S205). Note that when only one VPN tunnel is formed (when only one VPN tunnel is set in the data table 130), the selection is not performed.

  Next, the resource controller 121 refers to the load prediction table (FIG. 3) and the data table 130, and uses one cipher having a processing load relatively smaller than the encryption algorithm currently set for the setting change target tunnel. Select an algorithm. Subsequently, the resource controller 121 instructs the algorithm setting unit 123 to change the setting to the selected encryption algorithm and also instructs the key exchange unit 122 to form a new VPN tunnel (step S206).

  The key exchange unit 122 according to the tunnel formation command from the resource controller 121 starts so-called key exchange negotiation with the opposite gateway device 200 according to a key exchange protocol such as IKE or IKEv2 (step S207). In FIG. 10, the processing of the key exchange unit 122 is shown on the processing line of the resource controller 121. The key exchange unit 122 exchanges a negotiation packet with the gateway device 200 (step S208), and forms a new tunnel after completing the authentication process and the key exchange process (step S209).

  The key exchange unit 122 deletes the conventional tunnel 710 after performing the switching process from the conventional tunnel 710 to the new tunnel. Thereafter, the communication unit 130 exchanges packets with the gateway device 200 through this new tunnel. Thereby, the encryption algorithm can be set and changed while continuing communication via the VPN tunnel.

  Subsequently, the resource controller 121 acquires the current load average from the resource monitoring unit 110 (step S210), and compares the load average with the upper limit determination value JT to further reduce the processing load on the CPU. (Step S211). When the resource controller 121 determines that the load average exceeds the upper limit determination value JT, the resource controller 121 refers to the load prediction table (FIG. 3) and the data table 130, and exceeds the current bandwidth set in the data table 130. Determine low bandwidth. The resource controller 121 sets a band higher than the minimum guaranteed band set in the data table 130.

  The resource controller 121 notifies the band setting unit 124 of the band determined by the resource controller 121 (step S212), and the band setting unit 124 instructs the band control unit 143 to transmit and receive packets in the band. (Step S213). The resource controller 121 stores the encryption algorithm and bandwidth determined in step S106 in the data table 130 (steps S214 and S215).

  Through the processing described above, the gateway device 100 can reset the encryption algorithm and bandwidth for the tunnel 710 formed with the gateway device 200, reduce the processing load on the CPU, and secure CPU resources. .

  FIG. 11 is a flowchart showing a CPU load adjustment processing routine by the encrypted communication management unit 120. Hereinafter, the CPU load adjustment process will be described with reference to FIG. The processing routine can be configured by a computer program. For example, the program stored in a storage medium such as a hard disk may be read and executed by a microprocessor having an arithmetic processing function.

  The encrypted communication management unit 120 executes the routine every time it acquires the load average from the resource controller 121.

  First, the resource controller 121 holds the load average from the resource monitoring unit 110 as the current processing load value (step S301). The resource controller 121 determines whether or not the load average is smaller than the upper limit determination value JT (step S302). If the resource controller 121 determines that the load average is smaller than the upper limit determination value JT, that is, if it is determined that there is no need to reduce the processing load on the CPU, the routine is terminated.

  On the other hand, if the resource controller 121 determines that the load average is larger than the upper limit determination value JT, that is, if it is determined that it is necessary to reduce the processing load on the CPU, is there a plurality of VPN tunnels already formed? Whether or not is determined with reference to the data table 130 (step S303). When a plurality of VPN tunnel names are set in the data table 130, the resource controller 121 sets the VPN tunnel having a relatively low priority (usually the lowest) set in the data table 130 as a target of setting change. Select as a tunnel (step S304). On the other hand, when only one VPN tunnel name is set in the data table 130, the resource controller 121 sets the VPN tunnel as a setting change target tunnel and proceeds to the next step S305.

  The resource controller 121 refers to the data table 130 to determine whether or not the encryption algorithm setting can be changed for the setting change target tunnel (step S305). If only one usable encryption algorithm is set for the setting change target tunnel, the resource controller 121 determines that the setting of the encryption algorithm cannot be changed, and proceeds to step S306.

  On the other hand, when a plurality of usable encryption algorithms are set for the setting change target tunnel in the data table 130, the resource controller 121 determines that the setting can be changed and changes the setting of the encryption algorithm (step S307). ). At this time, the resource controller 121 may arbitrarily change the setting of any one of the encryption algorithms. However, from the viewpoint of performing encryption processing with the highest possible security level, the load average is the upper limit determination value. Of setting changes below JT, it is desirable to select an encryption algorithm with a relatively high level.

  Subsequently, the resource controller 121 acquires the current load average from the resource monitoring unit 110, and determines whether or not this load average is larger than the upper limit determination value JT (step S308). If the resource controller 121 determines that the load average is larger than the upper limit determination value JT, that is, if it is determined that the processing load on the CPU needs to be further reduced, the resource controller 121 changes the bandwidth (step S306). At this time, the resource controller 121 may change the setting of the bandwidth to an arbitrary value. However, from the viewpoint of performing high-throughput communication, among the setting changes in which the load average falls below the upper limit determination value JT, the relatively high bandwidth It is desirable to select in order.

  If the resource controller 121 determines that the set bandwidth has fallen below the minimum guaranteed bandwidth (step S309), the resource controller 121 resets the encryption algorithm and / or bandwidth again (steps S306 and S307). When the setting is performed again, the setting change target tunnels are set in order from the VPN tunnel with the lowest priority set in the data table 130. In other words, for example, the VPN tunnel having the second lowest priority is set as the setting change target tunnel at the first resetting time, and the VPN tunnel having the third lowest priority is set as the setting change target tunnel at the second resetting time. The same applies to subsequent resetting.

  On the other hand, if the set bandwidth is equal to or greater than the minimum guaranteed bandwidth, the resource controller 121 determines whether or not the load average is greater than the upper limit determination value JT (step S310). If the resource controller 121 determines that the load average is greater than the upper limit determination value JT, that is, if it is determined that the CPU processing load needs to be further reduced, whether or not there is another VPN tunnel that has already been formed. Is determined with reference to the data table 130 (step S311). If a VPN tunnel name different from the name of the tunnel whose setting has been changed in the processing up to step S310 is set in the data table 130, the resource controller 121 determines that the other tunnel exists, and again The process is executed from the process of step S301.

  On the other hand, if the resource controller 121 determines that no other tunnel exists, the resource controller 121 instructs the key exchange unit 122 to delete the VPN tunnel with the lowest priority set in the data table 130 (step S1). S312), the CPU load adjustment processing routine is terminated. The above-described example is an example in which the bandwidth is changed after changing the encryption algorithm setting. However, the flow may be such that the encryption algorithm is changed after the bandwidth setting is changed.

  As described above, according to the gateway device according to the present embodiment, not only the setting of the encryption algorithm type can be changed, but also the band (communication rate) can be changed, so that the CPU processing load can be reduced and adjusted in other stages. Is possible. In addition to the encryption algorithm, the bandwidth can be set and changed, so finer load reduction adjustment is possible. Furthermore, even when only the use of a single encryption algorithm is permitted, the processing load on the CPU can be reduced by adjusting the bandwidth. As described above, according to the gateway device according to the present embodiment, it is possible to secure an appropriate CPU resource when communicating the encrypted packet through the virtual dedicated communication path formed in the public network.

<Second embodiment>
The configuration of the gateway device 100 according to the present embodiment is the same as that of the first embodiment (shown in FIG. 2). Hereinafter, differences from the first embodiment will be mainly described.

  FIGS. 12A and 12B are diagrams schematically showing the processing load of the CPU executing the encryption process and the applications A and B as in FIG. 4 in the first embodiment. Currently, the CPU is performing encryption processing with a bandwidth of 80 Mbps using the encryption algorithm DES, and as shown in FIG. 12A, the current processing load value RA is below the lower limit judgment value JB. Here, it is assumed that the current processing load value RA = 70. Further, the lower limit judgment value JB = 75.

  The resource controller 121 determines that the current processing load value RA = 70 is lower than the lower limit determination value JB = 75, and refers to the load prediction table so that the load average does not exceed the upper limit determination value JT = 100. For example, the encryption algorithm is changed from the currently set DES to AES. That is, the resource controller 121 changes the encryption algorithm to AES, which has a relatively larger processing load than DES. In the load prediction table shown in FIG. 3, the load standard value of the encryption algorithm DES and the bandwidth of 80 Mbps is 20, and the load standard value of AES and 80 Mbps is 40. As a result, as shown in FIG. 12B, the encryption security level can be increased within a range where the current processing load value RA = 90 does not exceed the upper limit determination value JT = 100.

  Note that the resource controller 121 does not change the setting of the encryption algorithm as described above when only one encryption algorithm is set in the “available encryption algorithm” column of the data table 130 described later. .

  13A and 13B are diagrams schematically showing the processing load of the CPU executing the encryption process and the applications A and B, as in FIG. As shown in FIG. 13A, the current processing load value RA is below the lower limit judgment value JB. Here, it is assumed that the current processing load value RA = 70 and the lower limit determination value JB = 75.

  The resource controller 121 determines that the current processing load value RA = 70 is lower than the lower limit determination value JB = 75, and refers to the load prediction table so that the load average does not exceed the upper limit determination value JT = 100. For example, the bandwidth is changed from 60 Mbps to 100 Mbps. That is, the resource controller 121 increases the bandwidth. In the load prediction table shown in FIG. 3, the load standard value of the encryption algorithm DES and the bandwidth of 60 Mbps is 10, and the load standard value of DES and 100 Mbps is 30. As a result, as shown in FIG. 13B, the throughput can be increased in a range where the current processing load value RA = 90 does not exceed the upper limit determination value JT = 100.

  14A, 14B, and 14C are diagrams schematically showing the processing load of the CPU that is executing the encryption process and the applications A and B, as in FIG. As shown in FIG. 14A, the current processing load value RA is below the lower limit judgment value JB. Here, it is assumed that the current processing load value RA = 70 and the lower limit determination value JB = 75.

  The resource controller 121 determines that the current processing load value RA = 70 is lower than the lower limit determination value JB = 75, and refers to the load prediction table so that the load average does not exceed the upper limit determination value JT = 100. For example, the encryption algorithm is changed from the currently set DES to AES. That is, the resource controller 121 changes the encryption algorithm to AES that has a relatively smaller processing load than DES. As a result, as shown in FIG. 14B, although the load of the encryption process is reduced, for example, when the execution of the application B is finished, for example, the current processing load value RA = 70, and the lower limit judgment value JB is still obtained. = 75.

  In this case, the resource controller 121 determines that the current processing load value RA = 70 is lower than the lower limit determination value JB = 75, and refers to the load prediction table so that the load average does not exceed the upper limit determination value JT = 100. In the range, for example, the bandwidth is changed from 80 Mbps to 100 Mbps. As a result, as shown in FIG. 14C, it is possible to increase the security level and throughput of encryption within a range where the current processing load value RA = 90 does not exceed the upper limit determination value JT = 100. The above example is an example in which the bandwidth is changed after the encryption algorithm is changed, but the encryption algorithm may be changed after the bandwidth is changed.

  In the above example described with reference to FIGS. 12 to 14, the resource controller 121 may arbitrarily change the setting of either the encryption algorithm or the band, but performs an encryption process with the highest possible security level. From the viewpoint of performing high-throughput communication, it is desirable to select the encryption algorithm from a relatively high level and a relatively high band in order from among setting changes in which the load average falls below the upper limit determination value JT. For example, the encryption algorithm is in the order of AES, 3DES, and DES, and the bandwidth is in the order of, for example, 100 Mbps, 80 Mbps, and 60 Mbps.

  As in the above example described with reference to FIGS. 12 to 14, the resource controller 121 changes the setting of the encryption algorithm and / or bandwidth with reference to the load prediction table, and loads within a range not exceeding the upper limit determination value JT. The average (current processing load value RA) is increased. As a result, it is possible to increase the security level and throughput of encryption within a range that does not exceed the processing capability of the CPU.

  FIG. 15 is a sequence diagram showing an encryption algorithm and band resetting processing sequence for the tunnel 710 by the gateway device 100. Hereinafter, processing steps different from the reset processing sequence (shown in FIG. 10) in the first embodiment will be described.

  In step S404, the resource controller 121 compares the load average with the upper limit determination value JT to determine whether there is a margin in the CPU processing load. If the resource controller 121 determines that the load average is below the lower limit determination value JB, the resource controller 121 selects the VPN tunnel having a relatively high priority set in the data table 130 as a setting change target tunnel (step S1). S405). At this time, if there is a VPN tunnel whose current bandwidth is set to 0 Mbps in the data table 130, the resource controller 121 selects the VPN tunnel as a setting change target tunnel. Note that when only one VPN tunnel is formed (when only one VPN tunnel is set in the data table 130), the selection is not performed.

  Next, the resource controller 121 refers to the load prediction table (FIG. 3) and the data table 130, and uses one cipher having a processing load relatively larger than the encryption algorithm currently set for the setting change target tunnel. Select an algorithm. Subsequently, the resource controller 121 instructs the algorithm setting unit 123 to change the setting to the selected encryption algorithm and also instructs the key exchange unit 122 to form a new VPN tunnel (step S406). The processing in steps S407 to S410 is the same as that in the first embodiment.

  In step S411, the resource controller 121 compares the load average acquired from the resource monitoring unit 110 in step S410 with the lower limit determination value JB, and determines whether there is a further margin in the CPU processing load. When the resource controller 121 determines that the load average is lower than the lower limit determination value JB, the resource controller 121 refers to the load prediction table (FIG. 3) and the data table 130, and exceeds the current bandwidth set in the data table 130. Determine high bandwidth. The processing in steps S412 to S415 is the same as that in the first embodiment.

  Through the processing described above, the gateway device 100 can reset the encryption algorithm and bandwidth for the tunnel 710 formed between the gateway device 200 and the security level and communication throughput in the encryption processing can be improved.

  FIG. 16 is a flowchart showing a CPU load adjustment processing routine by the encrypted communication management unit 120. Hereinafter, the CPU load adjustment process will be described with reference to FIG. The encrypted communication management unit 120 executes the routine every time it acquires the load average from the resource controller 121.

  First, the resource controller 121 holds the load average from the resource monitoring unit 110 as the current processing load value (step S501). The resource controller 121 determines whether or not the load average is larger than the lower limit determination value JB (step S502). When the resource controller 121 determines that the load average is larger than the lower limit determination value JB, that is, when it is determined that the CPU has no sufficient processing load, the resource controller 121 ends the routine.

  On the other hand, when the resource controller 121 determines that the load average is smaller than the lower limit determination value JB, that is, when it is determined that the CPU has a sufficient processing load, whether or not there are a plurality of VPN tunnels already formed. Is determined with reference to the data table 130 (step S503). When a plurality of VPN tunnel names are set in the data table 130, the resource controller 121 preferentially selects a VPN tunnel having a current bandwidth of 0 Mbps set in the data table 130 as a setting change target tunnel. (Step S504). If there is no VPN tunnel having a current bandwidth of 0 Mbps, a VPN tunnel having a relatively low priority (usually the lowest) set in the data table 130 is selected as a setting change target tunnel (step S504). On the other hand, when only one VPN tunnel name is set in the data table 130, the resource controller 121 sets the VPN tunnel as a setting change target tunnel and proceeds to the next step S505.

  The resource controller 121 refers to the data table 130 to determine whether or not the encryption algorithm setting can be changed for the setting change target tunnel (step S505). When only one usable encryption algorithm is set for the setting change target tunnel, the resource controller 121 determines that the setting of the encryption algorithm cannot be changed, and proceeds to step S506.

  On the other hand, when a plurality of usable encryption algorithms are set for the setting change target tunnel in the data table 130, the resource controller 121 determines that the setting can be changed and changes the setting of the encryption algorithm (step S507). ). At this time, the resource controller 121 may arbitrarily change the setting of any one of the encryption algorithms. However, from the viewpoint of performing encryption processing with the highest possible security level, the load average is the upper limit determination value. Of setting changes below JT, it is desirable to select an encryption algorithm with a relatively high level.

  Subsequently, the resource controller 121 acquires the current load average from the resource monitoring unit 110, and determines whether or not the load average is smaller than the lower limit determination value JB (step S508). If the resource controller 121 determines that the load average is smaller than the lower limit determination value JB, that is, if it is determined that there is more room in the CPU processing load, the resource controller 121 changes the bandwidth (step S506). At this time, the resource controller 121 may change the setting of the bandwidth to an arbitrary value. However, from the viewpoint of performing high-throughput communication, among the setting changes in which the load average falls below the upper limit determination value JT, the relatively high bandwidth It is desirable to select in order.

  If the resource controller 121 determines that the load average has exceeded the upper limit determination value JT (step S509), the resource controller 121 resets the encryption algorithm and / or bandwidth (steps S506 and S507). When the setting is performed again, the setting change target tunnels are set in order from the VPN tunnel with the highest priority set in the data table 130. That is, for example, the VPN tunnel having the second highest priority is set as a setting change target tunnel at the first resetting time, and the VPN tunnel having the third highest priority is set as the setting change target tunnel at the second resetting time. The same applies to subsequent resetting.

  On the other hand, when the load average is less than or equal to the upper limit determination value JT, the resource controller 121 determines whether or not the load average is smaller than the lower limit determination value JB (step S510). If the resource controller 121 determines that the load average is smaller than the lower limit determination value JB, that is, if the resource controller 121 determines that there is more room in the CPU processing load, whether or not there is another VPN tunnel that has already been formed. Is determined with reference to the data table 130 (step S511). When a VPN tunnel name different from the name of the tunnel whose setting is changed in the processing up to step S510 is set in the data table 130, the resource controller 121 determines that the other tunnel exists, and again The process is executed from the process of step S501.

  On the other hand, if the resource controller 121 determines that no other tunnel exists, the CPU load adjustment processing routine is terminated. The above-described example is an example in which the bandwidth is changed after changing the encryption algorithm setting. However, the flow may be such that the encryption algorithm is changed after the bandwidth setting is changed.

  As described above, according to the gateway device according to the present embodiment, not only the setting of the encryption algorithm type but also the setting of the bandwidth (communication rate) can be changed. The encryption security level can be improved and high throughput can be achieved. In addition to the encryption algorithm, the bandwidth can be set and changed, so that finer processing load adjustment is possible, and CPU resources can be utilized to the maximum. Furthermore, even when only the use of a single encryption algorithm is permitted, the CPU processing load can be adjusted by adjusting the bandwidth, and the CPU resources can be utilized more. Thus, CPU resources can be fully utilized while securing appropriate CPU resources when communicating encrypted packets via a virtual dedicated communication path formed in the public network.

100 Gateway Device 110 Resource Monitoring Unit 120 Encrypted Communication Management Unit 121 Resource Controller 122 Key Exchange Unit 123 Encryption / Decryption Algorithm Setting Unit 124 Bandwidth Setting Unit 130 Data Table 140 Communication Unit 141 Interface A
142 Interface B
143 Band control unit 144 Encryption / decryption unit 145 Relay unit 150 Operation processing unit 160 Storage unit 170 Notification unit 200 Gateway device 300, 400 Communication terminal 500, 600, 700 Communication network 710 Tunnel

Claims (19)

A tunnel forming unit that forms a tunnel in the communication network in response to a tunnel formation command from the communication terminal, and performs an encryption process on the packet issued from the communication terminal according to a currently set encryption algorithm, A gateway device including an encryption unit to obtain and a relay unit that relays the encrypted packet through the tunnel,
Algorithm storage means for storing at least one available encryption algorithm;
A load monitoring unit for monitoring a calculation process including the encryption process and calculating a current processing load value;
According to the result obtained by comparing the current processing load value and the setting determination value, one of the available encryption algorithms is selected and set as the currently set encryption algorithm and the encryption And a control unit that sets a packet communication rate.   When the control unit determines that the current processing load value exceeds the upper limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively low encryption processing load. The gateway apparatus according to claim 1, wherein this is set as the currently set encryption algorithm.   The gateway device according to claim 1, wherein the control unit reduces the communication rate when it is determined that the current processing load value exceeds an upper limit determination value that is the setting determination value.   When the control unit determines that the current processing load value exceeds the upper limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively low encryption processing load. The gateway apparatus according to claim 1, wherein the gateway apparatus sets the currently set encryption algorithm and reduces the communication rate.   When the control unit determines that the current processing load value is lower than the lower limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively large encryption processing load. The gateway apparatus according to claim 1, wherein this is set as the currently set encryption algorithm.   The gateway device according to claim 1, wherein the control unit increases the communication rate when it is determined that the current processing load value is below a lower limit determination value that is the setting determination value.   When the control unit determines that the current processing load value is lower than the lower limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively large encryption processing load. The gateway apparatus according to claim 1, wherein this is set as the currently set encryption algorithm and the communication rate is increased.   The tunnel forming unit deletes the tunnel according to a determination result by the control unit that the current processing load value does not fall below an upper limit determination value even if the current setting encryption algorithm and the communication rate are changed. The gateway apparatus according to claim 1, further comprising tunnel deletion means.   The tunnel forming unit further includes a tunnel re-forming unit for re-forming the deleted tunnel according to a determination result by the control unit that the current processing load value is lower than a re-forming determination value. The gateway device according to claim 8. A tunnel forming unit that forms a tunnel in the communication network for each tunnel formation command from at least one communication terminal; and a packet generated from the communication terminal is encrypted according to a currently set encryption algorithm for each tunnel. An encryption unit that obtains an encrypted packet and a relay unit that relays the encrypted packet via one of the tunnels corresponding to the tunnel formation command,
Algorithm storage means for storing at least one available encryption algorithm per tunnel;
A load monitoring unit for monitoring a calculation process including the encryption process and calculating a current processing load value;
According to the result obtained by comparing the current processing load value and the setting determination value, one of the available encryption algorithms is selected for each tunnel and set as the currently set encryption algorithm. And a control unit that sets a communication rate of the encrypted packet. A priority setting means for setting a priority for each tunnel;
The gateway device according to claim 10, wherein the control unit sets the currently set encryption algorithm and the communication rate for one of the tunnels having a relatively low priority.   When the control unit determines that the current processing load value exceeds the upper limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively low encryption processing load. The gateway apparatus according to claim 10 or 11, wherein this is set as the currently set encryption algorithm.   The gateway according to claim 10 or 11, wherein when the control unit determines that the current processing load value exceeds an upper limit determination value that is the setting determination value, the control unit decreases the communication rate. apparatus.   When the control unit determines that the current processing load value exceeds the upper limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively low encryption processing load. The gateway apparatus according to claim 10 or 11, wherein the gateway apparatus sets the currently set encryption algorithm and reduces the communication rate.   When the control unit determines that the current processing load value is lower than the lower limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively large encryption processing load. The gateway apparatus according to claim 10 or 11, wherein this is set as the currently set encryption algorithm.   The gateway according to claim 10 or 11, wherein the control unit increases the communication rate when it is determined that the current processing load value is lower than a lower limit determination value that is the setting determination value. apparatus.   When the control unit determines that the current processing load value is lower than the lower limit determination value that is the setting determination value, the control unit selects one of the available encryption algorithms that has a relatively large processing load. The gateway apparatus according to claim 10 or 11, wherein the gateway apparatus sets the currently set encryption algorithm and increases the communication rate.   The tunnel forming unit is configured to determine whether or not the current processing load value does not fall below an upper limit determination value even if the current setting encryption algorithm and the communication rate are changed. The gateway apparatus according to claim 11, further comprising a tunnel deleting unit that deletes 1 having a relatively low priority.   The tunnel forming unit further includes a tunnel re-forming unit for re-forming the deleted tunnel according to a determination result by the control unit that the current processing load value is lower than a re-forming determination value. The gateway device according to claim 18.

Images