JP2017130801A - Communication device, and control method and program for communication device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication device capable of communicating with other communication device simply with a desired security level.SOLUTION: A communication device transmitting a packet to other communication device has: retrieval means for retrieving a security policy SP for use in encryption or authentication of the packet from a security policy database, on the basis of multiple IP addresses owned by the communication device and multiple IP addresses owned by the other communication device; selection means for selecting a SP of highest security level; generation means for generating a packet by using the IP address of the communication device and IP addresses of the other communication device, indicated in the SP selected by the selection means; and transmission means for transmitting the packet, generated by the generation means, to the other communication device.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a communication device, a communication device control method, and a program.

In recent years, there is an increasing need for ensuring security in data transmission / reception via a network. IPsec is a protocol that ensures the security of data flowing on an IP network, and can ensure data confidentiality, data integrity, and source authentication in units of IP packets. IPsec is an abbreviation for Security Architecture for Internet Protocol. IPsec is defined in RFC2401 and the like. RFC is an abbreviation for Request For Comments.
When transmitting an IP packet, a cryptographic communication apparatus that performs cryptographic communication using IPsec searches for an SPD and identifies an SP by an IP address, a communication protocol, or the like. SPD is an abbreviation for Security Policy Database, and SP is an abbreviation for Security Policy. The cryptographic communication apparatus identifies SA (Security Association) required for IPsec processing based on the identified SP policy (setting contents). Then, the encryption communication device transmits the packet after performing encryption / authentication processing using the specified SA.

Further, when receiving an IP packet, the cryptographic communication apparatus searches for SAD (Security Association Database) from the header information of the IPsec packet to identify the SA. Then, the encryption communication device performs encryption (decryption) / authentication processing using the specified SA. Thereafter, the encryption communication device searches the SPD by the IP address or communication protocol of the IP packet obtained as a result of the encryption (decryption) / authentication process, identifies the SP, and performs the reception process according to the policy specified by the SP. Do.
As a method for establishing the SA, there is a manual key setting method for manually setting various SA information on the transmission side and the reception side. The manual key setting method is sometimes referred to as a manual key management method because key exchange is performed manually. As another method for establishing the SA, there is an automatic key exchange method using IKE (Internet Key Exchange Protocol). IKE is specified in particular in RFC 2407 to 2409.

Cryptographic algorithms and shared keys need to be exchanged prior to communication. Also, the shared key needs to be changed frequently in order to maintain the security level. If a manual key setting method (manual key management method) in which key exchange is performed manually is adopted, key exchange is frequently performed, and key exchange takes too much time. On the other hand, when the automatic key management method is adopted, even if the key exchange is frequently performed, the key exchange can be performed automatically.
The SP serving as a rule for applying IPsec communication is an encryption communication device (security communication device) regardless of whether the key management / key setting is automatically performed dynamically or manually performed statically. ) Is statically set by the user or application that manages it.

On the other hand, the cryptographic communication apparatus can hold a plurality of IP addresses. In particular, in IPv6, the cryptographic communication apparatus generally holds a plurality of IP addresses. A recommended rule that defines the priority order (priority) of which IP address should be selected as a source address and a destination address by a cryptographic communication apparatus holding a plurality of IP addresses is defined in RFC3484 and the like. ing. IPv6 is an abbreviation for Internet Protocol Version 6.
The above recommended rule is a rule unrelated to the SP rule. That is, the IP address is selected regardless of the SP rule. Therefore, depending on the SP setting, when the IP address that is the destination of the communication device and the IP address that is the transmission source of the communication device are different, the SP may not be applied. Also, an SP with a low security level (security strength) may be applied. That is, even when communication is performed between the same communication apparatuses, if the IP addresses to be used are different, there is a possibility that communication is performed using communication methods with different security levels.

Furthermore, these IP addresses can be dynamically allocated to communication devices by prefix distribution by DHCP or router. When an IP address is dynamically assigned, there is a possibility that an IP address that was not held at the time of SP determination is selected during communication. In such a case, unless an SP that takes IP address selection into consideration is set, communication is performed at an unintended security level. As described above, the SP requires complicated settings, and the user is required to have advanced knowledge. DHCP is an abbreviation for Dynamic Host Configuration Protocol.
An example of a technique for performing encrypted communication at a desired security level is disclosed in Patent Document 1. In Patent Document 1, when a server device that has received a request from a client device performs a communication performed by specifying an address that does not conform to the security and connection setting information, the server device requests another request from the client device using another address. .

JP 2008-312016 A

However, in the method described in Patent Document 1, it is necessary to deal with each of the server device that receives access and the client device that issues an access request. Therefore, it is required that each of the client device serving as the transmission side and the server device serving as the reception side has a predetermined function. In addition, there is a possibility that the initial request transmitted by the client device has a low security level, and there is a problem that the security level cannot be guaranteed for communication until a re-request is made.
In view of the above problems, an object of the present invention is to facilitate communication with another communication device at a desired security level.

  A communication apparatus according to an aspect of the present invention that achieves the above object is a communication apparatus that transmits a packet to another communication apparatus, and includes a plurality of IP addresses included in the communication apparatus and a plurality included in the other communication apparatus. Search means for searching for setting information used for packet encryption or authentication based on the IP address of the communication apparatus, the IP address of the communication apparatus indicated by the setting information searched by the search means and the other communication apparatus And generating means for generating a packet using the IP address and transmitting means for transmitting the packet generated by the generating means to the other communication device.

  According to the present invention, it is possible to easily communicate with another communication device at a desired security level.

The figure which shows the software structure of the encryption communication apparatus which concerns on embodiment of this invention. The figure which shows the apparatus structural example of the network which the encryption communication apparatus of FIG. 1 connects. The figure which shows the IPsec packet transmission processing flow of the encryption communication apparatus of FIG. The figure which shows the IP address determination processing flow of the encryption communication apparatus of FIG. The figure which shows the hardware constitutions of the encryption communication apparatus of FIG.

DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the accompanying drawings. The embodiment described below is an example as means for realizing the present invention, and should be appropriately modified or changed according to the configuration of the apparatus to which the present invention is applied and various conditions. The present invention is described below. It is not limited to.
Embodiment 1
(Configuration of encryption communication device)
An example of the configuration of the cryptographic communication apparatus 101 according to the first embodiment will be described with reference to FIG.
The cryptographic communication apparatus 101 includes a network interface unit 103, a network protocol processing unit 104, an application processing unit 105, an IKE processing unit 106, an IPsec processing unit 107, and an address management unit 108. The IPsec processing unit 107 includes an SP / SA table management unit 109, an IPsec protocol processing unit 110, and an encryption / authentication processing unit 111.
The network interface unit 103 is an interface unit between the cryptographic communication apparatus 101 and the network 102. The cryptographic communication device 101 is connected to the network 102 via the network interface unit 103 and can communicate with other communication devices (communication counterpart devices) connected to the network 102 by transmitting and receiving data packets.
The network protocol processing unit 104 processes network protocols such as TCP, UDP, and IP. TCP is an abbreviation for Transmission Control Protocol, and UDP is an abbreviation for User Datagram Protocol.

  When the cryptographic communication apparatus 101 receives a packet from another communication apparatus, the network protocol processing unit 104 performs MAC protocol processing and IP protocol processing on the packet received via the network interface unit 103. This packet is then subjected to IPsec reception processing by the IPsec processing unit 107. When the IPsec processing unit 107 completes the IPsec reception processing, the network protocol processing unit 104 again performs protocol processing such as TCP and UDP for the packet. Information relating to packet routing processing is stored in an address management table held by the address management unit 108. The cryptographic communication apparatus 101 sorts packets by referring to the address management table of the address management unit 108. Thereafter, the application processing unit 105 performs application processing on the packet. If the received packet is an IKE packet, the IKE processing unit 106 performs IKE processing.

  When the cryptographic communication device 101 transmits a packet to another communication device, the application processing unit 105 (or IKE processing unit 106) makes a transmission request to the network protocol processing unit 104. In response to the transmission request, the network protocol processing unit 104 performs protocol processing such as TCP, UDP, and IP. When performing the routing process, the application processing unit 105 (or the IKE processing unit 106) acquires an IP address and a MAC address by referring to the routing table and the neighborhood cache held by the address management unit 108. Thereafter, the cryptographic communication device 101 performs IPsec processing in the IPsec processing unit 107, performs IP protocol processing and MAC protocol processing in the network processing unit 104, and transmits the encrypted packet to another communication device through the network interface unit 103. Send.

  The IPsec protocol processing unit 110 performs IPsec protocol processing in packet transmission / reception, and performs IPsec protocol processing such as ESP and AH. In addition, the IPsec protocol processing unit 110 makes a search request for the SP registered in the SP / SA table management unit 109 in order to specify the policy of the transmission / reception packet. The IPsec protocol processing unit 110 also makes a search request for the SA registered in the SP / SA table management unit 109 in order to specify the SA required for the encryption / authentication process. The IPsec protocol processing unit 110 counts the expiration date based on the number of bytes, and updates the expiration date count. ESP is an abbreviation for Encapsulated Security Payload, and AH is an abbreviation for Authentication Header.

  The encryption / authentication processing unit 111 performs encryption / authentication processing based on the SA encryption algorithm, encryption key, authentication algorithm, authentication key, and the like. The SP / SA table management unit 109 performs SP, SA registration, update, deletion, and reference processing from the IKE processing unit. When the packet is transmitted, when the IPsec protocol processing unit 110 and the address management unit 108 make a SA search request and there is no corresponding SA, the SP / SA table management unit 109 sends an SA to the IKE processing unit 106. Notification of negotiations. Further, the SP / SA table management unit 109 detects the software expiration date and makes an SA negotiation request to the IKE processing unit 106. The SP / SA table management unit 109 also manages the SA expiration date when the specified time has elapsed.

  Each functional block shown in FIG. 1 is stored as a program in a storage unit such as a memory 522 (FIG. 5) described later, and is executed by the processor 521. Further, at least a part of the functional blocks shown in FIG. 1 may be realized by hardware. When realized by hardware, for example, a dedicated circuit may be automatically generated on the FPGA from a program for realizing each step by using a predetermined compiler. FPGA is an abbreviation for Field Programmable Gate Array. Further, a Gate Array circuit may be formed in the same manner as an FPGA and realized as hardware. Also, at least a part of the functional blocks shown in FIG. 1 may be realized by ASIC (Application Specific Integrated Circuit).

(Network device configuration)
With reference to FIG. 2, a device configuration example of the network 102 to which the cryptographic communication apparatus 101 is connected will be described. The cryptographic communication device 101 is connected to other devices via the network 102. In the example of FIG. 2, two links each including the first router 203 are formed. A second server device 202, a first router 203, and a second router 204 are connected to one of the two links. The encryption communication device 101 belongs to this link. In addition, the first router 203, the DNS server 205, the DHCP server 206, and the first server device 207 are connected to other links including the first router 203. DNS is an abbreviation for Domain Name System.

  The first router 203 and the second router 204 distribute prefix information for generating a global IP address with IPv6 stateless setting to devices in the link. Therefore, the IPv6 global IP address assigned by the first router 203 and the second router 204 is set in the cryptographic communication apparatus 101. In addition, all devices including the encryption communication device 101 automatically generate a link local address that can communicate only with devices in the link. Therefore, the IPv6 link local address assigned by automatic generation is set in the encryption communication apparatus 101. The DHCP server 206 distributes an IPv6 address and an IPv4 address to each device. Therefore, the IPv4 address and the IPv6 address assigned by the DHCP server 206 are set in the encryption communication apparatus 101.

The first router 203 operates as a relay agent when distributing an address to the link to which the cryptographic communication apparatus 101 belongs. The encryption communication apparatus 101 can manually set an IP address, and can assign an IP address by an input from a user interface (not shown). Therefore, the encryption communication apparatus 101 may be set with an IPv4 address and an IPv6 address that are manually specified (assigned).
The DNS server 205 is a database that manages the association between the host name and the IP address of each device, and returns the association information (information about which IP address corresponds) in response to an inquiry from each device. The cryptographic communication device 101, the first server device 207, and the second server device 202 can set SPs for security communication. In the cryptographic communication apparatus 101, the first server apparatus 207, and the second server apparatus 202, an application that performs IKE processing is operating, and automatically exchanges algorithms and keys used for encryption / authentication based on the set SP. To do.

(IPsec packet transmission processing)
Next, IPsec packet transmission processing of the encryption communication apparatus 101 will be described with reference to FIG.
In step S <b> 301, the application processing unit 105 performs packet transmission processing (application transmission processing) to the communication partner, and makes a transmission request to the network protocol processing unit 104. When the IKE processing unit 106 transmits an IKE packet, the IKE processing unit 106 makes a transmission request to the network protocol processing unit 104.
In step S <b> 302, the application processing unit 105 requests the address management unit 108 for IP address determination processing. The request for IP address determination processing to the address management unit 108 may be made by the network protocol processing unit 104 instead of the application processing unit 105.

Here, the IP address determination process (S302) of the address management unit 108 will be described with reference to FIG.
In step S401, the address management unit 108 determines whether the destination information is unicast. If the destination information is not unicast, that is, if the destination information is for multicast or IPv4 broadcast, the process proceeds to S410, and only the source address is determined. If the destination information is unicast, the process proceeds to S402.
In step S <b> 402, the address management unit 108 determines whether designation of destination information is not designation by an IP address but designation by a host name. If the host name is specified, the process proceeds to S403. Otherwise, the process proceeds to S404. That is, if the destination information is specified by an IP address, the process proceeds to S404.
In S404, the address management unit 108 determines whether the destination IP address is a global IP address. In the present embodiment, the IP address type (global IP address, link local address, and other addresses) is determined according to whether the IP address version is IPv6 or IPv4. In S404, if it is determined that the destination IP address is a global IP address, the process proceeds to S405, and the host name (domain name) is reversely acquired from the information designated as the DNS server or the local host. After acquiring the host name, the process proceeds to S403. If the destination IP address is not a global IP address, the process proceeds to S406.

The global IP address is an IP address uniquely assigned to a device connected to the Internet. The above “other addresses” include a loopback address and the like. The loopback address is an IP address indicating the device itself (encrypted communication device 101).
In S406, the address management unit 108 determines whether the destination IP address is a link local address. If the destination IP address is not a link local address, it is determined that the destination IP address is not suitable as a loopback address or a destination address, and the process proceeds to S409. In step S409, an address designated by the application or the like is selected. After S409, the process ends. If the destination IP address is a link local address, the process proceeds to S407.

  In step S407, the address management unit 108 acquires a MAC address corresponding to the destination IP address. When the version of the destination IP address is IPv4, the address management unit 108 refers to the ARP table held by the address management unit 108. When the version of the destination IP address is IPv6, the neighbor cache held by the address management unit 108 is referred to. When information is not held in the ARP table or the neighborhood cache, if the version of the destination address is IPv4, the MAC address resolution processing is performed by the ARP protocol. If the version of the destination address is IPv6, the MAC address resolution process is performed by neighbor search. ARP is an abbreviation for Address Resolution Protocol.

In S408, the address management unit 108 acquires the destination host IP address list by reverse lookup from the MAC address acquired in S407. When the IP address version is IPv4, the IP address list is acquired using the RARP protocol function, and when the IP address version is IPv6, the IP address list is acquired using the reverse neighbor search function. RARP is an abbreviation for Reverse Address Resolution Protocol.
In step S403, the address management unit 108 acquires a list of destination IP addresses from the host name. More specifically, an address list is acquired by making an inquiry to the DNS server and obtaining information set in the local host. After S403, the process proceeds to S410.
In the present embodiment, the list of destination IP addresses is acquired by the above-described flow (S402 to S408). However, any means and configuration may be adopted as long as the list of destination IP addresses can be acquired.

In addition, since the link local address cannot be obtained by inquiry to the DNS server when the destination information is the host name designation or the global IP address designation, the link local address may be obtained by the method shown in S407 and S408. When link local addresses are acquired as a list by the methods of S407 and S408, the processing load increases, but SPs set using link local addresses can also be searched as candidates for address selection.
However, considering the security level, since the security level when a global IP address is specified is generally set higher than the link local address, acquisition of the link local address list may be omitted. . By omitting the acquisition of the link local address list, the processing load can be reduced.

  In S410, the address management unit 108 acquires a list of source IP addresses that can be applied (selectable) when transmitting a packet to each IP address from the acquired list of IP addresses. The list of source IP addresses in S410 is acquired by searching the routing table held by the address management unit 108 (routing process). In the process of S410, not all IP addresses assigned to the cryptographic communication device 101 are acquired as a list of source IP addresses, but IP addresses that can be used as source addresses are listed according to the destination IP address. get. For example, when the destination IP address is an IPv6 global IP address, the IPv6 link local address is not selected as the source address.

In step S411, the address management unit 108 combines the IP addresses from the acquired list of destination IP addresses and the list of source IP addresses (creates an IP address pair). The SP is searched from the SP database (SPD) as a search key (search condition) by adding the upper protocol and the port number to this. This process is performed for all combinations (pairs) of IP addresses.
In S412, the address management unit 108 refers to the policy (setting contents) of the SP (hit) obtained by the search, and checks whether the security setting (setting to which IPsec is applied) is set for the SP. If security settings have not been made for all SPs, that is, if the setting is such that IPsec security (encryption and authentication) is not applied, the process proceeds to S413. Note that the case where the security setting is not performed is, for example, the case where BYPASS setting (normal processing without encryption or the like) is performed or the case where DISCARD setting (discard) is performed. In this embodiment, the SP policy (setting contents) is a policy for determining whether or not to apply IPsec, and can be referred to as encryption-related setting. In other words, in this embodiment, in S412, the encryption-related settings that can at least encrypt or authenticate the packet are selected (selected).

In step S413, the address management unit 108 selects a destination IP address and a source IP address according to an existing default address selection rule, and ends the process.
If it is determined in S412 that any one of the SPs has security settings, the process proceeds to S414.
In S414, the address management unit 108 selects the SP with the highest security level from the SPs obtained by the search. The SP having the highest security level can be selected by various methods. For example, when judging only whether or not IPsec is applied, all SPs that are set to apply IPsec are selected. This is because if the setting to apply IPsec is made, the packet can be at least encrypted or authenticated and transmitted to the communication partner apparatus.
When PROTECT is set in IPsec, there are cases where only encryption is enabled, only authentication is enabled, and encryption and authentication are enabled.

  Further, when determining the height (strength) of the security level (security strength), the security protocol set in the SP may be included in the determination criteria. For example, a security protocol such as AH or ESP that is set in a complicated manner is selected as the “SP with the highest security level”, or a security protocol that is enabled is set as “the SP with the highest security level”. It is possible to select as “ That is, the high security strength may be determined based on the number of security protocols to be applied, or the high security level can be determined including encryption and authentication methods. Note that there are cases where the encryption and authentication methods cannot be obtained simply by referring to the SP. In this case, it is necessary to determine the SA including the encryption / authentication method and key with the communication partner using IKE. Among the encryption / authentication methods obtained, the one with the highest security level is selected. Note that a rule for selecting a security policy with a high security level may be separately specified.

  In S415, the address management unit 108 determines whether there are a plurality of combinations of IP addresses corresponding to the SP selected in S414. If there are a plurality of combinations of IP addresses, the process proceeds to S417. When there are a plurality of IP address combinations, for example, when there are a plurality of IP address combinations that match the same SP, or when a SP is searched with a combination of different IP addresses, the security level is determined to be the same. This is a case where there are a plurality of SPs. In S415, if there are not a plurality of combinations of IP addresses, that is, if the combination of IP addresses is limited to one, the process proceeds to S416.

In S416, the address management unit 108 selects the destination IP address and the source IP address used when searching for the SP, and ends the process.
In S417, the address management unit 108 selects a combination of IP addresses having the highest priority (priority) from the combination of a plurality of destination IP addresses and transmission source IP addresses based on the default address selection rule, and performs processing. finish. In the above description, the SP is searched from the combination of the destination IP address and the source IP address. However, the destination IP address or the source IP address is fixed to one address, and the list of the other address is obtained to obtain the SP. You may make it search. For example, when the source IP address is fixed, if security communication by IPsec is applied, the manually set IP address must be selected, and the search key for searching the SP is manually set to the source IP address. Use addresses. By doing so, the SP search process can be made more efficient.

If the IP address is determined by the above procedure, the process returns to S303 in FIG.
In step S <b> 303, the network protocol processing unit 104 receives a data (packet) transmission request from the application processing unit 105. At this time, the application processing unit 105 makes a transmission request to the network protocol processing unit 104 using the IP address determined by the address management unit 108. The network protocol processing unit 104 performs TCP or UDP transport layer protocol processing and IP protocol processing specified by the application processing unit 105. Such processing of the network protocol processing unit 104 is referred to as network protocol processing 1 in this embodiment. The network protocol processing unit 104 sends the generated IP packet to the IPsec processing unit 107.
In this embodiment, the application processing unit 105 requests the address management unit 108 to determine an address, and notifies the network protocol processing unit 104 of the determined address. However, the present invention is not limited to such an embodiment. For example, the network protocol processing unit 104 instead of the application processing 105 may make a request for determining an address to the address management unit 108.

In S304, the IPsec processing unit 107 receives the IP packet to be transmitted. Then, the IPsec protocol processing unit 110 makes an SP search processing request to the SP / SA table management unit 109 (based on the packet information) from the packet information such as the IP address, transport layer protocol type, and port number of the IP packet. . Upon receipt of the SP search processing request, the SP / SA table management unit 109 searches whether the SP corresponding to the designated packet information is registered in the SPD, and notifies the IPsec protocol processing unit 110 of the search result. Thus, in the present embodiment, the SP is searched from the packet information.
The SP search process can be omitted by storing and using the SP information specified when the address management unit 108 determines the IP address.

The SP / SA table management unit 109 further searches the SA from the SA information and packet information associated with the SP. When the SA is not registered in the SP / SA table management unit 109, the SP / SA table management unit 109 notifies the IKE processing unit 106 that the SA is not registered, and negotiates the SA. When the SA is specified (acquired) by search or negotiation, the IPsec protocol processing unit 110 performs the ESP or AH IPsec protocol processing designated by the SA. The encryption / authentication processing unit 111 performs encryption and authentication processing in the IPsec protocol processing.
In step S305, the network protocol processing unit 104 receives the IPsec packet subjected to the IPsec processing by the IPsec processing unit 107, and performs IP protocol processing such as fragment processing and MAC header processing on the IPsec packet. In the present embodiment, this IP protocol processing or the like is referred to as network protocol processing 2. Thereafter, the network protocol processing unit 104 sends a packet transmission request to the network interface unit 103.

In step S <b> 306, the network interface unit 103 transmits a packet to the network 102 and ends the process. Through the above steps, the cryptographic communication apparatus 101 performs a packet transmission process using IPsec (secure packet).
An example of what IP address is selected by the cryptographic communication apparatus 101 in the device configuration example of the network 102 in FIG. As described above, the IPv6 global IP address assigned by the first router 203 and the second router 204 and the IPv6 link local address assigned by automatic generation are set in the cryptographic communication apparatus 101. Further, in the cryptographic communication apparatus 101, the IPv4 address and the IPv6 address assigned by the DHCP server 206 are set, or the IPv4 address and the IPv6 address assigned manually are set. Similarly, the IPv6 global IP address assigned by the first router 203 and the IPv6 link local address assigned by automatic generation are set in the first server device 207. Further, the IPv4 address and IPv6 address assigned by the DHCP server 206 are set in the first server device 207, or the IPv4 address and IPv6 address assigned manually are set.

In this situation, IPsec is applied only to communication using the IPv6 address manually assigned to the first server device 207 and the cryptographic communication device 101 as an SP for the cryptographic communication device 101 to communicate with the first server device 207. Suppose a policy is set. Assume that a policy that does not apply IPsec is set for communication using other addresses. At this time, it is assumed that the application designates the IPv6 address assigned by the DHCP server 206 to the first server device 207 as the destination information.
In this case, according to the flow shown in FIG. 4, first, the cryptographic communication device 101 acquires the host name of the first server device 207 from the DNS server 205 (S402), and acquires the IP address list from the host name ( S403). The SP is searched from the list of destination IP addresses and the source IP addresses that can be selected as a result of routing processing assigned to the cryptographic communication apparatus 101 (S411). Then, all the search results of SPs using combinations other than the IPv6 address combinations manually assigned to the first server device 207 and the cryptographic communication device 101 are hit with a policy that does not apply IPsec.

  On the other hand, an SP that hits using a manually assigned IPv6 address combination matches the policy to which IPsec is applied. Since one SP to which IPsec is applied is hit (S415: No), it is determined that the security strength of this SP is the highest, and the IP address used for this search is selected (S416). That is, the packet is generated using the IP address selected by this processing flow, not the IP address designated by the application as the destination information. As a result, communication to which IPsec is applied becomes possible.

As described above, in this embodiment, when the encryption communication apparatus 101 determines an IP address of a packet generated when communicating with another communication apparatus (communication partner apparatus), a destination that can communicate with the same communication partner apparatus. The SP is searched from the list of IP addresses and source IP addresses. Then, the policy with the strongest security strength is selected from the SPs obtained as a result of the search, and a packet is generated using the IP address used to identify the SP. In this way, a packet conforming to the SP is generated by determining the IP address based on the security strength of the SP and generating the packet. In other words, the SP is selected from the SPs obtained by the search based on the security strength, a packet is generated using the destination IP address and the source IP address that match the selected SP, and other communication is performed. Sending to the device.
In the present invention, the SP may be applied by any procedure as long as the SP can be applied using destination information that can communicate with the same communication partner as described above.

Also, in order to improve the efficiency of processing, the SP is searched using the IP address uniquely determined once before acquiring the IP address list, and if the policy has a security strength higher than the standard, the IP address The packet may be generated without acquiring the list. This makes it possible to efficiently generate packets while keeping the security level constant.
In other words, in the present invention, an SP (policy that can at least encrypt or authenticate a packet) having a security strength equal to or higher than a predetermined strength is selected, and a destination IP address and a source IP address that match the selected SP, A packet may be generated using and transmitted to the communication apparatus partner. Since a packet is generated and transmitted based on an SP having a security strength equal to or higher than a predetermined strength, it is possible to communicate with a communication partner device while maintaining a predetermined security level. An SP having a security strength equal to or higher than a predetermined strength is, for example, an SP in which at least one of encryption and authentication is enabled in the PROTECT setting. When there are a plurality of SPs having a security strength equal to or higher than a predetermined strength, an SP having a stronger security strength may be selected.
In the above-described embodiment, the policy having the highest security level (strength) is selected. However, the policy having the highest security level need not be selected as long as it can be transmitted by encrypting and authenticating the packet. Also good. For example, a policy having the second highest security level may be selected as long as it is a policy in which a packet can be transmitted after being encrypted or authenticated.

  According to the present embodiment, even if the cryptographic communication apparatus 101 holds a plurality of IP addresses and an SP that is unaware of this is set, when communicating with the same communication partner, security can be achieved without being conscious of the address. A strong policy can be applied. A policy with a high security strength is a policy with the highest security strength or a policy having a security strength higher than a predetermined strength. As a result, even if the IP address specified by the security administrator for the SP is different from the IP address used for communication, communication using the IP address based on the SP is possible. Even when a dynamically assigned IP address that does not correspond to an SP is preferentially used, communication with a security level can be maintained in communication with the other party to which the SP is set. Further, when a global IP address is designated as a transmission destination, the SP is not searched by a combination of IP addresses based on link local addresses, so that the IP address determination process can be performed efficiently.

FIG. 5 shows an example of the hardware configuration of the cryptographic communication apparatus 101. The encryption communication apparatus 101 includes a processor 521, a memory 522, a key management unit 523, an encryption / decryption device 524, a data path control unit 525, a MAC unit 526, and a PHY unit 527.
The processor 521 performs various protocol processes for data communication with the communication partner apparatus. The processor 521 also issues a data transmission instruction to the communication partner apparatus. Further, the processor 521 searches the memory 522 for various information necessary for data communication with the communication partner apparatus. The processor 521 may perform application processing such as data display and printing.

The memory 522 stores data used for application processing, various parameters used for data communication with a communication partner apparatus, programs for realizing various flowcharts, and the like. The memory 522 stores various information necessary for data communication with the communication partner device and data to be communicated. The key management unit 523 manages an encryption key used for data communication with the communication partner apparatus. The encryption key is stored in the memory 522, for example. The encryption / decryption device 524 uses the encryption key managed by the key management unit 523 to encrypt and decrypt data communicated with the communication partner device.
The data path control unit 525 controls data transfer between the memory 522 and the MAC unit 526. The MAC unit 526 performs protocol processing of the MAC layer corresponding to the lower sublayer of the data link layer (second layer) of the OSI reference model. The PHY unit 527 performs protocol processing and electrical signal processing of the PHY (physical) layer located in the first layer of the OSI reference model. The OSI reference model is a model established by the International Organization for Standardization, in which the communication functions that a computer should have are divided into a hierarchical structure. OSI is an abbreviation for Open System Interconnection.

A bus 528 connects various hardware in the cryptographic communication apparatus 101. The network 102 connects the encryption communication device 101 and a communication partner device. The network 102 may be wired or wireless.
The software configuration in FIG. 1 is realized by the processor 521 reading the program stored in the memory 522 in FIG. The plurality of software blocks shown in FIG. 1 may be configured as one software block, or one software block may be configured as a plurality of software blocks. Also, some or all of the software blocks in FIG. 1 may be configured as hardware.
In the above, the security communication by IPsec has been described, but the present invention can also be used when a protocol other than IPsec is used.

(Other embodiments)
The present invention supplies a program that realizes one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and one or more processors in the computer of the system or apparatus read and execute the program This process can be realized. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

  DESCRIPTION OF SYMBOLS 101 ... Encryption communication apparatus, 104 ... Network protocol processing part, 107 ... IPsec processing part, 108 ... Address management part

Claims (12)

A communication device that transmits a packet to another communication device,
Search means for searching for setting information used for packet encryption or authentication based on a plurality of IP addresses of the communication device and a plurality of IP addresses of the other communication devices;
Generating means for generating a packet using the IP address of the communication device indicated by the setting information searched by the search means and the IP address of the other communication device;
Transmitting means for transmitting the packet generated by the generating means to the other communication device;
A communication apparatus comprising:   The communication device according to claim 1, wherein the setting information is information for applying IPsec (Security Architecture for Internet Protocol). When a plurality of the setting information is searched by the search means, one of the plurality of setting information searched for based on a security strength of a packet generated based on the plurality of searched setting information. A selection means for selecting the setting information;
The generation unit generates a packet using an IP address of the communication device and an IP address of the other communication device indicated in the setting information selected by the selection unit. Or the communication apparatus of 2.   The communication apparatus according to claim 3, wherein the security strength is determined based on a number of security protocols to be applied.   The communication apparatus according to claim 3, wherein the security strength is determined based on an encryption or authentication scheme of an applied security protocol.   6. The communication apparatus according to claim 4, wherein the security protocol includes an Authentication Header and an Encapsulated Security Payload. An obtaining unit for obtaining a first list indicating an IP address included in the communication device and a second list indicating an IP address included in the other communication device;
The search unit searches for setting information used for packet encryption or authentication based on the first list and the second list acquired by the acquisition unit. The communication device according to any one of the above.   8. The communication apparatus according to claim 7, wherein the first list is a list of IP addresses obtained by routing processing from IP addresses of the other communication apparatuses.   The said acquisition means acquires the said 2nd list | wrist using a DNS (Domain Name System) server, when the said other communication apparatus is designated by the host name, The Claim 7 or 8 characterized by the above-mentioned. Communication device.   When the other communication device is designated by a global IP address, the acquisition unit acquires a host name from a DNS (Domain Name System) server, and uses the host name to obtain a list of IP addresses of the other communication devices. The communication device according to claim 7, wherein the communication device is acquired. A communication device control method for transmitting a packet to another communication device,
Retrieving setting information used for packet encryption or authentication based on a plurality of IP addresses possessed by the communication device and a plurality of IP addresses possessed by the other communication device;
Generating a packet using the IP address of the communication device and the IP address of the other communication device indicated in the retrieved setting information;
Transmitting the generated packet to the other communication device;
A control method characterized by comprising:   The program for functioning a computer as a communication apparatus of any one of Claim 1 to 10.

Images