JP2019057846A - Packet aggregation device, packet division device, packet communication system, program, packet generation device, packet generation method, and communication method - Google Patents

Abstract

To provide a packet aggregation device, a packet division device, a packet communication system, a program, a packet generation device, a packet generation method, and a communication method that reduce processing load and suppress deterioration of real-time performance.SOLUTION: The packet processing device includes: a receiver, a processor, and a transmitter. The receiver receives an individual packet. The processor generates an aggregated packet in which a plurality of individual packets received by the receiver is aggregated; and encrypts a range determined unencrypted among the generated aggregated packets. The transmitter transmits the aggregated packet encrypted by the processor.SELECTED DRAWING: Figure 9

Description

  Embodiments described herein relate generally to a packet aggregation device, a packet division device, a packet communication system, a program, a packet generation device, a packet generation method, and a communication method.

  In a client server model system or the like, a large number of accessions may occur from a client to a server. In such a case, the load on the network or server increases. In particular, when processing a large amount of small-sized packets, the processing load on the network interface of the server increases.

JP 2003-169092 A

  A problem to be solved by an embodiment of the present invention is a packet aggregation device, a packet division device, a packet communication system, a program, a packet generation device, a packet generation method, and a communication method, which reduce processing load and suppress deterioration in real time. Is to provide.

  The packet processing apparatus according to the embodiment includes a reception unit, a processing unit, and a transmission unit. The receiving unit receives individual packets. The processing unit generates an aggregate packet obtained by aggregating a plurality of individual packets received by the reception unit, and encrypts a range determined to be not encrypted among the generated aggregate packet. The transmission unit transmits the aggregated packet encrypted by the processing unit.

The block diagram which shows the principal part circuit structure of the communication system which concerns on 1st Embodiment and 2nd Embodiment, and the apparatus contained in the said communication system. The block diagram which shows the function structure which concerns on 1st Embodiment of the packet aggregation apparatus in FIG. The flowchart which shows an example of the process which concerns on 1st Embodiment-3rd Embodiment by the processor with which the packet aggregation apparatus in FIG. 1 is provided. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor with which the packet aggregation apparatus in FIG. 1 is provided. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor with which the packet aggregation apparatus in FIG. 1 is provided. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor with which the server apparatus in FIG. 1 is provided. The flowchart which shows an example of the process which concerns on 1st Embodiment and 2nd Embodiment by the processor with which the server apparatus in FIG. 1 is provided. The flowchart which shows an example of the process which concerns on 1st Embodiment-3rd Embodiment by the processor with which the server apparatus in FIG. 1 is provided. The figure for demonstrating an example of the aggregation packet which concerns on 1st Embodiment. The figure for demonstrating an example of the aggregation packet which concerns on 2nd Embodiment. The block diagram which shows the function structure which concerns on 3rd Embodiment of the packet aggregation apparatus in FIG. The flowchart which shows an example of the process which concerns on 3rd Embodiment by the processor with which the packet aggregation apparatus in FIG. 1 is provided. The flowchart which shows an example of the process which concerns on 3rd Embodiment by the processor with which the packet aggregation apparatus in FIG. 1 is provided. The figure for demonstrating an example of the aggregation packet which concerns on 3rd Embodiment. The sequence diagram which shows an example of the information flow of the communication system which concerns on 3rd Embodiment.

Hereinafter, communication systems according to some embodiments will be described with reference to the drawings.
[First Embodiment]
FIG. 1 is a block diagram illustrating an example of a main circuit configuration of components included in the communication system 1 and the communication system 1 according to the first embodiment. The communication system 1 includes a packet processing device 10, a server device 20, and a client device 30. As an example, the communication system 1 is a server client model system that performs communication between the server device 20 and the client device 30. Although FIG. 1 shows one packet processing device 10, one server device 20, and three client devices 30, the number is not limited to these numbers.

The packet processing device 10 and the client device 30 are connected to the network NW1. The network NW1 is typically a communication network including a LAN (local area network). The network NW1 is typically a communication network including a private network such as an intranet. The network NW1 may be a communication network including the Internet. The network NW1 may be a communication network including a WAN (wide area network).
The packet processing device 10 and the server device 20 are connected to the network NW2. The network NW2 is typically a communication network including the Internet. The network NW is 1, typically a communication network including a WAN. The network NW2 may be a communication network including a private network such as an intranet. The network NW2 may be a communication network including a LAN.
Each of the network NW1 and the network NW2 may be a communication network including a mobile phone network, a dedicated line, or another communication network.
Communication on the network NW1 and the network NW2 is performed by packet communication.

  The packet processing device 10 is, for example, a gateway or a router. The packet processing device 10 relays communication between the server device 20 and the client device 30. The packet processing device 10 has a function of aggregating a plurality of packets transmitted from the client device 30 or the like into one packet. A packet in which a plurality of packets are aggregated is hereinafter referred to as “aggregated packet”. Further, packets that are not aggregate packets are hereinafter referred to as “individual packets”. The packet processing device 10 has a function of dividing the aggregate packet transmitted from the server device 20 or the like into individual packets. Further, the packet processing device 10 has a function of encrypting the aggregated packet and a function of decrypting the encrypted aggregated packet. The packet processing device 10 includes a processor 11, a read-only memory (ROM) 12, a random-access memory (RAM) 13, an auxiliary storage device 14, a first communication interface (I / F) 15, and a second communication I / F. Includes F16. The packet processing device 10 is an example of a packet aggregation device. The packet processing device 10 is an example of a packet dividing device. The packet processing device 10 is an example of a packet generation device.

  The processor 11 corresponds to a central part of a computer that performs processing such as calculation and control necessary for the operation of the packet processing apparatus 10. The processor 11 controls each unit to implement various functions of the packet processing apparatus 10 based on a program such as system software, application software, or firmware stored in the ROM 12 or the auxiliary storage device 14. The processor 11 includes, for example, a central processing unit (CPU), a micro processing unit (MPU), a system on a chip (SoC), a digital signal processor (DSP), a graphics processing unit (GPU), an application specific integrated circuit (ASIC), PLD (programmable logic device) or FPGA (field-programmable gate array). Alternatively, the processor 11 is a combination of these. The processor 11 is an example of a processing unit. The processor 11 is an example of a first processing unit. The processor 11 is an example of a second processing unit. The processor 11 is an example of a generation unit. A computer having the processor 11 as a center is an example of the value of the processing unit. A computer having the processor 11 as a center is an example of a first processing unit. A computer having the processor 11 as a center is an example of a second processing unit. A computer having the processor 11 as a center is an example of a generation unit.

  The ROM 12 corresponds to a main storage device of a computer having the processor 11 as a center. The ROM 12 is a non-volatile memory used exclusively for reading data. The ROM 12 stores the above program. The ROM 12 stores data used for the processor 11 to perform various processes, various setting values, and the like.

  The RAM 13 corresponds to a main storage device of a computer having the processor 11 as a center. The RAM 13 is a memory used for reading and writing data. The RAM 13 is used as a so-called work area that stores data temporarily used when the processor 11 performs various processes.

  The auxiliary storage device 14 corresponds to an auxiliary storage device of a computer having the processor 11 as a center. The auxiliary storage device 14 is, for example, an EEPROM (electrically erasable programmable read-only memory), an HDD (hard disk drive), or an SSD (solid state drive). The auxiliary storage device 14 may store the above program. In addition, the auxiliary storage device 14 stores data used when the processor 11 performs various processes, data generated by the processes in the processor 11, various setting values, and the like.

  The program stored in the ROM 12 or the auxiliary storage device 14 includes a program for executing processing to be described later. As an example, the packet processing apparatus 10 is transferred to an administrator of the packet processing apparatus 10 or the like with the program stored in the ROM 12 or the auxiliary storage device 14. However, the packet processing apparatus 10 may be transferred to the administrator or the like in a state where the program is not stored in the ROM 12 or the auxiliary storage device 14. The packet processing apparatus 10 may be transferred to the administrator or the like in a state where a program different from the program is stored in the ROM 12 or the auxiliary storage device 14. A program for executing processing to be described later may be separately transferred to the administrator or the like, and written to the ROM 12 or the auxiliary storage device 14 under the operation of the administrator or a serviceman. Transfer of the program at this time can be realized, for example, by recording on a removable storage medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or by downloading via a network.

  The first communication I / F 15 is an interface for the packet processing apparatus 10 to communicate via the network NW1 or the like. The first communication I / F 15 is an example of a receiving unit that receives individual packets. The first communication I / F 15 is an example of a fourth communication unit that receives individual packets.

  The second communication I / F 16 is an interface for the packet processing apparatus 10 to communicate via the network NW2 or the like. The second communication I / F 16 is an example of a transmission unit that transmits aggregated packets. The second communication I / F 16 is an example of a first communication unit that transmits the aggregated packet to the packet dividing device. The second communication I / F 16 is an example of a second communication unit that receives the aggregated packet.

  The server device 20 communicates with a plurality of client devices 30. For example, the server device 20 performs various processes in response to a request transmitted from the client device 30. The server device 20 includes a processor 21, a ROM 22, a RAM 23, an auxiliary storage device 24, and a communication I / F 25. The server device 20 is an example of a packet aggregation device. The server device 20 is an example of a packet dividing device. The server device 20 is an example of a packet generation device.

  The processor 21 corresponds to a central part of a computer that performs processing such as computation and control necessary for the operation of the server device 20. The processor 21 controls each unit to realize various functions of the server device 20 based on a program such as system software, application software, or firmware stored in the ROM 22 or the auxiliary storage device 24. The processor 21 is, for example, a CPU, MPU, SoC, DSP, GPU, ASIC, PLD, or FPGA. Alternatively, the processor 21 is a combination of these. The processor 21 is an example of a processing unit. The processor 21 is an example of a first processing unit. The processor 21 is an example of a second processing unit. The processor 21 is an example of a generation unit. A computer having the processor 21 as a center is an example of the value of the processing unit. A computer having the processor 21 as a center is an example of a first processing unit. A computer having the processor 21 as a center is an example of a second processing unit. A computer having the processor 21 as a center is an example of a generation unit.

  The ROM 22 corresponds to a main storage device of a computer having the processor 21 as a center. The ROM 22 is a non-volatile memory used exclusively for reading data. The ROM 22 stores the above program. The ROM 22 stores data used for the processor 21 to perform various processes, various setting values, and the like.

  The RAM 23 corresponds to a main storage device of a computer having the processor 21 as a center. The RAM 23 is a memory used for reading and writing data. The RAM 23 is used as a so-called work area that stores data temporarily used when the processor 21 performs various processes.

  The auxiliary storage device 24 corresponds to an auxiliary storage device of a computer having the processor 21 as a center. The auxiliary storage device 24 is, for example, an EEPROM, HDD, or SSD. The auxiliary storage device 24 may store the above program. Further, the auxiliary storage device 24 stores data used when the processor 21 performs various processes, data generated by the process in the processor 21, various setting values, and the like.

  The RAM 23 or the auxiliary storage device 24 includes a processing buffer and a server aggregation buffer. The processing buffer stores unprocessed packets. The server aggregation buffer stores unaggregated and untransmitted packets.

  The program stored in the ROM 22 or the auxiliary storage device 24 includes a program for executing processing to be described later. As an example, the server apparatus 20 is transferred to an administrator of the server apparatus 20 in a state where the program is stored in the ROM 22 or the auxiliary storage device 24. However, the server device 20 may be transferred to the administrator or the like in a state where the program is not stored in the ROM 22 or the auxiliary storage device 24. The server device 20 may be transferred to the administrator or the like in a state where a program different from the program is stored in the ROM 22 or the auxiliary storage device 24. A program for executing processing to be described later may be separately transferred to the administrator or the like, and written into the ROM 22 or the auxiliary storage device 24 under the operation of the administrator or a serviceman. Transfer of the program at this time can be realized, for example, by recording on a removable storage medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or by downloading via a network.

  The communication I / F 25 is an interface for the server apparatus 20 to communicate via the network NW2 or the like. The communication I / F 25 is an example of a first communication unit that transmits the aggregated packet to the packet dividing device. The communication I / F 25 is an example of a second communication unit that receives an aggregate packet.

  The client device 30 is, for example, a station service device such as an automatic ticket vending machine, an automatic checkout machine or an automatic ticket gate, an information device such as a PC (personal computer), a server or a smart phone, or various IoT (internet of things) devices. is there. The client device 30 includes a processor 31, a ROM 32, a RAM 33, an auxiliary storage device 34, and a communication I / F 35.

  The processor 31 corresponds to a central part of a computer that performs processing such as calculation and control necessary for the operation of the client device 30. The processor 31 controls each unit to realize various functions of the client device 30 based on a program such as system software, application software, or firmware stored in the ROM 32 or the auxiliary storage device 34. The processor 31 is, for example, a CPU, MPU, SoC, DSP, GPU, ASIC, PLD, or FPGA. Alternatively, the processor 31 is a combination of these.

  The ROM 32 corresponds to a main storage device of a computer having the processor 31 as a center. The ROM 32 is a non-volatile memory used exclusively for reading data. The ROM 32 stores the above program. The ROM 32 stores data used for the processor 31 to perform various processes, various setting values, and the like.

  The RAM 33 corresponds to a main storage device of a computer having the processor 31 as a center. The RAM 33 is a memory used for reading and writing data. The RAM 33 is used as a so-called work area that stores data temporarily used when the processor 31 performs various processes.

  The auxiliary storage device 34 corresponds to an auxiliary storage device of a computer having the processor 31 as a center. The auxiliary storage device 34 is, for example, an EEPROM, HDD, or SSD. The auxiliary storage device 34 may store the above program. In addition, the auxiliary storage device 34 stores data used when the processor 31 performs various processes, data generated by the process in the processor 31, various setting values, and the like.

  The communication I / F 35 is an interface for the client device 30 to communicate via the network NW1 or the like. The communication I / F 35 is an example of a third communication unit that transmits individual packets to the packet aggregation device.

  The packet processing apparatus 10 will be further described with reference to FIG. FIG. 2 is a block diagram illustrating a functional configuration of the packet processing device 10. 2 that are the same as those in FIG. 1 are denoted by the same reference numerals. The packet processing device 10 includes a first receiving unit 101, an aggregation buffer 102, a cycle management unit 103, a combining unit 104, a range selecting unit 105, an encrypting unit 106, a first transmitting unit 107, a second receiving unit 108, and a decrypting unit 109. The dividing unit 110 and the second transmitting unit 111 are included.

  The first receiving unit 101 receives an individual packet transmitted from the client device 30 or the like. For example, the first communication I / F 15 functions as the first reception unit 101.

  The aggregation buffer 102 stores the individual packets received by the first reception unit 101. For example, the RAM 13 or the auxiliary storage device 14 functions as the aggregation buffer 102.

  The cycle management unit 103 extracts individual packets from the aggregation buffer 102 at regular intervals. For example, the processor 11 functions as the cycle management unit 103.

  The combining unit 104 combines and aggregates a plurality of individual packets extracted by the cycle management unit 103. The combining unit 104 generates an aggregate packet. For example, the processor 11 functions as the coupling unit 104.

  The range selection unit 105 determines and selects a range to be encrypted in the aggregated packet. For example, the processor 11 functions as the range selection unit 105.

  The encryption unit 106 encrypts the aggregated packet. The encryption unit 106 generates a MAC (message authentication code) value of the aggregate packet together with the encryption of the aggregate packet. The MAC value is used for verifying the integrity of the data of the aggregate packet such as falsification detection of the aggregate packet. For example, the processor 11 functions as the encryption unit 106. The MAC value is an example of a code for guaranteeing data integrity.

  The first transmission unit 107 transmits the aggregate packet generated by the cycle management unit 103, the range selection unit 105, the combining unit 104, and the encryption unit 106 to the server device 20 or the like. For example, the second communication I / F 16 functions as the first transmission unit 107.

  The second receiving unit 108 receives the aggregate packet from the server device 20 or the like. For example, the second communication I / F 16 functions as the second reception unit 108.

  The decrypting unit 109 decrypts the encrypted part of the aggregate packet received by the second receiving unit. Further, the decoding unit 109 verifies the integrity of the data using the MAC value included in the aggregated packet. Furthermore, the decoding unit 109 discards the aggregate packet when the integrity of the data cannot be guaranteed because the aggregate packet has been tampered with. For example, the processor 11 functions as the decoding unit 109.

  The dividing unit 110 divides the aggregated packet received by the second receiving unit into individual individual packets. For example, the processor 11 functions as the dividing unit 110.

  The second transmitting unit 111 transmits each individual packet divided by the dividing unit 110 to the client device 30 that is the destination of each individual packet. For example, the first communication I / F 15 functions as the second transmission unit 111.

  Hereinafter, operation | movement of the communication system 1 which concerns on 1st Embodiment is demonstrated based on FIGS. Note that the content of the processing in the following description of the operation is an example, and various processing that can obtain the same result can be used as appropriate. 3 to 5 are flowcharts of processing by the processor 11 of the packet processing apparatus 10. The processor 11 executes this processing based on a program stored in the ROM 12 or the auxiliary storage device 14. The processor 11 performs the processes shown in FIGS. 3 to 5 in parallel or in parallel. 6 to 8 are flowcharts of processing by the processor 21 of the server device 20. The processor 21 executes this processing based on a program stored in the ROM 22 or the auxiliary storage device 24. The processor 21 processes the processes shown in FIGS. 6 to 8 in parallel or in parallel. Unless otherwise specified, the processor 11 and the processor 21 proceed to step S (m + 1) after the process of step S (m) (m is a natural number).

Each of the plurality of client devices 30 transmits data destined for the server device 20. The data is transmitted as an individual packet. The individual packet is received by the packet processing apparatus 10 via the network NW1.
In step S <b> 1 of FIG. 3, the processor 11 waits for an individual packet transmitted from the client device 30 to be received by the first communication I / F 15 (first receiving unit 101). If the individual packet is received, the processor 11 determines Yes in step S1, and proceeds to step S2.

In step S <b> 2, the processor 11 stores the individual packet received in step S <b> 1 in the aggregation buffer 102. The processor 11 returns to step S1 after step S2.
As described above, individual packets received by the first communication I / F 15 are accumulated and stored in the aggregation buffer 102 one after another.

  On the other hand, in step S11 of FIG. 4, the processor 11 (period management unit 103) of the packet processing device 10 resets the first timer. The first timer is a timer for measuring an elapsed time since the packet processing apparatus 10 transmitted the previous aggregated packet. The aggregated packet will be described later.

  In step S12, the processor 11 (cycle management unit 103) determines whether or not the time T1 has elapsed since the first timer was reset. Note that the time T1 is set in advance by, for example, an administrator of the packet processing apparatus 10 or the like. Alternatively, the time T1 may be determined in advance by the designer of the packet processing device 10 or the like. If the time T1 has not elapsed since the reset of the first timer, the processor 11 determines No in step S12 and proceeds to step S13.

  In step S <b> 13, the processor 11 determines whether or not the total data capacity of unsent individual packets stored in the aggregation buffer 102 is greater than or equal to the capacity D <b> 1. The capacity D1 is set in advance by, for example, an administrator of the packet processing apparatus 10 or the like. Alternatively, the capacity D1 may be determined in advance by a designer of the packet processing apparatus 10 or the like. The capacity D1 is, for example, an aggregate packet MTU (maximum transmission unit) generated by the packet processing device 10. If the total data capacity of the unsent individual packets stored in the aggregation buffer 102 is not equal to or larger than the capacity D1, the processor 11 determines No in step S13 and returns to step S12. Thus, the processor 11 continues to step S12 and step S1 until the time T1 has elapsed since the first timer was reset or the total data capacity of unsent individual packets stored in the aggregation buffer 102 is equal to or greater than the capacity D1. Repeat S13. That is, the process of step S14-step S22 is repeated for every fixed period by the process of step S12.

  If the time T1 has elapsed since the first timer was reset when the processor 11 is in the standby state of step S12 and step S13, the processor 11 determines Yes in step S12 and proceeds to step S14.

In step S <b> 14, the processor 11 (cycle management unit 103) determines whether an untransmitted individual packet is stored in the aggregation buffer 102. If an untransmitted individual packet is not stored in the aggregation buffer 102, the processor 11 determines No in step S14 and returns to step S11. That is, the processor 11 resets the first timer if an untransmitted individual packet is not stored in the aggregation buffer 102 even after the time T1 has elapsed since the previous aggregation packet was transmitted. On the other hand, if an untransmitted individual packet is stored in the aggregation buffer 102, the processor 11 determines Yes in step S14 and proceeds to step S15.
On the other hand, if the total data capacity of the unsent individual packets stored in the aggregation buffer 102 when the processor 11 is in the standby state in steps S12 and S13 is greater than or equal to the capacity D1, the processor 11 determines Yes in step S13. Determine and proceed to step S15.

  In step S <b> 15, the processor 11 (cycle management unit 103) extracts one untransmitted individual packet stored in the aggregation buffer 102. Here, when the processor 11 takes out the individual packet, the processor 11 knows that the individual packet stored in the aggregation buffer 102 has been transmitted. Alternatively, the processor 11 deletes the individual packet from the aggregation buffer. The individual packet is, for example, an individual packet stored first among unsent individual packets stored in the aggregation buffer 102. In step S15, the processor 11 (combining unit 104) generates an aggregate packet including the extracted packets. An example of the aggregate packet generated here will be described with reference to FIG. FIG. 9 is a diagram for explaining an example of the aggregate packet according to the first embodiment. FIG. 9 shows an aggregate packet in which n individual packets are aggregated, but only one individual packet is included in the aggregate packet generated in step S15. That is, n = 1. The aggregate packet with n = 1 does not include a plurality of individual packets, but is referred to as an aggregate packet for convenience. Note that n is a natural number of 1 or more.

As illustrated in FIG. 9, the processor 11 generates an aggregate packet (b1) by aggregating a plurality of individual packets (a1) and assigning headers to the plurality of individual packets (a1). Each individual packet (a1) is, for example, a payload. The aggregate packet in which n individual packets are aggregated includes an aggregate header, n individual headers, and n individual packets. n individual headers and n individual packets follow the aggregate header.
The aggregation header includes information regarding the entire aggregate packet, such as the number of individual packets included in the aggregate packet.
Each of the n individual headers is associated with each of the n individual packets on a one-to-one basis. That is, for example, the individual header k and the individual packet k are associated with each other. However, k is a natural number of n or less. Each individual header includes information about the associated individual packet, such as the size of the associated individual packet, so that the aggregated packet can be divided into individual individual packets. The aggregate packet (b1) is arranged in the order of individual header k, individual packet k, individual header k + 1, individual packet k + 1,. A set of associated individual headers and individual packets are arranged next to each other.
In step S15, since n = 1, the aggregate packet generated in step S15 includes the aggregate header, the individual header 1, and the individual packet 1.

  In step S <b> 16, the processor 11 (combining unit 104) determines whether or not unsent individual packets are stored in the aggregation buffer 102. If an untransmitted individual packet is stored in the aggregation buffer 102, the processor 11 determines Yes in step S16 and proceeds to step S17.

  In step S <b> 17, the processor 11 (combining unit 104) determines whether or not the data capacity of the aggregate packet when the next individual packet is combined with the aggregate packet is less than or equal to the maximum data capacity of the aggregate packet generated by the packet processing device 10. Determine. The next individual packet is an individual packet to be aggregated next. For example, the next individual packet is an individual packet stored first among unsent individual packets stored in the aggregation buffer 102. The maximum data capacity of the aggregate packet generated by the packet processing device 10 is determined in advance by, for example, an administrator or a designer of the packet processing device 10. Alternatively, the packet processing device 10 automatically determines the maximum data capacity of the aggregate packet generated by the packet processing device 10. The maximum data capacity of the aggregate packet generated by the packet processing device 10 may be an MTU such as the packet processing device 10. If the data capacity of the aggregate packet when the next individual packet is combined is equal to or less than the maximum data capacity of the aggregate packet, the processor 11 determines Yes in step S17 and proceeds to step S18.

  In step S18, the processor 11 (combining unit 104) extracts the next packet from the aggregation buffer 102, and combines the next packet with the aggregated packet. As a result, the number of individual packets included in the aggregated packet increases by one. Here, when the processor 11 takes out the individual packet, the processor 11 knows that the individual packet stored in the aggregation buffer 102 has been transmitted. Alternatively, the processor 11 deletes the individual packet from the aggregation buffer.

If an untransmitted individual packet is not stored in the aggregation buffer 102, the processor 11 determines No in step S16 and proceeds to step S19. On the other hand, if the data capacity of the aggregate packet when the next individual packet is combined exceeds the MTU of the packet processing device 10, the processor 11 determines No in step S17 and proceeds to step S19.
Thus, the processor 11 is in a state where unsent individual packets are not stored in the aggregation buffer 102 or until the data capacity of the aggregate packet when the next individual packet is combined exceeds the MTU of the packet processing device 10. Steps S16 to S18 are repeated. As a result, an aggregated packet in which (the number of times the process of step S18 has been performed + 1) individual packets is aggregated is generated.

In step S <b> 19, the processor 11 (range selection unit 105) determines a range to be encrypted for the aggregate packet generated by the processing in steps S <b> 15 to S <b> 18. The range to be encrypted is an unencrypted portion of the aggregate packet. The processing in step S19 is performed by the range selection unit 105.
Here, the individual packet may be encrypted or plain text. Therefore, if the encrypted individual packet is further encrypted, it is double-encrypted. When double encryption is performed, the time required for encryption and the time required for decryption become longer and the processing load becomes larger than when double encryption is not performed. For this reason, it is preferable that the processor 11 encrypts only the plain text of the individual packets. Further, the aggregate header and the individual header are given in step S15 or step S18 and are not encrypted. Therefore, it is preferable to encrypt the aggregate header and the individual header. The processor 11 can know whether or not each individual packet has been encrypted from, for example, information transmitted from the client device 30 that is a transmission source of the individual packet. If there is an individual packet for which it is not known whether or not it has been encrypted, the processor 11 regards the packet as being encrypted and does not encrypt it. Alternatively, if there is an individual packet for which it is not known whether or not the packet has been encrypted, the processor 11 regards the packet as not being encrypted and encrypts the packet. Alternatively, the processor 11 may determine a range including the aggregation header and the individual header and not including the individual packet as the encryption range without determining whether or not the individual packet has been encrypted. This is useful, for example, in the communication system 1 in which all individual packets are encrypted by the client device 30 or the like. Further, the processor 11 encrypts the entire aggregated packet including the encrypted individual packet when the ratio of the encrypted packet among the individual packets included in the aggregated packet is equal to or less than a predetermined ratio. May be used. If the percentage of encrypted individual packets in the aggregated packet is small, encrypting the entire aggregated packet may reduce the load compared to encrypting only the unencrypted part of the aggregated packet There is.
As described above, the processor 11 determines the aggregate header, the individual header, and the plaintext individual packet as the encryption range for the aggregate packet before encryption. FIG. 9 illustrates the case where the encrypted individual packet 1 and the plaintext individual packet 2 are included. Therefore, the range for encrypting the aggregate packet (b1) shown in FIG. 9 includes the aggregate header, the individual header, and the individual packet 2.

In step S20, the processor 11 (encryption unit 106) encrypts the range determined in step S19. It should be noted that the processor 11 does not need encryption except for the range to be encrypted, and copies it as shown in FIG. Further, the processor 11 calculates the MAC value together with encryption. The MAC value calculation range may be, for example, an encryption range or the entire aggregate packet. In addition, when the MAC value is assigned to some or all of the individual packets before aggregation, the processor 11 does not assign the MAC value to the individual packet, the aggregation header, and the individual as in the case of encryption. The MAC value may be calculated for the header.
The processor 11 uses, for example, AES (Advanced Encryption Standard) or other encryption for encryption. Further, the processor 11 uses, for example, a hash-based message authentication code (HMAC), a Galois Message Authentication Code (GMAC), or other MAC value calculation methods for calculating the MAC value. Further, when the encryption range and the MAC value calculation range are the same, the processor 11 may use CCM (Counter with CBC-MAC), GCM (Galois / Counter Mode), or other encryption modes with authentication. it can. By using the encryption mode with authentication, it can be expected that the security is improved and that the encryption and the calculation of the MAC value are efficient.
The common key used for encryption or the common key used for calculating the MAC value may be shared by exchanging keys at the time of establishing a communication session, for example, or may be shared in advance in the storage device of each node. You may save it and use that key. When performing key exchange, Diffie-Hellman key exchange or other key exchange methods are used.
It should be noted that the processor 11 may use the same encryption key for all the parts to be encrypted in the packet processing device 10 in one aggregated packet.
By performing the processing of step S19 and step S20, the range determined not to be encrypted among the aggregated packets is encrypted.

  From the above, when the encrypted individual packets are included in the aggregated individual packets, the encryption key used for the encryption and the encryption key used for the encrypted part in the packet processing device 10 are different. Become.

In step S21, the processor 11 (encryption unit 106) generates encryption information. Then, the processor 11 adds the generated encryption information to the aggregate packet.
The encryption information includes IV (initialization vector), TAG, and SIZE. IV is an initialization vector used for the encryption in step S19. TAG is the MAC value obtained in step S19. SIZE indicates the data size of the data range R that follows the encryption information. However, when the IV is exchanged by another method such as authentication, the processor 11 does not necessarily need to include the IV in the encryption information every time.
Through the processing in steps S19 to S21, as shown in FIG. 9, the encrypted aggregate packet (c1) is generated based on the aggregate packet (b1) before encryption.

  In step S22, the processor 11 sends the second communication I / F 16 (first transmission unit 107) to transmit the encrypted aggregated packet generated by the processing in steps S15 to S21 to the server device 20. Instruct. In response to this instruction, the second communication I / F 16 transmits the aggregated packet to the server device 20. The transmitted aggregated packet is received by the communication I / F 25 of the server device 20. The processor 11 returns to step S11 after the process of step S22.

  On the other hand, in step S101 of FIG. 6, the processor 21 of the server device 20 waits for an aggregate packet to be received by the communication I / F 25. If the aggregated packet is received, the processor 21 determines Yes in step S101 and proceeds to step S102.

In step S102, the processor 21 decodes the aggregate packet received in step S101.
In step S103, the processor 21 verifies the MAC value of the aggregate packet received in step S101. That is, the processor 21 calculates the MAC value of the aggregate packet and verifies whether or not it matches the MAC value included in the aggregate packet.
When the aggregate packet is encrypted in the encryption mode with authentication, the processor 21 performs step S102 and step S103 at the same time.

  In step S104, the processor 21 determines whether the integrity of the data of the aggregated packet is guaranteed. If the MAC values match in the verification of the MAC value in step S103, the processor 21 determines No in step S104 and proceeds to step S105.

  In step S105, the processor 21 divides the aggregated packet into individual packets based on information included in each header of the aggregated packet.

  In step S106, the processor 21 registers each individual packet divided in step S105 in the processing buffer. The processor 21 returns to step S101 after the process of step S106.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S103, the processor 21 determines Yes in step S104 and proceeds to step S107. For example, the MAC values do not match when the data has been rewritten, such as when the aggregate packet has been tampered with.
In step S107, the processor 21 discards the aggregate packet received in step S101.

  In step S108, the processor 21 requests the packet processing device 10 to retransmit the entire aggregated packet. The processor 21 returns to step S101 after the process of step S108.

  In step S111 in FIG. 7, the processor 21 determines whether or not an unprocessed packet is stored in the processing buffer. If an unprocessed packet is stored in the processing buffer, the processor 21 determines Yes in step S111 and proceeds to step S112. On the other hand, if an unprocessed packet is not stored in the processing buffer, the processor 21 determines No in step S111 and repeats step S111.

  In step S112, the processor 21 extracts one unprocessed packet from the processing buffer, and performs processing based on the unprocessed packet. When the processor 21 takes out the unprocessed packet, the processor 21 knows that the unprocessed packet stored in the processing buffer has been processed. Alternatively, the processor 21 deletes the unprocessed packet from the processing buffer. The unprocessed packet is, for example, an unprocessed packet stored first among the unprocessed packets stored in the processing buffer. The process here is the same as the process that the conventional server apparatus receives from the client apparatus 30 the individual packets that are not aggregated and performs the process based on the individual packets.

  In step S113, the processor 21 generates a response to be sent back to the client device 30 that is the transmission source of the individual packet extracted in step S112, as necessary, based on the processing content of step S112.

  In step S114, when the processor 21 generates a response in step S113, the processor 21 registers the response as a packet in the server aggregation buffer. The processor 21 returns to step S111 after the process of step S114.

  In step S121 of FIG. 8, the processor 21 resets the second timer. The second timer is a timer for measuring an elapsed time since the server device 20 transmitted the aggregate packet last time.

  In step S122, the processor 21 determines whether or not the time T2 or more has elapsed since the second timer was reset. The time T2 is set in advance by, for example, an administrator of the server device 20 or the like. Alternatively, the time T2 may be determined in advance by the designer of the server device 20 or the like. If the time T2 has not elapsed since the reset of the second timer, the processor 21 determines No in step S122 and proceeds to step S123.

  In step S123, the processor 21 determines whether or not the total data capacity of unsent individual packets stored in the server aggregation buffer is equal to or larger than the capacity D2. The capacity D2 is set in advance by, for example, an administrator of the server device 20 or the like. Alternatively, the capacity D2 may be determined in advance by the designer of the server device 20 or the like. The capacity D2 is, for example, the MTU of the aggregate packet generated by the server device 20. If the total data capacity of the unsent individual packets stored in the server aggregation buffer is not equal to or greater than the capacity D2, the processor 21 determines No in step S123 and returns to step S122. Thus, the processor 21 performs steps S122 and S122 until the time T2 has elapsed since the second timer was reset or the total data capacity of unsent individual packets stored in the server aggregation buffer becomes equal to or greater than the capacity D2. Repeat S123.

  When the time T2 has elapsed since the second timer was reset when the processor 21 is in the standby state of steps S122 and S123, the processor 21 determines Yes in step S122 and proceeds to step S124.

In step S124, the processor 21 determines whether or not an unsent individual packet is stored in the server aggregation buffer. If an unsent individual packet is not stored in the server aggregation buffer, the processor 21 determines No in step S124 and returns to step S121. That is, the processor 21 resets the second timer if an untransmitted individual packet is not stored in the server aggregation buffer even after time T2 has elapsed since the previous aggregation packet was transmitted. On the other hand, if an unsent individual packet is stored in the server aggregation buffer, the processor 21 determines Yes in step S124 and proceeds to step S125.
On the other hand, if the total data capacity of the unsent individual packets stored in the server aggregation buffer when the processor 21 is in the standby state in steps S122 and S123 is greater than or equal to the capacity D2, the processor 21 determines Yes in step S123. Determine and proceed to step S125.

  In step S125, the processor 21 extracts one unsent individual packet stored in the server aggregation buffer. Here, when the processor 21 takes out the individual packet, the processor 21 knows that the individual packet stored in the server aggregation buffer has been transmitted. Alternatively, the processor 21 deletes the individual packet from the server aggregation buffer. The individual packet is, for example, an individual packet stored first among unsent individual packets stored in the server aggregation buffer. The aggregated packet generated here is the same as that generated by the packet processing apparatus 10 in step S15 in FIG.

  In step S126 of FIG. 8, the processor 21 determines whether or not an unsent individual packet is stored in the server aggregation buffer. If an unsent individual packet is stored in the server aggregation buffer, the processor 21 determines Yes in step S126 and proceeds to step S127.

  In step S127, the processor 21 determines whether or not the data capacity of the aggregate packet when the next individual packet is combined with the aggregate packet is equal to or less than the maximum data capacity of the aggregate packet generated by the server device 20. The next individual packet is an individual packet to be aggregated next. For example, the next individual packet is an individual packet stored first among unsent individual packets stored in the server aggregation buffer. The maximum data capacity of the aggregate packet generated by the server device 20 is determined in advance by, for example, an administrator or a designer of the server device 20. Alternatively, the server device 20 automatically determines the maximum data capacity of the aggregate packet generated by the server device 20. The maximum data capacity of the aggregate packet generated by the server device 20 may be the MTU of the server device 20. If the data capacity of the aggregate packet when the next individual packet is combined is equal to or less than the maximum data capacity of the aggregate packet generated by the server device 20, the processor 21 determines Yes in step S127 and proceeds to step S128. move on.

  In step S128, the processor 21 extracts the next packet from the server aggregation buffer, and combines the next packet with the aggregation packet. As a result, the number of individual packets included in the aggregated packet increases by one. Here, when the processor 21 takes out the individual packet, the processor 21 knows that the individual packet stored in the server aggregation buffer has been transmitted. Alternatively, the processor 21 deletes the individual packet from the aggregation buffer.

If an untransmitted individual packet is not stored in the server aggregation buffer, the processor 21 determines No in step S126 and proceeds to step S129. On the other hand, if the data capacity of the aggregate packet when the next individual packet is combined exceeds the MTU of the server device 20, the processor 21 determines No in step S127 and proceeds to step S129.
Thus, the processor 21 continues until the unsent individual packet is not stored in the server aggregation buffer or the data capacity of the aggregate packet when the next individual packet is combined exceeds the MTU of the server device 20. S126 to step S128 are repeated. As a result, an aggregated packet in which (the number of times the process of step S128 has been performed + 1) individual packets is aggregated is generated.

  In step S129, the processor 21 determines a range to be encrypted for the aggregate packet created by the processing in steps S125 to S128. The processor 21 determines the encryption range in the same manner as the processor 11 of the packet processing apparatus 10 performs in step S19 of FIG.

In step S130 of FIG. 8, the processor 21 encrypts the range determined in step S129. The processor 21 performs encryption in the same manner as that performed by the processor 11 of the packet processing apparatus 10 in step S20 of FIG.
By performing the processing of step S129 and step S130, the range determined not to be encrypted among the aggregated packets is encrypted.

  In step S131 of FIG. 8, the processor 21 generates encryption information. Then, the processor 21 adds the generated encryption information to the aggregate packet. The processor 21 generates encryption information in the same manner as the processor 11 of the packet processing apparatus 10 performs in step S21 of FIG.

  In step S132 of FIG. 8, the processor 21 instructs the communication I / F 25 to transmit the aggregate packet created by the processing of steps S125 to S131 to the packet processing device 10. Upon receiving this instruction, the communication I / F 25 transmits the aggregated packet to the packet processing device 10. The transmitted aggregated packet is received by the second communication I / F 16 of the packet processing device 10. The processor 21 returns to step S121 after the process of step S132.

  On the other hand, in step S31 of FIG. 5, the processor 11 of the packet processing apparatus 10 waits for the aggregated packet to be received by the communication I / F 25 (second receiving unit 108). If the aggregate packet is received, the processor 11 determines Yes in step S31 and proceeds to step S32.

In step S32, the processor 11 (decoding unit 109) decodes the aggregated packet received in step S31.
In step S33, the processor 11 (decoding unit 109) verifies the MAC value of the aggregated packet received in step S31. That is, the processor 11 calculates the MAC value of the aggregate packet and verifies whether or not it matches the MAC value included in the aggregate packet.
When the aggregate packet is encrypted in the encryption mode with authentication, the processor 11 performs step S32 and step S33 at the same time.

  In step S34, the processor 11 (decoding unit 109) determines whether or not the integrity of the data of the aggregated packet is guaranteed. If the MAC values match in the verification of the MAC value in step S33, the processor 11 determines No in step S34 and proceeds to step S35.

  In step S35, the processor 11 (dividing unit 110) divides the aggregate packet into individual packets based on information included in each header of the aggregate packet.

  In step S36, the processor 11 sends the individual packets divided in step S35 to the first communication I / F 15 (second transmission unit 111) so as to transmit the individual packets to the client device 30 that is the destination of each individual packet. Instruct. In response to this instruction, the first communication I / F 15 transmits the individual packet to the client device 30 that is the destination of each individual packet. The processor 11 returns to step S31 after the process of step S36.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S33, the processor 11 determines Yes in step S34 and proceeds to step S37. For example, the MAC values do not match when the data has been rewritten, such as when the aggregate packet has been tampered with.
In step S37, the processor 11 discards the aggregate packet received in step S31.

  In step S38, the processor 11 requests the server device 20 to retransmit the aggregated packet. The processor 11 returns to step S31 after the process of step S38.

According to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 aggregate a plurality of individual packets. As a result, the load on the second communication I / F 16 of the packet communication device 10 and the communication I / F 25 of the server device 20 is reduced.
Further, according to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 encrypt the aggregated packet. Thereby, eavesdropping of header information or the like given to the aggregation protocol can be prevented. Moreover, according to the communication system 1 of 1st Embodiment, the packet communication apparatus 10 and the server apparatus 20 provide a MAC value to an aggregation packet. As a result, the integrity of the data of the aggregate packet can be verified.
Furthermore, according to the communication system 1 of the first embodiment, the packet communication device 10 and the server device 20 encrypt the aggregate packet except for the encrypted portion. For this reason, the packet communication device 10 and the server device 20 can reduce the time required for encryption and the time required for decryption compared to the case where the entire device is encrypted. Thereby, the real-time property of the exchange between the client device 30 and the server device 20 is improved.
As described above, the communication system 1 according to the first embodiment can prevent information leakage and detect data falsification with a minimum load by using an aggregate packet as shown in (c1) of FIG. It becomes. Also, by minimizing the time required for encryption and decryption, it is possible to prevent a decrease in real-time communication performance.

  When the client apparatus 30 is a station service apparatus, the request transmitted from the client apparatus 30 and the response transmitted from the server apparatus 20 have a small data amount and a large number of data transmission / reception times. In addition, in an automatic ticket gate or the like, a real-time property is particularly required. Furthermore, in the communication system 1 including the station service device as the client device 30, the communication content includes information related to money, personal information, and the like, and thus it is necessary to prevent tampering and wiretapping of transmitted data. From the above, when the client device 30 includes a station service device, the communication system 1 of the embodiment is particularly useful. The information transmitted by the automatic ticket gate includes, as an example, entrance station information, entry station information, entry time, entry time, IC card authentication information, amount information, or a plurality of these.

[Second Embodiment]
Since the configuration of the communication system 1 of the second embodiment is the same as that of the first embodiment, description thereof is omitted. In addition, the operations of the packet communication device 10 and the server device 20 of the communication system 1 of the second embodiment are the same as those of the first embodiment, and thus description thereof is omitted. However, in the second embodiment, the generated aggregate packet is different from that in the first embodiment. Hereinafter, the aggregate packet generated in the second embodiment will be described with reference to FIG. FIG. 10 is a diagram for explaining an example of the aggregated packet according to the second embodiment. In FIG. 10, the same elements as those in FIG. 2 of the first embodiment are denoted by the same reference numerals. Description of elements similar to those in FIG. 2 in FIG. 10 may be omitted.

  FIG. 10 illustrates a case where n individual packets including individual packets 1 and 3 that have been encrypted and individual packets 2 and 4 that are plaintext are aggregated. In the aggregate packet of the second embodiment, as shown in (b2), data is arranged in the order of an aggregate header, n individual headers, plaintext individual packets, and encrypted individual packets. That is, the aggregated packet (b2) is arranged such that after the non-encrypted parts are continued, the encrypted parts are continued. As described above, the unencrypted data is continuously arranged, so that the processor 11 and the processor 21 can encrypt the aggregate header, the n individual headers, and the plaintext individual packets at a time. Furthermore, since the encrypted data is continuously arranged, the processor 11 and the processor 21 can copy the encrypted individual packets at a time.

According to the communication system 1 of the second embodiment, the same effect as that of the first embodiment can be obtained.
Also, according to the communication system 1 of the second embodiment, when data to be encrypted is distributed depending on the encryption usage mode, such as CBC, it is necessary to pad a portion that is less than the block length with padding. May cause padding for each individual header. In particular, when the individual packet size is small, the ratio of padding to the entire aggregate packet increases, and the data size of the aggregate packet increases. Therefore, by increasing the data size of the aggregate packet by configuring the aggregate packet by collecting the data to be encrypted in one place in the aggregate packet as in the second embodiment. In addition, since encryption and decryption can be performed at once, an improvement in processing speed can be expected. Therefore, the communication system 1 of the second embodiment can improve the real-time property by using the aggregate packet as shown in (b2) and (c2) in FIG.

[Third Embodiment]
Since the configuration of the communication system 1 of the second embodiment is the same as that of the first embodiment, description thereof is omitted. However, the RAM 13 or the auxiliary storage device 14 of the second embodiment stores the retransmission list and the received list. The retransmission list is a list of individual packets for which the packet processing apparatus 10 requests retransmission. The retransmission list registers the individual packet by storing, for example, a sequence number associated with each individual packet that requests retransmission. The received list is a list of individual packets that have normally arrived at the packet processing apparatus 10. The received list registers the individual packet by storing, for example, a sequence number associated with each normally arrived individual packet. The sequence number is an example of an identifier uniquely assigned to each individual packet.
Further, the packet aggregation device of the third embodiment has a functional configuration as shown in FIG. 11 instead of FIG. FIG. 11 is a block diagram illustrating a functional configuration of the packet processing apparatus 10 according to the third embodiment. The packet processing apparatus 10 according to the third embodiment includes a first receiving unit 101, an aggregation buffer 102, a cycle management unit 103, a combining unit 104, a range selecting unit 105, a first transmitting unit 107, a second receiving unit 108, and a dividing unit. 110, a second transmission unit 111, a redundancy unit 121, an arrival management unit 122, a retransmission request unit 123, an encryption unit 124, and a decryption unit 125.

  The redundancy unit 121 has a function of replicating the aggregate packet passed from the combining unit 104 in order to transmit the encrypted aggregate packet a plurality of times. The redundancy unit 121 has a function of passing the aggregate packet to the first transmission unit 107 a plurality of times and requesting the transmission a plurality of times. For example, the processor 11 functions as the redundancy unit 121.

  The arrival management unit 122 has a function of managing the number of arrivals of a packet, and a function of determining whether to transmit an individual packet to the client device 30. The arrival management unit 122 manages the number of arrivals of the individual packet using an identifier such as a sequence number of the individual packet passed from the decoding unit 125. Then, when the individual packet arrives for the first time, the arrival management unit 122 calls the second transmission unit 111 and transmits the individual packet to the client device 30. On the other hand, the arrival management unit 122 discards the individual packet when the individual packet arrives for the second time or later. As a result, among the individual packets included in the aggregate packet transmitted a plurality of times, only the individual packet that arrives first can be transmitted to the client device 30. The arrival management unit 122 also has a function of detecting the loss of the individual packet from the identifier of the individual packet. That is, for example, when the sequence number is used as the identifier of the individual packet, the arrival management unit 122 determines that the individual packet corresponding to the skipped number is lost when the number of the sequence number is skipped. For example, if the sequence number of the arrived individual packet is 1, 2, or 4, the arrival management unit 122 determines that the individual packet with the sequence number 3 that has been lost has been lost. Then, for example, the arrival management unit 122 requests the retransmission request unit 123 to register the flying sequence number in the retransmission list. Then, when an individual packet having a flying sequence number arrives later, the arrival management unit 122 requests the retransmission request unit 123 to delete the flying sequence number from the retransmission list. For example, the processor 11 functions as the arrival management unit 122.

  The retransmission request unit 123 has a function of registering a retransmission request packet in the aggregation buffer 102. For example, the retransmission request unit 302 requests retransmission of all individual packets specified in the retransmission list at regular intervals. Alternatively, the retransmission request unit 123 may change the retransmission request interval for each individual packet registered in the retransmission list according to the number of times the retransmission request is transmitted. For example, the retransmission request unit 123 causes the retransmission request to be transmitted as soon as it is detected that the number of the arrived individual packet is skipped for the individual packet whose number of retransmission request packets is 0. Then, the retransmission request unit 123 increases the time until the next retransmission request is transmitted as the number of times the retransmission request is transmitted increases. Further, the retransmission request unit 123 may deregister the individual packet that does not arrive even if the retransmission request is sent a predetermined number of times in order to prevent the retransmission list from overflowing. Alternatively, every time the retransmission list is about to overflow, the retransmission request unit 123 may deregister individual packets registered in the retransmission list from the oldest registration. Alternatively, every time the retransmission list is about to overflow, the retransmission request unit 123 may deregister the individual packet with the lowest sequence number among the registered ones. For example, the processor 11 functions as the retransmission request unit 123.

  In addition, since the retransmission request is transmitted even when the packet with the latest sequence number is lost, the arrival management unit 122 periodically obtains the maximum sequence number of the transmitted individual packet from the server device 20. Then, the arrival management unit 122 determines whether or not the acquired sequence number is larger than the maximum sequence number of the individual packets that have arrived. Then, when the sequence number acquired from the server device 20 is larger, the arrival management unit 122 causes the maximum sequence number of the individual packets that have arrived + 1 to register the acquired sequence number in the retransmission list. Requests to the retransmission request unit 123.

  The retransmission request unit 123 may have a function of explicitly receiving a retransmission request packet from the server device 20. When receiving the retransmission request packet, the retransmission request unit 123 sets a flag so that the transmitted packet included in the aggregation buffer 102 is transmitted again. As a result, when the cycle management unit 103 extracts a packet to be transmitted from the aggregation buffer 102 to the server device 20, the cycle management unit 103 extracts a packet in which the flag is set. Therefore, the cycle management unit 103 can retransmit a packet in response to a request from the server device 20.

  The encryption unit 124 has a function of performing encryption of aggregated packets, assignment of a plurality of MAC values, and the like by a method described later, which is different from the first embodiment.

  The decoding unit 125 has a function of verifying data integrity for each of a plurality of MAC values included in the aggregate packet. In addition, the decryption unit 125 decrypts the encrypted part of the aggregate packet. The decoding unit 125 has a function of discarding the entire aggregate packet when tampering is detected in the aggregate header. Also, the decoding unit 125 discards the individual packet in which tampering is detected among the individual packets included in the aggregated packet. Then, the decoding unit 125 passes the individual packet for which tampering has not been detected to the arrival management unit 122.

  Hereinafter, the operation of the communication system 1 according to the third embodiment will be described with reference to FIGS. 12 and 13. Note that the content of the processing in the following description of the operation is an example, and various processing that can obtain the same result can be used as appropriate. 12 and 13 are flowcharts of processing by the processor 11 of the packet processing apparatus 10.

  In the third embodiment, the packet processing apparatus 10 generates and transmits an aggregate packet by the same processing as the processing shown in FIGS. 3 and 4 as in the first embodiment. Further, the server device 20 generates and transmits an aggregate packet by the same processing as the processing shown in FIGS. 7 and 8 as in the first embodiment. However, in the third embodiment, the generated aggregate packet is different from that in the first embodiment and the second embodiment. An aggregate packet generated in the third embodiment will be described with reference to FIG. FIG. 14 is a diagram for explaining an example of the aggregated packet according to the third embodiment.

FIG. 14 illustrates a case where n individual packets including the individual packet 1 that has been encrypted and the individual packet 2 that is plaintext are aggregated. The order of the aggregate header, individual header, and individual packet of the aggregate packet of the third embodiment is the same as that of the first embodiment as shown in (b3) and (c3), for example. That is, encryption is performed for each individual packet in units of individual packets.
However, the encrypted aggregate packet of the third embodiment (c3) includes a plurality of MAC values as encryption information. The processor 11 or the processor 21 calculates and assigns the plurality of MAC values in units in which it is desired to detect falsification in the aggregated packet. For example, the encrypted aggregate packet (c3) of the third embodiment includes, for example, IV, TAG, TAG0, TAG1, TAG2,... TAGn and SIZE as the encryption information.
TAGA is a MAC value for the entire aggregated packet.
TAG0 is the MAC value for the aggregate header.
TAGk (k is a natural number equal to or less than n) is a MAC value of a set of an individual header k and an individual packet k. Note that if the MAC value is already assigned to the individual packet k, TAGk may be the MAC value of the individual header k. That is, TAG1 to n are MAC values given in units of individual packets.
The MAC value is assigned in units.
Note that the processor 11 (encryption unit 124) or the processor 21 calculates and encrypts the MAC value in order to enable decryption of another individual packet when some of the individual packets included in the aggregate packet are tampered. It is preferable to perform the conversion in the same unit. Alternatively, the processor 11 (encryption unit 124) or the processor 21 can decrypt another individual packet when a part of the individual packet included in the aggregated packet is tampered. The cipher usage mode is used in which each block can be decrypted independently, and alteration of other blocks does not affect the decryption result. This is because if the entire aggregate packet is decrypted in a mode in which encryption is chained, such as the CBC mode, the alteration of the previous block affects the decryption result of the subsequent block. Further, the processor 11 (encryption unit 124) or the processor 21 identifies individual packets included in the aggregated packet, and in order to perform processing such as retransmission for each individual packet, a sequence number or the like is included in the individual header. Is preferably included. This sequence number is incremented without being reset for each aggregated packet. For example, if the first aggregated packet includes individual packets with sequence numbers 1, 2, and 3, the sequence number of the packet included in the second aggregated packet that is the next aggregated packet starts from 4. It will be.

  In the third embodiment, the packet processing device 10 and the server device 20 transmit the same aggregated packet a plurality of times in step S22 of FIG. 4 or step S132 of FIG. The number of transmissions is, for example, twice. Note that the packet processing device 10 and the server device 20 may transmit the same aggregate packet through different routes for each transmission when there are a plurality of routes from the transmission source to the transmission destination of the aggregate packet.

  In step S41 of FIG. 12, the processor 11 of the packet processing apparatus 10 waits for the aggregated packet to be received by the second communication I / F 16 (second reception unit 108). If the aggregate packet is received, the processor 11 determines Yes in step S41, and proceeds to step S42.

  In step S42, the processor 11 (decoding unit 125) verifies the TAGA that is the MAC value of the entire aggregated packet. That is, the processor 11 calculates the MAC value of the entire aggregate packet received in step S41, and verifies whether or not it matches the TAGA included in the aggregate packet.

  In step S43, the processor 11 (decoding unit 125) determines whether the integrity of the data of the entire aggregate packet received in step S41 is guaranteed. If the MAC values match in the verification of the MAC value in step S43, the processor 11 determines No in step S43 and proceeds to step S44.

  In step S44, the processor 11 (dividing unit 110) divides the aggregated packet received in step S41 into a set of individual headers and individual packets. Here, the group of the individual header and the individual packet is, for example, a group of the individual header 1 and the individual packet 1, a group of the individual header 2 and the individual packet 2, or a group of the individual header n and the individual packet n. It is.

  In step S45, the processor 11 (decoding unit 125) decodes each pair of the individual header and the individual packet divided in step S44.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S43, the processor 11 determines Yes in step S43 and proceeds to step S46. For example, when the data has been rewritten, such as when the aggregate packet received in step S41 has been tampered with, the MAC values (TAGA) do not match.
In step S46, the processor 11 (decoding unit 125) decodes the aggregate header.

  In step S47, the processor 11 (decoding unit 125) verifies the MAC value of the aggregate header. That is, the processor 11 calculates the MAC value of the aggregate header, and verifies whether or not it matches TAG0 included in the aggregate packet received in step S41.

  In step S48, the processor 11 (decoding unit 125) determines whether or not the integrity of the data of the aggregate header is guaranteed. If the MAC values match in the verification of the MAC value in step S47, the processor 11 determines No in step S48 and proceeds to step S49.

  In step S49, the processor 11 (dividing unit 110) divides the aggregate packet received in step S41 into a set of individual headers and individual packets.

  In step S50, the processor 11 (decoding unit 125) decodes each pair of the individual header and the individual packet divided in step S49.

  In step S51, the processor 11 (decoding unit 125) verifies the MAC value for each pair of the individual header and the individual packet. That is, the processor 11 calculates the MAC value for each pair of individual header and individual packet, and verifies whether or not the TAG for each corresponding pair of individual header and individual packet matches.

  In step S52, the processor 11 (decoding unit 125) discards the set of the individual header and the individual packet whose integrity of the aggregate header data is not guaranteed. That is, the processor 11 discards the pair of the individual header and the individual packet whose MAC values did not match in step S51. For example, when data is rewritten, such as when an individual header or an individual packet is falsified, the corresponding MAC values (TAG1 to TAGn) do not match.

The processor 11 proceeds to step S53 after the process of step S45 or step S52.
In step S53, the processor 11 (arrival management unit 122) discards the received individual packet among the individual packets decoded in step S45 or step S50.

  In step S54, the processor 11 (the retransmission request unit 123 and the arrival management unit 122) updates the retransmission list and the received list. That is, the processor 11 registers, in the received list, the sequence numbers of the individual packets that were not discarded in either step S52 or step S53 among the individual packets decoded in step S45 or step S50. In addition, when the same sequence number as the sequence number registered in the received list is registered in the retransmission list, the processor 11 deletes the sequence number from the retransmission list. Further, when the sequence number of the individual packet discarded in step S52 among the individual packets decoded in step S50 is not registered in the received list, the processor 11 registers the sequence number in the retransmission list. In addition, when there is a sequence number that is not registered in the retransmission list or the received list among the sequence numbers less than the maximum sequence number registered in the received list, the processor 11 retransmits the sequence number. Register to the list. In addition, the processor 11 may obtain the maximum sequence number of the transmitted individual packet from the server device 20. Then, when there is a sequence number that is not registered in the retransmission list or the received list among the sequence numbers equal to or less than the maximum sequence number acquired from the server device 20, the processor 11 stores the sequence number in the retransmission list. sign up.

  In step S55, the processor 11 (retransmission request unit 123) replaces the individual packets that were not discarded in either step S52 or step S53 among the individual packets decoded in step S45 or step S50 with the respective individual packets. The first communication I / F 15 (second transmission unit 111) is instructed to transmit to the destination client device 30. In response to this instruction, the first communication I / F 15 transmits each individual packet to the client device 30 that is the destination of each individual packet. The transmitted individual packets are received by the communication I / F 35 of the client device 30 that is the destination. The processor 11 returns to step S41 after the process of step S55.

On the other hand, if the MAC values do not match in the verification of the MAC value in step S43, the processor 11 determines Yes in step S48 and proceeds to step S56. For example, when the data is rewritten, for example, when the aggregation header is falsified, the MAC value (TAG0) does not match.
In step S56, the processor 11 (decoding unit 125) discards the aggregated packet received in step S41.

  In step S57, the processor 11 (the retransmission request unit 123 and the arrival management unit 122) updates the retransmission list. In other words, when the sequence number of the individual packet included in the aggregate packet discarded in step S56 is not registered in the received list, the processor 11 registers the sequence number in the retransmission list. Further, the processor 11 may acquire the maximum sequence number of the transmitted individual packet from the server device 20. Then, when there is a sequence number that is not registered in the retransmission list or the received list among the sequence numbers equal to or less than the maximum sequence number acquired from the server device 20, the processor 11 stores the sequence number in the retransmission list. sign up. The processor 11 returns to step S41 after the process of step S57.

  In step S61 of FIG. 13, the processor 11 resets the third timer. The third timer is a timer for measuring an elapsed time since the packet processing apparatus 10 registered the previous retransmission request packet in the aggregation buffer 102.

  In step S62, the processor 11 waits for the elapse of time T3 or more after resetting the third timer. Note that the time T3 is set in advance by, for example, an administrator of the packet processing apparatus 10 or the like. Alternatively, the time T3 may be determined in advance by the designer of the packet processing device 10 or the like. If the time T3 or more has elapsed after resetting the third timer, the processor 11 determines Yes in step S62 and proceeds to step S63.

In step S <b> 63, the processor 11 registers a retransmission request packet destined for the server device 20 in the aggregation buffer 102. The retransmission request packet includes, for example, a sequence number registered in the retransmission list. The processor 11 registers, for example, the retransmission request packet as an individual packet in the aggregation buffer 10. Therefore, the retransmission request packets are aggregated together with other individual packets registered in the aggregation buffer 10 and are included in the aggregate packet. Then, the retransmission request packet is transmitted to the server device 20 in a state of being included in the aggregate packet. The processor 11 returns to step S61 after the process of step S63.
On the other hand, the retransmission request packet is registered in the processing buffer by the processor 21 of the server device 20. Then, based on the retransmission request packet registered in the processing buffer in step S112 in FIG. 7, the processor 21 registers the individual packet specified by the sequence number included in the retransmission request packet in the server aggregation buffer. For example, when the individual packet is stored in the server aggregation buffer as a transmitted state, the processor 21 returns the individual packet to an untransmitted state. Alternatively, when the individual packet is not stored in the server aggregation buffer, the processor 21 stores the individual packet in the server aggregation buffer. Note that the processor 21 may select, as the next individual packet, the one with the smallest sequence number among the untransmitted individual packets stored in the server aggregation buffer.

  Also for the server apparatus 20, the processor 21 performs decoding, division, MAC verification, retransmission request, and the like of the aggregated packet by the same processing as the processing shown in FIGS. 12 and 13. Similarly to the server device 20, when the packet processing device 10 receives a retransmission request packet from the server device 20, the individual packet specified by the sequence number included in the retransmission request packet is transmitted to the server device 20. By performing the same processing as when the retransmission request packet is received, the packet is retransmitted to the server device 20.

  Communication performed by the processes of the packet processing apparatus 10 and the server apparatus 20 as described above will be described with reference to FIG. FIG. 15 is a sequence diagram illustrating an example of information flow of the communication system 1 according to the third embodiment.

  In step ST1, the server device 20 transmits the aggregated packet to the packet processing device 10. Note that the aggregated packet includes six individual packets with sequence numbers 1 to 6 as an example. Moreover, the server apparatus 20 shall transmit the said aggregation packet to the packet processing apparatus 10 twice as an example.

The packet processing device 10 receives the aggregate packet transmitted twice by the server device 20 in step ST1. Here, it is assumed that individual packets with sequence numbers 4 and 5 have been tampered with among the aggregated packets transmitted for the first time in step ST1. The packet processing apparatus 10 can detect this falsification by verifying the MAC value. Therefore, the packet processing apparatus 10 discards the individual packets with the sequence numbers 4 and 5 among the aggregated packets transmitted at the first time in step ST1. Further, it is assumed that the individual packets having the sequence numbers 3 and 5 have been tampered among the aggregated packets transmitted for the second time in step ST1. The packet processing apparatus 10 can detect this falsification by verifying the MAC value. Therefore, the packet processing apparatus 10 discards the individual packets having the sequence numbers 3 and 5 among the aggregated packets transmitted at the second time in step ST1.
The individual packets with the sequence numbers 1, 2 and 6 have not been falsified in any of the aggregate packets transmitted twice, and thus have arrived normally at the packet processing device 10. Since only one of the aggregated packets transmitted twice has been tampered with the individual packets with sequence numbers 3 and 4, the other has arrived normally at the packet processing device 10. However, the individual packet with the sequence number 5 is discarded in any one of the aggregated packets transmitted twice.

  In step ST <b> 2, the packet processing device 10 transmits the individual packets having the sequence numbers 1 to 4 and 6 that have arrived normally to the client device 30 that is the respective destination. Note that the client device 30 illustrated in FIG. 15 includes one or more client devices 30.

  In step ST <b> 3, the packet processing device 10 transmits a retransmission request to the server device 20 in order to request the server device 20 to retransmit the individual packet having the sequence number 5.

Receiving the retransmission request, the server device 20 generates an aggregate packet including the individual packet with the sequence number 5. At this time, it is assumed that an individual packet of sequence number 7 is registered in the server aggregation buffer. Accordingly, the server device 20 generates an aggregate packet including an individual packet with a sequence number of 7 in addition to an individual packet with a sequence number of 5.
In step ST4, the server device 20 transmits the generated aggregate packet to the packet processing device 10. In addition, the server apparatus 20 shall transmit the produced | generated said aggregation packet to the packet processing apparatus 10 twice as an example.

  The packet processing device 10 receives the aggregate packet transmitted twice by the server device 20 in step ST4. Here, it is assumed that the aggregate header of the aggregate packet transmitted for the first time in step ST4 has been falsified. The packet processing apparatus 10 can detect this falsification by verifying the MAC value. Therefore, the packet processing device 10 discards the aggregate packet transmitted for the first time in step ST1. Also, it is assumed that the aggregate packet transmitted for the second time in step ST4 has not been tampered with. Therefore, the individual headers with sequence numbers 5 and 7 have arrived normally at the packet processing device 10.

  In step ST5, the packet processing apparatus 10 transmits the individual packets with the sequence numbers 5 and 7 that have arrived normally to the client apparatus 30 that is the destination.

  According to the communication system 1 of the third embodiment, the packet processing device 10 and the server device 20 cannot guarantee data integrity because the individual packets included in the received aggregate packet have been tampered with. In such a case, only the individual packet that has been tampered with in the aggregated packet is requested to be retransmitted. For this reason, when only a part of the individual packets included in the aggregate packet is falsified, it is not necessary to retransmit the entire aggregate packet. On the other hand, conventionally, it is necessary to retransmit the entire aggregated packet even if falsification or the like is for a part. Therefore, in the communication system 1 of the third embodiment, the amount of data to be retransmitted is smaller than in the past. In addition, since the frequency of retransmission is also reduced, the real-time performance is improved as compared with the prior art.

  Further, according to the communication system 1 of the third embodiment, the packet processing device 10 and the server device 20 transmit the aggregated packet a plurality of times at a time. Thus, the packet processing device 10 or the server device 20 that has received the aggregate packet immediately receives the next aggregate packet even when the individual packet included in the aggregate packet received for the first time is discarded. Therefore, the packet processing apparatus 10 or the server apparatus 20 can receive the discarded individual packet immediately after receiving the individual packet retransmitted due to the request for retransmission. Thereby, real-time property improves.

The first to third embodiments can be modified as follows.
The packet processing apparatus 10 may not have a function of connecting to the network NW1, the network NW2, or both. A device connected to the packet processing device 10 may connect to the network NW1, the network NW2, or both to communicate with the server device 20 or the client device 30.
The packet processing device 10 may be connected to the server device 20 via a bus such as a USB (universal serial bus) without going through the network NW2. Further, the server device 20 may incorporate the packet processing device 10.

  In step S13, the processor 11 may determine whether or not the number of untransmitted individual packets stored in the aggregation buffer 102 has reached a predetermined number or more instead of the capacity D1. In step S123, the processor 21 may determine whether or not the number of unsent individual packets stored in the server aggregation buffer is equal to or greater than a predetermined number, instead of the capacity D2. The above aspect can be used when the data size of the individual packet is almost constant.

  The processor 11 or the processor 21 may extract all the packets to be aggregated from the aggregation buffer 102 or the server aggregation buffer, and then perform aggregation.

  When only one individual packet is transmitted, the packet processing device 10 or the server device 20 may transmit the packet as it is without forming an aggregate packet.

  The communication system 1 according to the first embodiment may be in a mode that does not request retransmission of a discarded packet. That is, the processor 11 skips step S38 and proceeds to step S31. Further, the processor 21 skips step S108 and proceeds to step S101.

  In the first to third embodiments, an example in which there is one server device 20 has been described. However, a plurality of server devices 20 may be connected to the network NW. In this case, the packet processing device 10 aggregates the received individual packets, for example, only for the same destination server device 20. That is, the packet processing device 10 generates and transmits an aggregate packet for each destination.

  Using a plurality of packet processing devices 10, for example, communication between two points can be made efficient. For example, the first packet processing device 10 and a plurality of devices that can communicate with the first packet processing device 10 (hereinafter referred to as “device a”) are located at the point A, and the second packet processing device 10 and the second packet. It is assumed that a plurality of devices (hereinafter referred to as “device b”) capable of communicating with the processing device 10 are installed at the B point. In this case, the first packet processing device 10 transmits to the second packet processing device 10 an aggregate packet obtained by aggregating individual packets destined for the device b and transmitted from the plurality of devices a. Then, the second packet processing device 10 divides the received aggregated packet into individual packets, and transmits each individual packet to the device b that is each destination. In addition, the second packet processing device 10 transmits to the first packet processing device 10 an aggregate packet obtained by aggregating individual packets destined for the device a and transmitted from the plurality of devices b. Then, the first packet processing device 10 divides the received aggregated packet into individual packets, and transmits each individual packet to each destination device a.

  The communication system 1 shown in the first to third embodiments is a server client model, but is not limited to the server client model.

  The communication system 1 may guarantee and verify the integrity of data using other than the MAC. For example, the communication system 1 uses a message integrity code (MIC). The MIC is an example of a code for guaranteeing data integrity.

  The packet processing device 10 and the server device 20 may add an error correction code to the aggregated packet.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

DESCRIPTION OF SYMBOLS 1 ... Communication system, 10 ... Packet aggregation apparatus, 11, 21, 31 ... Processor, 12, 22, 32 ... ROM, 13, 23, 33 ... RAM, 14, 24, 34 ... Auxiliary storage device , 15... First communication I / F, 16... Second communication I / F, 20... Server device, 25 and 35 .. Communication I / F, 30. Receiving unit 102 ... Aggregation buffer 103 ... Period management unit 104 ... Combining unit 105 ... Range selection unit 106, 124 ... Encryption unit 107 ... First transmission unit 108 ... First 2 receiving unit 109 109 125 decoding unit 110 dividing unit 111 second transmission unit 121 redundancy unit 122 retransmission request unit 123 arrival management unit

Claims (20)

A receiver for receiving individual packets;
A processing unit that generates an aggregate packet that aggregates a plurality of individual packets received by the reception unit, and that encrypts a range that is determined not to be encrypted among the generated aggregate packet;
And a transmission unit that transmits the aggregated packet encrypted by the processing unit.   The processing unit assigns a code for guaranteeing data integrity to a range determined to have no code for guaranteeing data integrity in the generated aggregate packet. Item 4. The packet aggregation device according to Item 1.   The packet aggregation device according to claim 1 or 2, wherein the processing unit generates an aggregation packet so that portions determined to be not encrypted are continuous. The processor is
The aggregate packet is encrypted in units of individual packets included in the aggregate packet,
The packet aggregation device according to claim 1 or 2, wherein a code for guaranteeing data integrity is assigned to the aggregated packet in units of individual packets included in the aggregated packet.   5. The packet aggregation device according to claim 1, wherein the processing unit controls the transmission unit to cause the aggregation packet to be transmitted a plurality of times.   The packet aggregation device according to claim 5, wherein the processing unit controls the transmission unit to transmit the aggregated packet through at least two types of routes.   From the aggregate packet generated and transmitted by the packet aggregator that generates an aggregate packet in which a plurality of individual packets are aggregated and encrypts a range determined to be not encrypted among the generated aggregate packets, the aggregate packet A packet dividing apparatus comprising a processing unit for dividing the individual packets included in the packet.   The packet division device according to claim 7, wherein when the aggregate packet includes an individual packet whose data integrity is not guaranteed, the packet division apparatus according to claim 7, wherein the individual packet whose data integrity is not guaranteed is discarded.   The packet division device according to claim 7 or 8, wherein when the integrity of the data of the aggregate header included in the aggregate packet is not guaranteed, the entire aggregate packet is discarded. Of the individual packets included in the aggregated packet, record an individual packet that guarantees data integrity as having arrived,
The packet division device according to claim 7, wherein among the individual packets included in the aggregated packet, the individual packet recorded as having arrived is discarded. The aggregate packet is given an identifier to each individual packet included in the aggregate packet by the packet aggregation device,
11. The method according to claim 7, wherein the processing unit determines a transmitted and unarrived individual packet based on the identifier, and requests the packet aggregation device to retransmit the unarrived individual packet. The packet dividing apparatus as described. Including a packet aggregator and a packet divider,
The packet aggregation device includes:
A first processing unit that generates an aggregate packet by aggregating a plurality of individual packets, and encrypts a range determined to be not encrypted among the generated aggregate packets;
A first communication unit that transmits an aggregated packet in which a plurality of individual packets are aggregated to a packet division device,
The packet dividing device includes:
A second communication unit that receives the aggregate packet transmitted from the packet aggregation device;
A packet communication system comprising: a second processing unit that divides the individual packet included in the aggregated packet from the aggregated packet received by the second communication unit. A computer with a packet aggregator
A program that functions as a processing unit that aggregates a plurality of individual packets, generates an aggregate packet including the plurality of individual packets, and encrypts a range determined to be not encrypted among the generated aggregate packets. A computer provided in the packet splitting device,
The aggregated packet is generated from the aggregated packet generated and transmitted by the packet aggregating apparatus that generates an aggregated packet by aggregating a plurality of individual packets, and encrypts a range determined to be not encrypted among the generated aggregated packets. A program for dividing the individual packet included in the program to function as a processing unit. A generation unit that generates aggregate packet data in which a plurality of packets are aggregated,
In the aggregate packet data, each of the plurality of packets includes a header portion and a payload portion, and a plurality of payload portions included in the aggregate packet data are encrypted with a plurality of keys, and a plurality of packets included in the aggregate packet data are included. The packet generator is encrypted with the same key.   The packet generation device according to claim 15, wherein the aggregated packet data includes a plurality of the header portions continuous.   The packet generation device according to claim 15, wherein the aggregated packet data is provided with a code and an identifier for guaranteeing data integrity for each of the packets. A packet generation method for generating aggregate packet data in which a plurality of packets are aggregated,
In the aggregate packet data, each of the plurality of packets includes a header portion and a payload portion, and a plurality of payload portions included in the aggregate packet data are encrypted with a plurality of keys, and a plurality of packets included in the aggregate packet data are included. A packet generation method in which the header part is encrypted with the same key. A computer included in the packet generator
Let it function as a generator that generates aggregate packet data in which multiple packets are aggregated,
In the aggregate packet data, each of the plurality of packets includes a header portion and a payload portion, and a plurality of payload portions included in the aggregate packet data are encrypted with a plurality of keys, and a plurality of packets included in the aggregate packet data are included. A program whose header part is encrypted with the same key. A plurality of individual packets are aggregated, and the individual packets receive an aggregate packet to which a code for guaranteeing data integrity is provided in units of individual packets;
A communication method of requesting retransmission of the individual packet whose data integrity is not guaranteed when the received aggregate packet includes the individual packet whose data integrity is not guaranteed.