JP3808839B2 - Content transmission device, content reception device, content transmission method, and content reception method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a content transmission device, a content reception device, a content transmission method, and a content reception method for transmitting content from a transmission device to a reception device.
[0002]
[Prior art]
With the spread of computer networks and the development of digital technology in recent years, products called digital information home appliances are spreading. In addition, with the start of terrestrial digital broadcasting, digital broadcasting compatible TVs, set-top boxes, DVD recorders, and the like are expected to become more widespread in the future.
[0003]
If various digital home appliances can be connected via a network and share digital contents, it is convenient for users.
[0004]
Unlike analog information, digital content has the advantage of being less susceptible to the effects of noise and data degradation, but may be problematic in that it can be copied without degradation from the viewpoint of copyright protection.
[0005]
FIG. 30 is a block diagram showing an overall configuration of a conventional content transmission / reception system having a transmission device and a reception device. 30 is connected to a local area network (hereinafter LAN) 10.
[0006]
A content receiving device B3 (hereinafter simply referred to as a receiving device), a router device C5, and a router device D6 are connected to the LAN 10, and a receiving device F9 is connected to the router device D6 via the Internet 8. . The receiving device E7 is connected to the transmitting device A2 via the router device C5, and the receiving device F9 is connected to the transmitting device A2 via the Internet 8 and the router device D6.
[0007]
Here, consider a case where content is transmitted from the transmitting device A2 to the receiving device B3, the receiving device E7, and the receiving device F9. At this time, what should be noted is the copyright of the content.
[0008]
As described above, the range in which the content is exchanged is within a certain range, for example, within the range of legitimate authority such as the range of private use under Article 30 of the Copyright Act, or within a range narrower than that. For example, it is desirable to prohibit the transmission / reception of content beyond that range.
[0009]
The content shown here refers to digital content such as moving image data and audio data such as MPEG2 and MPEG4 data, or a document such as text data and image data. Here, for the sake of simplicity of explanation, digital contents (hereinafter simply referred to as contents) to be transferred after copyright protection is targeted.
[0010]
In order to protect copyright, the following rules are used for content transmission in the network system of FIG.
(1) In communication within the LAN 10, transmission / reception of content to be copyright protected is permitted. This is because a device connected to the LAN 10 can be regarded as communication within a range enjoyed by individuals and homes.
[0011]
For example, in the environment of FIG. 30, content transmission from the transmitting device A to the receiving device B or the receiving device E connected to the LAN 10 is permitted.
(2) In communication outside the LAN 10, transmission / reception of content that should be protected by copyright is not permitted. Communication outside the LAN 10 indicates open communication via a public network such as the Internet or a telephone network, such as communication from the transmission device A to the reception device F9 shown in FIG. This is because communication outside the LAN 10 to a receiving device or the like connected via the Internet cannot be regarded as communication within a range enjoyed by an individual or at home.
[0012]
Conventionally, as an implementation method for limiting the content distribution range to a range enjoyed by individuals, that is, within the LAN 10, for example, (1) a method of transmitting with a fixed TTL (Time To Live) value of a packet for a destination host (2) A method of checking the value of whether or not the TTL value of a packet transmitted from the transmission side on the receiving side has changed, and (3) a method of combining them are considered.
[0013]
In the environment shown in FIG. 30, in order to limit the transmission / reception of content from the transmitting device to the receiving device within the LAN 10, a method combining the methods (1) and (2) will be described as an example.
[0014]
31 and 32 are sequence diagrams showing the processing procedure of the conventional content transmission / reception system shown in FIG. 30, FIG. 31 shows an example in which there is no change in the communication path between the transmitting device and the receiving device, and FIG. 32 shows the communication route. An example in which there is a change is shown.
[0015]
In FIG. 31, when a connection is established between the transmitting device and the receiving device (step S311), the transmitting device checks the number of hops of the IP packet with the receiving device (steps S312 and S313).
[0016]
In addition, when the transmitting device determines the number of hops when transmitting a packet to the receiving device in advance, the value may be set.
[0017]
Here, the hop count is a TTL value required for an IP packet to reach from one device to the other device.
[0018]
The number of hops is measured by, for example, using an Internet Control Message Protocol (ICMP) packet, increasing the TTL value of the IP packet sequentially from 1, and repeatedly transmitting from one host (in this case, the transmitting device). The process is repeated until the IP packet reaches the other host (in this case, the receiving device) (step S313).
[0019]
There is a program called traceroute as a program for performing such processing. Hereinafter, this method of measuring the number of hops and the communication route is referred to as traceroute.
[0020]
As a result of the measurement, if it is found that the number of hops from the transmission device to the reception device is Y (step S314), the value Z = XY received by the reception device when the transmission device transmits TTL = X to the reception device. Is notified to the receiving device (step S315). The receiving device records this value Z (step S316).
[0021]
Thereafter, it is assumed that the transmitting device transmits all the packets including the content to be transmitted to the receiving device and the data for authentication / key exchange with TTL = X (step S317).
[0022]
In order to limit the content distribution range, the value of X may be set to a value smaller than a normal value, or in some cases, a value equivalent to the hop count Y.
[0023]
The receiving device compares the TTL value of the packet received from the transmitting device with the value Z notified in advance (step S318), and continues the processing if they match. If they do not match, the content reception is stopped and an error is notified to the transmitting device.
[0024]
In FIG. 32, since the communication path changes during communication and the hop count changes accordingly, the hop count of the IP packet from the transmitting device to the receiving device changes from Y to Y ', and the receiving device changes the TTL value. An example is shown in which the reception of content is stopped upon detection of. (S321 to S329).
[0025]
As described above, there are various methods for limiting the distribution range of contents. However, the configuration of devices that implement these methods has not been specifically shown so far. For example, if the distribution range restriction method shown in FIGS. 31 and 32 is easily implemented, the configuration of the transmitting device and the receiving device may become complicated.
[0026]
Generally, a transmitting device transmits and receives various data in addition to transmitting content. If the TTL value of all IP packets transmitted from the transmitting device is changed, the transmitting device may simultaneously transmit data other than data related to copyright protection, which causes inconvenience.
[0027]
For example, suppose that a transmitting device has a function of distributing contents and a function of a Web server at the same time. It is convenient for the user if it is possible to transmit content to the receiving device and simultaneously transmit Web content to the Web client host.
[0028]
However, as described above, the TTL value of the IP packet must be set to a predetermined value for the content to be copyright protected. For web clients that do not need to limit the TTL value, if the TTL value is restricted at the same time, data may be sent to the web client that is located at a hop count greater than or equal to the specified value. There is a risk that the user's convenience may be impaired.
[0029]
One means for avoiding this is to set the TTL value of the IP packet to X for a specific host or a specific connection for transmitting content to the receiving device, and transmit it. Furthermore, since the IP address of the destination receiving device is generally determined dynamically by a protocol such as DHCP, it is not always a fixed address, and the connection used for data transmission / reception changes, so the host and It is desirable that rules for specifying a connection can be dynamically generated and applied.
[0030]
FIG. 33 is a diagram showing a data structure when content is transmitted in the RTP packet format. As shown in FIG. 33, the TTL value 330 is a value included in the IP header.
[0031]
In general, programmers who create content to be transmitted use APIs provided by OS vendors and development support tools when packetizing content data, so the structure and control method of TCP packets and IP packets are detailed. There is no need to pay attention. However, in order to set the TTL value to a specific value for a specific IP packet, a program that directly controls the IP packet processing unit must be written.
[0032]
FIG. 34 is a block diagram showing the internal configuration of the transmitting device when setting the TTL value of an IP packet for a specific connection.
[0033]
As shown in FIG. 34, a content supply unit 340 that supplies content, an encryption processing unit 341 that encrypts the content, an authentication / key exchange processing unit 342 that performs authentication and key exchange, and a packet that transmits the encrypted content A first packet processing unit 343 for converting data, a non-copyright protection data processing unit 344 for processing non-copyright protection data, a second packet processing unit 345 for packetizing non-copyright protection data, and a first The output of the packet processing unit 343 and the second packet processing unit 345 includes a communication processing unit 346 and a network interface unit 347 to which the communication processing unit 346 is connected.
[0034]
The first packet processing unit 343 sets the TTL value to an appropriate value and transmits the packet. Since the second packet processing unit 345 handles data that is not directly related to a packet for transmitting / receiving a copyright-protected content, there is no need to perform a TTL operation.
[0035]
Thus, since the packet processing unit must be configured separately depending on whether the data to be transmitted / received is data related to copyright or not, the configuration of the transmitting device becomes complicated.
[0036]
Next, the receiving device will be described. As with the transmitting device, the receiving device transmits and receives various data in addition to receiving the content. In addition, since the data received by the receiving device includes data other than the content that should be protected by copyright, IP packet processing can be performed depending on the application in order to check the TTL value for a specific packet. It is necessary to change the processing content of the part.
[0037]
The receiving device C7 in FIG. 31 performs a comparison process to determine whether or not the TTL value of the IP packet received from the transmitting device is Z. As shown in FIG. 33, the TTL value is included in the IP header. TTL value confirmation processing must be performed in the IP header processing part, or the TTL value must be extracted from the IP header and passed to the upper protocol.
[0038]
FIG. 35 is a block diagram showing the internal configuration of the receiving device in this case. As shown in FIG. 35, a packet processing unit 353 having a network interface unit 350 connected to a network, a communication processing unit 351 connected thereto, and a packet analysis unit 352 for analyzing a packet received from the communication processing unit 351. A TTL value determination unit 354 that determines a TTL value, an authentication / key exchange processing unit 355 that performs authentication / key exchange processing, an encryption processing unit 356 that performs decryption processing, a content processing unit 357 that performs content processing, And a non-copyright protection data processing unit 358 for processing the non-copyright protection data.
[0039]
The receiving device extracts a TTL value from the IP packet of a specific connection (in this case, a connection for performing transmission / reception of content data and authentication / key exchange required for transmission / reception of content), and determines whether or not it matches a predetermined value. A value determination unit 354 is provided.
[0040]
Similar to the sending device, the developer of the receiving device generally uses the API provided by the OS vendor or development support tool to establish a connection with the sending device to send / receive content and perform authentication / key exchange processing. There is a problem that it is necessary to develop the part that processes the IP header independently without relying on the API, and the configuration of the receiving device as well as the transmitting device becomes complicated.
[0041]
[Non-Patent Document 1]
RFC791 INTERNET PROTOCOL DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION, Sep 1981
[0042]
[Problems to be solved by the invention]
As described above, the method of restricting the distribution range of content by applying special processing to packets for content transmission / reception and authentication / key exchange complicates the configuration of the receiving device and the transmitting device and is difficult to implement. There was a problem of being.
[0043]
The present invention has been made in view of the above points, and an object of the present invention is to provide a content transmission device, a content reception device, a content transmission method, and a content reception capable of protecting the copyright of the content with a simple process. Is to provide a method.
[0044]
[Means for Solving the Problems]
In order to solve the above-described problems, the content transmission device of the present invention establishes a connection between a content supply unit that supplies content to be transmitted to the reception device and the reception device, and performs authentication / key exchange processing. Authentication / key exchange processing means to perform, encryption processing means for encrypting content using a key exchanged between the authentication and key exchange processing means and the receiving device, and content encrypted by the encryption processing means , Packet processing means for converting at least one of authentication / key exchange data output from the authentication / key exchange processing means into an IP packet, and using the connection information, the authentication / A transmission filter setting means for generating a transmission filter rule describing a rule for specifying an IP packet including key exchange data; Filtering processing means for filtering the IP packet packetized by the packet processing means based on the transmission filter rule generated by the filter setting means; Packet changing processing means for changing a predetermined value in the IP packet filtered by the filtering processing means; It is characterized by comprising.
[0045]
Furthermore, the content transmission apparatus of the present invention is characterized in that the predetermined value in the IP packet is a TTL value.
[0046]
Further, in the content transmitting apparatus of the present invention, the connection information includes at least one of a transport layer protocol in the connection, an IP address of the transmitting apparatus and the receiving apparatus, a port number of the transmitting apparatus and the receiving apparatus, and an RTP payload type. It consists of one.
[0047]
The content receiving apparatus of the present invention establishes a connection with the transmitting apparatus, and exchanges between the authentication / key exchange processing means for performing authentication / key exchange processing and the transmitting apparatus with the authentication / key exchange processing means. Encryption processing means for decrypting the content using the generated key, packet processing means for extracting and outputting the payload portion from the IP packet received from the transmitting device, and using the connection information, A reception filter setting unit that generates a reception filter rule for specifying an IP packet including authentication / key exchange data, and a filter for the IP packet processed by the packet processing unit based on the reception filter rule generated by the reception filter setting unit If the specified value in the IP packet is other than the specified value, a filtering process is sent to the authentication / key exchange processing means. A stage is provided.
[0048]
Furthermore, the content receiving apparatus of the present invention is characterized in that the predetermined value in the IP packet is a TTL value.
[0049]
Further, in the content reception device of the present invention, the connection information includes at least one of a transport layer protocol in the connection, an IP address of the transmission device and / or the reception device, a port number of the transmission device and / or the reception device, and a payload type of RTP. It consists of one.
[0050]
The content transmission apparatus of the present invention includes a content supply means for supplying content to be transmitted to the reception apparatus, an authentication / key exchange processing means for establishing a connection with the reception apparatus and performing authentication / key exchange processing. And an encryption processing means for encrypting the content using the key exchanged with the receiving apparatus by the authentication / key exchange processing means, and a first for framing the input IP packet to the data link layer A communication processing means, a second communication processing means for changing a predetermined value in the input IP packet and framing the data link layer, and at least an authentication / key exchange processing means or encryption according to predetermined routing information A packet processing processing means for converting the output from the processing means into an IP packet and outputting the packet to the first communication processing means or the second communication processing means in accordance with the destination IP address; Transmission filter that performs routing information change processing that changes routing information so that IP packets addressed to the receiving device are output to the second communication processing means among IP packets that have been converted into IP packets by the packet processing means. And setting means.
[0051]
Furthermore, in the content transmission apparatus of the present invention, the transmission filter setting unit uses the connection information, and describes a rule for specifying an IP packet including authentication / key exchange data among IP packets generated by the packet processing means. And a second communication processing unit configured to generate an IP frame framed by the second communication processing unit in the data link layer based on the transmission filter rule generated by the transmission filter setting unit. And a filtering processing function for filtering packets.
[0052]
The content receiving apparatus of the present invention establishes a connection with the transmitting apparatus, and exchanges between the authentication / key exchange processing means for performing authentication / key exchange processing and the transmitting apparatus with the authentication / key exchange processing means. An encryption processing means for decrypting the content using the generated key; a first operation mode for outputting a frame including an IP packet among the received data link layer frames to the first packet processing means; A communication processing means having a second operation mode for outputting a frame including an IP packet to the first packet processing means and outputting all copies of the frame to the second packet processing means; Using this information, a receive filter setting that generates a receive filter rule for identifying IP packets that contain authentication / key exchange data among received IP packets Means, a first packet processing means for extracting and outputting the payload portion of the IP packet from the frame output from the communication processing means, and notifying the communication processing means to operate in the second operation mode for communication. The IP packet payload was extracted from the frame output from the processing means, the IP packet was filtered based on the reception filter rule generated by the reception filter setting means, and the predetermined value in the IP packet was other than the specified value The second packet processing means for notifying the authentication / key exchange processing means.
[0053]
The content transmission apparatus of the present invention includes a content supply means for supplying content to be transmitted to the reception apparatus, an authentication / key exchange processing means for establishing a connection with the reception apparatus and performing authentication / key exchange processing. The encryption processing means for encrypting the content using the key exchanged with the receiving device by the authentication / key exchange processing means, and the packet processing for converting at least the content encrypted by the encryption processing means into an IP packet Means, second packetizing means for packetizing and outputting data relating to authentication / key exchange output from authentication / key exchange processing means in a format different from that of packet processing means, packet processing means and second packet processing Communication processing means for encapsulating the data output from the means in a data link layer frame with different predetermined values. Characterized in that Bei was.
[0054]
The content receiving apparatus of the present invention establishes a connection with the transmitting apparatus, and exchanges between the authentication / key exchange processing means for performing authentication / key exchange processing and the transmitting apparatus with the authentication / key exchange processing means. And a cryptographic processing means for decrypting the content using the generated key, and a payload portion of the frame based on a predetermined value of the frame in the data link layer received from the transmitting device, the first packet processing unit or the second packet A communication processing means for outputting to the processing section; a first packet processing means for extracting and outputting the payload portion of the IP packet from the frame output from the communication processing section; and a second payload from the payload section received from the transmitting apparatus. And second packetizing means for extracting and outputting the part.
[0055]
The receiving device of the present invention establishes a connection with the transmitting device and is exchanged between the authentication / key exchange processing means for performing authentication / key exchange processing and the transmitting device with the authentication / key exchange processing means. An encryption processing means for decrypting the content using the received key, a first operation mode for outputting a frame including an IP packet among the received data link layer frames to the first packet processing means, and A communication processing unit having a second operation mode for outputting a frame including an IP packet to the first packet processing unit and outputting all copies of the frame to the second packet processing unit; A first packet processing means for extracting and outputting the payload portion of the IP packet from the frame output from the means, and a second operation mode for the communication processing means. And a second packet processing means for extracting and outputting the payload portion of the data link frame when a predetermined value is included in the data link frame among the frames output from the communication processing means. It is characterized by that.
[0056]
The content receiving apparatus of the present invention establishes a connection with the transmitting apparatus, and exchanges between the authentication / key exchange processing means for performing authentication / key exchange processing and the transmitting apparatus with the authentication / key exchange processing means. An encryption processing means for decrypting the content using the generated key; a first operation mode for outputting a frame including an IP packet among the received data link layer frames to the first packet processing means; A communication processing means having a second operation mode for outputting a frame including an IP packet to the first packet processing means and outputting all copies of the frame to the second packet processing means; Using this information, a receive filter setting that generates a receive filter rule for identifying IP packets that contain authentication / key exchange data among received IP packets Means, a first packet processing means for extracting and outputting the payload portion of the IP packet from the frame output from the communication processing means, and notifying the communication processing means to operate in the second operation mode, and communicating When a predetermined value is included in the data link frame among the frames output from the processing means, the payload portion of the data link frame is extracted, and the frame is extracted based on the reception filter rule generated by the reception filter setting means. And second packet processing means for filtering and outputting.
[0057]
Also, the content transmission method of the present invention supplies the content to be transmitted to the receiving device, establishes a connection with the receiving device, performs authentication / key exchange processing, and exchanges the key exchanged with the receiving device. The content is encrypted using IP, and at least one of the encrypted content and the data related to authentication / key exchange output in the authentication / key exchange process is converted into an IP packet and packetized using the connection information Generates a transmission filter rule that contains rules for identifying IP packets that contain authentication / key exchange data among IP packets, filters the IP packet based on the transmission filter rule, and selects the specified IP packet in the filtered IP packet. The value of is changed.
[0058]
The content receiving method of the present invention establishes a connection with a transmitting apparatus, performs authentication / key exchange processing, decrypts the content using a key exchanged with the transmitting apparatus, and transmits the transmitting apparatus. The payload part is extracted from the received IP packet and output, and using the connection information, a reception filter rule for identifying the IP packet containing authentication / key exchange data from the received IP packet is generated and received. The IP packet is filtered based on the filter rule, and the authentication / key exchange process is restricted when a predetermined value in the IP packet is other than a specified value.
[0059]
Also, the content transmission method of the present invention supplies the content to be transmitted to the receiving device, establishes a connection with the receiving device, performs authentication / key exchange processing, and exchanges the key exchanged with the receiving device. Is used to encrypt the content and frame the input IP packet into the data link layer or change the predetermined value in the input IP packet, frame it into the data link layer, and Use at least the output of the authentication / key exchange process or the output of the encryption process as an IP packet, perform any framing according to the destination IP address, use the connection information, and the IP packet Change the routing information so that the IP packet addressed to the receiving device is changed to a predetermined value in the IP packet and framed in the data link layer. Features.
[0060]
The content receiving method of the present invention establishes a connection with the transmitting device, performs authentication / key exchange processing, decrypts the content using the key exchanged with the transmitting device, and receives the content. Of the frames of the data link layer, a frame including the IP packet is output to the first packet processing means, or a frame including the IP packet of the received frame is output to the first packet processing means, and all the frames Is output to the second packet processing means, and using the connection information, a reception filter rule for identifying an IP packet including authentication / key exchange data is generated from the received IP packet, and the IP is generated from the frame. Extracts and outputs the payload portion of the packet, outputs it to the first packet processing means, and copies all the frames to the second packet processing means The IP packet payload part is extracted from the frame, the IP packet is filtered based on the reception filter rule, and if the specified value in the IP packet is other than the specified value, authentication / key exchange The process is limited.
[0061]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, a content transmission device, a content reception device, a content transmission method, and a content reception method according to the present invention will be specifically described with reference to the drawings.
[0062]
(First embodiment)
FIG. 1 is an overall block diagram illustrating an example of a content transmission / reception system including a content transmission apparatus and a content reception apparatus according to the present invention. The content transmission / reception system of FIG. 1 includes a content transmission device (hereinafter simply referred to as a transmission device) A1 connected to a local area network (hereinafter referred to as LAN) 1, and a content reception device (hereinafter simply referred to as a reception device) B2. Router devices C3 and D4, a receiving device E5 connected to the router device C3, and a receiving device F6 connected to the LAN 1 via the Internet 7.
[0063]
The LAN 1 in FIG. 1 may be either a wireless network such as IEEE802.11 or a wireless LAN and a wired network such as Ethernet (R) (R).
[0064]
Each transmitting device and receiving device are various devices that exchange digital AV data such as a set-top box, a home server, a digital VTR, a DVD player, and a television.
[0065]
In the following, a mechanism for limiting transmission / reception of content that needs to be copyright-protected to a certain range between a transmission device and a reception device will be described.
[0066]
In this embodiment, communication within the LAN 1 permits transmission / reception of content that should be protected by copyright, but does not permit communication outside the LAN 10.
[0067]
For example, in the network shown in FIG. 1, content transmission from the transmission device A1 to the reception devices B2 and C3 is permitted, but content transmission from the transmission device A1 to the reception device F6 connected via the Internet 7 is not permitted. I will decide. In the first embodiment, by limiting the number of reachable router devices by limiting the TTL value of the IP packet to a certain value or less by limiting the communication range between the transmitting device and the receiving device, The configuration of the transmitting device and the receiving device when restricting the distribution range is shown.
[0068]
As shown in the prior art, the transmitting device sets the TTL value of the IP packet to a fixed value (for example, 1) to the receiving device and transmits a packet necessary for authentication / key exchange.
[0069]
Further, the receiving device checks whether the TTL value of the IP packet transmitted from the transmitting device is 1. If the TTL value of the authentication / key exchange packet received from the transmitting device is not 1, it is determined that the packet has been altered on the communication path, and the authentication / key exchange process is stopped.
[0070]
Here, as an authentication / key exchange method, an authentication / key exchange method for copyright protection may be used, or a well-known method such as an elliptic curve Diffie-Hellman key exchange algorithm may be used. Good.
[0071]
Furthermore, with regard to content protection, the content may be encrypted by an encryption method such as the M6 common key block method using the key acquired by the authentication / key exchange process.
[0072]
In addition, in the authentication / key exchange process, not only data transmitted from the transmitting device to the receiving device but also data transmitted from the receiving device to the transmitting device may be transmitted. In the opposite configuration, the receiving device sets the TTL value to 1 and sends it to the sending device. The sending device checks whether the TTL value of the packet sent from the receiving device is 1. What is necessary is just to perform the process to confirm.
[0073]
Here, for the sake of simplicity, a mechanism in which the transmitting device sets the TTL value to 1 and the receiving device checks the TTL value will be described. Furthermore, not only authentication / key exchange processing but also transmission / reception of authenticated content can be performed more strictly by limiting the TTL value for transmission.
[0074]
FIG. 2 is a block diagram illustrating an internal configuration of the transmission device A1 according to the first embodiment. 2 is transmitted to a network interface unit 2000 that performs physical layer processing in the OSI basic reference model established by the International Organization for Standardization (ISO), a communication processing unit 2001 that performs data link layer processing, and a receiving device. Packet processing unit 2002 that performs processing for converting content data to be transmitted and data for authentication / key exchange into TCP / IP packets and UDP / IP packets, and vice versa, and packets to be transmitted Is a transmission filter setting unit 2003 for creating a rule for determining whether or not the packet is related to data whose copyright is to be protected, and whether or not the transmission / reception packet corresponds to the rule created by the filter setting unit Or transmission filtering processing unit 2004 that performs matching processing, and transmission filtering processing unit A packet change processing unit 2005 that applies a predetermined operation described in the rule to a transmission / reception packet, an authentication / key exchange processing unit 2006 that performs authentication / key exchange processing with a receiving device for copyright protection, and data to be transmitted The encryption processing unit 2007 for encrypting / decrypting the content, the content supplying unit 2008 for supplying the content to the encryption processing unit, and the non-copyright protection data processing unit 2009 for performing processing not directly related to the data whose copyright is to be protected And.
[0075]
The transmission filter setting unit 2003 and the transmission filtering processing unit 2004 are features of the present embodiment. When transmitting content that requires copyright protection, information exchanged with the receiving device prior to the authentication / key exchange processing is performed. The transmission filter setting unit 2003 originally creates a rule, and notifies the filtering processing unit 2004 of the transmission filter rule 2010.
[0076]
The filtering processing unit 2004 performs matching processing with the packet being input / output according to the set transmission filter rule 2010. When there is a packet that matches the transmission filter rule 2010 in the transmission filter setting unit 2003, the packet change processing unit 2005 performs the predetermined processing described in the transmission filter rule 2010 on the packet and transmits the packet. .
[0077]
An example of the transmission filter rule 2010 is shown in FIG. The transmission filter rule 2010 includes a matching unit 3000 serving as a key for searching for a corresponding packet, and an operation unit 3001 describing that predetermined processing is performed when there is a packet corresponding to the transmission filter rule.
Multiple transmission filter rules are described in consideration of the case where the transmitting device transmits content to multiple receiving devices and the case where multiple connections are established to transmit multiple content to a single receiving device. It is desirable to be able to do so. In this case, the filtering processing unit 2004 sequentially searches whether or not a transmission filter rule is defined in the matching unit for the packet. If the corresponding transmission filter rule 2010 is defined, the filtering processing unit 2004 operates the rule number. The processing described in section 3001 is performed on the packet.
[0078]
Here, the processing of rule number 1 shown in FIG. 3 will be described as an example. In the transmission filter rule 2010, the destination IP address (the IP address of the receiving device) is ee.ff.ggg.h in the IP packet transmitted from the transmitting device, and the source IP address is aa.bb. Among TCP packets of .ccc.ddd (IP address of own transmission device), if the source TCP port number is X and the destination TCP port number is Y, the TTL value of the IP packet is set to A It means that it is a rule that instructs setting.
[0079]
The rules include (1) a method using a combination of the IP address and UDP port number of the transmitting device and the receiving device in addition to the combination of the IP address and TCP port number of the transmitting device and the receiving device, and (2) the RTP payload. A method using the type classification number can be considered.
[0080]
The filter setting unit 2003 creates such a transmission filter rule 2010, and the transmission filtering processing unit 2004 searches for the corresponding packet in accordance with it, and performs processing for changing the packet in accordance with the contents described in the operation unit.
[0081]
FIG. 4 is a block diagram illustrating an internal configuration of the receiving device according to the first embodiment. 4 is a network interface unit 4000 that performs Ethernet (R) physical layer processing in the OSI basic reference model, a communication processing unit 4001 that performs data link layer processing, and a packet received from a transmitting device. A matching process is performed on the reception filter setting unit 4002 for creating a rule, a packet processing unit 4003 for converting each packet into data, and a rule created by the filter setting unit during packet processing, and there is a corresponding packet. A reception filtering processing unit 4004 that performs predetermined processing in some cases, an encryption processing unit 4005 that decrypts related encrypted content data transmitted from the transmitting device, and authentication that performs authentication / key exchange processing for copyright protection -Key exchange processing unit 4006 and decrypted content to display device A content processing unit 4007 that performs processing to force or storage, and a non-copyright protection data processing unit 4008 for processing data not directly related to the copyright.
[0082]
The reception filter setting unit 4002 and the reception filtering processing unit 4004 are characteristic parts of the receiving device in the present embodiment, and the received packet is copyrighted based on information exchanged with the transmitting device prior to the authentication / key exchange processing. A reception filter rule 4009 for determining whether the packet is related to data to be protected is created, and the rule is notified to the reception filtering processing unit.
[0083]
The reception filtering processing unit 4004 has a function of performing matching processing with a packet according to the set reception filter rule 4009 and notifying the authentication / key exchange processing unit when a corresponding packet is detected.
[0084]
An example of the reception filter rule 4009 set by the reception device is shown in FIG. The configuration of the rules may be the same format as that of the transmitting device shown in FIG. That is, it has a matching unit 5000 and an operation unit 5001.
[0085]
Here, the processing of rule number 1 in FIG. 5 will be described as an example. In this rule, among IP packets received from the sending device, the destination IP address (IP address of the own device) is ee.ff.ggg.h, and the source IP address (IP address of the sending device) is aa Authentication / key when the source TCP port number is X, the destination TCP port number is Y, and the TTL value of the IP header is not 1 in the TCP packet of .bb.ccc.ddd Processing for notifying the exchange processing unit that the packet has been received is performed.
[0086]
The rules include (1) a method using a combination of the IP address and UDP port number of the transmitting device and the receiving device in addition to the combination of the IP address and TCP port number of the transmitting device and the receiving device, and (2) the RTP payload. A method using the type classification number can be considered.
[0087]
Upon receiving this notification, the authentication / key exchange processing unit may perform a process of interrupting the authentication / key exchange process, a process of stopping the reception of content from the transmitting device, or the like.
[0088]
Hereinafter, the operations of the filter setting unit 4002 and the filtering processing unit 4004 will be mainly described.
[0089]
6, 7, and 8 are diagrams illustrating a sequence of the receiving device 6001 and the transmitting device 6000. Here, the IP address of the transmitting device 6000 is aa.bb.ccc.ddd, the IP address of the receiving device 6001 is ee.ff.ggg.h, the standby port used by the transmitting device for authentication / key exchange is X, and the receiving device Let Y be the port used for authentication / key exchange.
[0090]
The sending device sends the TTL value in the IP header in the authentication / key exchange packet as 1, and the receiving device checks whether the TTL value of the packet sent from the sending device is 1. And
[0091]
Hereinafter, the processing procedure will be described with reference to the sequence diagrams of FIGS.
[0092]
First, the receiving device 6001 transmits an authentication / key exchange processing request packet to the transmitting device (S60). In addition to the authentication / key exchange processing request, information necessary for the transmitting device to create a rule is also transmitted. The connection information indicates, for example, the IP address and port number of the receiving device.
[0093]
In this example, a message notifying the port number of the receiving device is included in the authentication / key exchange request, but the message notified by the receiving device is transmitted to the transmitting device as a packet separate from the authentication / key exchange processing. May be.
[0094]
Here, the value of the standby port number of the transmitting device used for the authentication / key exchange request of the transmitting device 6000 is fixed, or the negotiation is performed before the transmitting device 6000 and the receiving device 6001 start the authentication / key exchange processing. It is assumed that the receiving device knows the authentication / key exchange standby port number of the transmitting device 6000 by performing the processing.
[0095]
As a protocol for performing the negotiation process, for example, a method described in JP 2002-019135 or a method such as RTSP (Real Time Streaming Protocol) may be used. RTSP is detailed in the document published by the IETF and available at http://www.ietf.org.
[0096]
Upon receiving the authentication / key exchange processing request and the information related to the connection, the transmitting device 6000 creates a rule for transmission filtering based on the information (S61).
[0097]
In this case, the IP address of the receiving device 6001 is ee.ff.ggg.h, and when sending a TCP / IP packet destined for the own device whose source port number is Y and destination port number is X, A rule indicating that the packet TTL value is set to 1 is created and applied to the packet processing unit (S62, S63).
[0098]
On the other hand, the receiving device 6001 has a TCP / IP packet addressed to its own device whose source IP address is aa.bb.ccc.ddd which is the IP address of the transmitting device, whose source port number is X and whose destination port number is Y. A reception filtering rule that performs a predetermined process when a packet with a TTL value other than 1 is received is created and applied to the packet processing unit (S64).
[0099]
This rule may be created and applied before sending the authentication / key exchange request packet.
[0100]
As described above, the transmitting device 6000 and the receiving device 6001 have created a rule, and a method of applying the rule to each packet processing unit has been shown.
[0101]
Next, a process in which the transmitting device 6000 and the receiving device 6001 perform authentication / key exchange processing in a state where filtering rules are set in the receiving device 6001 and the transmitting device 6000 will be described.
[0102]
When the transmission device 6000 transmits the authentication / key exchange packet 70 to the reception device, it is determined that the packet 70 is for authentication / key exchange from the IP address and port number of the transmission source and the IP address and port number of the transmission destination. The transmission filtering processing unit detects, and transmits the TTL value set to 5 (S65).
[0103]
Similarly, in the receiving device 6001, the reception filtering processing unit identifies that the received packet corresponds to the rule from the transmission / reception IP address and port number, checks the TTL value, and if the TTL value is 5, The process is continued (S66).
[0104]
If the packet transmitted by the transmitting device 6000 is not for authentication / key exchange with the receiving device (for example, non-authentication / key exchange packet 72 addressed to another device A 71), the transmission destination IP address and port number are different. Therefore, it does not correspond to the filtering rule, and the TTL value is not changed by the filtering processing unit of the transmitting device. Similarly, if the receiving device is not the authentication / key exchange processing packet transmitted from the transmitting device, it does not correspond to the filtering rule, and the processing is continued (S67).
[0105]
Next, a case where the TTL value of the IP packet for authentication / key exchange transmitted from the transmission device 6000 changes on the communication path between the transmission device 6000 and the reception device 6001 will be described.
[0106]
For the transmitting device 6000, the transmission filtering processing unit detects that the packet is for authentication / key exchange addressed to the receiving device in the same procedure as described above, and sets the TTL value to 5 and transmits it. (S66).
[0107]
Here, it is assumed that the TTL value of this packet changes from 5 to 4 due to a change in the communication path (S67). At this time, the receiving device receives the packet whose TTL value has been changed to 4 (S68).
[0108]
The receiving device 6001 extracts a corresponding packet from the packets received according to the rules set in the reception filtering processing unit, and checks the TTL value. In this case, the value of TTL is 4 instead of 5 because the communication path has changed from the previously received packet, and the predetermined processing described in the operation part of the filtering rule is performed (S69).
[0109]
Here, the predetermined processing refers to notification to the authentication / key exchange processing unit as shown in FIG. 5, for example. As described above, the authentication / key exchange processing unit that has received this notification may suspend the authentication / key exchange processing (S70).
[0110]
The receiving device 6001 transmits a message for canceling the authentication / key exchange processing to the transmitting device, performs predetermined error processing, and then performs processing for deleting the reception filtering rule (S71, S72).
[0111]
When the transmitting device 6000 receives the message for canceling the authentication / key exchange processing, the transmitting device 6000 performs predetermined error processing and deletes the reception filtering rule set in the receiving device (S73).
[0112]
Although not shown, even when the authentication / key exchange process ends normally and the authentication / key exchange connection is disconnected, the receiving / transmitting device deletes the reception / transmission filtering rule.
[0113]
When the device A 71 transmits a non-authentication / key exchange packet 73 or the like to the receiving device 6001, the receiving device 6001 that has received the packet inspects the packet and confirms that the packet does not correspond to the rule. Receive (S74, S75).
[0114]
FIG. 9 shows the processing procedure of the transmitting device 6000 shown so far, and FIG. 10 shows the processing procedure of the receiving device 6001.
[0115]
In FIG. 9, the transmitting device 6000 receives an authentication / key exchange processing request from the receiving device (S90). Next, information (IP address, port number, etc.) of the receiving device is acquired (S91).
[0116]
Next, a rule for connection with the receiving device and the authentication / key exchange processing is created (S92). Next, this rule is applied to the filtering processing unit (S93). Next, a transmission packet is created (S94). Next, matching processing with a rule is performed (S95), and if the packet does not match the rule, packet transmission (S96) is performed. S96) is performed.
[0117]
In FIG. 10, the receiving device 6001 acquires the IP address of the transmitting device and the authentication / key exchange processing port (S100). Next, an authentication / key exchange processing request and connection information (IP address, port number, etc.) are notified to the transmitting device (S101).
[0118]
Next, a rule for an authentication / key exchange processing connection with the receiving device is created (S102). Next, a rule is applied to the filtering processing unit (S103). Next, a packet is received (S104). Next, rule matching processing is performed (S105). If the packet does not match the rule, packet reception is performed (S106). If the packet matches, error processing is performed because the TTL value is not 1. Further, the authentication / key exchange process is stopped (S108), and an error is notified to the transmitting device (S109).
[0119]
In the examples shown so far, the method for changing or checking the TTL value of the IP packet to a predetermined value only for connections that perform authentication / key exchange has been described. In addition, the TTL value may be set to a predetermined value in order to limit the distribution range to the connection for transmitting and receiving content data.
[0120]
In this case, the IP address and TCP / UDP port number related to the data connection are the same as the information related to the authentication / key exchange connection required for setting the transmission / reception filtering rules. For example, the transmitting device and the receiving device may notify each other in advance, and each may create and set a filtering rule.
[0121]
The first embodiment is characterized in that the packet processing unit has a function of performing packet processing of TCP / IP packets and includes a transmission filtering processing unit. The filtering processing unit sorts out a specific packet such as data requiring copyright protection or data for authentication / key exchange for copyright protection according to the type of packet, and performs a predetermined operation on the packet. Do.
[0122]
Note that a rule for selecting packets is dynamically generated and set. As a result, (1) when the IP address of the sending device or receiving device is dynamically determined by a protocol such as DHCP (Dynamic Host Configuration Protocol), or (2) the port number of the content data changes dynamically depending on the connection. (3) It is possible to cope with cases where the same transmitting device and receiving device need to establish multiple connections at the same time and connections cannot be identified in advance, and protect copyrights sent and received from the same device. It is possible to realize a mechanism that does not affect connections that are not related to the data to be processed.
(Second Embodiment)
Next, a second embodiment of the present invention will be described. The second embodiment of the present invention is an example of realizing the method for limiting the content distribution range described in the first embodiment with a configuration in which transmission / reception filtering processing is not performed by the packet processing unit.
[0123]
FIG. 11 is a block diagram illustrating an internal configuration of a transmission device according to the second embodiment. In FIG. 11, the same reference numerals are given to the same components as those in FIG. 2 illustrating the internal configuration of the transmission device in the first embodiment, and the differences will be mainly described below.
[0124]
In the transmission device of FIG. 11, the packet processing unit 1100 does not include a filtering processing unit, and further includes a second communication process including a TTL change processing unit 1101 that performs a process of changing the TTL value of an IP packet to be transmitted. The transmission filter setting unit 1103 has a function of changing the routing table 1104. The first communication processing unit 1105 has the same function as the communication processing unit in FIG.
[0125]
The packet processing unit 1100 has a function of selecting a communication processing unit corresponding to the destination IP address while referring to the contents of the routing table 1104.
[0126]
FIG. 12A shows a typical example of the routing table 1104 used in the second embodiment. The routing table 1104 is a table showing a combination of a destination IP address and a communication processing unit used in a lower layer.
[0127]
For example, the first row of the table means that a transmission packet whose destination IP address is in the range of XYZ0 / 255.255.255.0 should be transmitted from the first communication processing unit (eth0) 1105.
[0128]
The packet processing unit 1100 has a function of determining which communication processing unit to select from the destination IP address according to the information described in the routing table 1104. The description after changing and setting the routing table 1104 will be described later.
[0129]
FIG. 13 shows a specific processing procedure of the transmitting device. As shown in FIG. 13, the transmitting device first receives an authentication / key exchange processing request from the receiving device (S1300). Next, prior to the authentication / key exchange processing and content transmission processing, information (IP address, etc.) of the receiving device that is the destination device is acquired (S1301).
[0130]
Next, the routing table 1104 is changed so that the packet processing unit 1100 uses the second communication processing unit 1102 when transmitting a packet addressed to the receiving device (S1302).
[0131]
An example of the routing table 1104 changed here is shown in FIG. Compared to FIG. 12A, in FIG. 12B, a packet addressed to a receiving device whose IP address is ee.ff.ggg.h is transmitted using the second communication processing unit (v-eth) 1102. A rule indicating that is added.
[0132]
After changing the routing table 1104, the packet processing unit 1100 generates authentication / key exchange data or content data packets (S1303), and refers to the routing table 1104 to correspond to the destination IP address. And pass the data to the communication processing unit, which is a lower layer (S1304).
[0133]
Here, since the communication processing unit is described in the routing table so that the packet addressed to ee.ff.ggg.h is passed to the second communication processing unit (v-eth) 1102, the second communication processing The part (v-eth) 1102 processes this packet (S1305).
[0134]
The second communication processing unit (v-eth) 1102 performs data link layer processing, changes the TTL value of the IP header to a predetermined value (for example, 3), and outputs it (S1305).
[0135]
That is, in the packet processing unit, the value set by the system is set as the TTL value, but the TTL value output after the second communication processing unit (v-eth) 1102 is set to a predetermined value (for example, 1). It is set (S1306). Thereafter, the network interface unit 2000 performs physical layer processing, and the packet is transmitted (S1307).
According to the routing table shown in FIG. 12B, a transmission packet whose destination IP address is in the range of XYZ0 / 255.255.255.0 is passed to the first communication processing unit (eth0) 1105. Since the first communication processing unit (eth0) 1105 does not change the TTL, it performs the conventional link layer processing and passes it to the network interface unit (S1308). The network interface unit 2000 performs physical layer processing, and the packet is transmitted (S1307).
[0136]
As described so far, in the second embodiment, the communication processing unit is selected by the destination IP address, and the TTL value of the IP packet is manipulated for the packet for the receiving device. .
[0137]
If it is possible to specify not only the destination IP address but also the destination connection, it is possible to flexibly limit the content distribution range.
[0138]
For example, in the authentication / key exchange process, the TTL value is set to a predetermined value for transmission, and content data that is connected separately from the authentication / key exchange process does not require any particular restrictions and is a system-specific value. When transmitting, it is possible to manipulate the TTL value of the packet in connection units, not in IP address units.
[0139]
Similarly, when data other than authentication / key exchange and content data is transmitted to the receiving device, it is possible to realize that no TTL restriction is added.
[0140]
FIG. 14 is a block diagram showing the internal configuration of the transmitting device when packets can be manipulated for each connection.
[0141]
The same components as those in FIG. 11 will be described with the same numbers. The difference from FIG. 11 is that the second communication processing unit 1400 includes a filtering processing unit 1401 as a part of the function, and the transmission filter setting unit 1402 includes any filtering processing unit 1401 and packet change processing unit 1403. It is a point that can set a rule.
[0142]
The second communication processing unit 1400 shown in FIG. 14 specifies a connection from the destination IP address and the transmission / reception TCP port number, and notifies the packet change processing unit 1403 when there is a packet corresponding to the rule. The change processing unit 1403 changes the TTL value.
[0143]
As described above, the transmission filter setting unit 1402 sets a rule in the filtering processing unit 1401 so that the TTL value can be manipulated for each connection.
[0144]
For example, the TTL value can be set to N (for example, 1) for a connection of authentication / key exchange processing for a certain receiving device, and M (for example, 10) can be set for transmission of content data.
[0145]
For some receiving devices, the TTL value is set to P (for example, 3) for authentication / key exchange connections, and Q (for example, 5) is set for content data transmission. You can also manipulate the value of.
[0146]
FIG. 15 is a sequence diagram illustrating a processing procedure of the transmission device when the communication processing unit of the transmission device includes a filtering processing unit. First, an authentication / key exchange processing request is received from the receiving device (S1500). Next, information (IP address) of the receiving device is acquired (S1501). Next, a rule for connection with the receiving device for authentication / key exchange processing is created (S1502).
[0147]
Next, the filtering rule is applied to the second communication processing unit 1400 to change the routing table (S1503). Next, a transmission packet is created (S1504). Next, the packet processing unit 1100 selects a communication processing unit (S1505).
[0148]
If the first communication processing unit is selected (S1506), packet transmission is performed as usual (S1507). When the second communication processing unit 1400 is selected (S1508), a rule matching process is performed (S1509).
[0149]
If the input packet does not correspond to the rule, the packet is transmitted as usual (S1507). If the rule is satisfied, the packet is manipulated (S1510), and the packet is transmitted (S1507).
[0150]
Next, the configuration of the receiving device in the second embodiment will be described. FIG. 16 is a block diagram illustrating an internal configuration of a receiving device according to the second embodiment.
[0151]
In FIG. 16, the same reference numerals are given to the same components as those in FIG. 4 showing the internal configuration of the receiving device in the first embodiment, and the differences will be mainly described below.
[0152]
The difference from FIG. 4 is that the first packet processing unit 1600 does not include a filtering processing unit, and the second packet processing unit 1601 that operates asynchronously with the first packet processing unit 1600 The communication processing unit 1604 is different.
[0153]
Hereinafter, a method for determining whether or not the TTL value of an IP packet is a specific value for a specific connection with a transmitting device will be described with a focus on the second packet processing unit.
[0154]
FIG. 17 is a sequence diagram illustrating a specific processing procedure of the receiving device according to the second embodiment. As shown in FIG. 17, first, prior to authentication / key exchange processing and content reception processing, the receiving device performs transmission / reception with the transmission device of the transmission source, and uses each other's IP address, authentication / key exchange, and port used for content transmission / reception. Information such as numbers is exchanged (S1700, S1701).
[0155]
Next, a filter for specifying the connection generated between the receiving device and the transmitting device is created (S1702).
[0156]
The filter format may be the same format as that shown in FIG. This filter is applied to the second packet processing unit 1601, and the received link layer data is copied not only to the first packet processing unit 1600 but also to the second packet processing unit 1601 to the communication processing unit 1604. (S1703).
[0157]
Usually, the communication processing unit 1604 determines to which processing unit (in this case, the packet processing unit) to which the payload portion of the data link frame should be transferred from the value of the type type of the data link frame.
[0158]
However, in this case, since the second packet processing unit 1601 transmits a frame acquisition mode setting notification to the communication processing unit 1604, the communication processing unit 1604 that receives this also sends data to the first packet processing unit 1600. All the included data link frames are transferred to the second packet processing unit 1601 (S1703).
[0159]
Next, the receiving device starts receiving data for authentication / key exchange processing (S1704).
[0160]
For example, the communication processing unit 1604 outputs an IP packet from the type classification of the received data link frame to the first packet processing unit (S1705).
[0161]
On the other hand, since the second packet processing unit 1601 has sent the frame acquisition mode setting notification to the communication processing unit 1604, it passes all received frames to the second packet processing unit 1601 (S1706).
[0162]
The second packet processing unit 1601 sorts data for authentication / key exchange processing using the reception filter rule set by the reception filter setting unit 4002 (S1707).
[0163]
If the packet does not match the rule, the packet is discarded (S1708). If it matches the rule, it is determined that the TTL value is not the expected value, error processing is performed, and authentication / key exchange processing and content data reception are stopped (S1709, S1710, S1711).
[0164]
The packets input to the first packet processing unit 1600 are subjected to authentication / key exchange processing (S1712), content encryption processing (S1713), and non-copyright protection data processing (S1714) according to the contents.
[0165]
What is important here is that the second packet processing unit 1601 only performs a check process on the received packet.
[0166]
The first packet processing unit 1600 needs to extract the payload portion from the received packet and operate in synchronization with the encryption processing unit, the authentication / key exchange processing unit, and the non-copyright protection data processing unit.
[0167]
However, the second packet processing unit 1601 simply performs matching processing with the reception filter rule, and discards the compared packets.
[0168]
In addition, since the first packet processing unit 1600 and the second packet processing unit 1601 can operate asynchronously, the first packet processing unit 1600 is processed at high speed without affecting the first packet processing unit 1600. be able to.
[0169]
As described above, in the second embodiment, by adding the communication processing unit 1604 and the second packet processing unit 1601, even if the packet processing unit has no filtering function, the packet processing unit is changed. It is possible to change the TTL value for a specific IP address or a specific connection and send it.
[0170]
For this reason, the packet processing unit is provided from, for example, an OS vendor, and is particularly useful when the application vendor cannot change the source code of the packet processing unit.
(Third embodiment)
A third embodiment of the present invention will be described with reference to the drawings. In the third embodiment, the configuration of a transmitting device and a receiving device when restricting the distribution range of content by performing authentication and key exchange in a data link layer frame will be described.
[0171]
The authentication / key exchange processing procedure in the data link layer is described in detail in the method described in JP2002-019135, but the detailed configuration of the device is not mentioned.
[0172]
In the present embodiment, a method for realizing the configuration of the transmission device and the reception device will be described. In authentication and key exchange at the data link layer, a dedicated type type is defined in the data link layer frame. Here, the type classification number of the data link layer for authentication / key exchange processing is assumed to be X.
[0173]
FIG. 18 is a diagram showing a configuration example when Ethernet (R) is used as a frame of the data link layer.
[0174]
The Ethernet (R) frame includes an Ethernet (R) header 180 and an Ethernet (R) payload 181.
[0175]
FIG. 19 is a block diagram illustrating an internal configuration of a transmission device according to the third embodiment.
[0176]
In FIG. 19, the point which has the 3rd packet process part 1900 differs from 1st Embodiment or 2nd Embodiment. The same components as those in FIG. 14 are denoted by the same reference numerals.
[0177]
The third packet processing unit 1900 is a characteristic part in this embodiment. Hereinafter, the third packet processing unit 1900 will be mainly described. The third packet processing unit 1900 performs address resolution processing such as processing for searching for the address of the data link corresponding to the receiving device.
[0178]
The addressing method for identifying the receiving device is (1) using the data link layer address as it is, (2) using the device ID specified by the copyright protection method as the address, and uniquely assigning the data link layer address from the device ID. A method for defining the addressing method for identification in the data link layer, (3) A method for resolving the data link layer address using the ARP / RARP used in the conventional TCP / IP with the IP address as the address, etc. Can be considered.
[0179]
The data link layer addresses of the receiving device and transmitting device acquired by address resolution and the type type defined by the frame definition unit 1902 are passed to the communication processing unit 1901.
[0180]
The communication processing unit 1901 receives the transmission destination address, the transmission source address, the type type, and the data from the third packet processing unit 1900, framing them as a predetermined configuration, and transmits them to the receiving device through the network interface unit 1903.
[0181]
The difference from the prior art is that the third packet processing unit 1900 does not perform TCP / IP processing. In the methods shown in the first embodiment and the second embodiment, TCP / IP packets are assumed for authentication / key exchange. Therefore, it is necessary to prepare a packet processing unit that implements TCP / IP processing.
[0182]
In the third embodiment, since authentication / key exchange data is transmitted and received in a data link layer frame, a packet processing unit for creating a TCP / IP packet is not necessary for the authentication / key exchange procedure.
[0183]
FIG. 20 is a block diagram illustrating an internal configuration of a receiving device according to the third embodiment. In FIG. 20, the point that the third packet processing unit 2000 is included and the communication processing unit 2001 that can determine the type type X of the data link frame is provided. Different from the embodiment. The same components as those in FIG. 16 are denoted by the same reference numerals.
[0184]
The third packet processing unit 2000 has the same function as the third packet processing unit shown in the transmitting device of the present embodiment, performs address resolution of the data link layer of the transmitting device, and performs authentication / key exchange data. Is encapsulated in a data link layer frame and transmitted to the transmitting device.
[0185]
In addition, the communication processing unit 2001 includes a type classification determination table 2002 for selecting a packet processing unit that performs upper layer processing according to the type classification of the data link frame.
[0186]
FIG. 21 shows a configuration example of this type classification table 2002. As shown in FIG. 21, in the type classification determination table 2002, the value (type classification) 2100 of the type classification field of the data link frame as shown in FIG. 18 and the packet processing unit 2101 of the higher layer are paired. It is a table.
[0187]
The communication processing unit selects which packet processing unit the payload portion of the received data link layer frame is to be passed from the type classification determination table, and passes the payload portion to the selected communication processing unit.
[0188]
In the configuration of the receiving apparatus shown in FIG. 20, the fact that the type type X of the data link frame corresponds to the second packet processing unit is recorded in advance in the type type discrimination table of the communication processing unit.
[0189]
Next, the configuration of the receiving device when the type classification determination table is not held or when the table does not have the correspondence table between the type classification X and the second packet processing unit will be described. FIG. 22 shows the internal configuration of the receiving device in that case.
[0190]
22 is different from FIG. 20 in that a fourth packet processing unit 2200 is provided instead of the third packet processing unit.
[0191]
The fourth packet processing unit 2200 shown in FIG. 20 notifies the communication processing unit 2201 that the data link frame data received by the communication processing unit 2201 should be copied and delivered, and the data link frame selection processing. Part 2202.
[0192]
When the communication processing unit 2201 receives the notification from the fourth packet processing unit 2200, the communication processing unit 2201 has a function of passing the header portion and payload portion of the data link frame to the packet processing unit.
[0193]
The data link frame selection processing unit 2202 filters frames necessary for authentication / key exchange by selecting data type frame X type frames used for authentication / key exchange processing from the header part of the data link frame, The fourth packet processing unit 2200 passes the selected payload portion of the data link frame to the authentication / key exchange processing unit.
[0194]
23 and 24 are sequence diagrams illustrating specific processing procedures of the transmission device and the reception device according to the third embodiment.
[0195]
As shown in FIGS. 23 and 24, first, the transmitting device 2300 and the receiving device 2301 perform address resolution for specifying the address of the data link layer of the receiving device prior to authentication / key exchange (S230, S231, S232). ).
[0196]
In the first and second embodiments, information is exchanged between the transmitting device and the receiving device using IP packets. In the third embodiment, authentication and key exchange are performed using a data link layer frame instead of an IP packet.
[0197]
For this reason, the receiving device and the transmitting device need to resolve the data link layer address, not the IP address. As address resolution methods for this purpose, (1) a method in which an Ethernet (R) broadcast is transmitted and a receiving device notifies the address of the own data link layer in a form that responds to a broadcast frame; (2) from Ethernet (R) For example, a method of directly reporting the hardware address of the receiving device to the transmitting device using an upper protocol (eg, IP) is conceivable.
[0198]
In the third embodiment, the transmitting device 2300 creates a frame addressed to the acquired receiving device 2301, the address of the own device, and X in the frame type type, and transmits the frame to the receiving device 2301 (S233, S234). ).
[0199]
Upon receiving the frame, the receiving device 2301 determines that the frame is an authentication / key exchange frame from the type type field from the data link frame discrimination processing unit of the communication processing unit or the packet processing unit, and sends it to the authentication / key exchange processing unit. (S235, S236).
[0200]
Next, consider a case where an IP packet is transmitted from the transmission device 2300. The frame types of IP packets and authentication / key exchange packets are different.
[0201]
Therefore, the transmitting device 2300 inserts A for IP packet as the type type of the data link frame and transmits it (S237, S238).
[0202]
The receiving device receives this frame and checks the type category field of the data link frame in the same manner as the previous procedure (S239, S240).
[0203]
At this time, since the value of the field contains A, which is an IP value, instead of X, which is an authentication / key exchange value, this frame is discarded (S241).
[0204]
As described above, the transmission device and the reception device can determine the type type of the data link frame.
[0205]
Note that if the frame selection process of the receiving device shown in FIG. 22 is generalized, it can be applied to a wider range of purposes. For example, the data link frame selection processing unit has determined the processing contents according to the value of the type type field of the data link frame so far, but it is possible to realize home restriction of content by setting more general rules .
[0206]
When the receiving device receives the ARP packet transmitted from the transmitting device, the receiving device transmits a response packet notifying the transmitting device that the ARP packet has been received. The configuration of the receiving device for realizing this will be described.
[0207]
FIG. 25 shows an internal configuration of a receiving device generalizing the data link frame selection processing unit 2202 of the fourth packet processing unit 2200 shown in FIG.
[0208]
The receiving apparatus shown in FIG. 22 is different in that the fourth packet processing unit 2500 includes a second data link frame selection processing unit 2501 and a local area check response processing unit 2503.
[0209]
Here, the functions and operations of the local area check response processing unit 2503 and the data link frame selection processing unit 2501 will be mainly described. The same components as those in FIG. 22 will be described with the same numbers.
[0210]
The second data link frame selection processing unit 2501 has a data link frame selection table 2502 inside, and has a function of processing packets input according to the rules described in the table.
[0211]
FIG. 26 shows a configuration example of the data link frame selection table 2502. The rule shown in FIG. 26 includes a matching unit 2600 serving as a key for searching for a corresponding frame, and an operation unit 2601 describing that a predetermined process is performed when there is a frame corresponding to the rule.
[0212]
The rule includes input / output, frame type classification, transmission destination address, transmission source address, and frame type classification.
[0213]
The second data link frame selection processing unit 2501 performs the process described in the operation unit if the received frame matches the condition.
[0214]
In the following, the processing of rule number 2 shown in FIG. 26 will be described as an example. In this rule, among the received frames, the destination address is aa: bb: cc: dd: ee: ff (own device address), the source address is 11: 22: 33: 44: 55: 66, and the type type When a frame having a number X indicating an ARP frame is received in the field, the local area check response processing unit 2503 is notified.
[0215]
The local area check response processing unit 2503 includes a filter setting unit 2504 therein. The receiving device acquires the address of the transmitting device before the transmitting device transmits an ARP packet for restricting the distribution range of the content.
[0216]
The filter setting unit creates the rule shown in FIG. 26 and applies the rule to the data link frame selection table 2502 of the data link frame selection processing unit 2501.
[0217]
Further, when the local area check response processing unit 2503 receives a notification from the second data link frame selection processing unit 2501 that the ARP packet has been received from the transmitting device, the local area check response processing unit 2503 creates a payload portion of the response packet, The packet processing unit 2500 has a function of transmitting to a transmitting device.
[0218]
As described above, the second data link frame selection processing unit 2501 detects the ARP packet transmitted from the transmission device, and notifies the local area check response processing unit 2503 of the ARP packet.
[0219]
Upon receiving this notification, the check response processing unit generates and transmits a response packet to the transmitting device.
[0220]
27, 28, and 29 are diagrams showing sequences of the transmission device 2700 and the reception device 2701 in the third embodiment.
[0221]
Here, it is assumed that the type type X is used as the authentication / key exchange frame. Furthermore, it is assumed that a rule as shown in FIG. 26 is described in the data link frame selection table of the receiving device 2701.
[0222]
First, the transmitting device 2700 and the receiving device 2701 perform address resolution processing in order to acquire the address of the data link layer of each other (S270, S271, S272).
[0223]
After acquiring each other's address, the transmitting device 2700 transmits a data link frame for authentication / key exchange describing the type type X to the receiving device 2701 (S273, S274).
[0224]
When receiving the frame, the receiving device 2701 refers to the rules described in the data link frame selection table and performs a data link frame selection process (S275, S276).
[0225]
In this case, the data link frame selection table indicates that “when a packet with type type X is received, the payload portion should be extracted from the data link frame and output to the authentication / key exchange processing portion”. Since the rule is described, the payload portion is output to the authentication / key exchange processing portion according to this rule (S277).
[0226]
Next, it is assumed that the ARP frame is transmitted from the transmission device 2700 to the reception device 2701 (S278, S279).
[0227]
Also in this case, when the receiving device receives the ARP frame, the receiving device refers to the rules described in the data link frame selection table and performs the data link frame selection processing (S280, S281).
[0228]
Since the data link frame selection table includes a rule that “when a packet in which type type A indicating an ARP frame is described is received, the local area check processing unit should be notified” In accordance with this rule, the payload portion is output to the authentication / key exchange processing portion (S282).
[0229]
Next, it is assumed that the data link frame describing the type type Z is transmitted from the transmission device 2700 to the reception device s701 (S283, S284).
[0230]
When receiving the frame, the receiving device 2701 refers to the rules described in the data link frame selection table and performs a data link frame selection process (S285, S286).
[0231]
Since there is no description regarding the type type Z in the data link frame selection table, this frame is discarded (S287).
[0232]
Finally, it is assumed that the device Z 2900 transmits an ARP frame of type type A to the receiving device 2701.
[0233]
When receiving the frame, the receiving device 2701 refers to the rules described in the data link frame selection table and performs a data link frame selection process. The data link frame selection table states that “If the source address is aa: bb: cc: dd: ee: ff and type type A, the local area check processing unit should be notified”. . In this case, the type type matches, but the address of the transmission source, that is, the address of the device Z is ab: cd: ef: gh: ij: kl, so it does not correspond to the rule, and this ARP frame is discarded ( S289, S290, S291).
[0234]
Up to now, the data link frame for authentication / key exchange with the type type set to a specific value is transmitted from the transmitting device to the receiving device, and the receiving device authenticates and exchanges the key from the type type of the Ethernet (R) frame. Although the method for discriminating a frame for use has been described, the authentication / key exchange process also includes information to be transmitted from the receiving device to the transmitting device. In that case, the transmitter device and the receiver device may be replaced.
[0235]
【The invention's effect】
According to the configurations of the transmitting device and the receiving device described above, no changes are made to the encryption processing unit and the authentication / key exchange processing unit in any of the embodiments.
[0236]
For this reason, even if one or all of the restriction methods described in the embodiments are selected, the encryption processing unit and the authentication / key exchange processing unit can be developed independently of the restriction method. Realizing a content transmission device, content reception device, content transmission method, and content reception method that can be expected to have the effect of minimizing design changes and suppressing the occurrence of bugs and reduce product development costs Can do.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a content transmission / reception system according to the present invention.
FIG. 2 is a block diagram showing an internal configuration of a transmitting device according to the first embodiment.
FIG. 3 is an explanatory diagram of a transmission filter rule according to the present invention.
FIG. 4 is a block diagram showing an internal configuration of a receiving device according to the first embodiment.
FIG. 5 is an explanatory diagram of a transmission filter rule according to the present invention.
FIG. 6 is a diagram showing an operation sequence of a receiving device and a transmitting device according to the present invention.
FIG. 7 is a diagram showing an operation sequence of a receiving device and a transmitting device according to the present invention.
FIG. 8 is a diagram showing an operation sequence of a receiving device and a transmitting device according to the present invention.
FIG. 9 is an explanatory diagram showing a processing procedure of the transmitting device according to the present invention.
FIG. 10 is an explanatory diagram showing a processing procedure of a receiving device according to the present invention.
FIG. 11 is a block diagram showing an internal configuration of a transmission device according to the second embodiment.
FIG. 12 is an explanatory diagram showing a routing table according to the present invention.
FIG. 13 is an explanatory diagram showing a processing procedure of a transmitting device according to the present invention.
FIG. 14 is a block diagram showing an internal configuration of a transmitting device according to the present invention.
FIG. 15 is a diagram showing an operation sequence diagram of the processing procedure of the transmitting apparatus according to the present invention.
FIG. 16 is a block diagram showing an internal configuration of a receiving device according to the second embodiment.
FIG. 17 is a sequence diagram illustrating a processing procedure of a receiving device according to the second embodiment.
FIG. 18 is a diagram showing a configuration example when Ethernet (R) is used as a frame of a layer according to the present invention.
FIG. 19 is a block diagram showing an internal configuration of a transmission device according to the third embodiment.
FIG. 20 is a block diagram showing an internal configuration of a receiving device according to the third embodiment.
FIG. 21 is a diagram showing a configuration example of a type classification table according to the present invention.
FIG. 22 is a diagram showing an internal configuration of a receiving device according to the present invention.
FIG. 23 is a sequence diagram showing processing procedures of a transmitting device and a receiving device in the third embodiment.
FIG. 24 is a sequence diagram showing processing procedures of a transmitting device and a receiving device in the third embodiment.
FIG. 25 is a diagram showing an internal configuration of a receiving device according to the present invention.
FIG. 26 is a diagram illustrating a configuration example of a data link frame selection table.
FIG. 27 is a sequence diagram showing processing procedures of the transmitting device and the receiving device in the third embodiment.
FIG. 28 is a sequence diagram showing processing procedures of the transmitting device and the receiving device in the third embodiment.
FIG. 29 is a sequence diagram showing processing procedures of a transmitting device and a receiving device according to the third embodiment.
FIG. 30 is a block diagram showing the overall configuration of a conventional content transmission / reception system.
FIG. 31 is a sequence diagram showing a processing procedure of a conventional content transmission / reception system.
FIG. 32 is a sequence diagram showing a processing procedure of a conventional content transmission / reception system.
FIG. 33 is a data structure diagram in the case of transmitting conventional content in the RTP packet format.
FIG. 34 is a block diagram showing the internal configuration of a conventional transmission device
FIG. 35 is a block diagram showing the internal configuration of a conventional receiving device.
[Explanation of symbols]
2000 ・ ・ ・ Network interface part
2001 ... Communication processing unit
2002 ... Packet processing unit
2003: Transmission filter setting unit
2004 ... Transmission filtering processing unit
2005 ... Packet change processing unit
2006 ... Authentication / key exchange processing part
2007 ... Cryptographic processing part
2008 ・ ・ ・ Content Supply Department
2009 ... Non-copyright protection data processing part

Claims (15)

In a content transmitting device that transmits content to at least one receiving device,
Content supply means for supplying the content for transmission to the receiving device;
An authentication / key exchange processing means for establishing a connection with the receiving device and performing authentication / key exchange processing;
An encryption processing means for encrypting the content using a key exchanged with the receiving device in the authentication / key exchange processing means;
Packet processing means for IP packetizing at least one of the content encrypted by the encryption processing means and the data related to authentication / key exchange output from the authentication / key exchange processing means;
Transmission filter setting means for generating a transmission filter rule using the connection information and describing a rule for specifying an IP packet including the authentication / key exchange data among IP packets generated by the packet processing means When,
Based on the transmission filter rule generated by the transmission filter setting means, filtering processing means for selecting and extracting the IP packet packetized by the packet processing means;
Content transmitting apparatus characterized by comprising a packet change process means for changing the predetermined value in the IP packet containing the authentication and key exchange data Eject by said filtering means.   The content transmission apparatus according to claim 1, wherein the predetermined value in the IP packet is a TTL value. The connection information includes at least one of a transport layer protocol in the connection, an IP address of a transmission device and / or a reception device, a port number of a transmission device and / or a reception device, and an RTP payload type. The content transmission apparatus according to claim 1. In a content receiving device that receives content from at least one transmission device,
An authentication / key exchange processing means for establishing a connection with the transmitting device and performing authentication / key exchange processing;
An encryption processing means for decrypting the content using a key exchanged with the transmitting device in the authentication / key exchange processing means;
Packet processing means for extracting and outputting the payload portion from the IP packet received from the transmission device;
Using the connection information, a reception filter setting means for generating a reception filter rule for specifying an IP packet including the authentication / key exchange data among the received IP packets;
Based on the reception filter rule is the reception filter setting means is generated, a predetermined value of the sorted IP packets up and out, the IP packet containing the authentication and key exchange data to which the packet processing means for processing provisions A content receiving apparatus comprising: filtering processing means for notifying the authentication / key exchange processing means when the value is other than a value. The content receiving apparatus according to claim 4, wherein the predetermined value in the IP packet is a TTL value.   The connection information includes at least one of a transport layer protocol in the connection, an IP address of a transmission device and / or a reception device, a port number of a transmission device and / or a reception device, and an RTP payload type. The content receiving apparatus according to claim 4. In a content transmitting device that transmits content to at least one receiving device,
Content supply means for supplying the content for transmission to the receiving device;
An authentication / key exchange processing means for establishing a connection with the receiving device and performing authentication / key exchange processing;
An encryption processing means for encrypting the content using a key exchanged with the receiving device in the authentication / key exchange processing means;
First communication processing means for framing the input IP packet into a data link layer frame ;
A second communication processing means for framing the IP packet into a data link layer frame ;
According to predetermined routing information, at least the output from the authentication / key exchange processing unit or the encryption processing unit is converted into an IP packet and output to the first communication processing unit or the second communication processing unit according to a destination IP address. and packet processing means that,
Using the information of the connection, the transmission filter set for generating a transmission filter rule the rule is described for identifying the IP packet containing the authentication and key exchange data among the generated IP packet with said packet processing means Means and
The second communication processing means includes:
Based on the transmission filter rule generated by the transmission filter setting means, filtering processing means for selecting and extracting the IP packets input from the packet processing means ,
A content transmission apparatus comprising: a packet change processing unit that changes a predetermined value in the IP packet extracted by the filtering processing unit . In a content receiving device that receives content from at least one transmission device,
An authentication / key exchange processing means for establishing a connection with the transmitting device and performing authentication / key exchange processing;
An encryption processing means for decrypting the content using a key exchanged with the transmitting device in the authentication / key exchange processing means;
A first operation mode for outputting a frame including an IP packet among received frames of the data link layer to a first packet processing means; and a first packet processing for a frame including an IP packet among the received frames. Communication processing means having a second operation mode for outputting to the means and outputting all copies of the frame to the second packet processing means;
Using the connection information, a reception filter setting means for generating a reception filter rule for specifying an IP packet including the authentication / key exchange data among the received IP packets;
First packet processing means for extracting and outputting a payload portion of an IP packet from the frame output from the communication processing means;
A reception filter generated by the reception filter setting unit, informing the communication processing unit to operate in the second operation mode, extracting a payload portion of an IP packet from the frame output from the communication processing unit; based on the rule, and Eject by selecting the IP packet, if the predetermined value in the IP packet containing the authentication and key exchange data is other than the specified value, notifies the authentication & key exchange processing unit And a second packet processing means. In a content transmitting device that transmits content to at least one receiving device,
Content supply means for supplying the content for transmission to the receiving device;
An authentication / key exchange processing means for establishing a connection with the receiving device and performing authentication / key exchange processing;
An encryption processing means for encrypting the content using a key exchanged with the receiving device in the authentication / key exchange processing means;
First packet processing means for converting at least the content encrypted in the encryption processing means into an IP packet;
Second packet processing means for packetizing and outputting data relating to authentication / key exchange output from the authentication / key exchange processing means in a format different from the packet processing means;
Communication processing means is provided for encapsulating the data output from the first packet processing means and the second packet processing means with different predetermined values and encapsulating them in a data link layer frame. A content transmission device. In a content receiving device that receives content from at least one transmission device,
An authentication / key exchange processing means for establishing a connection with the transmitting device and performing authentication / key exchange processing;
An encryption processing means for decrypting the content using a key exchanged with the transmitting device in the authentication / key exchange processing means;
A first operation mode for outputting a frame including an IP packet among received frames of the data link layer to a first packet processing means; and a first packet processing for a frame including an IP packet among the received frames. Communication processing means having a second operation mode for outputting to the means and outputting all copies of the frame to the second packet processing means;
First packet processing means for extracting and outputting a payload portion of an IP packet from the frame output from the communication processing means;
The notified to operate in said second operation mode to the communication processing means, if it contains the predetermined value in the data link frame of the frame output from said communication processing unit, the data link frame And a second packet processing means for extracting and outputting the payload portion of the content. In a content receiving device that receives content from at least one transmission device,
An authentication / key exchange processing means for establishing a connection with the transmitting device and performing authentication / key exchange processing;
An encryption processing means for decrypting the content using a key exchanged with the transmitting device in the authentication / key exchange processing means;
A first operation mode for outputting a frame including an IP packet among received frames of the data link layer to a first packet processing means; and a first packet processing for a frame including an IP packet among the received frames. Communication processing means having a second operation mode for outputting to the means and outputting all copies of the frame to the second packet processing means;
Using the connection information, a reception filter setting means for generating a reception filter rule for specifying an IP packet including the authentication / key exchange data among the received IP packets;
First packet processing means for extracting and outputting a payload portion of an IP packet from the frame output from the communication processing means;
When said notified to the communication processing means to operate in said second operation mode included the predetermined value in the data link frame of the frame output from said communication processing means, data extracting the payload portion of the link frame, content, characterized by comprising a second packet processing means for outputting the Eject by selecting the frame based on the received filter rule is the reception filter setting unit to produce Receiver device. In a content transmission method for transmitting content to at least one receiving device,
Providing the content for transmission to the receiving device;
Establishing a connection with the receiving device, performing authentication / key exchange processing,
Performing encryption of the content using a key exchanged with the receiving device;
The encrypted content and at least one of the data related to authentication / key exchange output in the authentication / key exchange process are converted into IP packets,
Using the connection information, generate a transmission filter rule describing a rule for specifying an IP packet including the authentication / key exchange data among the packetized IP packets,
Based on the transmission filter rule, then Eject by selecting the IP packet,
Content transmission method characterized by changing the predetermined value in the IP packet containing said mounting Ri out the the authentication and key exchange data. In a content receiving method for receiving content from at least one transmission device,
Establishing a connection with the transmitting device, performing authentication / key exchange processing,
Decrypting the content using a key exchanged with the transmitting device;
Extract and output the payload part from the IP packet received from the transmitter,
Using the connection information, generate a reception filter rule for identifying an IP packet including the authentication / key exchange data among the received IP packets,
Based on the received filter rule, the sorted IP packets up and out, when the predetermined value in the IP packet containing the authentication and key exchange data is other than the specified value, the authentication and key exchange process A content receiving method characterized by limiting. In a content transmission method for transmitting content to at least one receiving device,
Providing the content for transmission to the receiving device;
Establishing a connection with the receiving device, performing authentication / key exchange processing,
Performing encryption of the content using a key exchanged with the receiving device;
Frame the input IP packet into a data link layer frame or change the specified value in the input IP packet, frame the data link layer frame ,
Using predetermined routing information, at least the output of the authentication / key exchange process or the output of the encryption process is converted into an IP packet, and according to the destination IP address, any one of the frames is performed,
Using the connection information, change a predetermined value in the IP packet of the IP packet addressed to the receiving device among the IP packets converted into the IP packet, and change the routing information to frame the data link layer A content transmission method characterized by the above. In a content receiving method for receiving content from at least one transmission device,
Establishing a connection with the transmitting device, performing authentication / key exchange processing,
Decrypting the content using a key exchanged with the transmitting device;
Outputting a frame including an IP packet among the received data link layer frames to the first packet processing means, or outputting a frame including the IP packet of the received frame to the first packet processing means; and Output all copies of the frame to a second packet processing means;
Using the connection information, generate a reception filter rule for identifying an IP packet including the authentication / key exchange data among the received IP packets,
Extract and output the payload portion of the IP packet from the frame,
Outputting to the first packet processing means and notifying all second copies of the frame to be output to the second packet processing means, extracting the payload portion of the IP packet from the frame, and based, the sorted IP packets up and out, when the predetermined value in the IP packet containing the authentication and key exchange data is other than the specified value, characterized in that to limit the authentication and key exchange process Content receiving method.

Images