JP4235672B2 - Information processing apparatus, data communication method, program, and recording medium - Google Patents

Description

  The present invention relates to a method and system for safely communicating between information processing apparatuses connected to the same network, which can directly communicate without going through a data relay apparatus called a router.

  Conventionally, when communication is performed between information processing apparatuses connected via an arbitrary communication means, for example, Non-Patent Document 1 between information processing apparatuses connected to different networks via a data relay apparatus called a router. The disclosed global address is used. In addition, when the communication partner is connected to the same network as the communication partner and direct communication with the communication partner is possible without using a router, for example, a link local address disclosed in Non-Patent Document 2 can be used.

R. Hinden, M.O'Dell, S. Deering, July 1998, Internet <URL: http://www.ietf.org/rfc/rfc2374.txt> R.Hinden, S.Deering, April 2003, Internet <URL: http://www.ietf.org/rfc/rfc3513.txt>

  However, in the above prior art, when a global address is used, an information processing device belonging to a different network can connect to the information processing device, so that a malicious person continuously sends a large amount of data to the information processing device. The problem is that it is subject to DoS (Denial Of Service) attacks that make communication impossible by sending it, or it is widely disclosed by DNS (Domain Name Service) and is fixed, so it is easy to intercept communication data. was there.

  Therefore, an object of the present invention is to reduce the risk of a denial-of-service (DoS) attack aimed at global addresses and wiretapping of communications.

The information processing apparatus of the present invention communicates with a local address communication means for performing communication using a local address, which can communicate only with a communication partner in the local network, and a communication partner in the local network and a communication partner of another local network. Possible global address communication means for performing communication using a global address, connection request means for making a connection request to a communication partner by communication using a global address by the global address communication means, and responding to the connection request And generating means for generating a local address in response to receiving a request to shift to communication using a local address transmitted from the communication partner, wherein the local address communication means is the generating means To send the local address generated by The features.
The data communication method of the present invention includes a local address communication means for performing communication using a local address, capable of communicating only with a communication partner in a local network, and communicating with a communication partner in the local network and a communication partner of another local network. A data communication method by an information processing apparatus having a global address communication means for performing communication using a global address, wherein a connection request is made by communication using the global address by the global address communication means to a communication partner A connection request step to be performed; and a generation step of generating a local address in response to receiving a request to move to communication using a local address transmitted from the communication partner in response to the connection request; The local address communication means is the live address The local address generated in step and transmits to the communication party.

  According to the present invention, depending on whether or not data communication with a communication partner is data communication performed via a data relay device, not a global address but a local address where data communication via a data communication device is not possible Therefore, it is possible to reduce the risk of a denial of service (DoS) attack targeting a global address and wiretapping of communication.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments to which the invention is applied will be described in detail with reference to the accompanying drawings.

<First Embodiment>
FIG. 1 is a diagram showing a configuration of a communication system according to an embodiment of the present invention. The information processing apparatuses 101 and 102 are connected to a LAN (local area network) 103 such as Ethernet (registered trademark), and can directly communicate with each other without mediation of a third party. The router 104 operates so as to relay data between the LAN 103 and the LAN 105 or not to relay the data. The information processing device 106 is connected to the LAN 105, and can communicate with the information processing devices 101 and 102 on the LAN 103 via the router 104.

  FIG. 2 is a diagram showing whether data communication is possible depending on the type of address based on the system configuration of FIG. The information processing apparatuses 101, 102, and 106 have local addresses (corresponding to 202, 204, and 206, respectively) that can communicate only with apparatuses on the same network, and via the router 104 in addition to the apparatuses on the same network. Global addresses (corresponding to 201, 203, and 205, respectively) that can communicate with devices on different networks are set. When communication is performed between the information processing apparatuses 101 and 102 connected to the LAN 103 that is the same network, the global addresses 201 and 203 can be used, or the local addresses 202 and 204 can be used for communication. However, when communication is performed from the information processing apparatus 106 to 101, the local address 206 of the information processing apparatus 106 is blocked from being communicated by the router 104, and therefore cannot communicate with the local address 202 of the information processing apparatus 101. On the other hand, when the global address 205 of the information processing apparatus 106 is used, since it can pass through the router 104, communication with the global address 201 of the information processing apparatus 101 is possible.

  3, 4, and 5 are flowcharts illustrating an example of a communication address change process that operates in the information processing apparatuses 101, 102, and 106 in the communication system configuration of FIG. 1. Hereinafter, the first embodiment of the present invention will be described with reference to the flowcharts of FIGS. 3 and 4.

  In step S301 in FIG. 3, it is determined whether or not there is a connection request from another device. If there is no connection request, the process proceeds to step S401 in FIG. If there is a connection request, it is determined in step S302 whether the connection is to a global address. If it is not a global address, that is, if it is a local address, the local address of the connection source device is stored in step S310. It is determined whether or not it matches the local address, and if it matches, the process proceeds to step S401, and data communication is performed using the local address. On the other hand, if they do not match, it is presumed that the connection is illegal, so the connection is disconnected in step S311 and the process proceeds to step S401. The local address is assumed to correspond to a link local address in IPv6 (Internet Protocol Version 6) defined by RFC3513.

  If it is determined in step S302 that the address is a global address, in step S303, whether or not the data communication with the connection source device is the data communication performed via the router, the connection source device connects to the local subnet. It is judged by whether it is done. Whether or not it is connected to the local subnet is determined by issuing an ARP (Address Resolution Protocol / RFC826) packet in which the address of the connection source device described in the source address of the IP packet is set and returning a significant packet It is determined that it is connected to the local subnet.

  If it is determined in step S303 that the device is not connected to the local subnet, that is, is a device connected to another network via a router, communication using the local address cannot be performed, and the process proceeds to step S401. If it is determined in step S303 that it is connected to the local subnet, an address migration request is transmitted in step S304. In the address transfer request, the local address of its own device is set, and if the device that has received this permits the address transfer, if the connection with the connection destination is disconnected, the local address is reconnected. . In step S305, it is determined whether or not there is a response corresponding to the address transfer request. If there is no response, it is determined in step S306 whether or not a predefined timeout period has elapsed.

  If the time-out period has not elapsed, the process returns to step S305. If the time-out period has elapsed, it is considered that some kind of failure has occurred. Therefore, the connection is disconnected in step S307, and the process of step S401 is performed. move on. When a response corresponding to the address transfer request is received in step S305, it is determined in step S308 whether the response is an address transfer permission response. If it is an address migration permission response, the encrypted local address included in the address permission response is decrypted and stored in step S309.

  In the address permission response, the local address of the transmission source is encrypted with the public key of the device to prevent eavesdropping (transmitting the address transfer request), and is decrypted using the private key of the device. There is a need. When the decryption and storage of the local address is completed in step S309, the process proceeds to step S307, the connection is disconnected, and the process proceeds to step S401. When the address transfer request and the corresponding address grant response are processed normally, the connection using the global address is disconnected, and then a new connection is established using the local address included in the address grant response.

  Subsequently, in step S401 in FIG. 4, it is determined whether an address transfer request has been received. If not received, the process proceeds to step S405. When the address transfer request is received, a local address is generated in step S402. In the case of IPv6, the local address is called a link local address and is defined in RFC3513. This is because the upper 64 bits are “fe80000000000000” in hexadecimal and the lower 64 bits are the unique ID (IEEE802 MAC address of the device). / 48 bits) is obtained by synthesizing 64 bits by inserting hexadecimal “fffe” (16 bits) between company_id (24 bits) and vendor unique ID (24 bits). In step S403, the link local address generated in step S402 is encrypted with the public key of the device that transmitted the address transfer request, and in step S404, an address transfer permission response including the encrypted link local address is transmitted. Proceed to step S405. In step S405, it is determined whether or not the connection has been disconnected. If the connection has not been disconnected, the process returns to step S301 in FIG. 3, and if disconnected, the process ends.

  As described above, according to the present embodiment, when the information processing apparatus connected by the global address determines that the connected apparatus is connected to the same network, the local address migration request is transmitted, When the local address migration permission response corresponding to is received, the subsequent communication is performed using the local address. In this way, the known global address is used only during the initial negotiation, and the actual communication is performed using the local address, so the risk of denial of service (DoS) attacks targeting the global address and wiretapping of communication is reduced. Can be made.

<Second Embodiment>
In the first embodiment, the link local address format defined in RFC3513 is used. However, the link local address is generated from the unique address of the network device in which the lower 64 bits are attached to the information processing device. Once the association between the information processing device and the link local address is known, it is possible to avoid an attack from an information processing device on another network or an eavesdropping crisis via a router, but it is still on the same network. There is a danger against attacks and eavesdropping from information processing devices.

  Since the link local address is used only between devices on the same network, there is no operational problem as long as it is unique within the same network. From this, as the lower 64 bits of the link local address, an arbitrary 64-bit value is generated using the random number generation function without using the unique address of the communication device, and this is generated as the upper 64 bits starting from “fe80” described above. It is possible to generate a link local address by combining.

  The flowchart of FIG. 5 is obtained by changing the link local address generation process in the flowchart of FIG. 4 to generate using a random number. When an address transfer request is received in step S401, a 64-bit random number is generated by a random number generation function in step S501. In step S502, a link local address with the generated random number as the lower 64 bits is generated. In step S503, it is determined whether the generated link local address is already used on the local network using the ARP protocol. If it is used, the process returns to step S501 to repeat the series of processes for generating a random number, synthesizing the link local address, and detecting the collision. If the combined link local address is not used in step S503, the link local address is encrypted in step S403, and transmitted in an address change permission response in step S404.

  The link local address is intended for automatic configuration by a device, and the IPv6 specification stipulates that at least one link local address is used. Accordingly, one link local address with automatic configuration is normally set, and for example, a global address is set when it is assigned by a DHCP server or set by an OS setting tool. In this embodiment, when shifting from a global address to a local address, the local address is changed by a random number, so that each time a shift occurs, the local address is different. Since some communication occurs even while another communication is performed, there is a possibility that communication is performed using a plurality of local addresses at a certain point in time. May have.

  As described above, according to the second embodiment of the present invention, the lower 64 bits of the link local address change for each call without using the fixed unique address of the communication device (information processing device). By using the value obtained by the random number function, it is possible to reduce the risk of attacks from information processing apparatuses on the same network and threats of eavesdropping.

  Another object of the present invention is to supply a storage medium storing software program codes for realizing the functions of the above-described embodiments to a system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the storage medium. Needless to say, this can also be achieved by reading and executing the program code stored in.

  In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the program code itself and the storage medium storing the program code constitute the present invention.

  As a storage medium for supplying the program code, for example, a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a nonvolatile memory card, a ROM, or the like can be used.

  Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (basic system or operating system) running on the computer based on the instruction of the program code. Needless to say, a case where the functions of the above-described embodiment are realized by performing part or all of the actual processing and the processing is included.

  Further, after the program code read from the storage medium is written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the function is determined based on the instruction of the program code. It goes without saying that the CPU or the like provided in the expansion board or function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

It is a figure which shows the structure of the communication system which concerns on one Embodiment of this invention. It is the figure which showed the propriety of the data communication by the kind of address based on the structure of the communication system of FIG. It is a flowchart which shows operation | movement of the communication system which concerns on one Embodiment of this invention. It is a flowchart which shows operation | movement of the communication system which concerns on one Embodiment of this invention. It is a flowchart which shows operation | movement of the communication system which concerns on one Embodiment of this invention.

Explanation of symbols

101, 102, 106: Information processing device 103, 105: LAN
104: Router

Claims (7)

A local address communication means for performing communication using a local address, capable of communicating only with a communication partner in the local network;
A global address communication means capable of communicating with a communication partner in a local network and a communication partner of another local network and performing communication using a global address;
Connection request means for making a connection request to a communication partner by communication using a global address by the global address communication means;
Generating means for generating a local address in response to receiving a request to shift to communication using a local address transmitted from the communication partner in response to the connection request;
The local address communication unit transmits the local address generated by the generation unit to the communication partner.   The information processing apparatus according to claim 1, wherein the generation unit generates a local address based on a random number. A determination unit for determining whether the local address generated by the generation unit is not already used in the local address;
3. The information according to claim 1, wherein the determination unit causes the generation unit to generate a local address again when the local address generated by the generation unit is already used in the local address. Processing equipment. Further comprising encryption means for encrypting the local address generated by the generation means;
The information processing apparatus according to any one of claims 1 to 3, wherein the local address communication unit transmits the local address encrypted by the encryption unit to the communication partner. A local address communication means for performing communication using a local address that can communicate only with a communication partner in the local network, and a global address that can communicate with a communication partner in the local network and a communication partner of another local network are used. A data communication method by an information processing apparatus having a global address communication means for performing communication,
A connection request step for making a connection request to a communication partner by communication using a global address by the global address communication means;
Generating a local address in response to receiving a request to shift to communication using a local address transmitted from the communication partner in response to the connection request;
The local address communication means transmits the local address generated in the generating step to the communication partner.   A program for causing a computer to execute the data communication method according to claim 5.   A computer-readable recording medium on which the program according to claim 6 is recorded.

Images