JP4704247B2 - Network equipment - Google Patents

Description

  The present invention relates to a network device capable of applying an appropriate security level for each communication partner in IPsec (Security Architecture for Internet Protocol) communication.

  In IPsec communication, a fine security level can be set by setting, but generally the communication speed decreases when the security level is raised, and the communication speed increases when the security level is lowered.

  For this reason, it is desirable to use different IPsec communication with different security levels depending on the communication partner, but it is necessary for the user to set in detail which IPsec parameter to communicate with which partner.

  The applicant has not been able to find prior art documents related to the present invention by the time of filing. Therefore, prior art document information is not disclosed.

  As described above, it is possible to set a fine security level by setting in IPsec communication. However, since the setting is very complicated, it is often the case that a security level that is more than necessary is set uniformly, which reduces the communication speed. There was a problem of inviting.

  In addition, when IPsec communication with different security levels is used differently depending on the communication partner, since it is necessary to set a number of parameters for which partner to communicate with which IPsec parameter, this setting includes the following: Procedures were required and a great deal of effort was required.

  As an IPsec setting, the user must first set a parameter as to whether to use an automatic key exchange method or a manual key exchange method as a key exchange method for establishing an IPsec connection.

  When establishing an IPsec connection using the automatic key exchange method, communication called an automatic key exchange protocol IKE (Internet Key Exchange) is performed. Since IKE has two operation modes, a Main mode and an Aggressive mode, the user needs to set a parameter as to which one to use.

  In IKE, the other party authentication method is used to authenticate the other party. Four types of partner authentication methods in IKE are defined. Therefore, the user sets a parameter indicating which of the four types of pre-shared key authentication method (Pre-Shared Key), digital signature authentication method, public key authentication encryption method, and improved public key encryption authentication method is used. There is a need to.

  In order to encrypt the communication of IKE itself, an encryption algorithm (DES-CBC / 3DES-CBC, etc.), a hash algorithm (MD5 / SHA1, etc.), a partner authentication method (pre-shared secret key authentication method / digital signature authentication method / It is necessary to set parameters of the public key authentication encryption method / the improved public key encryption authentication method) and the Oakley group (768 bit MODP group / 1024 bit MODP group, etc.).

  Further, when performing IPsec communication, whether using an automatic key exchange method or a manual key exchange method, an AH (Authentication Header) authentication algorithm (HMAC-MD5 / HMAC-SHA1, etc.), ESP (Encapsulating Security Payload) encryption Algorithm (NULL / DES-CBC / AES-CBC, etc.), ESP authentication algorithm (HMAC-MD5 / HMAC-SHA1, etc.), PFS (Perfect Forward Secrecy) group (not used / 768-bit MODP group / 1024-bit MODP group) It is necessary to set parameters.

  The present invention has been proposed in view of the above-described conventional problems, and an object of the present invention is to provide a network device capable of applying an appropriate security level for each communication partner.

In order to solve the above-mentioned problem, according to the present invention, as described in claim 1, according to the means for determining the IP address characteristics of the communication partner and the determined IP address characteristics of the communication partner A means for determining an IPsec setting to be used, and a means for performing IPsec communication based on the determined IPsec setting, and when the communication partner is connected to accept a connection for IPsec communication, Start the process of each means, and if it is the initiator side that starts the connection of IPsec communication, start the process of each means before sending the packet to the communication partner, and depending on the characteristics of the IP address The gist is a network device to which an appropriate IPsec communication security level is applied. Since the security policy to be used is automatically determined from the characteristics of the IP address of the communication partner, the communication speed does not decrease due to an excessive security level, and the user's IPsec setting becomes easy.

Further, as described in claim 2, in the network device according to claim 1, when using the global address to the IPsec communication, the number of hops of the routing table set to the IP address of the communication partner Accordingly, the security level of IPsec communication can be further changed .

Further, as described in claim 3, in the network device according to any one of claims 1 or 2, IP address is the IPv6 address, I IPv6 Address Type link local address, site local address Alternatively, the stateless address can be used as the IP address characteristic . Thereby, the criterion in the IPv6 environment becomes clear.

Further, as described in claim 4 , in the network device according to any one of claims 1 to 3 , the security level is set at a simple level such as high, medium, and low that is set in advance. Can be provided. As a result, the IPsec setting can be used more easily and properly without the user being aware of the security policy.

According to a fifth aspect of the present invention , in the network device according to any one of the first to fourth aspects, an operation panel is provided that allows a user to set and confirm IPsec directly from the device. be able to. As a result, the user can freely set and change the IPsec setting using the panel.

According to a sixth aspect of the present invention , in the network device according to any one of the first to fifth aspects, a user is provided with a telnet server that can set and confirm IPsec from an external device. be able to. By having a telnet server in the device, it is not necessary to perform IPsec setting by directly operating the device, and user setting is facilitated.

According to a seventh aspect of the present invention , in the network device according to any one of the first to sixth aspects, a user is provided with a Web server that can set and confirm IPsec from an external device. be able to. By having the Web server in the device, it is not necessary to operate the device directly to perform the IPsec setting, and the setting can be easily performed using the Web browser, thereby facilitating the user setting.

In addition, as described in claims 8 to 10 , it can be configured as a security level application method for a network device.

Further, as described in claim 11 , it can be configured as a control program for a network device.

  In the network device of the present invention, an appropriate security level is applied to each communication partner in order to automatically determine an appropriate security level for each communication partner using the characteristics of the IP address used when performing IPsec communication. The communication speed does not decrease due to an excessive security level, and the user can easily set the IPsec.

  Hereinafter, preferred embodiments of the present invention will be described.

  In the following embodiment, it is determined whether the communication is within the link or the communication outside the link from only the IP address, and the security level is determined. However, when using the global address, the external device It is also possible to determine the security level by referring to the router information. For example, if the information on the number of hops in the routing table held by the router is used, it is possible to know how close the network distance to the communication partner device holding the global address is, and using this information, For a partner who is judged to be close, the security level can be lowered to improve speed.

  Further, the communication level is not limited to two types, that is, communication within a link or communication outside a link, and the level can be further divided.

Furthermore, as a characteristic of the IP address,
-Whether it is a link local address-Whether it is a site local address-Various characteristics, such as whether it is a stateless address, can be utilized.

  FIG. 1 is a diagram showing an embodiment of a network system using a network device of the present invention. In FIG. 1, network devices 1A to 1C are arranged on a network 3 constituting a segment # 1, network devices 1D to 1F are arranged on a network 4 constituting a segment # 2, and both networks 3 and 4 are connected to a router 2. Connected by. The network devices 1A to 1F are assumed to be client PCs (Personal Computers), servers, printers, MFPs (Multi Function Printers), and the like. The network devices 1A to 1F may operate as telnet terminals or Web browsers.

  The network devices 1A to 1F are compatible with IPsec. In the figure, an environment of IPv6 (Internet Protocol version 6) is described, but the configuration can be similarly made with IPv4 (Internet Protocol version 4). Communication between IPv6 link local addresses starting with “fe80 :: / 64” is possible within each link (segment), but communication cannot be performed outside the link beyond the router with the link local address. In this case, communication is performed using a global unicast address distributed by the router separately from the link local address. As described above, according to the present invention, the security policies are selectively used by using different addresses used inside and outside the link. Since the range in which communication is performed using the link local address is within the link, generally a certain level of security is ensured. For this reason, communication using a link local address is attempted to improve speed by lowering the security level.

  FIG. 2 is a configuration diagram of an IPv6 address. The IPv6 address is called the prefix part and the lower part is called the interface ID every 64 bits.

  In IPv6, communication is performed within a link using an IP address called a link local address. A link local address is an address dedicated to a single link. Mainly used when automatic address setting, neighbor search, or when there is no router. If either the source or destination address is a link local address, the router does not forward the packet to the other link. The upper 64 bits of the address is “fe80 :: / 64”. A global address is used when communicating outside the link. The first 48 bits of the address are obtained from the provider and the following 16 bits are used for the intra-site subnet. It is characteristic that the upper 3 bits are “001” (binary).

  In the present embodiment, in the case of IPv6, it is determined whether or not the upper 64 bits are “fe80 :: / 64” to determine whether or not the communication partner is in a link.

  Further, in IPv4, communication is performed in the link using an IP address called IPv4 link local address (Auto IP). The IPv4 link local address is one that is automatically selected and assigned an IP address that does not overlap with the others from the range of “169.254.0.1” to “169.254.255.254” when DHCP (Dynamic Host Configuration Protocol) cannot be used. It is. This is called an APIPA (Automatic Private IP Addressing) function.

  In the present embodiment, in the case of IPv4, it is determined whether or not the IP address is within the range of “169.254.0.1” to “169.254.255.254”, and it is determined whether or not the communication partner is within the link.

  FIG. 3 is a software module configuration diagram showing an internal configuration example of the network device 1. In FIG. 3, the network device 1 includes a host application 11 that uses IPsec communication, a network control unit 12 that manages IPsec communication, and an OS (Operating System) 13.

  The application 11 is an application that wants to make IP communication IPsec. Since IPsec can secure all IP communications, many applications are applicable. For example, a web application is applicable.

  The IPsec setting table 121 of the network control unit 12 is a table that stores various parameters necessary for IPsec communication. Specifically, an encryption algorithm, an IKE mode, and the like are stored.

  The IPsec communication unit 122 of the network control unit 12 is a module responsible for IPsec communication. This module is responsible for IPsec communication management and packet security.

  The simple setting template table 123 of the network control unit 12 is a table that stores the IPsec setting contents corresponding to the security level in order to simplify the IPsec setting.

  The communication partner determination unit 124 of the network control unit 12 is a module in charge of determining whether the communication partner is inside or outside the link from the IP address.

  The used IPsec setting determination unit 125 of the network control unit 12 is a module that determines the IPsec setting actually used by the IPsec communication unit 122.

  The network protocol 131 of the OS 13 is a module in charge of network protocol processing. Responsible for processing IP packets and setting security policies for the OS.

  The network communication driver 132 of the OS 13 is a module responsible for controlling the network device.

  FIG. 4 is a diagram showing an example of the IPsec setting table 121, which holds a plurality of security policies including items such as mode, IKE Phase 1 authentication method, IP address / mask, and setting values corresponding to the items.

  FIG. 5 is a diagram illustrating an example of the simple setting template table 123, and items such as key exchange and IKE Mode are set in advance for each security policy (low, medium, and high).

  The operation of the above embodiment will be described below.

  First, the user performs IPsec setting. This IPsec setting includes a simple setting and a detailed setting.

  FIG. 6 is a diagram showing an example of the IPsec simple setting screen. Here, an example of a screen for setting the IPsec simple setting using the setting panel mounted on the network device 1 is shown. The user can set the IPsec level without being aware of detailed IPsec setting parameters by setting the security level from high, medium, and low through touching the touch panel. For example, when a “medium” button of the in-link policy setting button is touched, a medium security policy is set in the link. Setting items set through the panel are stored in the IPsec setting table 121.

  7 and 8 are diagrams showing examples of detailed setting screens for IPsec setting items on the panel of the network device 1. FIG. The user performs various IKE / IPsec settings from the setting panel of the network device 1. The setting items include a selection type and a type for inputting password information called a key phrase. The user sets each item by touching a button or inputting characters from the panel keyboard. Each security policy can be set inside and outside the link. Setting items set through the panel are stored in the IPsec setting table 121.

  FIG. 9 is a diagram showing an example of an IPsec setting screen by telnet. Since the network device 1 includes the telnet server, the user can perform IPsec setting remotely. A user connects to a device using a telnet terminal, and performs IPsec setting by typing characters from a keyboard. Setting items set using telnet are stored in the IPsec setting table 121.

  Thus, by having a telnet server in the network device 1, it is not necessary to perform IPsec setting by directly operating the device, and the user setting becomes easy.

  FIG. 10 and FIG. 11 are diagrams showing examples of IPsec setting screens via the Web. Since the network device 1 includes the Web server, the user can perform IPsec setting remotely. The user performs IPsec setting by clicking a button on the Web. Setting items set using the Web are stored in the IPsec setting table 121.

  As described above, by having the Web server in the network device 1, it is not necessary to directly operate the device to perform the IPsec setting, and the setting can be easily performed using the Web browser, so that the user can easily perform the setting. become.

  FIG. 12 is a sequence diagram illustrating a processing example of IPsec communication. In FIG. 12, assuming that IPsec communication is performed between the network device 1A and the network device 1B, the network device 1A is connected to the communication partner network device 1B (step S101). Thus, it is determined whether the IP address of the communication partner is inside or outside the link (step S102).

  In the network device 1A, the used IPsec setting determining unit 125 determines the security policy (IPsec setting) to be used according to the determination result, and the IPsec communication unit 122 reads the security policy necessary for the IPsec connection from the IPsec setting table 121. (Step S103), establish an IPsec connection with the communication partner, and perform communication by IPsec (Step S104).

  In the figure, an example in which the network device 1A is a responder (IPsec connection receiving side) is shown, but the same applies when the network device 1A is an initiator (IPsec communication start side). When the network device 1A is an initiator, before transmitting a packet, the communication partner determination unit 124 determines the IP address of the transmission partner, applies either the in-link security policy or the off-link security policy, and performs IPsec communication. To start.

  FIG. 13 is a flowchart showing an example of IPsec communication processing. In FIG. 13, when the process is started (step S201), the network device 1 determines the IP address of the communication partner by the communication partner determination unit 124 (step S202) and communicates with the intra-link security policy or the off-link security policy. To determine whether to communicate (step S203, S204).

  Then, the IPsec communication unit 122 reads the security policy necessary for the IPsec connection from the IPsec setting table 121 by the use IPsec setting determination unit 125, establishes an IPsec connection with the communication partner, and performs communication by IPsec (step S205).

  As described above, in the present invention, it is determined whether or not the communication path is safe using the characteristics of the IP address used when performing IPsec communication, and an appropriate security level is automatically determined for each communication partner. In general, when the security level is increased, the communication speed is decreased. Therefore, in the present invention, in the relatively safe communication path, IPsec communication with a low security level is automatically performed to prevent a decrease in the communication speed.

  Generally, stronger security is required outside the link such as the Internet environment than in the link such as the LAN environment. In the present invention, by determining whether or not the communication partner address is a link local address, IPsec communication having different security strengths is properly used for communication within the link and communication outside the link. Since the security policy can be automatically set, it is easy to selectively use the IPsec setting for each communication partner.

  The present invention also has the effect of facilitating user IPsec settings by automatically setting security policies. Conventionally, when IPsec communication with different security levels is selectively used depending on the communication partner, the user has to set in detail which IPsec parameter is used for communication with which partner. In the present invention, since many of these IPsec parameter settings can be automatically used properly, the user's labor can be reduced.

  The present invention has been described above by the preferred embodiments of the present invention. While the invention has been described with reference to specific embodiments, various modifications and changes may be made to the embodiments without departing from the broad spirit and scope of the invention as defined in the claims. Obviously you can. In other words, the present invention should not be construed as being limited by the details of the specific examples and the accompanying drawings.

It is a figure which shows one Embodiment of the network system using the network apparatus of this invention. It is a block diagram of an IPv6 address. It is a software module block diagram which shows the internal structural example of a network apparatus. It is a figure which shows the example of an IPsec setting table. It is a figure which shows the example of a simple setting template table. It is a figure which shows the example of an IPsec simple setting screen. FIG. 10 is a diagram (part 1) illustrating an example of a detailed setting screen for IPsec setting items on a panel of a network device. FIG. 10B is a second diagram illustrating an example of a detailed setting screen for IPsec setting items on a panel of a network device. It is a figure which shows the example of the IPsec setting screen by telnet. FIG. 10 is a diagram (part 1) illustrating an example of an IPsec setting screen using the Web. It is FIG. (2) which shows the example of the IPsec setting screen by Web. It is a sequence diagram which shows the example of a process of IPsec communication. It is a flowchart which shows the process example of IPsec communication.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1, 1A-1F Network apparatus 11 Application 12 Network control part 121 IPsec setting table 122 IPsec communication part 123 Simple setting template table 124 Communication partner determination part 125 Used IPsec setting determination part 13 OS
131 Network protocol 132 Network communication driver 2 Router 3, 4 Network

Claims (11)

Means for determining the characteristics of the IP address of the communication partner;
Means for determining an IPsec setting to be used according to the determined IP address characteristics of the communication partner;
Means for performing IPsec communication based on the determined IPsec setting,
When the self is the responder side that accepts the connection of IPsec communication, the processing of each means starts when there is a connection from the communication partner, and when the self is the initiator side that starts the connection of IPsec communication, the communication Before sending the packet to the other party, start the processing of each means,
A network device characterized by applying an appropriate IPsec communication security level according to the characteristics of an IP address. The network device according to claim 1,
A network device characterized in that, when a global address is used for IPsec communication, the security level of IPsec communication is further changed according to the number of hops in the routing table set for the IP address of the communication partner. In the network apparatus as described in any one of Claim 1 or 2,
The IP address is an IPv6 address,
Network equipment characterized in that the I IPv6 address type is used link-local address, which one of the site-local address or stateless address as a characteristic of the IP address. The network device according to any one of claims 1 to 3 ,
A network device comprising means for setting a security level at a simple level such as high, medium and low, which is set in advance. The network device according to any one of claims 1 to 4 ,
A network device comprising an operation panel that allows a user to set and confirm IPsec directly from the device. The network device according to any one of claims 1 to 5 ,
A network device comprising a telnet server that allows a user to set and check IPsec from an external device. The network device according to any one of claims 1 to 6 ,
A network device comprising a Web server that allows a user to set and check IPsec from an external device. Determining the characteristics of the IP address of the communication partner;
Determining an IPsec setting to be used according to the determined IP address characteristics of the communication partner;
A step of performing IPsec communication based on the determined IPsec setting,
When the self is the responder side that accepts the connection of IPsec communication, the process of each step starts when there is a connection from the communication partner, and when the self is the initiator side that starts the connection of IPsec communication, the communication Before sending the packet to the other party, start the process of each step,
A security level application method for a network device, characterized in that an appropriate IPsec communication security level is applied according to the characteristics of an IP address. The method for applying a security level of a network device according to claim 8 ,
When a global address is used for IPsec communication, the security level of the IPsec communication is further changed according to the number of hops in the routing table set for the IP address of the communication partner. Method. The method for applying a security level of a network device according to any one of claims 8 and 9 ,
The IP address is an IPv6 address,
A method for applying a security level of a network device, characterized in that whether the type of IPv6 address is a link local address, a site local address or a stateless address is used as a characteristic of an IP address . Computers that make up network equipment
Means for determining the IP address characteristics of the communication partner;
Means for determining an IPsec setting to be used according to the determined IP address characteristics of the communication partner;
Based on the determined IPsec setting, function as a means for performing IPsec communication,
When the self is the responder side that accepts the connection of IPsec communication, the processing of each means starts when there is a connection from the communication partner, and when the self is the initiator side that starts the connection of IPsec communication, the communication Before sending the packet to the other party, start the processing of each means,
A network device control program, wherein an appropriate IPsec communication security level is applied according to the characteristics of an IP address.

Images