JP4708297B2 - Communication device for processing a plurality of IPsec sessions - Google Patents

Description

  The present invention is a communication device such as a general router, a broadband router, or a gateway having a routing function based on IP (Internet Protocol) technology and a network address translation (NAT: Network Address Translation, RFC3022) function. The present invention relates to a communication apparatus that processes a plurality of sessions of IPsec (Security Architecture for Internet Protocol), which is a standard for performing cryptographic communication in the Internet.

  In Internet access by a home communication device such as a general home, a network address translation (NAT) function is used to connect a plurality of terminal devices in the home to the Internet with one global address, and to further increase the security of the home network. In many cases, broadband routers equipped with a packet filtering function, a firewall function, and the like are installed.

  In this case, the network address translation (NAT) function converts the private address of each terminal device in the home network into a global address assigned to the outside of the broadband router, thereby connecting the plurality of terminal devices in the home to the Internet. Is possible.

  When connecting multiple terminal devices at the same time, in addition to the network address (IP address, etc.) of the home terminal device, the NAPT (Network Address Port Translation, RFC3022) function that converts the port number of the TCP / UDP protocol is used. Simultaneous address conversion for a plurality of terminal devices is realized.

  When remote access to a corporate network is performed from a home terminal device such as a computer via a virtual private network (VPN) using the Internet communication network, encryption using the IPsec protocol (RFC2401 etc.) is generally used. When communication is used, but a router having a NAPT function is installed in the home network, in order to normally perform the virtual private line network (VPN) connection from the home terminal device, in the router having the NAPT function, A function to normally pass (pass through) the communication of the IPsec session is required.

  Usually, in order to perform communication of the IPsec protocol, there are two sessions: an ISAKMP (Internet Security Association and Key Management Protocol, RFC2408) session of a key management protocol that processes key exchange and the like, and an IPsec session that performs actual encrypted communication. However, the communication format is different in each session, and the TCP / UDP protocol is not used in the IPsec session, so a broadband router or the like having a general NAPT function can communicate with each other. Cannot pass normally.

  To successfully pass IPsec session communication with a router having a NAPT function, the NAT function is realized by recognizing the IPsec communication at the start of the first key management protocol (ISAKMP) session communication and performing special processing in the router. Is transparent. As the key management protocol (ISAKMP), UDP in which a port number of 500 is assigned to the source / destination is used, and communication of the key management protocol (ISAKMP) can be recognized by the port number.

  However, in order to process a plurality of key management protocol (ISAKMP) sessions, a port number other than 500 must be used. However, some IPsec gateway apparatuses installed on the enterprise side may not accept key management protocol (ISAKMP) communication with a source port number other than 500.

  In addition, when the IPsec session communication after the key management protocol (ISAKMP) session is reached, the TCP / UDP protocol itself is not used, and normal NAPT processing by port number conversion cannot be performed. For this reason, a method of translating (passing through) an IPsec session communication by converting only the IP address is generally used.

  FIG. 14 shows a connection configuration example in which a plurality of IPsec sessions are established from a terminal device in the house. 14A, the first terminal device 142 performs IPsec communication with the first IPsec gateway device 144 via the NAT function transparent (pass-through) communication device 141, and the second terminal device 143 Similarly, a connection configuration example for performing IPsec communication with the second IPsec gateway apparatus 145 via the NAT function transparent (pass-through) communication apparatus 141 is shown.

  In this case, since the global IP addresses of the first and second IPsec gateway apparatuses 144 and 145 are different, the NAT pass-through communication apparatus 141 uses two different IP addresses of the IPsec gateway apparatuses 144 and 145 to Sessions can be identified and two IPsec sessions can be handled simultaneously.

  FIG. 14B shows a connection configuration in which the terminal device 142 performs IPsec communication with each of the first IPsec gateway device 144 and the second IPsec gateway device 145 via the NAT pass-through communication device 141. An example is shown. Also in this configuration example, since the global IP addresses of the first and second IPsec gateway apparatuses 144 and 145 are different, the NAT pass-through apparatus 141 can identify and handle two IPsec sessions at the same time.

  In FIG. 14C, the first terminal device 142 performs IPsec communication with the IPsec gateway device 144 via the NAT pass-through communication device 141, and the second terminal device 143 similarly performs the IPsec gateway device. 144 shows an example in which IPsec communication with 144 is performed.

  In this case, even if the packet transferred from the IPsec gateway device 144 toward the NAT pass-through device communication 141 is a packet of the IPsec session of either the first terminal device 142 or the second terminal device 143 in the same house. Since only one set of source IP address and destination IP address can be used as the global IP address, two IPsec sessions cannot be identified by these IP addresses. In the NAT pass-through communication device 141, Cannot pass through multiple IPsec sessions.

As a prior art document related to the present invention, the following patent document 1 describes a terminal in a dial-up environment in a home communication network and an information server in the authentication server communication network serving as an information providing source via the Internet. Technology for improving communication security (IPsec, internet protocol security) using IP (internet protocol) and technology for address translation (NAT, network address translation) between different networks Are listed.
JP 2002-208965 A

  As described with reference to (c) of FIG. 14, when establishing an IPsec session from a plurality of terminal devices placed under the communication device having the NAT function to the IPsec gateway device, conventionally, one terminal device is used. However, if an IPsec session is established with respect to the IPsec gateway apparatus, there is a problem that other terminal apparatuses cannot simultaneously connect to the same IPsec gateway apparatus.

  The present invention provides a communication device capable of simultaneously establishing an IPsec session with a same IPsec gateway device from a plurality of terminal devices placed under the communication device having the NAT function. In addition, a communication device capable of continuously performing communication of a plurality of IPsec protocols even when a key update (Rekey) operation is performed during communication of an IPsec session for a long time. provide.

  A communication apparatus according to the present invention is (1) a communication apparatus that allows communication of an IPsec session to pass between a terminal apparatus connected to a subordinate LAN side network and an IPsec gateway apparatus connected to a WAN side network. , The initiator identification information (Cookie) of the ISAKMP packet of the key exchange protocol and the security parameter index (SPI) of the IPsec ESP packet, the transmission source IP address, the destination IP address, the port number, the protocol type, and the transmission after the address conversion of the packet It has a management table to be stored as entry information of ISAKMP session and IPsec session together with original address, and initiator identification information (Cookie) of received ISAKMP packet or IPsec ESP packet Based on the security parameter index (SPI), the entry information registered in the management table is referred to identify the entry of the ISAKMP packet or IPsec ESP packet, and the received ISAKMP packet or IPsec ESP packet is managed in the management table. The address conversion is performed according to the entry information registered in the table, and the address is transferred to the terminal device or the IPsec gateway device.

  Also, (2) after receiving the first ISAKMP packet of the key exchange protocol in one IPsec session until the process of registering the security parameter index (SPI) of the IPsec ESP packet in the IPsec session in the management table is completed. Is characterized in that the first ISAKMP packet of the newly received key exchange protocol is discarded.

  (3) An IPsec session communication start waiting timer for measuring an elapsed time from when the ISAKMP packet is received and the ISAKMP session is established until a security parameter index (SPI) of the IPsec ESP packet is registered in the management table. And when the IPsec session communication start waiting timer exceeds a predetermined entry time, the ISAKMP session entry and the IPsec session entry are deleted from the management table. .

  (4) Detecting that the IPsec session communication start waiting timer exceeds a predetermined threshold shorter than the entry time, and newly receiving the first ISAKMP packet of the key exchange protocol from another terminal device under the control. In this case, the management table is configured to delete the entry of the ISAKMP session waiting for the start of the IPsec session communication and the entry of the IPsec session.

  Also, (5) confirming the validity period type (LifeType) and validity period value (LifeDuration) of the ISAKMP session determined in the negotiation of the ISAKMP session, and if the validity period type (LifeType) is time, the validity period value (LifeDuration) is set in the management table as an entry time of the ISAKMP session.

  (6) IPsec session communication for measuring the communication amount of the ISAKMP session until the security parameter index (SPI) of the IPsec ESP packet is registered in the management table after receiving the ISAKMP packet and establishing the ISAKMP session. A volume counter, and when the IPsec session traffic counter exceeds a predetermined entry traffic, the ISAKMP session entry and the IPsec session entry are deleted from the management table. And

  In addition, (7) the ISAKMP session validity period type (LifeType) and validity period value (LifeDuration) determined in the ISAKMP session negotiation are confirmed, and if the validity period type (LifeType) is a communication amount, the validity period A value (LifeDuration) is set in the management table as an entry communication amount of the ISAKMP session.

  (8) When a Rekey packet of an ISAKMP session is received from the IPsec gateway apparatus side, the IP address, protocol type, and port number of the packet are collated with the entry information of the ISAKMP session registered in the management table; If they match, the ISAKMP session is determined to be a rekey packet for key update, and the initiator is sent together with the source IP address, destination IP address, port number, protocol type, and source address after address conversion of the ISAKMP session. Identification information (Cookie) is newly registered in the management table as entry information of the ISAKMP session, and subsequent ISAKMP session packets are added based on the entry information of the new ISAKMP session. Performing scan conversion, characterized by having a structure to be transferred to the communication destination terminal device.

  (9) In the negotiation of the ISAKMP session validity period value (LifeDuration) performed between the terminal apparatus and the IPsec gateway apparatus, the ISAKMP session validity period value (LifeDuration) transmitted by the terminal apparatus is It is changed to the same value smaller than any of the validity period values (LifeDuration) transmitted by all the terminal devices, and the ISAKMP session validity values (LifeDuration) of all the subordinate terminal devices are unified, and the unified It is characterized in that the reception timing of the Rekey packet of the ISAKMP session is estimated based on the valid lifetime value (LifeDuration).

  (10) When the validity period type (LifeType) of the ISAKMP session validity period value (LifeDuration) determined by negotiation between the terminal apparatus and the IPsec gateway apparatus is time, the validity period value (LifeDuration) ) And the reception timing of the Rekey packet of the first ISAKMP session, the transmission timing of the Rekey packet of the IPsec gateway apparatus is learned.

  (11) When the validity period type (LifeType) of the ISAKMP session validity period value (LifeDuration) determined by negotiation between the terminal device and the IPsec gateway apparatus is a communication amount, the validity period value ( The transmission timing of the Rekey packet of the IPsec gateway apparatus is learned on the basis of LifeDuration) and the communication amount of communication performed until the Rekey packet of the first ISAKMP session is received.

  Further, (12) until the learning of the rekey packet transmission timing of the IPsec gateway apparatus is completed, a new ISAKMP packet from another terminal apparatus is not accepted but discarded.

  (13) receiving an ISAKMP packet from the IPsec gateway apparatus side, indicating that the packet is a packet for negotiating key exchange of an IPsec session, and storing the IP address of the packet in the management table If they match the session entry information and they match, it is determined that the packet is a rekey packet for key update of the IPsec session, and the source IP address, destination IP address, port number, protocol of the IPsec session Initiator identification information (Cookie) is newly registered in the management table as the entry information of the IPsec session together with the type and the source address after the address conversion, and the Rekey packet is transferred by judging the communication destination terminal device of the Rekey packet. Thereafter, when an IPsec ESP packet is received from the IPsec gateway apparatus side, the IP address and protocol type of the packet are identified to identify an IPsec session, and the security parameter index (SPI) of the packet is set in the management table. It is characterized in that it is added to the entry of the IPsec session, the address of the subsequent IPsec session packet is converted based on the entry information of the new IPsec session, and transferred to the communication destination terminal device.

  Also, (14) receiving a rekey packet for key update of the IPsec session and discarding a new IPsec session packet from another terminal device until learning of the reception timing of the rekey packet is completed. It is characterized by doing.

  (15) Based on the learning result of the Rekey packet transmission timing described in (10) or (11), the entry time of the ISAKMP session is calculated, and the calculated entry time is used as the entry time of the ISAKMP session. It is set in the management table, and when the ISAKMP session exceeds the entry time, the entry of the ISAKMP session is deleted from the management table.

  (16) Based on the learning result of the Rekey packet transmission timing described in (12), the entry time of the IPsecP session is calculated, and the calculated entry time is stored in the management table as the entry time of the IPsec session. When the IPsec session is set and the entry time exceeds the entry time, the IPsec session entry is deleted from the management table.

  (17) A configuration in which when one entry of an ISAKMP session or an IPsec session entry related to the same communication terminal in the management table is deleted, the other entry related to the entry is deleted from the management table. It is characterized by having.

  According to the present invention, an ISAKMP packet initiator of a key exchange protocol is established when establishing an IPsec session from a plurality of terminal devices placed under a communication device having a NAT function to an IPsec gateway device in a home or company. The identification information (Cookie) and the security parameter index (SPI) of the IPsec ESP packet are stored in the management table as entry information of the ISAKMP session and the IPsec session, and based on the initiator identification information (Cookie) or the security parameter index (SPI). By identifying the session of the received ISAKMP packet or IPsec ESP packet, and converting the addresses of those packets according to the entry information registered in the management table. Thus, an IPsec session with the same IPsec gateway apparatus as a communication partner can be simultaneously established for a plurality of terminal apparatuses.

  In addition, when an IPsec session is established for a long time, even when a key update (Rekey) operation is performed, the timing of the key update (Rekey) is estimated or learned, and the timing of the key update (Rekey) is determined. Based on this, the ISAKMP session or IPsec session targeted for key update is identified, and the entry information in the management table of the ISAKMP session or IPsec session is updated, so that IPsec communication can be continued.

  1 and 2 show an embodiment of establishing an IPsec session according to the present invention. In the figure, reference numerals 13 and 14 denote terminal devices, 15 denotes a communication device to which the present invention is applied, 16 denotes an IPsec gateway device, and the LAN side network 11 to which the terminal devices 13 and 14 are connected and the IPsec gateway device 16 are connected. The WAN side network 12 is connected via the communication device 15.

  The terminal device 13 or the terminal device 14 performs communication of an IPsec session with the IPsec gateway device 16, and the terminal device 13 and the terminal device 14 are initiators, and the IPsec gateway device 16 is a responder. The IP addresses of the terminal device 13, the terminal device 14, the communication device 15, and the IPsec gateway device 16 are respectively “A”, “B”, “C”, and “D”. These are the same in all the embodiments described below.

  When receiving the first ISAKMP (Internet Security Association Key Management Protocol) packet (P11) of the key exchange processing protocol (IKE: Internet Key Exchange) from the terminal device 13, the communication device 15 indicates that the packet is an ISAKMP packet. The management table provided in the communication device 15 is identified by the number (500), and the source IP address “A”, the destination IP address “D”, the source port number “500”, and the destination are entered as an ISAKMP session entry. Register port number “500”, protocol type “UDP”, source IP address “C” after NAT conversion, and initiator identification information (Cookie) “xxxx” in the ISAKMP header (see table T11 in the figure). Then, the ISAKMP packet P11 is transferred to the IPsec gateway apparatus 16.

  Subsequently, the communication device 15 passes the IPsec packet from the WAN side 12 to the LAN side 11, and therefore when the IPsec session is established by sending and receiving the ISAKMP packet (P 13) between the terminal device 13 and the IPsec gateway device 16. In addition, as an entry for the IPsec session, the source IP address “A”, the destination IP address “D”, the protocol type “ESP”, and the source IP address “C” after NAT conversion are registered (see table T12).

  When the communication device 15 receives the first IPsec packet (P15) from the IPsec gateway device 16 after establishing the IPsec session, the communication device 15 uses the packet of the registered IPsec session according to the source / destination IP address and protocol type (ESP). The security parameter index (SPI) “XXXX” in the header of the received ESP (Encapsulating Security Payload) packet is added to the entry (see table T13 in FIG. 2).

  Thereafter, the communication of the IPsec session between the terminal device 13 and the IPsec gateway device 16 is identified by this security parameter index (SPI), and when the communication device 15 receives the IPsec packet from the IPsec gateway device 16, It becomes possible to determine which ISAKMP session the IPsec packet belongs to.

  The communication device 15 receives the first ISAKMP packet (P11) of the key exchange processing protocol (IKE) from the terminal device 13, registers the entry of the ISAKMP session in the management table (see table T11), and then performs the next IPsec session. Until the entry is registered and the registration of the security parameter index (SPI) to the entry of the IPsec session (see table T13) is completed, the ISAKMP packet (P12) of the key exchange processing protocol (IKE) is received from another terminal device 14. , P14), it is discarded.

  After registration of the security parameter index (SPI) in the entry of the IPsec session (see table T13) is completed, the communication device 15 receives the ISAKMP packet (P16) of the key exchange processing protocol (IKE) from another terminal device 14. Registers an entry for the ISAKMP session of the terminal device 14 in the management table (see table T14).

  That is, as the entry, the received source IP address “B”, destination IP address “D”, source port number “500”, destination port number “500”, protocol type “UDP”, source after NAT conversion The IP address “C” and initiator identification information (Cookie) “yyyyy” in the ISAKMP header are registered (see table T14), and the ISAKMP packet is transferred to the IPsec gateway apparatus 16.

  Thereafter, as in the case of the terminal device 13, when the first IPsec packet is received from the IPsec gateway device 16, the security parameter index (SPI) of the header of the received ESP (Encapsulating Security Payload) packet is used as the IPsec session of the management table. Add to the entry.

  Then, the communication device 15 identifies the IPsec session communication between the terminal device 13 and the terminal device 14 with the IPsec gateway device 16 by the security parameter index (SPI), thereby enabling communication of a plurality of IPsec sessions. On the other hand, network address translation (NAT) can be performed to allow normal passage.

  FIG. 3 shows a first embodiment for deleting an entry in the management table. As described above, after registering the ISAKMP session entry of the terminal device 13 in the management table (see table T31), the communication device 15 receives the first IPsec packet from the IPsec gateway device 16 even if a predetermined time has elapsed. If the security parameter index (SPI) cannot be additionally written without being received, the ISAKMP packet from the other terminal device 14 is discarded during that time, so that the other terminal device 14 may perform IPsec communication. It becomes impossible.

  Therefore, the communication device 15 establishes an ISAKMP session and an IPsec session between the terminal device 13 and the IPsec gateway device 16, registers the ISAKMP session and the IPsec session entry in the management table (see table T31), and then the IPsec gateway device 16 When the IPsec packet is not received from and the predetermined entry time elapses (timeout), the corresponding ISAKMP session, IPsec session entry and IPsec session entry are deleted from the management table (see table T32).

  In this way, even if the terminal device 13 transmits the ISAKMP packet for the first time and the security parameter index (SPI) cannot be registered due to some trouble, another terminal device will be used after a predetermined time has elapsed. 14 can accept ISAKMP packets.

  FIG. 4 shows a second embodiment for deleting a management table entry. The communication device 15 establishes an ISAKMP session and an IPsec session between the terminal device 13 and the IPsec gateway device 16, registers the ISAKMP session and the IPsec session entry in the management table (see table T41), and then the IPsec gateway device. When an IPsec packet is not received from 16 and an ISAKMP packet (P41) is received from another terminal device 14 after a predetermined time (however, a time shorter than the predetermined entry time described with reference to FIG. 3) has elapsed. Then, the entry for the ISAKMP session and IPsec session of the previous terminal device 13 registered in the management table is deleted from the management table, and the entry for the ISAKMP session for the subsequent terminal device 14 is registered (table T42). Irradiation).

  In this way, the other terminal device 14 can accept an ISAKMP packet with a shorter waiting time than in the case of the embodiment of FIG. 3, and when there is no ISAKMP packet transmission request from the other terminal device 14. Can sufficiently increase the reception waiting time of the security parameter index (SPI) to the above-described entry time with respect to the previous terminal device 13.

  FIG. 5 shows a third embodiment for deleting an entry in the management table. After the ISAKMP session is established between the terminal device 13 and the IPsec gateway device 16, the communication device 15 registers the entry of the ISAKMP session in the management table, but the ISAKMP session validity type (LifeType) is time (seconds). In this case, the LifeDuration value “xx” indicating the valid time of the ISAKMP session is set in the management table as the entry time of the session (see table T51). When this entry time is exceeded, the entry for the ISAKMP session is deleted from the management table (see table T52).

  In this way, by setting the effective time of the ISAKMP session determined by the negotiation in the ISAKMP session as the timeout time of the entry time for deleting the entry from the management table, the ISAKMP session sets the time for deleting the entry from the management table. It is possible to set the minimum time only for the effective period.

  FIG. 6 shows a fourth embodiment for deleting a management table entry. The communication device 15 registers the entry of the ISAKMP session in the management table after the ISAKMP session is established between the terminal device 13 and the IPsec gateway device 16, but the ISAKMP session validity type (LifeType) is the communication amount (kilobytes). In this case, the LifeDuration value “xxx” indicating the effective communication amount of the ISAKMP session is set in the management table as the entry communication amount of the session (see table T61). When the communication device 15 transfers an ISAKMP packet by the amount of entry traffic, the entry for the ISAKMP session is deleted from the management table (see table T62).

  FIG. 7 shows a first embodiment for key update (Rekey) of an ISAKMP session in the present invention. In the figure, IPsec communication is performed between the terminal device 13 and the IPsec gateway device 16, and the ISAKMP session and IPsec session entry information used in this IPsec communication are stored in the management table in the communication device 15. Registered (see table T71).

  When the communication device 15 receives the ISAKMP Rekey packet from the IPsec gateway device 16 during IPsec communication, the communication device 15 is registered in the management table with the source / destination IP address, protocol type, source / destination port number of the Rekey packet. Entry information, and when they match, it is determined that the Rekey packet is a Rekey packet of an ISAKMP session in which an IPsec session is being established, and a new IP address, protocol type, port number of the Rekey packet, The source IP address after NAT conversion and initiator identification information (Cookie) “yyyyyy” are added to the management table (see table T72).

  The communication device 15 performs address conversion on the received Rekey packet by the NAT function according to the address conversion information registered in the management table, and transfers the packet to the terminal device 13. In this way, by adding an entry of the ISAKMP session newly created by the Rekey packet to the management table and performing address conversion based on the entry information, it becomes possible to perform NAT pass-through for the Rekey packet. .

  FIG. 8 shows a second embodiment for key update (Rekey) of an ISAKMP session in the present invention. The communication device 15 that has received the ISAKMP packet (P81) from the terminal device 13 refers to the validity period type (LifeType) and the validity period, that is, the session update interval (LifeDuration), and the value of the update interval (LifeDuration) is the communication device. If it is larger than the preset value set to 15, the ISAKMP packet (P82) in which the value of the update interval (LifeDuration) is rewritten to this set value is transferred to the IPsec gateway apparatus 16. Here, the setting value set in advance in the communication device 15 is set to a value smaller than any of the effective period values (LifeDuration) transmitted by all the terminal devices under its control.

  Thereafter, when the ISAKMP packet (P83) is received also from the terminal device 14, the communication device 15 similarly refers to the validity period type (LifeType) and the update interval (LifeDuration), and the value of the update interval (LifeDuration) is the communication. If it is larger than the preset value set in the device 15, similarly, the ISAKMP packet (P 84) in which the value of the update interval (LifeDuration) is rewritten to the set value is transferred to the IPsec gateway device 16.

  Normally, even if the Rekey packet (P85) transmitted from the IPsec gateway device 16 to the communication device 15 is a Rekey packet for an ISAKMP session of either the terminal device 13 or the terminal device 14, the IP address, the protocol type, and the port It is the same in all information of numbers.

  In the example of FIG. 8, the values of the update intervals (LifeDuration) of the terminal device 13 and the terminal device 14 are 28800 and 14400, respectively. In this case, the actual update timing is performed in a time shorter than the value of the update interval (LifeDuration) determined in the negotiation, and this is different for each communication, so the next Rekey packet received from the IPsec gateway apparatus 16 is Therefore, it is impossible to determine which ISAKMP session of the terminal device 13 or the terminal device 14 is the Rekey packet.

  However, as described above, the value of the update interval (LifeDuration) is changed to a sufficiently small value (for example, 300) in the communication device 15, and the changed value is adopted in the ISAKMP negotiation. The session update interval (LifeDuration) can be standardized, so that it is possible to infer which session the Rekey packet received from the IPsec gateway apparatus 16 is.

  In the example of FIG. 8, the ISAKMP packet from any of the terminal device 13 and the terminal device 14 changes the update interval (LifeDuration) to a sufficiently small value 300, and this 300 is adopted as the value after negotiation. ing. As a result, the update interval (LifeDuration) of all sessions is unified, so that the Rekey packet (P85) received from the IPsec gateway 16 first is the key update (Rekey) of the session of the terminal device 13 that has established the session first. And the transmission destination of the Rekey packet (p85) can be determined.

  FIG. 9 shows a third embodiment for key update (Rekey) of an ISAKMP session in the present invention. In this embodiment, the ISAKMP session is based on the update interval (LifeDuration) determined by negotiation between the terminal device 13 and the IPsec gateway device 16 and the reception timing of the first Rekey packet received from the IPsec gateway device 16 thereafter. The reception timing of the next Rekey packet is learned, and the reception timing of the next Rekey packet is estimated based on the learning result.

  For example, the update interval (LifeDuration) determined by transmission / reception of the ISAKMP session packet (P91) of the terminal device 13 is 28800 seconds, and the reception timing of the Rekey packet (P92) received first from the IPsec gateway device 16 is 14400 seconds later. If there is, it can be estimated that the reception timing of the next Rekey packet is 14400 seconds later.

  In addition, for example, when the update interval (LifeDuration) determined by transmission / reception of the packet (P93) of the ISAKMP session is 10000 kilobytes and the reception timing of the first Rekey packet (P94) is after receiving 5000 kilobytes of data, The reception timing of the next Rekey packet is estimated after receiving 5000 kilobytes of data.

When the value of the update interval (LifeDuration) changes every time a Rekey packet is received,
Rekey packet reception timing = update interval (LifeDuration) × 1 / α
Or Rekey packet reception timing = update interval (LifeDuration) −β
Assuming that the Rekey packet reception timing is calculated, the next Rekey packet reception timing can be estimated by calculating the value of α or β.

  In order to increase the accuracy of the learning result, the Rekey packet is received a plurality of times, and the value of α or β is determined based on the Rekey packet reception timing observed a plurality of times. can do.

  When learning the reception timing of the Rekey packet, new ISAKMP packets (P95, P96) received from other terminal devices 14 (terminal devices for which no ISAKMP session is established) until learning of the reception timing of the Rekey packet is completed. Discard. By doing this, it is possible to prevent a plurality of ISAKMP sessions that have not been learned of the key update (Rekey) timing from being registered in the management table, and when a new Rekey packet is received, it is unknown which ISAKMP session is the Rekey packet. You can prevent it from happening.

  10 and 11 show an embodiment for key update (Rekey) of an IPsec session in the present invention. In the figure, IPsec communication is performed between the terminal device 13 and the IPsec gateway device 16, and entries of ISAKMP sessions and IPsec sessions used in the IPsec communication are registered in the management table. (See Table T101).

  When the ISAKMP Rekey packet (P101) is received from the IPsec gateway apparatus 16 during the IPsec communication and the key exchange type (ExchangeType) is “QuickMode” indicating the key exchange of the IPsec session, the communication apparatus 15 transmits the Rekey packet ( The source / destination IP address, protocol type, source / destination port number of P101) and the entry information registered in the management table are collated, and if they match, the Rekey packet (P101) is It is determined that the packet is a rekey packet of the IPsec session in communication, and information on the source / destination IP address of the session of the rekey packet (P101) and the source IP address after NAT conversion is newly temporarily registered in the management table. (Tabe T102 reference), and transfers the Rekey packet (P101) to the terminal device 13.

  Thereafter, when the key exchange (Rekey) sequence is completed and the IPsec ESP packet (P102) is received from the IPsec gateway apparatus 16, the communication apparatus 15 transmits the source / destination IP address and protocol type of the IPsec ESP packet (P102). The IPsec ESP packet (P102) is collated with the entry information registered in the management table, and is determined to be a communication packet of the IPsec session updated by the key update (Rekey). The security parameter index (SPI) value “YYYYY” of (P102) is overwritten and added to the temporarily registered entry of the previous management table (see table T103).

  As a result, the IPsec session newly created by the key update (Rekey) is also added to the management table. By performing NAT conversion based on the information in the management table, the updated IPsec communication is normally passed (NAT pass-through). ).

  In the key exchange (Rekey) sequence of this IPsec session, as with the key exchange (Rekey) sequence in the ISAKMP session, another terminal device 14 (IPsec session has not been established until the reception timing of the Rekey packet is learned. The new ISAKMP packet (P103) received from the terminal device that does not exist is discarded.

  By doing so, it is possible to prevent a plurality of IPsec sessions that have not been learned at the key exchange timing (Rekey) from being registered in the management table, and any key update (Rekey) of any session when a new key update (Rekey) is performed. It is possible to prevent it from becoming unknown.

  FIG. 12 shows an embodiment in which entries in the management table are deleted based on the key update (Rekey) timing of the ISAKMP session. In the figure, the communication device 15 establishes an ISAKMP session between the terminal device 13 and the IPsec gateway device 16, registers an ISAKMP session entry in the management table (see table T 121), and then updates the key of the ISAKMP session. A time (seconds) until the ISAKMP Rekey packet (P121) is received, the key update (Rekey) timing is learned by the above-described method, and a value slightly longer than the key update (Rekey) time (timing) “Xx” is set as an entry time in the management table (see table T122). When this entry time has timed out, the entry of the corresponding ISAKMP session is deleted from the management table (see table T123).

  FIG. 13 shows an embodiment in which entries in the management table are deleted based on the key update (Rekey) timing of the IPsec session. The communication device 15 establishes an IPsec session between the terminal device 13 and the IPsec gateway device 16, registers an ISAKMP session and an entry for the IPsec session in the management table (see table T131), and then performs key exchange processing protocol (IKE). The time (seconds) until the IPsec Rekey packet (P131) is received is measured, the key update (Rekey) timing of the IPsec session is learned, and a value “xx” slightly longer than the time (timing) of the key update (Rekey) Is set as an entry time in the management table (see table T132). When this entry time has timed out, the entry of the corresponding ISAKMP session is deleted from the management table (see table T133).

  When the communication device 15 of the present invention deletes either the entry of the ISAKMP session or the entry of the IPsec session from the management table by entry time timeout or key update (Rekey), the communication device 15 uses the resources of the communication device 15. In order to reduce this, it is possible to adopt a configuration in which the entry of the ISAKMP session or the entry of the IPsec session linked to the entry to be deleted is also deleted from the management table.

FIG. 4 is a diagram illustrating an embodiment of establishing an IPsec session according to the present invention. FIG. 4 is a diagram illustrating an embodiment of establishing an IPsec session according to the present invention. It is a figure which shows 1st Embodiment which deletes the entry of the management table in this invention. It is a figure which shows 2nd Embodiment which deletes the entry of the management table in this invention. It is a figure which shows 3rd Embodiment which deletes the entry of the management table in this invention. It is a figure which shows 4th Embodiment which deletes the entry of the management table in this invention. It is a figure which shows 1st Embodiment with respect to the key update (Rekey) of the ISAKMP session in this invention. It is a figure which shows 2nd Embodiment with respect to the key update (Rekey) of the ISAKMP session in this invention. It is a figure which shows 3rd Embodiment with respect to the key update (Rekey) of the ISAKMP session in this invention. It is a figure which shows embodiment with respect to the key update (Rekey) of the IPsec session in this invention. It is a figure which shows embodiment with respect to the key update (Rekey) of the IPsec session in this invention. It is a figure which shows embodiment which deletes the entry of the management table of this invention based on the key update (Rekey) timing of an ISAKMP session. It is a figure which shows embodiment which deletes the entry of the management table of this invention based on the key update (Rekey) timing of an IPsec session. It is a figure which shows the example of a connection structure which establishes several IPsec session from the terminal device in a house.

Explanation of symbols

11 LAN side network 12 WAN side network 13, 14 Terminal device 15 Communication device 16 IPsec gateway device

Claims (5)

A communication device that allows communication of an IPsec session between a terminal device connected to a subordinate LAN side network and an IPsec gateway device connected to a WAN side network,
The initiator identification information (Cookie) of the ISAKMP packet of the key exchange protocol and the security parameter index (SPI) of the IPsec ESP packet, the source IP address, the destination IP address, the port number, the protocol type, and the source after the address conversion of the packet A management table for storing as entry information of ISAKMP sessions and IPsec sessions together with addresses,
Based on the initiator identification information (Cookie) of the received ISAKMP packet or the security parameter index (SPI) of the IPsec ESP packet, the entry information of the ISAKMP packet or IPsec ESP packet is referred to by referring to the entry information registered in the management table. Identify and
The ISAKMP packets or IPsec ESP packet is received, the address translation according to the entry information registered in the management table, have a structure to be transferred to the terminal or IPsec gateway device,
When a rekey packet of an ISAKMP session is received from the IPsec gateway apparatus side, the IP address, protocol type, and port number of the packet are collated with the entry information of the ISAKMP session registered in the management table, and they match. And the sender identification information (Cookie) together with the source IP address, the destination IP address, the port number, the protocol type, and the source address after the address conversion of the ISAKMP session. Is newly registered in the management table as ISAKMP session entry information,
A packet subsequent ISAKMP session by performing address conversion based on the entry information of Do ISAKMP session was該新, have a structure to be transferred to the communication destination terminal,
In the negotiation of the ISAKMP session validity period (LifeDuration) performed between the terminal apparatus and the IPsec gateway apparatus, the ISAKMP session validity period value (LifeDuration) sent by the terminal apparatus is sent to all the subordinate terminal apparatuses. Change to the same value smaller than any of the effective period values (LifeDuration) to be transmitted, and unify the effective period values (LifeDuration) of the ISAKMP sessions of all subordinate terminal devices,
A communication apparatus for processing a plurality of IPsec sessions, wherein the reception timing of an ISAKMP session Rekey packet is estimated based on the unified lifetime value (LifeDuration). A communication device that allows communication of an IPsec session between a terminal device connected to a subordinate LAN side network and an IPsec gateway device connected to a WAN side network,
The initiator identification information (Cookie) of the ISAKMP packet of the key exchange protocol and the security parameter index (SPI) of the IPsec ESP packet, the source IP address, the destination IP address, the port number, the protocol type, and the source after the address conversion of the packet A management table for storing as entry information of ISAKMP sessions and IPsec sessions together with addresses,
Based on the initiator identification information (Cookie) of the received ISAKMP packet or the security parameter index (SPI) of the IPsec ESP packet, the entry information of the ISAKMP packet or IPsec ESP packet is referred to by referring to the entry information registered in the management table. Identify and
The ISAKMP packets or IPsec ESP packet is received, the address translation according to the entry information registered in the management table, have a structure to be transferred to the terminal or IPsec gateway device,
When a rekey packet of an ISAKMP session is received from the IPsec gateway apparatus side, the IP address, protocol type, and port number of the packet are collated with the entry information of the ISAKMP session registered in the management table, and they match. And the sender identification information (Cookie) together with the source IP address, the destination IP address, the port number, the protocol type, and the source address after the address conversion of the ISAKMP session. Is newly registered in the management table as ISAKMP session entry information,
A packet subsequent ISAKMP session by performing address conversion based on the entry information of Do ISAKMP session was該新, have a structure to be transferred to the communication destination terminal,
When the validity period type (LifeType) of the ISAKMP session validity period value (LifeDuration) determined by negotiation between the terminal apparatus and the IPsec gateway apparatus is time, the validity period value (LifeDuration) and the first A communication apparatus for processing a plurality of IPsec sessions, characterized by learning a transmission timing of a Rekey packet of the IPsec gateway apparatus based on a reception timing of a Rekey packet of an ISAKMP session. A communication device that allows communication of an IPsec session between a terminal device connected to a subordinate LAN side network and an IPsec gateway device connected to a WAN side network,
The initiator identification information (Cookie) of the ISAKMP packet of the key exchange protocol and the security parameter index (SPI) of the IPsec ESP packet, the source IP address, the destination IP address, the port number, the protocol type, and the source after the address conversion of the packet A management table for storing as entry information of ISAKMP sessions and IPsec sessions together with addresses,
Based on the initiator identification information (Cookie) of the received ISAKMP packet or the security parameter index (SPI) of the IPsec ESP packet, the entry information of the ISAKMP packet or IPsec ESP packet is referred to by referring to the entry information registered in the management table. Identify and
The ISAKMP packets or IPsec ESP packet is received, the address translation according to the entry information registered in the management table, have a structure to be transferred to the terminal or IPsec gateway device,
When a rekey packet of an ISAKMP session is received from the IPsec gateway apparatus side, the IP address, protocol type, and port number of the packet are collated with the entry information of the ISAKMP session registered in the management table, and they match. And the sender identification information (Cookie) together with the source IP address, the destination IP address, the port number, the protocol type, and the source address after the address conversion of the ISAKMP session. Is newly registered in the management table as ISAKMP session entry information,
A packet subsequent ISAKMP session by performing address conversion based on the entry information of Do ISAKMP session was該新, have a structure to be transferred to the communication destination terminal,
When the validity period type (LifeType) of the validity period value (LifeDuration) of the ISAKMP session determined by negotiation between the terminal apparatus and the IPsec gateway apparatus is a traffic volume, the validity period value (LifeDuration) and the first Communication for processing a plurality of IPsec sessions characterized by learning the transmission timing of the Rekey packet of the IPsec gateway apparatus based on the traffic volume of the communication performed until the rekey packet of the ISAKMP session is received apparatus. 4. A plurality of IPsec sessions according to claim 2 or 3 , wherein a new ISAKMP packet from another terminal device is not accepted until learning of a rekey packet transmission timing of the IPsec gateway device is completed. Communication device that processes. Based on the learning result of the transmission timing of the Rekey packet according to claim 2 or 3 , the entry time of the ISAKMP session is calculated,
The calculated entry time is set in the management table as an entry time of an ISAKMP session, and when the ISAKMP session exceeds the entry time, the entry of the ISAKMP session is deleted from the management table. A communication apparatus that processes a plurality of IPsec sessions according to 2 or 3 .

Images