JP7045247B2 - Communication protection device, control method, and program - Google Patents

Description

The present invention relates to a communication protection device, a control method, and a program.

A communication network installed in a vast factory is generally installed by connecting a large number of hubs in multiple stages and extending the inside of the building. In addition, the production equipment in the factory is always in operation, and operations are carried out to avoid stopping the operation of the entire system as much as possible.

Recently, attempts have been made to connect the manufacturing equipment installed in factories to the Internet to perform production control in the cloud, failure sign analysis, or on-demand production planning.

When the communication network in the factory is a closed network that does not connect to the outside, malicious communication is not performed from the outside via the communication network, so that the need for protection against such communication is low. However, when the communication network in the factory is connected to the outside, it becomes difficult to maintain security.

Patent Document 1 discloses a technique for preventing attacks such as eavesdropping or falsification of communication data. In Patent Document 1, a reliable physical port (also simply referred to as "port") is set in advance by an administrator for a hub to which a device is connected. As a result, the hub manages the communication address (simply referred to as an address) of the communication packet (simply also referred to as “packet”) received by the port. Here, the address includes an IP address and a MAC (Media Access Control) address. When the hub receives communication data spoofing an IP address or MAC address from an unreliable port, the hub discards the received communication data to prevent attacks such as eavesdropping or falsification of the communication data.

JP-A-2015-165614

The present invention provides a communication protection device that improves security while maintaining some devices constituting an existing communication network.

The communication protection device according to one aspect of the present invention includes a communication unit that receives a packet from a first device and transmits the received packet to a second device, and a physical address and a logical address of at least one device. When the memory for holding the address authentication information including the set and the physical address or the logical address of the first device and the second device included in the packet are included in the address authentication information, the first device. And, it is determined whether or not the pair of the physical address and the logical address of the second device matches the pair of the physical address and the logical address included in the address authentication information, and when it is determined that they do not match, the said It includes a control unit that discards packets.

It should be noted that these comprehensive or specific embodiments may be realized in a recording medium such as a system, method, integrated circuit, computer program or computer-readable CD-ROM, and the system, method, integrated circuit, computer program. And may be realized by any combination of recording media.

The communication protection of the present invention can improve security while maintaining some devices constituting the existing communication network.

FIG. 1 is a diagram showing a configuration of a communication system according to an embodiment and a packet address. FIG. 2 is a diagram showing a configuration of a communication system according to an embodiment. FIG. 3 is a diagram showing a configuration of a secure hub according to an embodiment. FIG. 4 is a diagram showing a configuration of a transfer destination table in the embodiment. FIG. 5 is a diagram showing a configuration of address authentication information in the embodiment. FIG. 6 is a diagram showing a configuration of an Ethernet (registered trademark) frame according to an embodiment. FIG. 7 is a diagram showing an example of an ARP request packet according to the embodiment. FIG. 8 is a diagram showing an example of an ARP reply packet according to the embodiment. FIG. 9 is a diagram showing a configuration of an update notification message for notifying the address authentication information in the embodiment. FIG. 10 is a diagram showing an example of the configuration of the IP header in the embodiment. FIG. 11 is a flowchart showing a process of registering address authentication information by the secure hub in the embodiment. FIG. 12 is a flowchart showing a process of notifying another secure hub of address authentication information by the secure hub in the embodiment. FIG. 13 is a flowchart showing a process when the address authentication information is manually set in the embodiment. FIG. 14 is a flowchart showing a transfer process of the received packet according to the embodiment. FIG. 15 is a flowchart showing an address authentication information update process according to the embodiment. FIG. 16 is a flowchart showing a packet transfer determination process according to the embodiment. FIG. 17 is a flowchart showing a packet validation process according to the embodiment. FIG. 18 is a flowchart showing a process of determining a destination port of a received packet in the embodiment.

(Knowledge that became the basis of the present invention)
Conventionally, equipment installed in factory facilities or the like operates by connecting and communicating with each other by a unique communication line using a unique communication method. However, with the spread of the Internet, devices using Ethernet (Ethernet (registered trademark)) and IP (Internet Protocol), which are general-purpose protocols whose speed and price have been reduced, have been installed in factory facilities.

However, Ethernet and IP have not fully considered security.

For example, in the communication network shown in FIG. 1, it is assumed that communication between the communication device TA and the communication device TB is performed via the hubs H1, H2, and H3. The packet PA is a packet transmitted from the communication device TA to the communication device TB, and the packet PB is a packet transmitted from the communication device TB to the communication device TA. The communication made by the packets PA and PB is legitimate communication.

Here, the communication device TC can perform unauthorized communication by transmitting a packet PC in which the source IP address is disguised as the address of the communication device TB (that is, IPB) to the communication device TA. The communication device TC has a problem that by transmitting a large amount of packet PCs to the communication device TA, an attack that increases the processing load of the communication device TA or causes a malfunction is possible.

Furthermore, a MITM attack (Man-In-The-Middle) in which the communication device TC abuses the ARP protocol to logically change the communication path and a third party who is not a legitimate communicator eavesdrops or falsifies the data. There is a problem that Attack) and the like can be performed relatively easily.

According to the technique disclosed in Patent Document 1, it is possible to discard spoofing communication for a device connected to a trusted port of a hub equipped with a defense function. And if you want to protect communication with devices that are not directly connected to the trust port of the defense-equipped hub and are located at a remote location, connect multiple defense-equipped hubs in multiple stages to protect multiple defenses. Of the ports on the function-equipped hub, all the ports through which the communication you want to protect passes must be set as trusted ports.

However, since factory facilities are large, it is common for communication devices that require protection to be installed in separate locations. In addition, there are many devices installed in factory facilities. Therefore, it is not realistic to replace all the hubs existing between the communication devices that need protection with the hubs equipped with the defense function.

Therefore, the present invention provides a communication protection device that improves security while maintaining some devices constituting an existing communication network.

The communication protection device according to one aspect of the present invention includes a communication unit that receives a packet from a first device and transmits the received packet to a second device, and a physical address and a logical address of at least one device. When the memory for holding the address authentication information including the set and the physical address or the logical address of the first device and the second device included in the packet are included in the address authentication information, the first device. And, it is determined whether or not the pair of the physical address and the logical address of the second device matches the pair of the physical address and the logical address included in the address authentication information, and when it is determined that they do not match, the said It includes a control unit that discards packets.

With this configuration, by directly connecting the communication protection device to the device to be protected, it is possible to prevent a third party from acquiring communication between the devices and falsifying, leaking, blocking, or the like. In addition, since a normal hub can be used for the connection between the communication protection devices, the existing equipment can be used continuously. In this way, the communication protection device improves security while maintaining some of the devices constituting the existing communication network.

For example, the memory further holds a group key shared with another communication protection device different from the communication protection device, and the control unit further holds a third device from the other communication protection device. When an update notification message including the address and message authentication information is received via the communication unit, and the authentication information generated by a predetermined algorithm using the group key matches the message authentication information. In addition, the address of the third device included in the update notification message may be updated by adding it to the address authentication information.

With this configuration, the validity of the update notification message can be successfully verified only by the communication protection device with the same key set in the same group, and the update notification message can be sent only to the communication protection devices belonging to the same group. .. As a result, it is possible to prevent the communication protection device from receiving and operating an unauthorized update notification message sent from, for example, a malicious person. Therefore, the communication protection device improves security while maintaining some devices constituting the existing communication network while avoiding the operation based on the unauthorized update notification message.

For example, the control unit may further transmit the address authentication information to another communication protection device different from the communication protection device via the communication unit.

With this configuration, the communication protection device can share the address authentication information with other communication protection devices. As a result, the communication protection device cooperates with other communication protection devices to improve security while maintaining some devices constituting the existing communication network.

For example, the address authentication information includes a set of an address of the at least one device and a sequence ID, and each time the control unit transmits the address authentication information to the other communication protection device via the communication unit. The sequence ID incremented to may be included in the address authentication information.

With this configuration, the communication protection device can share the address authentication information with other communication protection devices based on the sequence ID. More specifically, it is effective in defending against a save & replay attack that overwrites the past information by capturing the address authentication information on the communication path and resending it later.

For example, the control unit may collect the addresses of devices capable of communicating with the communication unit and update the address authentication information based on the collected addresses.

With this configuration, the communication protection device can update the address authentication information by collecting the addresses of the communicable devices. This has the advantage that the administrator of the communication protection device does not need to investigate the address of the communicable device and set it in the communication protection device. Further, since the address authentication information can be updated according to the communication packet flowing into the communication protection device, there is an advantage that the administrator of the communication protection device does not need to repeatedly check and update the address authentication information.

For example, the address authentication information is a set of a MAC (Media Access Control) address and an IP (Internet Protocol) address, and the control unit is among the addresses collected when updating the address authentication information. When there is only one set of the MAC addresses associated with one IP address, the set may be updated by adding the set to the address authentication information.

With this configuration, the communication protection device adds to the address authentication information as a reliable IP address / MAC address pair when there is one MAC address pair associated with any IP address among the collected addresses. Can be done.

Further, in the control method of the communication protection device according to one aspect of the present invention, the communication protection device includes a memory for holding address authentication information including the address of at least one device, and the control method is the first device. Whether or not the communication step of receiving a packet from and transmitting the received packet to the second device and the address of the second device included in the packet are included in the address authentication information. The present invention includes a control step of discarding the packet when the determination is made and it is determined that the address of the second device is not included in the address authentication information.

As a result, the same effect as that of the communication protection device is obtained.

Further, the program according to one aspect of the present invention is a program for causing a computer to execute the above control method.

As a result, the same effect as that of the communication protection device is obtained.

It should be noted that these comprehensive or specific embodiments may be realized in a recording medium such as a system, method, integrated circuit, computer program or computer-readable CD-ROM, and the system, method, integrated circuit, computer program. Alternatively, it may be realized by any combination of recording media.

Each of the embodiments described below shows a specific example of the present invention. The numerical values, shapes, components, steps, the order of steps, and the like shown in the following embodiments are examples, and are not intended to limit the present invention. Further, among the components in the following embodiments, the components not described in the independent claim indicating the highest level concept are described as arbitrary components. Moreover, in all the embodiments, each content can be combined.

(Embodiment)
One embodiment of the present embodiment will be described with reference to the drawings. In each drawing, the same reference numerals are used for the same components.

1. 1. Overall Configuration of Communication System FIG. 2 is a diagram showing a configuration of a communication system 10 according to the present embodiment. The communication system 10 includes, for example, a communication network deployed in a factory facility and equipment connected to the communication network. However, the communication system 10 is not limited to the one deployed in the factory facility.

In the present embodiment, the equipment in the factory facility communicates on Ethernet defined by IEEE802.3 by an appropriate protocol such as TCP (Transmission Control Protocol) / IP and UDP (User Datagram Protocol) / IP according to the characteristics of the application. I do.

In FIG. 2, the communication system 10 is connected to the Internet line 100 via the router 101. This makes it possible to perform advanced control such as remote monitoring of a device from a remote location via the Internet line 100.

Each device communicates with another device by connecting to the hub 103, 105 or 106 with a LAN cable, or the secure hub 102 or 104 which is a form of a communication protection device.

The hub 103, 105 or 106, or the secure hub 102 or 104 has a function of transmitting a packet transmitted from each device to an appropriate device based on the address information in the packet.

In FIG. 2, the communication system 10 includes PLCs (Programmable Logical Controllers) 110 and 115, SCADA (Supervisory Control And Data Acquisition) 112, and PCs 111, 113, 114 and 116 as devices connected to the communication network.

The PLCs 110 and 115 control motors such as belt conveyors on production lines, or control sensors for positioning control of braking equipment. The SCADA 112 performs system monitoring or control monitoring such as PLC, and more specifically, process monitoring. PCs 111, 113, 114 and 116 are manufacturing PCs that collect navigation and traceability data for manufacturing procedures.

In FIG. 2, the line connecting the components indicates a LAN cable. Further, the numerical values described at the connection points of the hubs 103, 105 and 106, and the secure hubs 102 and 104 and the LAN cable are the identifiers of the physical ports (also simply referred to as “ports”) to which the LAN cable is connected. Is shown.

The communication system 10 shown in FIG. 2 can suppress an attack that causes a load increase or a malfunction of the PLC 115 by transmitting a packet to the PLC 115 by, for example, the PC 114 impersonating the SCADA 112 by the secure hubs 102 and 104. Hereinafter, the configuration and processing for suppressing the above attack will be described.

2. 2. Configuration of Secure Hub FIG. 3 is a diagram showing the configuration of the secure hub 104. Here, the secure hub 104 will be described as an example, but the same description holds true for the secure hub 102. In FIG. 3, the secure hub 104 includes a storage area 201, a packet transfer control unit 202, a transfer processing unit 204, ports P1, P2, P3 and P4, and a setting input unit 209. The ports P1, P2, P3 and P4 are also simply referred to as ports.

The packet transfer control unit 202 determines whether or not the packet can be transferred.

Further, the packet transfer control unit 202 transmits the address authentication information 210 to another secure hub via the port. Further, the packet transfer control unit 202 receives an update notification message including an address and message authentication information from another secure hub. Then, when the authentication information generated by the predetermined algorithm using the group key and the message authentication information match, the packet transfer control unit 202 sets the address included in the update notification message as the address authentication information. Update by adding to 210.

Further, the packet transfer control unit 202 collects the addresses of the devices capable of communicating with the port, and updates the address authentication information 210 based on the collected addresses.

The transfer processing unit 204 performs IO (Input / Output) processing for receiving or transmitting a packet by the port. When the address authentication information 210 contains an address (specifically, a physical address or a logical address between the source device and the destination device) included in the packet received by the port, the transfer processing unit 204 , It is determined whether or not the set of the physical address and the logical address of the source device and the destination device matches the set of the physical address and the logical address included in the address authentication information. Then, the transfer processing unit 204 discards the packet when it is determined in the above determination that they do not match.

The packet transfer control unit 202 and the transfer processing unit 204 correspond to the control unit.

Ports P1, P2, P3 and P4 are physical ports connected to each device. Ports P1, P2, P3 and P4 each receive a packet from the connected device, and the received packet is sent to the device connected to another connected port based on the address information contained in the packet. Send. A port ID, which is an identifier, is assigned to each of the ports P1, P2, P3, and P4. The port ID corresponds to a physical port number in a communication device such as a general hub. It is assumed that the port ID of the port P1 is "P1" which is the same as the code thereof. In FIG. 2, the port ID of the port P1 is simply described as “1”. The same applies to other ports.

For example, the hub 103 is connected to the port P1, the PLC 115 is connected to the port P2, and the PC 116 is connected to the port P3. Ports P1, P2, P3 and P4 correspond to communication units.

The setting input unit 209 provides an input I / F for setting information from the user.

The setting input unit 209 provides, for example, a graphical Web interface (not shown) for the user to make settings. The setting input unit 209 is, for example, a Web for the user to set the IP addresses of the secure hubs 102 and 104 installed in the communication system 10, and the group key used for authentication between the secure hubs 102 and the secure hubs 104. Provides an interface etc. The setting input unit 209 may provide a Web interface or the like for manually setting a reliable IP address and MAC address set as the address authentication information 210, if necessary.

The storage area 201 is a storage device that holds various types of information. The storage area 201 corresponds to a memory.

The information stored in the storage area 201 includes the address authentication information 210, the transfer destination table 211, and the group key information 213.

The address authentication information 210 is information that stores the correspondence between the reliable IP address and the MAC address. The address authentication information 210 includes the address of at least one device.

The transfer destination table 211 is information that manages the MAC addresses of the devices connected to the ports P1, P2, P3, and P4.

The group key information 213 is key information used as authentication information between the secure hub 102 and the secure hub 104.

The ports of the secure hub 102 are ports Q1, Q2, Q3 and Q4. Further, it is assumed that the port ID of the port Q1 is "Q1" which is the same as the code thereof. In FIG. 2, the port ID of the port Q1 is simply described as “1”. The same applies to other ports. For example, SCADA 112 is connected to port Q2 of the secure hub 102.

3. 3. Configuration of Storage Area Next, the information held in the storage area 201 will be specifically described.

FIG. 4 is a diagram showing the configuration of the transfer destination table 211. The transfer destination table 211 is information for managing the MAC address of the device connected to the port of the secure hub, and is used when determining the destination port of the packet.

The transfer destination table 211 includes a port ID 401 which is a number for identifying a port of the secure hub, a MAC address 402 of a network interface card of a device connected to the port, and an IP address 403 of the device.

The MAC address 402 and the IP address 403 are the MAC address and the IP address of the device directly connected to the port or indirectly connected via the hub, respectively. When devices are connected via a hub, a set of MAC addresses and IP addresses of a plurality of devices can be registered for one port.

In FIG. 4, for example, two pairs of MAC address and IP address are registered for port P1. Specifically, for the port P1, the set of the MAC address "02-02-02-0a-0a-6e" and the IP address "192.168.0.110", and the MAC address "02-" A total of two sets, a set of "02-02-0a-0a-6f" and a set of the IP address "192.168.0.111", are registered.

Further, when a plurality of IP addresses are assigned to the network interface card of the device, a plurality of IP addresses may be registered for one MAC address.

The MAC address 402 can be obtained from the source MAC address of the Ethernet® frame transmitted from the device connected to the port. Further, the IP address 403 can be acquired from the source IP address stored in the ARP (Address Resolution Protocol) packet transmitted by the device connected to the port. The ARP packet will be described later.

FIG. 5 is a diagram showing the configuration of the address authentication information 210. The address authentication information 210 includes the device ID 501, the port ID 502, the method 503, the sequence ID 504, the MAC address 505, and the IP address 506.

The device ID 501 is an identifier that can identify the secure hub. Here, the device ID of the secure hub 104 is SH4, and the device ID of the secure hub 102 is SH2.

The port ID 502 is an identifier that can identify the port of the secure hub.

Among the devices connected to the secure hub included in the communication system 10, the secure hub to which the reliable device is connected and the port to which the reliable device is connected are connected by the device ID 501 and the port ID 502. Be identified.

Method 503 is a learning method that is a method of acquiring a reliable MAC address and IP address. The learning method is selected from "auto" or "manual". “Auto” means that it was acquired by dynamic learning by a secure hub. "Manual" means that it was acquired by manual setting by the administrator for the secure hub.

The sequence ID 504 is a sequence ID when the address authentication information 210 is shared between the secure hubs.

The MAC address 505 and the IP address 506 are the MAC address and the IP address of the device connected to the secure hub and determined to be reliable, respectively.

The address authentication information 210 manages both the above-mentioned information generated by the secure hub 104 having the address authentication information 210 and the above-mentioned information notified from the other secure hub 102. The process of generating the address authentication information 210 and the process of sharing the address authentication information 210 between the secure hubs will be described later.

4. Configuration of ARP Packet Next, the configuration of the ARP packet will be described. ARP is a protocol for searching a MAC address, which is the physical address of a communication partner, in order to transmit an Ethernet (registered trademark) frame to the communication partner when the IP address of the communication partner is known. The ARP packet has a configuration in which the ARP packet is stored in the Payload of the Ethernet (registered trademark) frame.

FIG. 6 is a diagram showing a configuration of an Ethernet (registered trademark) frame 600. The Ethernet® frame 600 shown in FIG. 6 has the format specified by IEEE 802.3. Specifically, the Ethernet (registered trademark) frame 600 includes a Playable 601 indicating the start of data, an SFD (Start Frame Delimiter) 602, a destination physical address D-MAC603, and a source physical address S. -MAC 604, EtherType 605 which is a type of transmission data, Payload 606 which is transmission data, and FCS (Frame Check Sequence) 607 used for error checking of transmission data are included.

Payload 606 includes an ARP packet 610.

The ARP packet 610 has the format specified by RFC826. The ARP packet 610 has a HardwareType 611 indicating the type of protocol used in the data link layer in the OSI reference model, a ProtocolType 612 indicating the type of protocol used in the network layer in the OSI reference model, and the address of the data link layer. Stores the length, that is, the ResolutionLength 613 that indicates the length of the MAC address, the length of the network layer address, that is, the ProtocolLength 614 that indicates the length of the IP address, and the operation code that indicates the operation type that distinguishes the request or response. Operation 615, ARP-S-MAC616, which is the address of the data link layer of the source of the ARP packet, ARP-S-IP617, which is the address of the network layer of the source, and the data link layer of the target device to acquire the address. It includes ARP-D-MAC618, which is an address, and ARP-D-IP619, which is the address of the network layer of the target device for which the address is acquired.

Next, the configuration of the ARP request packet indicating the request of the MAC address and the configuration of the ARP reply packet indicating the response to the request will be described.

FIG. 7 is a diagram showing an example of an ARP request packet. FIG. 8 is a diagram showing an example of an ARP reply packet. These ARP request packets and ARP reply packets have specific information set in the fields of the ARP packet shown in FIG.

Here, it is assumed that the MAC address of the device that is the source of the ARP request packet is "02-02-02-0c-0c-0c" and the IP address of the device that is the source is "192.168.0.100". .. Then, the source device transmits an ARP request packet for acquiring the MAC address of the device whose IP address is "192.168.0.101". Ethernet (registered trademark) when a device having an IP address of "192.168.0.101" notifies a MAC address "02-02-02-02-0a-0a-0a" to a transmitted ARP request packet. ) The structure of the frame will be described.

Note that, in FIG. 7, only the fields related to the ARP packet 610 in the Ethernet (registered trademark) frame 600 described with reference to FIG. 6 are shown, and the Premium 601, SFD 602, and FCS 607 are omitted.

The ARP request packet 610A shown in FIG. 7 is used when examining the MAC address of a device having a specific IP address, and is transmitted by broadcasting so as to reach all the devices connected to the communication system 10.

The ARP request packet 610A is included in the Ethernet® frame 600A.

"FF-FF-FF-FF-FF-FF" indicating a broadcast is stored in the D-MAC 603 of the Ethernet (registered trademark) frame 600A, and the MAC address of the source network interface card is stored in the S-MAC 604. 02-02-02-0c-0c-0c "is stored. Further, "0x0806", which is a value indicating that the data type of Payload 606 is an ARP packet, is stored in EtherType 605.

The following values are stored in the ARP request packet 610A. HardwareType 611 stores "0x0001" indicating that the protocol type is Ethernet (registered trademark). In ProtocolType 612, "0x0800" indicating that the protocol type is an IP protocol is stored. HardwareLength613 stores "0x06" indicating that the length of the MAC address is 6 bytes. In ProtocolLength614, "0x04" indicating that the length of the IP address of the IP version 4 is 4 bytes is stored. Operation 615 stores "0x0001" indicating that the operation of ARP is a request. The ARP-S-MAC616 stores the source MAC address "02-02-02-0c-0c-0c". The ARP-S-IP617 stores the source IP address "192.168.0.100". The ARP-D-MAC618 stores a dummy value "FF-FF-FF-FF-FF-FF". In ARP-D-IP619, "192.168.0.101" indicating the IP address to be investigated is stored.

The device that has received the ARP request packet 610A confirms the ARP-D-IP619 in the packet and determines whether or not it matches the IP address of the device itself. Then, if it is determined that the device matches, the ARP reply packet 610B described later is returned, and if it is determined that the device does not match, the ARP request packet is discarded.

FIG. 8 is a diagram showing an ARP reply packet 610B. In FIG. 8, only the area related to the ARP packet 610 in the Ethernet (registered trademark) frame 600 described with reference to FIG. 6 is shown, and the Premium 601, SFD 602, and FCS 607 are omitted.

The ARP reply packet 610B is a packet returned by a device having an IP address to be investigated in response to receiving the ARP request packet 610A when the ARP request packet 610A is received. The ARP reply packet 610B is also used for the purpose of notifying other devices of a change in the IP address of the device itself, which is called Gratuitous ARP.

Of the ARP reply packet 610B, the field in which the same value as the ARP request packet 610A described with reference to FIG. 7 is stored will be omitted. The device that has received the ARP request packet 610A generates and returns an ARP reply packet 610B including the IP address and MAC address of its own device to the device that is the source of the ARP request packet 610A.

In the D-MAC 603 of the Ethernet (registered trademark) frame 600B, “02-02-02-02-0c-0c-0c”, which is the MAC address of the device that transmitted the request packet, is stored. The S-MAC 604 stores the source MAC address "02-02-02-0a-0a-0a".

The following values are stored in the ARP reply packet 610B. Operation 615 stores "0x0002" indicating that the operation of ARP is a reply. The ARP-S-MAC616 stores the source MAC address "02-02-02-0a-0a-0a". The ARP-S-IP617 stores the source IP address "192.168.0.101". The destination MAC address "02-02-02-0c-0c-0c" is stored in the ARP-D-MAC618. The destination IP address "192.168.0.100" is stored in the ARP-D-IP619.

In this way, the device that has transmitted the ARP request packet 610A acquires the MAC address for the IP address of the device to be investigated by receiving the ARP reply packet 610B from the device to be investigated.

5. Configuration of the message for notifying the address authentication information Next, a message used when notifying the address authentication information 210 among a plurality of secure hubs will be described. This communication message is broadcast from the secure hub to the devices existing in the communication system 10 by broadcasting. Then, only the secure hub belonging to the same group as the transmitted secure hub can receive the transmitted communication message.

FIG. 9 is a diagram illustrating a configuration of an update notification message 700 for the secure hub to notify the address authentication information 210. The message shown in FIG. 9 is an update notification message 700 for one secure hub to update the address authentication information 210 possessed by the other secure hub. The update notification message 700 is included in the Payload 606 of the Ethernet (registered trademark) frame 600 or the payload of the IP packet.

As shown in FIG. 9, the update notification message 700 includes a header portion and a body portion.

The header portion includes a Command ID 701, a Sequence ID 702, a Switch ID 703, and a NuMofEntry 704.

CommandID701 is a field in which the type of command is stored. The type of the command is, for example, "0x0101: Notification of update of address authentication information".

The Sequence ID 702 is a field in which a different numerical value is stored for each update notification message in order to detect duplication of update notification messages. The Security ID 702 is set to a monotonically increasing counter value possessed by the secure hub that sends the update notification message. This counter value is incremented each time the secure hub sends a communication message, in other words, it is incremented by one. The Sequence ID 702 is effective in defending against a save & replay attack that overwrites past information by capturing an update notification message and resending it later.

The SwitchID703 is a field in which the device ID of the secure hub that sent the update notification message is stored.

NuMofEntry704 is a field in which a numerical value indicating the number of address authentication information included in the body portion of the update notification message is stored.

The body portion includes n Entry 705s for storing address authentication information and a MessageAtumenticationCode706. Here, n is a numerical value stored in NuMofEntry704. The MessageAtumentationCode706 stores authentication information for data including n Entry 705 included in the header portion and the body portion.

The MessageAtumentationCode706 stores the authentication information of the update notification message. The Message Authentication Code 706 is authentication information generated by, for example, an HMAC (Hash-based Message Authentication Code) algorithm defined by RFC 2104. The secure hub uses the key information stored in the group key information 213 as a private key in the HMAC algorithm. The secure hub has the same private key, that is, the validity of the communication message is successfully verified only with the secure hubs belonging to the same group. This allows the secure hub to send communication messages only to secure hubs that belong to the same group.

The address authentication information 210 generated by the own device is stored in the Entry 705. The address authentication information 210 generated by the own device means that the device ID 501 of the address authentication information 210 shown in FIG. 5 matches the own device ID. The port ID 502 of the address authentication information 210 is stored in Port 707, the method 503 of the address authentication information 210 is stored in the Mode 708, the MAC address 505 of the address authentication information 210 is stored in the MAC Address 709, and the IP address 506 of the address authentication information 210 is the IP Address 710. By storing in, Entry705 is generated.

6. Configuration of IP Header Next, the details of the IP header will be described. FIG. 10 is a diagram showing an Ethernet (registered trademark) frame 600C including an IP packet used when a device on the network performs IP communication specified by RFC791.

In FIG. 10, the IP header 1700 is stored in Payload 606 of the Ethernet (registered trademark) frame 600C and is used to identify the destination address. The IP header 1700 includes a SourceIPAddress1702 and a DestinationIPAddress1703, and is used for identifying a destination IP address and a source IP address.

7. Operation of Secure Hub Next, the operation of Secure Hub will be described. In the present embodiment, as the operation of the secure hub, a process of registering the address authentication information 210 after learning the packet forwarding status and a process of forwarding the packet using the registered address authentication information 210 will be described separately. .. However, it is not essential to perform the two processes separately as the operation of the secure hub. That is, as the operation of the secure hub, the process of registering the address authentication information 210 may be performed while performing the process of forwarding the packet.

7-1. Address Authentication Information Registration Process FIG. 11 is a flowchart showing a process of registering address authentication information by the secure hub 102 in the present embodiment. Although the processing of the secure hub 102 will be described, the same description holds for the secure hub 104. The same shall apply hereinafter.

In step S801, the secure hub 102 waits until a packet is received from any of the ports P1, P2, P3, and P4. When a packet is received by any of ports P1, P2, P3 and P4, the transfer processing unit 204 transfers the received packet to the packet transfer control unit 202.

In step S802, the packet transfer control unit 202 determines whether or not the packet received in step S801 is an ARP packet. In the case of an ARP packet (YES in step S802), the packet transfer control unit 202 performs the process of step S803. If it is not an ARP packet (NO in step S802), the packet transfer control unit 202 performs the process of step S804.

In step S803, the packet transfer control unit 202 extracts ARP-S-IP617, which is the IP address of the source of the ARP packet, and ARP-S-MAC616, which is the MAC address of the source, and receives the port number. And register it in the transfer destination table 211.

The MAC address of the source may be extracted from the S-MAC 604 of the Ethernet (registered trademark) frame 600 instead of being extracted from the ARP-S-MAC 616 of the ARP packet 610.

In step S804, the packet transfer control unit 202 determines the destination port in order to deliver the packet to the communication partner, and notifies the transfer processing unit 204 of the port ID of the determined destination port. The detailed processing of step S804 will be described later.

In step S805, the transfer processing unit 204 sends a packet by the destination port based on the port ID notified in step S804.

In step S806, the packet transfer control unit 202 determines whether or not the learning period for learning the packet transfer status has been completed. If it is determined that the learning period has not been completed (NO in step S806), the process returns to step S801. When it is determined that the learning period is completed (YES in step S806), the packet transfer control unit 202 performs the process of step S807.

In step S807, the packet transfer control unit 202 registers the address authentication information 210 using the transfer destination table 211. The packet transfer control unit 202 extracts a reliable MAC address and IP address set from the transfer destination table 211. Specifically, the packet transfer control unit 202 has only one MAC address in one port among the set of port ID 401, MAC address 402, and IP address 403 (see FIG. 4) registered in the transfer destination table 211. Extract the associated pair. Then, the packet transfer control unit 202 sets a set of a MAC address and an IP address to which one MAC address is associated with one port as a set of a reliable MAC address and an IP address, and sets this set as a set of its own device. The device ID and the extracted port ID are associated and registered in the address authentication information 210.

If the packet transfer control unit 202 has a plurality of sets associated with one MAC address, the packet transfer control unit 202 may extract these plurality of sets. Then, a plurality of extracted sets may be used as a set of reliable MAC addresses and IP addresses, and the device ID of the own device and the extracted port ID may be associated with this set and registered in the address authentication information 210.

In this way, the packet transfer control unit 202 sets a pair of reliable MAC addresses and IP addresses to which one MAC address is associated with one port. This is because when one MAC address is associated with one port, it is assumed that a legitimate terminal is connected to the one port, in other words, no unauthorized terminal is connected. This means that if an unauthorized terminal is connected, it will be connected to the LAN cable to which the legitimate terminal is connected via a hub or the like, and in that case, a plurality of MAC addresses are associated with one port. Because it will be done.

In addition, when one unauthorized terminal is newly connected to a port (also referred to as "empty port") to which nothing is connected among the ports of the secure hub, one MAC address is associated with one port. However, this state can be prevented. This is because the empty port can be physically blocked in advance when constructing a network or the like, and can be protected from inserting a new LAN cable.

Further, the packet transfer control unit 202 registers "auto" as the method 503 of the address authentication information 210, and registers "n / a" as the sequence ID 504.

In step S808, the secure hub 102 notifies another secure hub of the address authentication information 210 registered in step S807. The detailed processing of step S808 will be described later.

It is assumed that a set in which one MAC address is associated with one port is registered in the address authentication information 210, but the present invention is not limited to this, and is associated with a port set as a reliable port by the administrator. The thing may also be registered in the address authentication information 210. The setting by the administrator is made through the setting input unit 209.

Next, the detailed processing of step S808 will be described. FIG. 12 is a flowchart showing a process of notifying another secure hub of the address authentication information 210 by the secure hub in the present embodiment.

In step S901, the packet transfer control unit 202 extracts the set registered by the own device, that is, the secure hub 102 from the address authentication information 210. Specifically, the packet transfer control unit 202 extracts a set in which the device ID 501 matches the device ID of the secure hub 102 from the address authentication information 210.

In step S902, the packet transfer control unit 202 generates an update notification message 700 of the address authentication information 210 including the set extracted in step S901. Then, the packet transfer control unit 202 stores the generated update notification message 700 in the Payload 606 of the Ethernet (registered trademark) frame 600.

In step S903, the packet transfer control unit 202 broadcasts the Ethernet (registered trademark) frame 600 generated in step S902 by all ports via the transfer processing unit 204.

FIG. 13 is a flowchart showing a process when the administrator manually sets the address authentication information 210 in the present embodiment. Step S808A, which is a series of processes shown in FIG. 13, is a process included in step S808 of FIG.

In step S1001, the setting input unit 209 of the secure hub 102 receives input of a reliable IP address, MAC address, and port ID set from the administrator.

In step S1002, the setting input unit 209 registers the set input in step S1001 in the address authentication information 210. The setting input unit 209 registers "manual" as the method 503 of the address authentication information 210, and registers "n / a" as the sequence ID 504.

In step S808, the secure hub 102 notifies another secure hub of the address authentication information 210 registered in step S1002. Step S808 is the same as step S808 in FIG.

7-2. Packet forwarding process Next, the packet forwarding process of the received packet in the secure hub will be described in detail. FIG. 14 is a flowchart showing the transfer processing of the received packet in the present embodiment.

In step S1101, the secure hub 102 waits until it receives a packet on any of ports P1, P2, P3, and P4. When a packet is received by any of ports P1, P2, P3, and P4, the transfer processing unit 204 transfers the received packet to the packet transfer control unit 202.

In step S1102, the packet transfer control unit 202 determines whether or not the packet received in step S1101 includes the update notification message 700 of the address authentication information. In the case of the address authentication information update notification message 700 (YES in step S1102), the packet transfer control unit 202 performs the process of step S1103. If it is not the address authentication information update notification message 700 (NO in step S1102), the packet transfer control unit 202 performs the process of step S1104.

In step S1103, the packet transfer control unit 202 executes reception processing of the update notification message 700 of the address authentication information 210 included in the packet received in step S1101. The details of the process of step S1103 will be described later.

In step S1104, the packet transfer control unit 202 determines whether or not the packet received in step S1101 can be transferred. A detailed description of step S1104 will be described later.

In step S1105, the packet transfer control unit 202 performs the process of step S804 when it is determined in step S1104 whether or not transfer is possible (YES in step S1105). Further, the packet transfer control unit 202 performs the process of step S1107 when it is determined that the transfer is not possible in the determination of whether or not the packet can be transferred (NO in step S1105).

In step S804, the packet transfer control unit 202 determines the transmission destination port in order to deliver the packet to the communication partner, and notifies the transfer processing unit 204 of the port ID of the determined port.

In step S1106, the transfer processing unit 204 transmits a packet by the destination port based on the port ID notified in step S804.

In step S1107, the packet transfer control unit 202 displays that the packet received in step S1101 cannot be transferred, or notifies another device.

In step S1108, the transfer processing unit 204 discards the packet received in step S1101.

The means for notifying that the packet received in step S1101 cannot be transferred is not particularly limited in this embodiment. For example, if the secure hub 102 is equipped with a monitor, it may be displayed on the monitor. In addition, other devices such as a rotating light are notified that the packet cannot be transferred by Simple Network Management Protocol (SMP) communication defined by, for example, RFC3411, and the packet is visualized by rotating and emitting light with the rotating light. You may do it.

7-3. Address authentication information update process Next, the detailed process of step S1103 will be described. FIG. 15 is a flowchart showing an update process of the address authentication information 210.

In step S1201, the packet transfer control unit 202 acquires the group key of the group to which the secure hub 102 belongs from the group key information 213, and the update notification message 700 received in step S1101 is notified from the secure hub of the same group. Determine if it exists. Specifically, the packet transfer control unit 202 sets up in step S1101 when the authentication information generated by the HMAC algorithm using the group key of the secure hub 102 and the value of the MessageAuctionationCode706 stored in the update notification message 700 match. If it is determined that the update notification message 700 received in step 2 is notified from the secure hub of the same group and does not match, the update notification message 700 received in step S1101 is not notified from the secure hub of the same group. Is determined.

If it is determined that the update notification message 700 received in step S1101 is not notified from the secure hub of the same group (NO in step S1201), the packet transfer control unit 202 performs the process of step S1202. On the other hand, when it is determined that the update notification message 700 received in step S1101 is notified from the secure hub of the same group (YES in step S1201), the packet transfer control unit 202 processes the process in step S1203. I do.

In step S1202, the packet transfer control unit 202 discards the packet received in step S1101.

In step S1203, the packet transfer control unit 202 acquires the SwitchID703 stored in the update notification message 700 received in step S1101. Next, a set including the device ID 501 that matches the SwitchID 703 is extracted from the address authentication information 210, and whether or not the Sequence ID 702 stored in the update notification message 700 is larger than the value of the sequence ID 504 of the extracted set. Is determined. If it is determined that the Sequence ID 702 is larger (YES in step S1203), the packet transfer control unit 202 performs the process of step S1204, and if not (NO in step S1203), the packet is packet. The transfer control unit 202 performs the process of step S1202.

In step S1204, the packet transfer control unit 202 deletes the set extracted from the address authentication information 210 in step S1203 from the address authentication information 210, and newly registers the Entry 705 stored in the update notification message 700 in the address authentication information 210. do. The values of SwitchID703 and SequenceID702 are stored in the device ID 501 and the sequence ID 504, respectively.

7-4. Packet transfer determination processing Next, the detailed processing of step S1104 will be described. FIG. 16 is a flowchart of the transfer determination process of the received packet.

In step S1301, the packet transfer control unit 202 determines whether or not the ARP operation type (Operation 615) of the packet received in step S1101 is a response. When it is determined that the operation type of the ARP is a response (YES in step S1301), the packet transfer control unit 202 executes the process of step S1302. If it is determined that the ARP operation type is not a response (NO in step S1301), the packet transfer control unit 202 executes the process of step S1311.

If the packet received in step S1101 is not an ARP packet, the process of "when it is determined that the operation type of ARP is not a response" is performed.

In step S1302, the packet transfer control unit 202 performs ARP-S-MAC616 and ARP-S-IP617 stored in the ARP packet in order to carry out the validity check of the ARP packet contained in the Ethernet (registered trademark) frame. , And ARP-D-MAC618 and ARP-D-IP619 are designated as validation targets.

In step S1303, the packet transfer control unit 202 performs an ARP packet validity check on the inspection target specified in step S1302. Details of the validation test will be described later.

In step S1304, the packet transfer control unit 202 includes the result of the validity check for ARP-S-MAC616 and ARP-S-IP617 designated as inspection targets, and the ARP-D-MAC618 and ARP-D- designated as inspection targets. Obtain the result of the validation test for IP619. Then, when the packet transfer control unit 202 determines that all the results of the two validity tests are valid (YES in step S1304), the packet transfer control unit 202 executes the process of step S1327. When the packet transfer control unit 202 determines that the result of at least one of the two validation tests is not valid (NO in step S1304), the packet transfer control unit 202 executes the process of step S1328.

In step S1311, the packet transfer control unit 202 checks whether or not the operation type of ARP of the packet received in step S1101 is a request. When the operation type of ARP is a request (YES in step S1311), the packet transfer control unit 202 executes the process of step S1312. If the ARP packet type is not a request (NO in step S1311), the packet transfer control unit 202 executes the process of step S1321.

If the packet received in step S1101 is not an ARP packet, the process of "when it is determined that the ARP operation type is not a request" is performed.

In step S1312, the packet transfer control unit 202 performs ARP-S-MAC616 and ARP-S-IP617 stored in the ARP packet in order to perform the validity check of the ARP packet contained in the Ethernet (registered trademark) frame. Is specified as a validity check target.

In step S1313, the packet transfer control unit 202 performs an ARP packet validity check on the inspection target specified in step S1312. The content of the process in step S1313 is the same as that in step S1303.

In step S1314, the packet transfer control unit 202 acquires the result of the validity check for the ARP-S-MAC616 and the ARP-S-IP617 which are the inspection targets specified in step S1312. When the packet transfer control unit 202 determines that the result of the validity check is valid (YES in step S1314), the packet transfer control unit 202 executes the process of step S1327. When the packet transfer control unit 202 determines that the result of the validity check is not valid (NO in step S1314), the packet transfer control unit 202 executes the process of step S1328.

In step S1321, the packet transfer control unit 202 designates S-MAC 604 and SourceIPAddress1702 as validation targets in order to carry out the validation of the Ethernet (registered trademark) frame.

In step S1322, the packet transfer control unit 202 performs a validity check on the inspection target specified in step S1321. The content of the process in step S1322 is the same as that in step S1303.

In step S1323, the packet transfer control unit 202 acquires the result of the validity check for the inspection target S-MAC604 and SourceIPAddress1702 specified in step S1321. When the packet transfer control unit 202 determines that the result of the validity check is valid (YES in step S1323), the packet transfer control unit 202 executes the process of step S1324. When the packet transfer control unit 202 determines that the result of the validity check is not valid (NO in step S1323), the packet transfer control unit 202 executes the process of step S1328.

In step S1324, the packet transfer control unit 202 designates the D-MAC 603 and the Destination IPAddress 1703 as the validation target in order to perform the validation of the Ethernet (registered trademark) frame.

In step S1325, the packet transfer control unit 202 performs a validity check on the inspection target specified in step S1324. The content of the process in step S1325 is the same as that in step S1303.

In step S1326, the packet transfer control unit 202 acquires the result of the validity check for the inspection target D-MAC603 and Destiny IPAdress1703 specified in step S1324. When the packet transfer control unit 202 determines that the result of the validity check is valid (YES in step S1326), the packet transfer control unit 202 executes the process of step S1327. When the packet transfer control unit 202 determines that the result of the validity check is not valid (NO in step S1326), the packet transfer control unit 202 executes the process of step S1328.

In step S1327, the packet transfer control unit 202 determines that the packet received in step S1101 can be transferred.

In step S1328, the packet transfer control unit 202 determines that the packet received in step S1101 cannot be transferred.

7-5. Validation processing Next, the validation processing of the received packet will be described. FIG. 17 is a flowchart showing a process of validating a received packet in the present embodiment. The process shown in FIG. 17 shows in detail the process included in step S1303 of FIG.

In step S1401, the packet transfer control unit 202 determines whether or not a set having the same IP address as the IP address designated as the inspection target is registered in the address authentication information 210. When it is determined that the above set is registered in the address authentication information 210 (YES in step S1401), the packet transfer control unit 202 executes step S1402. When it is determined that the above set is not registered in the address authentication information 210 (NO in step S1401), the packet transfer control unit 202 executes step S1403.

In step S1402, the packet transfer control unit 202 determines whether or not the MAC address included in the set having the same IP address as the IP address designated as the inspection target matches the MAC address designated as the inspection target. .. If it is determined that both MAC addresses match (YES in step S1402), the packet transfer control unit 202 executes the process of step S1405. If it is determined that the two MAC addresses do not match (NO in step S1402), the packet transfer control unit 202 executes the process of step S1406.

In step S1403, the packet transfer control unit 202 determines whether or not a set having the same MAC address as the MAC address designated as the inspection target is registered in the address authentication information 210. When it is determined that the above set is registered in the address authentication information 210 (YES in step S1403), the packet transfer control unit 202 executes the process of step S1404. When it is determined that the above set is not registered in the address authentication information 210 (NO in step S1403), the packet transfer control unit 202 executes the process of step S1405.

In step S1404, the packet transfer control unit 202 determines whether or not the IP address included in the set having the same MAC address as the MAC address designated as the inspection target matches the IP address designated as the inspection target. .. If it is determined that both IP addresses match (YES in step S1404), the packet transfer control unit 202 executes the process of step S1405. If it is determined that the two IP addresses do not match (NO in step S1404), the packet transfer control unit 202 executes the process of step S1406.

In step S1405, the packet transfer control unit 202 determines that the inspection target is appropriate.

In step S1406, the packet transfer control unit 202 determines that the inspection target is not valid.

When a new IP address is assigned to the network interface card of the device, a plurality of IP addresses are registered for one MAC address. Therefore, the originally received Ethernet (registered trademark) frame is determined to be invalid where it is determined to be valid.

In order to avoid this situation, the address authentication information 210 may be updated before the validation process.

Specifically, when the operation type of the ARP is response (YES) in step S1301, the packet transfer control unit 202 uses the method 503 associated with the port ID 502 of the port that received the ARP packet. If the set "auto" does not exist in the address authentication information 210, ARP-S-MAC616 and ARP-S-IP617 are newly registered in the address authentication information 210 as reliable IP addresses and MAC addresses.

Further, when the set of "auto" in the method 503 associated with the port ID 502 of the port that received the ARP packet already exists in the address authentication information 210, the ARP-S-MAC616 and the MAC address of the received ARP packet are present. If it is the same as 505, ARP-S-MAC616 and ARP-S-IP617 are registered in the address authentication information 210 as reliable IP addresses and MAC addresses. This is because it is determined that a new IP address needs to be added.

Further, if the ARP-S-MAC616 of the received ARP packet and the MAC address 505 are not the same, it is determined that a new device is connected via the hub, and the method 503 associated with the port ID 502 of the port is used. The set of "auto" is deleted from the address authentication information 210.

7-6. Process of determining the destination port Next, the process of determining the destination port for the received packet will be described in detail. FIG. 18 is a flowchart showing a process of determining a destination port of a received packet in the present embodiment.

In step S1501, the transfer processing unit 204 acquires the D-MAC 603 which is the destination MAC address of the packet received in step S1101.

In step S1502, the transfer processing unit 204 determines whether or not a set including the same MAC address 402 as the D-MAC 603 exists in the transfer destination table 211. If it is determined that the above set exists (YES in step S1502), the transfer processing unit 204 executes the process of step S1503. If it is determined that there is no matching pair (NO in step S1502), the transfer processing unit 204 executes the process of step S1504.

In step S1503, the transfer processing unit 204 selects the port ID 401 included in the set having the D-MAC 603 included in the transfer destination table 211 as the transmission destination port.

In step S1504, the transfer processing unit 204 selects a port other than the port that received the packet in step S1101 as the transmission destination port.

8. Effect of the Embodiment In the present embodiment, the secure hub 102 generates the address authentication information 210 that stores the correspondence between the reliable IP address and the MAC address, and shares it with another secure hub 104. Then, the secure hubs 102 and 104 determine whether or not the received packet can be forwarded based on the address authentication information 210, and forward only the packet that can be forwarded. The secure hub 102 collects the trusted IP address and MAC address of the SCADA 112 by being connected to a device to be protected, such as the SCADA 112. Then, the collected IP address and MAC address are shared with the remote secure hub 104 to prevent the transfer of packets from the PC 114 impersonating the SCADA 112 to the device (for example, PLC115) connected to the secure hub 104. Can be done.

This corresponds to preventing unauthorized communication in which the communication device TC in FIG. 1 transmits a packet PC disguised as the address of the communication device TB to the communication device TA.

Therefore, it is possible to protect the communication between the devices simply by connecting the secure hub of the present embodiment to the device to be protected, and maintain a part of the equipment in the existing communication network to suppress the investment cost and secure the security. Can be improved.

9. Other Modifications Although the present invention has been described based on the above-described embodiment, the present invention is not limited to the above-described embodiment. The following cases are also included in the present invention.

(1) In the above embodiment, the case of using IP communication on Ethernet has been described as an example, but the present invention is not limited to this. For example, it can be applied to any network model in which a protocol such as ARP that solves the address information between the two layers exists, such as the relationship between the data link layer and the network layer in the OSI reference model.

(2) In the above embodiment, the case of protecting the data communication between the devices installed in the factory has been described as an example, but the present invention is not limited to this. For example, it can be applied to protect communication between ECUs (Electro Control Units) mounted on a vehicle.

(3) In the above embodiment, it has been described that a fixed IP address is assigned to the device in advance, but the present invention is not limited to this. You may use DHCP (Dynamic Host Configuration Protocol) that automatically assigns an IP address when the device connects to the communication network. In this case, the secure hub may also monitor the DHCP communication and generate the address authentication information based on the IP address and MAC address information given to each device.

(4) In the above embodiment, the address authentication information update notification message 700 is sent by broadcasting, but the present invention is not limited to this. The IP addresses of all secure hubs that share address authentication information may be retained and transmitted by unicast.

(5) Each device in the above embodiment may be composed of one system LSI (Large Scale Integration: large-scale integrated circuit) in part or all of the constituent elements. A system LSI is a super-multifunctional LSI manufactured by integrating a plurality of components on one chip, and specifically, is a computer system including a microprocessor, ROM, RAM, and the like. .. A computer program is recorded in the RAM. The system LSI achieves its function by operating the microprocessor according to the computer program.

Further, each part of the constituent elements constituting each of the above-mentioned devices may be individually integrated into one chip, or may be integrated into one chip so as to include a part or all of them.

Further, although the system LSI is used here, it may be referred to as an IC, an LSI, a super LSI, or an ultra LSI depending on the degree of integration. Further, the method of making an integrated circuit is not limited to the LSI, and may be realized by a dedicated circuit or a general-purpose processor. An FPGA (Field Programmable Gate Array) that can be programmed after the LSI is manufactured, or a reconfigurable processor that can reconfigure the connection and settings of the circuit cells inside the LSI may be used.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. The application of biotechnology may be possible.

(6) A part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system composed of a microprocessor, ROM, RAM and the like. The IC card or module may include the above-mentioned super multifunctional LSI. When the microprocessor operates according to a computer program, the IC card or the module achieves its function. This IC card or this module may have tamper resistance.

(7) The present invention may be the method shown above. Further, it may be a computer program that realizes these methods by a computer, or it may be a digital signal composed of a computer program.

The present invention also relates to recording media capable of computer-readable computer programs or digital signals, such as flexible disks, hard disks, CD-ROMs, MOs, DVDs, DVD-ROMs, DVD-RAMs, and BDs (Blu-ray®). ) Disc), may be recorded in a semiconductor memory or the like. Further, it may be a digital signal recorded on these recording media.

Further, the present invention may transmit a computer program or a digital signal via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like.

Further, the present invention is a computer system including a microprocessor and a memory, in which the memory records a computer program, and the microprocessor may operate according to the computer program.

It may also be carried out by another independent computer system by recording the program or digital signal on a recording medium and transferring it, or by transferring the program or digital signal via a network or the like.

In each of the above embodiments, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory. Here, the software that realizes the communication protection device of each of the above embodiments is the following program.

That is, this program is a method for controlling a communication protection device in a computer, wherein the communication protection device includes a memory for holding address authentication information including an address of at least one device, and the control method is a first method. Whether or not the communication step of receiving a packet from the device and transmitting the received packet to the second device and the address of the second device included in the packet are included in the address authentication information. When it is determined whether or not the address of the second device is included in the address authentication information, a control method including a control step of discarding the packet is executed.

Although the communication protection device and the like according to one or more embodiments have been described above based on the embodiment, the present invention is not limited to this embodiment. As long as it does not deviate from the gist of the present invention, a form in which various modifications conceived by those skilled in the art are applied to the present embodiment or a form constructed by combining components in different embodiments is also within the scope of one or a plurality of embodiments. May be included within.

INDUSTRIAL APPLICABILITY The present invention is useful as a method for controlling a communication protection device and a communication protection device against an attack or the like attempting to illegally acquire data via a network.

10 Communication system 100 Internet line 101 Router 102, 104 Secure hub 103, 105, 106, H1, H2, H3 hub 110, 115 PLC
111, 113, 114, 116 PC
112 SCADA
201 Storage area 202 Packet transfer control unit 204 Transfer processing unit 209 Setting input unit 210 Address authentication information 211 Forwarding destination table 213 Group key information 401, 502 Port ID
402, 505 MAC address 403, 506 IP address 501 Device ID
503 Method 504 Sequence ID
600, 600A, 600B, 600C Ethernet® Frame 601 Premium
602 SFD
603 D-MAC
604 S-MAC
605 EtherType
606 Payload
607 FCS
610 ARP packet 610A ARP request packet 610B ARP reply packet 611 HardwareType
612 ProtocolType
613 HardwareLength
614 ProtocolLength
615 Operation
616 ARP-S-MAC
617 ARP-S-IP
618 ARP-D-MAC
619 ARP-D-IP
700 Update notification message 701 CommandID
702 Sequence ID
703 SwitchID
704 NuOfEntry
705 Entry
706 Message Authentication Code
707 Port
708 Mode
709 MAC Address
710 IP Address
1700 IP Header 1702 SourceIPAddress
1703 Destination IPAddress
P1, P2, P3, P4 port PA, PB, PC packet TA, TB, TC communication device

Claims (8)

A communication unit that receives a packet from the first device and transmits the received packet to the second device so as to connect a plurality of devices including the first device and the second device. A communication unit that includes multiple configured ports,
A memory that holds address authentication information including a set of physical and logical addresses of at least one device, after the communication unit sends and receives packets.
(A) Of the plurality of ports, the port ID of the port to which a single set of one physical address and one logical address is associated and the single set are used as the address authentication information. Registered and
(B) Of the plurality of ports, the port ID of the port to which a plurality of pairs of one physical address and one logical address are associated with each other and the plurality of pairs are registered in the address authentication information. Not, memory and
When the physical address or logical address of the first device and the second device included in the packet is included in the address authentication information, the physical address and the logical address of the first device and the second device The set includes a control unit that determines whether or not the set of the physical address and the logical address included in the address authentication information matches, and if it is determined that the set does not match, the packet is discarded.
Communication protection device. The memory further holds a group key shared with another communication protection device different from the communication protection device.
The control unit further
An update notification message including the address of the third device and the message authentication information is received from the other communication protection device via the communication unit.
When the authentication information generated by the predetermined algorithm using the group key and the message authentication information match, the address of the third device included in the update notification message is authenticated. Update by adding to the information,
The communication protection device according to claim 1. The control unit further
The address authentication information is transmitted to another communication protection device different from the communication protection device via the communication unit.
The communication protection device according to claim 1. The address authentication information includes a set of an address of the at least one device and a sequence ID.
The control unit includes the sequence ID incremented each time the address authentication information is transmitted to the other communication protection device via the communication unit in the address authentication information.
The communication protection device according to claim 3. The control unit collects the addresses of devices capable of communicating with the communication unit, and updates the address authentication information based on the collected addresses.
The communication protection device according to claim 1. The address authentication information is a set of a MAC (Media Access Control) address and an IP (Internet Protocol) address.
When the control unit updates the address authentication information, if there is only one set of the MAC addresses associated with one of the IP addresses among the collected addresses, the control unit authenticates the set. Update by adding to the information,
The communication protection device according to claim 5. It is a control method for communication protection devices.
The communication protection device is
A communication unit including a plurality of ports configured to connect a plurality of devices including a first device and a second device, and a communication unit.
A memory that holds address authentication information including the address of at least one device, after the communication unit sends and receives packets.
(A) Of the plurality of ports, the port ID of the port to which a single set of one physical address and one logical address is associated and the single set are used as the address authentication information. Registered and
(B) Of the plurality of ports, the port ID of the port to which a plurality of pairs of one physical address and one logical address are associated with each other and the plurality of pairs are registered in the address authentication information. Not equipped with memory
The control method is
A communication step of receiving a packet from the first device and transmitting the received packet to the second device.
It is determined whether or not the pair of the physical address and the logical address of the second device included in the packet is included in the address authentication information, and the physical address and the logical address of the second device are used. A control method including a control step of discarding the packet when it is determined that the set of is not included in the address authentication information. A program for causing a computer to execute the control method according to claim 7.

Images