JPH1132047A - Packet filtering system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a packet filtering function by providing an MPOA server for receiving an address solution request message inserted by a transmission side MPOA client, reading a transmission/reception IP address and a TCP or UDP port number, performing decision, advancing or stopping an address solution means and limiting the setting of a short cut VCC. SOLUTION: An MPC processing part 22 reads the transmission/reception IP address and the TCP/UDP port number in the received address solution request message, an MPS packet filtering function part 28 is retrieved and a decision processing is performed so as to receive a packet through the short cut VCC. When a solution is not permitted, the message is abandoned and the setting of the short cut VCC is interrupted. When it is permitted, a route to an exit side MPC is retrieved by using a routing part 27 from the reception IP address, the message is transmitted and an MPOA resolution reply is sent to an entrance side MPC.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to the Internet based on the TCP / IP protocol using an asynchronous transfer network, and more particularly to a packet filtering system for passing only data permitted to implement a security function on the Internet.

[0002]

2. Description of the Related Art An IP (Internet Proto
col) and TCP (Transpor) for the transport layer
t Control Protocol) using TCP / IP (Transp
Routers are conventionally used to interconnect ort Control Protocol / Internet Protocol) networks. The router has a plurality of network interfaces and terminates processing up to the network layer. In addition, the processing of the transport layer may be partially performed.

One of the functions of the router is to secure communication security by selectively passing packets, that is, filtering. Now, it is assumed that an IP node existing outside a certain network communicates with an IP node existing inside the network. At this time, the packet passes through a router disposed at the entrance / exit of the network, and the router reads the headers of the network layer and the transport layer in the packet to be passed and performs a transfer process. Therefore, TCP / IP that can pass
The IP address of the transmitting node and the receiving node of the packet and the TCP / UDP (Transport Control Protocol / User)
If a port number of Datagram Protocol is set in advance and set so as to discard packets that do not correspond to the port number, access can be restricted.
That is, it is possible to prevent an IP node inside the network from being externally accessible, or to prohibit access to a specific port in the transport layer. These are called packet filtering at the network layer level or packet filtering at the transport layer level, respectively, and are effective in enhancing communication security.

On the other hand, in order to increase the speed of a network, a high-speed ATM (Asynchronous Traffic) is used instead of a router.
nsfer Mode: TC using an exchange
Technologies for building a P / IP network have been developed. For example, OSI (OpenSystems Interconnectio
n: Open system interconnection) ATM is used for the second and lower layers in the hierarchical model, and TCP / I is used for the third and fourth layers.
The communication method when using the P protocol is being discussed at the ATM Forum, etc.
Specifications such as M Forum 96-0824r9 "have been published.
The specification of “ATM Forum 96-0824r9” is MPOA (Multipro
tocol over ATM: mechanism for transferring multiprotocols)
A terminal or network device having an ATM network interface is defined as an MPOA client (MPC), and a device having a router function is defined as an M
A network is configured as a POA server (MPS).

When the MPC transfers a MAC frame,
When the destination is an MPC in the same subnet or a terminal accommodated in the MPC, communication is performed using a LAN (Local Area Network: Enterprise Information Communication Network) emulation (LANE) protocol defined by the ATM forum. Do. Destination is in a different subnet and M
A router having a PS (server in an MPOA network) function reads an IP address in a MAC (Media Access Control) frame and reads the IP address.
Packets are counted for each address. If the obtained count value is equal to or less than a certain value within a unit time, a MAC frame is transmitted to the MPS, and the MP
S performs the same operation as a conventional router, and sends an IP packet to a node having a destination IP address.

On the other hand, if the count value exceeds the above-mentioned fixed value within a unit time, MA
Instead of transmitting a C frame, a VCC (Vi) is sent to an MPC existing on the same subnet as the node having the destination IP address.
rtual Channel Connection) and sends packets through that VCC. As a result, the router (MPS) is short-cut and A
An IP packet can be transmitted from the MPC on the entry side of the TM to the MPC on the exit side. Therefore, the aforementioned V
CC is called a shortcut VCC. Here, the entry side of the ATM is an MPOA from another network.
(Multiprotocol Over ATM: a mechanism for transferring a multiprotocol over an ATM) A node where data flows into a network is shown, and an exit side is a node where data flows out of an MPOA network to many networks.

In order to set the shortcut VCC, it is necessary for the ingress MPC to obtain the ATM address of the egress MPC from the IP address of the destination in the packet. For this reason, the ingress side MPC sends an MPOA resolution request (Resolution Request) to the MPS in the same subnet. When the MPS is on the same subnet as the egress MPC, the MPOA resolution reply (Resolution) is sent to the ingress MPC.
Reply) and sends an MPOA Imposition Request to the egress-side MPC. Further, in order to make the MAC frame transmitted through the shortcut VCC look as if it was transmitted from the egress MPS, the egress MPC needs to transmit the MAC frame with the layer 2 information. For this reason,
The egress MPS notifies the egress MPC with the MPOA imposition request message described above. M
When the PS is in a different subnet from the egress MPC, an MPOA resolution request message is sent to the next MPS.

When the ingress MPC has acquired the ATM address of the egress MPC in the procedure described above, the standard AT
M signaling procedure (ATM Forum UNI3.1 or IT
U-TQ. 2931), the inlet side MPC and the outlet side MPC
The shortcut VCC is set during the period. And thereafter
Data that needs to be transmitted to the egress-side MPC is transmitted through the shortcut VCC. This enables faster data transfer than transmitting a packet to the MPS.

[0009]

SUMMARY OF THE INVENTION As described above, M
In the POA method, a TCP / UDP packet transmitted by using a shortcut VCC is divided into 48-byte cells by an ingress MPC and transmitted to a network. Then, the relay ATM exchange is switched with the cell as it is, and reassembled into a TCP / UDP packet at the egress MPC. Therefore, unlike the case where a router is used, the relay ATM switch uses TCP / UDP in the packet.
Does not read headers or IP headers. Therefore, when an ATM switch is used, there has been a problem that filtering of packets at a transport layer level or a network layer level, which has been conventionally performed by a router, becomes impossible.

An object of the present invention is to provide a packet filtering system that can realize a packet filtering function similar to that of a router in an MPOA network.

[0011]

According to the first aspect of the present invention, in an MPOA network for multi-protocol transfer constructed on an ATM network in an asynchronous transfer mode, a transmitting MPOA client starts an address resolution procedure, ATM of egress MPC from received IP address
In a communication system that acquires an address,
(A) In the address resolution request message, TCP or connectionless as a transport layer protocol in a form of connecting a connection relationship called a connection with a transmission / reception IP address of a packet to be transmitted through a shortcut VCC as a shortcut virtual channel connection to be set up from now on A sending MPOA client provided with an inserting means for inserting a UDP port number as a transport layer protocol of a form only for data transfer, and (b) an address resolution request message inserted by the sending MPOA client. And reads the transmission / reception IP address and TCP or UDP port number in this message, and determines whether or not to respond to the address resolution request according to a preset filtering criterion. And judging means, allowed to proceed for address resolution procedure if responding to the result as the address resolution request is determined in the determination means, shortcut be discontinued address resolution when no response to the address resolution request VC
A relay MP having a limiting means for limiting the setting of C
An OA server is provided in the packet filtering system.

According to the second aspect of the present invention, in the MPOA network for multi-protocol transfer constructed on the ATM network in the asynchronous transfer mode, the transmitting MPOA client activates an address resolution procedure, and converts the received IP address from the received IP address. In a communication system in which an ATM address of an egress-side MPC is obtained, (a) MPO
A server and (MP) this MPOA at the time of address resolution request
A transmission / reception IP address of a packet transmitted through a shortcut VCC as a shortcut virtual channel connection declared to a server, and a TCP or connectionless data transfer type transport layer protocol for establishing a connection relationship of connection. UD as port layer protocol
A first storage unit for storing a P port number; and a T which matches a content stored in the first storage unit when transmitting a packet.
A transmitting MPOA client having a transmitting means for transmitting only a CP / IP packet to a shortcut VCC; and (c) a transmitting / receiving IP address of a packet notified from the MPOA server and transmitted through the shortcut VCC when an address resolution request is made; Or a second storage unit for storing a UDP port number, and a TCP matching the content stored in the second storage unit at the time of packet reception.
The packet filtering system is provided with a receiving MPOA client having a packet filtering unit that receives only / IP from the shortcut VCC and discards other TCP / IP packets.

According to the third aspect of the present invention, an edge device or an ATM terminal as a device having an ATM interface and another network interface is TCP / UDP as a transport control protocol / user datagram protocol. By reading the header and IP header, the IP address and TCP / UD
It is characterized by realizing packet filtering by P port number.

That is, in the packet filtering system of the present invention, similarly to a conventional router, a criterion based on a filtering rule based on information of a transport layer and a network layer is described in the MPS. Then, when the ingress MPC resolves the ATM address of the egress MPC using the MPOA protocol as a method of performing communication by the TCP / IP protocol on the network using the ATM switch, transmission of a packet to be transmitted is performed. The receiving node's IP address, transport layer protocol (TCP or UDP), and TCP / UD
Declare the P port numbers and check with the MPS of the relay if they are prohibited by the criteria described above. As a result, if the access is not prohibited, the address resolution procedure proceeds. If the access is prohibited, the address resolution procedure is stopped and the shortcut VCC is not set, thereby implementing filtering at the time of setting the VCC.

In addition, after the VCC is set, the above-mentioned ingress MPC transmits only the TCP / IP packet having the attribute declared at the time of the address resolution request, and does not transmit any other packets to the shortcut VCC. To realize filtering at the time of data transmission. The egress-side MPC receives only the TCP / IP packet having the attribute declared from the ingress-side MPC through the ingress-side MPS at the time of the address resolution request, and discards the other packets. Thereby, filtering at the time of data reception is realized.

[0016]

BEST MODE FOR CARRYING OUT THE INVENTION

[0017]

DESCRIPTION OF THE PREFERRED EMBODIMENTS The present invention will be described in detail below with reference to embodiments.

In the packet filtering system according to the present embodiment, when IP packet communication is performed between MPCs in different subnets, transmission / transmission in an IP packet header is performed.
Filtering is performed by both the IP address of the receiving node and the TCP / UDP port number. The MPC may be a terminal having an ATM interface or a device having an ATM interface and another network interface (this is called an edge device). In the present embodiment, the latter case of an edge device will be described. In the embodiment, the IP
IP address or T of the receiving node in the packet header
Even if the packets have different CP / UDP port numbers, packets that pass through the same entry-side MPC and exit-side MPC use the same shortcut VCC.

FIG. 1 shows a functional configuration of an edge device according to an embodiment of the present invention. In this edge device, a LEC (LAN Emulation Client) processing unit 11 performs processing for transferring a MAC frame to an LEC in the same subnet using a LANEL (LAN Emulation) protocol. The MPC processing unit 12 connected to the LEC processing unit 11 converts the MAC frame that encapsulates the IP packet into an M
An address resolution procedure for transmitting / receiving to / from a PS or setting a shortcut VCC to an MPC in another subnet is performed.

LEC processing unit 11 and MPC processing unit 12
(Virtual Circuit) table 13 connected to
Performs registration and management of the VCC of the set ATM. The ATM VC termination unit 14 is an ATM (not shown).
It is an interface with a network, which assembles ATM cells into packets and decomposes packets into ATM cells. The non-ATM network interface 15 connected to the MPC processing unit 12
It is an input / output interface unit with a network other than the ATM.

The ATM signaling processing unit 16 connected to the VC table 13 and the ATM VC terminating unit 14
It controls and processes signaling for setting ATM VCC. The shortcut VCC table 17 connected to the MPC processing unit 12 stores the MPOA
9 is a table for a shortcut VCC set using a protocol and ATM signaling. Each shortcut VCC entry in the shortcut VCC table 17 has a TCP / I
The attribute of the P packet is written.

FIG. 2 shows a shortcut V at the entrance side MPC.
FIG. 3 shows an example of a shortcut VCC table at the exit-side MPC.

FIG. 4 shows a functional configuration of the MPS. The LEC (LAN Emulation Client) processing unit 21 communicates with LECs in the same subnet using the LANE (LAN Emulation) protocol. The MPS processing unit 22 connected to the LEC processing unit 21 performs input MPC processing based on the MPOA protocol.
And an address resolution procedure for setting a shortcut VCC for the egress MPC. The router function unit 23 is connected to another MPS or M
It performs processing as a router for transferring an IP packet transmitted from a PC to another MPS or an MPC in another subnet. LEC processing unit 21, MPS processing unit 22
And VC table 24 connected to router function unit 23
Performs registration and management of the set ATM VCC. ATM connected to this VC table 24
The VC terminating unit 25 is an interface with an ATM network (not shown), and assembles ATM cells into packets and disassembles packets into ATM cells.

The ATM signaling processing unit 26 connected to the VC table 24 and the ATM VC termination unit 25
It controls and processes signaling for setting up ATM VCC. MPS processing unit 22 and router function unit 23
The routing unit 27 connected to is a route search table for searching for an MPC or MPS in another subnet. This route search table may be dynamically set by a routing protocol or may be statically set by an administrator. The MPS packet filtering function 28 connected to the route search table 27
This is a part that limits the address resolution by the MPOA protocol through the PS and limits the setting of the shortcut VCC, which is set in advance by the administrator.

FIG. 5 shows an example of the MPS packet filtering function unit. In this figure, column "1" is
TCP “8010” port of the transmitting terminal whose IP address is “111.111.22.22” and TCP Nos. 25 to 100 of the receiving terminal whose IP address is “111.12.12.12” Indicates that a shortcut VCC may be set between the port and the port. The column “2” indicates that the IP address is “122.122.22.
"*" Is the UDP of the sending terminal in the network
(User Datagram Protocol) The application AP-1 using the port "517" and the IP address "1"
22.12.12. * Indicates that a shortcut VCC may be set between the receiving terminal and the application AP-1 using the UDP “8080” port of the receiving terminal existing in the network.

As shown in FIG. 5, when one entry is composed of a pair of a transmission IP address (or its prefix) and a reception IP address (or its prefix), and the address resolution is not prohibited here Only an address resolution unprocessed answer request is made.

FIG. 6 shows the flow of processing when the ingress MPC relays a MAC frame received from a network other than the ATM. First, the entrance side MPC
Reads the destination MAC address and destination IP address in the received MAC frame (step S10).
1). Then, it is determined whether or not the destination MAC address is an MPS in the same subnet (step S10).
2). MP whose destination MAC address is in the same subnet
If it is other than S (Y), a MAC frame is sent to the destination node using the LANE protocol (step S103).

On the other hand, when the destination MAC address is an MPS in the same subnet (step S10
2: N), the entry of the shortcut VCC in the shortcut VCC table 17 is searched using the destination IP address as a key (step S104). If no entry for this key is found (step S10
5: N), a new entry is created, the count value of the counter is set to “1”, and the received MAC frame is sent to the entry-side MPS (step S106). If an entry corresponding to this key is found (step S1
05: Y), it is determined whether or not the shortcut VCC has not been set (step S107).

FIG. 7 shows a processing procedure when an entry corresponding to a key is found but its shortcut VCC is not set. In this case, first, the count value is incremented by "1" (step S201). Then, the count value of the shortcut VCC entry is compared with a preset threshold value (step S20).
2). As a result, when the threshold value is larger (step S203: Y), the MAC frame is transmitted to the ingress-side MPS, and the process ends (end). If the count value is greater or equal, the I
The transmission / reception IP address in the P packet header and TCP /
Read the UDP port number and send the packet to the ingress MPS
(Step S204). Next, A of the exit side MPC
To get the TM address, MPOA resolution
MPS in the same subnet as the request message
(Step S205). Information specified by the standard MPOA protocol is added to this message, and the transmission / reception IP address and TCP / UDP port number of the IP packet read in step S204 are included. If the MPOA resolution request is successful, the next step is to send the MPO
A resolution reply is returned, A of exit side MPC
The TM address is notified (step S206).

Next, the entry MPC is added to the above-mentioned entry.
, The transmission / reception IP address of the TCP / IP packet to be transmitted, and the TCP / UDP port number are registered (step S207). And the exit side MP
With the ATM address of C as a destination, a standard ATM signaling procedure is performed to set a shortcut VCC (step S208). Then, the VPI / VCI (Virtua) of the shortcut VCC set in step S208
l Path identifier / Virtual Channel identifier (virtual path identifier / virtual channel identifier) is set in the shortcut VCC entry (step S2).
09).

FIG. 8 shows the flow of processing when an entry corresponding to a key is found in step S107 in FIG. 6 and a shortcut VCC has been set. In this case, first, the transmission / reception IP address and TCP / UDP port number of the IP packet header in the MAC frame are read (step S301). And the exit side M
Since the shortcut VCC to the PC is set,
The transmission / reception IP address and TCP / UDP port number in the set shortcut VCC entry are compared with the transmission / reception IP address and TCP / UDP port number in the IP packet called in step S301 (step S302). ). If all of these values match (step S303:
Y), the received MAC frame is transmitted to the shortcut VCC to the exit-side MPC of the entry described above (step S304).

If any of these values is not equal (step S303: N), an MPOA resolution request is transmitted to the ingress MPS, and the received MAC frame is transmitted to the ingress MPS (step S303). S3
05). In this message, the transmission / reception IP address and the TCP / UDP port number of the IP packet read in step S301 are included together with the part defined by the standard MPOA protocol. When the MPOA resolution request is successful and the MPOA resolution reply is returned from the MPS (step S30)
6: Y), the ATM address of the egress MPC is notified,
This means that the transmission of the IP packet is permitted.
Therefore, at this time, the transmission / reception address of the TCP / IP packet to be newly transmitted and the TCP / UDP port number are additionally registered in the above-mentioned entry (step S307).

If the MPOA resolution reply does not return from the MPS in step S306 (N), the IP packet is copied to the shortcut VCC.
The process is terminated because it is not permitted to transmit through (End).

FIG. 9 shows that the MPS receives M
It shows the flow of processing when receiving a POA resolution request message. First, the MPS processing unit 22 shown in FIG.
A resolution request message is received (step S401). Next, the transmission / reception IP address and TCP / UDP port number in the message are read (step S402). Then, the MPS packet filtering function unit 28 (FIG. 4) is searched to determine whether the address can be resolved in order to receive the packet through the shortcut VCC (step S4).
03). As a result, when the solution is not permitted (step S404: Y), the MPOA resolution
The request message is discarded, and the setting of the shortcut VCC for the input side MPC and the output side MPC is interrupted (step S405).

On the other hand, when the solution is permitted in step S404 (N), a route to the exit-side MPC is searched from the destination IP address using the routing unit 27 (step S406). When the egress MPC exists in a different subnet from the MPS (step S407: Y), the next-stage NHRP (Next Hop Res
Solution Protocol) The MPOA resolution request message is transferred to the server (step S408). When the egress MPC exists in the same subnet in step S407 (N), the MPOA cache imposition (Cache Impo
transmission) message (step S40)
9). In this message, in addition to the MAC address of this MPS, the MAC address of the destination IP node and the IP address of the destination specified by the standard MPOA protocol, and the packet of the packet sent through the shortcut VCC, A transmission IP address and a TCP / UDP port number for transmission and reception are included. Next, the entrance side M
MPOA Resolution Reply (Re
solution Reply) message.

FIG. 10 shows a state in which the MPC executes the shortcut VC.
It shows the flow of processing when an MPOA cache imposition message is received from the egress MPS to set C. First, an MPOA cache imposition message is received (step S
501). Next, from the MPOA cache imposition message, the ATM address of the ingress MPC defined by the standard MPOA protocol and the egress MPA
In addition to the MAC address of S and the MAC address of the receiving IP node, the receiving IP address of the transmitted IP packet and the TCP / IDP port number for transmission / reception are read (step S502).

Next, the ATM address of the entry side MPC,
Using the IP address of the receiving IP node as a key, an entry is searched for in the shortcut VCC table 17 (FIG. 1) (step S503). If there is no entry (step S504: Y), it is read out in step S502,
Transmission / reception IP address of TCP / IP packet to be transmitted, TCP / IDP port number, AT of entrance MPC
M address, the MAC address of the egress MPS and the MAC address of the receiving IP node
It is registered in the C table 17 (step S505). Then, the shortcut V is set according to the ATM signaling procedure.
Since the VPI / VCI of the CC is determined, the value is registered in the above-mentioned entry (step S506).

If the entry already exists in step S504, the transmission IP address of the packet to be transmitted, read out in step S502, and the transmission / reception TCP /
The IDP port number is additionally registered in this entry (step S506).

FIG. 11 shows the flow of processing when the egress MPC receives a packet via the shortcut VCC. First, the cellularized IP packet is received through the shortcut VCC (step S601). Next, an IP packet is assembled from the cells by the ATM VC terminating unit 14 shown in FIG.
602). Then, a corresponding entry is searched for in the exit side shortcut VCC table 17 (FIG. 1) using the VPI / VCI of the shortcut VCC to which the packet has been sent and the destination IP address as a key (step S6).
03). Next, the transmission / reception I in the P packet to be received
The P address and the TCP / UDP port number are read (step S604). Then, the value read in step S604 is compared with the transmission / reception IP address of the corresponding entry of the shortcut VCC and the TCP / UDP port number (step S605).

As a result, if both are equal (step S606: Y), it is determined that the packet is a permitted packet, and the MAC address of the MPS in the same subnet and the MAC address of the IP node of the receiving destination are added.
An AC frame is transmitted from the non-ATM interface 15 (FIG. 1) to the corresponding network (step S).
607). If any one is not equal in step S606 (N), the packet is regarded as a violating packet, discarded, and packet filtering is executed (step S608).

[0041]

As described above, claims 1 to 3 are described.
According to the described invention, A is set for each TCP / UDP packet.
Even if the TCP / UDP header and the IP header are not read by the TM exchange, the packet filtering by the IP address and the TCP / UDP port number can be realized by reading those headers by the edge device or the ATM terminal. In the present invention, since the filtering standard is set in advance, for example, if this is set as the standard shown in FIG. 5 of the embodiment set by the router having the MPS function, this is set together with the MPOA protocol message, Propagate to edge devices and ATM terminals. Therefore, if the contents of the appropriate filtering rule are set in the router having the MPS function, there is an advantage that the communication security of all IP nodes existing downstream therefrom is improved.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a functional configuration of an edge device according to an embodiment of the present invention.

FIG. 2 shows a shortcut V on the entrance side MPC of the embodiment.
FIG. 4 is an explanatory diagram showing the contents of a CC table.

FIG. 3 shows a shortcut V at the exit side MPC of the present embodiment.
FIG. 4 is an explanatory diagram showing the contents of a CC table.

FIG. 4 is a block diagram illustrating a functional configuration of an MPS according to the present embodiment.

FIG. 5 is an explanatory diagram showing an example of an MPS packet filtering function unit.

FIG. 6 is a flowchart showing a flow of processing when an ingress MPC relays a MAC frame received from a network other than an ATM.

FIG. 7 is a flowchart showing a processing procedure when an entry corresponding to a key is found but the shortcut VCC is not set.

FIG. 8 is a flowchart showing the flow of processing when an entry corresponding to a key is found in step S107 of FIG. 6 and a shortcut VCC has been set.

FIG. 9 is a flowchart showing the flow of processing when the MPS receives an MPOA resolution request message from the ingress MPC.

FIG. 10 is a flowchart illustrating a process flow when the MPC receives an MPOA cache imposition message from the egress MPS to set a shortcut VCC.

FIG. 11 is a flowchart showing the flow of processing when an egress MPC receives a packet via a shortcut VCC.

[Explanation of symbols]

 11, 21 LEC processing unit 12 MPC processing unit 13, 22, 24 VC table 14, 25 ATM VC termination unit 15 Non-ATM network interface unit 16, 26 ATM signaling processing unit 17 Shortcut VCC table 23 Router function unit 27 Routing unit 28 MPS Packet filtering function

Claims (3)

[Claims] An MPOA for multi-protocol transfer constructed on an ATM network in an asynchronous transfer mode
In the network, the sending MPOA client initiates the address resolution procedure, and the egress MPOA is determined from the received IP address as the received international network address.
Egress MP that is a client in the network
In a communication system in which an ATM address of an OA client is obtained, transmission / reception of a packet to be transmitted through a shortcut VCC as a shortcut virtual channel connection to be set in an address resolution request message is performed.
A transmitting side having an insertion unit for inserting a P address and a UDP as a transport layer protocol of a form only for transferring data such as TCP or a connectionless transport layer as a transport layer protocol having a connection relationship of connection. The MPOA client receives the address resolution request message inserted by the sending MPOA client, reads the transmission / reception IP address and the TCP or UDP port number in the message, and sends the address according to the preset filtering criteria. Determining means for determining whether or not to respond to the resolution request; and proceeding the address resolution procedure if the determination result indicates that the address resolution request is to be responded, and canceling the address resolution if not responding to the address resolution request. Do A relay MPOA server having a restriction means for restricting the setting of a shortcut VCC. 2. An MPOA for a multi-protocol transfer constructed on an ATM network in an asynchronous transfer mode.
In the network, the sending MPOA client initiates an address resolution procedure, and determines the egress M
In a communication system in which an ATM address of an egress MPOA client, which is a client in a POA network, is obtained, the MPOA server and a shortcut VCC as a shortcut virtual channel connection declared to the MPOA server at the time of an address resolution request. Sending and receiving packet I
First storage means for storing a P address, a UDP as a transport layer protocol of a form only for transferring data such as TCP or connectionless as a transport layer protocol in a form of connecting a connection relation of connection, and a packet. A transmitting MPOA client including a transmitting unit that transmits only a TCP / IP packet that matches the content stored in the first storage unit to the shortcut VCC at the time of transmission, and a shortcut notified from the MPOA server when an address resolution request is issued. Second storage means for storing a transmission / reception IP address, TCP or UDP port number of a packet transmitted through VCC, and TCP / IP matching the content stored in the second storage means at the time of packet reception
Only received from shortcut VCC, other T
A packet filtering system comprising: a receiving MPOA client having a packet filtering means for discarding CP / IP packets. 3. An edge device or an ATM terminal as a device having an ATM interface and another network interface reads a TCP / UDP header and an IP header as a transport control protocol / user datagram protocol. , IP
3. The packet filtering system according to claim 1, wherein packet filtering is realized by an address and a TCP / UDP port number.