WO2004039016A1

WO2004039016A1 - Data transmitting method and apparatus thereof

Info

Publication number: WO2004039016A1
Application number: PCT/JP2003/013457
Authority: WO
Inventors: Hiroaki Higaki; Masuko Kanou; Takanori Kimura
Original assignee: Elwing Co.,Ltd.
Priority date: 2002-10-23
Filing date: 2003-10-22
Publication date: 2004-05-06
Also published as: JP2004147029A; AU2003275572A1

Abstract

Security in communications using a public network is improved. If relay points (32) for IP packets (20) are intentionally or dynamically changed, the IP packets (20) are transmitted via random paths. Therefore, even if a third party performs a wiretapping in any one of the paths, it could get only a part of the packets, so that the decryption could be satisfactorily prevented. Thus, a highly enhanced security can be obtained. Additionally, since IP packet groups are distributed and transmitted through the plurality of paths, consequently, a communication path of a wide band can be formed.

Description

Data transfer method and device

"Technical field"

The present invention relates to a data transfer method and apparatus for transferring data packets over a public network such as the Internet.

"Background technology"

In recent years, corporate networks (intranets) have become widespread, and headquarters, sales offices, branch offices, factories, etc., scattered in Japan or overseas, are being interconnected by networks. In the corporate network, highly confidential information is exchanged, and there is a high demand for network security. For example, when connecting remote LANs with a WAN (Wide Area Network), such as a LAN at a head office and a LAN at a branch, dedicated lines, frame relays, ISDN, etc. are conceivable, but all of them have considerable communication costs.

Therefore, a VPN (Virtual Private Network) using the Internet, which is a public network, has been put to practical use. A VPN has the features of low cost, high security, and high bandwidth, and is suitable for building a corporate network by interconnecting geographically dispersed in-house LANs. The basic functions that make up a VPN are “tunneling or encapsulation” and “encryption”. Of these, the former tunneling technology is a technology that makes multiple in-house LANs virtually appear as one corporate network by encapsulating data packets with a new header. The user sees it as a private network, despite the fact that the Internet is involved. Next, the latter encryption technology is designed to prevent the data contents from being seen by a third party only by the tunneling described above, which could lead to data eavesdropping (sniffing) or tampering. This is a technology for transmitting packets after encrypting them. "Disclosure of the invention"

By the way, in the VPN currently used, the information encrypted by the router connected to the internal corporate LAN of the transmission source is transmitted over the Internet as an encapsulated IP (Internet Protocol) bucket on a normal route. It is delivered using a publishing method. Then, it is decrypted by the router connected to the destination company LAN.

This is shown in Fig. 11, where the sender's internal LAN 900 sends a message, such as "HELL〇", to the "IFM PJ", for example, by sending a message "HELL〇" by the word 902. , And further packetized into “I”, “F”, “”, “Μ”, and “Ρ”. These IΡ packets 911 are sent from the router 902 to the Internet 910. In the in-house LAN 922 of the transmission destination, the IP bucket 912 is received via the router 922, and the packet is decrypted by the router 922.

In the above case, the routing table (routing table) recorded in the router 902 is referred to, and the IP packet 912 is copied according to the IP address of the destination corporate LAN 920 described in the IP packet header. The transfer destination is determined sequentially. That is, when the routing table is configured, the route 914 from the source in-house LAN 900 to the destination in-house LAN 900 is statically determined. That is, the route is mechanically determined based on the routing table. The IP bucket 912 is not always delivered by the same route due to the nature of the Internet 910. However, in many cases, the IP buckets 9 12 will be delivered using the same route 9 14. Therefore, the eavesdropper 950 detects the route 914 and observes and eavesdrops on the detected route 914, thereby obtaining the entire group of IP buckets 912, and Decoding can be performed using a high-performance computer.

Various methods have been devised as encryption algorithms.Each of the methods requires only a large amount of computation to acquire information without the need for an encryption key or decryption key. It is the basis. For this reason, There is a high possibility that the information will be illegitimately obtained by eavesdroppers 950 because it will be deciphered due to Yuu's improvement in computing power.

The present invention focuses on the above points, and an object thereof is to improve security in communication using a public network. Another object is to provide a method for effectively reducing the possibility of eavesdropping on data transmission over a public network.

In order to achieve the above object, the present invention controls a route on a public network through which the bucket passes when transferring a data packet through a public network, and also sets a relay point set thereby. A transmission process is performed on the packet so that the packet passes.

According to the present invention, the following effects can be obtained.

(1) Since the data packet transfer route is intentionally set and dynamically changed, the security of communication using the public network is improved and the possibility of eavesdropping is effectively reduced. Is done.

(2) Since data packets are transferred via a plurality of routes, the communication path can be broadened.

The above and other objects, features, and advantages of the present invention will become apparent from the following detailed description and the accompanying drawings.

"Brief description of the drawings"

FIG. 1 is a diagram showing a main part of an embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration example of the IP diffusion device.

FIG. 3 is a flowchart showing a procedure of a relay point search in the first embodiment. FIG. 4 is a flowchart illustrating a procedure for searching for a relay point according to the first embodiment. FIG. 5 is a flowchart showing a procedure of transmitting and receiving an IP bucket in the first embodiment.

FIG. 6 is a diagram illustrating the operation of the first embodiment. FIG. 7 is a flowchart showing main operations of the second embodiment of the present invention.

FIG. 8 is a diagram showing the operation of the second embodiment.

FIG. 9 is a flowchart showing main operations of the fourth embodiment of the present invention.

FIG. 10 is a diagram illustrating the operation of the fourth embodiment.

FIG. 11 is a diagram showing a state of conventional IP packet transmission / reception.

"Best mode for carrying out the invention"

While there may be many embodiments of the present invention, an appropriate number of embodiments will now be shown and described in detail.

First, an outline will be described. In the present invention, attention has been paid to the point that the eavesdropper does not have to receive all I p packets in order to enable secure communication no matter how much the performance of the eavesdropper's computer is improved. In other words, by intentionally delivering a group of IP packets for delivering one ciphertext using a plurality of different routes, even if the group of IP packets delivered on a certain route is eavesdropped, the entire ciphertext If you don't get it, you won't be able to decipher it and your security will improve. In addition, the success rate of wiretapping can be further reduced by introducing a method of dynamically determining the route used for delivery every time a communication request is generated.

First, Embodiment 1, which is a basic mode of the present invention, will be described. The overall configuration is shown in Fig. 1, where the source LAN 100 is connected to the Internet 30 via an IP spreading device 100, which is a router with an IP spreading function. . Further, the Internet 30 is connected to the in-house LAN 40 of the transmission destination via the IP spreading device 102. Although not shown, the provider intervenes as necessary.

In the in-house LAN 100 of the transmission source, for example, the data “HELL〇” is encrypted into “IF MM P” by the IP spreading device 100, and further, “I”, “F j,” “M”, “ M ”and“ P ”. These IP packets 20 It is sent from the IP diffusion device 100 to the Internet 30. In the in-house LAN 40 of the transmission destination, the IP bucket 20 is received via the IP spreading device 102, and the IP bucket 20 is decoded by the IP spreading device 102.

In the above case, in the present embodiment, a route for delivering the IP packet 20 is searched by the IP spreading device 100, and a route is dynamically set. Therefore, the IP packet 20 is delivered using a plurality of different routes. In the illustrated example, the "P" and "M" packets are delivered via route 34, the "Μ" and "FJ" packets are delivered via route 36, and the "I" packet is delivered via route 38. .

Therefore, even if the eavesdropper 60 detects the route 38 and obtains the IP packet by observing and eavesdropping on the route 38, only the IP packet of “I” can be obtained. For this reason, decoding is not possible even if decoding is attempted using a high-performance computer.

Next, the configuration of the above-described IP diffusion devices 100 and 102 will be described. Since both have the same configuration, the IP diffusion device 100 will be described below as a representative. FIG. 2 shows the configuration of the IP diffusion apparatus 100, which includes a CPU 104, a display 106, a hard disk 108, a RAMI 10, a ROM 112, and IZFs 114 to 120. Among these, the CPU 104 controls the operation of the entire apparatus and executes a program stored in the ROM 112. The display 106 is for appropriately displaying an operation state and a result. The hard disk 108 is a memory for storing data and programs such as a routing table TA and an access log LA. The RA Ml 10 is a memory that is appropriately used when loading or executing a program.

The I / F 114 is an interface for connecting to an in-house LAN. IZF 116-120 is an interface for connecting to the Internet. In this embodiment, only the IZF 116 is used, and the other I / Fs 118 and 120 will be described later. The ROM 112 stores dynamic relay point search software PA, IP packet transmission / reception software PB, VPN software PC, log analysis software PD, cooperative packet segmentation / synthesis software PE, and route information cache software PF. Each is a program executed by the CPU 104.

Among them, the dynamic relay point search software PA is a program for intentionally or dynamically searching for a relay point of a route for transmitting the packet 20. 3 and 4 show one example of a method of searching for a relay point as a flowchart. As shown in the figure, when the IP spreading device 100 receives a group of IP packets from the company LAN 10 as a source and the company LAN 40 as a destination, the IP spreading device 100 refers to its own routing table TA. Then, it is detected that the relay IP diffusion device of this IP packet is 102 (steps S10 and S12). The next step S14 will be described later.

The IP spreader 100 transmits an IP packet for measuring the number of hops, with itself as a source and the IP spreader 102 as a destination (step S16). Here, let the initial value of the TTL (Time To Live) of the IP packet for measuring the number of hops be T i. The number of hops refers to the number of overnight passes. The TTL is a value that indicates the lifetime of an IP bucket on the network, and is indicated by the number of hops when passing through a router. The TTL value is decremented by one each time a router passes. When the IP spreading apparatus 102 at the transmission destination receives the IP packet for measuring the number of hops, it calculates the number of hops from the IP spreading apparatus 100 (step S18). This is given by Τ-Ti One To, where To is the TTL value at the time of reception.

Next, IP diffusion apparatus 102 transmits an IP bucket for notifying the hop count measurement result, with itself as a transmission source and IP diffusion apparatus 100 as a destination (step S20). The IP packet for notification of the measurement result includes the calculated hop count T. When the destination IP spreading apparatus 100 receives the IP packet for notifying the hop count measurement result, the spreading degree D = F (T) based on the value of T. Is calculated (step S22).

The spreading degree D indicates how much the multiple routes used for data distribution are spread. If the spreading factor D is large, the security is improved because the possibility that multiple routes pass through a common computer is increased, but the number of hops of the obtained route is increased. Conversely, if the spreading factor D is small, the number of hops of the obtained route is small, but the possibility that multiple routes pass through a common computer is high, and data can be obtained by a thief monitoring the computer. The possibility of being stolen increases. In the present embodiment, it is assumed that the relationship D = F (T) between the number of hops T of the route from the IP spreading device 100 to the IP spreading device 102 and the spreading degree D of the route is obtained in advance from experimental measurement data. I do.

Next, the IP spreader 100 randomly determines N IP addresses IP [0], IP [1],..., IP [N-1] (step S24). Then, the IP diffusion device 100 transmits itself an IP packet P [i] with a TTL as D and a destination as IP [i] (i = 0, 1,..., N—1). (Step S26). Then, when the IP packet P [i] reaches the IP [i] (Yes in step S28), the IP [i] sends the IP CMP (I CMP ( Internet Control Message Protocol) A protocol unreachable message is transmitted (step S30). Upon receiving the I CMP protocol unreachable message corresponding to P [i], the IP diffusion apparatus 100 randomly determines IP [i] again (step S32). Next, the IP spreading apparatus 100 sets itself as a transmission source, sets IP [i] as a transmission destination, and further transmits an IP packet P [i] having a TTL of D (step S34).

If the above steps S30 to S32 are repeated and the IP packet P [i] does not reach IP [i] (No in step S28), the TTL value of P [i] When it reaches 0, it sends an I CMP time-out message with itself as the source and the IP spreader 100 as the destination (step S36). Then, IP diffusion apparatus 100 sets source R [i] of the I CMP time-out message corresponding to P [i] as one of the relay points (step S38). like this By receiving the I CMP timeout message corresponding to P [0], P [1],…, Ν [Ρ-1], N relay points (relay routers) R [0], R [1], ……, R [N-1] are determined (step S40).

Next, the IP packet transmission / reception software PB distributes the corresponding packet to the route passing through the relay point searched by the above-described dynamic relay point search software PA, and receives the delivered packet. It is a program. FIG. 5 shows the operation procedure as a flowchart. As shown in the figure, the IP spreading device 100 is a relay of the IP spreading device 102, and the IP packet group transmitted to the computer on the company LAN 40 is divided into N subgroups PG [0], PG [1], ……, split into PG [N-1] (Step S50). Then, the IP packet belonging to PG [i] (i = 0, 1,..., N—1) is delivered via the relay router R [i] (step S52). This is done by using the IP packet as data, the source as the IP spreading device 100, the destination as the IP spreading device 102, and using the Loose Source Routing (loose source routing) option specified in the IP protocol. , R [i], by creating a force packet to create an IP packet CP [i] specified to be delivered via R [i].

The IP spreading device 102, which has received the IP packet CP [i], extracts the data portion of the IP packet and sends it from any computer in the corporate LAN 10 to any computer in the corporate LAN 40. The transmitted IP packet is obtained (step S54). The IP diffusion device 102 transmits the obtained IP packet to the in-house LAN 40 (step S56).

Next, the VPN software PC is a program for performing tunneling and encryption processing for connecting the in-house LAN 10 and the in-house LAN 40 by VPN. The log analysis software PD is a program for analyzing the communication status of the IP diffusion device 100 and storing the record on the hard disk 108 as an access log LA. Note that the cooperative packet division / synthesis software PE and the routing information cache software PF are all other implementations. An embodiment will be described later.

Next, the overall operation of the present embodiment will be described. In the following description, it is assumed that the IP address of each unit is assigned as shown in FIG. That is, there is a PC (personal computer) 12 on the company LAN 10 side, and a private IP address A is assigned. In addition, a global IP address B is assigned to the in-house LAN 10. The IP address N is assigned to the relay point (relay route) 32 of the searched route. Further, a private IP address P is assigned to the PC 42 on the company LAN 0 side, and a global IP address Q is assigned to the company LAN 40. Then, it is assumed that the PC 12 transmits the data to the PC 42 overnight.

First, in the transmission of data overnight, the relay point of the route for transmitting the IP packet 20 is searched by the dynamic relay point search software PA according to the procedures shown in FIGS. Specifically, a relay point from the source internal LAN 10 to the destination internal LAN 40 is determined at random. Then, as shown in FIGS. 6 (B) to 6 (D), a header is added to the encrypted data and IP bucketing is performed. First, as shown in FIG. 6 (B), the packet headers of the transmission source A and the transmission destination P are added. Next, the VPN software PC adds the encapsulation headers for source B and destination Q as shown in Fig. 6 (C). Next, the IP packet transmission / reception software PB adds a spreading header to the above-mentioned relay point 32 as a destination as shown in FIG. 6 (D). At this time, as described above, the IP packets 20 are grouped, and a relay point is designated for each group.

When the IP packet to which the header is added in this manner is sent from the SIP spreading device 100 to the in-net network 30, first, the destination IP address "N" of the spreading header is referred to. Is forwarded to the address. That is, the IP bucket 20 is transferred to a router (not shown) corresponding to the relay point 32. Upon arriving at the relay point 32, the IP address of the relay point 32 ends its role and is deleted. Then, as shown in FIG. 6 (C), the IP packet 20 is transferred to the address “Q” of the encapsulation header. Address "Q" is internal LAN 4 Since it is 0, the IP packet 0 arrives at the IP diffusion device 102 of the in-house LAN 40. This time, the encapsulation header is deleted, and the IP packet 20 is transferred to the address “P” of the packet header. Since the address “P” is 042 of the in-house LAN 40, the IP packet 20 is transferred to the PC 42. In this case, in the present embodiment, the relay point 32 is intentionally set to be different for each group of the IP buckets 20. That is, the IP packet subgroup PG [i] (i = 0, 1, ... N-1) is forwarded via the relay router R [i]. Therefore, even if a third party eavesdrops on any of the routes, only a part of the packets can be obtained, and decryption is successfully prevented, and high security can be secured. In addition, since a group of IP packets is transferred while being spread over a plurality of routes, a broadband communication channel is eventually formed.

Next, a second embodiment of the present invention will be described with reference to FIGS. In this embodiment, in addition to the first embodiment, processing by the cooperative packet division / synthesis software PE and a plurality of IZFs 116 to 120 are used. Each IF is connected to a different NSP (Network Service Provider).

If there is a contract with a specific NSP, there is usually one firewall that serves as the connection point between the company LAN and the Internet. In this case, as described above, security can be secured by setting a plurality of routes from the firewall to the destination. However, in order to ensure higher security, it is desirable to provide multiple firewalls and deliver IP packet groups via multiple different NSPs. The present embodiment focuses on such a point.

FIG. 5 shows the operation procedure of the present embodiment, in which the IP spreading apparatus 100 harms and ijs the IP packet and assigns it to one of the plurality of IZFs 116 to 120 (step S60). Each IP packet is delivered individually from the assigned IZF Is performed (step S62). Then, similarly to Embodiment 1 described above, the packet is delivered to the IP spreading apparatus 102 via a different relay point for each group, and the packet is distributed by the cooperative packet division / synthesis software PE of the IP spreading apparatus 102. They are combined (step S64).

FIG. 8 shows the state corresponding to FIG. As shown in the figure, by using multiple source I / Fs, the source provider differs depending on the packet group. For this reason, for example, even if the IP packets 22a and 22b pass through the same relay point 22, the routes are different, and the security is further improved.

Next, a third embodiment of the present invention will be described. In this mode, the route information cache software PF is used. The route information cache software PF temporarily stores the relay point information obtained by the processing shown in FIGS. 3 and 4 by the dynamic relay point search software PA as route information DA on the hard disk 108. I do.

According to Embodiment 1 described above, a search for a relay point is performed for each data transmission process, and the delivery of the IP bucket is performed by a different route for each packet. In this case, even if the relay point is changed at an appropriate interval instead of every time, sufficient security can be practically secured. For example, the route may be determined to be different each time a communication event occurs. During the same communication event, it is more convenient to use the same relay point from the viewpoint of the absolute communication speed.

From this point of view, in the present embodiment, as shown in step S14 of FIG. 3, a plurality of routes from the IP diffusion devices 100 to 102 are stored in the route cache as route information DA. If there is (Yes in step S14), the operation after step S16 is not performed, and the relay point of each IP bucket is set using the route information DA.

How often the route information DA is updated depends on the necessity. May be set. The higher the frequency, the higher the security, but the lower the communication speed. The update frequency may be changed according to the importance of the data.

Next, a fourth embodiment of the present invention will be described. In the current Internet, IP packets that use the source routing function of the IP protocol are discarded without being forwarded in many cases. This is because the source routing option is used to prevent the unauthorized delivery of IP packets, as described in RFC (Request for Comment [s]) 2003 (a technical document on the Internet that uses IP encapsulation). This is because it is often used for.

Therefore, in the present embodiment, the above-described IP spread communication can be performed even in an environment where source routing cannot be used. In the present embodiment, the delivery processing of the IP packet 20 is performed using the IP CMP echo. FIG. 9 shows a processing procedure by the IP bucket transmitting / receiving software PB in the present embodiment.

According to the present embodiment, the IP spreading apparatus 100 divides the IP bucket group transmitted to the computer on the in-house LAN 40 through the IP spreading apparatus 102 into N subgroups PG [0], PG [1], ……, divided into PG [N-1] (Step S70). The IP packet 20 belonging to each of the divided subgroups PG [i] (i = 0, 1,..., N—1) is delivered via the relay router R [i] as follows.

First, the IP spreading apparatus 100 transmits an I CMP echo request message in which the IP bucket 20 is data, the source is the IP spreading apparatus 102, and the destination is R [i] (step S72). The relay router R [i], which has received the echo request message, uses the function of the I CMP protocol to copy the data portion of the received echo request message as it is, to echo the source R [i] and echo the destination. Send an I CMP echo reply message to the IP spreading device 102 specified as the request source Yes (step S74).

The IP diffusion device 102 that has received the I CMP echo response takes out the data and obtains the IP packet 20 transmitted from the computer in the company LAN 10 to the computer in the company LAN 40 (step S76). ). The IP diffusion device 102 transmits the obtained IP packet 20 to the in-house LAN 40 (step S78).

For example, it is assumed that the IP address of each section is assigned as shown in FIG. 10A (the same as FIG. 6A). In transmitting data, as in the above-described embodiment, the relay point of the path transmitting the IP packet 20 is searched by the dynamic relay point search software PA according to the procedures shown in FIGS. Next, as shown in Fig. 10 (B), the packet headers of source A and destination P are added to the data. Next, an IP CMP echo request header is added as shown in FIG. 10 (C) by the processing of FIG. 9 by the IP packet transmitting / receiving software PB. In the illustrated example, the transmission source is “Q” and the transmission destination is “N”. In other words, the source should be the global IP address “B” because the source is the corporate LAN 10, but in the present embodiment, the global IP address of the corporate LAN 40 that is the destination is the global IP address “B”. The IP address "Q" is the source.

When the IP packet 20 with the header added in this manner is transmitted from the IP spreader 100 to the Internet 30, first, the destination IP address of the I CMP echo request header, "N" is referred to. Is transferred to the relay point 32 of the address. Then, at the relay point 32, as shown in FIG. That is, in the echo response header, the transmission source and the transmission destination are reversed with respect to the echo request header. In the illustrated example, the transmission source is “Ν” and the transmission destination is “Q”.

Therefore, the IP packet 20 is transmitted from the relay point 32 to the in-house LAN 40, and arrives at the IP diffusion device 102 of the in-house LAN 40. Then, both the echo request header and the echo response header of the I CMP are deleted, and the IP packet 20 is transferred to the address “P” of the bucket header. Address "P" is company Since the PC 42 is the LAN 40, the IP packet 20 is transferred to the PC 42.

In this way, by using the echo-back technique, spread communication becomes possible regardless of the availability of source routing, and security can be improved.

The present invention has many embodiments, and can be variously modified based on the above disclosure. For example, the following are included.

(1) The above embodiment is an example in which the present invention is applied to a VPN, but is applicable to general public networks such as the Internet.

(2) Various design changes can be made to the device configuration shown in FIG. 2 so as to achieve the same operation. For example, in the above embodiment, as shown in FIGS. 2 and 8, one IP spreading device is provided with a plurality of I / Fs for the Internet, but IZFs for the Internet are provided. A plurality of IP spreading devices may be provided, each connected to a different NSP.

(3) In the above embodiment, the packet delivery route is controlled by changing the relay point (relay router) on the Internet. However, other route control methods such as changing and setting the route itself are used. It does not prevent the application of. For example, a large number of routes or relay points may be prepared in advance as a table, and a route or a relay point may be randomly selected from this table.

"Industrial applicability"

According to the present invention, since the transfer route of the data bucket is intentionally set and dynamically changed, the possibility of eavesdropping is effectively reduced, and a public network requiring security is used. It is suitable for communication that has been performed. Further, since the data packet is transferred via a plurality of paths, it is suitable for a communication path which requires a wider bandwidth.

Claims

The scope of the claims

1. A data transfer method for transferring data packets over a public network,

Controlling the route on the public network through which the packet passes; and performing transmission processing on the packet so that the corresponding packet passes through the route set by the step.

A data transfer method comprising:

2. The data transfer method according to claim 1, wherein the route is controlled by dynamically changing a relay point on a public network.

3. The data transfer method according to claim 1, further comprising: performing a VPN encapsulation process on the packet.

4. The data transfer method according to claim 1, further comprising a step of transmitting the packet to a public network via a plurality of providers.

5. A data transfer device for transferring data packets through a public network,

A route control means for controlling a route on the public network through which the bucket passes;

Packet transmitting means for performing transmission processing on the packet so that the packet passes through the route set by this;

A data transfer device comprising:

6. The data transfer device according to claim 5, wherein the route control means controls the route by dynamically changing a relay point on a public network.

7. The data transfer device according to claim 5, further comprising encapsulation processing means for performing a VPN encapsulation process on the packet.

8. Send the packet to the public network via multiple providers The data transfer device according to any one of claims 5 to 7, further comprising a data transmission means.