JP4750750B2 - Packet transfer system and packet transfer method - Google Patents

Description

  The present invention relates to a packet transfer system and a packet transfer method for determining that a frame transmitted from a terminal used by a user is a frame transmitted from an authorized user and transferring the frame to an external network.

  Conventionally, as networks such as the Internet are generally spread, information processing systems such as corporations have caused various problems such as processing delay due to an increase in spoofed packets that spoof normal IP (Internet Protocol) addresses. Yes. In view of this, various transfer control apparatuses that determine whether packets can be transferred and perform transfer control (filtering) in order to prevent an information processing system such as a company from receiving such malicious spoofed packets have been disclosed.

  Generally, a layer 2 switch is used as a transfer control device that determines whether or not Ethernet (registered trademark) frames can be transferred in layer 2. Normally, the layer 2 switch determines whether transfer is possible by referring to only Ethernet (registered trademark) header information including a MAC (Media Access Control) address.

  Recently, referring to upper layer packet information (for example, IP header, TCP / UDP (Transmission Control Protocol / User Datagram Protocol) header, etc.) included in an Ethernet (registered trademark) frame, whether or not the frame can be transferred. A method for determining a route is implemented, and a layer 2 switch that filters spoofed packets using this method is used (see Non-Patent Documents 1 to 3). Specifically, this layer 2 switch holds a storage table that stores the correspondence between the MAC address and the IP address, and is stored in the storage table that holds a combination of the MAC address and the IP address of the received packet. In this case, the packet is transferred to the destination, and if not stored, the packet is discarded.

  In multicast transmission, an MLD (Multicast Listener Discovery) mechanism is often used. This MLD reads the multicast route information included further inside the IP packet included in the received frame, and suppresses the transfer of the received frame to the port to which the terminal not transmitting the listener request is connected. (Non-Patent Document 4).

  However, even if any of the above-described methods is used, there is a problem in that it is impossible to control transfer of communication in which an IP address is spoofed in a network using a DHCP server that dynamically assigns an IP address. Specifically, upon receiving an IP address acquisition request, an address allocation device (DHCP server) that dynamically allocates an IP address, on condition that the MAC address of the request transmission source terminal is a MAC address stored in advance. Assign an IP address. Therefore, when an IP address acquisition request is transmitted from a terminal whose MAC address is illegally set, the address assignment device assigns an IP address to the terminal. As a result, in the network, when a transfer control device receives a packet from a terminal that obtained an IP address illegally, that is, when a packet from a terminal that spoofed an IP address is received, the transfer control device transfers the packet to the destination. Will end up.

  In general, as a method for solving such a problem, a transfer control device that restricts packet transfer when communication using a terminal other than the IP address assigned by the terminal is used to spoof the IP address. Is being used. Specifically, when an IP address is assigned by the address assignment device, the transfer control device associates the assigned “MAC address” with the assigned “IP address” and the assigned terminal The “physical interface number (for example, logical port number, line number)” to be connected is stored.

  When receiving the packet, the transfer control device acquires the “physical interface number” that received the packet, and also acquires the “IP address” and “MAC address” of the transmission source from the IP header of the packet. Subsequently, the transfer control device determines whether or not the combination of the acquired “physical interface number”, “IP address”, and “MAC address” is stored, and if these combinations are stored, When the received packet is transferred to the destination and the combination is stored, the received packet is discarded at the destination, thereby limiting the transfer of the packet with the spoofed IP address.

“FreeBSD Hypertext Man Pages”, [online], [Search April 20, 2007], Internet <http://www.freebsd.org/cgi/man.cgi?query=bridge&apropos=0$sektion=0&manpath= FreeBSD + 6.2-RELEASE & format-html> “FreeBSD Hypertext Man Pages”, [online], [Search April 20, 2007], Internet <http://www.freebsd.org/cgi/man.cgi?query=bridge&apropos=0$sektion=0&manpath= FreeBSD + 6.2-RELEASE> “IPTABLES”, [online], [Search April 20, 2007], Internet <http://www.linux.or.jp/JM/html/iptables/man8/iptables.8.html> "Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches, RFC4541", [online], [searched April 20, 2007], Internet <http://www.ietf.org/ rfc / rfc4541.txt>

  However, the above-described conventional technique has a problem in that a packet using a spoofed IP address cannot be accurately filtered in a shared media type network sharing a single physical network such as a wireless LAN.

  Specifically, when a single physical network is used, since the “physical interface number” of all terminals to which “IP address” is assigned has the same value, the transfer control device spoofs “MAC address”. The terminal that acquired the “IP address” cannot be specified. As a result, when the transfer control device receives a packet from a terminal that spoofs “MAC address” and obtains an “IP address” illegally, that is, receives a packet from a terminal that spoofs “IP address”, Even though the packet needs to be discarded, the MAC address and the physical interface number are stored in association with the IP address, and the packet is transferred to the destination. It becomes.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and a packet that can accurately filter packets using a spoofed IP address even in a shared media type network. It is an object to provide a transfer system and a packet transfer method.

In order to solve the above-described problems and achieve the object, the present invention determines that a frame transmitted from a terminal used by a user is a frame transmitted from a valid user, and transfers the frame to an external network. A communication path storage unit that stores a virtual communication path identifier that uniquely identifies a virtual communication path connected to the terminal and a MAC address of the terminal in association with each other. The address information storage means for storing the IP address assigned to the terminal and the MAC address of the terminal assigned with the IP address in association with each other, and when the connection request is received from the terminal, On the condition that the user is a valid user, a virtual communication path is connected to the terminal, and the virtual communication path identifier assigned to the connected virtual communication path A communication path connection control means for associating the MAC address of the terminal and storing it in the communication path storage means, and a frame from a terminal assigned with an IP address connected by a virtual communication path by the communication path connection control means. Is received from the frame, the MAC address is acquired from the frame, and stored in the communication path storage means specified from the acquired MAC address and the virtual communication path identifier of the virtual communication path from which the frame is transmitted. When the MAC address matches, frame transfer is permitted, and when the MAC address does not match, the frame transfer control unit rejects the frame transfer, and the IP address from the frame permitted to transfer by the frame transfer control unit And MAC address, specified by the acquired IP address and the acquired MAC address Transfer control means for transferring the frame as a packet to the external network when the IP address stored in the address information storage means matches, and discarding the frame when the IP address does not match. Features.

Furthermore, the present invention , in the above invention, further comprises encryption key storage means for storing an encryption key shared with the terminal in association with the MAC address of the terminal, wherein the communication path connection control means is connected to the terminal from the terminal. When a connection request is received, an encryption key stored in the encryption key storage unit in association with the MAC address of the terminal is acquired, and the virtual key is transferred between the terminal and the terminal using the acquired encryption key. It is connected by a communication path.

Further, the present invention , in the above invention, further comprises invalidation state detection means for detecting that a virtual communication path connected to the terminal is in an invalid state, wherein the communication path connection control means is The communication path storage associated with the virtual communication path identifier assigned to the virtual communication path when the virtual communication path is detected to be invalid by the invalidation state detecting means. The information stored in the means and the information stored in the address information storage means in association with the MAC address of the terminal are deleted.

Also, the present invention provides the encryption key storing the encryption key corresponding to the MAC address of the terminal when a virtual communication path is established with the terminal by the communication path connection control means. Session information storage means for storing the acquired encryption key, the MAC address of the terminal, and the virtual communication path identifier of the virtual communication path as session information in a predetermined session information storage means. When the communication path connection control means receives a connection request from a terminal that has temporarily canceled the connection via the virtual communication path, the session information corresponding to the MAC address of the terminal is stored in the predetermined session information storage means. Stored in the predetermined session information storage means, and using the acquired session information, a new session information is acquired. Rather than a virtual communication path for the virtual communication channel identifier, characterized in that to reconstruct the virtual communication path for the virtual communication path identifier previously connected between the terminal.

In addition, the present invention further includes a user authentication unit in the above invention, which, when receiving a connection request from the terminal, determines whether or not the terminal is a valid user by a predetermined authentication method. It is characterized by.

Further, in the present invention according to the above invention, a user ID for uniquely identifying a user who uses the terminal is assigned to the terminal, and a connection request is transmitted by the user authentication means. A user information storage means for storing the user ID assigned to the terminal and the MAC address of the terminal when the determined terminal is determined to be a valid user, and the user information The MAC address is specified from the user ID stored in the storage means, and the IP address specifying means for specifying the IP address stored in the address information storage means from the specified MAC address and / or stored in the address information storage means. The MAC address is specified from the IP address to be stored, and the user information stored in the user information storage means is determined from the specified IP address. And user identification means for identifying ID, and characterized by further comprising a.

Further, according to the present invention , in the above invention, packet transfer suitable for transferring to an external network by determining that a frame transmitted from a terminal used by a user is a frame transmitted from a valid user. A communication path storage means for uniquely storing a virtual communication path identifier for uniquely identifying a virtual communication path connected to the terminal and a MAC address of the terminal, and the terminal An address information storage means for storing the IP address assigned to the IP address and the MAC address of the terminal assigned with the IP address in association with each other, and when a connection request is received from the terminal, the terminal is a valid user On the condition that the terminal is connected to the terminal by a virtual communication path, the virtual communication path identifier assigned to the connected virtual communication path and the terminal A communication path connection control step of associating an AC address with the communication path storage means, and receiving a frame from a terminal assigned with an IP address connected by a virtual communication path by the communication path connection control step Then, the MAC address is acquired from the frame, and the MAC address stored in the communication path storage means specified from the acquired MAC address and the virtual communication path identifier of the virtual communication path to which the frame is transmitted Frame transfer control step of permitting the transfer of the frame if the two match, and rejecting the transfer of the frame if they do not match, and the IP address and MAC from the frame permitted to transfer by the frame transfer control step Before an address is acquired and specified by the acquired IP address and the acquired MAC address A transfer control step of transferring the frame as a packet to the external network when the IP address stored in the address information storage means matches, and discarding the frame when the IP address does not match, To do.

According to the present invention , a virtual communication path identifier that uniquely identifies a virtual communication path connected to a terminal and the MAC address of the terminal are stored in association with each other, and an IP address assigned to the terminal And the MAC address of the terminal to which the IP address is assigned are stored in association with each other, and when a connection request is received from the terminal, the terminal is connected to the terminal on the condition that the terminal is a valid user. Connected with a virtual communication path, stores the virtual communication path identifier assigned to the connected virtual communication path and the MAC address of the terminal in association with each other, and connected with the virtual communication path When a frame is received from a terminal to which an IP address is assigned, a MAC address is acquired from the frame, and the acquired MAC address and virtual communication of a virtual communication path through which the frame is transmitted When the MAC address specified by the identifier matches, the transfer of the frame is permitted. When the MAC address does not match, the transfer of the frame is rejected, and the IP address and the MAC address are acquired from the frame permitted to transfer. When the acquired IP address matches the IP address specified by the acquired MAC address, the frame is transferred to the external network as a packet, and when it does not match, the frame is discarded. As a result of being able to specify a normally connected terminal by a virtual channel identifier that identifies a virtual channel, it is possible to accurately filter packets using a spoofed IP address even in a shared media network Is possible.

  For example, even when a frame in which a MAC address is spoofed is received from a terminal connected through a virtual communication path, as a result of storing the virtual communication path identifier and the MAC address in association with each other, the frame is received from an unauthorized terminal. It can be detected and discarded as a transmitted frame, and even when a frame spoofing an IP address is received from a terminal connected via a virtual communication path, the assigned IP address and MAC address Can be detected and discarded as a frame transmitted from an unauthorized terminal. Further, since a virtual communication path (L2 access session) to which the terminal is connected is uniquely specified and a malicious terminal that spoofs the same MAC address cannot connect to the L2 access session, Communication is possible only using the assigned IP address.

Further, according to the present invention , an encryption key shared with the terminal is further stored in association with the MAC address of the terminal, and when a connection request is received from the terminal, it corresponds to the terminal that is the destination of the connection request If the encryption key to be stored is stored, it is determined that the terminal is a valid user, the encryption key is acquired, and the virtual communication is performed with the terminal using the acquired encryption key. Since the connection is made via a road, a virtual communication path with high security can be created, and as a result, third-party intervention can be firmly prevented.

  For example, as a result of being able to connect a VPN (Virtual Private Network) using an encryption key, it is possible to firmly prevent a third party from intruding into the connected virtual communication path. Is possible. In addition, since the encryption key is shared between the terminal that desires connection and the packet transfer system, it is possible to authenticate the terminal that transmits the connection request depending on whether or not the encryption key is held. . Furthermore, by using the encryption key generated from the MAC address, it is possible to more firmly prevent the encryption key from being spoofed and the intervention of the terminal that is spoofing the IP address.

Further, according to the present invention , when it is detected that the virtual communication path connected to the terminal is in an invalid state, the virtual communication path identifier assigned to the virtual communication path is supported. As a result of deleting the information stored in association with the information stored in association with the MAC address of the terminal, it is possible to invalidate the virtual communication path with the terminal holding the MAC address, It is possible to firmly prevent a malicious terminal that misrepresents a MAC address or an IP address from connecting to a network.

  For example, as a technique for detecting that a virtual communication path is in an invalid state, when a disconnection signal from an L2 network access point is detected by a link (association), a new virtual communication path is established In addition, when it is determined that another virtual communication path related to the MAC address of the terminal connected through the virtual communication path is invalid, a connection update signal is periodically received from the terminal where the virtual communication path is established. For example, a periodic connection update signal may not be received even after the expiration date has passed, and it is detected that the state is invalid by these methods.

  As a result, even if a malicious terminal tries to connect to the packet transfer system, since the packet transfer system does not hold the encryption key A shared with the legitimate terminal, the legitimate terminal is connected. The virtual communication path (L2 access session) cannot be reproduced. Even if a malicious terminal generates an L2 access session using a different encryption key, the IP packet transmitted from the terminal is discarded because the session is different from the L2 access session to which the legitimate terminal is connected. Is possible.

  In addition, when a terminal connected via a virtual communication path periodically transmits an update signal for updating the connection to the packet transfer system, the update signal is not received even if the update procedure expires. Then, as a result of being able to detect that the connection with the terminal may be disconnected and detecting that the connection is in an invalid state, a malicious terminal that misrepresents a MAC address or an IP address is connected to the network. It is possible to prevent it strongly.

Further, according to the present invention , when a virtual communication path is established with a terminal, an encryption key corresponding to the MAC address of the terminal is acquired, and the acquired encryption key, the MAC address of the terminal, The virtual communication path identifier of the virtual communication path is further stored as session information, and when a connection request is received from a terminal that temporarily cancels the connection through the virtual communication path, the corresponding MAC address of the terminal is supported. If the session information to be stored is stored, the session information is acquired, and using the acquired session information, the virtual communication channel identifier that has been connected before, not the virtual communication channel of the new virtual communication channel identifier Thus, it is possible to suppress reconnection of layer 3 communication due to re-payment of the IP address.

  For example, since a session can be restored in layer 2 and there is no need to reestablish an upper layer connection higher than layer 3, it is possible to suppress reassignment of IP addresses, and further, SIP registration ( In systems such as Session Initiation Protocol registration (DIP) and location registration when using Mobile IP, DDNS (Dynamic Domain Names Server) that dynamically registers IP addresses and corresponding names, an update signal (for example, reconnection or IP Occurrence of address reassignment) can be suppressed.

Further, according to the present invention, when a connection request is received from a terminal, whether or not the terminal is a legitimate user is determined by a predetermined authentication method. Therefore, after authenticating the terminal at the L2 layer level As a result of connecting the virtual communication path, it is possible to keep security high.

  For example, IEEE802. x or EAP (Extensible Authentication Protocol) -TLS (Transport Layer Security) “RFC2716” or the like can be used to receive an electronic certificate issued by a third party together with a connection request, based on this electronic certificate. As a result of authenticating the terminal, security can be kept high.

Further, according to the present invention , the terminal is assigned a user ID that uniquely identifies the user who uses the terminal, and it is determined that the terminal that transmitted the connection request is a valid user. The user ID assigned to the terminal and the MAC address of the terminal are stored in association with each other, the MAC address is specified from the stored user ID, and the IP stored from the specified MAC address is stored. The user assigned to the terminal from the IP address can specify the address, the MAC address from the stored IP address, and the user ID stored from the specified IP address. It is possible to easily specify the IP address of the terminal to which the user ID is assigned from the ID or user ID.

  For example, the MAC address is searched from the correspondence between the user ID and the MAC address, and further, the correspondence between the user ID and the IP address is searched by searching for the MAC address from the correspondence between the MAC address and the IP address. Obtainable. It is also possible to obtain a MAC address from the correspondence between the MAC address and the IP address using the IP address as a key, and to search the user ID using the MAC address obtained from the correspondence between the user ID and the MAC address as a key. Is possible.

  Exemplary embodiments of a packet transfer system and a packet transfer method according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, the main terms used in the present embodiment, the outline and features of the packet transfer system according to the present embodiment, the configuration of the packet transfer system and the flow of processing will be described in order, and finally various modifications to the present embodiment. An example will be described.

[Explanation of terms]
First, main terms used in this embodiment will be described. The “communication system” used in the present embodiment is a “packet transfer system (corresponding to the“ packet transfer system ”recited in the claims”), which receives an access request from a terminal, This is a system that allows connection between a terminal and an external network such as the Internet by permitting connection and assigning an IP address when the terminal is a legitimate terminal. Specifically, this packet transfer system includes an L2 network access point, a frame transfer device, an IP address assignment device, a rule reflector, and an L3 routing mechanism. The L2 network access point and the frame transfer device are connected so as to be able to communicate with each other, and the frame transfer device, the IP address assignment device, and the rule reflector are connected so as to be able to communicate with each other via the L3 routing mechanism. Has been.

  An L2 network access point is a device such as a wireless access point that is connected to a terminal by wireless communication, and a frame transfer device is a device that transmits a frame in layer 2, and is inside the frame. It is a device that interprets the structure of the included upper protocol and determines whether or not the frame can be transferred.

  Further, the IP address assignment device dynamically issues and assigns an IP address to a terminal connected to the L2 network access point, and associates the “MAC address” and “IP address” of the assigned terminal with each other. This is a storage device, specifically, a DHCP (Dynamic Host Configuration Protocol) server or the like. The L3 routing mechanism is a device that stores routing information and transmits a packet received from the frame transfer device to a destination based on the routing information. Specifically, a router, an L3 switch, etc. Corresponds to this. Also, the rule reflector is an IP address assigned to a terminal by an IP address assigning device, and when the “MAC address” and “IP address” of the assigned terminal are stored, based on the stored information. A device that creates a transfer rule that can be interpreted by the frame transfer device and stores the created transfer rule in the frame transfer device.

  Generally, when a terminal and an L2 network access point are connected by a shared media type network (shared network) such as a wireless LAN, it is required to use an application such as an IP phone safely. . In an application such as an IP phone, a server device in the network stores a correspondence between an IP address and a communication person ID. When the server device receives a call addressed to a communication person, the server device transmits an incoming call notification to the IP address corresponding to the communication person. When this IP address is an IP address that is dynamically assigned, the IP address may be reused among a plurality of communication parties, so that an IP address assigned to one communication person is transferred to another communication person. Before the assignment, a certain rest period is provided, and the system must be operated so that the IP address assigned once during the rest period becomes invalid. In such a network, if a user sets an IP address during a suspension period by intentional setting, another communicator can be spoofed. Therefore, in a situation where a shared media type network such as a wireless LAN is operated while dynamically assigning an IP address, “IP address spoofing”, that is, “control to prevent forwarding a spoofed IP address” This is very important.

[Outline and features of packet transfer system]
Next, the outline and characteristics of the packet transfer system according to the first embodiment will be described with reference to FIG. FIG. 1 is a system configuration diagram illustrating the overall configuration of the packet transfer system according to the first embodiment.

  As shown in FIG. 1, this packet transfer system is composed of an L2 network access point, a frame transfer device, an IP address allocation device, a rule reflector, and an L3 routing mechanism. The apparatus is connected to be communicable with each other, and the frame transfer apparatus, the IP address assigning apparatus, and the rule reflector are connected to be communicable with each other via the L3 routing mechanism. The user terminal A and the L2 network access point are connected by wireless communication. The user terminal A stores “MAC address 1” as a MAC address, and stores an encryption key A generated based on the MAC address.

  In such a configuration, as described above, the packet transfer system determines that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user and transfers the frame to an external network. In particular, even in a shared media type network, the main feature is that packets using a spoofed IP address can be accurately filtered.

  To explain this main feature in detail, the L2 network access point corresponds to the virtual communication path identifier that uniquely identifies the virtual communication path connected to the user terminal and the MAC address of the terminal. And store it in the communication path DB. Specifically, the communication path DB of the L2 network access point stores “a“ virtual communication path identifier ”that uniquely identifies a connected virtual communication path and a“ MAC address ”of the terminal” in association with each other.

  The IP address assignment device dynamically issues and assigns an IP address to a terminal connected to the L2 network access point, and associates “MAC address” and “IP address” of the assigned terminal with address information. Store in DB. Since the address information DB and the communication path DB store information after a virtual communication path connected to the user terminal A is connected, the stored information is omitted here.

  The L2 network access point stores the encryption key generated based on the MAC address of the user terminal A in the encryption key DB in association with the MAC address of the user terminal. For example, the encryption key DB of the L2 network access point is “a“ MAC address indicating the MAC address of the user terminal ”and“ an encryption key indicating the encryption key generated based on the MAC address of the user terminal A ”. “MAC address 1, encryption key A”, etc. Here, as a technique for sharing the encryption key, it may be stored in advance by an administrator or the like, or may be stored using an existing technique such as WPA (Wi-Fi Protected Access).

  Further, the frame transfer apparatus stores interpretable transfer rules in the transfer rule DB. Specifically, the frame transfer apparatus stores the transfer rule generated and stored by the rule reflector in the transfer rule DB. Also, the transfer rule DB includes “rule 0 for identifying the rule,“ condition ”for determining whether transfer is possible,“ action ”to be executed when the condition is met,“ rule 0, data included in the frame ” “Allows passage of frames whose type is an IP packet” and “Rule 1, permits passage of frames, which is communication between the terminal and the IP address assignment device” are stored in advance.

  Under such conditions, when the packet transfer system receives a connection request from a user terminal, the encryption key corresponding to the user terminal that is the transmission destination of the connection request is stored in the encryption key DB. The user terminal is determined to be a valid user, the encryption key is acquired from the encryption key DB, and the user terminal is connected to the user terminal using a virtual communication path using the acquired encryption key. The virtual channel identifier assigned to the connected virtual channel and the MAC address of the terminal are associated with each other and stored in the channel DB (see (1) and (2) in FIG. 1). ).

  Specifically, in the above example, when the L2 network access point of the packet transfer system receives a frame indicating a connection request from the user terminal A by wireless communication, the user terminal A that is the transmission destination of the frame The MAC address “MAC address 1” is acquired from the frame. Subsequently, the L2 network access point determines that the user terminal A is a valid user because the encryption key A corresponding to the acquired “MAC address 1” is stored in the encryption key DB. The encryption key A is acquired from the encryption key DB, and the user terminal A is connected to the user terminal A using the acquired encryption key A through a virtual communication path (L2 access session). Then, the L2 network access point includes the identifier “virtual communication path A” assigned to the connected virtual communication path, and the MAC address “MAC address 1” of the connected user terminal A acquired from the frame. Are stored in the communication path DB.

  When the L2 access session is established between the user terminal A and the L2 network access point, the user terminal A transmits an IP packet indicating an IP address acquisition request to the packet transfer system via the L2 access session. . The frame transfer apparatus that has received this IP address acquisition request via the L2 network access point sequentially refers to the rule numbers in the transfer rule DB, and in the transfer rule DB “rule 0, the data type included in the frame is an IP packet. , “Permit passage of frame” and “Rule 1, allow passage of frame, which is communication between the terminal and the IP address assignment device” are stored. Transfer to mechanism. The virtual communication path established here is a communication path such as VPN (Virtual Private Network), VC (Virtual Circuit, Virtual Call, Virtual Connection).

  When the L2 network access point and the terminal are connected by a virtual communication path, the packet transfer system assigns an IP address and generates and stores a transfer rule ((3) and (4 in FIG. 1). )reference). Specifically, in the above example, the L3 routing mechanism of the packet transfer system that has received the IP address acquisition request transfers the request to the IP address assignment device based on the routing information stored in the own device. Then, the IP address assignment device assigns “IP address 1” as the IP address to the user terminal A that has transmitted the request. Then, the IP address assignment device stores “MAC address 1” and “IP address 1” of the assigned terminal in the address information DB in association with each other. Then, the rule reflector rewrites “MAC address 1” and “IP address 1” stored in the address information DB to transfer rules interpretable by the frame transfer device, and stores them in the transfer rule DB of the frame transfer device. To do.

  That is, at this time, “virtual communication path A, MAC address 1” is stored as “virtual communication path identifier, MAC address” in the communication path DB of the L2 network access point, and the address of the IP address allocation device In the information DB, “MAC address 1, IP address 1” is stored as “MAC address, IP address”. Also, the transfer rule DB of the frame transfer device includes “Rule 0, data type included in the frame is an IP packet, allow passage of the frame”, “Rule 1, the terminal and the IP address assignment device. “Permit frame passing for communication”, “Rule 2, the source address of the layer 2 frame is MAC address 1, and the source IP address of the IP header included in the frame is IP address 1. , “Allow passage of frame” is stored.

  After that, the packet transfer system is connected to the virtual communication path by the L2 network access point, receives the frame from the user terminal assigned with the IP address by the IP address assignment device, and acquires the MAC address from the frame. When the MAC address stored in the communication path DB specified from the virtual communication path identifier of the virtual communication path from which the frame is transmitted matches the acquired MAC address, the frame is framed. If it does not match, the frame is discarded (see (5) and (6) in FIG. 1).

  Specifically, in the above example, a user terminal A connected to an L2 network access point and assigned an IP address transmits a frame (IP) to an external network by wireless communication via the connected L2 access session. Packet). The frame thus transmitted is received by the L2 network access point of the packet transfer system. The L2 network access point that has received the frame acquires “MAC address 1” from the frame. Further, the L2 network access point acquires “MAC address 1” stored in the communication path DB corresponding to “virtual communication path identifier A” of the L2 access session to which the frame is transmitted. Then, the L2 network access session matches the “MAC address 1” acquired from the transmitted frame and the “MAC address 1” acquired from the communication path DB. A is determined to be an authorized user, and the frame is transferred to the frame transfer apparatus.

  When the packet transfer system receives a frame transferred by the access point, the packet transfer system acquires an IP address from the frame and stores it in the address information DB specified by the acquired IP address and the acquired MAC address. If the IP address matches, the frame is transferred to the routing mechanism as a packet. If the IP address does not match, the frame is discarded (see (7) and (8) in FIG. 1).

  Specifically, in the above example, the frame transfer apparatus that has received the frame transferred by the L2 network access point receives “MAC address 1” and “IP address” as the MAC address and IP address of the user terminal A that is the frame transmission source. Address 1 "is obtained from the frame. Subsequently, the frame transfer apparatus acquires “IP address 1” stored in the address information DB of the IP address assignment apparatus in association with the acquired “MAC address 1”. Then, the frame transfer apparatus matches the “IP address 1” acquired from the frame with the “IP address 1” acquired from the storage unit of the IP address assignment apparatus. Since the transmission source address of the two frames is the MAC address 1 and the transmission source IP address of the IP header included in the frame is the IP address 1, the passage of the frame is permitted. " The frame is transferred as an IP packet to the routing mechanism. The routing mechanism that has received the IP packet transmits the IP packet to the external network based on the routing table stored in the own device.

  Here, transfer control of a frame in which an IP address or a MAC address is spoofed will be described. For example, it is assumed that the user terminal A (IP address 1, MAC address 1) connected in the L2 access session as described above spoofs the MAC address “MAC address 2” and transmits the frame. In this case, the L2 network access point that has received the transmitted frame acquires “MAC address 2” from the frame. Also, the L2 network access session acquires “MAC address 1” stored in the communication path DB in correspondence with the “virtual communication path identifier A” of the L2 access session to which the frame is transmitted. The L2 network access session is determined by the fact that the “MAC address 2” acquired from the transmitted frame does not match the “MAC address 1” acquired from the communication path DB. It is determined that A is not a legitimate user, and the frame is discarded.

  Further, for example, it is assumed that the user terminal A (IP address 1, MAC address 1) connected in the L2 access session as described above spoofs the IP address as “IP address 2” and transmits the frame. The L2 network access point that has received the transmitted frame acquires “MAC address 1” from the frame. Further, the L2 network access point acquires “MAC address 1” stored in the communication path DB corresponding to “virtual communication path identifier A” of the L2 access session to which the frame is transmitted. Then, the L2 network access point matches the “MAC address 1” acquired from the transmitted frame with the “MAC address 1” acquired from the communication path DB. Is a legitimate user, and the frame is transferred to the frame transfer apparatus.

  Subsequently, the frame transfer apparatus that has received the frame transferred by the L2 network access point sets “MAC address 1” and “IP address 2” as the MAC address and IP address of the user terminal A that is the frame transmission source. Get from. Subsequently, the frame transfer apparatus refers to the transfer rule DB in order, and determines whether or not to transfer to the acquired “MAC address 1” and “IP address 2”. In this case, the frame transfer device “Rule 2, the transmission source address of the layer 2 frame is MAC1 and the transmission source IP address of the IP header included in the frame is IP address 1 and allows passage of the frame. “Yes” is stored in the transfer rule DB, that is, since the IP address acquired from the frame is “IP address 2”, the frame is discarded.

  As described above, the packet transfer system according to the first embodiment can identify a terminal that is normally connected by a virtual communication path identifier that identifies a virtual communication path. As a result, the shared media can be identified as described above. Even in a type network, it is possible to accurately filter packets using spoofed IP addresses.

[Configuration of packet transfer system]
Next, the configuration of the packet transfer system shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating the configuration of the packet transfer system according to the first embodiment. As shown in FIG. 2, the packet transfer system according to the first embodiment includes a rule reflector 10, an L3 routing mechanism 20, an IP address assignment device 30, an L2 network access point 40, and a frame transfer device 50. Each will be described here.

(Rule Reflector 10)
The rule reflector 10 generates a transfer rule that can be interpreted by the frame transfer apparatus 50 and stores it in the frame transfer apparatus 50. Specifically, the rule reflector 10 assigns an IP address (IP address 1) to the user terminal A by the IP address assignment device 30, and “MAC address 1” and “IP address 1” of the assigned terminal. Are stored in the address information DB 33, based on the stored information, a transfer rule that can be interpreted by the frame transfer device 50 is created, and the created transfer rule is stored in the transfer rule DB 54 of the frame transfer device 50. . For example, when “MAC address 1” and “IP address 1” are stored in the address information DB 33 of the IP address assignment device 10, the rule reflector 10 determines that “source of layer 2 frame” from the stored information. When the address is MAC1 and the source IP address of the IP header included in the frame is IP address 1, a transfer rule “permit passage of the frame” is generated, and the frame transfer device 50 transfers Store in the rule DB 54.

(L3 routing mechanism 20)
The L3 routing mechanism 20 transmits the received packet to the destination based on the stored routing information (route information). This routing mechanism 20 generally has a plurality of LAN interfaces with different network segments, manages the destination network / mask, the IP address of the adjacent router, and the outgoing interface table, and based on the destination IP address of the received IP packet. Forward the frame. Specifically, the L3 routing mechanism 20 rewrites the IP address acquisition request, which is a broadcast addressed to the IP address allocation device 30 transmitted from the user terminal A, to unicast communication, and forwards it to the IP address allocation device 30. Or the IP packet transmitted from the user terminal A to which the IP address is assigned to the external network is transferred to the external network.

(Configuration of IP address allocation device 30)
As shown in FIG. 2, the IP address assignment device 30 includes a communication control I / F unit 31, a storage unit 32, and a control unit 34. The communication control I / F unit 31 controls communication regarding various information exchanged with the user terminal A via the L3 routing mechanism 20. Specifically, the communication control I / F unit 31 receives the IP address acquisition request transmitted from the user terminal A via the L3 routing mechanism 20 or responds to the received IP address acquisition request. A response is transmitted to the user terminal A via the L3 routing mechanism 20.

  The storage unit 32 stores data and programs necessary for various processes performed by the control unit 34, and includes an address information DB 33 particularly closely related to the present invention.

  The address information DB 33 stores the IP address assigned to the terminal and the MAC address of the terminal assigned with the IP address in association with each other. Specifically, when an IP address is assigned by an IP address assignment unit 35 to be described later, the address information DB 33 stores the assigned IP address and the MAC address of the terminal to which the IP address is assigned in association with each other. . For example, as shown in FIG. 3, the address information DB 33 stores “MAC address 1, IP address 1”, “MAC address 2, IP address 2”, etc. as “MAC address, IP address”. Further, the information including various data and parameters shown here can be arbitrarily changed unless otherwise specified. FIG. 3 is a diagram illustrating an example of information stored in the address information DB of the IP address assignment device.

  The control unit 34 has an internal memory for storing a control program such as an OS (Operating System), a program that defines various processing procedures, and necessary data, and is particularly closely related to the present invention. An IP address assignment unit 35 is provided, and various processes are executed by these.

  The IP address assignment unit 35 dynamically assigns an IP address to the user terminal. Specifically, in the above example, when the IP address allocation unit 35 receives the IP address acquisition request transmitted from the user terminal A through the L3 routing mechanism, the IP address allocation unit 35 is the MAC address of the user terminal A “ “MAC address 1” is acquired from the IP address acquisition request, and “IP address 1” is assigned to the user terminal A. Then, the IP address assignment unit 35 associates “IP address 1”, which is the assigned IP address, with “MAC address 1”, which is the MAC address of the user terminal, and stores them in the address information DB 33.

(Configuration of L2 network access point 40)
As shown in FIG. 2, the L2 network access point 40 includes a wireless communication unit 41, a communication control I / F unit 42, a storage unit 43, and a control unit 46.

  The wireless communication unit 41 controls communication over a wireless network. Specifically, the wireless communication unit 41 receives a connection request (L2 network access request) from the user terminal A, or sends an IP address acquisition request from the user terminal A. Or a response to an IP address acquisition request received by the communication control I / F unit 42, which will be described later.

  The communication control I / F unit 42 controls communication with the frame transfer device 50 to be connected. Specifically, the communication control I / F unit 42 transfers a connection request received by the wireless communication unit 41 to the frame transfer device 50. And a response to the IP address acquisition request transmitted by the IP address assignment device 30 is received.

  The storage unit 43 stores data and programs necessary for various processes performed by the control unit 46, and includes an encryption key DB 44 and a communication path DB 45 that are particularly closely related to the present invention.

  The encryption key DB 44 stores an encryption key generated based on the MAC address of the user terminal A in association with the MAC address of the user terminal. Specifically, in the above example, as shown in FIG. 4, the encryption key DB 44 is “an encryption key generated based on the“ MAC address indicating the MAC address of the user terminal ”and the MAC address of the user terminal A. “MAC address 1, encryption key A”, “MAC address 2, encryption key B”, etc. Here, as a technique for sharing the encryption key, it may be stored in advance by an administrator or the like, or may be stored using an existing technique such as WPA. In addition, information including various data and parameters can be arbitrarily changed unless otherwise specified. FIG. 4 is a diagram illustrating an example of information stored in the encryption key DB. The encryption key DB 44 corresponds to “encryption key storage unit” recited in the claims.

  The communication path DB 45 stores a virtual communication path identifier that uniquely identifies a virtual communication path connected to the user terminal and the MAC address of the terminal in association with each other. Specifically, in the above example, the communication path DB 45, as shown in FIG. 5, “a“ virtual communication path identifier ”that uniquely identifies a connected virtual communication path, and a“ MAC address ”of a terminal”. Are stored as “MAC address 1, virtual channel identifier A”, “MAC address 2, virtual channel identifier B”, and the like. Information including various data and parameters shown here can be arbitrarily changed unless otherwise specified. FIG. 5 is a diagram illustrating an example of information stored in the communication path DB. The communication path DB 45 corresponds to “communication path storage means” recited in the claims.

  The control unit 46 has a control program such as an OS (Operating System), a program defining various processing procedures, and an internal memory for storing necessary data, and particularly as closely related to the present invention, A communication path connection unit 47 and a frame transfer control unit 48 are provided, and various processes are executed by these units.

  When the communication path connection unit 47 receives a connection request from a user terminal, and the encryption key corresponding to the user terminal that is the transmission destination of the connection request is stored in the encryption key DB 44, the communication path connection unit 47 It is determined that the terminal is a valid user, an encryption key is acquired from the encryption key DB 44, and the user terminal is connected to the user terminal using a virtual communication path using the acquired encryption key. The virtual channel identifier assigned to the connected virtual channel is associated with the MAC address of the terminal and stored in the channel DB 45.

  Specifically, in the above example, when the wireless communication unit 41 receives a frame indicating a connection request from the user terminal A, the communication path connection unit 47 is the user terminal A that is the transmission destination of the frame. The MAC address “MAC address 1” is acquired from the frame. Subsequently, the communication path connection unit 47 determines that the user terminal A is a valid user because the encryption key A corresponding to the acquired “MAC address 1” is stored in the encryption key DB. The encryption key A is acquired from the encryption key DB, and the user terminal A is connected to the user terminal A using the acquired encryption key A through a virtual communication path. Then, the communication path connection unit 47 identifies the identifier “virtual communication path A” assigned to the connected virtual communication path and the MAC address “MAC address 1” of the connected user terminal A acquired from the frame. Are stored in the communication path DB 45. The communication path connection unit 47 corresponds to “communication path connection control means” recited in the claims.

  The frame transfer control unit 48 acquires a MAC address from the frame when the frame is received from a terminal connected with a virtual communication path by the communication path connection unit 47 and assigned an IP address. If the MAC address matches the MAC address stored in the communication path DB 45 identified from the virtual communication path identifier of the virtual communication path from which the frame is transmitted, transfer of the frame is permitted. , Refuse to transfer the frame.

  More specifically, the frame transfer control unit 48 is connected to the user terminal by the communication path connection unit 47 through a virtual communication path and receives a frame from the user terminal to which the IP address is assigned. The MAC address is acquired from the frame. Then, the frame transfer control unit 48 specifies the MAC address stored in the communication path DB 45 corresponding to the virtual communication path identifier of the virtual communication path transmitted from the frame, and the MAC address acquired from the frame When the MAC address specified from the communication path DB matches, the frame is transferred to the frame transfer device 50. When the MAC address does not match, the frame is discarded.

  In the example described above, the frame transfer control unit 48 is connected to the user terminal A by the communication path connection unit 47 through a virtual communication path, and the user terminal A to which the IP address “IP address 1” is assigned. When the frame is received from the frame, “MAC address 1” which is the MAC address is acquired from the frame. Then, the frame transfer control unit 48 specifies “MAC address 1” as the MAC address stored in the communication path DB 45 corresponding to the virtual communication path identifier A of the virtual communication path transmitted from the frame, Since the “MAC address 1” acquired from “1” matches the “MAC address 1” specified from the communication path DB, the frame is transferred to the frame transfer device 50. The frame transfer control unit 48 corresponds to “frame transfer control means” recited in the claims.

(Configuration of frame transfer device 50)
As shown in FIG. 2, the frame transfer apparatus 50 includes an internal communication control I / F unit 51, an external communication control I / F unit 52, a storage unit 53, and a control unit 55.

  The internal communication control I / F unit 51 controls communication related to various information exchanged with the connected L2 network access point 40. More specifically, in the above example, the internal communication control I / F unit 51 receives a connection request or an IP address acquisition request from the user terminal A transferred from the connected L2 network access point 40, or is described later. A response to the IP address acquisition request received by the external communication control I / F unit 52 is transmitted to the L2 network access point 40.

  The external communication control I / F unit 52 controls communication related to various information exchanged with the connected L3 routing mechanism 20. Specifically, the external communication control I / F unit 52 transmits the IP address acquisition request of the user terminal A received by the internal communication control I / F unit 51 to the IP address allocation device 30. Therefore, the request is transferred to the L3 routing mechanism 20 or a response to the request is received from the L3 routing mechanism 20.

  The storage unit 53 stores data and programs necessary for various processes performed by the control unit 55, and includes a transfer rule DB 54 that is particularly closely related to the present invention. The transfer rule DB 54 stores interpretable transfer rules generated and stored by the rule reflector 10. More specifically, in the above example, as shown in FIG. 6, the transfer rule DB 54 reads “Rule number that identifies a rule”, “Condition” that determines whether transfer is possible, and “ "Action 0" as "Rule 0, the data type included in the frame is an IP packet, allow the passage of the frame", "Rule 1, the communication between the terminal and the IP address assignment device, the passage of the frame "Allow" or "Rule 2, allow passage of frames where the source address of the layer 2 frame is MAC address 1 and the source IP address of the IP header included in the frame is IP address 1" And remember. Further, the information including various data and parameters shown here can be arbitrarily changed unless otherwise specified. FIG. 6 is a diagram illustrating an example of information stored in the transfer rule DB.

  The control unit 55 has an internal memory for storing a control program such as an OS (Operating System), a program that defines various processing procedures, and necessary data, and is particularly closely related to the present invention. A transfer control unit 56 is provided, and various processes are executed by these units.

  The transfer control unit 56 acquires an IP address and a MAC address from the frame permitted to be transferred by the frame transfer control unit 48 of the L2 network access point 40, and is specified by the acquired IP address and the acquired MAC address. If the IP address stored in the address information DB 33 matches, the frame is transferred to the external network as a packet. If the IP address does not match, the frame is discarded. Specifically, the transfer control unit 56 uses the MAC address and the IP address of the user terminal A that is the frame transmission source as “MAC address 1” from the IP header of the frame transferred by the frame transfer control unit 48 of the L2 network access point 40. And “IP address 1”. Subsequently, the transfer control unit 56 determines whether the frame can be transferred based on the transfer rules stored in the transfer rule DB 54.

  In the example described above, the transfer control unit 56 uses the MAC address and IP address of the user terminal A that is the frame transmission source as the MAC address from the IP header of the frame transferred by the frame transfer control unit 48 of the L2 network access point 40. The frame is acquired for “address 1” and “IP address 1”. Then, the transfer control unit 56 reads “Rule 2, the source address of the layer 2 frame is the MAC address 1 and the source IP address of the IP header included in the frame is the IP address 1 in the transfer rule DB 54. Since “permit passage of frame” is stored, the frame is transferred to the routing mechanism 20 as an IP packet.

  On the other hand, in the transfer rule DB 54, “Rule 2, the transmission of the frame in which the transmission source address of the layer 2 frame is the MAC address 1 and the transmission source IP address of the IP header included in the frame is the IP address 1. "Reject" or "Rule 3, frame 2 source address is MAC address 1 and IP header source IP address included in the frame is IP address 2" Is stored, the transfer control unit 56 rejects the transfer of the frame and discards the frame. The transfer control unit 56 corresponds to “transfer control means” recited in the claims.

[Processing by packet transfer system]
Next, processing by the packet transfer system will be described with reference to FIGS. FIG. 7 is a flowchart illustrating a flow of virtual communication path connection processing in the packet transfer system according to the first embodiment, and FIG. 8 is a flowchart illustrating a flow of frame transfer processing in the packet transfer system according to the first embodiment.

(Virtual channel connection processing flow)
As shown in FIG. 7, when a connection request is received from the user terminal (Yes at step S701), the packet transfer system acquires a MAC address from the connection request (step S702). Specifically, in the above example, the L2 network access point 40 that has received the connection request (L2 network access request) transmitted from the user terminal A by wireless communication uses the MAC address 1 as the MAC address from the connection request. Is obtained.

  Subsequently, the packet transfer system determines whether or not an encryption key corresponding to the acquired MAC address is stored (step S703). More specifically, in the above example, the L2 network access point 40 determines whether or not the encryption key corresponding to the acquired “MAC address 1” is stored in the encryption key DB 44.

  If the encryption key corresponding to the acquired MAC address is stored (Yes at step S703), the packet transfer system acquires the encryption key and uses the encryption key acquired between the user terminal and the virtual key. A virtual communication path identifier assigned to the established virtual communication path and the acquired MAC address are stored in association with each other (step S705).

  Specifically, in the above example, when the “encryption key A” corresponding to the acquired “MAC address 1” is stored in the encryption key DB 44, the L2 network access point 40 acquires the “encryption key A”. Then, the virtual communication path “virtual communication path identifier A” is established using the “encryption key A” acquired between the user terminal and the virtual assigned to the established virtual communication path. The communication path identifier “virtual communication path identifier A” and the acquired MAC address “MAC address 1” are stored in the communication path DB 45 in association with each other.

  On the other hand, when the encryption key corresponding to the acquired MAC address is not stored (No at Step S703), the packet transfer system rejects the connection (Step S706). Specifically, in the above example, when the encryption key corresponding to the acquired “MAC address 1” is not stored in the encryption key DB 44, the L2 network access point 40 sends a response indicating that the connection is rejected to the user. Transmit to terminal A.

(Flow of frame transfer processing)
As shown in FIG. 8, when a frame is received from the user terminal (Yes at step S801), the packet transfer system acquires a MAC address from the frame (step S802). Specifically, in the example described above, the L2 network access point 40 that has received a frame transmitted by wireless communication from the user terminal A connected via a virtual communication path uses the MAC address as the MAC address from the frame. 1 ”is acquired.

  Subsequently, the packet transfer system specifies the MAC address stored in the communication path DB by the virtual communication path identifier of the virtual communication path from which the frame is transmitted (step S803), and specifies the acquired MAC address. It is determined whether or not the received MAC address matches (step S804). Specifically, in the above example, the L2 network access point 40 sets the MAC address associated with the virtual channel identifier “virtual channel identifier A” of the virtual channel to which the frame is transmitted, The communication path DB is identified as “MAC address 1”, and it is determined whether or not the acquired “MAC address 1” matches the identified “MAC address 1”.

  If the acquired MAC address matches the specified MAC address (Yes at step S804), the packet transfer system permits transfer of the frame (step S805). Specifically, in the example described above, when the acquired “MAC address 1” matches the specified “MAC address 1”, the L2 network access point 40 transfers the frame to the frame transfer device 50. .

  Then, the packet transfer system acquires an IP address from the frame (step S806), and determines whether or not the acquired IP address matches the IP address stored in the address information DB 33 of the IP address assignment device 30. (Step S807).

  More specifically, the frame transfer apparatus 50 uses the IP header transferred from the L2 network access point 40 as the MAC address and IP address of the user terminal A as “MAC address 1” and “IP address 1”. And get. Subsequently, the frame transfer apparatus 50 acquires “IP address 1” stored in the address information DB 33 of the IP address allocation apparatus 30 in association with the acquired “MAC address 1”. Then, the “IP address 1” acquired from the frame matches the “IP address 1” acquired from the address information DB 33 of the IP address assignment device 30, that is, a rule that allows the transfer rule DB to transfer the frame. Whether or not is stored is determined.

  If the acquired IP address matches the IP address stored in the address information DB 33 of the IP address assignment device 30 (Yes in step S807), the packet transfer system transfers the frame as a packet (step S808). .

  Specifically, in the above example, the frame transfer device 50 matches “IP address 1” acquired from the frame with “IP address 1” stored in the address information DB 33 of the IP address assignment device 30. That is, in the transfer rule DB 54, “Rule 2, the transmission source address of the layer 2 frame is MAC address 1, and the transmission source IP address of the IP header included in the frame is IP address 1, Since “permit” is stored, the frame is transferred as an IP packet to the external network via the L3 routing mechanism 20.

  On the other hand, when the acquired MAC address does not match the specified MAC address (No at Step S804), or when the acquired IP address does not match the IP address stored in the address information DB 33 of the IP address assignment device 30 (No in step S807), the packet transfer system discards the frame (step S809).

[Effects of Example 1]
Thus, according to the first embodiment, the virtual communication path identifier that uniquely identifies the virtual communication path connected to the user terminal A is associated with the MAC address of the user terminal A. When the connection request is received from the user terminal A, the user terminal A is connected to the user terminal A through a virtual communication path on the condition that the user terminal A is a valid user. Then, the virtual communication path identifier assigned to the connected virtual communication path and the MAC address of the user terminal A are stored in association with each other, and the IP address is connected through the virtual communication path. When a frame is received from the assigned user terminal A, the MAC address is acquired from the frame, and specified from the acquired MAC address and the virtual channel identifier of the virtual channel through which the frame is transmitted MAC If the address matches, the transfer of the frame is permitted. If the address does not match, the transfer of the frame is rejected, the IP address and the MAC address are acquired from the frame permitted to transfer, the acquired IP address, If the IP address stored in the address information DB 33 specified by the acquired MAC address matches, the frame is transferred to the external network as a packet. If the IP address does not match, the frame is discarded. As a result of identifying a normally connected terminal by a virtual channel identifier that identifies a valid communication channel, it is possible to accurately filter packets using a spoofed IP address even in a shared media network is there.

  For example, even when a frame in which a MAC address is spoofed is received from a terminal connected through a virtual communication path, as a result of storing the virtual communication path identifier and the MAC address in association with each other, the frame is received from an unauthorized terminal. It can be detected and discarded as a transmitted frame, and even when a frame spoofing an IP address is received from a terminal connected via a virtual communication path, the assigned IP address and MAC address Can be detected and discarded as a frame transmitted from an unauthorized terminal.

  Further, since a virtual communication path (L2 access session) to which the terminal is connected is uniquely specified and a malicious terminal that spoofs the same MAC address cannot connect to the L2 access session, Communication is possible only using the assigned IP address.

  In addition, according to the first embodiment, when an encryption key shared with the user terminal A is stored in association with the MAC address of the user terminal A and the connection request is received from the user terminal A, the connection request When the encryption key corresponding to the terminal that is the destination of the transmission is stored, it is determined that the user terminal A is a valid user, the encryption key is acquired, and the acquired encryption key is used. Since the user terminal A is connected to the user terminal A through the virtual communication path, a virtual communication path with high security can be created. As a result, it is possible to strongly prevent third party intervention. is there.

  For example, as a result of being able to connect a VPN using an encryption key, it is possible to firmly prevent a third party from intruding into the connected virtual communication path. In addition, since the encryption key is shared between the terminal that desires connection and the packet transfer system, it is possible to authenticate the terminal that transmits the connection request depending on whether or not the encryption key is held. . Furthermore, by using the encryption key generated from the MAC address, it is possible to more firmly prevent the encryption key from being spoofed and the intervention of the terminal that is spoofing the IP address.

  By the way, in the packet transfer system according to the present invention, an authentication function to the layer 2 network can be added. Thus, in the second embodiment, a packet transfer system to which an authentication function for a layer 2 network is added will be described with reference to FIG. FIG. 9 is a diagram illustrating the overall configuration of the packet transfer system according to the second embodiment.

  As shown in FIG. 9, this packet transfer system is different from the packet transfer system described in the first embodiment in an authentication unit 62 (corresponding to “user authentication means” described in claims) and a user information DB 61 (patent). L2 access authentication device 60 and matching mechanism 70 (corresponding to “user information storage means” described in claims) and matching mechanism 70 (“IP address specifying means” and “user specifying means” described in claims) Corresponding to and) have been added. Also, the L2 network access point 40 shown in FIG. This is a device compatible with x and EAP-TLS (RFC2716).

  The user information DB 61 of the L2 access authentication device 60 stores a user ID that uniquely identifies the user terminal A and the MAC address of the terminal in association with each other. As a specific example, as shown in FIG. 10, the user information DB 61 includes “user A, MAC address 1” as “a user ID uniquely identifying a terminal and a“ MAC address ”of the terminal”. Or “user B, MAC address 2”. Further, the information including various data and parameters shown here can be arbitrarily changed unless otherwise specified. FIG. 10 is a diagram illustrating an example of information stored in the user information DB.

  When the authentication unit 62 of the L2 access authentication device 60 receives a connection request from the user terminal A, the authentication unit 62 determines whether or not the terminal is a legitimate user by a predetermined authentication method, and sends the connection request. When it is determined that the transmitted terminal is a valid user, the MAC address and IP address of the terminal are stored in the user information DB 61.

  The matching mechanism 70 specifies an IP address stored in the address information DB 33 from a MAC address stored in the user information DB 61 corresponding to the user ID, and stores it in the address information DB 33 corresponding to the IP address. The user ID stored in the user information DB 61 is specified from the MAC address to be stored.

  The predetermined authentication shown here will be specifically described below. The L2 network access point 40 that receives the electronic certificate together with the connection request from the user terminal A using x or EAP-TLS (RFC2716) or the like transmits the connection request to the L2 access authentication device via the L3 routing mechanism 20. 60 (see (1) in FIG. 9).

  Then, the authentication unit 62 of the L2 access authentication device 60 determines whether the terminal that transmitted the connection request from the received electronic certificate is a valid user (see (2) in FIG. 9). If it is determined that the user is a valid user, the authentication unit 62 of the L2 access authentication device 60 stores “user A, MAC address 1” in the user information DB 61 as the user ID and MAC address of the user terminal A. (See (3) in FIG. 9).

  Thereafter, an IP address is assigned to the user terminal A by the same method described in the first embodiment, and the IP address and MAC address of the user terminal A are stored in the address information DB 33 of the IP address assignment device 30. Then, the matching mechanism 70 specifies the IP address stored in the address information DB 33 from the MAC address stored in the user information DB 61 corresponding to the user ID, and in the address information DB 33 corresponding to the IP address. The user ID stored in the user information DB 61 is specified from the stored MAC address (see (5) in FIG. 9). That is, the matching mechanism 70 searches for the MAC address from the correspondence between the user ID and the MAC address, and further searches for the MAC address from the correspondence between the MAC address and the IP address as a key, thereby obtaining the user ID and the IP address. Can be obtained. It is also possible to obtain a MAC address from the correspondence between the MAC address and the IP address using the IP address as a key, and to search the user ID using the MAC address obtained from the correspondence between the user ID and the MAC address as a key. Is possible.

  Further, according to the second embodiment, when a connection request is received from a terminal, the terminal obtains the MAC address and IP address of the terminal from the connection request, and based on the acquired MAC address and IP address, the terminal Since it is determined by a predetermined authentication method whether or not the user is a legitimate user, it is possible to maintain high security as a result of connecting the virtual communication path after authenticating the terminal at the L2 layer level.

  For example, IEEE802. x or EAP (Extensible Authentication Protocol) -TLS (Transport Layer Security) “RFC2716” or the like can be used to receive an electronic certificate issued by a third party together with a connection request, based on this electronic certificate. As a result of authenticating the terminal, security can be kept high.

  According to the second embodiment, the user terminal A is assigned a user ID that uniquely identifies the user who uses the terminal, and the terminal that transmitted the connection request is a valid user. The user ID assigned to the terminal and the user information DB 61 stored in association with the MAC address of the terminal, and the MAC address from the user ID stored in the user information DB 61. The IP address stored in the address information DB 33 is specified from the specified MAC address, the MAC address is specified from the IP address stored in the address information DB 33, and stored in the user information DB 61 from the specified IP address. Therefore, the user ID assigned to the terminal from the IP address or the user ID is assigned. It is possible to easily identify the IP address of the terminal user ID is given split.

  For example, the MAC address is searched from the correspondence between the user ID and the MAC address, and further, the correspondence between the user ID and the IP address is searched by searching for the MAC address from the correspondence between the MAC address and the IP address. Obtainable. It is also possible to obtain a MAC address from the correspondence between the MAC address and the IP address using the IP address as a key, and to search the user ID using the MAC address obtained from the correspondence between the user ID and the MAC address as a key. Is possible.

  By the way, in the packet transfer system according to the present invention, when it is detected that the connected virtual communication path is in an invalid state, the information regarding the connected user terminal can be deleted. Thus, in the third embodiment, a packet transfer system that deletes information related to a connected user terminal when a connected virtual communication path is detected to be invalid will be described with reference to FIG. To do. FIG. 11 is a diagram illustrating the overall configuration of the packet transfer system according to the third embodiment.

  As shown in FIG. 11, when the virtual communication path is established between the L2 access authentication apparatus and the user terminal as shown in FIG. 11, the MAC address of the terminal is different from the first embodiment or the second embodiment. Is connected to the session information DB 80 for storing the acquired encryption key, the MAC address of the terminal, and the virtual channel identifier of the virtual channel as session information. ing. In addition, the L3 routing mechanism 20 is connected with a session information notification device 90 that transmits an instruction to delete information about the connected user terminal to each device when the connected virtual communication path is disconnected. Has been.

  In such a configuration, as in the first or second embodiment, when a connection request is transmitted from the user terminal A, user authentication is executed by the L2 access authentication device 60, and the user is a valid user. When the determination is made, the L2 network access point 40 acquires the encryption key A corresponding to the MAC address of the user terminal A from the encryption key DB 44, and uses the acquired encryption key A to communicate with the user terminal A. (1) to (4) in FIG. 11). Then, as shown in FIG. 12, the L2 access authentication device 60 stores the session information (encryption key A, MAC address 1, virtual channel identifier A) of the established virtual channel in the session information DB 80 ( (See (5) in FIG. 11). Here, the user terminal connected to the L2 network access point 40 through a virtual communication path periodically transmits a connection update signal to the L2 network access point 40 in order to continue the connection state. FIG. 12 is a diagram illustrating an example of information stored in the session information DB.

  Thereafter, when the L2 network access point 40 detects that the connected virtual communication path is in an invalid state (see (6) in FIG. 11), the L2 network access point 40 is in an invalid state stored in the communication path DB 45, respectively. While deleting the “virtual channel identifier A, MAC address 1”, which is information corresponding to the detected MAC address of the user terminal A (see (7) in FIG. 11), the session is in an invalid state. The detection is notified to the L2 access authentication device 60 (see (8) in FIG. 11).

  Here, as a technique for detecting that the virtual communication path is in an invalid state, when a disconnection signal from the L2 network access point 40 is detected by a link (association), a new virtual communication path is established. When it is determined that another virtual communication path related to the MAC address of the terminal connected through the virtual communication path is invalid, the connection is periodically updated from the terminal where the virtual communication path is established. Receiving the signal may include a case where the periodic connection update signal is not received even after the expiration date has passed, and the invalid state can be detected by various methods other than this.

  Then, the L2 access authentication device 60 that has received the notification that the session has been invalidated receives the “encryption key A, MAC address 1, virtual channel identifier A” stored in the session information DB 80, and the user User terminal “User A, MAC address 1” stored in the information DB 61 is deleted (see (9) in FIG. 11), and the user terminal detected as being in the invalidation state stored in the transfer rule DB 54 An instruction to delete a transfer rule, which is information corresponding to the MAC address of A, is transmitted to the rule reflector 10, and a notification detected that the session is invalidated is transmitted to the session information notifier 90 ( (See (10) in FIG. 11).

  Upon receiving the delete instruction, the rule reflector 10 stores the “rule 2, the source address of the layer 2 frame is the MAC address 1 stored in the transfer rule DB 54 of the frame transfer device 50, and the IP header included in the frame. The transmission rule “permits passage of frames whose source IP address is IP address 1” is deleted (see (11) in FIG. 11).

  In addition, the session information notifier 90 that has received the notification detected that the session is in the invalidation state uses the IP address allocation device 30 detected as being in the invalid state stored in the address information DB 33. The IP address allocation device 30 that has transmitted the instruction to delete the information “MAC address 1, IP address 1” corresponding to the MAC address “MAC address 1” of the user terminal A and received the instruction is stored in the address information DB 33. "MAC address 1, IP address 1" is deleted, the IP address assignment of the user terminal A is terminated (see (12) in FIG. 11).

  As described above, according to the third embodiment, when it is detected that a virtual communication path connected to the user terminal A is in an invalid state, the virtual communication path is assigned to the virtual communication path. The information “virtual communication channel identifier A, MAC address 1” stored in the communication channel DB 45 in association with the existing virtual communication channel identifier A and the address information DB 33 in association with the MAC address of the user terminal A are stored. Since the information “MAC address 1, IP address 1” is deleted, the virtual communication path with the terminal that holds the MAC address can be invalidated. It is possible to firmly prevent the terminal from connecting to the network.

  For example, even if a malicious terminal tries to connect to the L2 network access point 40, the L2 network access point 40 of the packet transfer system does not hold the encryption key A shared with the legitimate terminal. An L2 access session to which a valid terminal is connected cannot be reproduced. Even if a malicious terminal generates an L2 access session using a different encryption key, it is a session different from the L2 access session to which the legitimate terminal is connected. It can be discarded by the transfer device 50.

  In addition, when a terminal connected via a virtual communication path periodically transmits an update signal for updating the connection to the packet transfer system, the update signal is not received even if the update procedure expires. Then, the connection with the terminal can be considered to be disconnected, and the connection can be invalidated. As a result, a malicious terminal that spoofs the MAC address or the IP address is strongly prevented from connecting to the network. It is possible.

  By the way, in the packet transfer system according to the present invention, there are a plurality of L2 network access points, and when a terminal reconnects from a certain L2 network access point to a different L2 network access point, a virtual communication path is quickly reconstructed. Can do. Therefore, in the fourth embodiment, a packet transfer system for quickly reconstructing a virtual communication path will be described with reference to FIG. FIG. 13 is a diagram illustrating the overall configuration of the packet transfer system according to the fourth embodiment.

  The difference from the first to third embodiments is that a plurality of L2 network access points A to C are connected to the frame transfer apparatus 50 as shown in FIG. In such a configuration, it is assumed that the user terminal A to which the IP address “IP address 1” is assigned and the L2 network access point C are connected via a virtual communication path. In that case, the session information DB 80 stores session information (encryption key A, MAC address 1, virtual communication path identifier A) of the established virtual communication path.

  From this state, the user terminal A cancels the virtual communication path with the L2 network access point C, and newly sends a connection request for requesting reconnection to the L2 network access point B to the L2 network access point B. (See (1) in FIG. 13). Then, the L2 network access point B refers to the session information DB 80 and stores session information (encryption key A, MAC address 1) corresponding to “MAC address 1” that is the MAC address of the user terminal A that has transmitted the connection request. Since the virtual communication path identifier A) is stored, the session information (encryption key A, MAC address 1, virtual communication path identifier A) is acquired (see (2) in FIG. 13), and the acquired session information is acquired. Based on (encryption key A, MAC address 1, virtual channel identifier A), a virtual channel connected between the user terminal A and the L2 network access point C is reconstructed ((( See 3))). The subsequent frame transfer control is the same as that in the first embodiment, and is therefore omitted here.

  As described above, according to the fourth embodiment, when a virtual communication path is established with the user terminal A, the encryption key A corresponding to the MAC address 1 of the terminal is acquired from the encryption key DB 44. The acquired encryption key A, the MAC address 1 of the user terminal A, and the virtual communication path identifier A of the virtual communication path are stored as session information, and the connection via the virtual communication path is temporarily canceled. If the session information corresponding to the MAC address 1 of the user terminal A is stored in the session information DB 80 when the connection request is received from the user terminal A, the session information is acquired from the session information DB 80 and acquired. The virtual communication path of the previously connected virtual communication path identifier A is used instead of the virtual communication path of the new virtual communication path identifier using the session information thus generated. Since rebuild between A, it is possible to suppress the re-connection of Layer 3 communication by re-payout of the IP address.

  For example, since a session can be restored in layer 2 and there is no need to reestablish an upper layer connection higher than layer 3, it is possible to suppress reassignment of IP addresses, and further, SIP registration ( registration), location registration when using Mobile IP, and methods such as DDNS that dynamically register IP addresses and corresponding names, generate update signals (for example, reconnection and reassignment of IP addresses) It can be deterred.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. Therefore, as shown below, different embodiments will be described by dividing into (1) system configuration and (2) programs.

(1) System Configuration, etc. Also, among the processes described in this embodiment, all or one of the processes described as being automatically performed (for example, the process of acquiring a MAC address and user ID from a connection request). The part can also be done manually. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters (for example, FIGS. It can be changed arbitrarily unless you want to.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. It can be configured by integrating (for example, integrating an L2 network access point and a frame transfer device). Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic. For example, the frame transfer apparatus and the L2 network access point are integrated, the frame transfer apparatus and the rule reflector are integrated, or the communication path connection unit of the L2 network access point is configured to be included in the frame apparatus. Various device configurations can be realized.

(2) Program The packet transfer system described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the packet transfer system and the packet transfer method according to the present invention determine that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user, and send it to an external network. It is useful for forwarding, and is particularly suitable for accurately filtering packets using a spoofed IP address even in a shared media type network.

1 is a system configuration diagram illustrating an overall configuration of a packet transfer system according to a first embodiment. 1 is a block diagram illustrating a configuration of a packet transfer system according to a first embodiment. It is a figure which shows the example of the information memorize | stored in address information DB. It is a figure which shows the example of the information memorize | stored in encryption key DB. It is a figure which shows the example of the information memorize | stored in communication path DB. It is a figure which shows the example of the information memorize | stored in transfer rule DB. 3 is a flowchart illustrating a flow of virtual communication path connection processing in the packet transfer system according to the first embodiment. 3 is a flowchart illustrating a flow of frame transfer processing in the packet transfer system according to the first embodiment. It is a figure which shows the whole structure of the packet transmission system which concerns on Example 2. FIG. It is a figure which shows the example of the information memorize | stored in user information DB. FIG. 10 is a diagram illustrating an overall configuration of a packet transfer system according to a third embodiment. It is a figure which shows the example of the information stored in session information DB. FIG. 10 is a diagram illustrating an overall configuration of a packet transfer system according to a fourth embodiment.

Explanation of symbols

10 Rule Reflector 20 L3 Routing Mechanism 30 IP Address Allocation Device 31 Communication Control I / F Unit 32 Storage Unit 33 Address Information DB
34 Control Unit 35 IP Address Allocation Unit 40 L2 Network Access Point 41 Wireless Communication Unit 42 Communication Control I / F Unit 43 Storage Unit 44 Encryption Key DB
45 communication channel DB
46 control unit 47 communication path connection unit 48 frame transfer control unit 50 frame transfer device 51 internal communication control I / F unit 52 external communication control I / F unit 53 storage unit 54 transfer rule DB
55 Control Unit 56 Transfer Control Unit 60 L2 Access Authentication Device 61 User Information DB
62 Authentication Unit 70 Matching Mechanism 80 Session Information DB
90 Session information notifier

Claims (6)

A packet transfer system for determining that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user and transferring the frame to an external network,
A communication path storage means for uniquely storing a virtual communication path identifier for uniquely identifying a virtual communication path connected to the terminal and the MAC address of the terminal;
Address information storage means for storing the IP address assigned to the terminal and the MAC address of the terminal assigned the IP address in association with each other;
When a connection request is received from the terminal, the terminal is connected to the terminal via a virtual communication path on the condition that the terminal is a valid user, and is allocated to the connected virtual communication path. A communication path connection control means for associating a given virtual communication path identifier with the MAC address of the terminal and storing it in the communication path storage means;
When a frame is received from a terminal connected with a virtual communication path by the communication path connection control means and assigned an IP address, the MAC address is acquired from the frame, and the acquired MAC address and the frame are When the MAC address stored in the communication path storage means specified from the virtual communication path identifier of the transmitted virtual communication path matches, transfer of the frame is permitted, and when the MAC address does not match, the frame Frame transfer control means for refusing to transfer,
An IP address and a MAC address are acquired from a frame whose transfer is permitted by the frame transfer control unit, and the acquired IP address and an IP address stored in the address information storage unit specified by the acquired MAC address Transfer control means for transferring the frame as a packet to the external network if the two match, and discarding the frame if they do not match,
An encryption key storage means for storing an encryption key shared with the terminal in association with the MAC address of the terminal;
When the communication path connection control means receives a connection request from the terminal, the communication path connection control means acquires an encryption key stored in the encryption key storage means in association with the MAC address of the terminal, and uses the acquired encryption key A packet transfer system for connecting to the terminal via the virtual communication path. A packet transfer system for determining that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user and transferring the frame to an external network,
A communication path storage means for uniquely storing a virtual communication path identifier for uniquely identifying a virtual communication path connected to the terminal and the MAC address of the terminal;
Address information storage means for storing the IP address assigned to the terminal and the MAC address of the terminal assigned the IP address in association with each other;
When a connection request is received from the terminal, the terminal is connected to the terminal via a virtual communication path on the condition that the terminal is a valid user, and is allocated to the connected virtual communication path. A communication path connection control means for associating a given virtual communication path identifier with the MAC address of the terminal and storing it in the communication path storage means;
When a frame is received from a terminal connected with a virtual communication path by the communication path connection control means and assigned an IP address, the MAC address is acquired from the frame, and the acquired MAC address and the frame are When the MAC address stored in the communication path storage means specified from the virtual communication path identifier of the transmitted virtual communication path matches, transfer of the frame is permitted, and when the MAC address does not match, the frame Frame transfer control means for refusing to transfer,
An IP address and a MAC address are acquired from a frame whose transfer is permitted by the frame transfer control unit, and the acquired IP address and an IP address stored in the address information storage unit specified by the acquired MAC address Transfer control means for transferring the frame as a packet to the external network if the two match, and discarding the frame if they do not match,
An invalidation state detecting means for detecting that a virtual communication path connected to the terminal is in an invalid state ,
The communication path connection control means uses a virtual communication path identifier assigned to the virtual communication path when the virtual communication path is detected to be invalid by the invalidation state detection means. A packet transfer system , wherein information stored in the communication path storage means in association with the information stored in the address information storage means in association with the MAC address of the terminal is deleted . A packet transfer system for determining that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user and transferring the frame to an external network,
A communication path storage means for uniquely storing a virtual communication path identifier for uniquely identifying a virtual communication path connected to the terminal and the MAC address of the terminal;
Address information storage means for storing the IP address assigned to the terminal and the MAC address of the terminal assigned the IP address in association with each other;
When a connection request is received from the terminal, the terminal is connected to the terminal via a virtual communication path on the condition that the terminal is a valid user, and is allocated to the connected virtual communication path. A communication path connection control means for associating a given virtual communication path identifier with the MAC address of the terminal and storing it in the communication path storage means;
When a frame is received from a terminal connected with a virtual communication path by the communication path connection control means and assigned an IP address, the MAC address is acquired from the frame, and the acquired MAC address and the frame are When the MAC address stored in the communication path storage means specified from the virtual communication path identifier of the transmitted virtual communication path matches, transfer of the frame is permitted, and when the MAC address does not match, the frame Frame transfer control means for refusing to transfer,
An IP address and a MAC address are acquired from a frame whose transfer is permitted by the frame transfer control unit, and the acquired IP address and an IP address stored in the address information storage unit specified by the acquired MAC address Transfer control means for transferring the frame as a packet to the external network if the two match, and discarding the frame if they do not match,
An encryption key storage means for storing an encryption key shared with the terminal in association with the MAC address of the terminal;
When a virtual communication path is established with the terminal by the communication path connection control means, an encryption key corresponding to the MAC address of the terminal is acquired from the encryption key storage means, and the acquired encryption key, Session information storage means for storing the MAC address of the terminal and the virtual communication path identifier of the virtual communication path as session information in a predetermined session information storage means ,
When the communication path connection control means receives a connection request from the terminal , the communication path connection control means acquires an encryption key stored in the encryption key storage means in association with the MAC address of the terminal, and uses the acquired encryption key If the connection request is received from a terminal that temporarily cancels the connection through the virtual communication path, the corresponding MAC address of the terminal is supported. Session information to be stored in the predetermined session information storage means, the session information is acquired from the predetermined session information storage means, and the virtual session identifier of the new virtual communication path identifier is acquired using the acquired session information. A packet transfer system characterized by reconstructing a virtual communication channel of a previously connected virtual communication channel identifier with the terminal instead of a simple communication channel . A packet transfer system for determining that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user and transferring the frame to an external network,
A communication path storage means for uniquely storing a virtual communication path identifier for uniquely identifying a virtual communication path connected to the terminal and the MAC address of the terminal;
Address information storage means for storing the IP address assigned to the terminal and the MAC address of the terminal assigned the IP address in association with each other;
When a connection request is received from the terminal, the terminal is connected to the terminal via a virtual communication path on the condition that the terminal is a valid user, and is allocated to the connected virtual communication path. A communication path connection control means for associating a given virtual communication path identifier with the MAC address of the terminal and storing it in the communication path storage means;
When a frame is received from a terminal connected with a virtual communication path by the communication path connection control means and assigned an IP address, the MAC address is acquired from the frame, and the acquired MAC address and the frame are When the MAC address stored in the communication path storage means specified from the virtual communication path identifier of the transmitted virtual communication path matches, transfer of the frame is permitted, and when the MAC address does not match, the frame Frame transfer control means for refusing to transfer,
An IP address and a MAC address are acquired from a frame whose transfer is permitted by the frame transfer control unit, and the acquired IP address and an IP address stored in the address information storage unit specified by the acquired MAC address Transfer control means for transferring the frame as a packet to the external network if the two match, and discarding the frame if they do not match,
User authentication means for determining whether or not the terminal is a legitimate user when a connection request is received from the terminal ;
A packet transfer system comprising: The terminal is assigned a user ID that uniquely identifies a user who uses the terminal,
When it is determined that the terminal that transmitted the connection request by the user authentication means is a valid user, the user ID assigned to the terminal and the MAC address of the terminal are stored in association with each other. User information storage means;
IP address specifying means for specifying a MAC address from a user ID stored in the user information storage means, and specifying an IP address stored in the address information storage means from the specified MAC address and / or the address information storage means claim specifies the MAC address from the IP address stored, characterized in that the user identification means for identifying a user ID stored from the specified IP address in the user information storage means, further comprising a four The packet transfer system described in 1. A packet transfer method suitable for determining that a frame transmitted from a terminal used by a user is a frame transmitted from a legitimate user and transferring the frame to an external network,
A communication path storage means for uniquely storing a virtual communication path identifier for uniquely identifying a virtual communication path connected to the terminal and the MAC address of the terminal;
Address information storage means for storing the IP address assigned to the terminal and the MAC address of the terminal assigned the IP address in association with each other;
An encryption key storage means for storing an encryption key shared with the terminal in association with the MAC address of the terminal;
When a connection request is received from the terminal, the terminal is connected to the terminal via a virtual communication path on the condition that the terminal is a valid user, and is allocated to the connected virtual communication path. A communication path connection control step of associating a given virtual communication path identifier with the MAC address of the terminal and storing it in the communication path storage means;
When a frame is received from a terminal connected by a virtual communication path and assigned an IP address in the communication path connection control step, the MAC address is acquired from the frame, and the acquired MAC address and the frame are When the MAC address stored in the communication path storage means specified from the virtual communication path identifier of the transmitted virtual communication path matches, transfer of the frame is permitted, and when the MAC address does not match, the frame Frame transfer control process for rejecting the transfer of
An IP address and a MAC address are acquired from the frame permitted to be transferred by the frame transfer control step, and the acquired IP address and an IP address stored in the address information storage means specified by the acquired MAC address And a transfer control step of transferring the frame as a packet to the external network if the two match, and discarding the frame if not matching ,
When the communication channel connection control step receives a connection request from the terminal, the communication path connection control step acquires an encryption key stored in the encryption key storage unit in association with the MAC address of the terminal, and uses the acquired encryption key A packet transfer method comprising: connecting the terminal to the terminal through the virtual communication path.

Images