1. Field of the Invention
The present invention relates to a communication apparatus that updates a key used to decrypt or authenticate a packet to be communicated between the communication apparatus and another communication apparatus.
2. Description of the Related Art
In recent years, the need to ensure the security of data sent and received over a network has increased. One protocol for securing Internet Protocol (IP) packets flowing on an IP network is the IP Security Protocol (IPSec) (see Japanese Patent Application Laid-Open No. 2006-352500).
An encryption key and an authentication key used in the IPSec are managed as a Security Association (SA). A packet conforming to the IPSec is encrypted, decrypted, and authenticated using an encryption key and authentication key managed as the SA.
The SA is periodically updated from an old SA to a new SA each time a software expiration date (update date) passes. The old SA that was in use before the update, on the other hand, is retained until either an instruction to delete it is received from the communication partner or a hardware expiration date (deletion date) passes. The hardware expiration date is provided so that a packet still protected with the old SA can be received successfully even if it is delivered late, or if the communication partner takes time to shift from the old SA to the new SA.
When the deletion instruction from the communication partner is lost in the network, however, the communication apparatus never receives it, so the old SA cannot be deleted until the hardware expiration date passes.
A user can set any value as the hardware expiration date. Thus, the old SA may remain in memory for a long time after being updated, without being deleted.
When old SAs remain in memory for a long time without being deleted, the available memory space is reduced. Further, the processing load of searching for an SA increases.
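The lifecycle described above (update at the software expiration date, retention of the old SA until a deletion instruction or the hardware expiration date, and accumulation of stale SAs when the deletion instruction is lost) can be made concrete with a small simulation. The following Python model is an added example, not code from the patent or from any IPSec implementation; SPIs, keys and tick-based times are constructed for illustration, and the `SADatabase` and `simulate` names are assumptions of this example.

```python
"""Model of IPsec SA lifetimes: soft (update) and hard (delete) expirations.

Times are abstract integer ticks; SPIs and keys are constructed sample values.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SecurityAssociation:
    spi: int                 # Security Parameter Index identifying the SA
    key: bytes               # encryption/authentication key material (constructed)
    soft_expiry: int         # "software expiration date": SA is updated at this tick
    hard_expiry: int         # "hardware expiration date": old SA is deleted at this tick
    superseded: bool = False # True once a newer SA has replaced this one


class SADatabase:
    """In-memory SA table of one communication apparatus (hypothetical helper)."""

    def __init__(self, soft_lifetime: int, hard_lifetime: int) -> None:
        if hard_lifetime <= soft_lifetime:
            raise ValueError("hard lifetime must exceed soft lifetime")
        self.soft_lifetime = soft_lifetime
        self.hard_lifetime = hard_lifetime
        self.sas: Dict[int, SecurityAssociation] = {}
        self.current_spi: Optional[int] = None
        self._next_spi = 0x1000  # constructed starting SPI

    def install(self, now: int) -> SecurityAssociation:
        """Create a fresh SA and make it the active one."""
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        sa = SecurityAssociation(spi, secrets.token_bytes(16),
                                 now + self.soft_lifetime, now + self.hard_lifetime)
        self.sas[spi] = sa
        self.current_spi = spi
        return sa

    def rekey_if_due(self, now: int) -> Optional[int]:
        """Update the active SA once its software expiration date passes.

        Returns the SPI of the SA just superseded (the one the partner is
        expected to instruct us to delete later), or None if nothing happened.
        """
        old = self.sas[self.current_spi]
        if now < old.soft_expiry:
            return None
        old.superseded = True  # retained until DELETE arrives or hard expiry passes
        self.install(now)
        return old.spi

    def on_delete_notification(self, spi: int) -> None:
        """The partner's deletion instruction for an old SA arrived: free it now."""
        self.sas.pop(spi, None)

    def purge_hard_expired(self, now: int) -> int:
        """Drop superseded SAs whose hardware expiration date passed; return count."""
        expired = [spi for spi, sa in self.sas.items()
                   if sa.superseded and now >= sa.hard_expiry]
        for spi in expired:
            del self.sas[spi]
        return len(expired)

    def lookup_cost(self, spi: int) -> int:
        """Entries examined by a linear search for `spi` (models the search load)."""
        for examined, candidate in enumerate(self.sas, start=1):
            if candidate == spi:
                return examined
        return len(self.sas)


def simulate(soft_lifetime: int, hard_lifetime: int, duration: int,
             delete_lost: bool) -> int:
    """Run the SA lifecycle for `duration` ticks and return the peak table size.

    With delete_lost=False the partner's deletion instruction arrives right
    after every update, so only the active SA stays in the table. With
    delete_lost=True the instruction never arrives and old SAs accumulate
    until their hardware expiration date, i.e. about hard/soft entries.
    """
    db = SADatabase(soft_lifetime, hard_lifetime)
    db.install(0)
    peak = len(db.sas)
    for now in range(1, duration + 1):
        db.purge_hard_expired(now)
        old_spi = db.rekey_if_due(now)
        if old_spi is not None and not delete_lost:
            db.on_delete_notification(old_spi)
        peak = max(peak, len(db.sas))
    return peak


if __name__ == "__main__":
    print("deletes delivered, peak SAs:", simulate(10, 100, 300, delete_lost=False))
    print("deletes lost, peak SAs:     ", simulate(10, 100, 300, delete_lost=True))
    print("deletes lost, 100x hard:    ", simulate(10, 1000, 3000, delete_lost=True))
```

The peak table size with lost deletion instructions grows in proportion to the ratio of the hardware expiration period to the software expiration period, and because the active SA is always the most recently inserted entry, a linear search for it examines every stale entry first; both effects are the memory and search-load problems the passage describes.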