To protect communication data against fraudulent activities such as eavesdropping and falsification on networks such as the Internet, countermeasures that perform encryption processing on the communication data to be transmitted are taken. One known example of such encryption processing is a technology called IPsec (Security Architecture for Internet Protocol). In IPsec, SAs (security associations, e.g., IKE_SA and CHILD_SA) are established using IKE (the Internet Key Exchange protocol) between communication apparatuses (nodes) that perform communication. After the SAs are established, encryption processing and decryption processing of communication data are performed by referring to a SAD (SA database), which is a database that manages the SAs.
In recent years, as the capacities and speeds of networks have increased, a configuration has been proposed in which one communication apparatus accommodates multiple IP addresses and employs multihoming using those IP addresses in order to realize load distribution and path redundancy. That is, in the proposed configuration, communication paths are set for the respective IP addresses accommodated in one communication apparatus (in other words, multiple sets (flows) of IP addresses for communication are prepared), and the communication paths are used simultaneously to realize multihoming. For example, radio communication systems (such as an LTE (Long Term Evolution) based radio communication system) that include radio base stations called eNodeB and high-order stations, such as an S-GW (serving gateway) and an MME (mobility management entity), are intended to use the aforementioned multihoming for communication between one radio base station and the high-order station or between one radio base station and another radio base station adjacent to it.
IPsec specifies that, when multiple IP addresses are accommodated in one communication apparatus, SAs are to be established as follows. As a first establishment method, a technology for establishing SAs for the respective communication paths constituted by the multiple IP addresses (i.e., SAs for the respective IP addresses) is known, as defined in RFC (Request for Comments) 4306. That is, a technology for establishing multiple SAs is known. As a second establishment method, a technology is known, as defined in RFC 4555, in which an SA is established for one arbitrary communication path (i.e., one arbitrary IP address) and the established SA is switched when encryption processing for another communication path is performed.
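The two establishment methods can be contrasted with a simplified model of the SAD. This is an added example, not taken from the document or from either RFC; the class and function names, the addresses, and the SPI values are constructed for illustration, and the IKE exchange itself is not modeled.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class SA:
    spi: int
    local: str  # endpoint address on this apparatus
    peer: str   # endpoint address on the opposite apparatus

class SAD:
    """Toy SA database: outbound lookup keyed by the path's address pair."""
    def __init__(self):
        self._sas = []
        self._spi = count(0x1000)  # constructed SPI values

    def establish(self, local, peer):
        sa = SA(next(self._spi), local, peer)
        self._sas.append(sa)
        return sa

    def lookup(self, local, peer):
        for sa in self._sas:
            if (sa.local, sa.peer) == (local, peer):
                return sa
        return None  # no SA covers this path: traffic cannot be protected

    def __len__(self):
        return len(self._sas)

# Constructed paths using documentation addresses (RFC 5737).
PATHS = [("192.0.2.1", "198.51.100.1"), ("192.0.2.2", "198.51.100.2")]

def per_path_sas(paths):
    """First method: one SA per communication path, all usable at once."""
    sad = SAD()
    for local, peer in paths:
        sad.establish(local, peer)
    return sad

def single_sa_with_switch(paths):
    """Second method: one SA, switched to another path before that path is used."""
    sad = SAD()
    sa = sad.establish(*paths[0])

    def switch(local, peer):
        sa.local, sa.peer = local, peer  # same SA and SPI, new addresses
        return sa

    return sad, switch
```

In the model, the first method keeps every path covered at the cost of one SAD entry per path, while the second keeps a single entry but leaves every path other than the current one without an SA until a switch is performed.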
In terms of path redundancy, a configuration that uses multiple communication apparatuses, each having a single IP address, can also be conceived. In this configuration, for example, a communication apparatus in a master state (or a communication apparatus in a normal system) and a communication apparatus in a backup state (or a communication apparatus in a standby system) are appropriately switched to realize path redundancy. A technology in which an SA used for encryption processing is pre-transferred to the communication apparatus in the master state while the communication apparatus in the master state performs communication involving encryption processing has also been proposed to eliminate the need for information exchange during switching from the communication apparatus in the master state to the communication apparatus in the backup state. In addition, a configuration in which, when one communication apparatus accommodates multiple communication paths, one of the communication paths is specified as an active line and one virtual address is assigned to the active line has also been proposed to realize path redundancy.
Examples of related art include Japanese Unexamined Patent Application Publication Nos. 2004-328563, 2004-350025, and 2008-219679.
Examples of the related art further include RFC 4306, Internet Key Exchange (IKEv2) Protocol and RFC 4555, MOBIKE Protocol.