1. Field of the Invention
The present invention relates to a method of processing fragmented packets in packet transfer equipment that transmits and receives packet data through a network, and to packet transfer equipment using the method.
2. Description of the Related Art
Packet transfer equipment for transmitting and receiving packet data between terminals through a network is conceptually illustrated in the network shown in FIG. 1. In FIG. 1, the packet transfer equipment is shown as a node A and a node B. The node A provides encryption and encapsulation functions (S1) for the data transmitted from a plurality of terminals TE1-TEn, a server SA, or Internet INT accommodated therein. The encapsulated data is then transferred to the node B through an IP tunnel 100.
In the above configured system, when the data transmitted from the terminals TE1-TEn, the server SA or the Internet INT accommodated in the node A is encrypted and encapsulated (S1), a predetermined header is added (I). This may cause the packet length to exceed the maximum transfer byte length (or maximum transmission unit; MTU) specified by the network. In such a case, the node A on the transmission side has a function of fragmenting the packet into a plurality of packets, so that the length of each encapsulated packet falls within the MTU value (S2).
Thus, the encrypted data (I) is fragmented (II), and each fragmented packet is forwarded to IP tunnel 100.
Meanwhile, in the node B disposed on the receiving side of IP tunnel 100, the fragmented packets of the encrypted data are reassembled (S3), and thereby encrypted data identical to the encrypted data (I) generated in the node A is obtained (III).
Subsequently, the node B decrypts the encrypted data, and performs decapsulation so as to exclude the outer header (S4). Thus, the pre-encrypted data is obtained (IV).
In FIGS. 2A-3B, examples of fragment formats of the IP packet are shown (FIGS. 2A, 2B show cases of an IPv6 packet, and FIGS. 3A, 3B show cases of an IPv4 packet). In these figures, FIGS. 2A, 3A show cases of fragmentation into two packets, while FIGS. 2B, 3B show cases of fragmentation into three packets.
For example, in FIG. 2A, when fragmenting into two packets, the encapsulated data having an IPv6 header is divided into data 1 of length L1 and data 2 of length L2. A modified IPv6 header and a fragment header are added to each. Thus, the original packet is divided into fragmented packets.
In the IPv6 fragment format shown in FIGS. 2A, 2B, each modified IPv6 header includes a payload length and a modified next header (NH) value, and the fragment header is added after it. Whether or not the fragment header exists can be known from the next header (NH) value in the modified IPv6 header. Thus, using this NH, it is determined whether or not the received packet is a packet that has been segmented (fragmented).
Further, the fragment header includes a fragment offset value, a continuation flag, and an identifier. Moreover, the modified IPv6 header includes a source address. Using this source address and the identifier in the fragment header, the original encrypted data packet before segmentation can be identified. Also, using the fragment offset value in each fragment header and the fragment continuation flag (1 or 0), the location of each divided fragment's data can be identified.
Using hardware, it is relatively easy to perform the fragment processing (S2) at high speed in the transmission node A according to the fragment formats shown in FIGS. 2A-3B, because the processing can be performed serially packet by packet.
In contrast, the reassembly processing (S3) in the reception node B must monitor the reception of all of the fragmented packets before reassembling them. This reception processing becomes complicated, because the fragmented packets may arrive out of sequence (sequence inversion) in the network, or fragments of a plurality of packets may be received from the network concurrently in a multiplexed form.
FIG. 4 shows a diagram illustrating an exemplary procedure of the reassembly processing (S3) for the fragmented packets. FIG. 5 shows an exemplary configuration of packet transfer equipment on the reception side to which the conventional reassembly processing (S3) is applied. Further, FIG. 6 shows a diagram explaining the reassembly processing shown in FIGS. 4 and 5.
In FIG. 4, a fragment decision search section 1 determines whether or not the packet received in a packet receiver 3 is a fragmented packet, by checking whether a fragment header is present in a modified IPv6 header or an IPv4 header (process step P1).
If no fragment header is present, the packet is determined not to be a fragmented packet, and accordingly the packet is forwarded to a packet processor 5 (‘N’ in process step P1). If a fragment header is present (‘Y’ in process step P1), the packet source address (IP_SA) and the fragment identifier ID in the packet header are compared with the entry data registered as object packets for reassembly processing, so as to search and identify from which encrypted packet the fragmented packet was produced (process step P2).
As a result of the above search processing, if no matched data is found among the registered objects for reassembly processing (‘N’ in process step P3), the packet is determined as a new fragmented packet. Accordingly, the source address (IP_SA) and the fragment ID are registered newly as a new entry (process step P4), and the search result indicating a new fragmented packet is reported together with the new entry to a reassembly processor 4 (process step P5).
Meanwhile, if the search results in a match (‘Y’ in process step P3), a search result indicating that packet assembly (reassembly) is in progress is reported (process step P6). Based on this search result, the fragmented packets belonging to an identical packet are identified using the fragment ID, and the packets are assembled in reassembly processor 4 for each reported entry, in order of the offset values (process step P7).
Thus, on completion of the fragment assembly (‘Y’ in process step P8), release of the entry is instructed to fragment decision search section 1 (process step P9).
FIG. 6 shows an example of the conventional reassembly processing in the assembly processing (process step P7) shown in FIG. 4.
Referring to the processing shown in FIG. 6, the entry of the packet having been received in packet receiver 3 is searched in fragment decision search section 1. In reassembly processor 4, an assembly buffer 2 of fixed length is assigned correspondingly to each search entry. Here, the prepared number of assembly buffers 2 is identical to the number of entries concurrently processed.
Based on the packet obtained in fragment decision search section 1 and the search information thereof, the data parts (data 1, data 2 and data 3) are written into each assembly buffer 2 (i.e. buffer memory for assembly) at the address location corresponding to the fragment offset value L in the packet header, while the headers (H1, H2 and H3) are stored in a header storage area 2a of assembly buffer 2.
Here, as shown in FIGS. 2A-3B, the header information in the fragmented packet includes the fragment offset value L, and a flag M indicating whether or not a successive packet exists. The fragment offset value L indicates the start position of the payload data relative to the header of the top packet, in which the fragment offset value ‘0’ represents the top packet. As to the flag M, M=1 indicates that a successive packet exists, while M=0 indicates that the packet of interest is the final packet.
Next, after all of the fragmented packets are received, reassembly processor 4 performs the reassembly processing by successively reading out the packet data from assembly buffer 2 corresponding to the entry. Processing including substitution of the header is also performed in this reassembly processor 4. Then, the packet is forwarded to packet processor 5, and further transmitted from a packet transmitter 6.
As such, the processing performed in reassembly processor 4 shown in FIG. 6 can be performed at high speed using hardware.
FIG. 7 shows another configuration example of the packet transfer equipment on the reception side, to which the reassembly processing (S3) is applied. FIG. 8 shows an explanation diagram illustrating the reassembly processing shown in FIG. 7.
In the exemplary configuration shown in FIG. 7, when fragment decision search section 1 decides the received packet is a fragmented packet, software processing in a software processor 8 performs the reassembly processing. In FIG. 7, the fragmented packet decided in fragment decision search section 1 is transferred to software processor 8 through an interface 7. The search and assembly processing by software is performed in software processor 8, and after reassembly, the packet is transferred again to packet processor 5 through interface 7.
As shown in FIG. 8, in software processor 8, packets are stored entry by entry in order of reception, in assembly buffers 2 connected by a chain. However, since the stored fragmented packets are not always received in order of fragmentation, after all of the fragmented packets are received, the fragment sequence is determined using the continuation information M and the fragment offset value L stored in each fragment header. Then, by rearranging the sequence (i.e. by reading out the fragments in order of fragmentation), reassembly processing is performed.
This method requires a substantial time for packet sequence decision processing. However, since assembly buffer 2 can be used efficiently, the method is effective, as a method using software and firmware, in equipment that does not need fast processing.
Also, as a technique related to the above, an invention related to packet processing has been disclosed in the official gazette of the Japanese Unexamined Patent Publication No. 2001-223704. In this disclosure, based on an ATM cell received from an extended line, packets are stored in an assembly memory. The packets are read out from the memory, and a packet of which address is resolvable is processed by hardware, while a packet of which address is not resolvable is processed by software.
Now, in packet transfer equipment provided in a system in which encrypted packets are transferred at high speed on the order of Gigabits/sec through IP tunnel 100 as shown in FIG. 1, when a fragmented packet is received, the reassembled packet must be transferred to a decryption section at high speed.
High-speed processing may be achieved if the reassembly processing is performed by hardware, as in the conventional example shown in FIGS. 4 to 6. However, it is not possible to determine the packet length before fragmentation until the reception of all of the fragmented packets is completed. If a buffer of a certain length is prepared in advance, the reassembly cannot be performed when the packet length after reassembly exceeds the prepared buffer length.
In contrast, when reassembly processing is performed for the fragmented packets using software processor 8, as illustrated in the conventional example shown in FIGS. 7 and 8, a problem is that the processing cannot keep up with packet reception when fragmented packets are received consecutively.
Further, when the fragmented packets are to be reassembled in the former processing shown in FIGS. 4 to 6 as described above, an area having the maximum packet length after reassembly must be secured for the packet assembly. Since the upper limit of the packet length flowing on the network may be 64K Bytes, in order to ensure processing for every fragmented packet, a buffer memory amounting to 64K Bytes×(concurrent processing number) is necessary. This is very disadvantageous in view of both memory cost and mounting space.
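The fixed-buffer reassembly of FIGS. 4 to 6 (process steps P2 to P9) and its buffer-length limit, as an added example that is not part of the original document. BUF_LEN, MAX_ENTRIES, the return codes and the byte-granular offsets are assumptions made for illustration; a fragment that would fall outside the assembly buffer is rejected instead of written.

```c
#include <stdint.h>
#include <string.h>
#define BUF_LEN     64   /* assumed fixed assembly-buffer length, bytes */
#define MAX_ENTRIES 4    /* assumed number of concurrently processed entries */
enum { FR_PENDING, FR_DONE, FR_TOO_LONG, FR_NO_ENTRY };
struct entry {
    int      used;
    uint32_t sa, id;         /* search key: IP_SA and fragment ID */
    int      total;          /* length, known once the M=0 fragment arrives */
    uint8_t  buf[BUF_LEN];   /* assembly buffer 2 */
    uint8_t  seen[BUF_LEN];  /* marks the bytes already written */
};
static struct entry table[MAX_ENTRIES];  /* memory = entry size x entries */

/* P2-P4: search for (sa, id); register a new entry if none matches. */
static struct entry *lookup(uint32_t sa, uint32_t id) {
    struct entry *slot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].used && table[i].sa == sa && table[i].id == id)
            return &table[i];
        if (!table[i].used && !slot) slot = &table[i];
    }
    if (slot) {
        memset(slot, 0, sizeof *slot);
        slot->used = 1; slot->sa = sa; slot->id = id; slot->total = -1;
    }
    return slot;
}

/* P7-P9: write one fragment at byte offset off; m is the continuation flag M. */
int add_fragment(uint32_t sa, uint32_t id, int off, int m,
                 const uint8_t *data, int len, uint8_t *out, int *out_len) {
    struct entry *e = lookup(sa, id);
    if (!e) return FR_NO_ENTRY;              /* all entries are in use */
    if (off < 0 || len < 0 || off > BUF_LEN - len) {
        e->used = 0;                         /* would overrun the buffer */
        return FR_TOO_LONG;
    }
    memcpy(e->buf + off, data, (size_t)len);
    memset(e->seen + off, 1, (size_t)len);
    if (!m) e->total = off + len;            /* final fragment fixes the length */
    if (e->total < 0) return FR_PENDING;
    for (int i = 0; i < e->total; i++)
        if (!e->seen[i]) return FR_PENDING;  /* a gap is still outstanding */
    memcpy(out, e->buf, (size_t)e->total);
    *out_len = e->total;
    e->used = 0;                             /* P9: release the entry */
    return FR_DONE;
}
```

The packet length is only known when the M=0 fragment arrives, so the bounds check against the prepared buffer has to be made on every fragment, which is the limitation the text describes for this scheme.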