In recent years, there has been an increase in cases in which home information appliance devices (hereinafter referred to as terminals), such as game consoles and AV equipment, are added to PCs in a home so as to form a home LAN (Local Area Network, hereinafter referred to as LAN). Furthermore, various services have been provided for performing remote control by connecting to those terminals from outside the home via a transit network such as the Internet, for sharing information such as pictures or movies between homes via a connection between them, or for enjoying real-time games.
In those services, to prevent leakage of information and unauthorized access, it is important to ensure that communication takes place only between preauthorized terminals. To ensure this, as shown in FIG. 2, it is necessary to provide tunneling parts 41 and 42 in the respective terminals for configuring a communication tunnel and to connect the end terminals via the communication tunnel. In general home LAN environments, however, terminals 30 and 31 themselves cannot be provided with a tunneling part or the like to configure a communication tunnel for interconnection with another terminal 36. Furthermore, virtualization technology for LANs, such as VLAN, cannot be used in general environments. Therefore, as shown in FIG. 1, in most cases a method is used in which a dedicated device separate from the terminals uses a tunneling means or the like to interconnect the entire LAN.
In FIG. 1, a terminal 30 and a terminal 31 are connected to a LAN 11, which is connected to a transit network 10 such as the Internet via a frame processing apparatus 20. The frame processing apparatus 20 has a tunneling part 41 for configuring a communication tunnel. A terminal 36 has a tunneling part 42. A communication tunnel is configured in the transit network 10 between the tunneling part 41 and the tunneling part 42. Thus, the terminal 36, which is connected to the transit network 10, can access each of the terminals 30 and 31 in the LAN 11 via the communication tunnel.
With the above arrangement, the external terminals that can access the terminals 30 and 31 connected to the LAN 11 can be limited to the terminal 36, for which the communication tunnel has been configured via the frame processing apparatus 20. Unlike the case shown in FIG. 2, however, the terminals connected to the LAN 11 cannot be grouped such that communication is allowed between the terminal 36 and the terminal 30 but not between the terminal 36 and the terminal 31. This is because, when the destination address of an Ethernet frame transmitted from the terminal 36 is a broadcast address or a multicast address, the frame processing apparatus 20 needs to send the frame to the LAN 11 in order to deliver it to the terminal 30, so that the frame is inevitably also received by the terminal 31, which is not the authorized terminal 30.
Technology for transmitting data only to authorized terminals is disclosed in Japanese laid-open patent publication No. 2004-312564 (Reference 1) and Japanese laid-open patent publication No. 2004-363897 (Reference 2). This technology converts an IP packet transmitted by IP multicast into a unicast IP packet and transmits the converted packet. When this technology is applied to the frame processing apparatus 20, the destination multicast address of the IP packet is converted to the unicast address of the terminal 30, and the converted packet is then sent. This method is effective only for IP multicast packets. However, few home information appliances are based on the use of IP multicast, so the fields of application are limited. Moreover, in home information appliances that are based on the use of IP multicast, an IP packet that would normally be delivered with a multicast address is instead delivered with a unicast address, so the address-converted packets may not be able to be processed.
Furthermore, other prior art technology for transmitting data only to authorized terminals is disclosed in Japanese laid-open patent publication No. 2003-298602 (Reference 3). In this other prior art technology, a table holds the correlation between multicast MAC addresses and unicast MAC addresses. If a received MAC frame is a multicast frame, the table is searched using the multicast MAC address as a key, the received MAC frame is converted into a MAC frame having the corresponding unicast address, and the converted MAC frame is transmitted. When this technology is applied to the frame processing apparatus 20, the destination multicast address of the MAC frame is converted into the unicast address of the terminal 30, and the converted MAC frame is then sent. However, because the unicast MAC address is uniquely determined by the multicast MAC address, if a plurality of external terminals 36 are connected to the frame processing apparatus 20 via the transit network 10, multicast frames sent from all of the external terminals are converted into unicast frames in the same way. Therefore, specific terminals cannot be grouped such that only multicast MAC frames from a specific external terminal are transmitted to a specific terminal 30 by unicast.
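The limitation of the Reference 3 approach can be reproduced on raw Ethernet headers. The following is an added example, not code from the cited publications: it implements a conversion table keyed only by the multicast MAC address and shows that frames from two different external terminals are rewritten to the same LAN terminal. All MAC addresses, the table contents and the function names are constructed for illustration.

```python
import struct

ETH_HEADER = struct.Struct("!6s6sH")  # destination MAC, source MAC, EtherType

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

# Constructed addresses, for illustration only.
TERMINAL_30 = mac("02:00:00:00:00:30")  # authorized terminal on the LAN
EXTERNAL_A = mac("02:00:00:00:0a:36")   # the preauthorized external terminal
EXTERNAL_B = mac("02:00:00:00:0b:36")   # a second external terminal
GROUP = mac("01:00:5e:01:02:03")        # a multicast MAC address

# Reference 3 style table: the multicast MAC address is the only key.
CONVERSION_TABLE = {GROUP: TERMINAL_30}

def is_group_address(dst):
    """The I/G bit (lowest bit of the first octet) marks multicast and broadcast."""
    return bool(dst[0] & 0x01)

def build_frame(dst, src, payload, ethertype=0x0800):
    """Assemble a minimal Ethernet frame (no FCS)."""
    return ETH_HEADER.pack(dst, src, ethertype) + payload

def convert_frame(frame, table=CONVERSION_TABLE):
    """Rewrite a multicast destination to the unicast address held in the table.

    Unicast frames and group frames without a table entry pass through unchanged.
    The source address is parsed but never consulted: that is the limitation.
    """
    if len(frame) < ETH_HEADER.size:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = ETH_HEADER.unpack_from(frame)
    if not is_group_address(dst) or dst not in table:
        return frame
    return ETH_HEADER.pack(table[dst], src, ethertype) + frame[ETH_HEADER.size:]

if __name__ == "__main__":
    for name, src in (("external A", EXTERNAL_A), ("external B", EXTERNAL_B)):
        out = convert_frame(build_frame(GROUP, src, b"payload"))
        print(name, "->", out[:6].hex(":"))
```

Both frames leave the converter addressed to terminal 30, because the lookup has no way to distinguish which external terminal sent them.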