Network address filtering is a general technique for restricting, at the node level, communication attempts from a node used by a malicious user. The technique is intended to block packets having a particular network address by means of a protocol stack or a higher-layer application program. The targeted network addresses are mainly Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses. A user can explicitly select a target communication partner by registering, in the user's device, the network address of a node with which communication is to be permitted or restricted. Other methods include registering a range of addresses with which communication is to be permitted or restricted, or registering a designated subnet or prefix (see Japanese Patent Application Laid-Open (KOKAI) No. 2006-093910).
However, if the network address of the node changes, the registered filtering-target address must also be changed. This increases the workload of users and device administrators. Among IPv6 addresses, there is a type whose address value changes within a short period of time. An IPv6 anonymous address, defined by RFC 3041, has the characteristic that an IPv6 address is generated automatically and, after a predetermined time period elapses, another IPv6 address is generated automatically and the previous IPv6 address is no longer used. In other words, if the filtering-target node has an IPv6 anonymous address, the registered content of the filtering target must constantly be updated, hampering the user's convenience. To generate an IPv6 anonymous address, a router first distributes prefix information to a node on a network. The node that has received the prefix information generates its own IPv6 address by combining the prefix information with a randomly formed interface identifier. Further, the prefix information distributed by the router has lifetime information. The node starts timing from the address generation, and when the lifetime elapses, the use of the IPv6 address is disabled. In this case, the node again generates an IPv6 address from the prefix information and a randomly formed interface identifier. In general, the lifetime is often from a few hours to a few days. Therefore, the IPv6 address of the node also changes within a few hours to a few days. Even if the IPv6 address is registered in the IPv6 address filter, frequent setting changes are needed.
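The following added example (not part of the original document) simulates the situation described above: a node regenerates its address from the router prefix plus a random interface identifier each time the lifetime elapses, so a filter entry for one registered address stops matching, while a registered prefix keeps matching but also covers unrelated nodes on the same subnet. The prefix `2001:db8:1:2::/64`, the `AddressFilter` class and the seeded generator are assumptions made for illustration; the identifier algorithm of RFC 3041 is replaced here by a plain random draw.

```python
import ipaddress
import random

PREFIX = ipaddress.ip_network("2001:db8:1:2::/64")  # constructed (documentation range)

def generate_address(prefix, rng):
    """Combine the router-distributed prefix with a random 64-bit interface identifier."""
    iid = rng.getrandbits(64)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)

class AddressFilter:
    """Hypothetical block list holding single addresses and whole prefixes."""
    def __init__(self):
        self.hosts, self.networks = set(), []

    def block(self, entry):
        net = ipaddress.ip_network(entry)
        if net.prefixlen == net.max_prefixlen:   # single address (/128 or /32)
            self.hosts.add(net.network_address)
        else:                                    # subnet or prefix
            self.networks.append(net)

    def is_blocked(self, addr):
        addr = ipaddress.ip_address(addr)
        return addr in self.hosts or any(addr in n for n in self.networks)

def simulate(lifetimes=3, seed=1):
    rng = random.Random(seed)                  # seeded only so the run is reproducible
    target = generate_address(PREFIX, rng)     # node the administrator wants to filter
    neighbour = generate_address(PREFIX, rng)  # unrelated node on the same subnet
    host_rule, prefix_rule = AddressFilter(), AddressFilter()
    host_rule.block(str(target))               # registered once, never updated
    prefix_rule.block(str(PREFIX))
    host_hits, prefix_hits = [], []
    for _ in range(lifetimes):
        host_hits.append(host_rule.is_blocked(target))
        prefix_hits.append(prefix_rule.is_blocked(target))
        target = generate_address(PREFIX, rng)  # lifetime elapsed: new address
    return host_hits, prefix_hits, prefix_rule.is_blocked(neighbour)

if __name__ == "__main__":
    print(simulate())
```
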
In IPv4, a similar problem also occurs when using, e.g., the Dynamic Host Configuration Protocol (DHCP). In this case, a DHCP server distributes an IPv4 address. However, depending on the DHCP server setting, the distributed IPv4 address varies each time, and as a result the IPv4 address value of the node may change within a short period.
In such an environment where a network address changes, MAC address filtering may be used as an alternative means. MAC address filtering is a technique of filtering on the Media Access Control (MAC) address of a device. The MAC address is a device-unique address and is never changed. Therefore, once the address is set, filtering can be performed permanently unless the device is replaced. However, the MAC address information in a network frame is the address of the device that transmitted the frame. Therefore, when communication is performed through a router, the MAC address in the frame is the address of the router, and the MAC address of the node that originally transmitted the frame is not included. In other words, in a network environment having a router, MAC address filtering cannot be used as an alternative means, and a fundamental solution to the problem has not yet been provided.