The present invention relates to a subscriber line accommodation apparatus which is used to send a packet to a communication terminal connected to a subscriber line terminated by a subscriber line termination unit and a packet filtering method used in sending a packet.
There is widely employed a service form in which DHCP (Dynamic Host Configuration Protocol) is used by each user terminal to connect to a communication network such as the Internet through a transmission line such as a telephone line or an optical cable. The DHCP indicates a protocol to dynamically assign a reusable IP (Internet Protocol) address.
In a communication network using DHCP, however, a third party can interfere with the communication of another person, or impersonate another person, by using a false IP (Internet Protocol) address or MAC (Media Access Control) address.
For example, when the bridge forwarder of a subscriber line termination unit included in a communication network using DHCP receives packets to be subjected to flooding, the packets are transmitted to all nodes present on the same network. For this reason, unnecessary packets are transmitted even to a user terminal which is not the intended communication target, and the traffic increases.
Additionally, in the communication network using DHCP, an IP address is dynamically assigned to each user terminal. Hence, it is impossible to exclude unnecessary packets by registering a static filter in advance.
A subscriber line accommodation apparatus has been proposed in which all MAC addresses of the user terminals connected to the accommodated lines are registered. When a communication terminal whose MAC address differs from the registered ones attempts to access the network, the access is rejected, thereby increasing the security level (e.g., reference 1 (Japanese Patent Laid-Open No. 2002-204246)).
In the first proposal, a third party can still interfere with the communication of another person, or impersonate another person, by using a false IP address.
To solve this problem, a subscriber line accommodation apparatus capable of rejecting an access request from a third party for a communication network by using an IP packet has been proposed (see, for example, reference 2 (Cisco-Cable Source-Verify and IP Address Security (http://www.cisco.com/warp/public/109/source_verify.html))).
In the second proposal, when an IP packet arrives at a DHCP server to request acquisition of an IP address, an IP address is issued in response to the request. In addition, a set consisting of the issued IP address, the identification number of the subscriber line for which IP address acquisition is requested, and the MAC address of the communication terminal which has issued the request is registered in a filter condition registration means. When a packet arrives, the set of the IP address, identification number and MAC address of the packet transmission source is compared with the set of the IP address, identification number and MAC address registered in the filter condition registration means. Only when the two sets coincide is packet communication permitted. Communication is not permitted for a packet in which the address information, such as the IP address of the transmission source, coincides but the identification number of the subscriber line does not. Hence, illicit access can effectively be prevented.
However, the second proposal only regulates packet input by using an input filter and cannot regulate output of unnecessary data. Hence, packets sent to a communication terminal connected to a subscriber line cannot be filtered efficiently.
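The following is an added illustration, written for this page and not taken from the patent or from the cited Cisco document, of the binding filter the second proposal describes (a registered set of IP address, subscriber line identification number and MAC address, checked against each arriving packet) together with a hypothetical output-direction check that shows the gap the text points out: with only the binding table, the apparatus can also decide which single subscriber line a packet destined for a registered terminal should be delivered to, instead of flooding every line. All class and function names, and the sample bindings and packets, are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One registered set: issued IP, subscriber line id, requesting MAC."""
    ip: str
    line_id: int   # identification number of the subscriber line
    mac: str


class BindingFilter:
    """Hypothetical 'filter condition registration means' (name is an assumption).

    Bindings are registered when the DHCP server issues an address and are
    consulted both for packets coming in from a subscriber line (input filter,
    as in the second proposal) and for packets going out towards a subscriber
    line (output filter, illustrating the direction the text says is missing).
    """

    def __init__(self) -> None:
        self._by_ip: dict[str, Binding] = {}

    def register(self, ip: str, line_id: int, mac: str) -> None:
        # Called when an IP address is issued in response to a DHCP request.
        self._by_ip[ip] = Binding(ip, line_id, mac)

    def release(self, ip: str) -> None:
        # Called when the lease ends so the binding cannot be reused by a stranger.
        self._by_ip.pop(ip, None)

    def permit_ingress(self, src_ip: str, line_id: int, src_mac: str) -> bool:
        # Input filter: the whole triple must match the registered set.
        # A packet whose source IP matches but which arrives on a different
        # subscriber line (or carries a different MAC) is rejected.
        b = self._by_ip.get(src_ip)
        return b is not None and b.line_id == line_id and b.mac == src_mac

    def egress_lines(self, dst_ip: str, dst_mac: str, all_lines: list[int]) -> list[int]:
        # Output filter (assumption, not part of the second proposal): deliver a
        # packet for a registered terminal only on that terminal's own line.
        # Destinations with no binding fall back to ordinary flooding here.
        b = self._by_ip.get(dst_ip)
        if b is not None and b.mac == dst_mac:
            return [b.line_id]
        return list(all_lines)


def demo() -> dict[str, object]:
    """Run constructed sample traffic through the filter and return the verdicts."""
    f = BindingFilter()
    # Constructed sample binding: line 3 was issued 10.0.0.5 for MAC ...:01.
    f.register("10.0.0.5", 3, "aa:bb:cc:00:00:01")
    lines = [1, 2, 3, 4]
    return {
        "genuine": f.permit_ingress("10.0.0.5", 3, "aa:bb:cc:00:00:01"),
        "same_ip_wrong_line": f.permit_ingress("10.0.0.5", 7, "aa:bb:cc:00:00:01"),
        "same_ip_wrong_mac": f.permit_ingress("10.0.0.5", 3, "aa:bb:cc:00:00:02"),
        "unregistered_ip": f.permit_ingress("10.0.0.9", 3, "aa:bb:cc:00:00:01"),
        "egress_known": f.egress_lines("10.0.0.5", "aa:bb:cc:00:00:01", lines),
        "egress_unknown": f.egress_lines("10.0.0.8", "aa:bb:cc:00:00:09", lines),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The input check rejects the case the second proposal singles out (correct source IP, wrong subscriber line), and the output check shows that the same binding table is enough to avoid delivering a unicast packet on every line; the flooding fallback for unknown destinations is a design choice of this example, not something the page prescribes.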