1. Field of the Invention
The present invention relates in general to a packet transfer method, and to a base station using it, for wireless or wired packet communication. More particularly, the present invention relates to a packet transfer method for connection-less data communication in a network composed of a packet network and a plurality of local area networks (LANs) forming a virtual LAN (VLAN), and to a base station for use in such a method. The present invention is based on Japanese Patent Application Hei 9-228966, the content of which is incorporated herein by reference.
2. Description of the Related Art
The Internet uses the Internet Protocol (IP) as its packet transfer method, and each terminal has an IP address. An IP address is a 32-bit address in which the upper bits form the network address that identifies the data network, and the remaining lower bits form the host address that identifies the terminal connected to that data network.
A connected terminal transmits to the IP network a packet consisting of data and an attachment (header) containing the destination address and the source address, and the IP network transfers the packet to the data network indicated by the network address part of the destination address. If the packet is a unicast packet, the data network delivers it to the single terminal specified by the host address part of the destination address. If the packet is a broadcast packet, the data network delivers it to all terminals connected to the data network (RFC 791, Internet Protocol).
However, this packet transfer method delivers the packet to the data network without confirming the identity of the source terminal, so an unknown terminal can access the data network inappropriately. Moreover, even when the source terminal is an authorized terminal, the destination address is not regulated, so the source terminal cannot be prevented from accessing other data networks to which it does not belong and which it is not approved to access.
To resolve these difficulties, a packet transfer method has been proposed that checks the addresses of both the receiver and the sender at the time of packet transfer.
In this address checking method, pairs of transfer-allowed destination addresses and source addresses are registered in advance in a permission table in the packet transfer device. The packet transfer device checks the destination address and the source address of each packet to be transferred: if the pair is registered in the permission table the packet is transmitted, and if it is not registered the packet is discarded (Takahiro Ishizaka, "Network Security Device", Japanese Patent Application, First Publication, Hei 2-302139).
With this method the source address is checked and only terminals whose addresses are permitted can have their packets transferred, so inappropriate access to the data network is prevented. However, the method cannot prevent fraudulent access using a counterfeit source address: the device only compares the addresses written in the packet against the table, and has no way to confirm that the packet actually originated from the terminal named as its source.
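The following is an added example, not code from the patent or from the cited application, that models the two mechanisms described above: the network/host split of an IPv4 address with unicast versus broadcast delivery, and the permission-table filter keyed on (source, destination) pairs. The data network 10.2.0.0/16, the terminal addresses, the permission table and the `arrived_from` field (ground truth the filter never sees) are all constructed for the example; `spoofing_demo` shows why a forged source address passes the check.

```python
"""
Toy model of the RFC 791 address split and the permission-table
packet filter described above.  Added example; the network, terminals,
permission table and packets are constructed for illustration.
Packets are dicts, addresses are dotted-quad strings.
"""
import ipaddress

# Constructed data network and the terminals connected to it.
DATA_NETWORK = ipaddress.ip_network("10.2.0.0/16")
TERMINALS = {"10.2.0.7", "10.2.0.8", "10.2.1.1"}

# Constructed permission table: (source, destination) pairs the packet
# transfer device may transfer.  10.1.0.5 is the one authorised remote
# terminal; it may reach one host and the broadcast address of the
# data network.
PERMISSION_TABLE = {
    ("10.1.0.5", "10.2.0.7"),
    ("10.1.0.5", "10.2.255.255"),
}


def split_address(addr: str, network: ipaddress.IPv4Network) -> tuple:
    """Split a 32-bit IPv4 address into (network part, host part) using
    the network's mask: the upper/lower bit split described in the text."""
    value = int(ipaddress.ip_address(addr))
    host_mask = int(network.hostmask)
    return value & ~host_mask & 0xFFFFFFFF, value & host_mask


def filter_packet(packet: dict, table=PERMISSION_TABLE) -> bool:
    """Permission-table check: transfer only if the (source, destination)
    pair is registered.  The device looks at the addresses written in
    the packet only; it has no independent evidence of who sent it."""
    return (packet["src"], packet["dst"]) in table


def deliver(packet: dict, network=DATA_NETWORK, terminals=TERMINALS) -> list:
    """Model the data network's last hop: a unicast packet goes to the one
    terminal named by the host address, a broadcast packet (all host bits
    set) goes to every terminal.  Returns the list of recipients."""
    dst = ipaddress.ip_address(packet["dst"])
    if dst not in network:
        return []                          # not this data network
    if dst == network.broadcast_address:
        return sorted(terminals)
    return [packet["dst"]] if packet["dst"] in terminals else []


def transfer(packet: dict) -> list:
    """Packet transfer device (permission check) followed by the data network."""
    return deliver(packet) if filter_packet(packet) else []


def spoofing_demo() -> dict:
    """Limitation of the method: an attacker at 10.9.9.9 is blocked when it
    uses its own address, but passes when it writes the authorised source
    address into the packet.  'arrived_from' is constructed ground truth
    that the filter never consults."""
    honest = {"src": "10.1.0.5", "dst": "10.2.0.7", "arrived_from": "10.1.0.5"}
    stranger = {"src": "10.9.9.9", "dst": "10.2.0.7", "arrived_from": "10.9.9.9"}
    spoofed = {"src": "10.1.0.5", "dst": "10.2.0.7", "arrived_from": "10.9.9.9"}
    return {
        "honest": filter_packet(honest),
        "stranger": filter_packet(stranger),
        "spoofed": filter_packet(spoofed),
    }


if __name__ == "__main__":
    print(transfer({"src": "10.1.0.5", "dst": "10.2.255.255"}))
    print(spoofing_demo())
```

The `spoofed` packet is byte-for-byte identical to `honest` as far as the filter can see, which is exactly the weakness the text points out: a table of addresses cannot distinguish a terminal from anyone claiming its address.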
Other proposed packet transfer methods include the forced transmission method. In this method, when a call is placed through a connection-oriented packet network (a packet network, typically using the X.25 protocol, that sets up a connection when communication starts) connected to a plurality of data networks, the packet network forces the call to be routed to a database machine for security checks. The database machine checks the legitimacy of the call; if it is legitimate, the call is transferred to the data network and a connection is established between the data network and the terminal, and if it is illegitimate, the call is terminated (Shouji Oyoshi, "Security checking method in packet exchange network", Japanese Patent Application, First Publication, Hei 5-327773).
However, when this method is applied to a connection-less packet network, which transfers each packet according to the destination address attached to it, every transferred packet must be forced to route through the database machine so that its access legitimacy can be checked. This increases the load on the database machine and increases the packet transmission delay.
Another packet transfer method is the encapsulation technique, which uses a network system such as the Internet (referred to as a relay network) to allow a plurality of unspecified remote terminals to access a data network while preventing illegitimate access to the data network from unauthorized packet terminals. In this method, the data network is connected to the relay network through gateways. When communication starts, the gateway authenticates the identity of the remote terminal, and if the remote terminal is found not to be authorized, its packets are discarded. The remote terminal then transmits to the gateway a sender packet whose destination address and source address are encrypted. This encrypted sender packet is stored in the data section of a packet addressed to the gateway, which carries an attachment containing the address of the gateway connected to the destination data network as its destination and the remote terminal's address as its source, and the resulting capsule is sent over the relay network. This type of packet transfer method is called an encapsulation method. The destination gateway extracts the data section from the received packet and decrypts the encrypted packet. If tampering is detected during decryption, the capsule is discarded; otherwise the decapsulated packet is transferred to the data network. For a packet sent from the data network to the remote terminal, the gateway connected to the source data network encrypts the packet together with its destination address and source address, attaches an outer attachment carrying the remote terminal's address as destination and the gateway's own address as source, and transfers the whole capsule to the remote terminal.
In this method, after the authenticity of the remote terminal is confirmed, an encrypted path for the capsules is established between the gateway and the remote terminal, which prevents fraudulent access to the data network. However, when the remote terminal wishes to send a packet to another remote terminal connected to the relay network, the packet is always sent through the gateway connected to the data network before it reaches the addressed terminal, even though both terminals are on the relay network; an optimal path therefore cannot always be selected, and the packet transmission delay increases. Also, the gateway must encapsulate and decapsulate packets for all terminals belonging to the data networks connected to it, so the processing load on the gateway increases. Furthermore, when the data network or a remote terminal attempts to transmit a broadcast or multicast packet, this method does not allow a broadcast or multicast address to be placed in the destination address of the packet sent over the relay network, since the outer packet must be addressed to a specific gateway or remote terminal. The gateway can therefore only duplicate the packet and unicast a copy to each remote terminal, which causes traffic congestion in the relay network and packet transfer delay in addition to increasing the gateway load.
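The following is an added example, not code from the patent or from any gateway product, that models the encapsulation method and its tamper check described above: the remote terminal encrypts the inner packet (destination, source, data), adds an integrity tag, and places it in the data section of an outer packet addressed to the gateway; the gateway verifies the tag, decrypts, and discards the capsule on tampering. The cipher is a stand-in chosen so the example runs on the Python standard library alone (an HMAC-SHA256 keystream with encrypt-then-MAC); a real deployment would use an authenticated cipher such as AES-GCM. The shared keys, the gateway and terminal addresses and the payload are constructed for the example, and the key agreement that would follow the authentication step is out of scope.

```python
"""
Toy model of the encapsulation method described above.  Added example;
keys, addresses and payload are constructed.  The HMAC-based keystream
is a stand-in for a real authenticated cipher, used only to keep the
example self-contained.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

NONCE_LEN = 8
TAG_LEN = 32

# Constructed keys assumed to be shared by the remote terminal and the
# gateway once the terminal has been authenticated.
ENC_KEY = b"example-encryption-key-0123456789"
MAC_KEY = b"example-mac-key-abcdefghijklmnopq"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream generator."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256)
        out += block.digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _packed(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed


def encapsulate(inner_dst, inner_src, payload, gateway, outer_src, nonce=None) -> dict:
    """Remote terminal side.  The inner packet (dst | src | payload) is
    encrypted and tagged, then carried in the data section of an outer
    packet whose attachment names the gateway as destination."""
    inner = _packed(inner_dst) + _packed(inner_src) + payload
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = _xor(inner, _keystream(ENC_KEY, nonce, len(inner)))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return {"dst": gateway, "src": outer_src, "data": nonce + ct + tag}


def decapsulate(outer: dict):
    """Gateway side.  Verify the tag before decrypting and return the inner
    packet, or None (discard) if the capsule is malformed or tampered with."""
    data = outer["data"]
    if len(data) < NONCE_LEN + 8 + TAG_LEN:      # must at least hold dst + src
        return None
    nonce, ct, tag = data[:NONCE_LEN], data[NONCE_LEN:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    inner = _xor(ct, _keystream(ENC_KEY, nonce, len(ct)))
    return {
        "dst": str(ipaddress.ip_address(inner[:4])),
        "src": str(ipaddress.ip_address(inner[4:8])),
        "data": inner[8:],
    }


def tamper(outer: dict, offset: int) -> dict:
    """An attacker on the relay network flipping one bit of the capsule."""
    data = bytearray(outer["data"])
    data[offset] ^= 0x01
    return {**outer, "data": bytes(data)}


def roundtrip_demo() -> tuple:
    """An honest capsule decapsulates; one with a flipped bit in the
    encrypted inner destination is discarded."""
    capsule = encapsulate("10.2.0.7", "192.0.2.10", b"hello", "203.0.113.1", "192.0.2.10")
    good = decapsulate(capsule)
    bad = decapsulate(tamper(capsule, NONCE_LEN + 3))
    return good, bad


if __name__ == "__main__":
    print(roundtrip_demo())
```

Note that the outer `dst` is always the gateway address even when the inner `dst` is a broadcast address such as 10.2.255.255: the relay network sees only a unicast packet to the gateway, which is the structural reason the gateway must duplicate and unicast broadcast traffic itself.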