1. Field of the Invention
The present invention relates to an integrated information communication system (ICS) in which various information communication appliances, such as personal computers, LANs (Local Area Networks), telephones (including cellular phones and PHSs), FAXs (Facsimiles), CATV (Cable Television) and the Internet, and/or various information communication systems are connected to each other in an integrated manner, not only via dedicated lines but also via ISDN (Integrated Services Digital Network), FR (Frame Relay), ATM (Asynchronous Transfer Mode), IPX (Integrated Packet Exchange), satellite, wireless and public lines. An address (for information communication purposes) is applied to each information communication appliance so that it can be distinguished from other information communication appliances, and the appliance communicates with other information communication appliances using that address. More specifically, the present invention is directed to an integrated information communication system in which data transfer services are integrated by employing a connectionless type network (for instance, the Internet Protocol techniques of RFC 791 and RFC 1883), the economy of information communications as a whole is increased by employing a unified address system, security is ensured, and communications can be established among the connected terminals or systems.
2. Description of the Prior Art
As an integrated information communication system (ICS) to which an encapsulation technique has been applied, Japanese Patent No. 3084681 C2, owned by the Applicants, discloses the ICS described below; its related technical scope is explained as follows:
That is to say, as represented in FIG. 1, the integrated information communication system is mainly subdivided into an internal area and an external area. In the internal area of the integrated information communication system, a large number of relay apparatus are connected to each other via communication lines having an IP packet transfer function, whereas in the peripheral part of the integrated information communication system a plurality of access control apparatus (AC) are provided. Most of the LANs used in enterprises are connected to these access control apparatus via user communication lines. The integrated information communication system may realize three sorts of services, for instance: 1) an “intra-corporation communication” service employing a private IP address as defined by the IETF rule; 2) an “inter-corporation communication” service that does not use a private IP address; and 3) a “virtual dedicated line” service which emulates a condition in which two terminals are virtually and continuously connected to each other by way of an IP communication line.
IP addresses are used separately in the external area and the internal area of the integrated information communication system, and the IP addresses employed in the external area/internal area are called “external/internal addresses”. An IP packet of the external area of the integrated information communication system is referred to as an “external packet”, and an IP packet of the internal area is called an “internal packet”. An external packet sent out from a LAN enters an access control apparatus via a user communication line; the access control apparatus applies to the entered external packet an IP header containing the internal address applied to the logic terminal of that user communication line, so that the external packet is converted into an internal packet (namely, encapsulation, see FIG. 2). The internal packet is then transferred inside the integrated information communication system and reaches another access control apparatus, which removes the IP header from the internal packet (namely, decapsulation). The resultant external packet is then sent out via another user communication line toward a terminal provided inside the LAN of the communication counterparty.
As shown in FIG. 3, the user communication line is subdivided into a user physical communication line 91 and user logic communication lines 92-1 and 92-2. The logic contact (termination of a user logic communication line) between a user logic communication line (92-1, 92-2) and an access control apparatus 90 is referred to as a logic terminal (93-1, 93-2), to which an internal address of the IP network is applied so as to identify the logic terminal. In the example of FIG. 3, the user physical communication line 91 contains the user logic communication lines 92-1 and 92-2; an internal address “U” is applied to the logic terminal 93-1 functioning as the termination, or trailing end (the contact between the access control apparatus 90 and the user logic communication line 92-1), of the user logic communication line 92-1, and an internal address “X” is applied to the logic terminal 93-2 at the termination of the user logic communication line 92-2. Reference numerals 94-1 to 94-3 denote terminals connected to the user logic communication lines 92-1 and 92-2. The subdivision of a physical communication line into a plurality of logic communication lines may be realized by, for instance, the DLCI of a frame relay and/or the VPI/VCI of an ATM network.
The embodiment-15 of the above-described Japanese Patent No. 3084681 C2 discloses the technical method of “non-capsulation of inter-corporation communication”. In other words, the following technical method is disclosed: For the virtual dedicated (exclusively-used) line and the intra-corporation communication, the external packet is encapsulated in the access control apparatus to produce the internal packet, and this internal packet is transferred to the internal area of the integrated information communication system. Thereafter, the internal packet is decapsulated in another access control apparatus so as to recover the external packet, and the external packet is transmitted via the user communication line to the communication counterparty. For the inter-corporation communication, the external packet is directly regarded as the internal packet without being encapsulated, and is transferred to the internal area of the integrated information communication system. Thereafter, the transferred external packet is transmitted from another access control apparatus (provided on the packet-receiving side) via the user communication line to the terminal of the communication counterparty. The above-explained Japanese Patent No. 3084681 C2 also discloses, for example, the following technical method: a domain name server (DNS) is applied to an integrated information communication network having the function of encapsulating an external IP packet so as to convert it into an internal packet, and when a domain name is inquired, the domain name server (DNS) answers with an IP address.
Furthermore, with both the above-explained IP encapsulation technical method and the above-described IP decapsulation technical method employed as a precondition, the embodiment-32 of Japanese Patent No. 3084681 C2 discloses a packet reception priority control technique. That is, the internal packets arriving at the access control apparatus from the internal area of the integrated information communication system are ordered in accordance with the designation of the records of the conversion table employed in the access control apparatus, and are then sent out to the external area of the integrated information communication system. Also, the embodiment-33 of Japanese Patent No. 3084681 C2 discloses a packet transmission priority control technique. That is, the external packets arriving at the access control apparatus from the external area of the integrated information communication system are ordered in accordance with the designation of the records of the conversion table employed in the access control apparatus, and are then sent out to the internal area of the integrated information communication system. The transfer efficiency of the external IP packets and internal IP packets registered in the records of the conversion table is improved by both the above-described packet reception priority control and the above-explained packet transmission priority control.
However, in the above-described conventional integrated information communication system, the servers that operate and manage the integrated information communication system are installed inside the various sorts of networks in the internal area. Each of these servers has its own IP address. Where an address range exists that is not encapsulated, the following high risk arises: an operation management server may be subjected to an attack in which a very large number of IP packets are transmitted to it from the external area of the IP network, or in which secret data of the operation management server is read out without authorization.
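The following Python model is an added illustration, not code from the patent: it models the conversion table of one access control apparatus, the encapsulation and decapsulation of the external packet, the non-capsulation path of embodiment-15, the record-ordered priority control of embodiments 32/33, and a check showing why a non-encapsulated address range lets an external packet be routed to an internal server address. The logic terminal addresses "U" and "X" follow FIG. 3; the field names `mode`, `peer_ac`, `priority`, the peer address "R2" and the server address "M" are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass
class Packet:
    src: str                                 # external source address
    dst: str                                 # external destination address
    payload: str
    outer: Optional[Tuple[str, str]] = None  # (internal src, internal dst) once encapsulated

# Conversion table of one access control apparatus, keyed by the internal address
# applied to each logic terminal ("U", "X" as in FIG. 3). The field names "mode",
# "peer_ac" and "priority" are constructed for this model, not the patent's.
CONV_TABLE = {
    "U": {"mode": "intra", "peer_ac": "R2", "priority": 1},  # intra-corporation: encapsulate
    "X": {"mode": "inter", "peer_ac": None, "priority": 2},  # inter-corporation: not encapsulated
}

def to_internal(pkt: Packet, terminal: str, table=CONV_TABLE) -> Packet:
    """Sending-side AC: an external packet arriving on `terminal` becomes an internal packet."""
    rec = table[terminal]
    if rec["mode"] == "inter":
        return pkt  # non-capsulation: the external packet is regarded as the internal packet
    # Encapsulation: apply an IP header whose source is the logic terminal's internal address
    return Packet(pkt.src, pkt.dst, pkt.payload, outer=(terminal, rec["peer_ac"]))

def to_external(pkt: Packet) -> Packet:
    """Receiving-side AC: remove the internal IP header if one was applied (decapsulation)."""
    return Packet(pkt.src, pkt.dst, pkt.payload) if pkt.outer else pkt

def internal_routing_dst(pkt: Packet) -> str:
    """Address the internal area routes on: the outer header if present, else the external dst."""
    return pkt.outer[1] if pkt.outer else pkt.dst

def reaches_internal_server(pkt: Packet, server_addrs: Iterable[str]) -> bool:
    """Check: would the internal area deliver this packet to an operation-management server?"""
    return internal_routing_dst(pkt) in set(server_addrs)

def order_by_record(packets, terminals, table=CONV_TABLE):
    """Transmission priority control: send out in the order designated by the table records."""
    order = sorted(range(len(packets)), key=lambda i: table[terminals[i]]["priority"])
    return [packets[i] for i in order]

if __name__ == "__main__":
    ext = Packet("192.0.2.10", "M", "query")       # constructed: "M" is an internal server address
    capsuled = to_internal(ext, "U")                # routed on "R2"; the inner dst "M" is hidden
    plain = to_internal(ext, "X")                   # forwarded as-is; dst "M" reaches the server
    print(reaches_internal_server(capsuled, {"M"}), reaches_internal_server(plain, {"M"}))
```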