(1) Field of the Invention
The present invention relates to a packet forwarding apparatus forming an Internet access network. More particularly, the invention relates to a packet forwarding apparatus having a function of selecting one of gateways connected to an Internet transit network and connecting a user terminal to the Internet transit network via the selected gateway.
(2) Description of Related Art
Nowadays, an authentication-based high-speed Internet connection service is provided. In this service, a user terminal connects to an authentication server via a high-speed access line such as an Asymmetric Digital Subscriber Line (ADSL), Fiber To The Home (FTTH), or wireless LAN, and the user terminal is connected to the Internet when authentication succeeds.
In the authentication-based high-speed Internet connection service, each user terminal is connected to a transit network managed by an Internet Service Provider (ISP) via, for example, a gateway node such as a Broadband Access Server (BAS) that terminates the high-speed access network. If the user terminal is a PPPoE terminal using Point-to-Point Protocol over Ethernet (PPPoE) as prescribed in RFC 2516, the BAS terminates PPPoE and PPP, the protocols used to connect with the user terminal, and forwards layer-3 packets to the transit network.
In addition to the above layer-3 Internet connection service, an authentication-based connection service at layer 2 has also been provided in recent years. In the layer-2 authentication-based connection service, user authentication is carried out with the PPP Extensible Authentication Protocol (EAP) prescribed in RFC 2284, carried in IEEE 802.1X. In this case, the transit network consists of Ethernet. In EAP, user authentication is performed by exchanging EAP over LAN (EAPOL) packets between a supplicant, the user terminal that requests authentication, and an authenticator, the gateway node that executes authentication. The authenticator forwards each packet transmitted from an authenticated user terminal to the transit network by layer-2 packet forwarding.
In the layer-2 Internet connection service using IEEE 802.1X, each user terminal (supplicant) sends an IP address request to a Dynamic Host Configuration Protocol (DHCP) server managed by the ISP and receives an assigned IP address, for example, in the EAP forwarding phase that follows completion of the EAP authentication phase. Because IEEE 802.1X fundamentally assumes that each supplicant is connected to an authenticator one-to-one, the authenticator has to be provided with as many connection ports as the supplicants it serves. However, where a plurality of supplicants (user terminals) are connected to the authenticator via an L2SW, the authenticator can communicate with all of them through one connection port if the special multicast MAC address (“01-80-C2-00-00-03”) is used as the destination of each EAPOL packet and the L2SW passes such multicast EAPOL packets to the authenticator. This address lies in the reserved group address range that a standard IEEE 802.1D bridge does not relay, so an ordinary L2SW has to be made to forward it explicitly.
In order to provide an IP telephone service to each user terminal via the transit network, the communication performance of the access network and the transit network has to be raised to a level comparable to that of the existing telephone network. In a network for layer-3 connection using PPPoE, it is possible to adopt an access network with a redundant BAS configuration, in which a plurality of BASs connectable with user terminals are prepared so that service can be restored quickly even if a BAS serving many user terminals fails.
In the network with the redundant BAS configuration, a plurality of BASs reply with response packets called PPPoE Active Discovery Offer (PADO) packets to a PPPoE Active Discovery Initiation (PADI) packet broadcast from a PPPoE terminal. The PPPoE terminal selects one of the BASs that replied with PADO packets and executes the succeeding communication control procedure, starting with transmission of a PPPoE Active Discovery Request (PADR) packet, with the selected BAS.
However, since the selection of a BAS by the PPPoE terminal depends on the reception timing of the PADO packets or on the BAS selection algorithm implemented in the PPPoE terminal, the ISP or telecommunications carrier cannot control load distribution among the BASs. Therefore, the ISP cannot manage the BASs so that, for example, one of two redundant BASs operates as active and the other as standby, or so that PPPoE terminals are connected to the BASs selectively to balance the load on the two.
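The PADI/PADO/PADR exchange and the timing-driven BAS selection described above, as an added example that is not part of the original document: a minimal RFC 2516 discovery-frame builder and parser plus two simulated BASs. The BAS names, MAC addresses, fixed reply delays and AC-Cookie values are made up, and the terminal applies the common "first PADO to arrive wins" rule, so the operator's intent that bas-active carry all sessions has no effect on the outcome.

```python
"""PPPoE discovery (RFC 2516) against two redundant BASs, simulated in memory.

Added illustration, not part of the original document. BAS names, MAC
addresses and reply delays are made up; no network I/O is performed.
"""
import struct

ETH_P_PPPOE_DISC = 0x8863          # PPPoE Discovery stage ethertype
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = (
    0x0000, 0x0101, 0x0102, 0x0103, 0x0104)
BROADCAST = bytes.fromhex("ffffffffffff")


def build_discovery(dst, src, code, tags, session_id=0):
    """Ethernet header + PPPoE header (VER=1, TYPE=1) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload


def parse_discovery(frame):
    """Parse a discovery frame; reject wrong ethertype/version and truncated tags."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE VER/TYPE")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("payload shorter than declared length")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        tag, tag_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tag")
        if tag == TAG_EOL:
            break
        tags[tag] = value
        off += 4 + tag_len
    return {"dst": dst, "src": src, "code": code,
            "session_id": session_id, "tags": tags}


class Bas:
    """A BAS that answers every PADI with a PADO after a fixed (made-up) delay."""

    def __init__(self, mac_hex, ac_name, delay_ms):
        self.mac, self.ac_name, self.delay_ms = bytes.fromhex(mac_hex), ac_name, delay_ms

    def on_padi(self, padi):
        if padi["code"] != PADI:
            return None
        tags = [(TAG_AC_NAME, self.ac_name.encode()),
                (TAG_SERVICE_NAME, padi["tags"].get(TAG_SERVICE_NAME, b"")),
                (TAG_AC_COOKIE, b"cookie-" + self.ac_name.encode())]
        if TAG_HOST_UNIQ in padi["tags"]:            # RFC 2516: Host-Uniq must be echoed
            tags.append((TAG_HOST_UNIQ, padi["tags"][TAG_HOST_UNIQ]))
        return self.delay_ms, build_discovery(padi["src"], self.mac, PADO, tags)


def run_discovery(terminal_mac_hex, bases):
    """Broadcast a PADI, take PADOs in arrival order, send PADR to the first offer."""
    tmac = bytes.fromhex(terminal_mac_hex)
    host_uniq = b"\x00\x01\x02\x03"                  # lets the terminal match replies
    padi = build_discovery(BROADCAST, tmac, PADI,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    parsed_padi = parse_discovery(padi)
    # Every BAS on the segment replies; arrival order is decided only by timing.
    offers = sorted(filter(None, (b.on_padi(parsed_padi) for b in bases)),
                    key=lambda item: item[0])
    pados = []
    for _, frame in offers:
        pado = parse_discovery(frame)
        if pado["code"] == PADO and pado["tags"].get(TAG_HOST_UNIQ) == host_uniq:
            pados.append(pado)
    chosen = pados[0]                                # first-arrived wins
    padr = build_discovery(chosen["src"], tmac, PADR,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq),
                            (TAG_AC_COOKIE, chosen["tags"][TAG_AC_COOKIE])])
    return {"offers": [p["tags"][TAG_AC_NAME].decode() for p in pados],
            "selected": chosen["tags"][TAG_AC_NAME].decode(),
            "padr_dst": parse_discovery(padr)["dst"]}


if __name__ == "__main__":
    # The operator wants bas-active to carry all sessions, but the standby replies faster.
    result = run_discovery("001122334455", [Bas("0a0000000001", "bas-active", 12),
                                            Bas("0a0000000002", "bas-standby", 5)])
    print(result["offers"], "->", result["selected"])
```

The parser checks the declared PPPoE length and every tag length against the bytes actually present, which is the check a BAS or terminal needs before trusting tag contents from a broadcast segment; the Host-Uniq comparison is what lets the terminal discard PADOs that answer someone else's PADI.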
As prior art, for example, Japanese Patent Publication No. 2004-158977 proposes a load distribution processing system in which a load distributing apparatus connected to a plurality of Web servers receives an access request from a user terminal and selects the Web server to which the user terminal should be connected. According to this system, however, if the Web server selected by the load distributing apparatus has failed, no response to the access request is returned to the requesting terminal, even though other healthy Web servers exist in the network. The user terminal therefore has to retransmit the access request packet after waiting for a response to time out, which adds delay to Web access.
On the other hand, in the layer-2 connection service in accordance with IEEE 802.1X, an authenticator can serve a plurality of supplicants through an intervening L2SW that passes EAPOL packets to the authenticator. In this case, when a supplicant multicasts a connection initiation request packet (EAPOL-Start), a plurality of authenticators will respond to the request. However, because a one-to-one connection between a supplicant and an authenticator is fundamentally assumed in IEEE 802.1X, a supplicant that has transmitted an EAPOL-Start packet expects to receive one response packet (EAP-Request/ID Request, i.e., EAP-Request/Identity) as the next step of the communication control procedure. Therefore, if a plurality of EAP-Request/ID Request packets are returned from different authenticators in response to the same EAPOL-Start packet, how the supplicant handles the second EAP-Request/ID Request packet to arrive depends on the software implemented on the supplicant. If the supplicant repeats the same operation in response to every EAP-Request/ID Request packet, it may fail to connect to the Internet because the communication control procedures carried out with the plurality of authenticators interfere with one another.
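The two IEEE 802.1X situations discussed on this page, an L2SW that must pass EAPOL frames addressed to 01-80-C2-00-00-03 and several authenticators answering one EAPOL-Start, as an added example that is not part of the original document: a small EAPOL/EAP frame builder and parser, a switch model with a pass-through flag for the PAE group address, two simulated authenticators and a supplicant with two made-up handling policies (answer every EAP-Request/Identity, or bind to the first authenticator that answers). MAC addresses, EAP identifiers and the identity string are made up, and the authenticators here reply unicast to the supplicant's MAC.

```python
"""IEEE 802.1X start-up with two authenticators behind one L2 switch, simulated in memory.

Added illustration, not part of the original document. MAC addresses, the
switch's pass-through flag and the two supplicant policies are made up.
"""
import struct

ETH_P_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # reserved group MAC used by EAPOL
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def build_eapol(dst, src, eapol_type, body=b"", version=1):
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETH_P_EAPOL, version, eapol_type, len(body)) + body


def build_eap(code, identifier, eap_type, data=b""):
    """EAP Request/Response: code, identifier, total length, type, type-data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def parse_eapol(frame):
    """Parse an EAPOL frame and, for EAP-Packet, the EAP header inside it."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETH_P_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("body shorter than declared length")
    out = {"dst": dst, "src": src, "eapol_type": eapol_type, "eap": None}
    if eapol_type == EAPOL_EAP_PACKET:
        if len(body) < 5:
            raise ValueError("EAP packet too short")
        code, ident, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
        if eap_len < 5 or eap_len > len(body):
            raise ValueError("bad EAP length")
        out["eap"] = {"code": code, "id": ident, "type": eap_type, "data": body[5:eap_len]}
    return out


class Authenticator:
    """Answers EAPOL-Start with EAP-Request/Identity (sent unicast to the supplicant here)."""

    def __init__(self, mac_hex, first_id):
        self.mac, self.next_id = bytes.fromhex(mac_hex), first_id

    def on_frame(self, frame):
        f = parse_eapol(frame)
        if f["eapol_type"] != EAPOL_START:
            return None
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        return build_eapol(f["src"], self.mac, EAPOL_EAP_PACKET,
                           build_eap(EAP_REQUEST, ident, EAP_TYPE_IDENTITY))


class L2Switch:
    """Supplicant on one port, authenticators on the others, listed in arrival order."""

    def __init__(self, authenticators, pass_pae_group):
        self.authenticators, self.pass_pae_group = authenticators, pass_pae_group

    def deliver(self, frame):
        dst = frame[:6]
        if dst == PAE_GROUP_ADDR and not self.pass_pae_group:
            return []   # a plain 802.1D bridge does not relay the reserved 01-80-C2-00-00-0x range
        return [a for a in self.authenticators if dst in (PAE_GROUP_ADDR, a.mac)]


def run_startup(supplicant_mac_hex, switch, bind_to_first):
    """Multicast EAPOL-Start; return (authenticator MAC, EAP id, frame) per Identity response sent."""
    smac = bytes.fromhex(supplicant_mac_hex)
    start = build_eapol(PAE_GROUP_ADDR, smac, EAPOL_START)
    requests = [parse_eapol(r) for r in (a.on_frame(start) for a in switch.deliver(start)) if r]
    peer, responses = None, []
    for req in requests:
        eap = req["eap"]
        if eap is None or eap["code"] != EAP_REQUEST or eap["type"] != EAP_TYPE_IDENTITY:
            continue
        if bind_to_first:
            if peer is None:
                peer = req["src"]
            elif req["src"] != peer:
                continue        # later authenticators are ignored by this policy
        resp = build_eapol(req["src"], smac, EAPOL_EAP_PACKET,
                           build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, b"user@example.net"))
        responses.append((req["src"], eap["id"], resp))
    return responses
```

With the pass-through flag off nothing reaches either authenticator, which is the L2SW condition the page describes; with it on, the "answer everything" policy opens one Identity exchange per authenticator from a single supplicant port, while the "bind to first" policy keeps a single exchange. Which of these a real supplicant does is, as the text says, an implementation matter.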