The present invention relates to a technique concerning a communication network, especially the communication devices required to compose a packet exchange network. More particularly, the invention relates to a technique for processing each packet that prevents the processing overhead from holding up packets during packet transfer in a communication network. The processing applied to packets is mainly encryption for secure data transfer, compression, and encapsulation.
FIG. 10 shows a block diagram of a communication network in which a packet transferring apparatus is used as each node. Generally, a communication network is composed of terminals (T1, T2, T3, T11, etc.) and nodes. Each ellipse shown in FIG. 10 denotes a communication network composed of plural nodes. In this communication network, communication takes place between terminals, which are the end points of the communication. When two end points are connected to each other via a node, communication is also enabled between terminals that are not connected directly to each other. A node relays communication with a terminal or with another node in this way. The IETF (Internet Engineering Task Force) defines the rules for relaying communication in each communication network. A communication network that conforms to the Internet Protocol defined by the IETF is referred to as an Internet IN. An Internet IN is composed of plural communication networks that are managed by different managers and connected to each other. As more and more communication is done on a network composed of nodes managed by different managers, such as an Internet IN, however, a distinction has to be made between nodes managed by the manager of the network to which the terminals belong and other nodes, from the standpoints of management, safety, and operability. Hereinafter, a node that connects networks managed by different managers is referred to as an edge node or edge router.
The networks of an Internet IN are divided into two types: one is a network usually managed by telecommunication enterprises and open to connection by an unspecified number of users; the other is a network managed by its users, or by parties authorized by the users to manage it, and open to connection only among the network's member users. Hereinafter, the latter is referred to as a private network.
The former type is further divided into two types: a network managed by a provider who provides users with Internet connection services, and a network managed by a carrier who provides users simply with line connection services.
Hereinafter, a network managed by a provider who provides users with Internet connection services is referred to as an ISP network (ISP1, ISP2). A network managed by a carrier who provides users with line connection services is referred to as a carrier network (CN1, CN2). The edge routers in these networks are referred to as private network edge routers PE1, PE2, ISP network edge routers ER1, ER2, and carrier network edge routers CE1, CE2, respectively.
A private network is connected to the Internet in one of two ways: directly to an ISP network ISP1, like the private network PN1, or to the ISP network ISP2 via a carrier network CN1, like the private network PN2.
Data is transferred as packets in such a network. In a packet transferring method and a packet transferring apparatus, the packet transferring processing uses information handled in plural layers, such as the data link layer, the network layer, and the transport layer, of a network model (the OSI reference model defined by the International Standard Organization).
FIG. 4 shows an example of a packet. A packet has a nested structure, as follows. When a transport layer header TLH is added to transport layer data TL_DATA, the result becomes network layer data NL_DATA. When a network layer header NLH is added to network layer data NL_DATA, the result becomes data link layer data DL_DATA. When a data link layer header DHL and a data link layer trailer DLT (depending on the data link layer protocol) are added to data link layer data DL_DATA, the result becomes a data link layer packet. A data link layer packet is also referred to as a frame FL.
Putting packet data in such a nested structure is referred to as encapsulation. Generally, encapsulation is a method that provides a packet or a whole frame handled by one layer protocol in a hierarchical network system with the header information of another protocol, so that the packet or frame is handled as a payload. Conversely, deleting such header information from a packet or frame to take out the data inside it is referred to as decapsulation.
Usually, packets are transferred in one of two ways: one where a node only needs to process the header information of the relevant layer in each packet, and another where the node must process the whole data of each packet. An example of the former (header processing) is route selection in the network layer; here the output destination of a packet can be decided just by processing the network layer header information in the packet. On the other hand, sometimes the whole data in a packet must be processed; this is the case when encryption, decryption, encapsulation, or decapsulation is applied to the packet.
A private network can also be connected virtually by using a tunneling technique. Hereinafter, the packet encapsulation required for tunneling will be described. In the case of FIG. 1, tunneling means a method in which a packet transferred from the terminal T1 to the terminal T3 is encapsulated into a packet to be transferred from the edge router PE1 to the edge router PE3, so that the route between the edge routers PE1 and PE3, lying on the route denoted by a broken line in FIG. 1, is regarded as a virtually connected route. This virtually connected route is referred to as a tunnel TN1. The concrete method of tunneling is to encapsulate a packet with a new header and transfer the encapsulated packet according to the new header instead of processing the encapsulated packet in the processing layer. In the case of FIG. 1, tunneling means processing in which a new network layer header is added to a packet sent by the terminal T1, the packet is transferred to the edge router PE3 according to the added network layer header information, and then the edge router PE1 deletes the added header, so that the packet sent from the terminal T1 is taken out.
FIG. 5 shows the configuration of a network layer packet that is encapsulated in the network layer. In this encapsulation, the packet shown in FIG. 4, which has a network layer header NLH and constitutes data link layer data DL_DATA, becomes new network layer data T_NL_DATA. A new network layer header T_NLH is then added to it, so that the whole becomes new data link layer data DL_DATA2. This data link layer data DL_DATA2 is processed as a network layer packet on the basis of the network layer header T_NLH information until it is decapsulated. In decapsulation, the network layer header T_NLH is deleted according to its own header information at the node at which the packet arrives, and the network layer data T_NL_DATA is restored to the original network layer packet, that is, the original data link layer data DL_DATA. The restored data is then transferred as a network layer packet according to the network layer header NLH information.
When a terminal communicates with another, the unit of data sent or received in layers lower than the transport layer is the individual packet. The unit of data sent or received in layers higher than the session layer is a group of consecutive packets. Hereinafter, such a packet group is referred to as a packet flow.
An encryption technique is a very important item for concealing the data of such a packet flow transferred in the network shown in FIG. 1.
Conventionally, encryption processing has been done either by an application program on the subject terminal, which processes each packet flow, or by a node. Encryption is done in one of two ways: one where the data part of each packet is encrypted, and another where tunneling (encapsulation) is applied to the packet data so that the whole packet, including the network layer header, which is information transferred within the private network, is encrypted.
The method of encrypting the whole packet data is applied to packets passing through routes in the Internet that the network managers cannot identify, in order to maintain the safety of the data passing along those routes and to conceal information about the routes the packets take; in other words, to keep the information in the network layer header used within the private network to which the subject terminal belongs away from anyone who can observe the packet at a node along the route.
Next, how a packet is encapsulated for encryption will be described with reference to FIGS. 5 and 6.
FIG. 6 shows the configuration of a packet encrypted for encrypted tunneling. The network layer header of the packet is also encrypted at this time. A new network layer header T_NLH is added to the packet as an encapsulation header. The new header T_NLH is needed to pass the encapsulated packet T_NL_DATA through an ISP network that functions as a tunnel. In this encryption, the data T_NL_DATA to be encapsulated is encrypted into encrypted encapsulated data ENCRYPTED. In this way the network layer header NLH, which carries the address information of the private network, is encrypted and passes each node in the ISP network as encrypted data ENCRYPTED, so that it is difficult for a third party to obtain the value of the network layer header NLH.
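The two encapsulation forms described above (plain tunneling as in FIG. 5 and encrypted tunneling as in FIG. 6) as an added Go example; this is not code from the patent. It assumes a constructed 8-byte header in place of a real network layer header, AES-GCM as the tunnel cipher (the text names no algorithm), and a key already shared by the two edge routers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const hdrLen = 8 // constructed header: 4-byte source, 4-byte destination (not a real IP header)
// nlh builds a constructed network layer header, used here for both NLH and T_NLH.
func nlh(src, dst uint32) []byte {
	h := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(h, src)
	binary.BigEndian.PutUint32(h[4:], dst)
	return h
}
// encapsulate (FIG. 5) puts the whole original packet NLH+NL_DATA behind a new T_NLH; decapsulate strips it again at the far edge router.
func encapsulate(tnlh, packet []byte) []byte { return append(append([]byte{}, tnlh...), packet...) }
func decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("frame shorter than T_NLH")
	}
	return frame[hdrLen:], nil
}
// newTunnelCipher returns the AES-GCM instance shared by both edge routers (key setup is out of scope).
func newTunnelCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// encryptTunnel (FIG. 6): T_NL_DATA is sealed into ENCRYPTED; T_NLH stays in clear for ISP forwarding and is bound in as associated data. Layout: T_NLH | nonce | ENCRYPTED.
func encryptTunnel(aead cipher.AEAD, tnlh, packet []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(append(append([]byte{}, tnlh...), nonce...), nonce, packet, tnlh), nil
}
// decryptTunnel reverses encryptTunnel at the counterpart edge router; a frame altered in T_NLH or ENCRYPTED fails authentication and is dropped, not forwarded.
func decryptTunnel(aead cipher.AEAD, frame []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(frame) < hdrLen+ns+aead.Overhead() {
		return nil, errors.New("frame too short for T_NLH, nonce and tag")
	}
	return aead.Open(nil, frame[hdrLen:hdrLen+ns], frame[hdrLen+ns:], frame[:hdrLen])
}
```

An observer at an ISP node sees only the T_NLH addresses of the edge routers; the inner NLH and data are recoverable only by the counterpart router holding the key.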
Packets pass each node as a packet flow. Each conventional packet transferring apparatus therefore encrypts or decrypts every packet flow passing along the route up to the counterpart packet transferring apparatus. In this case, an edge node encrypts every packet passing through the tunnel route, that is, the route up to the counterpart edge node that decrypts those packets.
A conventional packet transferring apparatus does not identify the terminal that generated a subject packet flow, and so cannot decide whether to encrypt or decrypt only part of the packet flow, that is, only those packets that must be encrypted.
When such a packet transferring apparatus is used as an edge node, the packet flows from the network to which the edge node belongs are concentrated at it. When the edge node executes encryption, which requires more computation than packet header processing, the number of packets that can be processed at a node where packet flows are concentrated becomes limited by the delay of the encryption computation. This is why the efficiency of packet processing must be improved further to solve the problem.