The present invention relates to a packet routing apparatus (network connection apparatus) for mutually connecting a plurality of networks, and its routing processing method.
Packet routing apparatuses (network connection apparatuses) for connecting a plurality of networks include a bridge, which performs mutual connection in the data link layer of a network system hierarchy, a router apparatus, which performs mutual connection in the network layer above the data link layer, and the like.
The bridge manages a MAC (Media Access Control) address, and judges whether or not a received frame from a network should be routed to another network, in accordance with the content of a destination MAC address in the received frame and a filtering address table as routing control information.
The router apparatus selects a predetermined route or an optimum route in accordance with an address in the received frame and a route information table stored in the router apparatus, and routes the received frame.
Several kinds of protocols are used in the network layer, and IP (Internet Protocol) is known as a typical example. In IP, an IP address is used for networking. IP, together with TCP (Transmission Control Protocol) in the upper transport layer, is often called TCP/IP.
The packet routing apparatus, such as the bridge apparatus, the router apparatus, or a brouter apparatus having both a bridge function and a router function, is constructed to include at least two communication ports and a processor for performing a routing processing.
As a conventional technique for performing routing processing of an IP packet, the technique disclosed in Japanese Patent Unexamined Publication No. Hei. 5-199230 can be cited. According to this technique, there are provided a router management unit that mainly performs management of the whole packet routing apparatus, such as route information management, and a plurality of routing accelerators that assist the router management unit by being dedicated to the routing processing of packets. The router management unit and the routing accelerators, or the respective routing accelerators, are connected by a high speed router bus, and the routing processing of packets is performed independently and in a distributed manner by the plurality of routing accelerators.
The routing processing can be performed at high speed by the plurality of routing accelerators, and when routing accelerators are further added, it is possible to easily realize a large scale network from a small scale one.
While faster routing processing of IP packets is demanded, various new functions have been added to the IP network in addition to the existing functions. For example, there are an IPsec function of encrypting a packet in the IP layer, for construction of a VPN (Virtual Private Network); a NAT (Network Address Translator) function of mutually converting a private IP address and a global IP address, for private network construction as a countermeasure against IP address insufficiency; a load balancing function of seamlessly using a plurality of servers by having the plurality of servers represented by one IP address to a client; illegal packet detection; a filtering function; and the like. These additional functions require processing quite different from the normal routing processing of an IP packet, for example, modification of an IP address, encryption/decryption of the data portion of the IP packet, comparison with a detailed table for detection of an illegal packet, or the like.
Incidentally, the specifications and requirements of various techniques relating to the Internet are published by the IETF (Internet Engineering Task Force) as serially numbered RFCs (Request For Comments). For example, RFC2401 can be cited in relation to the IPsec function, RFC1631, RFC2391 and RFC2663 can be cited in relation to the NAT function or the load balancing function, and RFC2267 etc. can be cited in relation to the filtering function. In the following description, the foregoing IPsec function, the NAT function, the load balancing function, the illegal packet detection function, and the like are collectively referred to as IP additional functions.
In the conventional packet routing apparatus, in the case where a plurality of processing units having the IP additional functions are provided in the middle of the internal transmission route of a packet routed by the apparatus, means for specifying the IP additional function processing unit necessary for each packet is newly required.
Besides, there has been a problem that if dedicated routes are provided in parallel, each of which transmits a packet to the target IP additional function processing unit after the IP additional function processing unit necessary for that packet is specified, the circuit scale becomes large, and packet transmission between different IP additional functions becomes difficult.