Recently, more and more communication networks have been migrated to IP, and IP communication networks, centered on the Internet, are now widely used as social infrastructure. Therefore, as packet communications carrying personal information, commercial transaction information, and the like pass through the Internet, securing the communication paths against eavesdropping and forgery has become indispensable.
Accordingly, as a technology concerning communication security on the Internet, the security architecture for the Internet Protocol discussed in the Internet Engineering Task Force is widely known (S. Kent et al., “Security Architecture for the Internet Protocol,” RFC2401, November 1998).
In IPv6, which is expected to come into widespread use in the future, IPSec (IP Security Protocol) is provided as standard. Furthermore, as communication networks are increasingly migrated to IP, it is anticipated that the number of connected terminals and the number of users will increase and that access modes will become more complicated.
In IPSec, secure communication is usually achieved by performing authentication and encryption processing with a shared key between a sender and a receiver. Therefore, the key information necessary to apply IPSec, the authentication algorithm, the encryption algorithm, and the parameters required by those algorithms must be agreed in advance between the sender and the receiver. These agreements are referred to as a security association (SA) and are stored in a security association database (SADB).
Furthermore, the IPSec processing device stores security policies (SPs) that stipulate the IPSec processing to be applied according to information such as the IP addresses contained in an input or output IP packet. SPs are stored in a security policy database (SPD).
The IPSec processing device compares the conditions defined in an SP with information such as the IP addresses in the input or output IP packet, and extracts the SA corresponding to the SP whose conditions are met. Based on the extracted SA, the IPSec processing device authenticates or encrypts the IP packet.
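The SP lookup and SA selection described above, written out as a small Python model. This is an added example, not code from the original document or from any IPSec implementation; the policies, addresses, SPIs and keys are constructed sample values, and the simplification that each PROTECT policy carries the SPI of its SA directly is an assumption made for illustration. The model also shows the two outcomes a practitioner must handle: a packet that matches no SP is discarded, and a PROTECT policy whose SA is absent from the SADB cannot be served until key exchange has created one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# All policies, SPIs, keys and addresses below are constructed for this example
# and do not describe any real deployment.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    dport: Optional[int] = None


@dataclass
class SecurityPolicy:
    """One SPD entry: traffic selectors plus the action applied on a match."""
    src_net: str
    dst_net: str
    proto: Optional[int]       # None means any protocol
    dport: Optional[int]       # None means any destination port
    action: str                # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None  # hypothetical: SPI of the SA used when action == "PROTECT"

    def matches(self, pkt: Packet) -> bool:
        # Every selector must agree with the packet for the policy to apply.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class SecurityAssociation:
    """One SADB entry: the algorithms and key material agreed for an SPI."""
    spi: int
    auth_alg: str
    enc_alg: str
    key: bytes


class NoSecurityAssociation(Exception):
    """A PROTECT policy matched but no SA exists yet; key exchange is required."""


def lookup_policy(spd: List[SecurityPolicy], pkt: Packet) -> SecurityPolicy:
    """First-match search of the ordered SPD. No matching SP means DISCARD."""
    for sp in spd:
        if sp.matches(pkt):
            return sp
    return SecurityPolicy("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD")


def select_sa(spd: List[SecurityPolicy],
              sadb: Dict[int, SecurityAssociation],
              pkt: Packet) -> Tuple[str, Optional[SecurityAssociation]]:
    """Return (action, SA). Only PROTECT needs an SA; a missing SA is an error."""
    sp = lookup_policy(spd, pkt)
    if sp.action != "PROTECT":
        return sp.action, None
    sa = sadb.get(sp.spi)
    if sa is None:
        raise NoSecurityAssociation(f"policy requires SPI {sp.spi:#x}; no SA negotiated")
    return sp.action, sa


# Constructed SPD: order matters, because the first matching entry wins.
SPD = [
    SecurityPolicy("10.0.0.0/8", "10.0.0.0/8", 1, None, "BYPASS"),              # ICMP in the clear
    SecurityPolicy("10.0.1.0/24", "10.0.2.0/24", 6, 443, "PROTECT", spi=0x1001),
    SecurityPolicy("10.0.1.0/24", "10.0.3.0/24", None, None, "PROTECT", spi=0x2002),  # SA not yet created
]

# Constructed SADB: only the first PROTECT policy has a negotiated SA.
SADB = {
    0x1001: SecurityAssociation(0x1001, "hmac-sha1-96", "aes-cbc", b"\x00" * 16),
}


if __name__ == "__main__":
    for pkt in (Packet("10.0.1.5", "10.0.2.9", 6, 443),
                Packet("10.0.1.5", "10.0.2.9", 1),
                Packet("192.168.1.1", "10.0.2.9", 6, 80),
                Packet("10.0.1.5", "10.0.3.7", 17, 53)):
        try:
            print(pkt, "->", select_sa(SPD, SADB, pkt))
        except NoSecurityAssociation as exc:
            print(pkt, "->", exc)
```

The DISCARD default for an unmatched packet mirrors the behaviour required by the cited security architecture; an implementation that defaulted to BYPASS would silently send such traffic unprotected. The last sample packet shows the condition that triggers the key exchange described in the following paragraph.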
Negotiations are made between IPSec processing devices before communication is started, and the SPs and SAs described above are created automatically. IKE (Internet Key Exchange) is known as a technology for this purpose (D. Harkins et al., “The Internet Key Exchange (IKE),” RFC2409, November 1998).