The function that calculates the permission of transfer is indispensable to conventional network devices in order to ensure the security of a conventional computer network system, as described below.
Referring to FIG. 33, a conventional computer network will be described. A user or subscriber of the network possesses a user's terminal, such as a computer terminal, for concatenation to the network. When it is concatenated to the network, a user's terminal is assigned a specific network address in accordance with a predetermined rule so that it can be distinguished from other user's terminals. Herein, the network address is represented by a numeral of a plurality of digits, for example, first through third digits (a, b, c). The predetermined rule defines a hierarchical structure of the network address. For example, the first digit of the numeral represents a nation, such as England, Germany, or Japan. The second digit represents a city in the nation, and the third digit represents a company name in the city. In the following description, these hierarchical items will be called segments. Referring to FIG. 33, each segment is depicted by a rectangular block. Specifically, the network includes a first segment (SEGMENT1), a second segment (SEGMENT2), and a third segment (SEGMENT3) at the highest hierarchical level. The first segment (SEGMENT1) includes a fourth segment (SEGMENT4) and a fifth segment (SEGMENT5). Likewise, the second segment (SEGMENT2) and the third segment (SEGMENT3) include a sixth segment (SEGMENT6) and a seventh segment (SEGMENT7), respectively. A user's terminal (PC) 401-1 exists in the fourth segment. Likewise, a user's terminal (PC) 401-2 and a user's terminal (PC) 401-3 exist in the sixth segment. The first segment possesses a network address (1, *, *) in which the first digit alone is specified as “1”. The fourth segment subordinate to the first segment possesses a network address (1, 2, *) in which the first and second digits “1” and “2” are specified.
Likewise, the fifth segment subordinate to the first segment possesses a network address (1, 3, *) in which the first and second digits “1” and “3” are specified. Thus, the user's terminal 401-1 in the fourth segment possesses a specific or unique network address (1, 2, 6). The second segment possesses a network address (2, *, *) in which the first digit alone is specified as “2”. The sixth segment subordinate to the second segment possesses a network address (2, 3, *) in which the first and second digits “2” and “3” are specified. Thus, the user's terminals 401-2 and 401-3 in the sixth segment possess specific or unique network addresses (2, 3, 4) and (2, 3, 5), respectively. The third segment possesses a network address (3, *, *) in which the first digit alone is specified as “3”. The seventh segment subordinate to the third segment possesses a network address (3, 5, *) in which the first and second digits “3” and “5” are specified. The symbol “*” contained in these addresses represents “don't care”.
Each digit of each network address is represented by a binary number of three bits. Thus, each network address is represented by a bit sequence of nine bits in total. For example, a network address (1, 2, *) is represented by a bit sequence (001, 010, 000). In the following description, these bit sequences will be called storage data. Since the symbol “*” represents “don't care” for the third digit, it is necessary to indicate that the first six bits (001, 010) in the storage data (001, 010, 000) alone are valid and the remaining bits (000) are invalid. For this purpose, mask information (or mask data) is combined with storage data. In the following description, these pairs will be called structured data. In the illustrated example, the mask information (or mask data) is given by a bit sequence (111, 111, 000). Herein, “0” and “1” represent a mask invalid state and a mask valid state, respectively.
In order to concatenate or establish communication between a plurality of user's terminals in the network, each segment is provided with a network device, for example, a router. As illustrated in FIG. 33, the first segment, the second segment, the third segment, the fourth segment, the fifth segment, the sixth segment, and the seventh segment are provided with a first network device 400-1, a second network device 400-2, a third network device 400-3, a fourth network device 400-4, a fifth network device 400-5, a sixth network device 400-6, and a seventh network device 400-7, respectively. As illustrated in FIG. 33, each network device is concatenated to the user's terminals and network devices subordinate to the corresponding segment. In addition, the first network device 400-1 is concatenated to the network device 400-2, the network device 400-3, and the network device 400-6.
Each network device in the corresponding segment is supplied, from any user's terminal or network device concatenated to it, with communication data together with a source network address and a destination network address annexed thereto. With reference to the source network address, the destination network address, and a predetermined transfer rule, the network device calculates a permission of transfer. Furthermore, with reference to the destination network address and the connection relationship of the network apparatuses, the network device calculates an optimum transfer route and produces a transfer network address. In this way, the network device controls the transfer of communication data.
Herein, description will be made about the case where the associative memory is applied to the network device 400-1 in FIG. 33. It is assumed that transferring the input data to the network device 400-6 having the network address (2, 3, *) is better than transferring it to the network device 400-2 having the network address (2, *, *). In other words, among the network devices whose network addresses coincide with the destination network address when the mask information is taken into account, the optimum choice here is the network device whose mask has the most bits in a mask valid state, that is, the most specific match.
Table 1(a) shows one setting of the transfer rules in the computer network described in this example:
TABLE 1(a)
TRANSFER RULE 1: PERMIT TRANSFER FROM THE INTERNAL OF SEGMENT 4 TO THE INTERNAL OF SEGMENT 2
TRANSFER RULE 2: PERMIT TRANSFER FROM THE INTERNAL OF SEGMENT 1 TO THE INTERNAL OF SEGMENT 3
TRANSFER RULE 3: REJECT TRANSFER FROM THE INTERNAL OF SEGMENT 4 TO THE INTERNAL OF SEGMENT 6
TRANSFER RULE 4: PERMIT TRANSFER FROM INTERNAL PC401-1 OF SEGMENT 4 TO INTERNAL PC401-2 OF SEGMENT 6
TRANSFER RULE 5: REJECT TRANSFER FROM THE INTERNAL OF SEGMENT 1 TO INTERNAL PC401-3 OF SEGMENT 6
TABLE 1(b)
(Columns: TRANSFER RULE; SOURCE NETWORK ADDRESS; DESTINATION NETWORK ADDRESS; PERMIT = 1 / REJECT = 0. Each address is given together with its STORAGE DATA and MASK INFORMATION.)
RULE 1: SOURCE (1, 2, *); DESTINATION (2, *, *); PERMIT = 1
  SOURCE STORAGE DATA “001 010 000” = (1, 2, 0); MASK INFORMATION “111 111 000” = (7, 7, 0)
  DESTINATION STORAGE DATA “010 000 000” = (2, 0, 0); MASK INFORMATION “111 000 000” = (7, 0, 0)
RULE 2: SOURCE (1, *, *); DESTINATION (3, *, *); PERMIT = 1
  SOURCE STORAGE DATA “001 000 000” = (1, 0, 0); MASK INFORMATION “111 000 000” = (7, 0, 0)
  DESTINATION STORAGE DATA “011 000 000” = (3, 0, 0); MASK INFORMATION “111 000 000” = (7, 0, 0)
RULE 3: SOURCE (1, 2, *); DESTINATION (2, 3, *); REJECT = 0
  SOURCE STORAGE DATA “001 010 000” = (1, 2, 0); MASK INFORMATION “111 111 000” = (7, 7, 0)
  DESTINATION STORAGE DATA “010 011 000” = (2, 3, 0); MASK INFORMATION “111 111 000” = (7, 7, 0)
RULE 4: SOURCE (1, 2, 6); DESTINATION (2, 3, 4); PERMIT = 1
  SOURCE STORAGE DATA “001 010 110” = (1, 2, 6); MASK INFORMATION “111 111 111” = (7, 7, 7)
  DESTINATION STORAGE DATA “010 011 100” = (2, 3, 4); MASK INFORMATION “111 111 111” = (7, 7, 7)
RULE 5: SOURCE (1, *, *); DESTINATION (2, 3, 5); REJECT = 0
  SOURCE STORAGE DATA “001 000 000” = (1, 0, 0); MASK INFORMATION “111 000 000” = (7, 0, 0)
  DESTINATION STORAGE DATA “010 011 101” = (2, 3, 5); MASK INFORMATION “111 111 111” = (7, 7, 7)
Rule 1 defines that transfer from a terminal subordinate to segment 4 to one subordinate to segment 2 is permitted. Rule 2 defines that transfer from a terminal subordinate to segment 1 to one subordinate to segment 3 is permitted. Rule 3 defines that transfer from a terminal subordinate to segment 4 to one subordinate to segment 6 is prohibited. Rule 4 defines that transfer from PC401-1 subordinate to segment 4 to PC401-2 subordinate to segment 6 is permitted. Rule 5 defines that transfer from a terminal subordinate to segment 1 to PC401-3 subordinate to segment 6 is prohibited. When the source network address and the destination network address are each represented by a pair of storage data and mask information, the transfer rules of Table 1(a) can be described as in Table 1(b). These transfer rules are necessary for the security of the computer network system.
In the case of transfer from segment 4 to segment 6 under the transfer rules of Table 1(a), vital data stored in PC401-3, for example, can be protected from unlawful access, copying, falsification, and deletion, because only the transfer from PC401-1 to PC401-2 is permitted and all other transfers are prohibited.
In this way, the user's terminals are not directly connected by communication channels but carry out communication through the transfer control functions of the network devices. Thus, communication channels, which are limited resources, are saved while security is ensured.
Next, referring to FIG. 34, description will be made of the case where a conventional network device 422 is used as the network device 400-1 in FIG. 33.
The network device 422 is supplied with input transfer data 402 and produces output transfer data 403. The input transfer data 402 comprises a source network address 404, a transfer network address 405, a destination network address 406, and a data division 407. The output transfer data 403 comprises a source network address 406, a second transfer network address 408, a destination network address 406, and a data division 407. Since the conventional network device 422 is used as the network device 400-1 of FIG. 33, as will readily be understood, the transfer network address 405 in the input transfer data 402 is the network address of the network device 400-1 itself in FIG. 34.
The network device 422 comprises a source network address extracting section 409, a destination network address extracting section 410, an associative memory 101, a CPU 413, an encoder 414, a memory 416, a transfer network address changing section 418, and a data transfer division 421.
The source network address extracting section 409 extracts the source network address 404 contained in the input transfer data 402, and supplies it to the CPU 413 as the source network address 411. The destination network address extracting section 410 extracts the destination network address 406 contained in the input transfer data 402, and supplies it to the associative memory 101 and the CPU 413 as the destination network address 412.
Among the network devices concatenated to the network device 422, the network addresses of the segments lying outside the segment to which the network device 422 belongs are memorized in the associative memory words 102 of the associative memory 101 of the network device 422. Herein, in FIG. 34, description will be made about the case where the conventional network device is used as the network device 400-1 in FIG. 33. The network address (2, *, *), to which the network device 400-2 belongs, is memorized in the associative memory word 102-1. Specifically, the associative memory word 102-1 stores in binary the storage data (010, 000, 000) and the mask information (111, 000, 000), which represent (2, *, *) in the structured data format. Likewise, the network address (2, 3, *), to which the network device 400-6 belongs, is memorized in the associative memory word 102-2, and the network address (3, *, *), to which the network device 400-3 belongs, is memorized in the associative memory word 102-3. In addition to the write/read functions of writing and reading storage data (namely, the address data) at a designated memory address in a manner similar to an ordinary memory circuit, the associative memory 101 possesses a searching (or retrieving) function, or mask searching function. Specifically, the mask searching function puts into a valid state only that one of the match lines 105-1 through 105-3 which corresponds to the storage data coinciding with the input destination network address 412 when the mask information is taken into account; where several storage data coincide, the one whose mask has the most bits in a mask valid state (the most specific match) is selected. The pending patent application 2000-181406 can be cited as one example of the associative memory 101.
The encoder 414 encodes the match lines 105-1 through 105-3, supplied by the associative memory 101, into a memory address signal 415. The memory 416 stores the network addresses of the network devices corresponding to the segment network addresses (each comprising storage data and mask information) stored in the associative memory words of the associative memory 101. In the memory 416, each network device's network address is memorized in the word corresponding to the associative memory word in which the corresponding segment network address is memorized. For example, the network address (2, *, *) is stored in the first associative memory word 102-1 of the associative memory 101, while the network address of the corresponding network device 400-2 (FIG. 33) is stored in the first word of the memory 416. Similarly, the network address of the network device 400-6 and the network address of the network device 400-3 are stored in the second word and the third word of the memory 416, respectively. Supplied with the memory address signal 415 as a read address, the memory 416 produces a memory data signal 417 representing the content of the word designated by the memory address signal 415.
The transfer network address changing section 418 produces the changed transfer data 419 by replacing the transfer network address 405 of the input transfer data 402 with the memory data signal 417, and supplies it to the data transfer division 421. The CPU 413 determines the transfer permission under the rules indicated in Table 1(a), and supplies the result of the determination to the data transfer division 421 as the transfer control signal 420. The data transfer division 421 produces the changed transfer data 419 as the output transfer data 403 when the transfer control signal 420 permits the transfer; otherwise, when the transfer control signal prohibits the transfer, the data transfer division 421 does not produce the changed transfer data.
It is assumed that the source network address 404 in the input transfer data 402 is (1, 2, 3), and the destination network address 406 in the input transfer data 402 is (3, 5, 6). Upon completion of the searching operation in the associative memory 101, only the match line 105-3 corresponding to the network address (3, *, *) in the associative memory word 102-3 is put into a valid state. Then, the encoder 414 produces “3” as the memory address signal 415. The memory 416 produces the memory data signal 417 representing the network address of the network device 400-3. The transfer network address changing section 418 changes the transfer network address 405 in the input transfer data 402 into the network address of the network device 400-3, and supplies it to the data transfer division 421 as the changed transfer data 419. Since the source network address 411 is (1, 2, 3) and the destination network address 412 is (3, 5, 6), the CPU 413 applies transfer rule 2, and supplies the transfer control signal 420 to the data transfer division 421 in the transfer-permitted state. Consequently, the data transfer division 421 transfers the changed transfer data 419 as the output transfer data 403 to the router 400-3. The router 400-3 is responsive to the transfer data and performs an operation similar to that mentioned above. Thus, the transfer data are successively and securely transferred from network device to network device along the optimised route until the user's terminal at the destination network address (3, 5, 6) is reached.
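As an added example (not code from the patent), the following Python models the network device 400-1 for both the transfer rules of Table 1(b) and the mask search of FIG. 34: the structured-data (storage data plus mask information) comparison of the associative memory 101, the selection of the most specific matching word, the next-hop lookup of the memory 416, and the permission check of the CPU 413. The rule-conflict handling (the most specific matching rule wins, and no matching rule means reject) is an assumption chosen to reproduce the protection of PC401-3 described above.

```python
# Added example (not the patent's own code): model of the mask search and rule check.
def to_bits(digits):
    """(1, 2, 0) -> 0b001010000: pack three 3-bit digits into a 9-bit integer."""
    return (digits[0] << 6) | (digits[1] << 3) | digits[2]

def structured(addr):
    """Turn (1, 2, '*') into (storage data, mask information), two 9-bit ints."""
    store = to_bits(tuple(0 if d == "*" else d for d in addr))
    mask = to_bits(tuple(0 if d == "*" else 7 for d in addr))
    return store, mask

def matches(entry, addr):
    """Mask search: compare only the bits whose mask bit is 1 (mask valid state)."""
    store, mask = entry
    return (to_bits(addr) & mask) == (store & mask)

# Associative memory words 102-1..102-3 of device 400-1 and the words of memory
# 416 holding the next-hop device for each of them (constructed from FIG. 33).
CAM_WORDS = [structured((2, "*", "*")), structured((2, 3, "*")), structured((3, "*", "*"))]
NEXT_HOP = ["400-2", "400-6", "400-3"]

def route(dest):
    """Next-hop device: among the matching words, the one whose mask has the most
    valid bits (the most specific match), as the single valid match line selects."""
    hits = [i for i, w in enumerate(CAM_WORDS) if matches(w, dest)]
    if not hits:
        return None
    best = max(hits, key=lambda i: bin(CAM_WORDS[i][1]).count("1"))
    return NEXT_HOP[best]

# Table 1(b): (source address, destination address, permit = 1 / reject = 0).
RULES = [((1, 2, "*"), (2, "*", "*"), 1), ((1, "*", "*"), (3, "*", "*"), 1),
         ((1, 2, "*"), (2, 3, "*"), 0), ((1, 2, 6), (2, 3, 4), 1),
         ((1, "*", "*"), (2, 3, 5), 0)]

def permitted(src, dest):
    """CPU 413 check. Assumption: when several rules match, the most specific one
    (most mask-valid bits over source and destination) wins; no match rejects."""
    best, best_bits = 0, -1
    for s, d, verdict in RULES:
        se, de = structured(s), structured(d)
        if matches(se, src) and matches(de, dest):
            bits = bin(se[1]).count("1") + bin(de[1]).count("1")
            if bits > best_bits:
                best, best_bits = verdict, bits
    return best == 1

def forward(src, dest):
    """Model of device 400-1: return the next hop only if the transfer is permitted."""
    return route(dest) if permitted(src, dest) else None
```

Running `forward((1, 2, 3), (3, 5, 6))` reproduces the worked case above (rule 2 permits, next hop 400-3), while `forward((1, 2, 6), (2, 3, 5))` is rejected even though rule 1 alone would permit it.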