The present invention relates to a method and an apparatus for communication control in a communication network system formed by a plurality of computers including mobile computers for communicating data with each other and providing necessary services over a plurality of interconnected networks, for the purpose of controlling accesses to mobile computers that are moving over the networks.
In conjunction with the reduction of size and cost of a computer system and the progress of a network environment, the use of a computer system has been expanded to a variety of fields rapidly, and the transition from a centralized system to a distributed system is in progress. Moreover, in recent years, in addition to the advance and the improved performance of a computer system itself, the advance and spread of the computer network technology has enabled communications (such as electronic mails, electronic news, file transfer, etc.) with externals of one office or one organization, in addition to the sharing of resources (such as files, printers, etc.) within one office, which are now widely used. Particularly, in recent years, the use of the worldwide computer network called Internet has widely spread, and there are new computer businesses for supporting connections to the Internet for the purpose of utilizing opened information and services or for providing information and services to external users accessing through the Internet. Furthermore, developments of many new technologies concerning the use of the Internet are currently in progress.
In addition, in conjunction with such a spread of the computer network, developments of technologies concerning mobile computing are also currently in progress. In the mobile computing, a user can make communications by using a portable terminal or computer while moving over the networks. There are even cases in which a location on the networks is changed while being in a communication, so that there is a need for a scheme to manage addresses of mobile computers on the networks which are changing during communications in order to properly deliver communication contents to the mobile computers.
On the other hand, as the computer networks spread and free connections among the networks are realized so that enormous amount of data and services are to be communicated through the networks, there arises a need to account for the problems of security. For example, it is necessary to account for a problem as to how to prevent a leakage of secret information of an organization to the external network, or a problem as to how to protect resources and information associated with an organization""s network from illegal accesses from externals of an organization. The Internet was originally constructed for the academic purposes so that it was primarily concerned with the realization of free communications of data and services by network connections and the problems of security were not taken into account. However, recently, many commercial companies and groups are being connected to the Internet so that there has been a need for a mechanism to protect own organization""s network in view of the problems of security.
To this end, in a case of connection a plurality of networks, it is common to provide a mechanism called firewall which monitors and checks data communicated through these networks for the purpose of preventing the illegal accesses from externals and the leakage of internal data to externals. By providing the firewall, it becomes possible to prevent the illegal accesses from externals and the leakage of secret information to externals, while enabling internal computers to receive external services safely.
Also, in a case of communicating important data with particularly high secrecy through external networks, there is a scheme for encrypting data contents before transmitting data packets to the external and decrypting received data contents at a receiving side. According to this scheme, even if a third person at outside the organization spoofs the data packets on the external network, the data contents would not be leaked to that third person because the data contents are encrypted, so that it becomes possible to guarantee the safe communication.
In this regard, such encryption/decryption is possible between the networks which are protected (guarded) by the firewalls which support this encryption/decryption. In a case of an access to the mobile computer described above, when the mobile computer moves to a network managed by the same organization which is managing the home network of the mobile computer and the this visited network is guarded by the firewall which supports the encryption/decryption, the encryption/decryption can be carried out similarly as in a case of communication between the computers within the same network. In such a case, for the purpose of addressing computers, it suffices to use the private addresses within that organization.
On the other hand, when the mobile computer moves to a network managed by an external organization or a network which is managed by the own organization but not guarded by the firewall, this mobile computer has to be treated as an external computer. Consequently, the encryption/decryption cannot be carried out, and the private address within that organization cannot be used within the external organization so that a totally different way of addressing this mobile computer will be necessary.
However, the conventional mobile computing scheme is not provided with a processing for changing the address according to a current location of the mobile computer. In the conventional mobile computing scheme, external addresses which are unique over all networks are given to all mobile computers, and the access to the mobile computer is realized by managing a table of correspondence between addresses (private addresses) within the own organization and external addresses.
This conventional mobile computing scheme has a problem in that, in general, there is only a limited number of addresses which are unique over the external networks (Internet), and it is expected that a number of available external addresses will be insufficient for allocation to all the mobile computers when the mobile computers become popular.
It is therefore an object of the present invention to provide a method and an apparatus for communication control in a communication network system using a mobile computer, capable of realizing flexible address control and management for the mobile computer regardless of a location of the mobile computer in the communication network system.
According to one aspect of the present invention there is provided a method for controlling communications in a communication network system formed by a plurality of computers for communicating data with each other through a plurality of interconnected networks, said plurality of computers including at least one mobile computer for communicating data while changing a location in the communication network system, the method comprising the steps of: (a) when the mobile computer is located within a home network of the mobile computer, carrying out a communication with the mobile computer by transferring communication data using a first location identifier specific to the mobile computer which is uniquely defined within own organization networks of the mobile computer; (b) when the mobile computer is located within an external own organization network, carrying out a communication with the mobile computer by routing communication data to the external own organization network using a third location identifier indicating a current visited location of the mobile computer in the communication network system which is uniquely defined over all the networks, and addressing the mobile computer within the external own organization network using the first location identifier; and (c) when the mobile computer is located within an external other organization network, carrying out a communication with the mobile computer by routing communication data to the external other organization network using the third location identifier, and addressing the mobile computer within the external other organization network using a second location identifier assigned to the mobile computer at a time of moving outside the own organization networks which is uniquely defined over all the networks.
According to another aspect of the present invention there is provided a relay device for relaying communication data in a communication network system formed by a plurality of computers for communicating data with each other through a plurality of interconnected networks, said plurality of computers including at least one mobile computer for communicating data while changing a location in the communication network system, the relay device being provided in a home network of the mobile computer and comprising: management means for managing the address information for the mobile computer within own organization networks of the mobile computer, the address information containing a corresponding set of a first location identifier, a second location identifier and a third location identifier, the first location identifier being a location identifier specific to the mobile computer which is uniquely defined within the own organization networks, the second location identifier being a location identifier reserved for the mobile computer which is uniquely defined over all the networks, and the third location identifier being a location identifier indicating a current visited location of the mobile computer in the communication network system which is uniquely defined over all the networks; and processing means for obtaining the third location identifier corresponding to the first location identifier or the second location identifier of a destination computer attached to communication data transmitted from a source computer according to the address information, and transferring the communication data by attaching the obtained third location identifier to the destination computer.
According to another aspect of the present invention there is provided a data packet processing device for processing communication data in a communication network system formed by a plurality of computers for communicating data with each other through a plurality of interconnected networks, said plurality of computers including at least one mobile computer for communicating data while changing a location in the communication network system, the data packet processing device being provided in a home network of the mobile computer and comprising: management means for managing an address information for the mobile computer within own organization networks of the mobile computer, the address information containing a corresponding set of a first location identifier, a second location identifier and a third location identifier, the first location identifier being a location identifier specific to the mobile computer which is uniquely defined within the own organization networks, the second location identifier being a location identifier reserved for the mobile computer which is uniquely defined over all the networks, and the third location identifier being a location identifier indicating a current visited location of the mobile computer in the communication network system which is uniquely defined over all the networks; and processing means for receiving communication data transmitted from a relay device provided in the home network of the mobile computer which is encapsulated using the third location identifier corresponding to the first location identifier, then decapsulating the communication data using the third location identifier, then encapsulating the communication data using the second location identifier corresponding to the third location identifier, then encapsulating the communication data using the third location identifier, and then transmitting the communication data to an external other organization network, when the mobile computer is located within the external other organization network and the communication data has a destination specified by the first location identifier.
Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings.