This invention relates to a packet transfer apparatus for receiving a packet and transferring the received packet to another apparatus.
A related-art packet transfer apparatus performs flow control to which an access control list (ACL) is applied. As a related art, there is known a method of realizing such ACL-based flow control using a content addressable memory (CAM). An example thereof is disclosed in Japanese Patent Application Laid-open No. 2009-231890.
In Japanese Patent Application Laid-open No. 2009-231890, it is disclosed that the CAM identifies a flow entry based on information on an IP packet header such as a source IP address.
In general, a packet output from the packet transfer apparatus itself often carries information relating to network control, and therefore needs to be handled separately from other packets. In the following description, the packet output from the packet transfer apparatus itself is also referred to as an “own-apparatus-originated packet”.
However, in an architecture in which the same path as the hardware (HW) transfer path is allocated as the path for transferring the own-apparatus-originated packet, when the source IP address (SIP) field of the ACL is set to “d.c.”, it is not possible to distinguish the own-apparatus-originated packet from the other packets. Here, “d.c.” represents “don't care”, indicating that no concern is given to a particular piece of information (bit).
In order to solve the above-mentioned problem, the IP address of the packet transfer apparatus is set in the ACL as the SIP, to thereby be able to identify the own-apparatus-originated packet. However, there is a problem in that, when a packet whose SIP is spoofed is transmitted from a malicious attacker, the packet transfer apparatus cannot identify the spoofed packet.
Further, there is a problem in that, with regard to the CAM entries for which filter control for the ACL is set, when only the own-apparatus-originated packet is to be passed, a large number of entries need to be set in order to exclude the own-apparatus-originated packet. For example, in order to exclude the IP address “5” of the packet transfer apparatus from among the IP addresses “0” to “7”, three entries, “0xx”, “100”, and “11x”, are necessary. It should be noted that “x” represents “don't care”.
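The three problems described above (an SIP set to “d.c.” matching every packet, an SIP pinned to the apparatus address also matching a spoofed packet, and the number of ternary entries an exclusion needs) can be reproduced with a toy ternary-CAM matcher. The following is an added illustration and is not part of the patent text or of the cited related art; the 3-bit address width, the own address “5”, the foreign address “2” and the permit/deny actions are constructed values. The `exclusion_entries` function generalizes the page's single instance: matching every `width`-bit value except one always needs exactly `width` entries, one per bit position.

```python
"""Added illustration (not part of the patent text): a toy ternary-CAM ACL
matcher. All addresses, widths and packets below are constructed values."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class TernaryEntry:
    """One CAM entry: a pattern over {'0', '1', 'x'}, where 'x' = don't care."""
    pattern: str
    action: str  # constructed actions: "permit" or "deny"

    def matches(self, value: int) -> bool:
        bits = format(value, f"0{len(self.pattern)}b")
        return all(p == "x" or p == b for p, b in zip(self.pattern, bits))


def lookup(entries: list[TernaryEntry], value: int) -> str | None:
    """First-match semantics, like a priority-ordered CAM; None if no entry hits."""
    for e in entries:
        if e.matches(value):
            return e.action
    return None


def exclusion_entries(excluded: int, width: int) -> list[str]:
    """Ternary patterns that together match every `width`-bit value except
    `excluded`. Entry i keeps the top i bits of `excluded`, flips bit i and
    wildcards the rest, so the entries are disjoint and one is needed per bit.
    For excluded=5 ('101') and width=3 this gives '0xx', '11x', '100', the
    three entries the text cites."""
    bits = format(excluded, f"0{width}b")
    out = []
    for i in range(width):
        flipped = "1" if bits[i] == "0" else "0"
        out.append(bits[:i] + flipped + "x" * (width - i - 1))
    return out


OWN_SIP = 5      # constructed: the apparatus's own 3-bit "IP address"
FOREIGN_SIP = 2  # constructed: some other host's address


def wildcard_sip_distinguishes_own(width: int = 3) -> bool:
    """Problem 1: with SIP = d.c. the entry fires for every packet, own or not,
    so the lookup result cannot tell the two apart (returns False)."""
    acl = [TernaryEntry("x" * width, "permit")]
    return lookup(acl, OWN_SIP) != lookup(acl, FOREIGN_SIP)


def exact_sip_vs_spoof(width: int = 3) -> str | None:
    """Problem 2: pinning SIP to the own address also admits a packet whose SIP
    was spoofed to that address; the CAM sees identical bits."""
    acl = [TernaryEntry(format(OWN_SIP, f"0{width}b"), "permit")]
    spoofed_sip = OWN_SIP  # header field copied from the apparatus address
    return lookup(acl, spoofed_sip)


def exclusion_covers_all_but(excluded: int, width: int) -> bool:
    """Problem 3 check: the generated entries hit every value except `excluded`."""
    acl = [TernaryEntry(p, "deny") for p in exclusion_entries(excluded, width)]
    hit = {v for v in range(2 ** width) if lookup(acl, v) == "deny"}
    return hit == set(range(2 ** width)) - {excluded}


if __name__ == "__main__":
    print(exclusion_entries(5, 3))            # ['0xx', '11x', '100']
    print(wildcard_sip_distinguishes_own())   # False
    print(exact_sip_vs_spoof())               # permit
    print(exclusion_covers_all_but(5, 3))     # True
```

The matcher deliberately mirrors a CAM's view of the world: it only ever sees the bits presented in the header, which is why an SIP-based entry cannot separate a genuine own-apparatus-originated packet from one whose SIP merely equals the apparatus address. For a 32-bit IPv4 address the same construction yields 32 exclusion entries, which is the entry-count cost the text refers to.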