Filtering technology is technology for restricting unsuitable access from the Internet or to the Internet when a company etc. connects to the Internet. Normally, the filtering technology is implemented as a filtering means in a firewall, router, host, or other communication equipment. This filtering means judges whether each packet accessing the company etc. from the Internet (or vice versa) matches a predetermined restrictive condition and, when it matches, discards that packet.
For example, a private address used in the intranet of a company etc. is an address which may be freely used only inside the company, so having a packet containing such an address transferred on the Internet would be unsuitable; that packet is therefore discarded by the above filtering means. Alternatively, a specific port number is designated for a specific application, and only packets containing that port number are allowed through by the filtering means.
FIG. 20 is a view schematically showing a network covered by the present invention.
In the figure, the left side shows the Internet constructed by ISPs (Internet service providers), while the right side shows a company network such as an intranet. Further, communication equipment is arranged at their boundary. The present invention mainly covers this communication equipment.
Note that the above term “communication equipment” in the present invention is a general term for the above-mentioned firewall or router or host. Packet filtering is performed in this communication equipment.
FIG. 21 is a view of the general configuration of conventional communication equipment, and
FIG. 22 is a view showing in detail a comparing table 12 of FIG. 21.
In FIG. 21, reference numeral 10 is the above communication equipment. Specifically, it is a router or a host.
The communication equipment 10 is provided with a comparing means 11 for the packet filtering. This comparing means 11 is provided with a comparing table 12. While this comparing table 12 is being referred to, whether an input (IN) packet PKT is to be passed or discarded is determined. A packet PKT for which pass through is permitted is output from OUT.
A detailed example of a comparing table 12 referred to for pass through or discard is shown in FIG. 22.
Referring to this figure, the comparing table 12 stores filter conditions (<1>, <2> . . . <k>) as a list in advance. When a packet PKT is input to the communication equipment 10, in the case of IP (Internet Protocol), the filter conditions, that is, the “destination IP address”, “source IP address”, “destination port number”, “source port number”, etc., are checked for each packet. A packet PKT which does not match the conditions is discarded.
The “mask for destination IP address” in the comparing table 12 means that the lower n bits (n<m) of, for example, the destination IP address (m bits) are masked (ignored). Due to this mask, a plurality of communication partners can be filtered as a single group, so efficiency is good. The “mask for source IP address” in the table 12 is used for a similar purpose.
The object of the filter condition designated at the comparing table 12 is usually information described in the header of each packet. Actual examples are shown below for such a header.
FIG. 23 is a view of the format showing the actual content of an IPv4 header,
FIG. 24 is a view of the format showing the actual content of an IPv6 header,
FIG. 25 is a view of the format showing the actual content of a TCP header, and
FIG. 26 is a view of the format showing the actual content of a UDP header.
Referring to the IPv4 (IP Version 4) header of FIG. 23, the source IP address is checked by the “Source Address”, while the destination IP address is checked by the “Destination Address”.
The IPv6 (IP Version 6) header of FIG. 24 is similar to the case of FIG. 23.
The TCP (transmission control protocol) header of FIG. 25 functions as an upper layer above the IP, but in the same way as above, the source port number is checked by the “Source Port”, while the destination port number is checked by the “Destination Port”. Note that this “Destination Port” often designates a specific application.
The UDP (user datagram protocol) header of FIG. 26 is also similar to the case of FIG. 25 explained above.
According to the conventional comparing means 11 (FIG. 21) explained above, the following problems arise. First, as the number of communication partners increases more and more in the future, the number of filter conditions will also increase. That is, the number of entries in the comparing table 12 will end up increasing, and the filtering time will increase together with the amount of hardware.
Second, there is the problem that when introducing the IPsec (IP Security) protocol, whose usage is expected to increase in the future, the above-mentioned upper layer TCP headers or UDP headers will end up being encrypted by IPsec, so filtering using the “Source Port” and “Destination Port” shown in FIG. 25 and FIG. 26 will no longer be possible.
Further, ancillary to this, in so-called “peer-to-peer” type applications such as VoIP (Voice over IP), where the port number is dynamically determined by negotiation, the above filtering is not possible with static settings. As a result, to ensure security, it is necessary to filter out all VoIP packets, so there is the problem that VoIP cannot in fact be used.
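The following is an added example, not part of the patent, modelling the comparing table 12 of FIG. 22 (address conditions with masks on the lower n bits, plus port conditions) and the second problem above: when the transport header is carried inside IPsec ESP, the port fields are ciphertext, so a port-based condition can no longer be evaluated. The packets, table entries and addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def build_ipv4(proto, src, dst, payload):
    """Constructed 20-byte IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def tcp_segment(sport, dport):
    """Constructed TCP header start: only Source Port / Destination Port matter here."""
    return struct.pack("!HH", sport, dport) + bytes(16)

def parse_packet(pkt):
    """Extract the header fields the comparing table checks (FIG. 23 / FIG. 25)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = int.from_bytes(pkt[12:16], "big")
    dst = int.from_bytes(pkt[16:20], "big")
    # TCP (6) and UDP (17) carry the ports in the first four bytes of the payload.
    # For ESP (50) that payload is encrypted, so the ports are simply not available.
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else None
    return {"src": src, "dst": dst, "ports": ports}

def addr_match(addr, cond, mask_bits):
    """'Mask for IP address': the lower mask_bits of the 32-bit address are ignored."""
    if cond is None:                      # wildcard condition
        return True
    keep = ~((1 << mask_bits) - 1) & 0xFFFFFFFF
    return (addr & keep) == (int(IPv4Address(cond)) & keep)

def matches(entry, hdr):
    """One comparing-table entry: every designated field must match."""
    if not addr_match(hdr["dst"], entry["dst"], entry["dst_mask"]):
        return False
    if not addr_match(hdr["src"], entry["src"], entry["src_mask"]):
        return False
    for key, idx in (("sport", 0), ("dport", 1)):
        if entry[key] is not None and (hdr["ports"] is None or hdr["ports"][idx] != entry[key]):
            return False                  # unknown (encrypted) port can never satisfy a port condition
    return True

def filter_packet(table, pkt):
    """Pass a packet only if some entry permits it; otherwise discard, as in FIG. 21."""
    hdr = parse_packet(pkt)
    return "PASS" if any(matches(e, hdr) for e in table) else "DISCARD"

# Constructed table: one entry permits TCP port 80 to any host in 192.168.10.0/24
# (dst_mask=8 ignores the low 8 bits, i.e. the whole /24 is one group).
TABLE = [{"dst": "192.168.10.0", "dst_mask": 8, "src": None, "src_mask": 0,
          "sport": None, "dport": 80}]
```

With this table a plain TCP packet to port 80 passes, but the same flow inside ESP is discarded because the port condition cannot be checked, which is exactly the limitation the patent describes.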