1. Field of the Invention
The present invention relates to an address resolution method using NHRP (Next Hop Resolution Protocol) in an NBMA (Non-Broadcast, Multi-Access) network and an NHRP server, and in particular to an authentication method of NHRP packets and an NHRP server which can perform the authentication method.
2. Description of the Prior Art
An NBMA network, typified by an ATM (Asynchronous Transfer Mode) network, is a network which is not media-shared. The use of NHRP as a protocol for address resolution in an NBMA network has, for example, been discussed in the IETF (Internet Engineering Task Force), and the protocol is specified in texts such as the electronic document "draft-ietf-rolc-nhrp-08.txt" by V. Luciani et al., which has now been updated to "draft-ietf-rolc-nhrp-11.txt". These documents can be obtained from various FTP (File Transfer Protocol) sites on the Internet.
NHRP is used for realizing transmission from a source station to a destination station via networks in which broadcasting has not been implemented, such as X.25 networks and ATM networks, or networks in which the use of broadcasting is not desired, such as a large-scale Ethernet sub-network.
NHRP will next be explained. This explanation refers to an example in which the NBMA network is an ATM network and an IP (Internet Protocol) is used as the upper layer protocol, but identical results are obtained when a network other than an ATM network is used as the NBMA network or a protocol other than IP is used as the network layer protocol.
In order to perform IP communication on an ATM network, the ATM address, which is a datalink layer address, of the communication partner must be obtained based on the IP address, which is a network layer address, of the communication partner. With NHRP, NHRP servers (NHS) are placed in certain areas (for example, in each LIS [Logical IP Subnet]) for distributed administration of correspondence between the IP addresses and ATM addresses of ATM terminals connected to the ATM network.
When an ATM terminal connected to the network wants to resolve an ATM address for an IP address of a certain communication partner, an NHRP resolution request packet is sent to a predetermined NHS. When the NHS which has received the NHRP resolution request packet is able to resolve the address, the NHS sends back an NHRP resolution reply packet to the source ATM terminal. When the NHS is not able to resolve the address, the NHS redirects the NHRP resolution request packet to another NHS which is likely to be in charge of the relevant IP address. In other words, the NHRP resolution request packet is redirected between multiple NHS servers on the network until it reaches an NHS capable of resolving the address.
As a result, provided that the communication partner is directly connected to the ATM network, it is possible to resolve the communication partner's ATM address even in a case in which the communication partner belongs to a different LIS. When the communication partner is not directly connected to the ATM network, the ATM address of an exit router or a gateway in the ATM network can be resolved, and thus, IP communication to the communication partner can be performed using this ATM address.
Having received an NHRP packet, the NHS performs end-to-end authentication or hop-by-hop authentication depending on the packet type; i.e. the NHS performs end-to-end authentication when the NHRP packet is an NHRP registration request packet or an NHRP registration reply packet and performs hop-by-hop authentication when the NHRP packet is of any other type.
However, a conventional NHRP authentication method stipulates that an authentication extension be appended to the extension part of the NHRP packet prior to authentication processing. Keyed MD5 and Clear Text Password (hereinafter abbreviated to "MD5" and "Clear Text") are the stipulated authentication types. Since this extension part is not essential to an NHRP packet, there are cases in which an authentication extension is not appended. In such a case there is deemed to be no authentication type. Thus a total of three differing authentication types are stipulated.
Although a plurality of authentication types are stipulated, the handling of these differing authentication types in a conventional NHRP is not clear. Consequently, particularly in a case where an NHRP packet which is to be authenticated using hop-by-hop authentication is redirected from one LIS to another LIS and the authentication types of these two LIS are different, the authentication operation is left to the system implementation.
Furthermore, networks generally have a network policy determined for each domain of network administration. For instance, one domain in the network may want to adopt a policy of not redirecting NHRP packets between LIS of differing authentication types. Another domain in the network may want to adopt a policy according to which NHRP packets may acceptably be redirected between LIS of differing authentication types. With NHRP, it is also desirable to be able to determine a policy regarding the handling of NHRP packets between LIS of differing authentication types for each domain of the network. However, with a conventional NHRP there has been a problem that it becomes impossible to maintain interoperability of authentication between NHRP servers of different vendors. In other words, the conventional NHRP cannot operate with the authentication policy described above wherein a policy is determined for each domain.
Furthermore, between a plurality of domains in the same NBMA network it may be desirable to adopt a policy of not redirecting NHRP packets between different domains irrespective of whether identical authentication types or different authentication types are used. Conversely, among another plurality of domains, it may be desirable to adopt a policy wherein NHRP packets may acceptably be redirected between differing domains irrespective of whether identical authentication types or differing authentication types are used. In other words, it is also desirable to be able to determine a policy regarding the handling of NHRP packets among domains on a network. However, with a conventional NHRP there has been a problem that NHRP cannot work due to the authentication policies between the domains as described above.
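The following is an added illustration, not taken from this document or from the NHRP drafts, of how the outcome for a hop-by-hop authenticated packet depends on per-domain policy when LIS along the path use differing authentication types. The topology, the policy keys `inter_domain` and `mixed_auth`, all function names, and the rule that both domains involved must permit a redirect are assumptions made for the example.

```python
from enum import Enum

class AuthType(Enum):
    NONE = 0        # no authentication extension appended
    CLEAR_TEXT = 1  # Clear Text Password
    MD5 = 2         # Keyed MD5

REGISTRATION_TYPES = {"registration-request", "registration-reply"}

def auth_mode(packet_type):
    """Registration packets use end-to-end; every other type hop-by-hop."""
    return "end-to-end" if packet_type in REGISTRATION_TYPES else "hop-by-hop"

def hop_allowed(src, dst, policies):
    """Check one LIS-to-LIS redirect against both domains' policies (assumed rule)."""
    for domain in sorted({src["domain"], dst["domain"]}):
        p = policies[domain]
        if src["domain"] != dst["domain"] and not p["inter_domain"]:
            return False, f"{domain}: inter-domain redirect not permitted"
        if src["auth"] is not dst["auth"] and not p["mixed_auth"]:
            return False, f"{domain}: differing authentication types not permitted"
    return True, "ok"

def trace_redirects(packet_type, path, policies):
    """Walk a hop-by-hop packet along `path` (a list of LIS descriptions).
    Returns (name of the last LIS reached, reason)."""
    if auth_mode(packet_type) != "hop-by-hop":
        raise ValueError("only hop-by-hop authenticated packets are modelled")
    for src, dst in zip(path, path[1:]):
        ok, reason = hop_allowed(src, dst, policies)
        if not ok:
            return src["name"], reason
    return path[-1]["name"], "delivered"

# Constructed topology: three LIS, two administrative domains, three auth types.
PATH = [
    {"name": "LIS-A", "domain": "X", "auth": AuthType.MD5},
    {"name": "LIS-B", "domain": "X", "auth": AuthType.CLEAR_TEXT},
    {"name": "LIS-C", "domain": "Y", "auth": AuthType.NONE},
]
STRICT = {"X": {"inter_domain": True, "mixed_auth": False},
          "Y": {"inter_domain": True, "mixed_auth": False}}
PERMISSIVE = {"X": {"inter_domain": True, "mixed_auth": True},
              "Y": {"inter_domain": True, "mixed_auth": True}}

if __name__ == "__main__":
    print(trace_redirects("resolution-request", PATH, STRICT))
    print(trace_redirects("resolution-request", PATH, PERMISSIVE))
```

The same resolution request is stopped at LIS-A under the strict policy and reaches LIS-C under the permissive one, which is the divergence that arises when the decision is left to each implementation.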