1. Field of the Invention
The present invention relates to a technology for authentication of a source address in a network.
2. Description of the Related Art
Recently, malicious software, viruses, worms, and the like are often sent using a false source address from a malicious user to execute a denial of service (DoS) attack or a distributed DoS attack. Therefore, to eliminate such threats, it is important to detect a packet for which a false source address is used. Moreover, it is important to prevent such a packet from flowing into a network.
Conventionally, routers and firewalls detect a false source address by filtering based on regular rules such as a rule in which the transfer of a packet whose source address and destination address are the same is not allowed. In addition, routers have a unicast reverse path forwarding (uRPF) function in which a source address is checked against a routing table and a packet from a source address that is not registered in the routing table is discarded.
Furthermore, as a conventional technique to strictly prevent a false source address, there is authentication header (AH) mode communication in the security architecture for the Internet protocol (IPsec). Moreover, a proposal to prevent spoofing by a false source address has been published. In this proposal, a host determines an Internet protocol version 6 (IPv6) address by communicating with a gateway or a dynamic host configuration protocol (DHCP) server, receives a public key certificate from the gateway or the DHCP server, and sends the public key certificate including the IPv6 address to a communication counterpart (for example, Japanese Patent Laid-Open Publication No. 2004-7512).
However, the conventional false-address detecting function using routers or firewalls described above cannot prevent a false global address having no regularity. Therefore, a false source address cannot be reliably detected. Moreover, to perform communication in the conventional AH mode of IPsec, it is necessary to manage various kinds of information (IP address, user identification (ID), preshared key for Internet key exchange (IKE), etc.) for each user in a virtual private network (VPN) server. Since the amount of information to be managed and the amount of processing increase in proportion to the number of subscribers, it is not suitable for a large scale system.
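The following is an added worked example, not part of the patent text, showing the conventional router checks described in the related art: the regular filtering rule (drop a packet whose source and destination address are the same) and the uRPF routing-table check, in both its loose form (the source prefix must exist in the routing table) and its strict form (the route for the source must point back at the ingress interface). The routing table, interface names and packets are constructed sample data. The last sample packet illustrates the limitation noted above: a spoofed source drawn from a prefix that is legitimately routed passes the loose check, because the address itself has no regularity that a rule could match.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table (sample data, not from the document):
# prefix -> egress interface. No default route is installed; with one,
# loose-mode uRPF would accept every source, since everything is "routed".
ROUTING_TABLE = [
    (ipaddress.ip_network("10.0.0.0/24"), "eth0"),
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),
    (ipaddress.ip_network("198.51.100.0/24"), "eth1"),
]


@dataclass
class Packet:
    src: str      # source address as written in the IP header
    dst: str      # destination address
    ingress: str  # interface the packet arrived on


def lookup(addr, table=ROUTING_TABLE):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def verdict(pkt, mode="strict", table=ROUTING_TABLE):
    """Apply the conventional checks and return (decision, reason).

    mode="loose":  drop only if no route exists for the source address.
    mode="strict": additionally require that the route for the source
                   leads out of the interface the packet came in on.
    """
    # Regular rule: a packet addressed from itself to itself is never legitimate.
    if pkt.src == pkt.dst:
        return ("drop", "same-src-dst")

    egress = lookup(pkt.src, table)
    if egress is None:
        return ("drop", "urpf-loose")          # source not in routing table
    if mode == "strict" and egress != pkt.ingress:
        return ("drop", "urpf-strict")         # source reachable, but not via ingress
    return ("accept", "")


# Constructed sample traffic, each with the outcome the checks produce.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.5", "eth0"),       # src == dst: dropped by the regular rule
    Packet("203.0.113.5", "10.0.0.9", "eth0"),    # unrouted source: dropped by loose uRPF
    Packet("10.0.0.5", "192.0.2.9", "eth0"),      # genuine: accepted in both modes
    Packet("192.0.2.77", "10.0.0.9", "eth0"),     # spoofed from a routed prefix: loose accepts
]


def run_all(mode):
    """Return the verdict for every sample packet under the given mode."""
    return [verdict(p, mode) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(f"--- uRPF {mode} ---")
        for pkt, (decision, reason) in zip(SAMPLE_PACKETS, run_all(mode)):
            print(f"{pkt.src:>13} -> {pkt.dst:<11} on {pkt.ingress}: {decision} {reason}")
```

Strict mode catches the spoofed packet in the last sample only because it arrived on the wrong interface; a spoofed address chosen from a prefix that is legitimately routed through the ingress interface would pass even the strict check, which is the gap the related-art discussion points out.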