1. Field of the Invention
The present invention relates to a packet processing device for transferring packets to a mobile computer and a mobile computer capable of carrying out cipher communications while moving among inter-connected networks, as well as a packet transfer method and a packet processing method suitable for a mobile computing.
2. Description of the Background Art
In conjunction with availability of a computer system in smaller size and lower cost and a more enriched network environment, the use of computer system has been rapidly expanded into variety of fields, and there is also a transition from a centralized system to a distributed system. In this regard, in recent years, because of the advance and spread of the computer network technology in addition to the progress and improved performance of the computer system itself, it has become possible to realize not only a sharing of resources such as files and printers within an office but also communications (electronic mail, electronic news, file transfer etc.) with outside of an office or organization, and these communications are now widely used. In particular, in recent years, the use of the world's largest computer network called Internet has become very popular, and there are new computer businesses for connecting to the Internet and utilizing open information and services, or for providing information and services to external users who make accesses through the Internet. In addition, new technological developments are made in relation to the use of the Internet.
Also, in conjunction with the spread of such networks, there are technological developments regarding the mobile computing. In the mobile computing, a user carries along a portable computer terminal and makes communications while moving over networks. In some cases, the user may change a location on a network while continuing the communication, so that there is a need for a scheme that manages a changing address of a mobile computer on a network during such a communication in order to route the communication content correctly.
Also, when the networks are wide spread and free connections among networks are realized so that huge amount of data and services can be exchanged, there arises a need to account for the problem of security. For example, there is a problem as to how to prevent the leakage of the secret information of the organization to the external network, and there is also a problem as to how to protect resources and information connected to the domestic network. The Internet was developed originally for the academic purpose so that the primary concern was the free data and service exchanges by the network connections and the above described problem of security has not been accounted for. However, in recent years, many corporations and organizations are connecting to the Internet so that there is a need for a mechanism to guard the own network in view of the above described problem of security.
To this end, there is a known scheme for use at a time of exchanging a data packet on the Internet, in which the content of the data packet is to be encrypted and an authentication code is to be attached before the transmission of the data packet to the external, and the authentication code is to be verified and the data packet is to be decrypted at a received site. According to this scheme, even when an outsider picks up the data packet on the external network, the leakage of data content can be prevented because the data content is encrypted, and therefore the safe communication can be realized.
A mutual cipher communication is possible between networks which are protected (guarded) by gateway computers that support such a cipher communication, and when the above described mobile computer itself supports a function of the packet encryption and decryption, a cipher communication between any gateways or a gateway and a mobile computer can be supported. For example, in an exemplary case shown in FIG. 1, a mobile computer 2 that originally belongs to a home network 1a moves to another network 1b and carries out a cipher communication with another computer (correspondent host) 3 in a network 1c, through gateways 4a and 4c that support the encryption/decryption function.
In general, in a case of realizing the mobile computing, a router (home agent) for managing data on a visiting site of the mobile computer is provided, and the transmission of data destined to the mobile computer is realized by sending it via the home agent of the mobile computer, so as to carry out the data routing control with respect to the mobile computer. In FIG. 1, this role is played by a home agent (HA) 5.
A packet transfer route in FIG. 1 will be as follows: correspondent host 3 .fwdarw. gateway 4c .fwdarw. gateway 4a .fwdarw. home agent (HA) 5 .fwdarw. gateway 4a .fwdarw. mobile computer 2. In a case where the decryption is to be carried out by a gateway of the network 1b, the transfer route will be as follows: correspondent host 3 .fwdarw. gateway 4c .fwdarw. gateway 4a .fwdarw. home agent (HA) 5 .fwdarw. gateway 4a .fwdarw. a gateway of the network 1b .fwdarw. mobile computer 2.
In either case, the packet is decrypted once at the gateway 4a, sent to the home agent 5, sent back to the gateway 4a, and encrypted at the gateway 4a. In other words, the gateway 4a is going to carry out the encryption processing twice with respect to the entire packet (a data portion of the packet).
In general, the encryption/decryption of a data packet is a processing that requires a very large amount of calculations, and the above described packet sequence is quite redundant. In particular, in a case of supporting many mobile computers, this redundancy can cause a considerable lowering of the throughput in the entire system.
The similar problem also exists for a device such as a router for relaying encrypted packets, in a case where a received packet is to be decrypted, encrypted, and then relayed.
On the other hand, in a system that realizes the packet transfer to a mobile computer by using the encapsulation and the security measure by using the packet encryption, when a mobility processing and an encryption processing with respect to a packet are carried out in arbitrary order depending on a positional relationship among the elements constituting the system, it has been impossible to recover the original content correctly at a mobile computer that receives the packet. In this case, it has also been impossible to carry out a packet transfer processing correctly at a packet processing device for transferring a packet to the mobile computer that is located on a side where the mobile computer is located.
As described, in the mobile computing, a packet destined to a mobile computer is transferred via a host that manages data on a visited site of the mobile computer. In a case where the mobile computer carries out communications that require packet encryption/decryption with a correspondent host through gateways of respective networks, a data packet destined to a mobile computer reaches to a home agent after being decrypted once at an encryption gateway of a home network, transmitted from a home agent after a current location of the mobile computer is searched, and then transmitted toward the mobile computer after being encrypted again at the encryption gateway of the home network. Consequently, the decryption and the encryption are going to be carried out twice in total, which is redundant and potentially a cause of the bottleneck in the entire system. The similar problem also exists for a device such as a router for relaying encrypted packets, in a case where a received packet is to be decrypted, encrypted, and then relayed.
On the other hand, in a system that realizes the packet transfer to a mobile computer by using the encapsulation and the security measure by using the packet encryption, when a mobility processing and an encryption processing with respect to a packet are carried out in arbitrary order depending on a positional relationship among the elements constituting the system, it has been impossible to carry out the packet processing correctly at a mobile computer that receives the packet and a packet processing device for transferring a packet to the mobile computer.