1. Field of the Invention
The present invention relates to a communication control apparatus, a firewall apparatus, a communication control system, and a data communication method.
2. Related Background Art
Mobile IPv6, a conventional technology that permits a mobile station such as a cell phone to keep using the same IP (Internet Protocol) address regardless of its movement, is under investigation by the IETF (Internet Engineering Task Force). Mobile IPv6 is implemented by mobile IP terminals acting as mobile stations and by a home agent. A packet whose destination address is the permanent IP address (home address) of a mobile IP terminal is transmitted according to the normal IP procedure and thus arrives at the link of the home agent, which therefore receives every packet addressed to the home address.
When the mobile IP terminal moves, it connects to a new node at its new location and acquires a care-of (c/o) address, a temporary IP address, using either the existing stateless address autoconfiguration (RFC2462) or stateful address autoconfiguration (DHCP: Dynamic Host Configuration Protocol). The mobile IP terminal then registers this c/o address with the home agent.
There are two methods for the mobile IP terminal to communicate with another terminal: a bidirectional tunnel mode and a route optimization mode. In the bidirectional tunnel mode, a tunnel is generated between the mobile IP terminal and the home agent. A tunnel, as disclosed in RFC2473, is a technique of encapsulating an original IP packet in another IP packet and transmitting the outer packet, so that the original packet can be carried along an arbitrary route regardless of its own source and destination IP addresses.
When the mobile IP terminal transmits an IP packet to another terminal, this IP packet is first transmitted via the tunnel to the home agent. The home agent takes the IP packet out of the tunnel and thereafter sends the IP packet to the other terminal according to the normal IP procedure. This allows the IP packet to reach the other terminal. Conversely, when the other terminal transmits an IP packet to the mobile IP terminal, the IP packet arrives at the home agent according to the normal IP procedure. Thereafter, the home agent puts this IP packet into a tunnel and sends it to the mobile IP terminal.
In contrast, in the route optimization mode the mobile IP terminal notifies the other terminal of its IP address before transmitting an IP packet. If the other terminal transmits an IP packet to the mobile IP terminal in the bidirectional tunnel mode, the mobile IP terminal transmits its own c/o address to the other terminal in order to switch into the route optimization mode.
In the route optimization mode, when the mobile IP terminal transmits an IP packet to another terminal, the IP packet is transmitted directly (without intermediation of a tunnel) from the mobile IP terminal to the other terminal. In this case, the c/o address is set as the source address of the IP packet, and the home address is carried in the home address option of the IP packet.
On the other hand, when the other terminal transmits an IP packet to the mobile IP terminal, the IP packet is provided with a routing header, and the IP packet is transmitted directly (without intermediation of a tunnel) from the other terminal to the mobile IP terminal. The routing header is defined by RFC2460 and is information for transmitting a packet via an arbitrary relay point. The c/o address is set as a first destination (relay point) of the IP packet, and the home address as a second destination.
In internal networks such as LANs, a firewall, which determines the propriety of passage of data arriving at a boundary between networks in accordance with a predetermined filtering condition, is installed in order to detect and block unauthorized accesses from external networks such as the Internet. Firewalls are often provided in software form and installed in routers, proxy servers, etc.; in certain cases dedicated hardware devices are also used because of demands for higher performance (e.g., cf. Patent Document 1).
[Patent Document 1] Japanese Patent Application Laid-Open No. 10-70576
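The following is an added example (not part of the patent text, and not a reference implementation of any Mobile IPv6 stack) that models the three packet forms described above, the RFC2473 bidirectional tunnel and the two route-optimized forms with a home address option and a routing header, together with a firewall filtering condition of the kind described in the last paragraph. The security-relevant point it illustrates is that a firewall evaluating a route-optimized packet by its on-wire source or destination sees the c/o address, not the home address, so the filter here resolves the logical endpoints and, before trusting a home address option or routing header, checks that the home address is actually bound to that c/o address. All addresses, the binding table and the payloads are constructed sample values; the class and function names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Union

NEXT_HEADER_IPV6 = 41  # IPv6-in-IPv6 encapsulation, as used by RFC2473 tunnels
NEXT_HEADER_UDP = 17


@dataclass
class IPv6Packet:
    src: IPv6Address
    dst: IPv6Address
    next_header: int
    payload: Union[bytes, "IPv6Packet"]
    # home address option: logical source of a route-optimized packet from the mobile terminal
    home_address_option: Optional[IPv6Address] = None
    # routing header: second (final) destination after the c/o address relay point
    routing_header_final: Optional[IPv6Address] = None


def encapsulate(inner: IPv6Packet, outer_src: IPv6Address, outer_dst: IPv6Address) -> IPv6Packet:
    """Bidirectional tunnel mode: put the original IP packet inside another IP packet."""
    return IPv6Packet(outer_src, outer_dst, NEXT_HEADER_IPV6, inner)


def decapsulate(outer: IPv6Packet) -> IPv6Packet:
    """Tunnel endpoint (e.g. the home agent) takes the original packet back out."""
    if outer.next_header != NEXT_HEADER_IPV6 or not isinstance(outer.payload, IPv6Packet):
        raise ValueError("not a tunnel packet")
    return outer.payload


def mn_to_cn(home: IPv6Address, coa: IPv6Address, cn: IPv6Address, data: bytes) -> IPv6Packet:
    """Route optimization, mobile terminal -> other terminal: c/o address as source,
    home address carried in the home address option."""
    return IPv6Packet(coa, cn, NEXT_HEADER_UDP, data, home_address_option=home)


def cn_to_mn(cn: IPv6Address, home: IPv6Address, coa: IPv6Address, data: bytes) -> IPv6Packet:
    """Route optimization, other terminal -> mobile terminal: c/o address as first
    destination (relay point), home address as second destination in the routing header."""
    return IPv6Packet(cn, coa, NEXT_HEADER_UDP, data, routing_header_final=home)


class Firewall:
    """Filtering condition: pass a packet only if one of its logical endpoints lies in
    the internal network. A mobility header may only substitute a home address for the
    on-wire address when that home address is bound to the c/o address on the wire."""

    def __init__(self, internal: IPv6Network, bindings: dict):
        self.internal = internal
        self.bindings = bindings  # home address -> registered c/o address (constructed binding cache)

    def logical_endpoints(self, pkt: IPv6Packet):
        src, dst = pkt.src, pkt.dst
        if pkt.home_address_option is not None:
            if self.bindings.get(pkt.home_address_option) != pkt.src:
                return None  # option claims a home address not bound to this c/o address
            src = pkt.home_address_option
        if pkt.routing_header_final is not None:
            if self.bindings.get(pkt.routing_header_final) != pkt.dst:
                return None  # routing header would relay via an unregistered c/o address
            dst = pkt.routing_header_final
        return src, dst

    def permit(self, pkt: IPv6Packet) -> bool:
        if pkt.next_header == NEXT_HEADER_IPV6:
            try:
                pkt = decapsulate(pkt)  # judge the original packet, not the tunnel wrapper
            except ValueError:
                return False
        ends = self.logical_endpoints(pkt)
        if ends is None:
            return False
        src, dst = ends
        return src in self.internal or dst in self.internal


# Constructed sample topology: the home network is internal; the visited link and
# the correspondent ("other terminal") are external.
HOME_NET = IPv6Network("2001:db8:1::/48")
HOME_AGENT = IPv6Address("2001:db8:1::1")
HOME = IPv6Address("2001:db8:1::10")    # permanent home address of the mobile terminal
COA = IPv6Address("2001:db8:2::abcd")   # c/o address acquired on the visited link
CN = IPv6Address("2001:db8:3::5")       # correspondent terminal
FW = Firewall(HOME_NET, {HOME: COA})


def decisions() -> dict:
    """Firewall verdict for each packet form; True means the packet may pass."""
    data = b"sample payload"
    tunneled = encapsulate(IPv6Packet(HOME, CN, NEXT_HEADER_UDP, data), COA, HOME_AGENT)
    spoofed = IPv6Packet(IPv6Address("2001:db8:9::1"), CN, NEXT_HEADER_UDP, data,
                         home_address_option=HOME)  # home address not bound to this source
    return {
        "tunnel_mn_to_cn": FW.permit(tunneled),
        "ro_mn_to_cn": FW.permit(mn_to_cn(HOME, COA, CN, data)),
        "ro_cn_to_mn": FW.permit(cn_to_mn(CN, HOME, COA, data)),
        "spoofed_home_option": FW.permit(spoofed),
        "external_only": FW.permit(IPv6Packet(CN, COA, NEXT_HEADER_UDP, data)),
    }


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name}: {'pass' if ok else 'drop'}")
```

Running the block prints a pass verdict for the tunneled packet and both legitimate route-optimized packets, and a drop verdict for the packet whose home address option names a home address that is not registered for its source and for the packet with no internal endpoint at all.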