1. Field of the Invention
The present invention relates to packet relay systems, and particularly to a packet relay system which filters packets and relays packet communication.
2. Description of the Related Art
In recent years, the widespread use of broadband networks and advances in wireless technology have made it possible to use video, audio, and many other applications, increasing the importance of network operation. This, however, exposes information communication networks to a constant risk of attacks such as unauthorized access, so higher network security is required.
One general technique for protecting a network from unauthorized access is filtering. The filter function checks each packet sent on the network to determine whether it may pass, and ensures security by discarding any unauthorized packet. Filtering also prevents unnecessary packets from being relayed, reducing traffic.
If filtering is specified in a packet relay apparatus such as a router, packets are filtered by using information of layer 2 to layer 4. The filtering can be protocol filtering for passing just hypertext transfer protocol (HTTP) packets, for instance, or filtering by packet reception port or transmitting terminal address.
The packet relay apparatus generally has a filter table of fixed capacity. Filtering is performed by comparing the parameter information of each filter rule specified in the filter table with the header information of the packet.
FIG. 22 is a view showing a router having a filter table. The figure shows an example of simple filtering. A router 100 has a filter table 110. The filter table 110 lists reception ports, transmission-source media access control (MAC) addresses, and filtering results.
When port P11 of the router 100 receives a packet sent from a terminal 5, the packet is relayed to the specified address because the corresponding filtering result in the filter table 110 is “permit”. If port P12 receives a packet, the router 100 discards the packet because the corresponding filtering result in the filter table 110 is “deny”.
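The following is an added example, not code from the patent, of the fixed-capacity filter table of FIG. 22: rules keyed on reception port and transmission-source MAC address are compared against the packet header, the first matching rule decides, and an unmatched packet falls to a default action. The port names P11/P12, the MAC addresses, the capacity of two entries and the default-deny policy are constructed for illustration; the point to note is that a third rule cannot be installed once the table is full, which is the shortage the remainder of this section discusses.

```python
"""Fixed-capacity packet filter table keyed on reception port and source MAC."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class FilterRule:
    rx_port: Optional[str]   # None acts as a wildcard ("any reception port")
    src_mac: Optional[str]   # None acts as a wildcard ("any source address")
    action: str              # PERMIT or DENY

    def matches(self, rx_port: str, src_mac: str) -> bool:
        """A rule matches when every non-wildcard key equals the header field."""
        return (self.rx_port in (None, rx_port)
                and self.src_mac in (None, src_mac))


class FilterTable:
    """Ordered rule list with a hard entry limit, modelling table 110 in FIG. 22."""

    def __init__(self, capacity: int, default_action: str = DENY):
        self.capacity = capacity
        self.default_action = default_action   # used when no rule matches
        self.rules: List[FilterRule] = []

    def add_rule(self, rule: FilterRule) -> bool:
        """Install a rule; return False (rather than raise) when the table is full."""
        if len(self.rules) >= self.capacity:
            return False
        self.rules.append(rule)
        return True

    def lookup(self, rx_port: str, src_mac: str) -> str:
        """First matching rule wins; otherwise the default action applies."""
        for rule in self.rules:
            if rule.matches(rx_port, src_mac):
                return rule.action
        return self.default_action


def filter_packet(table: FilterTable, packet: Dict[str, str]) -> str:
    """Compare the packet's layer-2 header fields with the filter table."""
    return table.lookup(packet["rx_port"], packet["src_mac"].lower())


# Constructed sample data (hypothetical MAC addresses, not from the patent).
TERMINAL5_MAC = "02:00:00:00:00:05"
UNKNOWN_MAC = "02:00:00:00:00:99"


def build_table_110() -> FilterTable:
    """Two-entry table: permit terminal 5 on P11, deny everything on P12."""
    table = FilterTable(capacity=2)
    table.add_rule(FilterRule("P11", TERMINAL5_MAC, PERMIT))
    table.add_rule(FilterRule("P12", None, DENY))
    return table


def demo() -> Dict[str, object]:
    table = build_table_110()
    return {
        # Matches rule 1: relayed to its destination.
        "terminal5_on_P11": filter_packet(table, {"rx_port": "P11", "src_mac": TERMINAL5_MAC}),
        # Matches rule 2: discarded regardless of source.
        "any_on_P12": filter_packet(table, {"rx_port": "P12", "src_mac": UNKNOWN_MAC}),
        # No rule matches: default action (deny) applies.
        "unknown_on_P11": filter_packet(table, {"rx_port": "P11", "src_mac": UNKNOWN_MAC}),
        # Table is at capacity: the operator's third rule cannot be installed.
        "third_rule_installed": table.add_rule(FilterRule("P13", None, PERMIT)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The default of deny when no entry matches is a design choice for the example; a table whose default is permit would silently pass traffic for every rule that could not be installed, which is why table exhaustion is a security problem and not merely a capacity one.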
One conventional packet filtering technology uses a plurality of network interfaces in a router to perform filtering and routing separately (refer to Unexamined Japanese Patent Application Publication No. Hei-6-97965, paragraph numbers 0008 to 0012 and FIG. 1, for instance).
A router provided on a network performs filtering in accordance with a filter table like the filter table 110 described above. As networks have become large and complicated in recent years, an increased number of filter rules and entries has been required, increasing the likelihood that the capacity of the table in the apparatus becomes insufficient.
The shortage of table capacity can be made up simply by adding memory. The addition, however, increases the equipment cost. Alternatively, a filter may be specified in a different router that has available space in its table resource, and packets may be transferred to that router, which then performs proxy filtering.
FIG. 23 shows packet relaying through proxy filtering by another router. If the router 100 cannot perform filtering when the router 100 relays a packet to a terminal 6, the router 100 asks a router 101 on a packet transfer route to perform filtering. If the router 101 determines that the packet can be passed, as a result of filtering, the router 101 sends the packet to the final destination, which is the terminal 6.
With this method, the router 101, which is asked to perform filtering, must be on the route to the final destination, which is the terminal 6. Whether filtering can be delegated therefore depends on the transfer route of the network topology. For instance, if the router 101 in the vicinity of the request source router 100 has no connection to the terminal 6 on the network, the router 101 cannot be asked to perform filtering.
If it is determined that a packet can be passed, as a result of filtering performed by the router 101, the packet may instead be looped back to the request source router 100 and sent from there to the final destination, which is the terminal 6.
In the conventional packet relay network, the router 101 cannot perform proxy filtering based on information specific to the request source router 100. Packet filtering requires, as a filter key, information specific to the apparatus on which the filter is specified, such as the packet reception or transmission port number. Because neither layer 2 nor layer 3 provides a means to convey such apparatus-specific information to a different router, the conventional packet relay system cannot perform filtering based on information specific to the request source node.
Another problem of the conventional packet relay network is that a packet cannot be looped back from the proxy filtering router 101 to the request source router 100. When the filtering request is made to a different router, the received packet must be transferred to the router 101 without rewriting the packet header. Neither layer 2 nor layer 3 provides a means to forward the packet to a router that is not on the packet's route.
Even if the packet could be transferred and a filtering request made, the router 101 would handle the packet by layer-2 relaying, because the destination MAC address (MAC-DA) of the received packet is not one of its own addresses, and the layer-2 relay would have to transmit the packet back out of the reception port to loop it back.
In the layer-2 relaying flow, a dynamic filtering function provided to avoid packet loops usually discards a packet whose transmission port matches its reception port. That dynamic filtering function therefore prevents the packet from being looped back to the request source router 100.
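The following is an added example, not code from the patent, of the layer-2 relay decision just described: a frame whose MAC-DA is a local address is taken in, a frame for a destination learned on another port is forwarded, and a frame whose learned output port equals its reception port is dropped by the loop-avoidance (dynamic filtering) function. The apparatus name, port names P21/P22, MAC addresses and forwarding-database contents are constructed for illustration; the "unknown destination" flooding case is an assumption about ordinary switch behaviour and is not discussed in the text.

```python
"""Layer-2 relay decision with a loop-avoidance (reception port == transmission port) check."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Disposition = Tuple[str, Optional[str]]   # (what happens to the frame, port involved)


@dataclass
class L2Relay:
    """Minimal model of the layer-2 relaying flow of a router such as router 101."""
    name: str
    local_macs: Set[str] = field(default_factory=set)   # addresses owned by this apparatus
    fdb: Dict[str, str] = field(default_factory=dict)   # learned destination MAC -> output port

    def relay(self, rx_port: str, dst_mac: str) -> Disposition:
        dst_mac = dst_mac.lower()
        if dst_mac in self.local_macs:
            # MAC-DA is local: the frame is terminated here (layer-3 processing,
            # where a locally specified filter rule could be applied).
            return ("local", None)
        tx_port = self.fdb.get(dst_mac)
        if tx_port is None:
            # Assumption: an unknown destination is flooded to every port except rx_port.
            return ("flood", None)
        if tx_port == rx_port:
            # Dynamic filtering function: a frame that would leave through the
            # port it arrived on would loop, so it is discarded. This is exactly
            # what stops a proxy-filtered packet from being sent back to router 100.
            return ("discard", rx_port)
        return ("forward", tx_port)


# Constructed sample topology (hypothetical addresses, not from the patent):
# router 100 and terminal 6 are both reached through port P21 of router 101;
# terminal 8 is reached through port P22.
ROUTER101_MAC = "02:00:00:00:01:01"
TERMINAL6_MAC = "02:00:00:00:00:06"
TERMINAL8_MAC = "02:00:00:00:00:08"


def build_router_101() -> L2Relay:
    return L2Relay(
        name="router 101",
        local_macs={ROUTER101_MAC},
        fdb={TERMINAL6_MAC: "P21", TERMINAL8_MAC: "P22"},
    )


def demo() -> Dict[str, Disposition]:
    r101 = build_router_101()
    return {
        # Router 100 hands over a packet for terminal 6 on P21; terminal 6 lies
        # back through P21, so the loop-avoidance check discards it.
        "loopback_to_router_100": r101.relay("P21", TERMINAL6_MAC),
        # A destination learned on a different port is relayed normally.
        "normal_forward": r101.relay("P21", TERMINAL8_MAC),
        # A frame addressed to router 101 itself is terminated locally.
        "addressed_to_router_101": r101.relay("P21", ROUTER101_MAC),
        # Unknown destination (assumed flooding behaviour).
        "unknown_destination": r101.relay("P22", "02:00:00:00:00:42"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The discard in the first case is the crux of the problem statement: the check is correct and desirable for ordinary layer-2 relaying, so the loopback required by proxy filtering cannot be obtained simply by disabling it.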
With the conventional technology described above (Unexamined Japanese Patent Application Publication No. Hei-6-97965), filtering is performed in accordance with the filter table in the router. No provision is made for the case in which the router cannot perform filtering because the capacity of the table is insufficient.