These days, general-purpose information processing apparatuses such as a personal computer (to be simply referred to as a PC hereinafter) have become tools necessary for daily work, and large amounts of data are created and edited on them every day. At present, sharing of information and various devices (printers and the like) is indispensable, and PCs are connected to a LAN (Local Area Network) (“IDG Information Communication Series: 10 Gigabit Ethernet Textbook” published by IDG Japan, “IDG Information Communication Series: Multiprotocol Label Switching Textbook” published by IDG Japan, and “Microsoft Windows2000 Server Resource Kit” published by Nikkei BP SoftPress).
When a LAN is constructed, PCs, i.e., client terminal devices (to be referred to as client devices hereinafter) used by users and a server computer (to be referred to as a server device hereinafter) exist on the LAN. These devices are connected by a connection device (switching hub: to be simply referred to as a switch hereinafter) to share data via the server device.
Information as an individual product created by a PC is utilized as shared data in a group, subjected to correction, reference, and improvement, and stored as precise results in a database shared within the group.
The server-client environment using the LAN has rapidly spread in offices. A client PC is set on the desk of each worker, whereas the server is installed in a server room managed by the administrator and provides a data infrastructure for daily work. Data sharing in the company LAN produces a high added value which can be achieved not by an individual but only by cooperative work (collaboration). Data sharing has become the core of business activity.
The LAN environment has rapidly been developed as the information infrastructure of the company, and at present has reached a large scale in which almost all workers in the company participate in this environment.
Recently, terminal devices of a new type which assume common use over a LAN connection have become available along with the spread of the LAN infrastructure. Typical examples are a network camera and a video distribution server. Such a device distributes a relatively large volume of color moving picture data by streaming over the LAN, and a PC receives and displays the data.
As the LAN scale becomes large, new needs arise in the company LAN.
One of the needs is a demand for virtually configuring a dedicated network used among specific members in the company, i.e., a network for a specific group.
In particular, this need is strong among members of a specific group such as a human resources group, manager group, or project group which treats confidential information. Jobs among specific members often have contents with high priority, and thus are desirably processed preferentially to LAN packets.
A need from another viewpoint is a demand for separating the traffic between an image terminal device and a general terminal in order to prevent traffic congestion due to image data streaming distribution caused by an image-associated terminal device (multimedia terminal device) present in the LAN. This need is strong especially in, e.g., a design or development group in which visual communication is indispensable for work. The current LAN processes streaming data in the same way as general data packets. Image frames may be lost because of the congestion delay of data packets unless the data compression ratio is increased. However, an increase in compression ratio degrades the image quality, so there is a need for separation of stream data, and for a priority process for the separated stream data that is different from the priority process for general packets.
These needs are summarized into a technical demand “a network configured by only specific terminal devices subjected to a priority process is implemented in a general LAN”.
The first need is the implementation of a private area network within the LAN that is configured by terminal devices (personal computers) used by specific members with high secureness. In other words, the first need is the implementation of channel separation of the data traffic within a specific group from the general LAN traffic for the purpose of security. This need also arises for a priority process for the traffic separated from the LAN traffic.
The second need is the implementation of a private area network within the LAN that is configured by specific multimedia terminal devices. In other words, the second need is the implementation of channel separation between streaming data and general LAN data. This need also arises for a priority process for stream data over general packets.
These needs are summed up into the following requirements for a private area network within the LAN.
    1. A terminal device in a specific group must be able to access a company information terminal device within the LAN.
    2. An outsider terminal device within the LAN must not be able to access a terminal device in a specific group.
    3. Terminal devices in different specific groups must not be able to access each other.
    4. A specific group packet is processed preferentially to a LAN packet. That is, the priority is set to “specific group packet>LAN packet”.
    5. A stream packet from a specific group is processed preferentially to a general packet. That is, the priority is set to “stream of specific group>general packet of specific group”.
From requirement 1, an area network for a specific terminal device group must be virtually configured within the LAN instead of configuring an area network independently of the company LAN.
In order to implement a virtual private area network within the LAN, the following methods are taken.
    1. A dedicated domain is created for terminal devices of a specific group and managed by a dedicated server.
    2. A company LAN is configured with a single domain, and a specific group is formed and managed as a user group.
According to the first method, since a domain different from that of a general LAN in the company is set, user names, passwords, and the like dedicated to the domain of the specific group can be used.
According to the second method, since a specific group is one of user groups within a single domain, user names, passwords, and the like are set for only the single domain. Management of access to a resource by the specific group depends on rights setting of the specific group in the domain server.
These methods suffer the following problems.
In the first method, user authentication is group management based on the user name and password issued for the dedicated domain of the specific group; in the second method, it is similarly based on the result of authenticating the user name and password at log-on to the single LAN domain.
In either case, access is managed on the basis of “user name and password” authentication, which is weak in the company LAN.
The company holds public information on each individual such as the employee number, extension number, and position, and the department holds an address book and the like. It is not difficult to guess a password by inference from this public information.
That is, the security of password management is not strong in the company LAN.
In addition, the IP communication method in the current LAN has a security problem. IP communication broadcasts the address information of a terminal device. Any terminal devices can be connected to communicate with each other as long as they are electrically connected to the LAN. Access management is performed on the session layer, which is a fundamental problem. The current LAN transmits data by the IEEE 802.3 Ethernet® method. This communication method is based on a media access control (MAC) address at the data link layer and an IP address at the network layer. The IP address represents the final transmission destination address, and the MAC address represents the next transfer destination address in each transmission step. Since the MAC address must be acquired from the IP address of the partner device, the ARP (Address Resolution Protocol) is adopted. This protocol makes it possible to transmit data by MAC address as long as the partner device falls within the subnet range. If the partner device falls outside the subnet range, a router is interposed, and the first transmission destination becomes the MAC address of the router.
The originating IP address and originating MAC address of a terminal device must be set in a transmission packet in order to receive a response from the partner device. DHCP is used as the method of obtaining the IP address of the terminal device. The MAC address is a known address which is set in the factory and held by the network card of the terminal device.
More specifically, the terminal device must issue an inquiry in order to obtain its own IP address and the MAC address of the transfer destination. The current IP network always establishes a connection at one of the data link layer (Ethernet), network layer (IP layer), and transport layer (TCP/UDP layer). In other words, terminal devices can basically always be connected, and the security function of determining whether their connection is permitted depends on password management by an application on the session layer or an upper layer.
The subnet communication method (layer 2 communication) after acquiring the IP address of the terminal device and the MAC address of the transfer destination is as follows. Within the subnet, communication connection is done using only the MAC address. When the layer 2 communication method based on the MAC address is defined as a LAN communication method, details of the LAN communication method within the subnet are as follows.
This communication method will be explained by exemplifying communication between device A connected to port “1” of a LAN switch (switching hub) and device B connected to port “5”, as shown in FIG. 21.
Assume that device A is to communicate with device B.
    1. Device A sets its MAC address MAC-A, its IP address IP-A, MAC address MAC-B of the partner device, and IP address IP-B of the partner device in an Ether frame to generate and transmit transmission frame FR-A.
    2. The LAN switch reads originating MAC address MAC-A from input frame FR-A received on port 1, and registers MAC address MAC-A in a MAC address table held in the switch. The MAC address table holds the correspondence between the port number (in this case, port “1”) and MAC address MAC-A.
    3. The switch does not have the MAC address of destination device B in the MAC address table at first, and broadcasts (or floods) the input packet to all associated ports.
    4. When the destination MAC of received frame FR-A coincides with MAC address MAC-B of device B, destination device B which has received broadcasted frame FR-A sets its MAC address MAC-B, its IP address IP-B, MAC address MAC-A of the partner device, and IP address IP-A of the partner device in Ether frame FR-B, and sends back Ether frame FR-B.
    5. In FIG. 21, since device B is connected to port “5” of the LAN switch, the LAN switch receives Ether frame FR-B via port “5”. The LAN switch reads MAC address MAC-B of the transmission source (in this case, the network interface card of device B), and registers MAC address MAC-B in the MAC address table. The MAC address table holds the correspondence between port 5 and MAC address MAC-B.
Subsequent communication between device A and device B is one-to-one communication without flooding because the addresses of the two terminal devices have been registered in the MAC address table of the switch. Communication between the two devices does not influence other ports.
After a series of communication operations ends and a predetermined time (e.g., 5 min) has elapsed, the “port and originating MAC address” entry registered in the MAC address table within the LAN switch is deleted.
In this LAN communication,
    1. The MAC address and IP address of a transmitting device leak due to flooding.
    2. This method always permits communication connection between devices, and authentication of access to a partner device depends on a password check at the session stage.
For this reason, a MAC address and IP address can be acquired from a broadcasted flooding packet. By generating a frame carrying a spoofed MAC address and IP address, a connection can be established up to the transport layer. Access management depends only on password authentication on the session layer.
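The learning-switch procedure of steps 1 to 5 and the flooding exposure described above, as an added simulation (not code from the original document): device A sits on port 1 and device B on port 5 as in the text, the remaining ports are constructed bystanders, the 5-minute aging value follows the text, and the class and function names are assumptions. The first result lists every port that receives a flooded copy of FR-A, and therefore every port on which MAC-A and IP-A become visible.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 300  # the text's example: a table entry expires after 5 min

@dataclass
class Frame:
    src_mac: str   # originating MAC (the text's MAC-A / MAC-B)
    dst_mac: str   # destination MAC

@dataclass
class LanSwitch:
    ports: list                                  # all port numbers on the switch
    table: dict = field(default_factory=dict)    # MAC -> (port, last_seen_seconds)

    def expire(self, now):
        """Forget entries older than the aging time (the text's 5 min)."""
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < AGING_SECONDS}

    def forward(self, in_port, frame, now):
        """Learn the source MAC, then return the list of egress ports."""
        self.expire(now)
        # steps 2 and 5: register the originating MAC against the ingress port
        self.table[frame.src_mac] = (in_port, now)
        entry = self.table.get(frame.dst_mac)
        if entry is None:
            # step 3: destination unknown, so the frame is flooded to every other port
            return [p for p in self.ports if p != in_port]
        return [entry[0]]  # destination known: one-to-one delivery

def exchange():
    """Replay the A<->B exchange; return the egress ports at each step.

    Ports 2-4 and 6-8 are constructed bystander ports. Every port in the
    first result has received a flooded copy of FR-A, i.e. has seen MAC-A/IP-A.
    """
    sw = LanSwitch(ports=list(range(1, 9)))
    first = sw.forward(1, Frame("MAC-A", "MAC-B"), now=0)    # FR-A: flooded
    reply = sw.forward(5, Frame("MAC-B", "MAC-A"), now=1)    # FR-B: unicast to port 1
    second = sw.forward(1, Frame("MAC-A", "MAC-B"), now=2)   # both learned: port 5 only
    # after the aging time the entries are gone and the next frame floods again
    aged = sw.forward(1, Frame("MAC-A", "MAC-B"), now=2 + AGING_SECONDS)
    return first, reply, second, aged
```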
Since the MAC address (set at manufacture) and IP address (set by DHCP) are given values which cannot be changed by the user, leakage cannot be prevented by any measure such as a periodic change of the MAC address and IP address. Also, the password is very weak in the company and can easily be guessed by inference, as described above.
In this manner, the conventional method can construct a specific group area network within the LAN, but cannot construct a securely separated specific group area network.
The following problem also occurs in the implementation of a private area network by image terminal devices of a specific group.
In LAN communication, transaction type burst (or bulk) data of a general LAN terminal device (personal computer) and stream type successive data of an image terminal device are divided into Ethernet packets in the same way and then transmitted. Stream type data requires isochronous delivery (regular timing), but the only attribute which can be attached to packet data is a priority in the packet processing queue. For example, while a jumbo packet belonging to burst data is being transferred, transmission of even a stream packet with the highest priority must wait for the end of that transfer.
In this manner, a burst packet and a stream packet are transmitted by the same process and controlled only by the processing order priority. A stream packet from an image terminal device is obstructed by a burst packet from a general LAN terminal device, and cannot be delivered at the required time.
These problems can be easily understood from the assumption that a network monitor directly connectable to the LAN is developed and the isochronous stream of uncompressed image data is transmitted via the LAN and displayed on the network monitor.
That is, the current LAN suffers contention between stream data and the general burst data of a personal computer on the LAN. In this case, stream data must be permitted to pass even by interrupting general burst data that is being processed.
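The head-of-line blocking described in the preceding paragraphs, as an added simulation (not code from the original document): a non-preemptive priority scheduler for one output port, where a frame already on the wire is never interrupted and priority only orders the waiting queue. The 100 Mbit/s link speed, the 9000-byte jumbo burst frame, the 1500-byte stream frame and the arrival times are constructed values; the function names are assumptions.

```python
import heapq

LINK_BPS = 100_000_000  # constructed: a 100 Mbit/s port

def tx_time_us(size_bytes):
    """Serialisation time of a frame on the link, in microseconds."""
    return size_bytes * 8 / LINK_BPS * 1e6

def schedule(packets):
    """Non-preemptive priority scheduling of one output port.

    packets: list of (arrival_us, priority, size_bytes, name); a lower
    priority value is served first among the packets that are waiting when
    the port becomes free, but a frame already on the wire is never cut.
    Returns {name: (start_us, finish_us, wait_us)}.
    """
    pending = sorted(packets)           # ordered by arrival time
    ready = []                          # heap of (priority, arrival, size, name)
    clock, result = 0.0, {}
    while pending or ready:
        if not ready:                   # port idle: jump to the next arrival
            clock = max(clock, pending[0][0])
        while pending and pending[0][0] <= clock:
            arrival, prio, size, name = pending.pop(0)
            heapq.heappush(ready, (prio, arrival, size, name))
        prio, arrival, size, name = heapq.heappop(ready)
        start = clock                   # only the queue order is prioritised
        clock = start + tx_time_us(size)
        result[name] = (start, clock, start - arrival)
    return result

def demo():
    """A 9000-byte jumbo burst frame starts at t=0; a stream frame with the
    highest priority arrives 10 us later and still waits for the jumbo frame."""
    return schedule([
        (0.0, 5, 9000, "burst-jumbo"),   # constructed burst traffic from a PC
        (10.0, 0, 1500, "stream"),       # constructed stream packet, top priority
        (20.0, 5, 1500, "burst-small"),  # more burst traffic, served after stream
    ])
```

With these values the stream packet waits about 710 microseconds, the remaining transfer time of the jumbo frame, even though nothing else outranks it in the queue.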
As described above, the conventional LAN cannot preferentially process stream data.