In intranets, the Internet and other information communication networks, in which different types of local network, such as subnets operated by corporate business divisions, household networks, and regional networks operated by carriers, are interconnected with one another, the art of tunneling is currently well known as a means to make frames non-transparent when they are transmitted/received over a network. The art achieves this by encapsulating frames to be transmitted/received between two local networks (inner frames) into a different type of frame (outer frames) and sending these outer frames out over the network (refer to Literature 1 for an example).
The tunneling art connects two local networks with each other through a logical link, by which frames flowing through the logical link become non-transparent from outside. Because of this, it becomes possible, for example, to use a communication protocol which is not supported by a network over which frames are transmitted and to encrypt frames to prevent them from being eavesdropped.
A data link layer tunneling technique according to a related art will be described below. FIG. 30 is a diagram showing the content of a frame F6 which is transmitted/received through a data link layer, such as Ethernet (registered trademark). A data series F1 is, for example, transmitted/received by use of HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol) or another application. To the data series F1 is added a transport layer header F2, which contains the control information of a transport layer protocol, such as TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), to perform the traffic control specified by the application.
To the data series F1 is also added a network layer header F3, which contains, among others, a logical address defined by a network layer protocol, such as IP (Internet Protocol), and allocated to each destination terminal within an information communication network; the result is a packet F5.
In a local network, a data link layer header F4 is added to the packet F5, and the result is a frame F6. The data link layer header F4 contains a physical address which is recognizable by terminals, switching hubs and other communication equipment within a local network; this address is defined by a data link layer protocol, such as Ethernet (registered trademark). It is these frames F6 that are actually transmitted/received over the local network.
In a typical data link layer tunneling technique, a frame F6 that is actually transmitted/received over a local network is itself regarded as a data series F1, and another frame or packet is created by further adding various headers, such as a transport layer header, to that data series F1. This process is called "encapsulation." The reverse process, which takes out the original frame F6, is called "decapsulation."
One data link layer tunneling technique according to a related art uses EtherIP data format, as shown in FIG. 31 (refer to Literature 2 for an example). According to Literature 2, EtherIP is a tunneling technique to encapsulate frames of Ethernet (registered trademark), which is a data link layer protocol, into packets of IPv4 (Internet Protocol version 4), which is a network layer protocol.
To an Ethernet (registered trademark) frame F7, which is actually transmitted/received through Ethernet (registered trademark), this technique adds an EtherIP header F8 (the user's own header) and an IP header F9 (a network layer header) to create an IP packet F10.
An Ethernet (registered trademark) frame F7 is inherently valid only within a local network. The original Ethernet (registered trademark) frame F7 is not maintained in its entirety because its MAC (Media Access Control) header (a data link layer header) is discarded when it is transferred to another network by a routing apparatus, such as a router.
Ethernet (registered trademark) supports broadcast transmission and is capable of broadcasting an Ethernet (registered trademark) frame F7 to all the terminals connected to a local network. However, for the reason described above, it cannot transmit the same frame to more than one local network simultaneously, which can be problematic.
In addition, in an IPv4 network whose network layer protocol can transfer IPv4 frames only, other network layer protocols, such as IPX (Internetwork Packet Exchange) and AppleTalk (registered trademark), are invalid. This causes a problem that it is not possible to communicate with another local network via an IPv4 network by using IPX, AppleTalk (registered trademark) or other similar protocol.
However, when EtherIP is used, Ethernet (registered trademark) frames for broadcast and Ethernet (registered trademark) frames using IPX, AppleTalk (registered trademark), etc. are all encapsulated into IPv4 packets and can pass through an IPv4 network. Ethernet (registered trademark) frames taken out by decapsulation at a certain local network can be transmitted without any modification at that local network. Using EtherIP thus resolves the above-described problems.
FIG. 32 shows an overall configuration of an information communication network which connects between two local networks through a tunneling apparatus capable of encapsulation and decapsulation by EtherIP.
A tunneling apparatus typically has two separate physical interfaces: one for receiving frames to be encapsulated and the other for receiving frames to be decapsulated. Referring to FIG. 32 as an example, a tunneling apparatus R51 is placed in a local network R11, with one physical interface connected to a subnet R41 over which Ethernet (registered trademark) frames are transmitted/received and the other to a subnet R45 over which IP packets resulting from encapsulating Ethernet (registered trademark) frames are transmitted/received.
Similarly to the tunneling apparatus R51 described above, a tunneling apparatus R52 is placed in a local network R12, with one physical interface connected to a subnet R42 over which Ethernet (registered trademark) frames are transmitted/received and the other to a subnet R46 over which IP packets resulting from encapsulating Ethernet (registered trademark) frames are transmitted/received.
An Ethernet (registered trademark) frame transmitted from a terminal R1 in the local network R11 is received by the tunneling apparatus R51 via the subnet R41. If the Ethernet (registered trademark) frame is one to be received by the local network R12, the frame is encapsulated into an IP packet so that it can pass through the Internet R10, and the packet is transmitted to the logical address of the tunneling apparatus R52 in the local network R12. The tunneling apparatus R52 receives the IP packet, decapsulates it to take out the Ethernet (registered trademark) frame, and transmits the resultant Ethernet (registered trademark) frame to the subnet R42.
In this way, the subnets R41, R42 are logically connected with each other by the tunneling apparatuses R51, R52 through a communication tunnel R50, and the Ethernet (registered trademark) frame is received by the terminal R2 as if it were transmitted directly from the terminal R1. Transmission of an Ethernet (registered trademark) frame from the terminal R2 to the terminal R1 takes place in a similar manner to the above. More specifically, the subnet R41 and the subnet R42 are connected with each other transparently as viewed from their data link layer protocols, and they together behave as if they were one local network.
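The EtherIP layering of FIG. 31 and the R51/R52 exchange of FIG. 32 described above, as an added example that is not part of the original document: the encapsulation side builds the IP packet F10 (IP header F9, EtherIP header F8, inner frame F7) exactly as RFC 3378 (Literature 2) specifies it, and the decapsulation side rejects anything that is not a well-formed EtherIP packet before the inner frame is released onto the local subnet. The MAC addresses, IP addresses and frame payload are constructed sample values; `demo_tunnel` is a hypothetical name for the terminal R1 to terminal R2 round trip.

```python
import ipaddress
import struct

# Values from RFC 3378 (the page's Literature 2): the EtherIP header is 16 bits,
# a 4-bit version field set to 3 followed by 12 reserved bits that must be zero,
# and EtherIP packets are carried in IPv4 with protocol number 97.
ETHERIP_VERSION = 3
ETHERIP_HEADER = struct.pack("!H", ETHERIP_VERSION << 12)  # b"\x30\x00"
IPPROTO_ETHERIP = 97
IPV4_HEADER_LEN = 20
MAC_HEADER_LEN = 14


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Frame F7: a 14-byte MAC header (destination, source, EtherType) plus payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def etherip_encapsulate(frame: bytes, src_ip: str, dst_ip: str, ident: int = 0, ttl: int = 64) -> bytes:
    """Apparatus R51 side: F7 + EtherIP header F8 + IP header F9 -> IP packet F10."""
    total_len = IPV4_HEADER_LEN + len(ETHERIP_HEADER) + len(frame)
    if total_len > 0xFFFF:
        raise ValueError("inner frame too large for one IPv4 packet")
    # version 4 / IHL 5, TOS 0, total length, identification, flags+fragment 0,
    # TTL, protocol 97, checksum placeholder 0, source, destination
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, IPPROTO_ETHERIP, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ETHERIP_HEADER + frame


def etherip_decapsulate(packet: bytes) -> bytes:
    """Apparatus R52 side: validate F9 and F8, then return the original frame F7.

    Each check is a reason a receiver must drop the packet instead of injecting
    its contents into subnet R42; a malformed packet raises ValueError.
    """
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("packet shorter than an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < IPV4_HEADER_LEN:
        raise ValueError("not an IPv4 packet")
    if len(packet) < ihl + len(ETHERIP_HEADER) + MAC_HEADER_LEN:
        raise ValueError("packet too short for IP, EtherIP and MAC headers")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet) or total_len < ihl + len(ETHERIP_HEADER) + MAC_HEADER_LEN:
        raise ValueError("IPv4 total length inconsistent with received data")
    if packet[9] != IPPROTO_ETHERIP:
        raise ValueError("IP protocol is not EtherIP (97)")
    if ipv4_checksum(packet[:ihl]) != 0:  # a header with a valid checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    etherip = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    if etherip >> 12 != ETHERIP_VERSION:
        raise ValueError("EtherIP version is not 3")
    if etherip & 0x0FFF:
        raise ValueError("EtherIP reserved bits are not zero")
    return packet[ihl + len(ETHERIP_HEADER):total_len]


def demo_tunnel() -> bool:
    """Terminal R1 -> R51 (encapsulate) -> Internet R10 -> R52 (decapsulate) -> terminal R2."""
    # Constructed sample frame: broadcast destination, locally administered source
    # MAC, the IEEE local-experimental EtherType 0x88B5 and an arbitrary payload.
    inner = build_ethernet_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x88B5,
                                 b"constructed payload from terminal R1")
    # Documentation-range addresses stand in for R51 and R52 on the Internet side.
    packet = etherip_encapsulate(inner, "192.0.2.1", "198.51.100.1", ident=1)
    return etherip_decapsulate(packet) == inner


if __name__ == "__main__":
    print("round trip ok" if demo_tunnel() else "round trip FAILED")
```

The decapsulation checks are where the security of the tunnel endpoint lives: the page notes that a decapsulated frame is transmitted on the local subnet without modification, so the apparatus has to refuse packets whose IP header, protocol number, EtherIP version or reserved bits are wrong rather than forward whatever arrives at protocol 97.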
In the example above, in addition to EtherIP, many other approaches to the encapsulation of a frame of a specific data link layer protocol into a packet of a specific network layer protocol can be applied as the art of tunneling. Examples of these approaches include Ethernet (registered trademark) over HTTPS[HTTP over SSL (Secure Sockets Layer)] (refer to Literature 3 for an example), L2TPv3 (Layer two Tunneling Protocol version 3), and Ethernet (registered trademark) over IPsec, which combines EtherIP and IPsec (IP security protocol). Configurations wherein these approaches are applied are similar to the one described above.
However, in these configurations, the terminal R1 and the terminal R2 are decoupled from and are not able to communicate with the information communication network R10. One common solution to this problem is to set up a policy on the tunneling apparatus as to which frames should be passed through as they are and which frames should be encapsulated. Another solution is to operate the tunneling apparatus in combination with a firewall. These solutions still present problems in that the existing network must be disconnected for a while and that significant changes are required in the network configuration.
Literature 1: Ruixi Yuan and W. Timothy Strayer “Virtual Private Networks: Technologies and Solutions,” Pearson Education Co., Ltd., Japan, 2001
Literature 2: "EtherIP: Tunneling Ethernet (registered trademark) Frames in IP Datagrams" <URL http://www.ietf.org/rfc/rfc3378.txt>
Literature 3: "SoftEther.com - SoftEther Virtual Ethernet (registered trademark) System - SoftEther VPN System" <URL http://www.softether.com/jp/>
A current tunneling apparatus which performs encapsulation of data link layer frames typically has two or more separate physical interfaces: one for receiving frames to be encapsulated and the other for receiving frames to be decapsulated. This is problematic because the network must be disconnected for a while when installing a tunneling apparatus and because the installation and removal of a tunneling apparatus are not simple tasks.