1. Field of the Invention
The present invention relates to a packet inspection device for inspecting a packet to be transferred from inside a network to outside the network, a mobile computer capable of carrying out cipher communications while moving among inter-connected networks, and a packet transfer method to be carried out by the packet inspection device and the mobile computer.
2. Description of the Background Art
In conjunction with the availability of smaller and lower-cost computer systems and a richer network environment, the use of computer systems has rapidly expanded into a variety of fields, and there has also been a transition from centralized systems to distributed systems. In this regard, in recent years, because of the advance and spread of computer network technology in addition to the progress and improved performance of the computer system itself, it has become possible to realize not only the sharing of resources such as files and printers within an office but also communications (electronic mail, electronic news, file transfer, etc.) with parties outside an office or organization, and these communications are now widely used.
In particular, in recent years, the use of the world's largest computer network, the Internet, has become very popular, and there are new computer businesses for connecting to the Internet and utilizing open information and services, or for providing information and services to external users who make accesses through the Internet. In addition, new technological developments are being made in relation to the use of the Internet.
Also, in conjunction with the spread of such networks, there are technological developments regarding mobile computing. In mobile computing, a user carries along a portable computer terminal and makes communications while moving over networks. In some cases, the user may change location on a network while continuing the communication, so there is a need for a scheme that manages the changing address of a mobile computer on a network during such a communication in order to route the communication content correctly.
In general, in a case of realizing mobile computing, a router (home agent) for managing the visiting site information of the mobile computer is provided at the network (home network) to which the mobile computer belongs, and when the mobile computer is away from the home network, the mobile computer sends a registration message indicating its current location to this home agent. Once this registration message has been received, data destined to the mobile computer is transmitted by sending it to the home agent of the mobile computer, which carries out the data routing control with respect to the mobile computer by encapsulating an IP packet destined to the original address of the mobile computer within a packet destined to the current location address of the mobile computer.
For example, in FIG. 1, this role is played by a home agent (HA) 5 in a case where the mobile computer 2 that originally belongs to the home network 1a moves to another network 1b and carries out communication with another computer (correspondent host: CH) 3 within the other network 1c. This is a scheme called mobile IP which is currently in the process of being standardized by the mobile-IP working group of the IETF, the standardizing organization for the Internet (see IETF RFC 2002, IP Mobility Support, C. Perkins).
Now, in mobile IP, when the mobile computer moves to a new visiting site, it is necessary to send a registration message regarding the current location to the home agent. In this case, depending on the type of network to which the mobile computer has moved, the handling of the message issued by the mobile computer may differ.
For example, when the mobile computer has moved to a network which is familiar to the home network of the mobile computer, so that a gateway (firewall) provided at the exit of that network freely allows the transmission of the registration message to outside the network, it is possible for the mobile computer to carry out the operation exactly as specified by mobile IP.
On the other hand, in a general network which treats the mobile computer as visiting (or intruding) inside the network from outside the network, it is judged to be dangerous from a security viewpoint to freely allow the transmission of the registration message issued by the mobile computer to outside the network. In such a case, it becomes necessary for the mobile computer to recognize that it is currently located in a network which treats it as an intruder, and to carry out the transmission of the registration message to the home agent only after obtaining permission for external access by carrying out a processing for establishing its own identification with respect to the gateway. Also, even in the actual data transmission after the completion of the registration message transmission, it is necessary to carry out the communication while maintaining its own identification with respect to the gateway.
However, in the conventional mobile IP scheme, the routing control and the mobile computer location registration have been specified under the assumption that each communication node is assigned a unique IP address and is capable of exchanging control packets freely, so that, at the time of actual operation in a case of supporting a mobile computer capable of carrying out communications while moving among inter-connected networks, there has been no operation specification regarding the network operating policy of the kind of organization to which the visited network of the mobile computer belongs. For this reason, especially when the mobile computer has moved to a network which, in view of security, does not freely allow external access by an internal computer, there are cases where even a registration message for a new location, sent immediately after the location change, cannot reach the home agent on the home network of the mobile computer, so that trouble is caused in the operation of the mobile IP scheme with respect to the mobile computer.
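The following is an added illustration, not part of the patent text or of any mobile IP implementation: it models the home agent's IP-in-IP encapsulation described above together with the two kinds of visited-network gateway (one familiar to the home network, one that treats the mobile computer as an intruder and requires its identity to be established first). Addresses are constructed samples from documentation ranges; the registration message is recognized by its UDP destination port 434 as assigned in RFC 2002; headers carry no checksums.

```python
import socket
import struct

# Constructed sample addresses from documentation ranges; not taken from the page.
HOME_AGENT = "192.0.2.1"
MOBILE_HOME_ADDR = "192.0.2.10"     # the mobile computer's original (home) address
CARE_OF_ADDR = "198.51.100.20"      # its current location address on the visited network
CH_ADDR = "203.0.113.5"             # correspondent host
IPPROTO_IPIP, IPPROTO_UDP, MIP_REG_PORT = 4, 17, 434   # port 434: RFC 2002 registration

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left zero, illustration only) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[20:f[2]]}

def home_agent_forward(pkt, bindings):
    """Home agent: a packet for a mobile host whose care-of address is registered is
    encapsulated IP-in-IP and sent to that address; anything else is delivered as-is."""
    coa = bindings.get(parse_ipv4(pkt)["dst"])
    return pkt if coa is None else ipv4(HOME_AGENT, coa, IPPROTO_IPIP, pkt)

def is_registration(pkt):
    """Mobile IP registration requests travel as UDP to port 434 (RFC 2002)."""
    p = parse_ipv4(pkt)
    return p["proto"] == IPPROTO_UDP and struct.unpack("!H", p["payload"][2:4])[0] == MIP_REG_PORT

def gateway_permits(pkt, restricted, identified):
    """Exit gateway of the visited network. A network familiar to the home network
    (restricted=False) passes the registration freely; a general network passes
    outbound packets only from hosts that have established their identity with it."""
    return (not restricted) or parse_ipv4(pkt)["src"] in identified

def demo():
    """Walk through both gateway cases and the home-agent tunnel; returns what was observed."""
    udp = struct.pack("!HHHH", MIP_REG_PORT, MIP_REG_PORT, 12, 0) + b"\x01\x00\x00\x00"
    reg = ipv4(MOBILE_HOME_ADDR, HOME_AGENT, IPPROTO_UDP, udp)     # registration request
    data = ipv4(CH_ADDR, MOBILE_HOME_ADDR, IPPROTO_UDP, b"hello")  # CH -> mobile host
    outer = parse_ipv4(home_agent_forward(data, {MOBILE_HOME_ADDR: CARE_OF_ADDR}))
    return {"is_reg": is_registration(reg),
            "familiar_net": gateway_permits(reg, False, set()),
            "general_net_unidentified": gateway_permits(reg, True, set()),
            "general_net_identified": gateway_permits(reg, True, {MOBILE_HOME_ADDR}),
            "outer_dst": outer["dst"], "outer_proto": outer["proto"],
            "inner_dst": parse_ipv4(outer["payload"])["dst"]}
```

The unidentified case is exactly the failure the background describes: the registration never leaves the visited network, so the home agent keeps no binding and the tunnel is never set up.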