1. Field of the Invention
The present invention relates to a network, an IPsec setting server apparatus, an IPsec processing apparatus, and an IPsec setting method used therefor, and in particular to a network structure based on IPsec (Internet Protocol Security), which provides confidentiality, integrity, and authentication for communication over the Internet.
2. Description of the Related Art
Conventionally, as the Internet has spread widely, there has been an increasing demand to secure communication on the Internet. In particular, many companies wish to establish a virtual private network over the Internet, connecting offices and the like at remote locations at low cost, instead of building a network over expensive private lines.
In response to this demand, IPsec (Internet Protocol Security), which provides confidentiality, integrity, and authentication on the Internet, has been standardized by the IETF (Internet Engineering Task Force) (see, e.g., pages 8 to 11 and FIG. 1 of Japanese Patent Laid-Open No. 2001-298449).
When two different sites communicate via the Internet, the path across the Internet can be secured by using IPsec. Support for IPsec is essential for the new Internet protocol, IPv6 (Internet Protocol version 6), so it is expected that a larger number of network apparatuses will support IPsec and that communication using IPsec will continue to increase.
FIG. 31 shows a structure of an IPsec processing apparatus which performs communication using this IPsec. In FIG. 31, an IPsec processing apparatus 4 includes interface sections (I/Fs) 41 and 42, an IPsec processing section 43, an SPD (Security Policy Database) 44, an SAD (Security Association Database) 45, and a routing section 46.
The interface section 41 is connected to a private network to perform data communication with the private network. The interface section 42 is connected to the Internet to perform data communication via the Internet.
The IPsec processing section 43 subjects the data communication packets received from the interface sections 41 and 42 to IPsec processing. The SPD 44 is referred to by the IPsec processing section 43 and stores the policies that determine how IPsec is applied to each communication (which traffic is protected, and with which service and algorithms). The SAD 45 is referred to by the IPsec processing section 43 and stores the SAs (Security Associations), each of which holds the parameters (keys, algorithms, and the like) necessary for subjecting an individual communication to IPsec processing. The routing section 46 transmits data communication packets to and receives them from the IPsec processing section 43 and determines the transfer destination of each data communication packet.
However, in the network structure based on the conventional IPsec described above, when one IPsec processing apparatus carries out IPsec communication with a large number of opposite parties, the number of settings that must be configured in that apparatus for the IPsec connections increases accordingly.
In order to use IPsec, the service to be used (the service provided by AH (Authentication Header) or by ESP (Encapsulating Security Payload)), the algorithms, and the like for the communication to which IPsec is applied must be set in the apparatuses at both ends of that communication.
When the automatic key management protocol IKE (Internet Key Exchange) is used, the encryption algorithm, hash algorithm, key-agreement algorithm (Diffie-Hellman group), and the like used by IKE itself must also be set in the apparatuses at both ends. Since these settings are required for each opposite party connected by IPsec, the number of settings grows as the number of opposite parties increases.
In addition, in the network structure based on the conventional IPsec, it is likely that different settings are made at the two ends of a communication to which IPsec is applied. If the service or the algorithm set in the apparatuses at the two ends of the IPsec processing differs, the apparatuses cannot communicate. As the kinds of communication to which IPsec is applied increase, the number of settings increases as well, and such an error becomes more likely.
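The per-peer settings just described (AH/ESP service, algorithms, and the IKE encryption, hash and key-agreement parameters) and the failure when the two ends disagree can be checked before deployment. The following is an added example, not code from the patent or from any IPsec implementation; the proposal fields, the names such as `modp2048`, and the responder rule (accept the first proposal in the initiator's preference order that the responder also supports; real implementations differ on whose order wins) are assumptions for illustration.

```python
"""Model of the per-peer IPsec/IKE settings and a check that the two ends of
each IPsec connection actually agree.

Added example, not code from the patent. Proposal fields and the responder
selection rule are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IkeProposal:
    """Settings of the automatic key management protocol (IKE) itself."""
    encryption: str   # e.g. "aes256"
    prf: str          # hash algorithm, e.g. "sha256"
    dh_group: str     # key-agreement algorithm (Diffie-Hellman group), e.g. "modp2048"


@dataclass(frozen=True)
class IpsecProposal:
    """Service (AH or ESP) and algorithms applied to the protected traffic."""
    service: str                # "AH" or "ESP"
    encryption: Optional[str]   # None for AH, which provides integrity only
    integrity: str              # e.g. "sha256"


@dataclass
class PeerConfig:
    """What one apparatus has configured for one opposite party.
    Proposals are tuples in preference order, most preferred first."""
    name: str
    ike: tuple
    ipsec: tuple


def select(initiator_offers, responder_accepts):
    """Assumed responder rule: take the first proposal in the initiator's
    preference order that the responder also supports; None if disjoint."""
    accepted = set(responder_accepts)
    for proposal in initiator_offers:
        if proposal in accepted:
            return proposal
    return None


def negotiate(initiator, responder):
    """Return (ike, ipsec, error). error is None when both phases agree.
    The IPsec (AH/ESP) proposal is only reached if the IKE settings match."""
    ike = select(initiator.ike, responder.ike)
    if ike is None:
        return None, None, "no common IKE proposal"
    ipsec = select(initiator.ipsec, responder.ipsec)
    if ipsec is None:
        return ike, None, "no common IPsec (AH/ESP) proposal"
    return ike, ipsec, None


def audit(hub, spokes):
    """Find every spoke whose settings would fail against the hub, and why."""
    failures = {}
    for spoke in spokes:
        _, _, error = negotiate(spoke, hub)
        if error is not None:
            failures[spoke.name] = error
    return failures


# Constructed sample settings (not taken from the patent).
IKE_STRONG = IkeProposal("aes256", "sha256", "modp2048")
IKE_LEGACY = IkeProposal("aes128", "sha1", "modp1024")
ESP_AES256 = IpsecProposal("ESP", "aes256", "sha256")
ESP_AES128 = IpsecProposal("ESP", "aes128", "sha256")
AH_SHA256 = IpsecProposal("AH", None, "sha256")

HUB = PeerConfig("hub", ike=(IKE_STRONG,), ipsec=(ESP_AES256, ESP_AES128))
SPOKES = [
    PeerConfig("spoke-a", ike=(IKE_STRONG,), ipsec=(ESP_AES128, ESP_AES256)),
    PeerConfig("spoke-b", ike=(IKE_LEGACY,), ipsec=(ESP_AES256,)),  # IKE settings differ
    PeerConfig("spoke-c", ike=(IKE_STRONG,), ipsec=(AH_SHA256,)),   # service differs
]

if __name__ == "__main__":
    for spoke in SPOKES:
        print(spoke.name, negotiate(spoke, HUB))
    print("per-peer entries the hub must hold:", len(SPOKES))
    print("mismatches:", audit(HUB, SPOKES))
```

Note that spoke-a succeeds with ESP/aes128 rather than the hub's preferred aes256 because the initiator's order wins under the assumed rule, while spoke-b never reaches the AH/ESP settings at all: a mismatch in the IKE parameters blocks the connection before the IPsec service is even compared.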
Moreover, in the network structure based on the conventional IPsec, when the automatic key management protocol is used, the arithmetic operation for generating the common secret key takes time, and consequently a long time elapses before communication can start. Usually, as shown in FIG. 32, an IPsec processing apparatus does not start generating the common secret key until communication becomes necessary, so if that generation takes time, the start of communication is delayed by that much.
Furthermore, in the network structure based on the conventional IPsec, when the automatic key management protocol is used, arithmetic load is generated in the apparatuses performing IPsec processing. Since generating the common secret key requires a large number of arithmetic operations, the performance of the other functions provided in the apparatus (such as forwarding packets to which IPsec is not applied) decreases. As the kinds of IPsec communication handled simultaneously increase, the common secret key is generated more often, and the performance decrease becomes larger.
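The "arithmetic operation for generating the common secret key" referred to in the two preceding paragraphs is the Diffie-Hellman exchange inside IKE. The following added example (not code from the patent) performs that exchange with real 2048-bit modular arithmetic so the cost per SA, and its growth with the number of peers, can be measured. The group is the 2048-bit MODP group (group 14) of RFC 3526 with generator 2; the 256-bit private exponent size, the function names, and the gateways A and B are assumptions for illustration.

```python
"""Cost of generating the common secret key with IKE's Diffie-Hellman
exchange, measured with real 2048-bit modular arithmetic.

Added example, not code from the patent. Group: RFC 3526 2048-bit MODP
(group 14), generator 2. The 256-bit private exponent is an assumption.
"""
import secrets
import time

_MODP2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
MODP2048_P = int("".join(_MODP2048_HEX.split()), 16)  # 2048-bit safe prime
MODP2048_G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test; used to confirm the embedded constant is intact."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=MODP2048_P, g=MODP2048_G, exponent_bits=256):
    """Private exponent of fixed size (assumption) and the public value g^x mod p."""
    x = secrets.randbits(exponent_bits) | (1 << (exponent_bits - 1))
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=MODP2048_P):
    """Shared secret; rejects degenerate peer values 0, 1 and p-1."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def establish_common_key():
    """One exchange between gateways A and B. Returns both computed secrets
    (they must agree) and the wall time of all four exponentiations, i.e.
    the arithmetic both ends spend before the first protected packet."""
    t0 = time.perf_counter()
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    ka = dh_shared(xa, yb)
    kb = dh_shared(xb, ya)
    return ka, kb, time.perf_counter() - t0


def time_for_peers(n):
    """Time spent bringing up n SAs one after another, as happens when each
    is generated on demand at the moment its communication becomes necessary."""
    total = 0.0
    for _ in range(n):
        _, _, elapsed = establish_common_key()
        total += elapsed
    return total


if __name__ == "__main__":
    print("group prime verified:", is_probable_prime(MODP2048_P))
    ka, kb, dt = establish_common_key()
    print("secrets agree:", ka == kb, f"({dt * 1000:.1f} ms for one exchange)")
    print(f"{time_for_peers(20) * 1000:.0f} ms for 20 peers")
```

Running it shows a few milliseconds per exchange in pure Python; on an embedded gateway with no crypto accelerator the figure is larger, and `time_for_peers` makes the point of the last paragraph visible: the load is paid once per SA, so it scales with the number of opposite parties whose keys must be generated at the same time.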