1. Field of the Invention
The present invention relates to a mobile computer, a packet processing device and a communication control method for realizing a mobile computing scheme using the encryption and authentication processing.
2. Description of the Background Art
In conjunction with the availability of computer systems of smaller size and lower cost and a more enriched network environment, the use of computer systems has rapidly expanded into a variety of fields, and there is also a transition from centralized systems to distributed systems. In this regard, in recent years, because of the advance and spread of computer network technology in addition to the progress and improved performance of the computer system itself, it has become possible to realize not only the sharing of resources such as files and printers within an office but also communications (electronic mail, electronic news, file transfer, etc.) with parties outside an office or organization, and these communications are now widely used.
In particular, in recent years, the use of the world's largest computer network, called the Internet, has become very popular, and there are new computer businesses for connecting to the Internet and utilizing open information and services, or for providing information and services to external users who make accesses through the Internet. In addition, new technological developments are being made in relation to the use of the Internet.
Also, in conjunction with the spread of such networks, there are technological developments regarding mobile computing. In mobile computing, a user carries along a portable computer terminal and communicates while moving across networks. In some cases, the user may change location on a network while continuing the communication, so that there is a need for a scheme that manages the changing address of a mobile computer on a network during such a communication in order to route the communication content correctly.
Also, when networks are widespread and freely interconnected so that huge amounts of data and services can be exchanged, there arises a need to address the problem of security.
For example, there is a problem as to how to prevent the leakage of an organization's secret information to the external network, and there is also a problem as to how to protect resources and information connected to the internal network. The Internet was developed originally for academic purposes, so that the primary concern was the free exchange of data and services over network connections, and the above described problem of security had not been accounted for.
However, in recent years, many corporations and organizations are connecting to the Internet, so that there is a need for a mechanism to guard their own networks in view of the above described problem of security.
To this end, there is a known scheme for use at the time of exchanging a data packet on the Internet, in which the content of the data packet is encrypted and an authentication code is attached before the data packet is transmitted to the outside, and the authentication code is verified and the data packet is decrypted at the receiving site.
For example, the IETF (which is the standardizing organization for the Internet) specifies the encryption and authentication code attaching scheme for IP packets as the IP security standard (see IETF RFC 1825-1829). According to this scheme, even when an outside user intercepts the data packet on the external network, the leakage of the data content can be prevented because the data content is encrypted, and therefore secure communication can be realized.
A mutual cipher communication is possible between networks which are protected (guarded) by gateway computers that support such a cipher communication, and when the above described mobile computer itself supports a function of the packet encryption and decryption, a cipher communication between any gateways or a gateway and a mobile computer can be supported.
For example, in an exemplary case shown in FIG. 1, a mobile computer 2 that originally belongs to a home network 1a moves to another network 1b and carries out a cipher communication with another computer (CH: Correspondent Host) 3 in a network 1c, through gateways (data packet encryption and authentication devices) 4a and 4c that support the encryption/decryption function.
In general, in a case of realizing the mobile computing, a router (home agent) for managing information about a visiting site of the mobile computer is provided, and the transmission of data destined to the mobile computer is realized by sending it to the home agent of the mobile computer, and carrying out the data routing control with respect to the mobile computer by encapsulating an IP packet destined to an original address of the mobile computer within a packet destined to a current location address of the mobile computer. In FIG. 1, this role is played by a home agent (HA) 5.
This is a scheme called mobile IP which is currently in a process of being standardized by the mobile-IP working group of the IETF (see, IETF RFC 2002-2006).
When this mobile IP scheme is used in combination with the above described data packet encryption of the IP security standard, a packet transfer route in FIG. 1 will be as follows: correspondent host (CH) 3 → gateway 4c (where the packet is encrypted) → gateway 4a (where the packet is decrypted) → home agent (HA) 5 → gateway 4a (where the packet is encrypted again) → mobile computer 2 (where the packet is decrypted again).
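As an added example that is not part of the patent text, the following Python model traces the header stack a packet carries along the FIG. 1 route, with the gateways applying an abstract encrypted tunnel layer and the home agent applying mobile IP encapsulation. The node addresses and the "ESP" layer are constructed assumptions, not a real IPsec or mobile IP implementation.

```python
# Added example (not from the patent): header stack along the FIG. 1 route
# CH 3 -> GW 4c -> GW 4a -> HA 5 -> GW 4a -> MN 2.
# Addresses are constructed placeholders; "ESP" is an abstract tunnel layer.
CH, GW4C, GW4A, HA = "ch3", "gw4c", "gw4a", "ha5"
MN_HOME, MN_CARE_OF = "mn2-home", "mn2-visited"

def ip(src, dst):
    # A packet is a list of (kind, src, dst) headers, outermost first.
    return [("IP", src, dst)]

def encrypt(pkt, src, dst):
    # Tunnel style: the whole packet becomes the protected payload of a new header.
    return [("ESP", src, dst)] + pkt

def decrypt(pkt, me):
    # Only a node addressed by the outer tunnel header may strip it.
    kind, _, dst = pkt[0]
    if kind != "ESP" or dst != me:
        raise ValueError(f"{me}: outer header is not an ESP tunnel addressed to me")
    return pkt[1:]

def ha_encapsulate(pkt, care_of):
    # Mobile IP: the HA wraps a packet for the home address in one to the care-of address.
    if pkt[0][0] != "IP" or pkt[0][2] != MN_HOME:
        raise ValueError("HA only tunnels packets addressed to the home address")
    return [("IP", HA, care_of)] + pkt

def route_fig1():
    """Return [(node, headers on the wire after that node)] for the FIG. 1 path."""
    trace = []
    p = ip(CH, MN_HOME)
    trace.append((CH, p))
    p = encrypt(p, GW4C, GW4A)            # GW 4c: packet is encrypted
    trace.append((GW4C, p))
    p = decrypt(p, GW4A)                  # GW 4a: packet is decrypted
    trace.append((GW4A, p))
    p = ha_encapsulate(p, MN_CARE_OF)     # HA 5: tunnel to current location
    trace.append((HA, p))
    p = encrypt(p, GW4A, MN_CARE_OF)      # GW 4a: encrypted again
    trace.append((GW4A, p))
    p = decrypt(p, MN_CARE_OF)            # MN 2: decrypted again
    trace.append((MN_CARE_OF, p))
    return trace

# Trace indices whose next link crosses a network outside the GW protected regions.
EXTERNAL_HOPS = (1, 4)

def external_links_protected(trace):
    """True if every packet sent onto an external link is wrapped in the tunnel layer."""
    return all(trace[i][1][0][0] == "ESP" for i in EXTERNAL_HOPS)
```

The final entry of the trace shows why the MN must strip two layers: the HA's IP-in-IP header to the care-of address still sits above the original packet from CH to the home address.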
In such a case of using the mobile IP and the packet encryption by the IP security in combination, there is a need for a control to change the operation of each constituent element according to cases differentiated by current locations of the mobile computer and its correspondent.
For example, suppose that a system has a configuration as shown in FIG. 2, where MN stands for a mobile computer, MN⁺ stands for a mobile computer which itself supports the packet encryption and authentication processing function, CH stands for its correspondent host, GW stands for a packet encryption device (gateway), and HA stands for a home agent. Here, the home domain network of the mobile computer MN will be referred to as a home network. Also, "inside the GW protected region" indicates networks protected by gateways, while "outside the GW protected region" indicates other outside regions.
In this case, the situation can be largely classified into four cases [1] to [4] depending on whether each of MN and CH is inside or outside of the GW protected region, as shown in FIG. 19 which will be described in detail below. Here, it is assumed that CH is a stationary (non-mobile) computer which does not carry out the encryption and authentication processing.
Moreover, the cases [1] and [2] of communications via GW in FIG. 19 can be further classified into seven cases (1) to (7), as shown in FIG. 20 which will also be described in detail below.
In each of these cases, the processing at each node and the IP security processing at each gateway can be different, so that in a case of using the mobile IP and the IP security in combination, it is important to note the above described classification of cases [1] and [2] or (1) to (7) according to the location information for the mobile computer and the correspondent host.
Also, depending on the location of the correspondent host, there can be cases in which the packet encryption cannot be used, such as a case where the correspondent host is located in a network which has no packet encryption device. The cases [3] and [4] of the above classification are such cases. In such a case, the mobile computer is going to use only the mobility protocol.
Also, the mobile IP defines the optimization of a packet route destined to the mobile computer via the home agent when each network constituent element has correct location information cached, and it is also necessary to judge the applicability of this route optimization by recognizing the current locations of the mobile computer and the correspondent host if the packet encryption is used in combination.
For example, the route optimization as indicated in FIG. 2 is possible when it can be recognized as the case (5) (a case where CH and MN are located at different sections) of the above classification.
Now, in the mobile IP, when the mobile computer moves to a new visiting site, it is necessary to send a registration message regarding the current location to the home agent. In this case, when the mobile computer has moved to a network which is familiar to the home network of the mobile computer, so that a gateway of that network freely allows the transmission of the registration message to outside the network, it is possible for the mobile computer to carry out the operation exactly as specified by the mobile IP.
However, in a general network which treats the mobile computer as visiting (or intruding) from outside the network, it is considered dangerous from the viewpoint of security to freely allow the transmission of the registration message issued by the mobile computer to outside the network. In such a case, it becomes necessary for the mobile computer to recognize that it is currently located in a network which treats it as an intruder, and to carry out the transmission of the registration message to the home agent only after obtaining permission for external access by carrying out a processing for establishing its own identity with respect to the gateway. Also, even in the actual data transmission after the completion of the registration message transmission, it is necessary to carry out the communication while maintaining its own identity with respect to the gateway.
In the conventional mobile IP scheme, the routing control and the mobile computer location registration have been specified under the assumption that each network node is assigned a unique IP address and is capable of exchanging control packets freely. Consequently, at the time of actual operation in a case of supporting a mobile computer capable of carrying out communications while moving among inter-connected networks, there has been no operational specification regarding the network operating policy, which depends on the kind of organization to which the visited network of the mobile computer belongs.
For this reason, in a case of using the mobile IP and the packet encryption by the IP security in combination, it has been impossible to realize a control to change the operation of each of the mobile computer and the packet encryption device for carrying out the IP packet encryption according to cases differentiated by current locations of the mobile computer and its correspondent, and it has also been difficult to realize the route optimization of the mobile IP.
Also, because the mobile IP specification does not account for the network operating policy, when the mobile computer moves to a network of an external organization and transmits a mobile IP registration message destined to the home network, if a gateway of that external network freely allows the transmission of any packet destined outside the network, it is possible to carry out the operation exactly as specified by the mobile IP, but this scheme itself is not preferable from the viewpoint of security in general. Consequently, especially when the mobile computer has moved to a network which, in view of security, does not freely allow external access by an internal computer, there are cases where even a registration message for a new location which is sent immediately after the move cannot reach the home agent on the home network of the mobile computer, so that trouble is caused in the operation of the mobile IP scheme regarding the mobile computer.