When a node receives an IP (Internet Protocol) packet, the node is required to perform the appropriate process on it: either pass and transfer the received IP packet toward its destination, or discard it. The function of determining which process is to be performed on a received IP packet is referred to as filtering.
In implementing filtering, a node registers in advance filter criteria (rules), together with the processes (services) associated with those criteria, in a filter table in priority order. When the node receives an IP packet, it searches the filter table, in priority order, for a filter criterion that is satisfied by the information included in the IP packet. When such a filter criterion is found, the node determines the process associated with it as the process to be performed on the IP packet. The node then transfers the IP packet to the appropriate destination node, or discards it, according to the determined process.
As filter criteria, it is possible to use various header information in the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol stack. For instance, it is possible to use header information of the network layer (such as IP), header information of the transport layer (such as TCP or UDP (User Datagram Protocol)), header information of the application layer, or the like. FIG. 8 illustrates an IP header, and FIG. 9 illustrates a UDP header.
This example describes filtering in which five pieces of information (an IP 5-tuple) are used as the filter criterion: three from the IP header of the network layer (the transmission source IP address, the destination IP address, and the protocol) and two from the UDP header of the transport layer (the transmission source port number and the destination port number).
In a host or a router, when the IP packet length is longer than the MTU (Maximum Transmission Unit) of the network, and the non-dividable flag in the flags field of the IP header indicates that the packet is dividable, the packet is divided for transmission. This packet dividing process is referred to as fragmentation.
FIG. 10 illustrates an example of the packets produced when UDP data is fragmented. As illustrated in FIG. 10, when an IP packet is divided, the original IP header is attached to every resulting IP packet. However, header information of the transport layer and of layers above it, such as the UDP header, is carried in the IP data of the IP packet. Consequently, that header information is included only in the leading divided IP packet.
When filtering is performed using an IP 5-tuple as the filter criterion, the transmission source IP address, the destination IP address, and the protocol can be identified for all the divided IP packets, because these three fields are included in the IP header. However, the transmission source port number and the destination port number can be identified only from the leading divided IP packet, because they are included in the UDP header.
Thus, when a divided IP packet is filtered using an IP 5-tuple as the filter criterion, the process (service) can be determined accurately for the leading IP packet. For IP packets other than the leading one, however, the transmission source port number and the destination port number cannot be identified, so filtering may apply an unintended service to them or discard them.
In the following description, a divided (fragmented) IP packet is referred to as a fragment packet, a divided leading IP packet is referred to as a leading fragment packet, and a non-divided IP packet is referred to as a non-fragment packet.
PTL 1 discloses an example of a fragment packet filtering method as described above. In this method, a filtering result of a leading fragment packet is registered in a routing table, and when second and succeeding fragment packets are received, a process is performed based on the filtering result registered in the routing table.
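The following is an added example, not code from the patent text, that makes the two points above concrete: it builds an IPv4/UDP datagram, fragments it the way FIG. 10 describes (IP header copied to every fragment, UDP header only in the leading fragment), runs a priority-ordered IP 5-tuple filter table over the fragments, and shows that per-packet filtering misclassifies every non-leading fragment. It then applies the PTL 1-style idea of registering the leading fragment's result and reusing it for the second and succeeding fragments, keyed by the fields all fragments share (source address, destination address, protocol, identification). All addresses, ports, rule names, the helper functions, and the 8-byte fragment alignment and MTU value are constructed assumptions for illustration.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the patent). Addresses, ports, rule names and helpers are constructed.
IP_HDR_LEN = 20      # IPv4 header without options
UDP_HDR_LEN = 8
IPPROTO_UDP = 17
FLAG_MF = 0x1        # "more fragments" bit within the 3-bit IPv4 flags field


def build_ipv4_header(src: str, dst: str, proto: int, ident: int,
                      more_fragments: bool, frag_offset: int, payload_len: int) -> bytes:
    """Minimal IPv4 header. frag_offset is in bytes (multiple of 8); checksum left zero."""
    flags_frag = ((FLAG_MF if more_fragments else 0) << 13) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, IP_HDR_LEN + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def fragment_udp(src: str, dst: str, sport: int, dport: int, data: bytes,
                 mtu: int, ident: int) -> List[bytes]:
    """Build a UDP datagram; if IP header + datagram exceeds the MTU, split it into
    IP fragments. Only the first fragment carries the UDP header (as in FIG. 10)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(data), 0) + data
    if IP_HDR_LEN + len(udp) <= mtu:
        return [build_ipv4_header(src, dst, IPPROTO_UDP, ident, False, 0, len(udp)) + udp]
    step = (mtu - IP_HDR_LEN) // 8 * 8          # fragment payloads are multiples of 8 bytes
    pkts = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        more = off + step < len(udp)
        pkts.append(build_ipv4_header(src, dst, IPPROTO_UDP, ident, more, off, len(chunk)) + chunk)
    return pkts


@dataclass
class Parsed:
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    offset: int
    sport: Optional[int]    # None for a non-leading fragment: no UDP header is present
    dport: Optional[int]


def parse(pkt: bytes) -> Parsed:
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0xF) * 4
    more = bool((flags_frag >> 13) & FLAG_MF)
    offset = (flags_frag & 0x1FFF) * 8
    sport = dport = None
    # The transport header is visible only at fragment offset 0 (leading or non-fragment packet).
    if offset == 0 and proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Parsed(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                  proto, ident, more, offset, sport, dport)


@dataclass
class Rule:
    """One filter-table entry: an IP 5-tuple criterion (None = wildcard) and its service."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]
    service: str


def lookup(table: List[Rule], p: Parsed, default: str = "DISCARD") -> str:
    """Search the table in priority order; the first matching rule decides the service."""
    for r in table:
        fields = ((r.src, p.src), (r.dst, p.dst), (r.proto, p.proto),
                  (r.sport, p.sport), (r.dport, p.dport))
        if all(want is None or want == have for want, have in fields):
            return r.service
    return default


def stateless_filter(table: List[Rule], pkts: List[bytes]) -> List[str]:
    """Per-packet 5-tuple filtering: non-leading fragments carry no port numbers,
    so port-specific rules can never match them."""
    return [lookup(table, parse(pkt)) for pkt in pkts]


def stateful_filter(table: List[Rule], pkts: List[bytes]) -> List[str]:
    """PTL 1-style approach: register the leading fragment's result under the fields
    every fragment shares (src, dst, proto, identification) and reuse it."""
    pending: Dict[tuple, str] = {}
    out = []
    for pkt in pkts:
        p = parse(pkt)
        key = (p.src, p.dst, p.proto, p.ident)
        if p.offset == 0:
            svc = lookup(table, p)
            if p.more_fragments:
                pending[key] = svc              # remember the result for later fragments
        else:
            svc = pending.get(key, "DISCARD")   # no registered result (e.g. leading fragment not seen yet)
            if not p.more_fragments:
                pending.pop(key, None)          # last fragment arrived: release the entry
        out.append(svc)
    return out


TABLE = [
    Rule("10.0.0.1", "10.0.0.2", IPPROTO_UDP, None, 53, "FORWARD_TO_DNS"),
    Rule("10.0.0.1", "10.0.0.2", IPPROTO_UDP, None, None, "DISCARD"),  # any other UDP from this pair
]


def demo() -> dict:
    frags = fragment_udp("10.0.0.1", "10.0.0.2", 40000, 53, b"A" * 3000, mtu=576, ident=0x1234)
    whole = fragment_udp("10.0.0.1", "10.0.0.2", 40000, 53, b"A" * 100, mtu=576, ident=0x1235)
    return {
        "fragments": len(frags),
        "stateless": stateless_filter(TABLE, frags),   # only the leading fragment is forwarded
        "stateful": stateful_filter(TABLE, frags),     # all six fragments get the leading result
        "non_fragment": stateless_filter(TABLE, whole),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the stateless run the second, lower-priority rule (or the table default) captures every non-leading fragment, which is exactly the unintended-service-or-discard outcome described above. The stateful variant keeps the registered result only while fragments with the "more fragments" bit are outstanding; as written it falls back to the default when a non-leading fragment arrives before its leading fragment, so a real implementation must also decide how to treat reordered or lost leading fragments and how long to retain an entry.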