1. Field of the Invention
The present invention relates to a node device and a communication control method for carrying out packet transfer.
2. Description of the Related Art
As the user classes of the Internet expand, the utilization methods of the Internet are also widening. As for the user classes, the users who do not have special technical knowledge are increasing, and as for the utilization methods, the applications that require high safety such as purchases through the WWW and accesses to bank accounts are spreading.
In order to enable even the users who do not have special technical skills to use such applications safely, there are proposals for a framework to provide the safety in the network. Among them, there is a technique called IPsec (IP security) (see RFC 2401). The IPsec is a protocol for exchanging IP packets by encrypting them, and includes ESP (IP Encapsulating Security Payload) for providing the confidentiality, AH (IP Authentication Header) for providing integrity and authentication, and IKE (Internet Key Exchange) for exchanging parameters to be used by ESP and AH between nodes.
In the IPsec, the basic requirements regarding the security such as the authentication and the encryption are realized at the network layer, so that there is an advantage that there is no need to add the security function to the individual application.
Between the nodes utilizing the IPsec, information called security association (SA) is shared in order to realize the authentication and the encryption. The security association information (abbreviated as SA hereafter) contains various parameters such as destination information (destination address), an identification number (Security Parameter Index (SPI)), key information and valid period information (lifetime, for example).
A node that is a transmitting side of the packet can uniquely identify the corresponding SA from a set of the destination address (address of a node that is a receiving side of the packet) and the SPI. A node that is a receiving side can uniquely identify the corresponding SA from the SPI. The SPI needs to be unique for the identical destination, so that the SPI is determined by the node that is the receiving side. As such, the SA has a sense of direction so that in order for the packet using the security protocol to go and return, two SAs are necessary for a pair of nodes.
The outline of the processing at the nodes on the transmitting side and the receiving side is as follows. Namely, after the exchange of the SA is completed, the transmitting side node applies a prescribed cryptographic processing (encryption, for example) utilizing a prescribed key (secret key, for example) to the packet according to the SA corresponding to the destination and the SPI. The transmitting side node then transmits the IP packet containing an IPsec header where the SPI is described in an SPI field of this IPsec header. When the IP packet containing the IPsec header is received, the receiving side node obtains the corresponding SA from the SPI described in the SPI field of the IPsec header, and applies a prescribed processing (decryption, for example) utilizing a prescribed key (secret key, for example) to the packet according to that SA. Note that if the corresponding SA does not exist at the receiving side node, the received IP packet will be discarded.
On the other hand, the standard protocol for exchanging the SA between nodes utilizing the IPsec and updating the SA regularly (according to the valid period of the SA) is the IKE (Internet Key Exchange). In the IKE, a node that becomes a side for starting the communication is called an initiator, and a node that becomes a side for responding to it is called a responder. The SA is essentially unidirectional information, but in the case of exchange using the IKE, the bidirectional SA is always established.
Here, the case of carrying out the communication using the IPsec between two nodes, after the exchange and sharing of the SA by the IKE are completed, will be considered.
For example, as shown in FIG. 10A, suppose that the exchange of the SA by the IKE is completed such that the SA with the destination=R and the SPI=100 is shared between a node (initiator node) 1001 and a node (responder node) 1002. Then, as shown in FIG. 10B, the node 1001 has the SA corresponding to the destination=R and the SPI=100 so that the node 1001 can transmit the IP packet in which a prescribed portion of the packet is encrypted according to that SA and data indicating the SPI=100 is described in the SPI field of the IPsec header. On the other hand, as shown in FIG. 10C, the node 1002 that received the IP packet containing the IPsec header with the SPI=100 has the SA with the SPI=100, so that the node 1002 can decrypt the prescribed portion of the packet according to that SA.
Here, suppose that a fault (which can be a fault due to the hardware or a fault due to the software) occurs in the receiving side (responder side) node 1002, and this node 1002 is recovered after losing all the SAs utilized by the communications until then, as shown in FIG. 11A. Conventionally, there is no mechanism for detecting the fault of the receiving side node 1002 at the transmitting side (initiator side) node 1001. For this reason, even after the fault occurred, the node 1001 that has the SA corresponding to the SPI=100 continues the communication according to the IPsec using that SA, as shown in FIG. 11B. However, at the node 1002, the SA corresponding to the SPI=100 is lost, so that the received packet is discarded as shown in FIG. 11C. As a result, effectively the communication cannot be established until the valid period of this SA expires.
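The fault scenario of FIGS. 11A to 11C can be reproduced with the following Python sketch, which is an added example and not part of the original document. The Node class, the clock ticks, the lifetime of 10 ticks and the use of an HMAC-SHA-256 tag in place of the prescribed cryptographic processing are assumptions made for illustration; only the destination=R and the SPI=100 come from the text.

```python
import hashlib
import hmac
import os

class Node:
    def __init__(self):
        self.outbound = {}   # (dest, spi) -> (key, expires_at), transmit side
        self.inbound = {}    # spi -> key, receive side
        self.discarded = 0

    def send(self, dest, spi, payload, now):
        sa = self.outbound.get((dest, spi))
        if sa is None or now >= sa[1]:
            return None      # no valid SA: a new exchange would be needed
        icv = hmac.new(sa[0], payload, hashlib.sha256).digest()
        return {"dest": dest, "spi": spi, "payload": payload, "icv": icv}

    def receive(self, pkt):
        key = self.inbound.get(pkt["spi"])
        if key is None:
            self.discarded += 1   # silent discard, nothing is sent back
            return None
        expected = hmac.new(key, pkt["payload"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt["icv"]):
            self.discarded += 1   # integrity check failed
            return None
        return pkt["payload"]

    def crash_and_recover(self):
        self.inbound.clear()      # volatile SA state is lost in the fault
        self.outbound.clear()

def simulate(lifetime=10, fault_at=3, ticks=12):
    """Return (delivered, discarded, unsent) for one unidirectional SA."""
    initiator, responder = Node(), Node()
    key = os.urandom(32)                      # constructed sample key
    initiator.outbound[("R", 100)] = (key, lifetime)
    responder.inbound[100] = key
    delivered = unsent = 0
    for now in range(ticks):
        if now == fault_at:
            responder.crash_and_recover()
        pkt = initiator.send("R", 100, b"data %d" % now, now)
        if pkt is None:
            unsent += 1
        elif responder.receive(pkt) is not None:
            delivered += 1
    return delivered, responder.discarded, unsent
```

With the default values, every packet sent between the fault and the end of the valid period is discarded at the responder, and the initiator stops using the SA only when its own copy expires.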
As a method for handling such a situation, it is possible to consider the method in which the SA data are stored in a stable recording device such as hard disk at a stage where the exchange and sharing of the SA by the IKE are completed, and the SA is revived by utilizing the SA data stored in the stable recording device after the receiving side node is recovered from the fault. However, this method requires recording even the key information to be kept secret in the stable recording device, so that it is very inconvenient in that a possibility for the leakage of the key information increases.
As another handling method, it is possible to consider the method in which, when the SA corresponding to the SPI of the received packet does not exist at the receiving side node, a notification message indicating this fact is returned from the receiving side node to the transmitting side node. However, this method has the following drawbacks.
(1) By giving a packet having arbitrary SPI to the receiving side node and observing the reaction of the receiving side node to it, it becomes possible to check from the outside whether the receiving side node has the SA corresponding to that SPI that was given to the receiving side node.
(2) It becomes possible to mount an attack for blocking the communication by giving a fake message indicating the SA is lost to the transmitting side node that is communicating normally.
(3) When the authentication is applied to the above described notification message in order to prevent the attack of (2), it becomes possible to mount an attack for causing the increase of the processing load on the receiving side node due to the authentication operation at a time of transmitting the notification message, by giving packets having arbitrary SPI to the receiving side node.
Thus, according to the conventional methods, it has been difficult to recover the normal state quickly without damaging the safety when the SA is lost at the responder side of the IKE. Namely, the method for storing the SA at a time of its generation has a possibility for the leakage of the secret. Also, the method for notifying the fact that the SA is lost to the initiator side has a possibility for the leakage of the information and the attacks for blocking the communication or increasing the processing load.