Packet communication system

Information

  • Patent Application
    20070186100
  • Publication Number
    20070186100
  • Date Filed
    February 01, 2007
  • Date Published
    August 09, 2007
Abstract
A packet communication system for effectively using network resources and for improving network operability. A transmission security policy database specifies the omission of header information attached when a transmission packet is capsulated, as a transmission security policy. A header-information omitting section omits the header information of the capsulated transmission packet. A packet transmission processing section adds a security header and a header for tunnel communication to the packet from which the header information has been omitted and transmits the packet. A receiving security policy database specifies that the header information has been omitted, as a receiving security policy. A header-information recovering section searches the receiving security policy database for a security policy for a received packet, and when recognizing that the received packet is a target packet from which the header information has been omitted, recovers the header information.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a view showing the principle of a packet communication system.

FIG. 2 shows an example structure of a mobile VPN.

FIG. 3 shows packet formats.

FIG. 4 shows packet formats.

FIG. 5 shows an example structure of a mobile VPN having an address converter.

FIG. 6 shows packet formats.

FIG. 7 shows the internal structure of a mobile node.

FIG. 8 shows the internal structure of a VPN gateway.

FIG. 9 shows a transmission processing flow of the mobile node.

FIG. 10 shows the transmission processing flow of the mobile node.

FIG. 11 shows a transmission processing flow of the mobile node.

FIG. 12 shows the transmission processing flow of the mobile node.

FIG. 13 shows a receiving processing flow of the mobile node.

FIG. 14 shows the receiving processing flow of the mobile node.

FIG. 15 shows a receiving processing flow of the mobile node.

FIG. 16 shows the receiving processing flow of the mobile node.

FIG. 17 shows a forwarding processing flow of the VPN gateway.

FIG. 18 shows the forwarding processing flow of the VPN gateway.

FIG. 19 shows a forwarding processing flow of the VPN gateway.

FIG. 20 shows the forwarding processing flow of the VPN gateway.

FIG. 21 shows a forwarding processing flow of the VPN gateway.

FIG. 22 shows the forwarding processing flow of the VPN gateway.

FIG. 23 shows a forwarding processing flow of the VPN gateway.

FIG. 24 shows the forwarding processing flow of the VPN gateway.

FIG. 25 shows an example structure of an SPD.

FIG. 26 shows the format of a Binding Update message.

FIG. 27 shows the format of a Binding Acknowledgement message.

FIG. 28 shows the format of a Registration Request message.

FIG. 29 shows the format of a Registration Reply message.

FIG. 30 shows an example structure of a Mobile-IP network.

FIG. 31A shows the format of a Mobile-IP packet sent from the mobile node, and FIG. 31B shows the format of a Mobile-IP packet sent from a home agent.

FIG. 32 shows an example structure of a mobile VPN.

FIG. 33A shows the format of a Mobile-VPN packet sent from the mobile node, and FIG. 33B shows the format of a Mobile-IP packet sent from the VPN gateway.


Claims
  • 1. A packet communication system for performing packet communication, comprising: a packet transmission apparatus; and a packet receiving apparatus, the packet transmission apparatus comprising: a transmission security policy database for storing a security policy indicating a level of protection applied to a packet, specifying the omission of header information attached when a transmission packet is capsulated, as a transmission security policy for omitting redundant information; a header-information omitting section for searching the transmission security policy database at packet transmission for a security policy for a capsulated transmission packet, and, when recognizing that the capsulated transmission packet is a target packet from which the header information is to be omitted, for omitting the header information from the target packet; and a packet transmission processing section for adding a security header by tunneling in an encryption protocol and a header for tunnel communication to the packet from which the header information has been omitted, and for applying transmission processing to the packet, and the packet receiving apparatus comprising: a receiving security policy database specifying the header information, which is to be recovered, as a receiving security policy; and a header-information recovering section for searching the receiving security policy database at packet reception for a security policy for a received packet, and, when recognizing that the received packet is a target packet from which the header information has been omitted, for recovering the header information.
  • 2. The packet communication system according to claim 1, wherein the header-information omitting section omits the header information before security association in the encryption protocol is applied; and the header-information recovering section recovers the header information after the security association is released.
  • 3. The packet communication system according to claim 1, wherein the transmission security policy database specifies the omission of header information attached when the original packet is capsulated in Mobile-IP communication; the receiving security policy database specifies the recovery of the header information, omitted at a transmission side by capsulation in Mobile-IP communication; and the packet transmission processing section adds a header by IPsec tunneling to the packet from which the header information has been omitted.
  • 4. The packet communication system according to claim 3, wherein, when the packet transmission apparatus is moved from a home network to a visitor-location network, and the packet receiving apparatus is installed at a point where a communication path with the packet transmission apparatus is to be encrypted, the transmission security policy database specifies, as the transmission security policy, the omission of header information that includes a care-of address of the packet transmission apparatus in the visitor-location network as a transmission source address and an address of a home agent for managing the position of the packet transmission apparatus as a destination address; and the receiving security policy database specifies, as the receiving security policy, that the header information has been omitted.
  • 5. The packet communication system according to claim 3, wherein, when the packet receiving apparatus is moved from a home network to a visitor-location network, and the packet transmission apparatus is installed at a point where a communication path with the packet receiving apparatus is to be encrypted, the transmission security policy database specifies, as the transmission security policy, the omission of header information that includes an address of a home agent for managing the position of the packet receiving apparatus as a transmission source address and a care-of address of the packet receiving apparatus in the visitor-location network as a destination address; and the receiving security policy database specifies, as the receiving security policy, that the header information has been omitted.
  • 6. A packet communication apparatus for performing packet communication, comprising: a security policy database for storing a security policy indicating a level of protection applied to a packet, specifying the omission of header information attached when a transmission packet is capsulated, as a transmission security policy for omitting redundant information, and specifying the header information, which is to be recovered, as a receiving security policy; a header-information omitting section for searching the security policy database at packet transmission for a security policy for a capsulated transmission packet, and, when recognizing that the capsulated transmission packet is a target packet from which the header information is to be omitted, for omitting the header information from the target packet; a packet transmission processing section for adding a security header by tunneling in an encryption protocol and a header for tunnel communication to the packet from which the header information has been omitted, and for applying transmission processing to the packet; and a header-information recovering section for searching the security policy database at packet reception for a security policy for a received packet, and, when recognizing that the received packet is a target packet from which the header information has been omitted, for recovering the header information.
  • 7. A packet communication method for performing packet communication, a packet transmission apparatus comprising a transmission security policy database for storing a security policy indicating a level of protection applied to a packet, specifying the omission of header information attached when a transmission packet is capsulated, as a transmission security policy for omitting redundant information, and a packet receiving apparatus comprising a receiving security policy database specifying the header information, which is to be recovered, as a receiving security policy, the packet communication method comprising the steps of: the packet transmission apparatus searching the transmission security policy database for a security policy for a capsulated transmission packet, and, when recognizing that the capsulated transmission packet is a target packet from which the header information is to be omitted, omitting the header information from the target packet; the packet transmission apparatus adding a security header by tunneling in an encryption protocol and a header for tunnel communication to the packet from which the header information has been omitted, and transmitting the packet; and the packet receiving apparatus searching the receiving security policy database for a security policy for a received packet, and, when recognizing that the received packet is a target packet from which the header information has been omitted, recovering the header information.
  • 8. The packet communication method according to claim 7, wherein the header information is omitted before security association in the encryption protocol is applied; and the header information is recovered after the security association is released.
  • 9. The packet communication method according to claim 7, wherein the transmission security policy database specifies the omission of header information attached when the original packet is capsulated in Mobile-IP communication; the receiving security policy database specifies the recovery of the header information, omitted at a transmission side by capsulation in Mobile-IP communication; and the packet transmission processing section adds a header by IPsec tunneling to the packet from which the header information has been omitted.
  • 10. The packet communication method according to claim 9, wherein, when the packet transmission apparatus is moved from a home network to a visitor-location network, and the packet receiving apparatus is installed at a point where a communication path with the packet transmission apparatus is to be encrypted, the transmission security policy database specifies, as the transmission security policy, the omission of header information that includes a care-of address of the packet transmission apparatus in the visitor-location network as a transmission source address and an address of a home agent for managing the position of the packet transmission apparatus as a destination address; and the receiving security policy database specifies, as the receiving security policy, that the header information has been omitted.
  • 11. The packet communication method according to claim 9, wherein, when the packet receiving apparatus is moved from a home network to a visitor-location network, and the packet transmission apparatus is installed at a point where a communication path with the packet receiving apparatus is to be encrypted, the transmission security policy database specifies, as the transmission security policy, the omission of header information that includes an address of a home agent for managing the position of the packet receiving apparatus as a transmission source address and a care-of address of the packet receiving apparatus in the visitor-location network as a destination address; and the receiving security policy database specifies, as the receiving security policy, that the header information has been omitted.
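As an added illustration, not code from the patent or its applicant: the Python model below implements the transmission and receiving sides described in the abstract and in claims 1 to 4. The mobile node's transmission security policy database marks the Mobile-IP outer header (care-of address as source, home agent as destination) as redundant and strips it before the tunnel security header is applied; the VPN gateway's receiving security policy database, keyed by the SPI that identifies the security association, rebuilds that header from policy state once the security header has been verified. The IPsec layer is modelled as an integrity-only tunnel (ESP-NULL style, HMAC-SHA256 ICV, strictly increasing sequence number) so that the example runs without third-party libraries; the addresses, SPI, key and packet contents are constructed for the example and are not taken from the patent.

```python
# Added illustrative model (not the patent's own code) of Mobile-IP header
# omission and recovery around an IPsec-style tunnel. Addresses, keys and the
# packet contents below are constructed for the example.
import hashlib
import hmac
import socket
import struct

IPV4_HLEN, IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, ICV_LEN = 20, 4, 17, 50, 32

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal option-free IPv4 header (TTL 64, ident 0) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HLEN + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> tuple[str, str, int, int]:
    """Return (src, dst, proto, total_len) after verifying the header checksum."""
    if len(pkt) < IPV4_HLEN or pkt[0] != 0x45 or ip_checksum(pkt[:IPV4_HLEN]) != 0:
        raise ValueError("not a valid option-free IPv4 header")
    total, proto, src, dst = struct.unpack("!2xH5xB2x4s4s", pkt[:IPV4_HLEN])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, total

def omit_header(pkt: bytes, tx_spd: dict) -> tuple[bytes, dict]:
    """Header-information omitting section: the transmission SPD is searched by
    the outer (Mobile-IP) header selector; a matching 'omit' policy strips it."""
    src, dst, proto, _ = parse_ipv4(pkt)
    policy = tx_spd[(src, dst, proto)]
    return (pkt[IPV4_HLEN:] if policy["omit"] else pkt), policy

def ipsec_tunnel_send(pkt: bytes, policy: dict) -> bytes:
    """Packet transmission processing section: ESP-style header (SPI, sequence
    number) plus HMAC-SHA256 ICV, then a new outer header for the tunnel.
    Modelled as integrity-only (ESP-NULL) so the example stays self-contained."""
    policy["seq"] += 1
    esp = struct.pack("!II", policy["spi"], policy["seq"]) + pkt
    esp += hmac.new(policy["key"], esp, hashlib.sha256).digest()
    return ipv4_header(policy["self"], policy["peer"], IPPROTO_ESP, len(esp)) + esp

def ipsec_tunnel_receive(wire: bytes, rx_spd: dict) -> tuple[bytes, dict]:
    """Authenticate, replay-check and decapsulate; the receiving policy is found
    by the SPI, which names the security association the packet arrived on."""
    _, _, proto, total = parse_ipv4(wire)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = wire[IPV4_HLEN:total]
    spi, seq = struct.unpack("!II", esp[:8])
    policy = rx_spd.get(spi)
    if policy is None:
        raise ValueError("no receiving policy for SPI %#x" % spi)
    expect = hmac.new(policy["key"], esp[:-ICV_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, esp[-ICV_LEN:]):
        raise ValueError("ICV mismatch")
    if seq <= policy["last_seq"]:
        raise ValueError("replayed sequence number")
    policy["last_seq"] = seq
    return esp[8:-ICV_LEN], policy

def recover_header(pkt: bytes, policy: dict) -> bytes:
    """Header-information recovering section: the omitted header is rebuilt from
    policy state only; the packet is checked against that state, never trusted
    to supply the addresses itself."""
    if not policy["recover"]:
        return pkt
    if parse_ipv4(pkt)[0] != policy["home_addr"]:
        raise ValueError("inner source is not the mobile node's home address")
    return ipv4_header(policy["coa"], policy["home_agent"], IPPROTO_IPIP, len(pkt)) + pkt

def run_demo() -> dict:
    """Mobile node (care-of address) -> VPN gateway, Mobile-IP header omitted."""
    coa, ha, gw, hoa, cn = "203.0.113.10", "192.0.2.1", "198.51.100.5", "192.0.2.50", "192.0.2.77"
    key = b"constructed-demo-key"  # a real SA would take this from IKE
    tx_policy = {"omit": True, "spi": 0x1000, "seq": 0, "key": key, "self": coa, "peer": gw}
    tx_spd = {(coa, ha, IPPROTO_IPIP): tx_policy}
    rx_spd = {0x1000: {"recover": True, "key": key, "last_seq": 0,
                       "coa": coa, "home_agent": ha, "home_addr": hoa}}
    data = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    original = ipv4_header(hoa, cn, IPPROTO_UDP, len(udp)) + udp
    mobile_ip = ipv4_header(coa, ha, IPPROTO_IPIP, len(original)) + original

    stripped, policy = omit_header(mobile_ip, tx_spd)
    wire = ipsec_tunnel_send(stripped, policy)
    inner, rx_policy = ipsec_tunnel_receive(wire, rx_spd)
    recovered = recover_header(inner, rx_policy)
    try:
        ipsec_tunnel_receive(wire, rx_spd)  # same packet again: must be rejected
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"wire_len_omitted": len(wire),
            "wire_len_full": len(ipsec_tunnel_send(mobile_ip, policy)),
            "recovered_matches": recovered == mobile_ip,
            "replay_rejected": replay_rejected}

if __name__ == "__main__":
    print(run_demo())
```

Calling run_demo() shows the saving the abstract is after: for the same 5-byte payload the tunnelled packet is 93 bytes on the wire instead of 113, the 20-byte Mobile-IP header having been dropped and then rebuilt byte-for-byte at the gateway. The two checks in recover_header are the part a practitioner should not skip: the recovered header is a policy decision keyed by the authenticated security association, and the inner packet is only compared against that policy, so a peer who can send through the tunnel cannot choose the home agent the gateway forwards to on its behalf.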
Priority Claims (1)
Number       Date      Country   Kind
2006-027726  Feb 2006  JP        national