JP2003348171A - Packet switch device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To obtain a packet switch device which prevents lowering of the processing capability of a CPU. <P>SOLUTION: A security engine part 40 is provided in parallel with INF parts 1 to n in a form of an artificial INF part to provide a security engine function. Thus security processing in a CPU part 30 is eliminated, and lowering of the processing capability at the time of an increased data volume (the number of packets) and the packet processing capability is prevented. The security engine function is realized by the artificial INF part 40 to easily additionally extend a security function in the same way as additional extension of the INF parts 1 to n. <P>COPYRIGHT: (C)2004,JPO

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a packet switch device, and more particularly to an IP switch device having a security function and controlling transfer of IP packets in a network using an IP (Internet Protocol) protocol. .

[0002]

2. Description of the Related Art FIG. 11 shows a block diagram of a conventional IP switch device, and FIG. 12 shows a flow (flowchart) of a process when a packet a is input from a network to the conventional IP switch device. The technology related to such a conventional IP switch device is disclosed in Japanese Patent Laid-Open No. 11-20 / 1999.
No. 5309 or JP-A-2000-224219.

[0003] In FIG. 11, an IP switch device has INFs connected to a network (external).
(Network interface) units 1 to n, a CPU unit (control unit) 30 that controls the entire apparatus, and a switch unit 33 that receives control from the CPU unit 30 and connects the INF units 1 to n. . The INF units 1 to n include interface units 21 to 2n, which are hardware connected to a network, and switching tables 11 to 1n for switching control.

[0004] Further, the CPU unit 30 includes a key generation unit 31 for generating a key (key) for encryption / decryption, an IPSec (security processing) unit 42 for controlling security processing (encryption / decryption, authentication), and an INF unit 1. To n switching control switching tables 32.

Referring to FIG. 12, when a packet a is input to the INF unit 1 from the outside (network) of the IP switch device (step S1), the switching table 11 is referred to (step S2). Security processing (encryption / decryption, authentication) is required (step S
If 3 is YES), the security processing is performed by the CPU section 30, and the security packet b of the input packet is transferred to the CPU section 30 (step S20).

When security processing is required in the CPU section 30, security processing is performed in the IPSec section 42 (step S8). For the packet d after the security processing, the switching table 32 in the CPU unit 30 is referred to based on the header information of the packet d, the output destination, for example, the INF unit 3 is determined (step S9), and the packet d is output. The data is transferred to, for example, the INF unit 3 (step S10). When the packet d is input from the switch unit 33, the INF unit 3 outputs the packet e to the outside of the IP switch device (step S1).
1).

[0007] Further, the generation of a key required for the security processing is performed prior to the security processing in the key generation unit 31, and a key exchange is performed with a counterpart device (not shown) in advance. The generated key is transferred to the IPSec unit 42 and used for security processing.

[0008] The security processing referred to here is:
It covers encryption / decryption and authentication. In the case of encryption (encryption),
(Normal) The data (TCP (Transmission Control Protocol) header + payload (data)) portion of the packet (see FIG. 7) after the IP header is encrypted based on the key, and the encrypted header (ESP (ESP ( Encapsulating Securit
y Payload) header is added between the IP header and the encrypted data (see FIG. 8). In the case of decryption, contrary to the case of encryption, the encrypted payload (encrypted data) is decrypted (encrypted) based on the key, and the encrypted header (E
(SP header) is deleted.

In the case of authentication on the transmission side, authentication is performed on the entire packet based on a key, and the result is added to an authentication header (AH (Authentication Header) header) (see FIG. 9). Similarly, in the case of authentication on the receiving side, authentication is performed on the entire packet based on the key, and the authentication header (A
The authentication value added to the H header is compared to confirm the match, and the authentication header (AH header) is deleted.

[0010] In the conventional IP switch device, in the case of an (input) packet a requiring security processing, the CPU unit 3
0 for security processing to be performed,
It was necessary to transfer packet a to U section 30.

Further, normal packet processing is performed as follows. For example, when the packet a is input to the INF unit 1 from outside the IP switch device (step S1), the switching table 11 is referred to (step S1).
2). At this time, since security processing is not necessary (step S3: NO), the destination is determined from the protocol number, IP address number, port number, etc. of the input packet a. If there is a destination (step S4: YES), the packet c Is transferred to the output destination, for example, the INF unit 3 (step S5). In the INF unit 3, the switch unit 33
Is received, the packet c is output outside the IP switch device (step S6).

However, if there is no information corresponding to the input packet a in the switching table 11 (step S4: NO), the switching table 3
The input packet a is transferred to the CPU unit 30 because the destination search is performed in Step 2 (Step S12). CPU
The switching unit 32 in the CPU unit 30 based on the information of the header of the transferred packet b.
Is referred to, and the output destination, for example, the INF unit 3 is determined (step S13), and the output destination, for example, the INF unit 3
(Step S15). In the INF unit 3, when the packet d is input from the switch unit 33, the packet e is output to the outside of the IP switch device (Step S).
16).

The switching tables 11 to 1n of the INF units 1 to n are managed by the CPU unit 30, and the INF units 1 to n
Since there is no destination information in the switching tables 11 to 1n, the switching table information of the packet transferred to the CPU unit 30 is obtained from the switching table 32 of the CPU unit 30 by using the switching tables 11 to 1n of the transfer source INF units 1 to n. (Step S14), and from the next packet, the INF unit 1 is directly
To n are transferred.

[0014]

When an IP switch device has a security function (encryption / decryption, authentication),
Conventionally, a CPU has a security engine function, and security processing (encryption / decryption, authentication) is realized by software. In this case, the CPU performs from key generation to encryption / decryption, authentication, and packet transfer, and increases the data amount (the number of packets) as the CPU increases.
, There is a problem that the processing capacity of the CPU is reduced and the packet processing capacity is reduced. In addition, there is a possibility that the security processing may cause a risk that the system management processing of the device which should be performed by the CPU or the management of the session information is not performed.

An object of the present invention is to provide a packet switch device which prevents a reduction in the processing capability of a CPU.

[0016]

According to the present invention, there are provided a plurality of interface units having an interface function with a network, a switch unit for controlling packet transfer between these interface units, and a control unit for controlling these units. A packet processing apparatus comprising: a security processing unit configured to perform security processing of an input packet from the network by hardware different from the control unit. Can be

Further, a key generation unit for generating a key for encryption / decryption for the security processing is realized by the hardware. Further, the hardware unit is connected to the switch unit in parallel with the plurality of interface units.

The operation of the present invention will be described. A pseudo INF unit (security engine unit) is provided in parallel with the INF unit for a switch unit that controls packet transfer between INF units, and has a security engine function. This eliminates security processing in the CPU unit and prevents a decrease in CPU processing capacity and packet processing capacity when the data amount (the number of packets) increases. Also,
By realizing the security engine function in the pseudo INF unit, it is possible to easily add and extend the security function, similarly to the additional extension of the INF unit.

[0019]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing the configuration of an embodiment of an IP switch device according to the present invention.
The same parts as in FIG. 12 are denoted by the same reference numerals. In FIG. 1, an IP switch device according to the present invention is connected to INF (network interface) units 1 to n and INF units 1 to n respectively connected to a network (external), and a security engine unit ( A pseudo INF unit) 40, a CPU (information processing device; computer) unit 30 for controlling the entire IP switch device,
A pseudo INF unit 40 and a switch unit 33 that connects the INF units 1 to n under the control of the CPU unit 30.

The security engine unit (pseudo IN)
The F section) 40 includes a switching table 41 for switching control, and an IPSec (security processing) section 42 for controlling security processing (encryption / decryption, authentication). Further, the INF units 1 to n include interface units 21 to 2 n which are hardware connected to a network, and switching tables 11 to 1 n for switching control. Furthermore, the CPU unit 30 includes a key generation unit 31 that generates a key for encryption / decryption, and a switching control switching table 32 for the INF units 1 to n.

In FIG. 1, the CPU section 30 includes
It manages the units 1 to n, the security engine unit 40, and the switching tables 11 to 1n, 41, 32. The key information used in the security processing generated by the key generation unit 31 is obtained by exchanging a key with a counterpart device (not shown), and the key information is obtained by the IPSec of the security engine unit 40. Transfer to the unit 42.

The switch unit 33 transfers the packets transferred from the INF units 1 to n, the security engine unit 40 and the CPU unit 30 to the transfer destination INF units 1 to n, the security engine unit 40 and the CPU unit 30. I
The NF units 1 to n receive packets a from outside the IP switch device.
Is input, the destination is determined from the protocol number, the IP address number, the port number, etc. of the input packet a by referring to the switching tables 11 to 1n.
Transfer to 3. Also, the packet c,
When d is input, the packet e is output to the outside of the IP switch device.

The switching tables 11 to 1n, 41,
Reference numeral 32 identifies the encrypted packet and searches for the destination based on the protocol number, the IP address number, and the port number of the packet. 1 to 4, the encryption information and the destination information are defined in the same tables 11 to 1n, 41, and 32, but may be provided separately.

The interface units 21 to 2n perform input processing of a packet a input from outside the IP switch device,
The output processing of the packet e to the outside of the IP switch device of the packets c and b input from the switch unit 33 is performed. I
The Psec unit 42 performs security processing on a packet that requires security processing based on the key created by the key generation unit 31. The key generation unit 31 generates a key used for security processing. For key generation,
The method may be implemented by hardware or software, and the method of implementation is not limited.

The security engine unit 30 performs security processing on the packet b input from the switch unit 30 in the IPSec unit 42, refers to the switching table 41 after the security processing, and checks the output destination IN.
The F units 1 to n are determined and transferred to the switch unit 33.

The operation of the embodiment of the present invention will be described with reference to FIG. 10 which is a flowchart (FIG. 1). In FIG. 10, when a packet a is input from, for example, the INF unit 1 from outside the IP switch device (network) (step S1), the switching table 11 is referred to (step S2). If security processing (encryption / decryption, authentication) is required (YES in step S3), security processing is performed by security engine unit 40.
The security packet b of the input packet is transferred to the security engine unit 40 (Step S7).

When security processing is required, the security engine section 40 performs security processing in the IPSec section 42 (step S8). The packet d after the security processing refers to the switching table 41 in the security engine unit 40 based on the header information of the packet d, determines the output destination, for example, the INF unit 2 (step S9), and The data is transferred to the output destination INF unit 2 (step S10).

When the packet d is input from the switch unit 33, the INF unit 2 outputs the packet e to the outside of the IP switch device (step S11). In FIG. 1, the generation of the key required for the security process
The key generation unit 31 in the U unit 30 performs a key exchange with a counterpart device (not shown) in advance of security processing. The data is transferred to the IPSec unit 42 and used for security processing.

The security processing referred to here is:
It covers encryption / decryption and authentication. In the case of encryption (encryption),
(Normal) The data (TCP (Transmission Control Protocol) header + payload (data)) portion of the packet (see FIG. 7) after the IP header is encrypted based on the key, and the encrypted header (ESP (Encapsulating) Security
Payload) is added between the IP header and the encrypted data (see FIG. 8).

In the case of decryption, contrary to the case of encryption,
The encrypted payload (encrypted data) is decrypted (encrypted) based on the key, and the encrypted header (ESP header) is deleted. For sender authentication, the entire packet is
Authentication is performed based on the key, and the result is set in the authentication header (AH (A
uthentication Header) (see FIG. 9). In the case of authentication on the receiving side, the entire packet is similarly authenticated based on the key, and compared with the authentication value added to the authentication header (AH header) to confirm the match, and the authentication header (AH header) To delete.

In FIG. 10, normal packet processing is performed as follows. From outside the IP switch device
For example, when the packet a is input to the INF unit 1 (step S1), the switching table 11 is referred to (step S2). At this time, since security processing is not required (NO in step S3), the destination is determined from the protocol number, IP address number, port number, etc. of the input packet a. If there is a destination (YES in step S4), the input packet a Is transferred to the output destination INF unit 2 (step S
5).

However, if there is no information corresponding to the input packet a in the switching table 11 (NO in step S4), the switching table 3
In order to perform a destination search at 2, the input packet a is sent to the CPU.
Transfer to the unit 30 (step S12). The CPU 30 refers to the switching table 32 in the CPU 30 based on the information of the header of the transferred packet b,
The output destination, for example, the INF unit 2 is determined (step S1).
3) Transfer to the output destination INF unit 2 (step 15).
When the packet d is input from the switch unit 33, the INF unit 2 outputs the packet e to the outside of the IP switch device (Step S16).

The switching tables 11 to 1n of each of the INF units 1 to n are managed by the CPU unit 30. Packets transferred to the CPU unit 30 because the switching tables 11 to 1n of the INF units 1 to n do not have destination information. Is added to the switching tables 11 to 1n of the transfer source INF units 1 to n from the switching table 32 of the CPU unit 30 (step 14), and from the next packet, without passing through the CPU unit 30, Direct INF section 1
The packet transfer is performed during the interval n.

FIG. 2 is a block diagram showing the configuration of another embodiment of the IP switch device according to the present invention. In FIG. 2, the IP switch device according to the present invention uses the I switch shown in FIG.
As compared with the P switch device, the key generation unit 31 arranged in the CPU unit 30 is arranged instead of the switching table 41 of the security engine unit 40.

In this configuration, the key generation performed prior to the security processing is performed by the security engine unit 40, so that the transfer of the key to the IPSec unit 42 after the exchange of the key with the partner device is performed by the switch. This can be performed in the security engine unit 40 without going through the unit 33. As a result, the key generation is not managed by the CPU unit 30, so that the load on the CPU is reduced, and the switch unit 33 can also reduce the amount of packet processing. Further, as another advantage, a security function by key generation can be realized only by adding the security engine unit 40 to an IP switch device including the CPU unit 30 having no key generation unit 31.

In this case, however, it is necessary for the security engine unit 40 to perform the destination information and key exchange procedure processing. In the case of this configuration, the switching table 4
1 in the security engine unit 40,
To search for the destination again after decoding (decoding), it is necessary to transfer the decoded packet to another, for example, the INF unit 2 and search for the destination information in another, for example, the switching table 12 of the INF unit 2. The number of times of processing in the INF units 1 to n increases.

FIG. 3 is a block diagram showing the configuration of still another embodiment of the IP switch device according to the present invention. 3, the IP switch device according to the present invention has a configuration in which a key generation unit 31 arranged in the CPU unit 30 is additionally arranged in the security engine unit 40 as compared with the IP switch device shown in FIG.

In this configuration, the key generation performed prior to the security processing is performed by the security engine unit 40, so that the transfer of the key to the IPSec unit 42 after the exchange of the key with the partner device is performed by the switch. This can be performed in the security engine unit 40 without going through the unit 33.

Thus, management of key generation is performed by the CPU 30
Is not performed, the load on the CPU is reduced, and the switch unit 33 can also reduce the amount of packet processing. Further, as another advantage, a security function by key generation can be realized only by adding the security engine unit 40 to an IP switch device including the CPU unit 30 having no key generation unit 31.

However, in this case, it is necessary for the security engine unit 40 to perform the destination information and key exchange procedure processing. Further, in the case of this configuration, since the processing content in the security engine unit 40 is increased by the amount of the key generation processing,
The processing capability of the security processing itself may be reduced.

FIG. 4 is a block diagram showing the configuration of still another embodiment of the IP switch device according to the present invention. In FIG. 4, the IP switching device according to the present invention has a configuration in which the switching table 41 of the security engine unit 40 is deleted as compared with the IP switching device shown in FIG. In this configuration, the security engine unit 40
Does not have the switching table 41, the IPS
The destination search after the security processing in the ec unit 42 needs to be performed in another, for example, the INF unit 2.

Thus, for example, the number of times of processing in the INF unit 2 increases, but the configuration of the security engine unit 40 itself can be simplified.

FIG. 5 shows the switching tables 11-1.
n, 32, and 41, showing a protocol number,
It stores encryption information and destination information corresponding to the IP address and the port number, respectively. FIG. 6 shows one specific (setting) example of the switching tables 11 to 1n, 32, and 41. FIG. 7 shows the configuration of a normal packet, which is composed of an IP header containing a protocol number, an IP address, etc., a TCP header containing a port number, etc., and a payload as data.

FIG. 8 shows the structure of an encrypted (ESP) packet, which includes an IP header, an encrypted (ESP) header, an encrypted TCP header, and encrypted data (payload) as data. Be composed. FIG. 9 shows the configuration of an authenticated (AH) packet. An ordinary (AH) header and an authentication value are added to a normal packet.

[0045]

As described above, according to the present invention, even if the data amount (the number of packets) is increased by providing the security engine unit in the form of a pseudo INF unit in parallel with the INF unit, the present invention is not limited to this. There is an effect that it is possible to prevent a decrease in processing capacity and packet processing capacity. Also, by providing the security engine unit in the form of a pseudo INF unit, there is an effect that the security function can be easily added and extended using the existing INF unit interface.

[Brief description of the drawings]

FIG. 1 is a block diagram of an embodiment of the present invention.

FIG. 2 is a block diagram of another embodiment of the present invention.

FIG. 3 is a block diagram of still another embodiment of the present invention.

FIG. 4 is a block diagram of still another embodiment of the present invention.

FIG. 5 is a diagram showing a configuration of a switching table.

FIG. 6 is a diagram showing a specific example of a switching table.

FIG. 7 is a diagram showing a configuration of a normal packet.

FIG. 8 is a diagram showing a configuration of an encrypted packet.

FIG. 9 is a diagram showing a configuration of an authentication packet.

FIG. 10 is a flowchart of an embodiment of the present invention.

FIG. 11 is a block diagram of a conventional IP switch device.

FIG. 12 is a flowchart of a conventional IP switch device.

[Explanation of symbols]

1 to n INF section 11-1n, 32, 41 Switching table 21-2n interface 30 CPU section 31 Key generator 33 Switch section 42 IPSec section

Claims (3)

[Claims] 1. A packet switch device comprising: a plurality of interface units having an interface function with a network; a switch unit for controlling packet transfer between these interface units; and a control unit for controlling these units. A packet switch device, wherein a security processing unit for performing security processing of an input packet from the network is configured by hardware different from the control unit. 2. The packet switch device according to claim 1, wherein a key generation unit that generates a key for encryption / decryption for the security processing is realized by the hardware. 3. The packet switch device according to claim 1, wherein the hardware unit is connected to the switch unit in parallel with the plurality of interface units.