
WO2015174100A1 - Packet transfer device, packet transfer system, and packet transfer method - Google Patents


Info

Publication number
WO2015174100A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
address
frame
node
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2015/050618
Other languages
French (fr)
Japanese (ja)
Inventor
小林 浩
友貴 末廣
博史 八槇
佐々木 良一
洋一郎 上野
香 佐野
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tokyo Denki University
Original Assignee
Tokyo Denki University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tokyo Denki University
Priority to JP2016519125A
Publication of WO2015174100A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Definitions

  • the present invention relates to a packet transfer device, a packet transfer system, and a packet transfer method.
  • IP address spoofing: according to an announcement by the National Police Agency, about 97% of the botnet attacks observed in 2012 were SYN (Synchronize) flood attacks and UDP (User Datagram Protocol) flood attacks, and their common feature was that the source IP address was spoofed (hereinafter, IP address spoofing or address spoofing). Countermeasures against IP address spoofing are therefore expected to be highly effective against cyber attacks.
  • IP address spoofing succeeds because routing on the Internet looks only at the destination IP address of a packet.
  • One of the ingress filtering technologies that tries to keep IP-address-spoofed packets from entering the Internet is uRPF (Unicast Reverse Path Forwarding), which checks whether the source address of a received packet exists as route information in the routing table.
  • IEEE 802.1X: there is the IEEE 802.1X standard, which grants communication permission to a port only after authentication, so that terminals other than the intended ones do not access the network.
  • Some products add a MAC-address-based ingress filtering function to prevent frames from being sent by unauthenticated terminals through a repeater hub. However, if a terminal that has already been granted permission is infected with a bot virus or the like and transmits IP-address-spoofing packets, the authenticating LAN switch cannot prevent it.
  • DHCP (Dynamic Host Configuration Protocol)
  • IP traceback technology, which tries to identify the source of an IP-address-spoofing packet
  • SDN (Software Defined Network)
  • ISP (Internet Service Provider)
  • Cyber attacks are a problem of the entire Internet, and if IP address spoofing countermeasures are introduced only partially, their effect is insignificant. It seems extremely difficult to ask almost all of the countless ISPs, organizations and general users to introduce countermeasures.
  • TCP/IP (Transmission Control Protocol / Internet Protocol), DNS (Domain Name System), e-mail, etc.
  • Internet culture holds that information, which is the foundation of government, should be widely disclosed; it dislikes intervention by governments, bureaucrats and large corporations ("power is domineering and untrustworthy"); and it treats cracking as forbidden.
  • The Internet, which is rooted in democracy, is based on the sensible actions and behavior of its users, and there is no mechanism or organization that monitors or restricts usage.
  • IETF Internet Engineering Task Force
  • ICANN Internet Corporation for Assigned Names and Numbers
  • The idea is that the Internet is open but unprotected, and cracking that exploits this should be strictly disciplined.
  • An IP-address-spoofing packet is a packet intended for some kind of cracking action, whether or not the sender is aware of it. In other words, taking measures to keep IP-address-spoofing packets from entering the Internet is in line with Internet culture.
  • The world of the Internet consists of contracts: secondary and tertiary ISPs and users are connected under a limited number of primary ISPs. Therefore, if a primary ISP recognizes the cost-effectiveness of the present invention and decides to introduce it, the introduction can be defined as a contract clause that covers subordinate ISPs, organizational users and general users.
  • Nodes (used as a generic term) include a PC 26 used by a so-called general user, a smartphone 24 used as a portable terminal, a server 13 used as a stepping stone for cyber attacks, broadband routers, and IoT (Internet of Things) devices.
  • In the damage caused by address spoofing, such a node sets the spoofed source IP address to the IP address of the attack target, so that the machines connected to the Internet 10 that are mainly attacked by other machines, i.e. M-to-M (Machine to Machine) terminals, suffer DRDoS (Distributed Reflection Denial of Service) attacks.
  • Address-spoofed packets are also sent when a device bypasses the router, or when a personal computer is connected directly to the WAN line and sends attack packets. Since these leak out to the outside (Internet 10), such devices are also nodes that the address spoofing countermeasures must cover.
  • The network is a set of nodes including the iMLBR 11 and the eMLBR 12.
  • A set of nodes, that is, a network, can itself be regarded as a node, and a set of such nodes can again be treated as a network. That is, the Internet 10 has a hierarchical and recursive structure. Therefore, even a network with the above-mentioned "connect anything" policy (Untrusted Internet 21) that is connected to the Internet 10 via an existing router not according to the present invention (neither iMLBR 11 nor eMLBR 12) can simply be regarded as one of the untrusted nodes.
  • The Internet 10 has an HRS 23 (Home RADIUS (Remote Authentication Dial In User Service) Server) that functions as the home authentication server.
  • Measures that monitor and control ISPs operating under various policies, organizations and general users, that enforce policies on them, or that expose them through IP traceback are unacceptable. Instead, whether or not the source IP address is spoofed is checked at the exit on the user side and at the entrance of the Internet 10, and an address-spoofed packet is reliably blocked there.
  • The problem is therefore to provide a versatile and technically feasible measure that does the minimum necessary to block attack packets and illegal packets before they flow in.
  • The present invention prevents address-spoofing packets from flowing into the Internet 10 regardless of whether they are sent from a terminal that has a supplicant making an authentication request, from a terminal that has no supplicant but whose authenticity is nevertheless verified, or from a completely defenseless terminal that has neither OS upgrades nor a firewall function.
  • Attack packets and illegal packets that have passed through the above countermeasures and flowed into the Internet 10 are prevented from flowing out to the Internet 10 and from flowing into it, in response to a request from the node that detected them.
  • The present invention manages, in the packet transfer device (iMLBR and eMLBR), the correspondence between the port or channel identification information, the source physical (so-called MAC) address and the source logical (so-called IP) address. It then checks whether this correspondence exists, using the identification information of the port or channel that received the frame/packet as the key, and a packet for which no correspondence exists is regarded as an address-spoofing packet and discarded. Further, a discard table is generated and updated in response to a request from a node that has detected an attack packet or illegal packet that passed the above measure and flowed into the Internet, and packets matching the discard table are discarded.
  • The packet transfer apparatus comprises: a plurality of ports or a plurality of channels accommodating at least one node or at least one entity that encapsulates packets in frames; a multi-layer binding table that stores the correspondence between the identification information of the port or channel, the source physical address of the frame transmitted by the node or entity, and the source logical address of the packet extracted by decapsulating the frame;
  • and a transfer unit that searches the multi-layer binding table using the port or channel that received the frame as the key and, when the pair of source physical address and source logical address of the frame exists in the binding table, encapsulates the packet extracted from the frame and transfers it to the next-hop node toward the destination logical address of the packet, and discards the packet when the pair does not exist in the multi-layer binding table.
  • Alternatively, the packet transfer apparatus comprises: a plurality of ports or a plurality of channels accommodating at least one node or at least one entity that encapsulates packets in frames; a multi-layer binding table that stores the correspondence between the identification information of the port or channel, the source physical address of the frame transmitted by the node or entity, and the source logical address of the packet extracted by decapsulating the frame;
  • and a transfer unit that searches the multi-layer binding table using the port or channel that received the frame as the key and, when the pair of source physical address and source logical address of the frame exists in the binding table, transfers the packet extracted from the frame to a router that forwards it toward the destination logical address, and discards the packet when the pair does not exist in the multi-layer binding table.
  • The packet transfer apparatus may further comprise a control unit that receives an authentication request packet or frame, sent together with the identification information of the receiving port or channel from the transfer unit of another packet transfer apparatus connected in advance, mediates the authentication request to the authentication server, obtains the authentication result from the authentication server, sets the communication service quality determined from the authentication result as an item stored in the multi-layer binding table, checks the existence of the node or entity that made the authentication request via the port or channel, updates the multi-layer binding table, and transmits the multi-layer binding table to the transfer unit of the other packet transfer apparatus; that transfer unit may then update its own multi-layer binding table with the table transmitted from the control unit.
  • The transfer unit may update its discard table on receiving a discard request from any node or entity connected to a port or channel, or by periodically accessing a predetermined node or entity and acquiring the discard request, and may discard frames or packets that match the discard table.
  • The transfer unit and the control unit may cooperate so that, in response to an address resolution request frame addressed to the own apparatus and broadcast by the node or entity, an address resolution request frame is broadcast back to the node or entity from the same port or channel, and the authenticity of the physical address and logical address of the node or entity is verified by comparing the pair of source physical address and source logical address of the address resolution response frame returned via that port or channel with the pair of source physical address and source logical address of the original address resolution request frame addressed to the own apparatus.
  • When the node or entity has a fixed process identification address, the control unit and the transfer unit may also store that process identification address in the multi-layer binding table.
  • DHCP (Dynamic Host Configuration Protocol), layer 2 switch, W-LAN (Wireless Local Area Network)
  • When a packet transmitted by an authenticated node or entity is received, the transfer unit or the control unit may write a predetermined value, according to the communication protocol of the packet, into a predetermined field of the received packet; when a packet transmitted by an unauthenticated node or entity is received, that field may be reset.
  • The packet transfer system comprises a packet transfer device arranged on the Internet user side and a packet transfer device arranged on the Internet side, and the packet transfer device arranged on the Internet side prevents an address-spoofed packet that bypasses or passes through the packet transfer device on the user side from flowing into the Internet.
  • The packet transfer method comprises: searching a multi-layer binding table, which stores the correspondence between the identification information of a plurality of ports or channels accommodating at least one node or entity that encapsulates packets in frames, the source physical address of the frame transmitted by the node or entity, and the source logical address, using the identification information of the port or channel on which the frame arrived as the key; and a transfer procedure that, when the pair of source physical address and source logical address of the frame exists in the binding table, encapsulates the packet extracted from the frame into a frame and transfers it to the next-hop node toward the destination logical address of the packet, and discards the packet when the pair does not exist in the multi-layer binding table.
  • Alternatively, the packet transfer method comprises the same search of the multi-layer binding table, keyed by the identification information of the port or channel on which the frame arrived, and a transfer procedure that, when the pair of source physical address and source logical address of the frame exists in the binding table, transfers the packet extracted from the frame to a router that forwards it toward the destination logical address, and discards the packet when the pair does not exist in the binding table.
  • When the packet transfer device according to the present invention is deployed as a so-called edge router (iMLBR 11) at the edge of the Internet 10, address-spoofing packets, attack packets and illegal packets are prevented from flowing into the Internet 10. When it is deployed as a so-called broadband router or the like (eMLBR 12) on the Internet user side, the outflow of address-spoofing packets, attack packets and illegal packets to the Internet 10 is prevented.
  • iMLBR 11: edge router; eMLBR 12: broadband router or the like.
  • Shows an example of the block diagram of the network according to this embodiment.
  • Shows an example of the block diagram of the eMLBR according to this embodiment.
  • Shows an example of the block diagram of the iMLBR according to this embodiment.
  • Shows an example of the components of a network having several communication functions according to this embodiment.
  • Shows an example of authentication between a node not compatible with IEEE 802.1X and the eMLBR using ARP reflection according to this embodiment, and the uplink packet transfer sequence.
  • Shows an example of the block diagram for the communication procedure according to this embodiment.
  • Shows an example of the table used in the communication procedure according to this embodiment.
  • Shows the evaluation result of applying the packet transfer method according to this embodiment.
  • Shows an example of the structure of a network having several communication functions according to this embodiment.
  • 4 shows an example of an authentication and uplink packet transfer sequence between an IEEE 802.1X compatible node and an eMLBR according to the present embodiment.
  • 2 shows an example of a network having a plurality of communication functions according to the present embodiment.
  • Shows an example of the mutual authentication between an eMLBR-R (for general homes) and an iMLBR and the uplink packet transfer sequence according to this embodiment.
  • Shows an example of the structure of a network having several communication functions according to this embodiment.
  • Shows an example of the structure of a network having several communication functions according to this embodiment.
  • Shows an example of the evaluation environment for the responsiveness evaluation of a TV online data service under bandwidth limitation according to this embodiment.
  • Shows an example of the flow table for the responsiveness evaluation of the TV online data service according to this embodiment.
  • Shows the evaluation result of the responsiveness evaluation of the TV online data service according to this embodiment.
  • Shows the evaluation result of the responsiveness evaluation of the TV online data service according to this embodiment.
  • Shows an example of the sequence of operations between an IEEE 802.1X compatible terminal and the eMLBR 12 according to this embodiment.
  • Shows an example of adapting the packet transfer system according to this embodiment to IPv6.
  • Shows an example of the block diagram of the network according to this embodiment.
  • Internet: generally, computers interconnected via a digital transmission medium are called a computer network or a physical network.
  • The proper noun for the internetwork open to the whole world that interconnects computer networks operated by ISPs is the Internet (The Internet), which provides a packet communication service using the TCP/IP protocol suite.
  • Home routers (eMLBR) are connected to the edge router (iMLBR) over private lines or public access lines (telephone lines, ISDN lines, ADSL lines, optical lines, wireless lines, etc.) or over the NGN (Next Generation Network).
  • Packet: a transfer unit (PDU: Protocol Data Unit) in layer 3 (the network layer) for communication between end nodes, containing a source logical address, a destination logical address, a packet type and user data. IP packets as standardized in RFC 791 and ITU-T Recommendation X.25 packets are included.
  • Frame: on the receiving side, the frame is decapsulated (including error checking, message authentication by MACsec or the like, and decryption of an encrypted payload) and the packet is extracted.
  • PPP (Point-to-Point Protocol), HDLC (High-Level Data Link Control), ATM (Asynchronous Transfer Mode)
  • Node: used as a generic term for a host that generates and transmits/receives user packets and for a router or layer 3 switch that relays and forwards packets without generating user packets. Furthermore, since the Internet has a hierarchical and recursive structure, a network, which is a set of nodes, can be treated as a node; in this specification a network is also treated as one of the "nodes".
  • Entity: vendor-specific entities such as users, processes, clients, servers, mail accounts, NetBIOS names, host names, etc., and groups composed of them.
  • Port: a physical port (a so-called LAN switch or router port), a virtual port configured by software on an existing physical connection, an interface for inputting/outputting data to/from the outside, etc. Ports are identified and managed by identification information within each device.
  • Channel: channel identification information such as the Secure Channel Identifier (SCI) of a secure channel that can be identified using a shared key, as in MACsec; a source MAC address may also be used as channel identification information. Others include the channels, slots, connections, sessions, flow labels, etc. assigned to nodes and entities using the time slots, spreading codes or resource blocks of TDMA, CDMA, OFDMA and the like used in mobile communications; these are identified and managed across multiple devices.
  • Multi-layer binding router (MLBR): a term used to describe the characteristics of the packet transfer apparatus according to the present invention. An MLBR arranged on the user side that prevents the outflow of address-spoofing packets, attack packets and illegal packets to the outside (Internet) is called an eMLBR (egress MLBR), and an MLBR arranged as a so-called edge router at the edge of the Internet that prevents the inflow of address-spoofing packets, attack packets and illegal packets into the Internet is called an iMLBR (ingress MLBR).
  • eMLBR variants: an eMLBR-R (Residence) is installed at home, an eMLBR-O (Organization) is deployed in organizations such as companies, an eMLBR-C (Data Center) in data centers, an eMLBR-W (W-LAN Spot Service) for wireless LAN spot services, an eMLBR-S (Sensor Network) for wireless sensor networks and IoT, and an eMLBR-M (Mobile Network) for mobile communication networks.
  • Multi-layer binding (MLB) table: a table that binds port or channel identification information, a source physical address (a data link layer address such as a so-called MAC address, or the VPI (Virtual Path Identifier)/VCI (Virtual Channel Identifier) used in ATM), a source logical address (a layer 3 (network layer) address such as an IPv4 address, an IPv6 address or a carrier-specific address), and a predetermined expiration time (for example, 4 hours). A source process identification address may also be added to the MLB table.
  • Discard table: a table generated and updated from discard request information sent by the victim node ReN that is the main target of a cyber attack, by a node DeN that analyzes packets sent from ReN or has itself detected a packet that appears to be a cyber attack and recognizes the attack or damage, or by a node ShN that distributes the discard request information to the entire Internet.
  • IEEE 802.1X: an authentication standard used when connecting to a wired LAN or wireless LAN, which allows only authorized nodes and entities to connect to the network.
  • In the present invention, authentication according to IEEE 802.1X is not limited to a LAN switch (data link layer) but is also applied to a packet transfer device (network layer) such as a layer 3 switch or a router.
  • IEEE 802.1X authentication methods include MD5 (Message Digest Algorithm 5), LEAP (Lightweight Extensible Authentication Protocol), TLS (Transport Layer Security) and PEAP (Protected EAP).
  • Supplicant: the device, software or entity on the authentication-requesting, authenticated or client side in the authentication of nodes or entities on a network. Windows 2000 (SP4), Windows XP and later versions of Windows, and Mac OS X have a built-in supplicant function compatible with IEEE 802.1X (Windows is a registered trademark).
  • Authenticator: acts as a proxy that receives requests from supplicants, mediates the exchange with the authentication server, and determines whether the supplicant may connect and at what communication service quality level.
  • Authentication server: verifies the authenticity of nodes or entities (mutually) using a client ID and password or a digital certificate, and notifies the authenticator whether to allow access from the client. Examples are RADIUS (Remote Authentication Dial In User Service), LDAP (Lightweight Directory Access Protocol) and HLR (Home Location Register).
  • Communication service quality (QoS, Quality of Service): confidential communication, bandwidth limitation, bandwidth guarantee, delay/jitter guarantee, censorship, destination IP address restriction, restriction of permitted protocols, connection rejection, recording of communication content, etc.
  • SDN (Software Defined Network): a network, and the concept of a network, whose configuration, functions and performance can be set and changed dynamically by software. OpenFlow, which is being developed with load balancing in cloud computing in mind, is one of the technical standards for realizing SDN; it consists of an "OpenFlow controller" that performs path control, an "OpenFlow switch" that performs the data transfer function, and the "OpenFlow protocol" for communication between the controller and the switch.
  • ARP reflection: a function defined in the present invention for simply verifying the authenticity of the logical and physical addresses of nodes or entities that do not support IEEE 802.1X (so-called smart home appliances such as digital televisions, existing home routers, IoT devices, etc.) and blocking address-spoofing packets. Specifically, a node transmits an ARP (Address Resolution Protocol) request packet toward the default gateway (DGW) via its port or channel, triggered by communication with another network, but the node may be spoofing its address. The eMLBR or iMLBR functioning as the DGW therefore sends an ARP request for the claimed address back through the same port or channel to the node that sent the request. This transmission is called ARP reflection.
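The ARP reflection check defined here, and the transfer unit / control unit cooperation clause in the summary above, modelled as an added example; this is not code from the patent or its inventors. The gateway, port names, addresses and station behaviour are constructed for illustration, ARP messages are Python objects rather than real frames, and the handling of the no-reply, conflict and self-answer cases is an assumption, since the specification does not spell those cases out.

```python
"""Added example (not the patent's own code): a model of ARP reflection at a
default gateway (eMLBR/iMLBR). Addresses, port names and node behaviour are
constructed for illustration; handling of the no-reply, conflict and
self-answer cases is an assumption, not something the specification defines."""
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpMsg:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class Node:
    mac: str                     # real hardware address
    ip: str                      # IP address the node actually owns
    claim_ip: str | None = None  # spoofed source IP it presents to the gateway, if any
    forge_replies: bool = False  # attacker that also answers the reflected request for claim_ip

    def request_to_gateway(self, gw_mac: str, gw_ip: str) -> ArpMsg:
        # The ARP request a node sends when it first talks to another network.
        return ArpMsg("request", self.mac, self.claim_ip or self.ip, gw_mac, gw_ip)

    def on_request(self, msg: ArpMsg) -> ArpMsg | None:
        owns = msg.target_ip == self.ip
        forged = self.forge_replies and msg.target_ip == self.claim_ip
        if owns or forged:
            return ArpMsg("reply", self.mac, msg.target_ip, msg.sender_mac, msg.sender_ip)
        return None


class Gateway:
    """The eMLBR/iMLBR acting as default gateway for several ports."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.ports: dict[str, list[Node]] = {}           # port id -> nodes on that segment
        self.mlb: dict[str, set[tuple[str, str]]] = {}   # port id -> verified (MAC, IP) pairs

    def attach(self, port: str, node: Node) -> None:
        self.ports.setdefault(port, []).append(node)

    def arp_reflect(self, port: str, req: ArpMsg) -> str:
        """Verify the (MAC, IP) pair claimed in an ARP request that arrived on `port`."""
        if req.op != "request" or req.target_ip != self.ip:
            return "ignored"
        claimed = (req.sender_mac, req.sender_ip)
        # Reflection: ask the same port/segment who owns the claimed sender IP.
        probe = ArpMsg("request", self.mac, self.ip, BROADCAST, req.sender_ip)
        replies = [r for node in self.ports.get(port, []) if (r := node.on_request(probe))]
        if not replies:
            return "unverified:no-reply"       # nobody on this segment owns the claimed IP
        if len(replies) > 1:
            return "unverified:conflict"       # two stations answer for one IP
        if (replies[0].sender_mac, replies[0].sender_ip) != claimed:
            return "unverified:mismatch"       # the IP belongs to a different MAC
        self.mlb.setdefault(port, set()).add(claimed)
        return "verified"


def demo() -> dict[str, str]:
    """Constructed segments: honest and spoofing stations on three ports."""
    gw = Gateway("02:00:00:00:00:01", "192.0.2.1")
    # Real owner of 192.0.2.60 on port3; it never sends a request in this demo.
    gw.attach("port3", Node("aa:bb:cc:00:00:60", "192.0.2.60"))
    requesters = {
        "honest":    ("port1", Node("aa:bb:cc:00:00:10", "192.0.2.10")),
        "spoofer":   ("port1", Node("aa:bb:cc:00:00:20", "192.0.2.20", claim_ip="192.0.2.10")),
        "stray":     ("port1", Node("aa:bb:cc:00:00:30", "192.0.2.30", claim_ip="203.0.113.9")),
        "forger":    ("port2", Node("aa:bb:cc:00:00:40", "192.0.2.40", claim_ip="203.0.113.9",
                                    forge_replies=True)),
        "contender": ("port3", Node("aa:bb:cc:00:00:70", "192.0.2.70", claim_ip="192.0.2.60",
                                    forge_replies=True)),
    }
    for port, node in requesters.values():
        gw.attach(port, node)
    return {name: gw.arp_reflect(port, node.request_to_gateway(gw.mac, gw.ip))
            for name, (port, node) in requesters.items()}
```

In `demo()` the honest station is verified and entered in the MLB table for its port, the station claiming a neighbour's address fails with a MAC mismatch, the station claiming an address nobody on the segment owns gets no reply, and two answers for one address are treated as a conflict. The `forger` case shows the limit of the check: a station that answers the reflected request for its own claimed address passes, so reflection verifies consistency on the segment rather than identity, which is why the specification binds the result to the receiving port, expires it, and uses IEEE 802.1X where the node supports it.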
  • FIG. 2 shows a configuration example of the egress multi-layer binding packet transfer apparatus eMLBR according to the present embodiment, and FIG. 3 shows a configuration example of the ingress multi-layer binding packet transfer apparatus iMLBR. The eMLBR 12 and the iMLBR 11 each function as a packet transfer device.
  • FIG. 2 shows an example in which almost all functions required by the eMLBR 12 deployed on the user side are implemented; for the eMLBR-R, eMLBR-O, eMLBR-C, eMLBR-W, eMLBR-S, eMLBR-M and so on, the functions are selected and implemented according to their use.
  • The packet transfer apparatus according to the present embodiment may have an integrated structure with functions such as DHCP, W-LAN and layer 2/VLAN switching, which yields a packet transfer apparatus that is easy to manage as a network. Alternatively, DHCP, W-LAN, layer 2/VLAN switching and the like may be deployed as separate devices.
  • When used as an egress multi-layer binding filtering device placed in front of an existing router, the functional unit for routing is not implemented or is stopped.
  • The transfer unit 14 of the eMLBR 12 functioning as a packet transfer device searches the MLB table using the port or channel that received the frame/packet as the key. When the pair of source physical address and source logical address of the frame/packet is present in the MLB table, the packet is transferred to the router that forwards it toward its destination logical address; when the pair is not present in the MLB table, the packet is discarded.
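The per-frame decision of the transfer unit just described, which is the same lookup stated in the summary, in the method claims and in the definitions of the MLB table and the discard table above, as an added example; this is not the patent's or the inventors' code. The class names, frame fields, sample addresses and the adjustable clock are assumptions made for illustration; the 4-hour expiry is the example value given in the MLB table definition; treating an expired binding the same as a missing one, and scoping a discard entry to a source or destination prefix with its own validity period, are assumptions about details the specification leaves open.

```python
"""Added example (not the patent's own code): a minimal model of the
multi-layer binding (MLB) table and discard table lookups performed by the
transfer unit. Class names, frame fields and sample traffic are assumptions
made for illustration; the 4-hour expiry is the specification's example value."""
from __future__ import annotations
import ipaddress
import time
from dataclasses import dataclass

MLB_TTL_SECONDS = 4 * 3600  # example expiry from the specification (4 hours)


@dataclass
class Binding:
    mac: str
    ip: str
    expires_at: float
    qos: str = "default"  # communication service quality chosen by the control unit


@dataclass
class Frame:
    """The fields the transfer unit extracts: ingress port/channel id, layer-2
    source address, layer-3 source and destination addresses."""
    ingress_port: str
    src_mac: str
    src_ip: str
    dst_ip: str


class FakeClock:
    """Adjustable clock so expiry can be exercised without waiting 4 hours."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class MLBTransferUnit:
    def __init__(self, clock=time.time):
        self.clock = clock
        # MLB table: ingress port/channel -> {(src_mac, src_ip): Binding}
        self.mlb: dict[str, dict[tuple[str, str], Binding]] = {}
        # Discard table: (direction, prefix, expires_at) from ReN/DeN/ShN requests (assumed shape)
        self.discard: list[tuple[str, ipaddress.IPv4Network, float]] = []

    # Updates the control unit pushes after IEEE 802.1X authentication or ARP reflection.
    def bind(self, port: str, mac: str, ip: str, qos: str = "default",
             ttl: float = MLB_TTL_SECONDS) -> None:
        ipaddress.ip_address(ip)  # reject malformed entries early
        self.mlb.setdefault(port, {})[(mac.lower(), ip)] = Binding(
            mac.lower(), ip, self.clock() + ttl, qos)

    def discard_request(self, direction: str, prefix: str, ttl: float) -> None:
        if direction not in ("src", "dst"):
            raise ValueError("direction must be 'src' or 'dst'")
        self.discard.append((direction, ipaddress.ip_network(prefix), self.clock() + ttl))

    # The per-frame decision: key is the receiving port, value the (MAC, IP) pair.
    def decide(self, frame: Frame) -> str:
        now = self.clock()
        binding = self.mlb.get(frame.ingress_port, {}).get(
            (frame.src_mac.lower(), frame.src_ip))
        if binding is None or binding.expires_at <= now:
            # No live (port, MAC, IP) correspondence: treated as an address-spoofing packet.
            return "DISCARD:no-binding"
        src, dst = ipaddress.ip_address(frame.src_ip), ipaddress.ip_address(frame.dst_ip)
        for direction, net, expires_at in self.discard:
            if expires_at <= now:
                continue
            if (direction == "src" and src in net) or (direction == "dst" and dst in net):
                return "DISCARD:discard-table"
        return f"FORWARD:{binding.qos}"

    def purge_expired(self) -> None:
        now = self.clock()
        for port in list(self.mlb):
            self.mlb[port] = {k: b for k, b in self.mlb[port].items() if b.expires_at > now}
        self.discard = [d for d in self.discard if d[2] > now]


def demo() -> list[str]:
    """Constructed traffic: one authenticated host on port1, then a spoofed
    source IP, the same MAC/IP pair replayed from another port, a discard-table
    hit, and the original host after its binding has expired."""
    clock = FakeClock()
    unit = MLBTransferUnit(clock)
    unit.bind("port1", "AA:BB:CC:00:00:01", "192.0.2.10", qos="bandwidth-limited")
    frames = [
        Frame("port1", "aa:bb:cc:00:00:01", "192.0.2.10", "198.51.100.5"),   # legitimate
        Frame("port1", "aa:bb:cc:00:00:01", "203.0.113.7", "198.51.100.5"),  # spoofed source IP
        Frame("port2", "aa:bb:cc:00:00:01", "192.0.2.10", "198.51.100.5"),   # wrong ingress port
    ]
    results = [unit.decide(f) for f in frames]
    # An assumed victim node ReN asks to drop traffic towards its prefix for 10 minutes.
    unit.discard_request("dst", "198.51.100.0/24", ttl=600)
    results.append(unit.decide(frames[0]))
    clock.now += MLB_TTL_SECONDS + 1  # the binding lapses (and so does the discard entry)
    results.append(unit.decide(frames[0]))
    return results
```

`demo()` yields, in order, a forward with the QoS the control unit attached, two discards because the (MAC, IP) pair is absent for that port, a discard from the discard table, and a discard once the 4-hour binding has lapsed. The lookup is keyed on the receiving port first, so the same MAC/IP pair presented on a different port is not trusted; that is the property that stops a bot on one segment from borrowing a neighbour's authenticated addresses.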
  • The eMLBR 12 also includes a control unit 15. The control unit 15 comprises: a reception unit that receives processing requests, i.e. packets or frames such as DHCP requests, address resolution requests and authentication requests, sent from the transfer unit 14 together with the identification information of the receiving port or channel; an authentication unit that authenticates nodes not compatible with IEEE 802.1X, such as digital TVs and IoT devices, using ARP reflection, and authenticates the iMLBR 11 mutually by exchanging digital certificates; an authentication mediation unit that, acting as the authenticator, mediates requests to the authentication server; an authentication result acquisition unit that acquires the authentication result from the authentication unit and the authentication server; an MLB table generation/updating unit that generates and updates, as the MLB table, the correspondence between port or channel identification information, source physical address, source logical address and the like together with its validity period; an existence checking unit that checks the existence of a node or entity to which communication has been permitted and updates the validity period in the MLB table; an encryption key generation/exchange unit that generates and exchanges encryption keys using MACsec or the like; a discard table generation/updating unit that generates and updates the discard table and its validity period from discard requests received from other nodes; a QoS determining unit that determines the communication service quality from the authentication result (authentication level); a table generation unit that generates the DHCP table and the NAT table in response to DHCP requests; a processing result transmission unit that transmits the processing results of these functional units, the ARP request packets for ARP reflection generated by the authentication unit, the existence confirmation packets generated by the existence checking unit, and the like to the transfer unit 14; and other functions not shown in the figure but required to control the transfer unit 14, such as the layer 2/VLAN switch unit, IPsec tunnel mode support, an integrity check function that checks whether the control program or the tables of the eMLBR 12 have been tampered with by an illegal intrusion, and a version upgrade function for fixing security holes discovered after implementation or for adding functions.
  • the eMLBR 12 further includes a transfer unit 14, which includes: a port unit providing physical ports (or a channel unit providing multiple channels) for the communication systems required for wired (Ethernet (Ethernet is a registered trademark), optical signal, etc.) or wireless (wireless LAN, mobile communication, etc.) communication, a physical signal reception / decoding unit, a physical signal generation / transmission unit, an encryption / decryption unit, a reception buffer unit and a transmission buffer unit that temporarily buffer packets or frames, a frame decapsulation unit that extracts packets from received frames and a frame encapsulation unit that performs the reverse, a layer 2 / 3 / 4 address extraction unit that extracts the source and destination physical addresses, logical addresses, and process identification addresses of received frames and packets, a QoS providing unit that provides the communication service quality specified for a port or channel, a layer 2 switch and a layer 2 / VLAN switch unit providing the VLAN function, an MLB table unit storing the MLB table, a discard table unit storing the discard table, a packet discarding unit that searches the MLB table and the discard table and discards packets, a layer 3 switch unit that performs packet forwarding by referring to the routing table,
  • and a processing request transmission unit that transmits frames or packets such as DHCP requests, address resolution requests, and authentication requests to the reception unit of the control unit 15 to request processing.
  • FIG. 3 is a diagram showing an example in which almost all functions necessary for the iMLBR 11 deployed at the edge of the Internet 10 are implemented. Since the function of each functional unit is almost the same as that of the eMLBR 12 in FIG. 2, detailed description is omitted, except that the NAT function and the layer 2 / VLAN function are in principle unnecessary. Further, the packet transfer apparatus according to the present embodiment may have an integrated structure including various functions such as DHCP; in this case a packet transfer apparatus that makes network management easy can be provided. On the other hand, DHCP and the like may be deployed as separate devices, although network management then becomes more complicated.
  • when the device is placed in front of an existing router as an ingress multi-layer binding filtering device, the functional units related to the routing function may be left unimplemented or stopped.
  • the transfer unit 14 of the iMLBR 11 functioning as a packet transfer device searches the MLB table using the port or channel that received the frame / packet as a key; when the pair of the frame's / packet's source physical address and source logical address exists in the MLB table, the packet is transferred to the router that forwards it toward its destination logical address, and when the pair does not exist in the MLB table, the packet is discarded.
  • the iMLBR 11 includes a control unit 15, which performs authentication of nodes that do not support IEEE 802.1X, or mutual authentication by exchanging digital certificates between the eMLBR 12 and the iMLBR 11.
  • the iMLBR 11 includes a transfer unit 14, whose physical signal reception / decoding unit and generation / transmission unit have the functions necessary for wired (Ethernet (Ethernet is a registered trademark), optical signal, etc.) or wireless (wireless LAN, mobile communication, etc.) communication.
  • FIG. 4 shows the configuration of the network according to this embodiment.
  • the network configuration shown in FIG. 4 includes the Internet 10 containing the iMLBR 11, an IEEE 802.1X-incompatible node, and the eMLBR 12.
  • the sequence diagram in FIG. 5 shows an authentication and uplink packet transfer sequence, using ARP reflection, between the eMLBR 12 and an IEEE 802.1X non-compliant node such as a digital television.
  • FIG. 5 describes a user MAC frame / IP packet that is transmitted from a node toward an external network (Internet 10).
  • the exchange of the DHCP protocol and the like is described in a simplified manner in the present embodiment (for example, the four exchanges DHCP Discover → DHCP Offer → DHCP Request → DHCP ACK).
  • descriptions of the functional units of the transfer unit 14 and the control unit 15 related to each step are also omitted.
  • the node broadcasts a DHCP request packet (step S111).
  • the eMLBR 12 that has received the DHCP request provisionally registers, in the MLB table A of the control unit 15, the correspondence between the identification information of the receiving port, the MAC address of the node, and the private IP address to be assigned (step S112).
  • the node receives a DHCP response packet assigning an IP address together with the information necessary for connecting to the network, such as the netmask and the IP address of the DGW (eMLBR 12) (step S113).
  • the node that has received the DHCP response broadcasts an ARP request packet for requesting resolution of the DGW address (step S114).
  • since the node should return an ARP response to an ARP request from the eMLBR 12 if it has not spoofed its address, the eMLBR 12 that has received the ARP request packet broadcasts an ARP request packet (ARPF request) to the node and receives the ARP response packet from the node (steps S115 and S116).
  • the eMLBR 12 searches the MLB table A of the control unit 15 using the port that received the ARP response packet as a key, and if the pair of source IP address and source MAC address in the ARP response does not exist there, deletes the provisionally registered correspondence from the MLB table A (steps S117 and S118).
  • when the pair exists in the MLB table A, the QoS (for example, as described later, an uplink bandwidth of 10 kbps) is determined, a validity period (for example, 4 hours) is set, and the pair is regularly registered in the MLB table A of the transfer unit 14 (step S119).
  • after the eMLBR 12 returns, in step S120, the ARP response to the node's first ARP request (DGW address resolution, step S114), the node transmits a user MAC frame / IP packet, which the eMLBR 12 receives (step S121). The eMLBR 12 checks whether the source IP address and source MAC address of the received user MAC frame / IP packet exist in the MLB table A of the transfer unit 14 (step S122), and if they do not, discards the transmitted packet (step S123).
  • if they exist, the packet is transferred to the next hop (step S124). The ARP response in step S120 need not be performed, because the node already learned the MAC address of the eMLBR 12 from the ARP request (ARPF request) in step S115.
  • the control unit 15 of the eMLBR 12, in cooperation with the transfer unit 14, performs existence confirmation (not necessarily periodically) of the port or channel accommodating the node or entity (step S128 and step S128),
  • and the MLB table A may be updated (its validity period extended) according to the confirmation result (step S130).
  • the iMLBR 11 (ISP edge router) uses the identification information of the port that received the packet transferred in step S124 as a key and checks whether the pair of the packet's IP address (the global IP address assigned to the eMLBR 12) and MAC address (of the eMLBR 12) exists in the MLB table B of the transfer unit 14 (step S125). If the pair does not exist in the MLB table B, the packet is discarded (step S126). If it exists, the packet is transferred to the next hop node at the QoS determined in advance when the eMLBR 12 was authenticated (as an IEEE 802.1X node, by the iMLBR 11) (step S127).
  • when authentication is performed by ARP reflection according to the present embodiment, the terminal cannot be said to be as secure as with IEEE 802.1X authentication using an ID, password, or digital certificate. Since the authentication level is low, the QoS toward the Internet 10 is limited, for example the upstream bandwidth to about 10 kbps. If the downstream bandwidth is not limited, TV users who use the remote control for data communication with TV stations, screen transitions, and other Internet connection services via the television feel no inconvenience.
  • ARP reflection is performed in response to an ARP request from the node. Alternatively, after the node has cached the IP address and MAC address of the eMLBR 12 and sent an ICMP echo request (communication confirmation) to the eMLBR 12, the eMLBR 12 may send an echo request (echo reflection) or an ARP request to the node and verify the authenticity of the IP address and MAC address in various ways, such as checking that the source IP address and source MAC address of the response packet / frame match those of the node's echo request packet and, if they match, registering them in the MLB tables of the control unit 15 and the transfer unit 14. Such verification may be used for authentication.
  • FIG. 6 shows an experimental example of the communication operation of ARP reflection using OpenFlow.
  • Host #A is trying to communicate with host #B via eMLBR12.
  • the eMLBR 12 executes OpenFlow and functions as a packet transfer apparatus according to the present embodiment.
  • the eMLBR 12 is composed of an OpenFlow controller 15 that is a control unit 15 and an OpenFlow switch 14 that is a transfer unit 14.
  • the OpenFlow switch 14 includes an MLB table.
  • the ARP request (step S211) transmitted from host #A for address resolution of the DGW is sent to the OpenFlow controller 15, and the controller generates an ARP request (ARPF) for host #A and sends it to host #A via the OpenFlow switch (step S212).
  • host #A returns an ARP response (step S213), and the OpenFlow controller verifies authenticity by collating the IP address and MAC address of the ARP request sent in step S211 with those of the ARP response returned in step S213; if they match, the pair is provisionally registered in the MLB table of the OpenFlow controller 15 and regularly registered in the MLB table of the OpenFlow switch 14 by Flow mod.
  • Trema-edge was installed as the OpenFlow controller 15 on a personal computer (OS: Ubuntu 12.04 (x64), CPU: Celeron 440 @ 2.00 GHz, memory: 2 GB), and Open vSwitch 2.0.0 was installed as the OpenFlow switch 14 on another personal computer with the same specifications and operated as a layer 3 switch.
  • the correspondence relationship between the IP address and the MAC address accepted by each port of the switch is provisionally registered in the MLB table of the OpenFlow controller 15 and positively registered in the MLB table of the OpenFlow switch 14.
  • FIG. 7 shows the configuration of the flow tables, and FIG. 8 shows the transitions between them.
  • all ARP requests and packets related to ARPF arriving at the OpenFlow switch 14 are sent to the OpenFlow controller 15 by Packet-In (table 0 in FIGS. 7 and 8); other packets are routed only after passing through the transitions of multiple flow tables (pipeline processing), or an inquiry to the controller is generated as Packet-In (table 180).
  • the OpenFlow switch 14 that has received the ARP request transmitted by host #A at port 1 performs a Packet-In to the OpenFlow controller 15 in table 0 shown in FIGS. 7 and 8 (steps S211 and S311).
  • the OpenFlow controller 15 temporarily registers the pair of the source IP address and source MAC address of the received ARP request frame / packet in the MLB table in the controller using the received port 1 as a key.
  • the OpenFlow controller 15 packet-outs an ARP request to the OpenFlow switch 14 as ARP reflection, and the switch sends this to the host #A from the port 1 (step S212).
  • the OpenFlow switch 14 that has received the ARP response returned from the host #A at the port 1 again generates Packet-In to the controller (steps S213 and S312).
  • the controller searches the MLB table in the controller using port 1 as a key, and if the pair of source IP address and source MAC address of the ARP response from host #A exists there, it determines that a node with the same pair exists and authenticates it.
  • the controller performs a Flow mod operation on the switch (step S214): a flow entry with "port: 1" as its matching condition is written to the physical port table (table 60), and a flow entry with the same pair as its matching condition is written to the MLB table (table 101) (regular registration).
  • the OpenFlow switch 14, in processing a received packet, uses pipeline processing to transition to the MLB table of the receiving port (tables 60 and 101 in FIGS. 7 and 8). If the source IP / MAC address pair is in the MLB table of that port, processing proceeds to the routing operation (table 180 in FIG. 7, step S316); if it is not, the packet is discarded (tables 101 and 102 in FIGS. 7 and 8).
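The ARP-reflection sequence of FIG. 5 and its OpenFlow realization in FIGS. 6 to 8 (provisional registration in the controller, ARPF, regular registration in the switch by flow mod, and the per-port MLB check before routing) as an added model in Python; this is example code written for this page, not the patent's implementation or the Trema / Open vSwitch code. Class names, method names, the frame representation, the step handling and the sample addresses are assumptions; a secure-channel identifier could replace the port number as the key without changing the logic.

```python
from dataclasses import dataclass

UPLINK_QOS_KBPS = 10         # low authentication level -> uplink limited to 10 kbps
VALID_PERIOD_SEC = 4 * 3600  # validity period of a regular registration (4 hours)


@dataclass(frozen=True)
class Frame:
    """The fields of a received frame / packet that the MLB check uses (assumed layout)."""
    in_port: int
    src_mac: str
    src_ip: str
    kind: str = "data"      # "arp_request", "arp_response" or "data"


class MLBTable:
    """Port (or channel) -> {(source MAC, source IP): expiry time}."""

    def __init__(self):
        self._entries = {}

    def register(self, port, mac, ip, now, period=VALID_PERIOD_SEC):
        self._entries.setdefault(port, {})[(mac, ip)] = now + period

    def delete(self, port, mac, ip):
        self._entries.get(port, {}).pop((mac, ip), None)

    def delete_conflicting(self, port, mac, ip):
        """Drop provisional bindings on `port` that share the MAC or the IP of a failed check."""
        table = self._entries.get(port, {})
        for key in [k for k in table if k[0] == mac or k[1] == ip]:
            del table[key]

    def exists(self, port, mac, ip, now):
        """True only while the pair is bound to this port and its validity period has not lapsed."""
        expiry = self._entries.get(port, {}).get((mac, ip))
        return expiry is not None and now < expiry


class OpenFlowSwitch:
    """Transfer unit 14: ARP traffic goes to the controller (table 0); data passes the
    per-port MLB check (tables 60 / 101) before routing (table 180) or is dropped (102)."""

    def __init__(self):
        self.mlb_table = MLBTable()   # entries installed by the controller's flow mod
        self.uplink_qos = {}          # (port, mac, ip) -> kbps
        self.packet_in_log = []

    def flow_mod(self, port, mac, ip, now):
        self.mlb_table.register(port, mac, ip, now)
        self.uplink_qos[(port, mac, ip)] = UPLINK_QOS_KBPS

    def handle(self, frame, now):
        if frame.kind in ("arp_request", "arp_response"):
            self.packet_in_log.append(frame)   # table 0: Packet-In
            return "packet_in"
        if self.mlb_table.exists(frame.in_port, frame.src_mac, frame.src_ip, now):
            return "route"                     # tables 60 -> 101 -> 180
        return "drop"                          # table 101 miss -> table 102


class OpenFlowController:
    """Control unit 15: DHCP bookkeeping, ARP reflection and provisional registration."""

    def __init__(self, switch, dgw_mac, dgw_ip):
        self.switch, self.dgw_mac, self.dgw_ip = switch, dgw_mac, dgw_ip
        self.provisional = MLBTable()

    def on_dhcp_request(self, port, node_mac, assigned_ip, now):
        """S111 / S112: bind receiving port, node MAC and the leased IP provisionally."""
        self.provisional.register(port, node_mac, assigned_ip, now)

    def on_arp_request(self, frame):
        """S114 / S115 (S211 / S212): reflect an ARP request (ARPF) back to the node."""
        return Frame(frame.in_port, self.dgw_mac, self.dgw_ip, kind="arp_request")

    def on_arp_response(self, frame, now):
        """S116 to S119 (S213 / S214): compare the node's answer with the provisional pair."""
        port, mac, ip = frame.in_port, frame.src_mac, frame.src_ip
        if not self.provisional.exists(port, mac, ip, now):
            self.provisional.delete_conflicting(port, mac, ip)   # S118
            return False
        self.switch.flow_mod(port, mac, ip, now)                 # S119 regular registration
        return True


def authenticate(controller, switch, port, node_mac, claimed_ip, leased_ip, now):
    """Run the whole sequence for one node; True when it ends up regularly registered."""
    controller.on_dhcp_request(port, node_mac, leased_ip, now)
    arp_req = Frame(port, node_mac, claimed_ip, kind="arp_request")
    switch.handle(arp_req, now)                 # Packet-In of the DGW resolution
    controller.on_arp_request(arp_req)          # ARPF sent out of the same port
    arp_resp = Frame(port, node_mac, claimed_ip, kind="arp_response")
    switch.handle(arp_resp, now)                # Packet-In of the node's answer
    return controller.on_arp_response(arp_resp, now)


def existence_check(switch, port, mac, ip, responded, now):
    """S128 to S130: a response extends the validity period; no response removes the entry."""
    if responded:
        switch.mlb_table.register(port, mac, ip, now)
    else:
        switch.mlb_table.delete(port, mac, ip)
```

The check is keyed on the receiving port, so the same pair arriving on another port, or a source address other than the one bound to that port, is dropped; this is the behaviour the hping3 experiment described later relies on.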
  • a SYN flood attack experiment was conducted using the simple attack tool hping3.
  • the experiment, in which 10,000 packets were transmitted to the attack destination while randomly changing the source IP address within the network address range (192.168.2.0/24), was performed several times.
  • of the 10,000 packets, on average about 30 (≈ 10,000 ÷ 256, i.e. those carrying the attack source host's own IP address) reached the attack destination, and the remaining 9,970 packets were discarded, as confirmed in the log on the switch.
  • as shown in FIGS. 9 and 10, with the MLB table function turned on (all tables in FIG. 7 active) and off (only table 180 in FIG. 7 active), it was observed that the higher the transmission rate, the higher the non-arrival rate of ICMP response packets at host #A. The CPU usage of the OpenFlow switch 14 was less than 1%, and no packet loss at the switch was observed. This is because host #A, attempting to receive response packets while generating and transmitting ICMP echo request packets, falls into an overloaded state and misses the response packets.
  • FIG. 17 shows the evaluation environment for evaluating the responsiveness of the TV online data service under bandwidth limitation, and FIG. 18 shows the flow table used for that evaluation.
  • NAPT translation frequently causes Packet-In; therefore a closed NAPT translation module needs to be implemented in the switch.
  • FIGS. 19 and 20 show the results of the responsiveness evaluation of the TV online data service. FIG. 19 shows the result with bandwidth (kbps) on the vertical axis and time (sec) on the horizontal axis, and the result with display time (sec) on the vertical axis and bandwidth (kbps) on the horizontal axis.
  • the network configuration of FIG. 11 includes the Internet 10 containing the iMLBR 11 and the HRS 23, the node, and the eMLBR 12.
  • the HRS 23 is drawn as arranged inside the Internet (FIG. 1, FIG. 11, FIG. 23, etc.); this means that it is strictly managed by a reliable organization such as an ISP so that authentication data or programs are not falsified by unauthorized intrusion, and it may also be arranged outside the Internet via the iMLBR 11 and the eMLBR 12. The same applies hereafter.
  • FIG. 12 shows an example of a sequence operation between an IEEE 802.1X compatible node such as a personal computer and the eMLBR 12.
  • FIG. 12 describes a MAC frame / IP packet that is transmitted from a node to an external network (Internet 10).
  • in the present embodiment, the exchange of the EAP / RADIUS protocol and the DHCP protocol, the conversion / relay of EAP messages and RADIUS messages by the authenticator, and key generation / exchange and MAC frame encryption / decryption by MACsec are simplified or omitted.
  • descriptions of the functional units of the transfer unit 14 and the control unit 15 relating to each step are omitted.
  • the basic sequence is the same for eMLBR-W equipped with a wireless LAN function.
  • since the MAC frame containing the EAP message is transmitted to a multicast address, when a switching hub is placed under the EgER the MAC frame does not reach the authenticator; changes to the IEEE 802.1X standard, such as assigning a specific MAC address for EAP messages, are required.
  • the operation of the sequence diagram of FIG. 12 will be described below.
  • the supplicant of the IEEE 802.1X compatible node sends an EAP message frame by EAPOL (EAP over LAN; EAP: Extensible Authentication Protocol) to the authenticator of the eMLBR 12 (step S411).
  • the eMLBR 12 that has received the EAPOL sends an EAP request (TLS) to the IEEE 802.1X compatible node (step S412), EAP messages are exchanged between the node and the eMLBR 12 (step S413), and the eMLBR 12 relays them to the RADIUS server 23 functioning as the home authentication server (step S414).
  • the RADIUS server transmits the authentication result to the eMLBR 12 (step S415).
  • the authenticator of the eMLBR 12 discriminates the authentication result (step S416), and if the authentication fails, informs the node of the EAP failure and ends the processing (step S417).
  • when authentication succeeds, EAP success is notified to the node (step S418), a shared key is generated and exchanged between the node and the eMLBR 12 using the MACsec Key Agreement (MKA) protocol defined in IEEE 802.1X, and a secure channel is established (step S419).
  • thereafter, confidential communication using the shared-key encryption defined by the same standard is performed, with message authentication checking whether data has been tampered with in transit.
  • the eMLBR 12 determines a communication service quality (QoS) level, sets a validity period (for example, 4 hours), and, using the secure channel identification information as a key, provisionally registers the entry in the MLB table A of the control unit 15 (step S421) and further registers it in the MLB table A of the transfer unit 14 (step S422).
  • a DHCP response that assigns an IP address together with information necessary for connection to the network, such as a netmask and an IP address of the DGW, is transmitted to the node (step S423).
  • the node transmits a user MAC frame in which the payload (user packet) is encrypted using the shared key and encapsulated in the MAC frame via the secure channel established with the eMLBR 12 (step S424).
  • the eMLBR 12 decapsulates / decrypts / message-authenticates the encrypted user MAC frame, then searches the MLB table A of the transfer unit 14 using the secure channel identification information as a key (step S425); if the source IP address / source MAC address pair does not exist there, the frame / packet is discarded (step S426).
  • if the pair exists, the source private IP address is translated (NAT) into the global IP address of the eMLBR 12 assigned in step S421, and the frame is transferred at the QoS determined in step S423 to the next hop node, the iMLBR 11 (ISP edge router) (step S427).
  • the control unit 15 and the transfer unit 14 of the eMLBR 12 in the present embodiment cooperate to check existence as appropriate by updating the encryption key between the node and the eMLBR 12 (step S432), and depending on the confirmation result (step S433) the MLB table A may be updated, that is, its validity period may be extended.
  • the iMLBR 11 (ISP edge router) decapsulates / decrypts / message-authenticates the MAC frame transferred in step S427, then searches the MLB table B of the transfer unit 14 using the secure channel identification information between the eMLBR 12 and the iMLBR 11 as a key (step S428); if the source IP address / source MAC address pair does not exist there, the packet is discarded (step S429). If it exists in the MLB table B, the user MAC frame is transferred to the next hop node toward the destination IP address at the designated QoS (steps S430 and S431).
  • a RADIUS server is used as an authentication server based on the IEEE802.1X standard for node or entity authentication, but authentication may be performed using another authentication server / standard such as LDAP.
  • the OS version upgrade status, the firewall configuration, the pattern file of the virus detection software, and the update state of widely used and frequently attacked package-type application programs and middleware such as the Java virtual machine may be examined and reflected in the determination of the authentication level, that is, the communication service quality.
  • the network configuration of FIG. 13 includes the Internet 10 containing the iMLBR 11 and the HRS 23, the host 30, and the eMLBR-R 12.
  • the IEEE 802.1X compatible supplicant of the eMLBR-R 12 connected to the network first sends an EAP message frame to the authenticator of the iMLBR 11 by EAPOL (step S511).
  • the iMLBR 11 that has received the EAPOL sends an EAP request (TLS) to the eMLBR-R 12 (step S512), EAP messages are exchanged between the eMLBR-R 12 and the iMLBR 11 (step S513), and the iMLBR 11 relays them to the RADIUS server 23 functioning as the home authentication server (step S514).
  • the RADIUS server transmits the authentication result to iMLBR 11 (step S515).
  • the authenticator of the iMLBR 11 discriminates the authentication result (step S516). If the authentication fails, the eMLBR-R 12 is notified of the EAP failure and the processing is terminated (step S517).
  • when authentication succeeds, the eMLBR-R 12 is notified of EAP success (step S518), and the eMLBR-R 12 and the iMLBR 11 generate and exchange a shared key using the MKA protocol to establish a secure channel (step S519).
  • confidential communication using shared key encryption is performed, and message authentication for checking whether data has been tampered with is performed.
  • the iMLBR 11 determines a communication service quality (QoS) level, sets a validity period (for example, 4 hours), and, using the secure channel identification information as a key, provisionally registers in the MLB table A of the control unit 15 the correspondence between the MAC address of the eMLBR-R 12 and the IP address fixedly or dynamically assigned to the eMLBR-R 12 (step S521); it is also registered in the MLB table A of the transfer unit (step S522). Then a DHCP response assigning an IP address together with the information necessary for connecting to the network, such as the netmask and the IP address of the DGW, is returned to the eMLBR-R 12 (step S523).
  • an IEEE 802.1X compatible node (such as a personal computer) is authenticated by the method described in the second embodiment, establishes a secure channel with the eMLBR-R 12, and has its IP address and MAC address registered using the secure channel identification information as a key.
  • the node transmits an encrypted user MAC frame to the eMLBR 12 (step S524), and the eMLBR-R 12 searches the MLB table B of the transfer unit 14 using the secure channel identification information as a key; if the source IP address / source MAC address pair of the frame / packet does not exist there, the eMLBR 12 discards the packet transmitted by the node (step S526).
  • if it exists, the source private IP address is translated into a global IP address at the preset QoS, the user packet is encrypted using the shared key between the eMLBR 12 and the iMLBR 11 (that is, sent over the secure channel between them) and encapsulated in a MAC frame, and the frame is transferred to the iMLBR 11, the next hop node, at the designated QoS (step S527).
  • the iMLBR 11 searches the MLB table A of the transfer unit 14 for the frame / packet transferred in step S527 using the secure channel identification information between the eMLBR 12 and the iMLBR 11 as a key (step S528); if the source IP address and source MAC address do not exist in the MLB table A, the frame / packet is discarded (step S529). If they exist, the user MAC frame is transferred to the next hop node at the designated QoS (step S530).
  • the control unit 15 and the transfer unit 14 of the iMLBR 11 in the present embodiment cooperate to check existence as appropriate by updating the encryption key between the iMLBR 11 and the eMLBR 12 (step S532), and according to the confirmation result (step S533) the MLB table A may be updated, that is, its validity period may be extended.
  • the eMLBR 12 is authenticated by the RADIUS server via the iMLBR 11 in accordance with IEEE 802.1X. If each of the eMLBR 12 and the iMLBR 11 has obtained in advance a digital certificate proving its authenticity from a trusted CA (certificate authority), the certificates may be exchanged directly and the two may authenticate each other mutually.
  • since the eMLBR 12 and the iMLBR 11 use the port or channel as a key to check, for all frames / packets, whether the source IP address and source MAC address pair exists in the MLB table, the outflow / inflow of address-spoofed packets to / from the Internet 10 can be prevented.
  • as the networks (providers) to which this is applied expand, cyber attacks based on various forms of address spoofing, such as DDoS and DRDoS, and unauthorized intrusions into servers are expected to decrease drastically.
  • an iMLBR 11 deployed at the connection point with such networks blocks packets outside the network address space described in the MLB table (functioning as uRPF, as described above), and, combined with discard requests, can block an attacker's IP address or packets whose addresses are spoofed randomly within the address space.
  • the safety and security of the entire Internet 10 is considered to be significantly increased by limiting the communication service quality of the accommodation port of the iMLBR 11 (bandwidth narrowing, and quarantine such as discarding SYN flood attack packets detected by anomaly detection, discarding virus-contaminated packets found by virus detection software, discarding encrypted packets, discarding spam mail, and so on).
  • the eMLBR 12 and the iMLBR 11 become new attack targets from the cracker's point of view, so they must be made robust against unauthorized intrusion into these packet transfer apparatuses.
  • an integrity check function that can detect tampering of programs, the routing table, the MLB table, and the like is provided, and attacks on the software processing system of the control unit 15 such as EAP flood and ARP flood attacks are taken into account.
  • when a new security hole is found in the eMLBR 12 or the iMLBR 11, or a new cyber attack emerges, a version upgrade function is needed so that corresponding functions can be added to the control unit 15 and the transfer unit 14.
  • the packet transfer apparatus is not limited to IPv4, and may handle IPv6.
  • the reported address space is provisionally registered in the MLB table of the control unit 15, and after IEEE 802.1X authentication it may be regularly registered, in units of IP addresses, in the MLB table of the transfer unit 14.
  • the identification information of the port or channel accommodating the server 13 is used as a key, and the IP address (assigned from another DHCP, from the own device's DHCP, or held by the user) and a fixed process identification address (well-known port number) identifying the process running on the server 13 may also be binding targets.
  • since the authentication level is low as described above, a VLAN isolating the terminal from other end nodes is configured, and the terminal is connected to the external network via a bandwidth-limited bridge.
  • when the connected camera is a surveillance camera such as an ITV (Industrial TeleVision) camera, the connection destination is limited, so that by measures such as adding the destination IP address to the MLB table, leakage of illegal packets to the Internet 10 can be prevented.
  • the control unit 15 of the iMLBR 11 or the eMLBR 12 checks, as appropriate (not necessarily periodically), the existence of the node or entity at the port or channel accommodating it, and maintains and updates the communication service quality (when MACsec is used under IEEE 802.1X, the physical connection is confirmed and the shared key is updated; if no existence confirmation response is received for a certain period, the entry is deleted from the MLB table and the communication service is stopped; when a node moves to another port or channel, after confirming its absence at the original port or channel, authentication may be performed again and only the port or channel of the MLB table entry changed).
  • one or a plurality of eMLBRs 12 may be arranged in a multi-stage manner toward the Internet 10 in the user side network. Furthermore, the eMLBR 12 may be connected (multi-homing) to a plurality of iMLBRs 11 arranged at the end of the Internet 10.
  • when the source IP address is set via an anonymous network (for example, Tor: The Onion Router), the packet with the anonymous IP address is not an address-spoofed packet, so its outflow / inflow to / from the Internet 10 cannot be prevented, just as for a non-spoofed packet.
  • however, the addresses (anonymous IP addresses) of the Tor nodes, said to number several thousand, are made public on the Internet and can be blacklisted.
  • the ReN 40 (Request Node), functioning as a response request node or response request entity, is an unauthorized access monitoring system such as an intrusion detection system (IDS: Intrusion Detection System) or an intrusion prevention system (IPS: Intrusion Prevention System) that monitors traffic in a data center, an institutional network, a DMZ (DeMilitarized Zone), or a server providing key points or services of the Internet 10, and sends packets presumed to be attack packets to the DeN 42 (Deliver Node) to request countermeasures.
  • the DeN 42 is a node of an organization that collects, analyzes, and aggregates attack packets sent from the ReN 40 and transmits discard request information when it is determined to be an attack.
  • the ShN 43 (Share Node) is a node that distributes the discard request information transmitted by the DeN 42 to the iMLBR 11 or eMLBR 12 that relays and forwards the discard target packet to the entire Internet 10 in the case of a large-scale attack.
  • DeN42, ShN43, etc. are described so as to be arranged inside the Internet.
  • the disposal request information, the program, etc. are not altered by unauthorized intrusion, etc. This means that a reliable organization such as an ISP strictly manages them, and may be arranged outside the Internet via the iMLBR 11 and the eMLBR 12.
  • the discard request information transmitted by the DeN 42 includes a source MAC address / source IP address / port number and a destination MAC address / destination IP address / port number of a packet to be discarded (attack, anonymous IP address, information leakage, etc.). Some or all pairs and validity periods are described together with a digital certificate or electronic signature of DeN42.
  • the ShN 43 Upon receipt of this, the ShN 43 applies the IP address of the iMLBR 11 or eMLBR 12 that is the discard request destination by applying a traceroute command or the like for examining the route information to the attack source IP address and the victim node IP address described in the discard request information. Is determined (address resolution), and the discard request information is delivered to the corresponding iMLBR11 or eMLBR12.
  • Route information is acquired by transmitting ICMP echo request packets while incrementing the TTL by 1.
  • When an MLBR receives an ICMP echo request packet whose TTL is 1, it may write its attribute information into the option field of the ICMP time exceeded packet (e.g., iMLBR deployed as an edge router, iMLBR deployed at the border with a provider that has not yet installed an MLBR, eMLBR-R for home, eMLBR-W for wireless LAN, eMLBR-C for data center, etc.: the type, the nodes accommodated, the network attributes, and so on) and return it to the source of the route investigation (ShN 43), so that the IP address of each iMLBR 11 or eMLBR 12 on the transfer route and its attribute information are acquired.
  • The discard request information may be transmitted to the iMLBR 11 or eMLBR 12 using a transfer protocol such as HTTP or SMTP.
  • Upon receiving the discard request information, the control unit 15 of the iMLBR 11 or eMLBR 12 confirms the authenticity of the discard request information from the attached digital certificate, generates or updates the discard table based on it, and transmits the table to the transfer unit 14. Thereafter, for each received frame/packet, the transfer unit 14 refers to the MLB table and confirms that it is not an address spoofing packet. It then checks whether the source IP address / port number and destination IP address / port number of the packet correspond to a pair registered in the discard table, or to an anonymous IP address registered as a blacklist, and if so discards the packet (the MLB table may instead be consulted after collating with the discard table). If not, the process proceeds to the routing process.
  • The ReN 41 may be a personal computer, a tablet terminal, a smartphone, a digital TV, or the like that is equipped with a function equivalent to an IDS or IPS, or with virus detection software. Also, if the ReN 40 has an attack packet analysis function and a delivery function equivalent to those of the DeN 42 and ShN 43 and can identify the attacker's IP address, it may apply the traceroute command described above directly using ICMP echo request packets.
  • The discard request information may also be delivered to the iMLBR 11 or eMLBR 12 using a transfer protocol such as HTTP or SMTP. Further, if the attack source lies within a limited range, the DeN 42 may deliver the discard request information directly to the corresponding iMLBR 11 or eMLBR 12 by acting as the ShN 43.
  • The iMLBR 11 and eMLBR 12 may implement the function of the ReN 40 and function as a ReN 40.
  • The iMLBR 11 and eMLBR 12 update the discard table upon a discard request from the DeN 23, ShN 43, etc.; the discard request information may reach them by notification from the DeN 23 or ShN 43.
  • Alternatively, the iMLBR 11 and the eMLBR 12 may access the DeN 23, the ShN 43, etc. periodically and acquire any new discard request information related to themselves.
  • For an attack without address spoofing, or for the IP address of an end node (Tor node) of the anonymous network mentioned above, the address is registered (as a blacklist) in the discard table of the iMLBR 11 or eMLBR 12 that accommodates the node.
  • By registering the victim node's IP address, L4 port number, destination IP address, etc. in the discard table of the iMLBR 11 or eMLBR 12 that accommodates the victim node, the leakage of information leakage packets or access to the C&C server can be blocked.
  • Cracking intention packets are targeted for countermeasures.
  • A cracking intention packet means an IP address spoofing (including impersonation) packet, an anonymous IP address packet, or an IP address non-spoofing attack packet.
  • The functions of the MLBR according to this embodiment are shown in (1) to (6) below.
  • "Node" is used as a generic term for hosts and routers.
  • A network, being a set of nodes, is also treated as a node.
  • IEEE 802.1X compatible terminals (PCs, smartphones, etc.): authentication/quarantine is effective for suppressing cracking acts and ensuring the soundness of the terminal.
  • Even so, such a terminal is difficult to identify if it does bad things via an anonymous network, and if it is infected with a bot it will participate in DDoS attacks.
  • IEEE 802.1X non-compliant terminals (smart home appliances such as TVs, IoT devices): there are no OS updates or FW, and they may become a hotbed for cyber attacks.
  • Home routers: they may be remotely controlled and involved in attacks.
  • ISPs with a "connect anything" policy: in this case, it is unlikely that all ISPs will introduce countermeasures.
  • Anonymous networks and Tor: in this case the address is an anonymous address, not a spoofed address.
  • Impersonation terminals: likewise an anonymous address, not address spoofing.
  • FIG. 21 shows an example of a sequence of operations between the IEEE 802.1X compatible terminal described above and the eMLBR 12.
  • The sequence in FIG. 21 according to the present embodiment differs from the sequence in FIG. 12 in the second embodiment in that two servers are provided.
  • The servers may comprise the quarantine server 31 and the RADIUS server 23 separately.
  • It also differs from the sequence of FIG. 12 in the second embodiment in that a soundness statement is also exchanged when the eMLBR 12 mediates it to the RADIUS server 23 or the quarantine server 31 functioning as the home authentication server.
  • Each server can transmit the authentication result and the quarantine result to the eMLBR 12 in step S515.
  • Countermeasures against cyber attacks are shown below.
  • A targeted e-mail attack: an employee's terminal that unintentionally opened a forged e-mail is used as a stepping stone for a connect-back; the attacker then sends commands via the C&C server, involving multiple terminals, to open a back door on a core server and steal confidential information.
  • A discard request describing the IP address of the C&C server and the IP address of the organization is sent to the eMLBR 12 and iMLBR 11 that accommodate the organization, and thereafter the exchange of command packets with the C&C server is blocked.
  • A discard request describing the destination IP address of the leaked information is sent to the eMLBR 12 and iMLBR 11 of the organization to prevent subsequent information leakage.
  • DNS cache poisoning is an attack that causes the cache DNS servers of ISPs, companies, universities, and the like to cache fake DNS information.
  • By caching fake DNS information, clients referring to that cache DNS server, such as an ISP's customers, a company's internal users, or a university's students, can be guided to a fake site.
  • An example of handling DNS cache poisoning, related to the third case, is described below.
  • Cache DNS servers at ISPs, companies, universities, and the like on which an ACL (Access Control List) has not been properly applied return responses to inquiries from outside parties that are not their clients.
  • Such a cache DNS server is called an open resolver. Since arbitrary inquiries can be made to an open resolver from the outside, it can be said to be easy to poison. In addition, even a legitimate client can make arbitrary inquiries if the client is infected with a virus and turned into a bot.
  • A cache DNS server that is not properly set up is subject to a cache poisoning attack when there is even one malicious or remotely operated client among the clients using it, and if the attack succeeds, it may affect all clients using the server.
  • Specific methods of cache poisoning include the Kaminsky method (a delegation injection attack) and the transfer injection attack.
  • Currently implemented measures include setting an appropriate ACL on the cache DNS server so that it is not an open resolver, and randomizing the source port number (rather than fixing or incrementing it) when making external inquiries, or introducing settings to that effect.
  • DNS reflection attack: DNS responses are generally larger than queries. This attack misuses that property by sending a large number of queries with the source address spoofed to the target's address, so that a large volume of responses is returned toward the target.
  • There are CPE implementations that are open resolvers or open forwarders (any query from any device is forwarded to the DNS server configured as the device's forwarder); if attackers abuse them, even larger traffic, including the return traffic, can be generated.
  • IP53B (Inbound Port 53 Blocking): traffic from the ISP toward the customer's port 53 is blocked.
  • This can suppress traffic to open resolvers and open forwarders, but its introduction requires care in view of the side effects (service disruption when a customer sets up a DNS server); its adoption is being advanced.
  • Since the DNS spoofing attack (DNS Amp) is based on address spoofing packets, it can also be prevented by the MLBR without the need for advanced specialized knowledge.
  • In the first related technology, a computer system includes a controller, and a switch connected to the controller that performs the relay operation specified by a flow entry set by the controller for each received packet matching that flow entry.
  • The switch notifies the controller of the source address information of a received packet that does not match any flow entry set in it (Packet-In). If the address information of the legitimate host terminal and the source address information do not match, the controller determines that the source address of the received packet is spoofed and sets a discard flow entry in the switch. Therefore, compared with the invention according to the present embodiment, in the first related technology a Packet-In with a heavy processing load occurs each time a new address spoofing packet is received; in other words, a large number of address spoofing packets cause the switch to be overloaded and become inoperable.
  • In the second related technology, the IP address and the MAC address are stored in a table in association with each other, and a packet sent from a terminal is discarded when its IP address and MAC address are not in the table.
  • A terminal always broadcasts an ARP request packet to resolve the address of the first-hop router prior to communication.
  • This ARP request packet carries the source MAC address and IP address. For this reason, even an attacker on a different physical port can capture the ARP request packet, for example over a wireless network, learn the IP address and MAC address pair, and impersonate another person's PC.
  • In the present invention, IP address and MAC address pairs are managed in the MLB table using the physical port or (secure) channel as the key, so even if the ARP request packet is captured from another port or channel, packets from the impersonating terminal can be discarded.
  • The second related technology therefore has a security problem in that it lacks a function for managing entries with the physical port or (secure) channel as a key.
  • In the third related technology, the MAC address and the IP address are stored together, and when a user sets an IP address other than the one assigned by the ISP on the terminal, or intentionally alters it to the same IP address as another terminal, packets received from a terminal that has not been assigned that IP address in advance are discarded within the bridge.
  • A table managing MAC addresses in association with IP addresses is provided, but this is a by-product generated when the MAC bridge transmits an ARP request packet to the terminal to which the IP address is assigned and acquires the MAC address described in the returned ARP response packet; in the subsequent filtering, only the source MAC address is referred to.
  • The present invention checks whether the pair of MAC address and IP address exists in the MLB table using the physical port or (secure) channel as a key. As a result, even if the owner of the terminal does not spoof the IP address or MAC address, the inflow of packets sent for a DDoS attack or the like from a terminal infected with malware can be prevented.
  • NDP (Neighbor Discovery Protocol) is the IPv6 counterpart of ARP (Address Resolution Protocol).
  • NDP includes identifying the MAC addresses of neighboring nodes on the link, detecting address changes and withdrawals, checking reachability to neighboring nodes, and detecting routers on the link and setting them as the packet forwarding destination.
  • FIG. 22 shows a comparison for the case where the IPv6 counterpart of ARP is applied in the packet transfer system according to the present embodiment.
  • RS packet (Router Solicitation): a packet used by a node for address resolution of the first-hop router.
  • RA packet (Router Advertisement): the packet returned by the router in response to the RS packet.
  • NS packet (Neighbor Solicitation): a packet that resolves the MAC address of a specific node; it is almost the same as the IPv4 ARP packet.
  • NA packet (Neighbor Advertisement).
  • A predetermined bit is set in the iMLBR 11 installed at the boundary with the network that relayed and forwarded these packets.
  • The authentication flag may be reset ("0").
  • The present invention can be applied to the information and communication industry.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The purposes of the present invention are to discard packets that have fraudulently flowed in and to subsequently prevent attack packets and fraudulent packets flowing undetected into the Internet from flowing out to or flowing into the Internet. The packet transfer device according to the present invention is equipped with: multiple ports or multiple channels; a binding table for storing identification information on the ports or channels and the correspondence relation between physical source addresses and logical source addresses; a discard table that is generated or updated as requested; and a transfer unit that transfers a packet to the next hop node when a physical source address-logical source address pair for the packet is present in the binding table, or discards the packet when the pair is not present in the binding table or when the packet corresponds to the discard table.

Description

Packet transfer apparatus, packet transfer system, and packet transfer method

The present invention relates to a packet transfer device, a packet transfer system, and a packet transfer method.

Cyber attacks, which grow more sophisticated and organized every year, have become a major threat on a global scale; in 2011 they are said to have caused US$1 trillion of damage worldwide. In particular, DDoS attacks, in which countless PCs infected with bot viruses are formed into a botnet that is then directed to attack websites and the like, cannot be prevented by the conventional "security technology that protects oneself", and countermeasures spanning the entire Internet are required.

According to an announcement by the National Police Agency, about 97% of the botnet attacks observed during 2012 were SYN (SYNchronize) flood attacks and UDP (User Datagram Protocol) flood attacks, and most of them spoofed the source IP address (hereinafter, IP address spoofing or address spoofing). Countermeasures against IP address spoofing are therefore expected to be highly effective as countermeasures against cyber attacks.

IP address spoofing succeeds because routing on the Internet looks only at the destination IP address of a packet. One ingress filtering technique that attempts to keep IP address spoofing packets out of the Internet is uRPF (Unicast Reverse Path Forwarding), which checks whether the source address of a received packet exists as route information in the routing table, forwards the packet if a route is found, and discards it otherwise. However, because uRPF still relays spoofed packets whose source address lies within the address space of a network address listed in the routing table, this incompleteness has kept it from being widely deployed.

There is also the IEEE 802.1X standard, which grants a port permission to communicate only after authentication, so that terminals other than predetermined ones cannot access the network. Some products add a MAC-address-based ingress filtering function to this, so that frames sent from an unauthenticated terminal are blocked even when they arrive via a repeater hub; but because this is a data link layer countermeasure, if an authenticated terminal becomes infected with a bot virus or the like and transmits IP address spoofing packets, the authenticating LAN switch cannot block them.

Furthermore, for the internal networks of enterprises and the like there are various attempts and products: DHCP snooping, which monitors address assignment by DHCP (Dynamic Host Configuration Protocol) and filters packets inconsistent with it; Trusted Network Connect, which controls access authorization to information under a single policy; and IP trace back, which attempts to identify the origin of IP address spoofing packets. None of them, however, is an effective solution that eradicates cyber attacks (see, for example, Patent Document 1).

Patent Document 1: JP 2003-289338 A
Patent Document 2: International Publication No. WO 2012/077603 (rendered as 2012/076603 in the machine translation)
Patent Document 3: JP 2007-68190 A
Patent Document 4: US 2003/0043853 A1

In related-art network equipment, vendors have so far developed both the hardware and the software and supplied the combination as a network device. While each vendor offers devices with various functions and features, the software and hardware are integrated, so in practice network configurations and functions beyond the architecture the vendor envisioned cannot be added. In contrast, SDN (Software Defined Network) refers to networks and concepts that aim to let network configuration, functions, performance and so on be set and changed dynamically by software operations alone, and is being developed in many places.

Next, the issues arising from the relationship between Internet culture and IP address spoofing countermeasures are explained. The Internet is an interconnection of networks operated autonomously by Internet service providers (hereinafter, ISPs (Internet Service Providers)) under various policies. Cyber attacks are a problem of the Internet as a whole, and partial deployment of IP address spoofing countermeasures has only a marginal effect. Asking nearly all of the countless ISPs, various organizations and general users to introduce countermeasures would seem extremely difficult.

However, Internet culture includes "information should be shared", which drove the development of Internet infrastructure technologies such as TCP/IP (Transmission Control Protocol/Internet Protocol), DNS (Domain Name System) and e-mail; "information should be widely disclosed", which is the foundation of democracy; "power is tyrannical and cannot be trusted", a dislike of intervention by governments, bureaucrats and large corporations; and, together with these, "cracking must be condemned".

That is, the Internet, rooted in democracy, presupposes sensible conduct by its users, and there is no mechanism or organization that monitors or restricts its use. What exists is only Internet governance: the IETF (Internet Engineering Task Force), which standardizes protocols, and ICANN (Internet Corporation for Assigned Names and Numbers), which manages finite Internet resources such as domain names and IP addresses. In other words, the underlying idea is that the Internet is open but unprotected, and cracking that exploits this should be strictly condemned.

An IP address spoofing packet is clearly a packet intended for some kind of cracking, whether or not the sender is aware of it. Taking measures so that IP address spoofing packets do not enter the Internet is therefore in keeping with the thinking of Internet culture.

Moreover, the Internet world is built on contracts: beneath a limited number of primary ISPs, secondary and tertiary ISPs and, further, users contract and connect. Therefore, if the primary ISPs recognize the cost effectiveness of the present invention and decide to introduce it, its introduction can be stipulated as a contract clause covering subordinate ISPs, organizational users and general users.

The nodes that should be targeted by the address spoofing countermeasures shown in FIG. 1 and FIG. 23 (in this specification, "node" is used as a generic term for hosts, which generate, send and receive user packets, and for routers and switches, which do not generate user packets but relay and forward them) are nodes that carry out, or are made to take part in, cyber attacks, whether or not the user intends it: the PC 26, smartphone 24 and mobile terminal 25 used by so-called general users; the server 13 used as a stepping stone for cyber attacks; and, more recently, digital TVs 29, refrigerators, printers, ITV cameras and existing home broadband routers into which malicious programs are implanted by remote operation so that they take part in cyber attacks. In addition, 26 billion "things" such as sensors and devices, called IoT (Internet of Things), are expected to be connected to the Internet worldwide in 2020. There is concern that these will be infected with viruses or have malware embedded during manufacturing, exposing social infrastructure such as power grids and railways to cyber attacks and throwing not only the Internet but society as a whole into turmoil.

Cases have also been reported in which such nodes, connected to the Internet 10, are made to take part in DRDoS (Distributed Reflection Denial of Service) attacks conducted mainly between machines, that is, by M to M (Machine to Machine) terminals, by spoofing the source IP address with the IP address of the attack target. Furthermore, even the eMLBR 12 of the present invention, which corresponds to a home broadband router placed in the user's premises, would let address spoofing packets out to the outside (the Internet 10) if it were bypassed or if a PC were connected directly to the WAN line to inject attack packets; these are therefore also nodes that the address spoofing countermeasures should cover.

A network is a set of nodes including the iMLBR 11 and the eMLBR 12; this set of nodes, that is, the network, can itself be regarded as a node, and a set of such nodes can in turn be treated as a network, so the Internet 10 has a hierarchical and recursive structure. Therefore, even if a network with the "connect anything" policy mentioned above (Untrusted Internet 21) connects to the Internet 10 via an existing router that does not implement the present invention (the iMLBR 11 or the eMLBR 12), it can simply be regarded as one untrusted node. The Internet 10 also has an HRS 23 (Home RADIUS (Remote Authentication Dial In User Service) Server) that functions as a home authentication server.

However, countermeasures that monitor and control the conduct of ISPs operating under diverse policies, of various organizations and of general users, or that enforce policy or expose an ISP's policy as IP trace back does, are hard to accept. The challenge is therefore a countermeasure that checks at the user-side exit and at the entrance to the Internet 10 whether the source IP address is spoofed and reliably blocks any address spoofing packet, that further blocks the attack packets and illegal packets that slip through this check and try to enter the Internet, and that is minimal, general-purpose and technically feasible.

This does not deny the existence of an ISP with a "connect anything" policy, should one exist. Even if there are networks operated by such an ISP (Untrusted Internet 21) or anonymous networks that anonymize the connection path by routing communication through multiple nodes over virtual circuit connections called "onion routing", it suffices to strengthen quarantine at the connection point with these networks (the iMLBR 11) and further narrow the bandwidth so as to suppress the inflow of attack packets and illegal packets into the Internet 10. In other words, a countermeasure that satisfies the above requirements could be deployed on a global scale through private-sector contracts, without waiting for the enactment of international law.

To solve the above problems, the present invention blocks the outflow to and the inflow into the Internet 10 of address spoofing packets sent not only from terminals that have a supplicant making authentication requests and whose authenticity has been authenticated, but also from completely defenseless terminals (smart home appliances such as digital TVs) that have no supplicant and, moreover, no OS upgrades or firewall function. Furthermore, for attack packets and illegal packets that slip through these countermeasures and flow into the Internet 10, their subsequent outflow to and inflow into the Internet 10 are blocked at the request of the node that detected them.

To achieve the above object, the present invention manages, in the packet transfer device (iMLBR and eMLBR), the correspondence between the identification information of a port or channel, the source physical (so-called MAC) address and the source logical (so-called IP) address; using the identification information of the port or channel on which a frame/packet was received as the key, it checks whether this correspondence exists, and treats a packet for which no correspondence exists as an address spoofing packet and discards it. Furthermore, on request from a node that has detected attack packets or illegal packets that slipped through the above countermeasure and entered the Internet, it generates or updates a discard table and discards packets that match the discard table.
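As an added illustration (not the patent's own code), the following Python model walks through the transfer unit's decision sequence described here and in the control unit 15 / transfer unit 14 passage above: MLB table lookup keyed by the receiving port or channel, then the blacklist and the discard table with validity periods, and it also reproduces the related-technology comparison in which a (MAC, IP) pair copied from a captured ARP request arrives on a different port. Class and function names, the sample addresses and the shared key are constructed assumptions, and an HMAC stands in for the DeN's digital signature.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    """The fields of a received frame/packet that the transfer unit inspects."""
    port: str      # identification of the port or (secure) channel it arrived on
    src_mac: str   # source physical address (from the frame)
    src_ip: str    # source logical address (from the decapsulated packet)
    dst_ip: str
    src_l4: int    # L4 source port number
    dst_l4: int    # L4 destination port number


@dataclass(frozen=True)
class DiscardEntry:
    """One discard-table row; a field set to None is a wildcard."""
    src_ip: Optional[str]
    src_l4: Optional[int]
    dst_ip: Optional[str]
    dst_l4: Optional[int]
    valid_until: int  # end of the validity period, on a constructed test clock

    def matches(self, f: Frame) -> bool:
        pairs = ((self.src_ip, f.src_ip), (self.src_l4, f.src_l4),
                 (self.dst_ip, f.dst_ip), (self.dst_l4, f.dst_l4))
        return all(want is None or want == have for want, have in pairs)


class Mlbr:
    """Hypothetical model of an iMLBR/eMLBR: MLB table, discard table, blacklist."""

    def __init__(self, den_key: bytes):
        # MLB table: port/channel id -> set of (source MAC, source IP) pairs
        self.mlb_table: Dict[str, Set[Tuple[str, str]]] = {}
        self.discard_table: List[DiscardEntry] = []
        self.blacklist: Set[str] = set()   # anonymous-network (Tor) addresses
        self._den_key = den_key            # stand-in for the DeN certificate (assumption)

    def bind(self, port: str, mac: str, ip: str) -> None:
        """Register a (MAC, IP) pair learned on a given port/channel."""
        self.mlb_table.setdefault(port, set()).add((mac, ip))

    def apply_discard_request(self, request: dict, signature: str) -> bool:
        """Control-unit side: check authenticity, then generate/update the discard table."""
        body = json.dumps(request, sort_keys=True).encode()
        expected = hmac.new(self._den_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False  # tampered or unsigned request: ignore it
        for e in request.get("entries", []):
            self.discard_table.append(DiscardEntry(
                e.get("src_ip"), e.get("src_l4"), e.get("dst_ip"), e.get("dst_l4"),
                e["valid_until"]))
        self.blacklist.update(request.get("blacklist", []))
        return True

    def process(self, f: Frame, now: int) -> str:
        """Transfer-unit decision for one received frame."""
        # 1. MLB table lookup keyed by the receiving port/channel: a pair learned on
        #    another port (e.g. copied from a captured ARP request) does not match.
        if (f.src_mac, f.src_ip) not in self.mlb_table.get(f.port, set()):
            return "discard:address-spoofing"
        # 2. Blacklisted (anonymous network) addresses, as source or destination.
        if f.src_ip in self.blacklist or f.dst_ip in self.blacklist:
            return "discard:blacklist"
        # 3. Discard table, dropping entries whose validity period has ended.
        self.discard_table = [e for e in self.discard_table if e.valid_until > now]
        if any(e.matches(f) for e in self.discard_table):
            return "discard:discard-table"
        return "forward"  # hand the packet to the routing process


def sign_request(den_key: bytes, request: dict) -> str:
    """What the DeN side would do; the HMAC stands in for its digital signature."""
    body = json.dumps(request, sort_keys=True).encode()
    return hmac.new(den_key, body, hashlib.sha256).hexdigest()


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through; all addresses are from documentation ranges."""
    key = b"constructed-DeN-key"
    m = Mlbr(key)
    m.bind("port1", "aa:bb:cc:00:00:01", "192.0.2.10")
    ok = Frame("port1", "aa:bb:cc:00:00:01", "192.0.2.10", "203.0.113.5", 40000, 443)
    spoofed_ip = Frame("port1", "aa:bb:cc:00:00:01", "192.0.2.99", "203.0.113.5", 40000, 443)
    stolen_pair = Frame("port2", "aa:bb:cc:00:00:01", "192.0.2.10", "203.0.113.5", 40000, 443)
    to_tor = Frame("port1", "aa:bb:cc:00:00:01", "192.0.2.10", "198.51.100.77", 40000, 9001)
    # Discard request as described above: a (source, destination) pair with a
    # validity period, plus an anonymous-network address registered as a blacklist.
    req = {"entries": [{"src_ip": "192.0.2.10", "src_l4": None,
                        "dst_ip": "203.0.113.5", "dst_l4": 443, "valid_until": 100}],
           "blacklist": ["198.51.100.77"]}
    return {
        "legit_before": m.process(ok, now=10),
        "request_accepted": m.apply_discard_request(req, sign_request(key, req)),
        "forged_rejected": m.apply_discard_request(req, "00" * 32),
        "spoofed_ip": m.process(spoofed_ip, now=50),
        "stolen_pair_other_port": m.process(stolen_pair, now=50),
        "cnc_blocked": m.process(ok, now=50),
        "cnc_after_expiry": m.process(ok, now=150),
        "tor_blocked": m.process(to_tor, now=50),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```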

Specifically, the packet transfer device according to the present invention comprises:
a plurality of ports or a plurality of channels that accommodate at least one node or at least one entity, which mutually encapsulate packets in frames for transmission and reception;
a multi-layer binding table that stores the correspondence between the identification information of the port or channel, the source physical address of the frame transmitted by the node or entity, and the source logical address of the packet extracted by decapsulating the frame; and
a transfer unit that searches the multi-layer binding table using the port or channel on which the frame was received as the key and, when the pair of the source physical address and the source logical address of the frame exists in the binding table, encapsulates the packet extracted from the frame in a frame and transfers it to the next-hop node toward the destination logical address of the packet, and, when the pair does not exist in the multi-layer binding table, discards the packet.

Specifically, the packet transfer device according to the present invention comprises:
a plurality of ports or a plurality of channels that accommodate at least one node or at least one entity, which mutually encapsulate packets in frames for transmission and reception;
a multi-layer binding table that stores the correspondence between the identification information of the port or channel, the source physical address of the frame transmitted by the node or entity, and the source logical address of the packet extracted by decapsulating the frame; and
a transfer unit that searches the multi-layer binding table using the port or channel on which the frame was received as the key and, when the pair of the source physical address and the source logical address of the frame exists in the binding table, transfers the packet extracted from the frame to a router that forwards it toward the destination logical address of the packet, and, when the pair does not exist in the multi-layer binding table, discards the packet.

The packet transfer device according to the present invention may comprise a control unit that,
for an authentication request packet or frame sent, together with the identification information of the receiving port or channel, from the transfer unit of another packet transfer device connected in advance, mediates the authentication request to an authentication server, acquires the authentication result issued by the authentication server, and makes the communication service quality determined on the basis of that authentication result a subject of storage in the multi-layer binding table;
confirms, via the port or channel, the existence of the node or entity that issued the authentication request and updates the multi-layer binding table; and
communicates the multi-layer binding table to the transfer unit of the other packet transfer device;
and the transfer unit
may update the multi-layer binding table communicated by the control unit.

In the packet transfer device according to the present invention,
the discard table of the transfer unit may be updated in response to a discard request accepted from any node or entity connected to the port or channel, or to a discard request acquired by periodically accessing a predetermined node or entity,
and the transfer unit
may discard frames or packets that match the discard table.

In the packet transfer device according to the present invention,
the transfer unit and the control unit, cooperating with each other, may
respond to an address resolution request frame addressed to the device itself that was broadcast by the node or entity by broadcasting an address resolution request frame to that node or entity from the same port or channel, and
verify and authenticate the authenticity of the physical address and logical address of the node or entity by comparing the pair of the source physical address and source logical address of the address resolution response frame returned via that port or channel with the pair of the source physical address and source logical address of the address resolution request frame addressed to the device itself.

In the packet transfer device according to the present invention,
the control unit and the transfer unit may,
when the node or entity has a fixed process identification address, make that process identification address a subject of storage in the multi-layer binding table.

The packet transfer device according to the present invention
may be an integrated structure that includes some or all of the functions of DHCP (Dynamic Host Configuration Protocol), a layer 2 switch, and W-LAN (Wireless Local Area Network).

In the packet transfer device according to the present invention,
the transfer unit or the control unit may,
when it receives a packet transmitted by an authenticated node or entity, write a value predetermined according to the communication protocol of the packet into a predetermined field of the received packet; and, when it receives a packet transmitted by an unauthenticated node or entity, it may reset that predetermined field.

Specifically, the packet transfer system according to the present invention comprises
a packet transfer device arranged on the Internet user side, and
a packet transfer device arranged on the Internet side, wherein the packet transfer device arranged on the Internet side blocks inflow into the Internet even when address-spoofed packets are sent that bypass or slip through the packet transfer device arranged on the Internet user side.

Specifically, the packet transfer method according to the present invention has a transfer step of
searching a multi-layer binding table, which stores the correspondence between the identification information of a plurality of ports or a plurality of channels accommodating at least one node or at least one entity that mutually encapsulate packets in frames for transmission and reception and the source physical address and source logical address of the frame transmitted by the node or entity, using as the key the identification information of the port or channel on which a frame arrived; and,
when the pair of the source physical address and the source logical address of the frame exists in the binding table, encapsulating the packet extracted from the frame in a frame and transferring it to the next-hop node toward the destination logical address of the packet, and, when the pair does not exist in the multi-layer binding table, discarding the packet.

Specifically, the packet transfer method according to the present invention has a transfer step of
searching a multi-layer binding table, which stores the correspondence between the identification information of a plurality of ports or a plurality of channels accommodating at least one node or at least one entity that mutually encapsulate packets in frames for transmission and reception and the source physical address and source logical address of the frame transmitted by the node or entity, using as the key the identification information of the port or channel on which a frame arrived; and,
when the pair of the source physical address and the source logical address of the frame exists in the binding table, transferring the packet extracted from the frame to a router that forwards it toward the destination logical address of the packet, and, when the pair does not exist in the multi-layer binding table, discarding the packet.
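As an added illustration (not code from the patent), the transfer step of the device and method described above, together with the discard-table handling and the fixed process identification address described earlier, in Python: a binding is keyed by the receiving port or channel, an unbound (source MAC, source IP) pair on that port is treated as address spoofing and dropped, a server's well-known port may be part of its binding, and discard requests from other nodes carry their own validity period. The port names, addresses, routes and the "upstream-iMLBR" next hop are constructed sample values.

```python
"""Multi-layer binding (MLB) forwarding decision of an eMLBR/iMLBR transfer unit:
the receiving port/channel is the lookup key, the (source MAC, source IP) pair must
be bound on that port, and a discard table built from other nodes' requests is
consulted first. Addresses, ports and routes below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One decapsulated frame as the transfer unit sees it."""
    port: str                       # identification of the receiving port/channel
    src_mac: str                    # source physical address (layer 2)
    src_ip: str                     # source logical address (layer 3)
    dst_ip: str                     # destination logical address
    src_proc: Optional[int] = None  # process identification address (well-known port)


class MLBTable:
    """(port, MAC, IP) bindings, each with a validity period (the page's example: 4 hours)."""

    def __init__(self, ttl: float = 4 * 3600):
        self.ttl = ttl
        # (port, mac, ip) -> (expiry, fixed process id or None)
        self._entries: dict[tuple, tuple[float, Optional[int]]] = {}

    def bind(self, port, mac, ip, now, proc=None):
        """Called by the control unit after authentication / existence confirmation."""
        self._entries[(port, mac.lower(), ip)] = (now + self.ttl, proc)

    def is_bound(self, pkt: Packet, now) -> bool:
        """Expired entries count as absent; a stored fixed process id must match too."""
        entry = self._entries.get((pkt.port, pkt.src_mac.lower(), pkt.src_ip))
        if entry is None or entry[0] <= now:
            return False
        return entry[1] is None or entry[1] == pkt.src_proc


class DiscardTable:
    """Rules from discard requests (ReN/DeN/ShN); each rule is a partial match on
    Packet fields (absent field = wildcard) with its own validity period."""

    def __init__(self):
        self._rules: list[tuple[dict, float]] = []

    def add_request(self, now, ttl, **fields):
        self._rules.append(({k: v for k, v in fields.items() if v is not None}, now + ttl))

    def matches(self, pkt: Packet, now) -> bool:
        self._rules = [(f, e) for f, e in self._rules if e > now]  # purge expired rules
        return any(all(getattr(pkt, k) == v for k, v in f.items()) for f, _ in self._rules)


class TransferUnit:
    """Discard table first, then MLB lookup, then routing toward the destination."""

    def __init__(self, mlb, discard, routes=None, router=None):
        # routes: {prefix: next hop} for the next-hop variant; router: the fixed
        # upstream router for the filtering-device variant placed in front of it.
        self.mlb, self.discard, self.router = mlb, discard, router
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in (routes or {}).items()]

    def decide(self, pkt: Packet, now):
        if self.discard.matches(pkt, now):
            return ("DROP", "discard table")
        if not self.mlb.is_bound(pkt, now):
            return ("DROP", "address spoofing: no MLB binding on " + pkt.port)
        if self.router is not None:
            return ("FORWARD", self.router)
        dst = ipaddress.ip_address(pkt.dst_ip)
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return ("FORWARD", best[1]) if best else ("DROP", "no route")


def demo():
    """Run constructed packets through an eMLBR transfer unit; returns the decisions."""
    now = 1000.0
    mac_tv, mac_srv = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    mlb = MLBTable()
    mlb.bind("port1", mac_tv, "192.168.1.10", now)            # authenticated smart TV
    mlb.bind("port3", mac_srv, "192.168.1.20", now, proc=80)  # server with fixed well-known port
    discard = DiscardTable()
    tu = TransferUnit(mlb, discard, routes={"0.0.0.0/0": "upstream-iMLBR",
                                             "192.168.1.0/24": "local"})
    ok = Packet("port1", mac_tv, "192.168.1.10", "203.0.113.5")
    out = {
        "bound": tu.decide(ok, now),
        "spoofed_ip": tu.decide(Packet("port1", mac_tv, "198.51.100.7", "203.0.113.5"), now),
        "wrong_port": tu.decide(Packet("port2", mac_tv, "192.168.1.10", "203.0.113.5"), now),
        "server_ok": tu.decide(Packet("port3", mac_srv, "192.168.1.20", "203.0.113.5", 80), now),
        "server_other_proc": tu.decide(Packet("port3", mac_srv, "192.168.1.20", "203.0.113.5", 22), now),
    }
    # A detecting node asks for traffic toward 203.0.113.5 to be discarded for 10 minutes.
    discard.add_request(now, ttl=600, dst_ip="203.0.113.5")
    out["after_discard_request"] = tu.decide(ok, now)
    out["discard_expired"] = tu.decide(ok, now + 601)           # rule gone, binding still valid
    out["binding_expired"] = tu.decide(ok, now + 4 * 3600 + 1)  # binding past its validity period
    return out
```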

If the packet transfer device according to the present invention is deployed as a so-called edge router (iMLBR 11) at the edge of the Internet 10, it blocks the inflow of address-spoofed packets, attack packets and illegal packets into the Internet 10. Furthermore, if the packet transfer device according to the present invention is deployed on the Internet user side as a so-called broadband router or the like (eMLBR 12), it blocks the outflow of address-spoofed packets, attack packets and illegal packets to the Internet 10.

An example of a configuration diagram of a network according to this embodiment.
An example of a configuration diagram of an eMLBR according to this embodiment.
An example of a configuration diagram of an iMLBR according to this embodiment.
An example of the components of a network having a plurality of communication functions according to this embodiment.
An example of the authentication between an IEEE 802.1X-incompatible node and an eMLBR using ARP reflection, and of the uplink packet transfer sequence, according to this embodiment.
An example of a configuration diagram in the communication procedure according to this embodiment.
An example of a table in the communication procedure according to this embodiment.
An example of a flowchart in the communication procedure according to this embodiment.
Evaluation results obtained by applying the packet transfer method according to this embodiment.
Evaluation results obtained by applying the packet transfer method according to this embodiment.
An example of the configuration of a network having a plurality of communication functions according to this embodiment.
An example of the authentication between an IEEE 802.1X-compatible node and an eMLBR, and of the uplink packet transfer sequence, according to this embodiment.
An example of a network having a plurality of communication functions according to this embodiment.
An example of the mutual authentication between an eMLBR-R (for ordinary homes) and an iMLBR, and of the uplink packet transfer sequence, according to this embodiment.
An example of the configuration of a network having a plurality of communication functions according to this embodiment.
An example of the configuration of a network having a plurality of communication functions according to this embodiment.
An example of the evaluation environment for the responsiveness evaluation of a TV online data service under bandwidth limitation according to this embodiment.
An example of the flow table for the responsiveness evaluation of the TV online data service according to this embodiment.
Evaluation results of the responsiveness evaluation of the TV online data service according to this embodiment.
Evaluation results of the responsiveness evaluation of the TV online data service according to this embodiment.
An example of the sequence operation between an IEEE 802.1X-compatible terminal and the eMLBR 12 according to this embodiment.
An example of applying IPv6 in the packet transfer system according to this embodiment.
An example of a configuration diagram of a network according to this embodiment.

Embodiments of the present invention are described in detail below with reference to the drawings. The present invention is not limited to the embodiments shown below; they are merely examples, and the present invention can be implemented in forms incorporating various modifications and improvements based on the knowledge of those skilled in the art. In this specification and the drawings, components bearing the same reference numeral denote the same element.

Furthermore, the terms explained below, as used in each embodiment, apply in common to all embodiments.

Internet: In general, computers interconnected via digital transmission media are called a computer network or physical network, and computer networks interconnected via packet transfer devices (routers or layer 3 switches) are called an internetwork. The Internet is the proper noun for the worldwide, open internetwork that interconnects the computer networks operated by ISPs; it provides packet communication services using the TCP/IP protocol suite. To use the Internet's packet communication services, a home router or the like (eMLBR) deployed in the user-side network must connect, via a leased line or a public access line (telephone line, ISDN line, ADSL line, optical line, wireless line, etc.), to an edge router (iMLBR) deployed at the edge of the Internet. Mobile communication networks formerly used proprietary protocol suites modeled on TCP/IP, but with the introduction of smartphones and the like, IP networks using TCP/IP have come into operation, and NGN (Next Generation Network) also provides TCP/IP-based packet communication services. In this specification these are also included as components of the Internet.

Packet: The transfer unit (PDU: Protocol Data Unit) at layer 3 (network layer) for communication between end nodes; it contains the source and destination logical addresses, the packet type and user data. It includes IP packets per the RFC 791 standard and X.25 packets per the ITU-T recommendation.

Frame: The layer 2 (data link layer) PDU for communication between nodes within a single physical network directly connected via a digital transmission medium. A packet is encapsulated in a predetermined format (including adding a MAC header and trailer, adding a SecTAG and encrypting the payload with MACsec or the like) and transmitted. The receiving side decapsulates the frame (including error checking, message authentication with MACsec or the like, and decryption of the encrypted payload) to extract the packet. Besides MAC frames, this includes PPP (Point to Point Protocol) frames, HDLC (High-Level Data Link Control) frames, ATM (Asynchronous Transfer Mode) cells and the like.

Node: The term "node" is used generically for hosts, which generate and send/receive user packets, and for routers and layer 3 switches, which relay and forward packets without generating user packets. Furthermore, since the Internet has a hierarchical and recursive structure, a network, being a set of nodes, can itself be treated as a node; in this specification a network is also treated as a kind of "node".

Entity: Users, processes, clients, servers, mail accounts, vendor-specific entities such as NetBIOS names and host names, and groups composed of these.

Port: A physical port (a so-called LAN or router switch port), a virtual port configured in software over an existing physical connection, an interface for inputting and outputting data to and from the outside, and the like; each is identified and managed by identification information within its device.

Channel: Channel identification information such as a secure channel identifier (SCI: Secure Channel Identifier) identifiable by a shared key, as in MACsec, or a source MAC address may be used as channel identification information. This also includes channels, slots, connections, sessions, flow labels and the like assigned to nodes or entities using the time slots, spreading codes and resource blocks of TDMA, CDMA, OFDMA and the like used in mobile communications; each is identified and managed within a device or across multiple devices.

Multi-Layer Binding Router (MLBR): A term used to express the characteristics of the packet transfer device according to the present invention. One arranged on the user side to block the outflow of address-spoofed packets, attack packets and illegal packets to the outside (Internet) is called an eMLBR (egress MLBR); one arranged as a so-called edge router at the edge of the Internet to block the inflow of address-spoofed packets, attack packets and illegal packets into the Internet is called an iMLBR (ingress MLBR). Further, an eMLBR deployed in a home is called eMLBR-R (Residence), in an organization such as a company eMLBR-O (Organization), in a data center eMLBR-C (Data Center), in a wireless LAN spot service eMLBR-W (W-LAN Spot Service), in a wireless sensor network or IoT eMLBR-S (Sensor Network), and in a mobile communication network eMLBR-M (Mobile Network); functions can be selected or added as appropriate for these various uses and forms.
The same effect is obtained by arranging it as a multi-layer binding filtering device in front of an existing router.

Multi-Layer Binding (MLB) table: A table that stores the correspondence between port or channel identification information, the source physical address (a layer 2 (data link layer) address such as a so-called MAC address or the VPI (Virtual Path Identifier)/VCI (Virtual Channel Identifier) used in ATM) and the source logical address (a so-called IPv4 address, IPv6 address, carrier-specific layer 3 (network layer) address or the like), with a predetermined validity period (e.g. 4 hours). For servers, the source process identification address (so-called well-known port number) may also be added to the MLB table in addition to the above.

Discard table: A table generated and updated on the basis of discard request information sent mainly from a victim node ReN under cyber attack; from a node DeN that analyzes packets sent by a node ReN which has judged itself to be under cyber attack or has detected packets believed to be cyber attack packets, and certifies the attack or damage; or from a node ShN that distributes discard request information to the whole Internet. It manages some or all pairs of destination/source physical addresses, destination/source logical addresses and destination/source process identification addresses, anonymous addresses, and their validity periods.

IEEE 802.1X: An authentication standard used when connecting to wired or wireless LANs, which prevents anything other than authenticated nodes and entities from connecting to the network. In the present invention, IEEE 802.1X authentication is not confined to LAN switches (data link layer) but is applied to packet transfer devices (network layer) such as layer 3 switches and routers. Besides TLS (Transport Layer Security), which is used in the description of this embodiment, IEEE 802.1X authentication methods include MD5 (Message Digest Algorithm 5), LEAP (Lightweight Extensible Authentication Protocol), EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), TTLS (Tunneled Transport Layer Security) and PEAP (Protected EAP); although their authentication methods and levels differ, these may also be applied.

Supplicant: In the authentication of nodes and entities on a network, the side that requests authentication and is authenticated, i.e. the client-side device, software or entity. Windows (Windows is a registered trademark) 2000 (SP4), Windows XP and later versions of Windows, and Mac OS X have an IEEE 802.1X supplicant function built in as standard.

Authenticator: Receives requests from a supplicant, mediates the exchange with the authentication server, and acts as a proxy that decides whether the supplicant may connect and its level of communication service quality.

Authentication server: (Mutually) verifies the authenticity of a node or entity using a client ID and password or a digital certificate, and notifies the authenticator whether to permit access from the client. Includes RADIUS (Remote Authentication Dial In User Service), LDAP (Lightweight Directory Access Protocol), the HLR (Home Location Register) used in mobile communications, and vendor-specific authentication mechanisms such as Microsoft's Active Directory.

Communication service quality (QoS (Quality of Service)): Confidential communication, bandwidth limitation, bandwidth guarantee, delay/jitter guarantee, censorship, restriction of destination IP addresses, restriction of permitted protocols, connection refusal, recording of communication content, and the like.

OpenFlow: A network or concept in which the network configuration, functions and performance can be set and changed dynamically by software is called an SDN (Software Defined Network). OpenFlow is one of the technical standards for realizing SDN, developed with load balancing in cloud computing and the like in mind; it consists of the "OpenFlow controller", which handles route control, the "OpenFlow switch", which handles the data transfer function, and the "OpenFlow protocol", through which the controller and switches communicate.

ARP reflection (ARPF): A function defined in the present invention for simply verifying the authenticity of the logical and physical addresses of nodes or entities that do not support IEEE 802.1X, such as so-called smart appliances like digital televisions, existing home routers and IoT devices, and for blocking address-spoofed packets. Specifically, when a node starts communicating with another network it sends an address resolution (ARP (Address Resolution Protocol)) request packet via the port or channel of the default gateway (DGW); if the node is not spoofing its addresses, it should return an ARP response to an ARP request from the DGW. Hence the eMLBR or iMLBR functioning as the DGW sends an ARP request back to the node that sent the ARP request, through the same port or channel; this is called ARP reflection.
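Added example (not code from the patent) of the ARP reflection check described in this definition and in the cooperation between the transfer unit and control unit above, in Python: the gateway answers a node's ARP request for the gateway address with its own ARP request for the node's claimed address on the same port, and produces an MLB binding only when the replies' sender pair equals the original request's sender pair. The gateway address, port name and the hosts present on the segment are constructed.

```python
"""ARP reflection (ARPF): a default gateway verifying the (MAC, IP) pair of a node
that cannot run an IEEE 802.1X supplicant before binding it in the MLB table."""
from dataclasses import dataclass
from typing import Callable, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
GW_MAC, GW_IP = "02:00:00:00:00:01", "192.168.1.1"   # constructed gateway addresses


@dataclass(frozen=True)
class ArpFrame:
    port: str         # port/channel on which the frame was received or is sent
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


# A segment is simulated as a function that takes the gateway's reflected ARP
# request and returns the replies that come back on that port (possibly none).
Segment = Callable[[ArpFrame], list[ArpFrame]]


def reflect(request: ArpFrame, segment: Segment) -> Optional[tuple[str, str, str]]:
    """Handle an ARP request addressed to the gateway itself.

    Returns (port, mac, ip) to be bound in the MLB table when every reply to the
    reflected request on the same port comes from exactly the (MAC, IP) pair that
    sent the original request; otherwise None (the node stays unauthenticated)."""
    if request.op != ARP_REQUEST or request.target_ip != GW_IP:
        return None   # only requests for the gateway's own address trigger ARPF
    # Reflected request: ask "who has <sender_ip>?" back out of the same port.
    reflected = ArpFrame(request.port, ARP_REQUEST, GW_MAC, GW_IP, BROADCAST, request.sender_ip)
    answering = {
        (r.sender_mac, r.sender_ip)
        for r in segment(reflected)
        if r.port == request.port and r.op == ARP_REPLY
        and r.target_mac == GW_MAC and r.sender_ip == request.sender_ip
    }
    # No reply (claimed IP is not live) or a reply from a different MAC (claimed IP
    # belongs to another device) both leave the pair unverified.
    if answering == {(request.sender_mac, request.sender_ip)}:
        return (request.port, request.sender_mac, request.sender_ip)
    return None


def make_segment(hosts: dict[str, str], port: str) -> Segment:
    """Constructed segment: hosts maps IP -> MAC of the devices really present on
    `port`; each device answers an ARP request for its own IP with its real MAC."""
    def segment(req: ArpFrame) -> list[ArpFrame]:
        if req.port != port:
            return []
        mac = hosts.get(req.target_ip)
        if mac is None:
            return []      # nobody holds that IP: the reflected request times out
        return [ArpFrame(port, ARP_REPLY, mac, req.target_ip, req.sender_mac, req.sender_ip)]
    return segment


def demo():
    """Three constructed nodes sending the initial ARP request to the gateway."""
    tv, other = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    seg = make_segment({"192.168.1.10": tv, "192.168.1.20": other}, "port1")
    honest = ArpFrame("port1", ARP_REQUEST, tv, "192.168.1.10", BROADCAST, GW_IP)
    # Sender IP is held by the other device, which answers the reflected request itself.
    mismatched_ip = ArpFrame("port1", ARP_REQUEST, tv, "192.168.1.20", BROADCAST, GW_IP)
    # Sender IP is held by nobody on the segment, so no reply arrives.
    unknown_ip = ArpFrame("port1", ARP_REQUEST, tv, "192.168.1.99", BROADCAST, GW_IP)
    return {"honest": reflect(honest, seg),
            "mismatched_ip": reflect(mismatched_ip, seg),
            "unknown_ip": reflect(unknown_ip, seg)}
```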

FIG. 2 shows a configuration example of the egress multi-layer binding packet transfer device eMLBR according to this embodiment, and FIG. 3 shows a configuration example of the ingress multi-layer binding packet transfer device iMLBR. In this embodiment, the eMLBR 12 and the iMLBR 11 function as packet transfer devices.

FIG. 2 is a diagram showing an example in which almost all the functions required for the eMLBR 12 deployed on the user side are implemented. For eMLBR-R, eMLBR-O, eMLBR-C, eMLBR-W, eMLBR-S, eMLBR-M and so on, the functions are selected and implemented according to the application. The packet transfer device according to this embodiment may also be an integrated structure having functions such as DHCP, W-LAN and layer 2/VLAN; in that case a packet transfer device that makes network management easy can be provided. Conversely, although network management becomes more complicated, DHCP, W-LAN, layer 2/VLAN and the like may be deployed as separate devices. Furthermore, where an existing router is used for the routing function, the device may be arranged in front of that router as an egress multi-layer binding filtering device in which the function units related to routing are not implemented or are disabled. Specifically, the transfer unit 14 of the eMLBR 12 functioning as a packet transfer device searches the MLB table using the port or channel on which the frame/packet was received as the key; when the pair of the source physical address and the source logical address of the frame/packet exists in the MLB table it may transfer the packet to the router that forwards it toward the packet's destination logical address, and when the pair does not exist in the MLB table it may discard the packet.

The eMLBR 12 includes a control unit 15. The control unit 15 may further include: a processing request reception unit that accepts packets and frames such as DHCP requests, address resolution requests and authentication requests passed from the transfer unit 14 together with the identification information of the receiving port or channel; an authentication unit that authenticates nodes not supporting IEEE 802.1X, such as digital televisions and IoT devices, by ARP reflection, and performs mutual authentication with the iMLBR 11 by exchanging digital certificates and the like; an authentication mediation unit that acts as an authenticator and mediates to the authentication server; an authentication result acquisition unit that obtains the authentication results from the authentication unit and the authentication server; an MLB table generation/update unit that generates and updates, as an MLB table with a validity period attached, the correspondence between port or channel identification information, source physical address, source logical address and the like; an existence confirmation unit that confirms the existence of a node or entity whose communication has been permitted and renews the validity period of the MLB table; an encryption key generation/exchange unit that generates and exchanges encryption keys by MACsec or the like; a discard table generation/update unit that generates and updates, with a validity period attached, a discard table based on discard requests from other nodes; a QoS determination unit that determines the communication service quality according to the authentication result (authentication level); a DHCP unit that assigns IP addresses to nodes that issue DHCP requests and provides the information needed to connect to the network, such as the netmask and the IP address of the DGW; a NAT table generation unit that generates the NAT table for translating the logical addresses and process identification addresses used under the eMLBR 12 into the logical addresses and process identification addresses used on the external network; a processing result transmission unit that passes to the transfer unit 14 the processing results of these function units, the ARP request packets for ARP reflection generated by the authentication unit, the existence confirmation packets generated by the existence confirmation unit, and so on; and, although not shown in the figure, the functions required to control the transfer unit 15, for example its layer 2/VLAN switch unit, an IPsec tunnel mode function, an integrity check function that verifies that the control program, tables and the like of the eMLBR 12 have not been tampered with by an intruder, and a version upgrade function for closing security holes discovered after deployment and adding new functions.

The eMLBR 12 further includes a transfer unit 14. The transfer unit 14 may further include: a port unit that provides the plurality of physical ports needed for wired (Ethernet (Ethernet is a registered trademark), optical signals and the like) and/or wireless (wireless LAN, mobile communication and the like) communication, and/or a channel unit that provides a plurality of channels; a physical signal reception/decoding unit; a physical signal generation/transmission unit; an encryption/decryption unit; a reception buffer unit and a transmission buffer unit that temporarily buffer packets or frames; a frame decapsulation unit that extracts packets from received frames and a frame encapsulation unit that does the reverse; a layer 2/3/4 address extraction unit that extracts the source and destination physical addresses, source and destination logical addresses, and source and destination process identification addresses of received frames and packets; a QoS provision unit that provides the communication service quality specified for a port or channel; a layer 2/VLAN switch unit that provides layer 2 switching and VLAN functions; an MLB table unit that stores the MLB table; a discard table unit that stores the discard table; a packet discard unit that searches the MLB table and the discard table and discards packets; a layer 3 switch unit that forwards packets by referring to the routing table; a processing request transmission unit that passes frames or packets such as DHCP requests, address resolution requests and authentication requests to the above-mentioned reception unit of the control unit 15 and requests processing; and a processing result reception unit that applies or relays the processing results passed from the control unit 15 to the corresponding function units.

FIG. 3 shows an example in which almost all the functions required for the iMLBR 11 deployed at the edge of the Internet 10 are implemented. Since the function of each function unit is almost the same as that of the eMLBR 12 in FIG. 2, detailed description is omitted; note, however, that the NAT function and the layer 2/VLAN function are in principle unnecessary. The packet transfer device according to the present embodiment may be an integrated structure having functions such as DHCP; in this case a packet transfer device that makes network management easy can be provided. Alternatively, although network management becomes more complicated, DHCP and the like may be deployed as separate devices. Furthermore, where an existing router is used for the routing function, the device may be placed in front of the existing router as an ingress multilayer binding filtering device in which the function unit for routing is not implemented or is disabled. Specifically, the transfer unit 14 of the iMLBR 11 functioning as a packet transfer device may search the MLB table using the port or channel on which the frame/packet was received as the key, and, when the pair of the source physical address and the source logical address of the frame/packet exists in the binding (MLB) table, transfer the packet to the router that forwards it toward the destination logical address of the packet, and discard the packet when the pair does not exist in the MLB table.

The iMLBR 11 includes a control unit 15, which authenticates nodes not supporting IEEE 802.1X and performs mutual authentication between the eMLBR 12 and the iMLBR 11 by exchanging digital certificates and the like. The iMLBR 11 also includes a transfer unit 14, whose physical signal reception/decoding unit and generation/transmission unit have the functions required for wired (Ethernet (Ethernet is a registered trademark), optical signals and the like) and wireless (wireless LAN, mobile communication and the like) communication.

(Embodiment 1)
In the present embodiment, an operation example is described of the authentication by the eMLBR 12, using ARP reflection (ARPF), of hosts that do not support IEEE 802.1X, such as digital televisions, multifunction devices combining fax, scanner and printer functions, and IoT devices, together with the uplink packet transfer sequence. FIG. 4 shows the network configuration according to the present embodiment. The network configuration in FIG. 4 consists of the Internet 10 including the iMLBR 11, a node not supporting IEEE 802.1X, and the eMLBR 12.

The sequence diagram in FIG. 5 shows the authentication and uplink packet transfer sequence between a node not supporting IEEE 802.1X, such as a digital television, and the eMLBR 12 using ARP reflection. FIG. 5 describes the user MAC frames/IP packets sent from the node toward the external network (Internet 10). The DHCP protocol exchanges and the like in the present embodiment are described in simplified form (for example, the actual exchange is four messages: DHCP Discover ⇒ DHCP Offer ⇒ DHCP Request ⇒ DHCP ACK). To keep the figure and the description from becoming cluttered, the function units of the transfer unit 14 and the control unit 15 involved in each step are also omitted.

The operation of the sequence diagram in FIG. 5 is described below. When a node not supporting IEEE 802.1X starts communicating with another node, it broadcasts a DHCP request packet (step S111). The eMLBR 12 that receives the DHCP request provisionally registers, in MLB table A of the control unit 15, the correspondence between the identification information of the receiving port, the MAC address of the node, and the IP address to be assigned as the node's private IP address (step S112). The node receives a DHCP response packet assigning the IP address together with the information required to connect to the network, such as the netmask of the eMLBR 12 and the IP address of the DGW (step S113). The node that received the DHCP response broadcasts an ARP request packet requesting resolution of the DGW address (step S114).

The eMLBR 12 that receives the ARP request packet broadcasts an ARP request packet (ARPF request) to the node and receives the node's ARP response packet (steps S115 and S116), on the reasoning that a node that is not spoofing its address should answer an ARP request from the eMLBR 12. The eMLBR 12 searches MLB table A of the control unit 15 using the port on which the ARP response packet was received as the key; if the pair of source IP address and source MAC address of the ARP response is not present, the provisionally registered correspondence is deleted from MLB table A (steps S117 and S118). If it is present in MLB table A, the QoS is determined (for example, an uplink bandwidth of 10 kbps, as described later), a validity period (for example, 4 hours) is set, and the entry is regularly registered in MLB table A of the transfer unit 14 (step S119).

Next, after the eMLBR 12 has returned the ARP response of step S120 in reply to the node's first ARP request (DGW address resolution, step S114), when the eMLBR 12 receives a user MAC frame/IP packet sent by the node (step S121), it checks whether the source IP address and source MAC address of the received user MAC frame/IP packet exist in MLB table A of the transfer unit 14 (step S122); if they do not, it discards the packet sent by the node (step S123).

If they exist in MLB table A of the transfer unit 14, the packet is handled with the QoS determined in step S119, its address is translated from the private IP address to the global IP address by referring to the NAT table, and it is encapsulated in a MAC frame and transferred to the next-hop node, the iMLBR 11, which receives the MAC frame/IP packet (step S124). Note that the ARP response of step S120 may be omitted, since the node already learned the MAC address of the eMLBR 12 from the ARP request (ARPF request) of step S115.

The control unit 15 of the eMLBR 12 in the present embodiment may also, in cooperation with the transfer unit 14, confirm the existence of the node or entity on its port or channel as appropriate (not necessarily periodically) (steps S128 and S129), and update MLB table A (extend the validity period) according to the result in step S130.

The iMLBR 11 (ISP edge router) uses the identification information of the port on which the packet transferred in step S124 was received as the key to check whether the pair of the packet's IP address (the global IP address assigned to the eMLBR 12) and MAC address (that of the eMLBR 12) exists in MLB table B of the transfer unit 14 (step S125); if it does not exist in MLB table B, the packet is discarded (step S126). If it exists in MLB table B of the transfer unit 14, the packet is transferred to the next-hop node with the QoS determined in advance when the eMLBR 12 was authenticated (without bandwidth limitation if the eMLBR 12 was authenticated by the iMLBR 11 as an IEEE 802.1X node) (step S127).

When authentication is performed by ARP reflection according to the present embodiment, the terminal cannot be said to be as secure as one authenticated by IEEE 802.1X using an ID and password or a digital certificate; that is, its authentication level is low. Even so, if the QoS limits the uplink bandwidth toward the Internet 10 to about 10 kbps while the downlink is left unlimited, a television viewer will notice nothing unusual in remote-control data exchanges with the broadcaster, screen transitions, or other Internet services accessed through the television.

Consequently, even if unprotected smart appliances or IoT devices, which lack OS updates and firewall functions and can become a breeding ground for cyber attacks, are infected with a bot virus or have malware embedded during manufacturing and are made to take part in a DRDoS attack (sending large numbers of packets with the source IP address spoofed to that of the attack target) or a DDoS attack (sending large numbers of packets to the target's IP address while randomly changing the source IP address), the leakage of address-spoofed packets into the Internet 10 can be prevented, and only those attack packets whose source IP address happens to match the terminal's own flow into the Internet 10, so the damage is minimized. Furthermore, Embodiment 5 described later can also prevent attack packets from flowing out to or into the Internet 10 for a long period.

In the present embodiment ARP reflection is performed in response to an ARP request from the node, but authentication by verifying the authenticity of the IP address and MAC address may take various other forms. For example, when a node that has cached the IP address and MAC address of the eMLBR 12 sends an ICMP echo request (reachability check) to the eMLBR 12 and the eMLBR 12 holds no MLB table entry corresponding to that packet/frame, the eMLBR 12 may send an echo request (echo reflection) or an ARP request to the node, compare the source IP address and source MAC address of the response packet/frame with those of the node's echo request packet/frame, and register the pair in the MLB tables of the control unit 15 and the transfer unit 14 if they match.

Here, FIG. 6 shows an experimental example of ARP reflection communication using OpenFlow. Host #A is attempting to communicate with host #B via the eMLBR 12. The eMLBR 12 runs OpenFlow and functions as the packet transfer device according to the present embodiment. The eMLBR 12 consists of two parts: an OpenFlow controller 15, which is the control unit 15, and an OpenFlow switch 14, which is the transfer unit 14. The OpenFlow switch 14 holds the MLB table. In FIG. 6, the ARP request that host #A sends to resolve the DGW address (step S211) is sent to the OpenFlow controller 15, which generates an ARP request (ARPF) for host #A and sends it to host #A via the OpenFlow switch (step S212). As explained above, this rests on the assumption that a party spoofing its address would not return an ARP response; a party not spoofing its address returns an ARP response (step S213), and the OpenFlow controller verifies authenticity by comparing the IP address and MAC address of the ARP request sent in step S211 with those of the ARP response returned in step S213. If they match, the pair is provisionally registered in the MLB table of the OpenFlow controller 15 and regularly registered in the MLB table of the OpenFlow switch 14 by a Flow Mod.

Trema-edge was used as the development framework for the OpenFlow controller 15 and installed on a PC (OS: Ubuntu 12.04 (x64), CPU: Celeron 440 @ 2.00 GHz, memory: 2 GB); Open vSwitch 2.0.0 was installed on another PC of the same specification as the OpenFlow switch 14 and operated as a layer 3 switch. In this program, the correspondence between the IP addresses and MAC addresses accepted on each port of the switch is provisionally registered in the MLB table of the OpenFlow controller 15 and regularly registered in the MLB table of the OpenFlow switch 14.

Next, the operation of the present embodiment is described with reference to FIGS. 6, 7 and 8. FIG. 7 shows the configuration of the flow tables and FIG. 8 the transitions between them. All ARP request and ARPF-related packets arriving at the OpenFlow switch 14, which functions as the switch, are sent to the OpenFlow controller 15 by Packet-In to ask how they should be handled (table 0 in FIGS. 7 and 8); other packets are routed only after passing through a series of flow table transitions (pipeline processing), or else a Packet-In query to the controller is generated (table 180 in the same figures).

The OpenFlow switch 14, on receiving the ARP request sent by host #A on port 1, performs a Packet-In to the OpenFlow controller 15 in table 0 of FIGS. 7 and 8 (steps S211 and S311). Using the receiving port 1 as the key, the OpenFlow controller 15 provisionally registers the pair of source IP address and source MAC address of the received ARP request frame/packet in its internal MLB table. The OpenFlow controller 15 then sends an ARP request to the OpenFlow switch 14 by Packet-Out as the ARP reflection, and the switch sends it to host #A from port 1 (step S212). When the OpenFlow switch 14 receives on port 1 the ARP response returned by host #A, it again generates a Packet-In to the controller (steps S213 and S312). The controller searches its internal MLB table with port 1 as the key, and if the pair of source IP address and source MAC address of host #A's ARP response is present, it judges that the node with that pair actually exists and authenticates it. The controller then performs a Flow Mod on the switch (step S214), writing a flow entry with "port: 1" as the match condition into the physical port table (table 60) and a flow entry with that pair as the match condition into the MLB table (table 101) (regular registration). As a result, any IP packet received on port 1 with a source pair other than the above is discarded.
It was confirmed, using the flow entry listing command, that host #A was authenticated by the controller in accordance with the above processing flow and that each flow entry was written into the corresponding table in the switch.

The OpenFlow switch 14 uses pipeline processing: in the course of processing a received packet, it transitions to the MLB table of the receiving port (tables 60 and 101 in FIGS. 7 and 8). If the source IP/MAC address pair is in that port's MLB table, processing proceeds to the routing operation (table 180 in FIG. 7, step S316); if it is not in the MLB table, the packet is discarded (tables 101 and 102 in FIGS. 7 and 8).
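The following Python model is an added example and not the patent's own code nor the Trema-edge/Open vSwitch program it describes. It walks through the ARP-reflection authentication of FIG. 5/FIG. 6 (provisional registration in table A, ARPF request, verification of the reply, Flow Mod) and the per-port MLB filter of the pipeline in FIG. 7 (tables 0, 60, 101, 102, 180), including expiry and existence confirmation (steps S128 to S130); the table ids, the 10 kbps QoS and the 4-hour validity period are taken from the page, while the node's MAC and IP values are constructed.

```python
"""Model of the multilayer binding (MLB) check described on this page:
the controller authenticates a node by ARP reflection and writes a
(MAC, IP) binding for the receiving port into the switch; the switch
pipeline then drops any uplink IP packet whose source pair is not bound
to its port. Constructed example; table ids follow FIG. 7 of the page."""
from dataclasses import dataclass

# Flow table ids as listed on the page (FIG. 7)
TABLE_CLASSIFY, TABLE_PORT, TABLE_MLB, TABLE_DROP, TABLE_ROUTE = 0, 60, 101, 102, 180


@dataclass(frozen=True)
class Frame:
    in_port: int
    src_mac: str
    src_ip: str
    kind: str  # "arp_request", "arp_reply" or "ip"


@dataclass
class Binding:
    """One regularly registered MLB entry (switch side)."""
    expires_at: float  # end of the validity period
    qos_kbps: int      # uplink bandwidth fixed at authentication


class Switch:
    """Transfer unit 14 (OpenFlow switch): holds the MLB table and runs the pipeline."""

    def __init__(self):
        self.mlb = {}  # tables 60/101: in_port -> {(src_mac, src_ip): Binding}
        self.controller = None

    def flow_mod(self, port, mac, ip, binding):
        """Regular registration of a binding for one port (steps S119 / S214)."""
        self.mlb.setdefault(port, {})[(mac, ip)] = binding

    def process(self, frame, now):
        """Returns (action, detail): 'packet_out'/'flow_mod'/'drop' decided by
        the controller for ARP traffic, or 'drop'/'route' from the pipeline."""
        # table 0: ARP and ARPF traffic always goes to the controller (Packet-In)
        if frame.kind != "ip":
            return self.controller.packet_in(frame, now)
        # table 60: select the MLB table of the receiving port
        port_table = self.mlb.get(frame.in_port, {})
        key = (frame.src_mac, frame.src_ip)
        entry = port_table.get(key)
        # table 101 -> 102: an unbound or expired source pair is discarded
        if entry is None or entry.expires_at <= now:
            port_table.pop(key, None)
            return ("drop", TABLE_DROP)
        # table 180: forward with the QoS granted at authentication
        return ("route", entry.qos_kbps)


class Controller:
    """Control unit 15 (OpenFlow controller): table A, ARP reflection, Flow Mod."""
    VALIDITY_SEC = 4 * 3600  # example validity period given on the page
    ARPF_QOS_KBPS = 10       # low authentication level -> about 10 kbps uplink

    def __init__(self, switch):
        self.switch = switch
        switch.controller = self
        self.table_a = {}  # provisional registration: in_port -> (mac, ip)

    def packet_in(self, frame, now):
        pair = (frame.src_mac, frame.src_ip)
        if frame.kind == "arp_request":
            # S112/S211: provisionally register the pair seen on this port,
            # then reflect an ARP request back to the node (S115/S212)
            self.table_a[frame.in_port] = pair
            return ("packet_out", "arpf_request")
        if frame.kind == "arp_reply":
            # S117/S213: the reply must carry the provisionally registered pair
            if self.table_a.get(frame.in_port) != pair:
                self.table_a.pop(frame.in_port, None)  # S118: drop provisional entry
                return ("drop", "arp reply does not match provisional entry")
            del self.table_a[frame.in_port]
            self.switch.flow_mod(frame.in_port, *pair,
                                 Binding(now + self.VALIDITY_SEC, self.ARPF_QOS_KBPS))
            return ("flow_mod", TABLE_MLB)  # S119/S214: regular registration
        return ("drop", "unexpected packet_in")

    def confirm_existence(self, port, mac, ip, now):
        """S128-S130: a node that answers the existence check keeps its binding."""
        entry = self.switch.mlb.get(port, {}).get((mac, ip))
        if entry is None:
            return False
        entry.expires_at = now + self.VALIDITY_SEC
        return True


def authenticate_node(port, mac, ip, now=0.0):
    """Run the FIG. 5 / FIG. 6 exchange for one node; returns (switch, controller)."""
    sw = Switch()
    ctl = Controller(sw)
    sw.process(Frame(port, mac, ip, "arp_request"), now)  # S114 / S211
    sw.process(Frame(port, mac, ip, "arp_reply"), now)    # S116 / S213
    return sw, ctl


if __name__ == "__main__":
    mac, ip = "02:00:00:00:00:01", "192.168.2.10"  # constructed node on port 1
    sw, ctl = authenticate_node(1, mac, ip)
    print(sw.process(Frame(1, mac, ip, "ip"), 1.0))              # ('route', 10)
    print(sw.process(Frame(1, mac, "192.168.2.77", "ip"), 1.0))  # ('drop', 102)
```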

To verify the effectiveness of this implementation example, a SYN flood attack experiment was carried out using the simple attack tool hping3. The experiment of sending 10,000 packets to the attack target while randomly changing the source IP address within the network address range (192.168.2.0/24) was repeated several times. As a result, on average only about 30 of the 10,000 packets reached the target (≈ 10,000 ÷ 256, namely those carrying the attacking host's own IP address), and the log on the switch confirmed that the remaining roughly 9,970 packets were discarded.

In addition, when ICMP echo request packets were sent from host #A to host #B at transmission rates varying from 2.5 kpps to 160 kpps, it was observed, as shown in FIGS. 9 and 10, that with the MLB table function both on (all tables in FIG. 7 active) and off (only table 180 in FIG. 7 active) the proportion of ICMP response packets not arriving at host #A increased as the transmission rate rose; however, the CPU utilization of the OpenFlow switch 14 stayed below 1% and no packet loss was observed at the switch. The reason is that host #A, which was generating and sending ICMP echo request packets while also trying to receive the responses, became overloaded and dropped response packets.

From the above it was confirmed that this implementation works effectively against IP address spoofing and can have sufficient performance at least as a home eMLBR 12.

FIG. 17 shows the evaluation environment for assessing the responsiveness of a TV online data service under bandwidth limitation, and FIG. 18 shows the flow table used in that evaluation. In FIG. 18, NAPT translation causes frequent Packet-Ins, so an NAPT translation module closed within the switch needs to be implemented. FIGS. 19 and 20 show the results of the responsiveness evaluation of the TV online data service: FIG. 19 shows the results with bandwidth (Kbps) on the vertical axis and time (sec) on the horizontal axis, and the results are also shown with display time (sec) on the vertical axis and bandwidth (Kbps) on the horizontal axis.

(Embodiment 2)
In the present embodiment, an operation example of the authentication and uplink packet transfer sequence between a node supporting IEEE 802.1X, such as a personal computer using IEEE 802.1X, and the eMLBR 12 is described. FIG. 11 shows the network configuration according to the present embodiment; it consists of the Internet 10 including the iMLBR 11 and the HRS 23, the node, and the eMLBR 12. Although FIGS. 1, 11, 23 and others depict the HRS 23 as located inside the Internet, this only means that the HRS 23 is strictly managed by a trusted organization such as an ISP so that its authentication data, programs and the like cannot be tampered with by an intruder; it may equally be located outside the Internet, behind the iMLBR 11 or the eMLBR 12. The same applies below.

FIG. 12 shows an example of the sequence operation between a node supporting IEEE 802.1X, such as a personal computer, and the eMLBR 12. FIG. 12 describes the MAC frames/IP packets sent from the node toward the external network (Internet 10). The DHCP protocol, the EAP/RADIUS protocol exchanges including the conversion and relaying of EAP and RADIUS messages by the authenticator, and the MACsec key generation/exchange and MAC frame encryption/decryption of the present embodiment are simplified or omitted, as are the function units of the transfer unit 14 and the control unit 15 involved in each step. The basic sequence is the same for an eMLBR-W equipped with a wireless LAN function and the like.

Note that MAC frames carrying EAP messages are sent to a multicast address (the reserved PAE group address 01-80-C2-00-00-03, which IEEE 802.1D bridges are required to filter rather than forward), so if a switching hub sits below the EgER they do not reach the authenticator. A change to the IEEE 802.1X standard, such as assigning a specific MAC address for EAP messages, is required.

The operation of the sequence diagram of FIG. 12 is as follows. The supplicant on the IEEE 802.1X-capable node sends an EAP message frame to the authenticator of the eMLBR 12 using EAPOL (EAP over LAN), the LAN encapsulation of the Extensible Authentication Protocol (EAP) (step S411). On receiving the EAPOL frame, the eMLBR 12 sends an EAP request (TLS) to the node (step S412), EAP messages are exchanged between the node and the eMLBR 12 (step S413), and the eMLBR 12 relays them to the RADIUS server 23, which acts as the home authentication server (step S414). The RADIUS server returns the authentication result to the eMLBR 12 (step S415). The authenticator of the eMLBR 12 evaluates the result (step S416); if authentication failed, it notifies the node of EAP failure and ends processing (step S417).

If authentication succeeded, the eMLBR 12 notifies the node of EAP success (step S418), and the node and the eMLBR 12 generate and exchange a shared key with the MACsec Key Agreement (MKA) protocol defined in IEEE 802.1X, establishing a secure channel (step S419). From then on, communication between the node and the eMLBR 12 is encrypted with the shared-key cipher specified by that standard, and message authentication checks that the data was not altered in transit.

When the authenticated node broadcasts a DHCP request (step S420), the eMLBR 12 decides the communication service quality (QoS) level, sets a validity period (for example, 4 hours), and provisionally registers in MLB table A of the control unit 15, keyed by the identifier of the secure channel, the correspondence between the node's MAC address and the (private) IP address assigned to it, either fixed (the same as last time) or dynamically (step S421); it then definitively registers the entry in MLB table A of the transfer unit 14 (step S422). It then sends the node a DHCP response that assigns the IP address together with the information needed to join the network, such as the netmask and the IP address of the default gateway (DGW) (step S423).

Thereafter the node sends user MAC frames over the secure channel established with the eMLBR 12, that is, with the payload (user packet) encrypted under the shared key and encapsulated in a MAC frame (step S424). The eMLBR 12 decapsulates, decrypts and message-authenticates each encrypted user MAC frame, then looks up MLB table A of the transfer unit 14 with the secure channel identifier as key (step S425); if the pair of source IP address and source MAC address is not present, the frame/packet is discarded (step S426).

If the pair of source IP address and source MAC address is present in MLB table A, the eMLBR 12 applies the QoS decided in step S423, translates the source address to its own global IP address (NAT) if a private IP address was assigned in step S421, encrypts the user packet with the shared key of the secure channel already established between the eMLBR 12 and the iMLBR 11, encapsulates it in a MAC frame, and forwards it to the next-hop node, the iMLBR 11 (step S427). The iMLBR 11 (ISP edge router) receives the encrypted user MAC frame.

The control unit 15 and transfer unit 14 of the eMLBR 12 may also cooperate to confirm, from time to time, that the node is really present by renewing the encryption key between the node and the eMLBR 12 (step S432) and, depending on the result, update MLB table A, that is, extend the validity period of its entry (step S433).

The iMLBR 11 (ISP edge router) decapsulates, decrypts and message-authenticates the MAC frame forwarded in step S427, then looks up MLB table B of its transfer unit 14 with the identifier of the eMLBR 12-iMLBR 11 secure channel as key (step S428); if the pair of source IP address and source MAC address is not present, the packet is discarded (step S429). If the pair is present in MLB table B, the user MAC frame is forwarded to the next-hop node toward the destination IP address with the designated QoS (steps S430 and S431).
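The uplink checks of steps S420 to S433, and the identical checks one level up in Embodiment 3, modelled as an added Python example; this is not code from the patent or from its authors. The table layout, the field names, the 4-hour default validity, the RFC 1918 test for deciding when source NAT applies, and the assumption that the re-encapsulated frame toward the iMLBR carries the eMLBR's own MAC address are choices made here for illustration; all addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_VALIDITY_S = 4 * 3600  # "for example, 4 hours" in the text

# Assumption: source NAT applies exactly when the address handed out by DHCP
# is an RFC 1918 private address.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


@dataclass
class Binding:
    mac: str
    ip: str
    qos: str
    expires_at: float


@dataclass
class MLBTable:
    """Source-address bindings keyed by secure-channel (or port) identifier.
    One channel may accommodate several nodes, so each key holds a list."""
    entries: dict = field(default_factory=dict)

    def register(self, channel: str, mac: str, ip: str, qos: str, now: float,
                 validity: float = DEFAULT_VALIDITY_S) -> None:
        # Steps S421/S422: bind MAC/IP to the channel the node authenticated on.
        self.entries.setdefault(channel, []).append(
            Binding(mac.lower(), ip, qos, now + validity))

    def lookup(self, channel: str, mac: str, ip: str, now: float) -> Optional[Binding]:
        # Steps S425/S428: the pair must be bound to *this* channel and unexpired.
        for b in self.entries.get(channel, []):
            if b.mac == mac.lower() and b.ip == ip and b.expires_at > now:
                return b
        return None

    def extend(self, channel: str, now: float,
               validity: float = DEFAULT_VALIDITY_S) -> int:
        # Steps S432/S433: a successful presence check (key renewal) renews the
        # validity of the channel's live entries; entries that already expired
        # are dropped. Returns how many entries were renewed.
        live = [b for b in self.entries.get(channel, []) if b.expires_at > now]
        for b in live:
            b.expires_at = now + validity
        self.entries[channel] = live
        return len(live)


def emlbr_uplink(table_a: MLBTable, channel: str, frame: dict,
                 emlbr_mac: str, emlbr_global_ip: str, now: float):
    """Uplink handling at the eMLBR after MACsec decapsulation, decryption and
    message authentication of a frame received on `channel`. Returns
    ("drop", reason) or ("forward", packet), where packet is what gets
    encrypted and re-encapsulated onto the eMLBR-iMLBR secure channel."""
    b = table_a.lookup(channel, frame["src_mac"], frame["src_ip"], now)
    if b is None:
        return "drop", "source MAC/IP pair not bound to this channel"  # S426
    pkt = dict(frame, qos=b.qos)
    if is_private(frame["src_ip"]):
        pkt["src_ip"] = emlbr_global_ip   # NAT to the eMLBR's global address
    pkt["src_mac"] = emlbr_mac            # assumption: outer frame uses eMLBR MAC
    return "forward", pkt                 # S427


def imlbr_uplink(table_b: MLBTable, channel: str, pkt: dict, now: float):
    """Same check at the iMLBR (steps S428-S431) on the eMLBR-iMLBR channel."""
    b = table_b.lookup(channel, pkt["src_mac"], pkt["src_ip"], now)
    if b is None:
        return "drop", "source MAC/IP pair not bound to this channel"  # S429
    return "forward", dict(pkt, qos=b.qos)  # route toward dst_ip with this QoS


def demo():
    """Constructed sample run: one legitimate node and one spoofed frame."""
    now = 1_000.0
    table_a, table_b = MLBTable(), MLBTable()
    table_a.register("sc-node", "aa:bb:cc:00:00:01", "192.168.1.10", "gold", now)
    table_b.register("sc-emlbr", "00:11:22:33:44:55", "198.51.100.1", "gold", now)
    frame = {"src_mac": "AA:BB:CC:00:00:01", "src_ip": "192.168.1.10",
             "dst_ip": "203.0.113.5", "payload": b"user data"}
    ok = emlbr_uplink(table_a, "sc-node", frame,
                      "00:11:22:33:44:55", "198.51.100.1", now)
    spoof = emlbr_uplink(table_a, "sc-node", dict(frame, src_ip="192.168.1.99"),
                         "00:11:22:33:44:55", "198.51.100.1", now)
    relayed = imlbr_uplink(table_b, "sc-emlbr", ok[1], now) if ok[0] == "forward" else ok
    return ok, spoof, relayed


if __name__ == "__main__":
    for label, result in zip(("eMLBR", "eMLBR spoof", "iMLBR"), demo()):
        print(label, result)
```

The lookup is keyed by channel first: a node that learned another node's MAC/IP pair still fails the check unless it can also send on that node's MACsec channel, which is what ties the binding to the authenticated identity rather than to address values alone.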

Although this embodiment authenticates nodes or entities under IEEE 802.1X with a RADIUS server as the authentication server, other authentication servers or standards, such as LDAP, may be used.

Further, when a node or entity is authenticated or its presence is confirmed, the update state of the OS, the firewall configuration, the pattern file of the virus detection software, and the update state of widely used and frequently attacked packaged application programs and middleware such as the Java virtual machine may be examined and reflected in the authentication level, that is, in the communication service quality granted. Reporting this result to the user also encourages the user to keep the terminal in a more secure state.

(Embodiment 3)
This embodiment describes an example of mutual authentication between an IEEE 802.1X-capable eMLBR-R 12 (for ordinary households) and the iMLBR 11, and of the uplink packet forwarding sequence. The network configuration of this embodiment is shown in FIG. 13: the Internet 10 containing the iMLBR 11 and the HRS 23, the host 30, and the eMLBR-R 12.

The description covers MAC frames/packets sent from a node toward the external network (Internet 10). The EAP/RADIUS exchange including the authenticator's conversion and relaying between EAP and RADIUS messages, and the MACsec key generation/exchange and MAC frame encryption/decryption, are simplified or omitted, as are the functional units of the transfer unit 14 and control unit 15 involved in each step.

The operation of the sequence diagram of FIG. 14 is as follows. The supplicant of the IEEE 802.1X-capable eMLBR-R 12 connected to the network first sends an EAP message frame to the authenticator of the iMLBR 11 by EAPOL (step S511). On receiving it, the iMLBR 11 sends an EAP request (TLS) to the eMLBR-R 12 (step S512), EAP messages are exchanged between the eMLBR-R 12 and the iMLBR 11 (step S513), and the iMLBR 11 relays them to the RADIUS server 23 acting as home authentication server (step S514). The RADIUS server returns the authentication result to the iMLBR 11 (step S515). The authenticator of the iMLBR 11 evaluates the result (step S516); if authentication failed, it notifies the eMLBR-R 12 of EAP failure and ends processing (step S517).

If authentication succeeded, the iMLBR 11 notifies the eMLBR-R 12 of EAP success (step S518), and the eMLBR-R 12 and the iMLBR 11 generate and exchange a shared key with the MKA protocol, establishing a secure channel (step S519). From then on, communication between the eMLBR-R 12 and the iMLBR 11 is encrypted with the shared-key cipher, and message authentication checks that the data was not altered in transit.

When the authenticated eMLBR-R 12 broadcasts a DHCP request (step S520), the iMLBR 11 decides the communication service quality (QoS) level, sets a validity period (for example, 4 hours), and provisionally registers in MLB table A of the control unit 15, keyed by the secure channel identifier, the correspondence between the MAC address of the eMLBR-R 12 and the IP address assigned to it, fixed or dynamic (step S521); it then definitively registers the entry in MLB table A of the transfer unit (step S522). It then returns to the eMLBR-R 12 a DHCP response that assigns the IP address together with the information needed to join the network, such as the netmask and the IP address of the DGW (step S523).

Thereafter, an IEEE 802.1X-capable node (such as a personal computer) is authenticated by the method of Embodiment 2, establishes a secure channel with the eMLBR-R 12, and has its IP address, MAC address and QoS definitively registered, keyed by the secure channel identifier, in MLB table B of the transfer unit 14 of the eMLBR-R 12; only then does it send encrypted user MAC frames to the eMLBR-R 12 (step S524). The eMLBR-R 12 looks up MLB table B of its transfer unit 14 with the secure channel identifier as key and, if the pair of source IP address and source MAC address of the frame/packet is not present, discards the packet sent by the node (step S526). If the pair is present in MLB table B, the eMLBR-R 12 applies the preset QoS, translates the private source IP address to its global IP address, encrypts the user packet with the shared key of the secure channel between the eMLBR-R 12 and the iMLBR 11, encapsulates it in a MAC frame, and forwards it to the next-hop node, the iMLBR 11, with the designated QoS (step S527).

For the frame/packet forwarded in step S527, the iMLBR 11 looks up MLB table A of its transfer unit 14 with the identifier of the eMLBR-R 12-iMLBR 11 secure channel as key (step S528); if the source IP address and source MAC address are not present in MLB table A, the frame/packet is discarded (step S529). If they are present, the user MAC frame is forwarded to the next-hop node with the designated QoS (step S530). The control unit 15 and transfer unit 14 of the iMLBR 11 may also cooperate to confirm from time to time that the eMLBR-R 12 is really present by renewing the encryption key between the iMLBR 11 and the eMLBR-R 12 (step S532) and, depending on the result, update MLB table A, that is, extend the validity period of its entry (step S533).

(Embodiment 4)
In the embodiments above, the eMLBR 12 is authenticated by the RADIUS server via the iMLBR 11 in accordance with IEEE 802.1X. In the present embodiment, shown in FIG. 15, if the eMLBR 12 and the iMLBR 11 have each been certified in advance by a trusted certification authority (CA) and hold a digital certificate proving their authenticity, they may instead exchange these certificates directly and authenticate each other.

By applying the anti-spoofing measures of the embodiments described above, even when encrypted communication is carried out in IPsec transport mode or tunnel mode, the eMLBR 12 and the iMLBR 11 check every frame/packet for the presence of its source IP address and source MAC address pair in the MLB table keyed by port or channel, so address-spoofed packets can be prevented from flowing out to or into the Internet 10. As the networks (providers) applying this spread, cyber attacks premised on address spoofing, such as DDoS and DRDoS, and unauthorized intrusion into servers are expected to decrease drastically.

Even if some "connect anything" providers or networks, or anonymous networks, remain, an iMLBR 11 deployed at the point of connection with such a network can block packets whose addresses fall outside the network address space recorded in its MLB table (functioning as the uRPF described above) and, combined with discard requests, can block packets that carry an attacker's IP address paired with a victim's IP address, or that spoof addresses at random within that address space. Further limiting the communication service quality of the iMLBR 11 port accommodating such a network (narrowing the bandwidth; strengthening quarantine, such as discarding SYN flood attack packets detected by anomaly detection, virus-contaminated packets detected by virus detection software, encrypted packets, spam mail, and so on) should markedly raise the safety and security of the Internet 10 as a whole.

From a cracker's point of view, however, the eMLBR 12 and iMLBR 11 themselves become new attack targets. These packet transfer devices must therefore be built robustly so that they cannot be broken into. They need an integrity check function that detects tampering with programs, routing tables or the MLB table even if an intrusion does occur, and a self-defense function so that attacks on the software processing of the control unit 15, such as EAP flood or ARP flood attacks, are blocked by the transfer unit 14. They further need an upgrade function so that, when a new security hole is found in the eMLBR 12 or iMLBR 11 or a new type of cyber attack appears, corresponding functions can be added to the control unit 15 and the transfer unit 14.

The packet transfer device of this embodiment is not limited to IPv4 and may also handle IPv6. For users who already hold global IP addresses, the address space they have declared may be provisionally registered in the MLB table of the control unit 15 and, after IEEE 802.1X authentication, definitively registered in the MLB table of the transfer unit 14 on a per-IP-address basis.

Further, when the iMLBR 11 or eMLBR 12 accommodates a server 13, then in addition to the IP address assigned to the server 13 (by a separate DHCP server, by the device's own DHCP server, or from the user's own address space) and the MAC address of the server 13, a fixed process identification address (well-known port number) identifying the process running on the server 13 may also be bound, keyed by the identifier of the port or channel accommodating the server 13. Then, even if a malicious attacker opens a port for unauthorized access, leakage of information through that port can be prevented.

When ARP reflection is applied, the authentication level is low as noted above, so measures such as placing the terminal in a VLAN isolated from other end nodes and connecting it to the external network through a bandwidth-limited bridge, or, for a surveillance camera such as an ITV (Industrial TeleVision) whose destinations are limited, adding the destination IP address to the MLB table, can prevent illegitimate packets from leaking into the Internet 10.

Furthermore, the control unit 15 of the iMLBR 11 or eMLBR 12 may confirm the presence of a node or entity on the port or channel accommodating it as appropriate (not necessarily periodically) and maintain and update the communication service quality accordingly: using MACsec under IEEE 802.1X, confirming the physical connection, renewing the shared key, deleting the MLB table entry and stopping service if no presence confirmation response arrives within a set time, and, when a node moves to another port or channel, confirming its absence from the original port or channel before re-authenticating it and changing only the port or channel in the MLB table.

One port or channel may accommodate more than one node or entity. In that case, several pairs of source IP address and source MAC address are registered in the MLB table under the identifier of that port or channel.

One or more eMLBRs 12 may also be deployed in several stages toward the Internet 10 in the user-side network, and an eMLBR 12 may be connected (multi-homed) to several iMLBRs 11 deployed at the edge of the Internet 10.

(Embodiment 5)
The introduction of the embodiments above is expected to drastically reduce the inflow of address-spoofed packets, and hence cyber attacks, into the Internet 10. Attacks that do not involve address spoofing cannot be prevented, however: for example, in a SYN flood attack that changes the source IP address at random, attack packets carrying the true source IP address flow out to or into the Internet 10 with a certain probability, and a virus-infected personal computer or a remotely controlled digital TV may be made to take part in an attack without spoofing its address and without its user's knowledge. Moreover, the masterminds of DDoS and similar attacks commonly hide their source IP address by sending commands to their bots via a so-called C&C (Command and Control) server over an anonymous network (for example, Tor: The Onion Router); since packets from such hidden IP addresses (hereinafter anonymous IP addresses) are not address-spoofed packets, their outflow to or inflow into the Internet 10 cannot be prevented any more than that of other non-spoofed packets. In the case of the Tor network, however, the addresses of the Tor nodes (anonymous IP addresses), said to number several thousand, are published on the Internet and can be blacklisted.

As a countermeasure to this problem, this embodiment describes an operation example in which the iMLBR 11 or eMLBR 12 generates and updates a discard table in response to requests from other nodes and discards packets that match it.

Specifically, as shown in FIG. 16, a ReN 40 (Request Node), functioning as a countermeasure request node or countermeasure request entity, runs an unauthorized access monitoring system/intrusion detection system (IDS), an intrusion prevention system (IPS), or an anonymous network or anonymous IP address detection system; it monitors traffic at key points of the Internet 10, in data centers and organizational networks providing services, in a DMZ (DeMilitarized Zone), or within a server, and, when it detects a clear attack, congestion presumably caused by an attack, or an anonymous IP address, sends the packets presumed to be attack packets to a DeN 42 (Deliver Node) and requests countermeasures. The DeN 42 is the node of an organization that collects, analyzes and aggregates the attack packets sent from ReNs 40 and issues discard request information when it judges them to constitute an attack. The ShN 43 (Share Node) delivers the discard request information issued by the DeN 42 to the iMLBR 11 or eMLBR 12 relaying the packets to be discarded or, for a large-scale attack, to the whole Internet 10. FIG. 16 draws the DeN 42 and ShN 43 inside the Internet, but as with the HRS 23 above this only expresses that a trustworthy organization such as an ISP keeps them under strict control so that discard request information and programs cannot be tampered with by an intruder; they may equally be placed outside the Internet behind an iMLBR 11 or eMLBR 12.

The discard request information issued by the DeN 42 describes some or all of the pairs of source MAC address/source IP address/port number and destination MAC address/destination IP address/port number of the packets to be discarded (attack, anonymous IP address, information leakage, and so on), together with a validity period, accompanied by the digital certificate or digital signature of the DeN 42. On receiving it, the ShN 43 determines (resolves) the IP addresses of the iMLBR 11 or eMLBR 12 to which the discard request should go, for example by applying the traceroute command to obtain the route to the attack source IP address and to the victim node IP address given in the discard request information, and delivers the discard request information to those devices. Concretely, the route is obtained by sending ICMP echo request packets with the TTL incremented by one each time. When an MLBR receives an ICMP echo request with TTL 1, it may write its attribute information into an option field of the ICMP time exceeded packet it returns to the originator of the route survey (the ShN 43), for example its type (iMLBR deployed as an edge router, iMLBR deployed at the border with a provider that has not yet introduced MLBRs, eMLBR-R for households, eMLBR-W for wireless LAN, eMLBR-C for data centers) and the attributes of the nodes or networks it accommodates, so that the IP addresses and attributes of the iMLBRs 11 and eMLBRs 12 on the forwarding path are obtained. The discard request information may then be sent to those iMLBRs 11 or eMLBRs 12 using a transfer protocol such as HTTP or SMTP. The same is done for the iMLBR 11 or eMLBR 12 accommodating the victim node. Using ICMP packets and a transfer protocol such as HTTP or SMTP is intended to let these messages pass through any firewall on the path without being blocked (a firewall that filters ICMP time exceeded messages would still interrupt the route survey).

On receiving the discard request information, the control unit 15 of the iMLBR 11 or eMLBR 12 verifies its authenticity from the attached digital certificate, then generates or updates the discard table from it and passes the table to the transfer unit 14. From then on, for each received frame/packet, the transfer unit 14 first checks the MLB table to confirm that it is not an address-spoofed packet, then checks whether it matches a source IP address/port number and destination IP address/port number pair in the discard table, or an anonymous IP address registered as a blacklist, and discards it if so (the discard table may also be consulted before the MLB table). Otherwise it proceeds to routing.
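The discard-request processing of this embodiment, modelled as an added Python example that is not code from the patent or its authors. The request format (a missing field, None, meaning "any", which covers both the "some or all of the pairs" wording above and the pure source-address blacklist of Tor nodes), the canonical JSON encoding, and the use of HMAC-SHA256 under a key shared with the DeN 42 as a stand-in for the DeN's digital signature are assumptions made for illustration; a real deployment would verify a certificate-backed signature instead. All addresses and ports are constructed sample data.

```python
import hashlib
import hmac
import json

# Fields a discard request may constrain; None means "any". Names are assumed.
FIELDS = ("src_mac", "src_ip", "src_port", "dst_mac", "dst_ip", "dst_port")


def _canonical(rule: dict) -> bytes:
    # Deterministic encoding so that signer and verifier hash the same bytes.
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()


def sign_rule(rule: dict, den_key: bytes) -> str:
    """Stand-in for the DeN 42's digital signature over one discard rule."""
    return hmac.new(den_key, _canonical(rule), hashlib.sha256).hexdigest()


def verify_rule(rule: dict, signature: str, den_key: bytes) -> bool:
    return hmac.compare_digest(sign_rule(rule, den_key), signature)


def make_rule(expires_at: float, **constraints) -> dict:
    """Build a rule with every unspecified field set to None (wildcard)."""
    rule = {**dict.fromkeys(FIELDS), "expires_at": expires_at}
    rule.update(constraints)
    return rule


class DiscardTable:
    """Discard table held by the transfer unit 14 of an iMLBR 11 / eMLBR 12."""

    def __init__(self, den_key: bytes):
        self.den_key = den_key
        self.rules = []

    def apply_request(self, rule: dict, signature: str, now: float) -> bool:
        """Control unit 15 side: install a rule only if its signature verifies
        and it has not already expired. Stale rules are purged on each update."""
        if not verify_rule(rule, signature, self.den_key):
            return False
        if rule["expires_at"] <= now:
            return False
        self.rules = [r for r in self.rules if r["expires_at"] > now]
        self.rules.append(rule)
        return True

    def match(self, pkt: dict, now: float):
        """Return the first unexpired rule whose constrained fields all equal
        the packet's, or None."""
        for r in self.rules:
            if r["expires_at"] <= now:
                continue
            if all(r[f] is None or r[f] == pkt.get(f) for f in FIELDS):
                return r
        return None


def forward_decision(pkt: dict, mlb_pair_bound: bool,
                     table: DiscardTable, now: float) -> str:
    """Transfer unit 14 pipeline: MLB table first, then discard table, then
    routing. `mlb_pair_bound` is the outcome of the MLB table lookup from the
    earlier embodiments (source MAC/IP pair present on this port/channel)."""
    if not mlb_pair_bound:
        return "drop:spoofed"
    if table.match(pkt, now) is not None:
        return "drop:discard-table"
    return "route"


if __name__ == "__main__":
    key = b"constructed-den-key"   # assumption: key shared with the DeN 42
    table = DiscardTable(key)
    rule = make_rule(5600.0, src_ip="203.0.113.77", dst_ip="198.51.100.10", dst_port=80)
    print("installed:", table.apply_request(rule, sign_rule(rule, key), 5000.0))
    pkt = {"src_ip": "203.0.113.77", "dst_ip": "198.51.100.10", "dst_port": 80}
    print(forward_decision(pkt, True, table, 5000.0))
```

A victim-side rule of the kind described later (victim IP and L4 port paired with a C&C destination) is just `make_rule(exp, src_ip=victim, src_port=p, dst_ip=cnc)`; nothing else in the pipeline changes. Because a forged or tampered request is rejected before it reaches the table, the discard mechanism cannot itself be turned into a denial-of-service tool by an attacker who can only reach the MLBR, not the DeN's key.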

In this embodiment, the ReN 41 may be a personal computer, tablet, smartphone, digital TV or the like that implements functions equivalent to an IDS or IPS, or virus detection software. If the ReN 40 has attack packet analysis and delivery functions equivalent to those of the DeN 42 and ShN 43 and can identify the attacker's IP address, it may itself send the traceroute-style ICMP echo request packets described above to learn the IP addresses and attributes of the iMLBRs 11 and eMLBRs 12 on the forwarding path from the ReN 41 to the attacker and, from the order in which the ICMP time exceeded packets return, their relative positions (whether an MLBR accommodates the victim node or the attacker node), and then deliver the discard request information to those iMLBRs 11 or eMLBRs 12 using a transfer protocol such as HTTP or SMTP. When the attack source is limited in scope, the DeN 42 may take over the role of the ShN 43 and deliver the discard request information directly to the relevant iMLBR 11 or eMLBR 12 in the same way. The iMLBR 11 and eMLBR 12 may also implement the functions of the ReN 40 and act as a ReN 40.
In addition, although in the embodiment above the iMLBR 11 and eMLBR 12 update the discard table on a discard request from the DeN 42 or ShN 43, they may instead fetch discard request information from the DeN 42 or ShN 43 when notified by them, or access the DeN 42 or ShN 43 periodically and retrieve any new discard request information that concerns them.

According to the present embodiment, by registering (as a blacklist) in the discard table of the iMLBR 11 or eMLBR 12 that accommodates the node in question the addresses used in attacks that do not involve address spoofing and the IP addresses of the end nodes (Tor nodes) of the anonymous network described above, attack packets that have arrived via a "connect anything" network or via an anonymous network can be discarded, and their inflow to and outflow from the Internet 10 can be blocked. Furthermore, by registering pairs such as the victim node's IP address and L4 port number together with the destination IP address in the discard table of the iMLBR 11 or eMLBR 12 that accommodates the victim node, the subsequent outflow of information leakage packets and access to the C&C server can be blocked.

(Embodiment 6)
In the present embodiment, countermeasures against cyber attacks by the multi-layer binding router (MLBR) are described below. First, the present embodiment targets cracking-intent packets for its countermeasures. Cracking-intent packets are IP address spoofing packets (including impersonation packets), anonymous IP address packets, and attack packets with a non-spoofed IP address.

The functions of the MLBR according to the present embodiment are shown in (1) to (6) below.
(1) When a connection request arrives from a node or entity, its authenticity and soundness are authenticated and quarantined, and the QoS to be provided is determined according to the authentication/quarantine level.
(2) Using the physical port or (secure) channel as a key, the correspondence between the IP address and the MAC address of the node or entity is registered in the MLB table.
(3) The MLB table is searched using the physical port or channel on which the packet was received as a key; when the pair of the packet's source IP address and MAC address exists there, the packet is forwarded to the next hop node with the specified QoS, and when it does not exist the packet is regarded as an address-spoofed or impersonation packet and discarded.
(4) The existence and soundness of the node or entity are confirmed as appropriate via the physical port or channel, and the MLB table is updated (its validity period is extended).
(5) Upon a legitimate discard request from another node, the discard table is updated, and thereafter anonymous address packets and non-spoofed-address attack packets that match the discard table are discarded.
(6) The eMLBR 12 deployed on the user side (egress) and the iMLBR 11 deployed on the Internet side (ingress) prevent cracking-intent packets from flowing out to or into the Internet.
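The binding lookup of functions (2) to (5) and the discard-table check performed by the transfer unit 14 after the MLB-table check, as an added Python example that is not code from the patent. The wildcard port matching, the QoS labels, the addresses and the timestamps are constructed assumptions, and verification of the digital certificate on a discard request is assumed to happen before apply_discard_request() is called.

```python
"""Forwarding decision of an MLBR transfer unit (added illustration, not the
patent's code).  The MLB table is keyed by the receiving physical port or
(secure) channel and holds (MAC, IP) pairs with the QoS chosen at
authentication/quarantine and a validity period; the discard table holds flow
pairs plus an anonymous-address blacklist."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port); None in a port slot is a wildcard (assumption)
FlowKey = Tuple[str, Optional[int], str, Optional[int]]


@dataclass
class MLBEntry:
    qos: str            # QoS label decided by function (1); "normal"/"limited" are constructed
    expires_at: float   # absolute time; extended by refresh() (function (4))


@dataclass
class Packet:
    in_port: str        # physical port or channel on which the frame arrived
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


class MLBR:
    def __init__(self) -> None:
        self.mlb: Dict[str, Dict[Tuple[str, str], MLBEntry]] = {}
        self.discard_flows: Set[FlowKey] = set()
        self.blacklist: Set[str] = set()   # anonymous-network (e.g. Tor) end-node addresses

    # Function (2): bind (MAC, IP) to the port/channel once function (1) has
    # authenticated/quarantined the node and chosen its QoS.
    def register(self, port: str, mac: str, ip: str, qos: str,
                 now: float, lifetime: float) -> None:
        self.mlb.setdefault(port, {})[(mac.lower(), ip)] = MLBEntry(qos, now + lifetime)

    # Function (4): existence/soundness check passed, so extend the validity period.
    def refresh(self, port: str, mac: str, ip: str, now: float, lifetime: float) -> bool:
        entry = self.mlb.get(port, {}).get((mac.lower(), ip))
        if entry is None:
            return False
        entry.expires_at = now + lifetime
        return True

    # Function (5): only a discard request whose certificate verified is applied.
    def apply_discard_request(self, flows: Set[FlowKey], blacklist: Set[str],
                              cert_ok: bool) -> bool:
        if not cert_ok:
            return False
        self.discard_flows |= flows
        self.blacklist |= blacklist
        return True

    def _in_discard_table(self, pkt: Packet) -> bool:
        if pkt.src_ip in self.blacklist or pkt.dst_ip in self.blacklist:
            return True
        for sip, sport, dip, dport in self.discard_flows:
            if (sip == pkt.src_ip and dip == pkt.dst_ip
                    and sport in (None, pkt.src_port)
                    and dport in (None, pkt.dst_port)):
                return True
        return False

    # Function (3), then the discard-table check; returns (action, qos_or_reason).
    def decide(self, pkt: Packet, now: float) -> Tuple[str, str]:
        entry = self.mlb.get(pkt.in_port, {}).get((pkt.src_mac.lower(), pkt.src_ip))
        if entry is None or entry.expires_at <= now:
            return ("drop", "address spoofing or impersonation")
        if self._in_discard_table(pkt):
            return ("drop", "discard table")
        return ("forward", entry.qos)


if __name__ == "__main__":
    r = MLBR()
    r.register("port1", "AA:BB:CC:00:00:01", "192.0.2.10", "normal", now=100.0, lifetime=60.0)
    print(r.decide(Packet("port1", "aa:bb:cc:00:00:01", "192.0.2.10", "198.51.100.5"), 110.0))
    print(r.decide(Packet("port2", "aa:bb:cc:00:00:01", "192.0.2.10", "198.51.100.5"), 110.0))
```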

Specific nodes that are the targets of the cyber attack countermeasures of the MLBR according to the present embodiment are listed below.
・A host and a router may be referred to collectively as a node. In this case a network, being a set of nodes, is also a node.
・IEEE 802.1X compatible terminals (PCs, smartphones, etc.). Here, authentication and quarantine are effective for deterring cracking acts and ensuring the soundness of the terminal. However, such a terminal is hard to identify when it commits wrongdoing via an anonymous network, and if it is infected with a bot it takes part in DDoS attacks. It may also be remotely controlled or impersonated and (apparently) take part in wrongdoing without spoofing its address.
・Terminals that do not support IEEE 802.1X (smart home appliances such as televisions, and IoT devices). These receive no OS updates and have no FW, and may become a breeding ground for cyber attacks.
・Home routers. They may be remotely controlled and made to take part in attacks.
・ISPs with a "connect anything" policy. It is unlikely that all ISPs will introduce countermeasures.
・Anonymous networks such as Tor. In this case the address is anonymous, not spoofed.
・Impersonation terminals.

Here, FIG. 21 shows an example of the sequence of operations between the above-described IEEE 802.1X compatible terminal and the eMLBR 12. The sequence of FIG. 21 according to the present embodiment differs from the sequence of FIG. 12 in Embodiment 2 in that two servers are provided. Specifically, the quarantine server 31 and the RADIUS server 23 may be provided separately. It also differs from the sequence of FIG. 12 in Embodiment 2 in that, in step S514, when the eMLBR 12 relays the request to the RADIUS server 23 or the quarantine server 31 acting as the home authentication server, a statement of health is exchanged as well. Further, owing to this difference in configuration, in FIG. 21, unlike FIG. 14, each server can send its own authentication result or quarantine result to the eMLBR 12 in step S515.

The countermeasures against cyber attacks according to the present embodiment are explained below using specific cases. The first case concerns countermeasures against targeted email attacks. In a targeted email attack, the terminal of an employee who carelessly opens a forged email is turned into a stepping stone by a connect-back; the attacker then sends commands through a C&C server, drawing in further terminals, plants a backdoor on the core server, and steals confidential information.

For the targeted email attack of the first case, the present embodiment describes four response examples. First, many attackers use anonymous addresses when sending commands to the C&C server, and the present countermeasure makes the use of anonymous networks impossible. Second, the core server registers itself in the MLB table including its own port numbers, which prevents information leakage through a backdoor.

Third, as soon as an attack or a sign of an attack is detected within the organization's network by an IDS or the like, a discard request describing the IP address of the C&C server and the organization's own IP address is sent to the organization's eMLBR 12 and to the eMLBR 12 and iMLBR 11 that accommodate the C&C server, after which the exchange of command packets with the C&C server is blocked. Fourth, a discard request describing the destination IP address of the leaked information is sent to the organization's own eMLBR 12 and iMLBR 11 to block any further information leakage.

Next, the second case concerns countermeasures against wireless sensor network attacks. In a wireless sensor network attack, the IoT devices forming an ad hoc sensor network are infected with malware one after another, or malware is embedded during the IoT manufacturing process; the attacker then sends various commands to the IoT devices through a C&C server, causing them to tamper with data, steal information, or drive equipment and social infrastructure out of control, leaving the system uncontrollable.

For the wireless sensor network attack of the second case, the present embodiment describes three response examples. First, the use of anonymous addresses is made impossible. Second, if the Internet destination IP addresses are restricted as part of the QoS of the eMLBR 12 that accommodates the sensor network, the IoT devices can be prevented from accessing a C&C server or the like. Third, if the bandwidth is limited as part of the QoS, the IoT devices cannot be used for bandwidth attacks and the like.

Next, the third case concerns countermeasures against DNS cache poisoning. DNS cache poisoning is an attack that causes the caching DNS server of an ISP, company, university, or the like to cache false DNS information. Once false DNS information is cached, it becomes possible, for example, to redirect the clients that refer to that caching DNS server (ISP customers, company employees, university students, and so on) to a fake site.

A response example for the DNS cache poisoning of the third case is described below. At ISPs, companies, universities, and the like where an ACL (Access Control List) has not been applied properly, the caching DNS server returns answers to queries from outside parties that are not really its clients. Such a caching DNS server is called an open resolver. Because an open resolver accepts arbitrary queries from outside, it is in a state where poison is easy to inject. Even a legitimate client can issue arbitrary queries when it has been infected with a virus and turned into a bot.

Therefore, a caching DNS server without appropriate countermeasure settings is exposed to a cache poisoning attack as soon as even one of the clients using it is malicious or remotely controlled, and if the attack succeeds it may affect every client that uses that caching DNS server.

Specific cache poisoning techniques include, for example, the Kaminsky method, delegation injection attacks, and transfer injection attacks. The countermeasures currently taken are to set an appropriate ACL on the caching DNS server so that it is no longer an open resolver, and to introduce an implementation or configuration that randomizes the source port number used for outbound queries rather than keeping it fixed (or incrementing it).

In recent years, moreover, cases have been seen in which, even though the caching DNS server itself randomizes its ports, a NAT device or firewall on the path out to the Internet maps the port number to a fixed or incrementing value, so the intermediate devices on the relay path also need attention. Some recent ISPs have adopted LSN (Large Scale NAT) to cope with IP address exhaustion, and among those implementations there are reportedly some in which port mapping is not properly randomized. Thus the countermeasures currently in use are not confined to the caching DNS server; the reality is that they must be carefully configured and operated by network administrators with a high level of expertise across the entire network of the ISP, company, or university.

By contrast, under the MLBR countermeasure: in DNS cache poisoning the attacker is expected either to spoof the IP address of the authoritative DNS server and inject poison into the caching DNS server directly, or to remotely control a well-meaning user's PC or the like and inject poison from there while spoofing the authoritative DNS server's IP address; in either case the attacker anonymizes the source IP address using the Tor network or the like. The MLBR blocks anonymous address packets from flowing into or out of the Internet, and IP address spoofing packets are discarded inside the MLBR, so DNS cache poisoning can be prevented without any need for sophisticated configuration.

Next, the fourth case concerns countermeasures against DNS reflection attacks (DNS Amp). In DNS, a response is generally larger than the corresponding query. A DNS reflection attack abuses this: by sending a large number of queries with the source address forged to the target's address, a large volume of responses is directed at the target's address.

A response example for the DNS reflection attack of the fourth case is described below.
Since it answers queries from anyone, the open resolver mentioned earlier is frequently used as a stepping stone. There are also many cases in which CPE (Customer Premises Equipment), typified by home broadband routers, is used as a stepping stone.

This is because many CPE implementations in circulation act as an open resolver or open forwarder (forwarding queries from anywhere to the DNS server configured on the device), and when an attacker abuses them, even larger traffic can be generated, including the return traffic.

One countermeasure that domestic ISPs and CATV operators are now beginning to work on is IP53B (Inbound Port 53 Blocking), which blocks traffic from the ISP toward port 53 of the customer. This suppresses traffic to open resolvers and open forwarders, but it is being introduced cautiously in view of its side effects (it amounts to a denial of service when a customer runs their own DNS server). By contrast, under the MLBR countermeasure, a DNS reflection attack (DNS Amp) relies on address-spoofed packets, so it too can be blocked by the MLBR without any need for advanced expertise.

The first related technique (see, for example, Patent Document 2) applies an address spoofing countermeasure in a data center by means of a computer system, a controller, and a network monitoring method. Specifically, it improves security against unauthorized access and disruption that exploit spoofed addresses. The computer system of the first related technique comprises a controller, a switch that performs, for a received packet matching a flow entry set by the controller, the relay operation specified in that flow entry, and a controller connected to the switch.

The switch notifies the controller (Packet-In) of the source address information of a received packet that matches none of the flow entries set on it. If the address information of the legitimate host terminal does not match that source address information, the controller determines that the source address of the received packet is spoofed and sets a discard flow entry on the switch. Compared with the invention of the present embodiment, therefore, the first related technique incurs a Packet-In, which carries a heavy processing load, every time a new address-spoofed packet is received. That is, under a large-volume address spoofing packet attack, the switch of that technique falls into an overload state and becomes inoperable.

The second related technique stores IP addresses and MAC addresses in a table in association with each other and discards a packet sent from a terminal when its IP address and MAC address are not in the table. Specifically, before communicating, a terminal always broadcasts an ARP request packet to resolve the address of the first-hop router, and this ARP request packet carries the sender's MAC address and IP address. Consequently, a malicious party, even one attached to a different physical port, can capture the ARP request packet with Wireshark or the like, read off the IP address and MAC address pair, and impersonate another person's PC.

In the invention of the present embodiment, by contrast, the IP address and MAC address pairs are managed in the MLB table keyed by physical port or (secure) channel, so even if someone eavesdrops on an ARP request packet from another port or channel and impersonates the sender, packets from the impersonating terminal can be discarded. Note that, while it used to be practically impossible to rewrite the MAC address assigned by the NIC manufacturer, the advent of SDN technologies such as OpenFlow has made it freely rewritable. Compared with the invention of the present embodiment, therefore, the second related technique has a security problem in that it lacks the function of managing entries keyed by physical port or (secure) channel.

The third related technique (see, for example, Patent Documents 3 and 4) stores the MAC address together with the IP address so that, against a user who configures a terminal with an IP address other than the one assigned by the ISP, or who deliberately alters it to the same IP address as another terminal, packets from a terminal not configured with its pre-assigned IP address are discarded within the bridge even if received. Specifically, it has a table that manages MAC addresses in association with IP addresses. However, this table is a by-product generated when the MAC bridge sends an ARP request packet to the terminal that was assigned the IP address and obtains the MAC address described in the returned ARP reply packet; in the subsequent filtering, only the source MAC address is referenced.

Consequently, if a terminal is infected with malware and sends IP address spoofing packets, for example, the third related technique cannot stop them; being a MAC bridge (a layer 2 packet transfer device) that essentially references only the MAC address, it suffers from this problem. The invention of the present embodiment, in contrast, checks whether the pair of MAC address and IP address exists in the MLB table keyed by physical port or (secure) channel, so what is referenced in filtering is different. As a result, even when the owner of the terminal is not spoofing any IP or MAC address, and the terminal, having been infected with malware and conscripted into a DDoS attack or the like, sends IP address spoofing packets, their outflow to and inflow from the Internet can be blocked.

Here, the adaptation of ARP reflection to IPv6 in the packet transfer system according to the present embodiment is described concretely. IPv6 uses NDP (Neighbor Discovery Protocol) instead of the ARP (Address Resolution Protocol) used for IPv4. NDP provides functions such as determining the MAC addresses of neighboring nodes on the link, detecting address changes and withdrawals, checking reachability to neighboring nodes, and discovering routers on the link and setting them as packet forwarding destinations, and the packets used for each of these have different names. Since NDP has no broadcast transmission, multicast transmission is used instead. FIG. 22 shows the comparison between the IPv4 version of ARP reflection in the packet transfer system of the present embodiment and its adaptation to IPv6.

The terms for the functions used in the IPv6 adaptation are listed below.
・RS packet (Router Solicitation packet): the packet a node uses to resolve the address of the first-hop router.
・RA packet (Router Advertisement packet): the packet a router returns in response to an RS packet.
・NS packet (Neighbor Solicitation packet): the packet that resolves the MAC address of a specific node; almost the same as an IPv4 ARP packet.
・NA packet (Neighbor Advertisement packet): the response packet to an NS packet.

As noted above, it is practically impossible to deploy the MLBR of the present invention across the entire Internet and on every user side. As a countermeasure for this, for a packet sent by a node or entity that has undergone the prescribed authentication and quarantine via the eMLBR 12 and been permitted to connect, and that was not discarded by the eMLBR 12, the transfer unit 14 or control unit 15, for example, may indicate its authenticity by writing "1" as an authentication flag into, for IPv4, the undefined bits of the Type of Service field of the IP header (the last 2 bits) and, for IPv6, the prescribed bits of the Traffic Class field (the last 2 bits). Further, for packets sent by an unauthenticated node or entity, that is, packets that have not passed through an eMLBR 12, the iMLBR 11 installed at the border with the network that relayed those packets may reset the authentication flag in those prescribed bits to "0".
In this way, for packets arriving from the network of a provider that has not yet installed an MLBR, or packets that attempted to enter the Internet by bypassing an eMLBR 12, the iMLBR 11 that receives them, or the iMLBR 11 or eMLBR 12 that accommodates the packet's destination node, can confirm whether the packet was sent by an authenticated node or entity; packets whose authentication flag is "0" can then be delivered to a quarantine site and examined in detail for cracking intent, or their handling (discarding, detailed quarantine inspection, and so on) can be left to the recipient. Note that an authentication flag of "1" only indicates that the packet was sent by an authenticated node or entity; it does not mean that the packet is free of malware, that is, that its safety is guaranteed.
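The flag marking at the eMLBR 12, the reset at a border iMLBR 11 and the receiver-side classification described above, as an added Python example that is not code from the patent. It assumes the two bits form a 2-bit field written with the value 1, constructs its own headers, and recomputes the IPv4 header checksum because the Type of Service byte is covered by it; note that RFC 3168 assigns the low two IPv4 ToS bits to ECN, so a deployment would have to reconcile the two uses.

```python
"""Authentication flag in the IPv4 ToS / IPv6 Traffic Class low 2 bits
(added illustration, not the patent's code)."""
import ipaddress
import struct

IPV4_FLAG_MASK = 0x03  # low 2 bits of byte 1 (Type of Service)
IPV6_FLAG_MASK = 0x30  # low 2 bits of Traffic Class sit in bits 5..4 of byte 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header.  Over a header whose
    stored checksum is included, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_ipv4_checksum(header: bytearray) -> bytes:
    header[10:12] = b"\x00\x00"
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header)


def ip_version(header: bytes) -> int:
    return header[0] >> 4


def get_auth_flag(header: bytes) -> int:
    v = ip_version(header)
    if v == 4:
        return header[1] & IPV4_FLAG_MASK
    if v == 6:
        return (header[1] & IPV6_FLAG_MASK) >> 4
    raise ValueError("not an IPv4/IPv6 header")


def set_auth_flag(header: bytes, value: int) -> bytes:
    """Write value (0 or 1) into the flag field, leaving DSCP/other bits intact."""
    if value not in (0, 1):
        raise ValueError("flag must be 0 or 1")
    h = bytearray(header)
    v = ip_version(header)
    if v == 4:
        h[1] = (h[1] & ~IPV4_FLAG_MASK & 0xFF) | value
        return _with_ipv4_checksum(h)        # ToS changed, so the checksum must follow
    if v == 6:
        h[1] = (h[1] & ~IPV6_FLAG_MASK & 0xFF) | (value << 4)
        return bytes(h)                      # IPv6 has no header checksum
    raise ValueError("not an IPv4/IPv6 header")


def emlbr_mark(header: bytes) -> bytes:
    """eMLBR 12: sender passed authentication/quarantine and the packet was not discarded."""
    return set_auth_flag(header, 1)


def imlbr_border_reset(header: bytes) -> bytes:
    """iMLBR 11 at the border with a network lacking an MLBR: clear any mark."""
    return set_auth_flag(header, 0)


def classify_at_receiver(header: bytes) -> str:
    """Receiving iMLBR/eMLBR: flag 1 means only 'from an authenticated node';
    flag 0 is sent on for detailed quarantine inspection."""
    return "authenticated" if get_auth_flag(header) == 1 else "quarantine"


def build_ipv4_header(src: str, dst: str, tos: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header: no options, protocol TCP, no payload."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0x4000, 64, 6, 0,
                              ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed))
    return _with_ipv4_checksum(h)


def build_ipv6_header(src: str, dst: str, tclass: int = 0) -> bytes:
    """Constructed 40-byte IPv6 header: flow label 0, next header TCP, hop limit 64."""
    first_word = (6 << 28) | (tclass << 20)
    return struct.pack("!IHBB16s16s", first_word, 0, 6, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)
```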

The present invention can be applied to the information and communication industry.

10: Internet
11: iMLBR
12: eMLBR
13: Server
14: Transfer unit (Open Flow Switch)
15: Control unit (Open Flow Controller)
20: Mobile Network
21: Untrusted Internet
22: HLR
23: HRS
24: Smartphone
25: Mobile phone
26: PC
27: Tablet PC
28: Telephone
29: Digital TV
30: Host
31: Quarantine server
40: ReN (Request Node)
41: Host/ReN
42: DeN (Deliver Node)
43: ShN (Share Node)

Claims (11)

A packet transfer device comprising:
a plurality of ports or a plurality of channels that accommodate at least one node or at least one entity which encapsulates packets into frames for transmission to and reception from one another;
a multi-layer binding table that stores the correspondence between identification information of the port or the channel, the source physical address of the frame transmitted by the node or the entity, and the source logical address of the packet extracted by decapsulating the frame; and
a transfer unit that searches the multi-layer binding table using the port or the channel on which the frame was received as a key and, when the pair of the source physical address and the source logical address of the frame exists in the multi-layer binding table, encapsulates the packet extracted from the frame into a frame and forwards it to the next hop node toward the destination logical address of the packet, and, when the pair does not exist in the multi-layer binding table, discards the packet.
A packet transfer device comprising:
a plurality of ports or a plurality of channels that accommodate at least one node or at least one entity which encapsulates packets into frames for transmission to and reception from one another;
a multi-layer binding table that stores the correspondence between identification information of the port or the channel, the source physical address of the frame transmitted by the node or the entity, and the source logical address of the packet extracted by decapsulating the frame; and
a transfer unit that searches the multi-layer binding table using the port or the channel on which the frame was received as a key and, when the pair of the source physical address and the source logical address of the frame exists in the multi-layer binding table, forwards the packet extracted from the frame to a router that forwards it toward the destination logical address of the packet, and, when the pair does not exist in the multi-layer binding table, discards the packet.
3. The packet transfer device according to claim 1, further comprising a control unit which:
for an authentication request packet or frame sent, together with the identification information of the port or channel that received it, from the transfer unit of another packet transfer device connected in advance, mediates an authentication request to an authentication server, obtains the authentication result produced by the authentication server, and makes the communication service quality determined on the basis of that result an item stored in the multi-layer binding table;
confirms, via the port or channel, that the node or entity which originated the authentication request actually exists, and updates the multi-layer binding table accordingly; and
conveys the multi-layer binding table to the transfer unit of the other packet transfer device,
wherein the transfer unit updates its multi-layer binding table with the table conveyed by the control unit.
4. The packet transfer device according to any one of claims 1 to 3, wherein
the control unit accepts a discard request from any node or entity connected to the port or channel, or periodically accesses a predetermined node or entity and obtains a discard request from it, and updates the discard table of the transfer unit in accordance with that request, and
the transfer unit discards any frame or packet that matches the discard table.
5. The packet transfer device according to any one of claims 1 to 4, wherein the transfer unit and the control unit, in cooperation,
respond to an address resolution request frame addressed to the device itself, broadcast by the node or entity, by broadcasting an address resolution request frame back to the node or entity from the same port or channel, and
verify and authenticate the authenticity of the node's or entity's physical address and logical address by collating the pair of source physical address and source logical address in the address resolution response frame returned via that port or channel against the pair of source physical address and source logical address in the address resolution request frame that was addressed to the device itself.
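As an added illustration of the address-resolution check in claim 5 (example code written for this page, not code from the patent or from Tokyo Denki University), the Python below assumes the address resolution protocol is ARP over Ethernet and IPv4, which the claim does not fix, and stands in for "the hosts behind one port" with an in-memory list rather than a real interface. All MAC and IP addresses are constructed. The device receives an ARP request for its own address, sends its own ARP request for the requester's claimed IP out of the same port, and accepts the (MAC, IP) pair only if every reply carries exactly that pair.

```python
from __future__ import annotations

import struct
from ipaddress import ip_address

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
DEVICE_MAC, DEVICE_IP = "02:00:00:00:00:fe", "192.0.2.1"   # constructed


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + RFC 826 ARP for IPv4 (hardware type 1, protocol 0x0800)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + ip_address(sender_ip).packed
           + _mac(target_mac) + ip_address(target_ip).packed)
    return _mac(eth_dst) + _mac(sender_mac) + b"\x08\x06" + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame
    is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, frame[22:28].hex(":"), str(ip_address(frame[28:32])),
            str(ip_address(frame[38:42])))


class Segment:
    """Constructed stand-in for the hosts behind one port.  Each host is
    (mac, ip, answers_for): a well-behaved host answers ARP only for its own
    address, a spoofing host may also answer for addresses it does not own."""

    def __init__(self, hosts: list[tuple[str, str, set[str]]]):
        self.hosts = hosts

    def broadcast(self, frame: bytes) -> list[bytes]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            return []
        _op, asker_mac, asker_ip, wanted_ip = parsed
        return [build_arp(ARP_REPLY, mac, wanted_ip, asker_mac, asker_ip)
                for mac, _own_ip, answers_for in self.hosts
                if wanted_ip in answers_for]


def verify_binding(segment: Segment, request_frame: bytes) -> bool:
    """Claim 5: on an ARP request addressed to this device, send our own ARP
    request for the requester's claimed IP out of the same port, then accept
    the (MAC, IP) pair only if every reply carries exactly that pair."""
    parsed = parse_arp(request_frame)
    if parsed is None or parsed[0] != ARP_REQUEST or parsed[3] != DEVICE_IP:
        return False                      # not a request for this device
    _op, claimed_mac, claimed_ip, _ = parsed
    probe = build_arp(ARP_REQUEST, DEVICE_MAC, DEVICE_IP, ZERO_MAC, claimed_ip)
    answering_pairs = set()
    for reply in segment.broadcast(probe):
        r = parse_arp(reply)
        if r is not None and r[0] == ARP_REPLY:
            answering_pairs.add((r[1], r[2]))
    # Empty set: nobody on this port owns the claimed address.  Two or more
    # pairs: conflicting owners (the real host and a spoofer both answered).
    # Either way the claimed pair is not authenticated.
    return answering_pairs == {(claimed_mac, claimed_ip)}


def request_to_device(mac: str, ip: str) -> bytes:
    """ARP request 'who has DEVICE_IP' as a node claiming (mac, ip) sends it."""
    return build_arp(ARP_REQUEST, mac, ip, ZERO_MAC, DEVICE_IP)


HOST_A = ("02:00:00:00:00:0a", "192.0.2.10")
HOST_B = ("02:00:00:00:00:0b", "192.0.2.11")
SPOOFER = ("02:00:00:00:00:ee", "192.0.2.66")
# Constructed population of one port: A and B behave; the spoofer also
# answers ARP for B's address.
SEGMENT = Segment([(HOST_A[0], HOST_A[1], {HOST_A[1]}),
                   (HOST_B[0], HOST_B[1], {HOST_B[1]}),
                   (SPOOFER[0], SPOOFER[1], {SPOOFER[1], HOST_B[1]})])
# The same port with host B switched off.
SEGMENT_B_OFFLINE = Segment([h for h in SEGMENT.hosts if h[0] != HOST_B[0]])

if __name__ == "__main__":
    print(verify_binding(SEGMENT, request_to_device(*HOST_A)))
    print(verify_binding(SEGMENT, request_to_device(SPOOFER[0], HOST_A[1])))
    print(verify_binding(SEGMENT, request_to_device(SPOOFER[0], HOST_B[1])))
    print(verify_binding(SEGMENT_B_OFFLINE, request_to_device(SPOOFER[0], HOST_B[1])))
```

The last call shows the limit of the collation on its own: when the real owner of an address is absent and the spoofer answers the device's probe for it, the claimed pair passes. That is why a practitioner would not rely on this check alone; in the claims it sits on top of the port-keyed binding table and the server-side authentication of claim 3.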
6. The packet transfer device according to any one of claims 1 to 5, wherein, when the node or entity has a fixed process identification address, the control unit and the transfer unit make that process identification address an item stored in the multi-layer binding table.
7. The packet transfer device according to any one of claims 1 to 6, which is an integrated structure including some or all of the functions of DHCP (Dynamic Host Configuration Protocol), a layer 2 switch and W-LAN (Wireless Local Area Network).
8. The packet transfer device according to any one of claims 1 to 7, wherein the transfer unit or the control unit, on receiving a packet transmitted by an authenticated node or entity, writes a value predetermined for the packet's communication protocol into a predetermined field of the received packet, and, on receiving a packet transmitted by an unauthenticated node or entity, resets that predetermined field.
9. A packet transfer system comprising:
a packet transfer device arranged on the Internet user side; and
a packet transfer device according to any one of claims 1 to 8 arranged on the Internet side,
wherein the packet transfer device arranged on the Internet side blocks an address-spoofed packet from flowing into the Internet even when that packet has been sent by bypassing or slipping through the packet transfer device arranged on the Internet user side.
10. A packet transfer method comprising a transfer procedure of:
searching a multi-layer binding table, which stores the correspondence between identification information of a plurality of ports or a plurality of channels accommodating at least one node or at least one entity (the nodes or entities encapsulating packets in frames when they transmit to and receive from one another) and the source physical address and source logical address of a frame transmitted by the node or entity, using the identification information of the port or channel on which the frame arrived as the key; and
when the pair of the frame's source physical address and source logical address exists in the multi-layer binding table, encapsulating the packet extracted from the frame into a frame and forwarding it to the next-hop node toward the packet's destination logical address, and, when the pair does not exist in the multi-layer binding table, discarding the packet.
11. A packet transfer method comprising a transfer procedure of:
searching a multi-layer binding table, which stores the correspondence between identification information of a plurality of ports or a plurality of channels accommodating at least one node or at least one entity (the nodes or entities encapsulating packets in frames when they transmit to and receive from one another) and the source physical address and source logical address of a frame transmitted by the node or entity, using the identification information of the port or channel on which the frame arrived as the key; and
when the pair of the frame's source physical address and source logical address exists in the multi-layer binding table, forwarding the packet extracted from the frame to a router which forwards it toward the packet's destination logical address, and, when the pair does not exist in the multi-layer binding table, discarding the packet.
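As an added illustration of the transfer procedure shared by claims 1, 2, 10 and 11 (example code written for this page, not code from the patent or from Tokyo Denki University; the patent's embodiment uses an OpenFlow switch and controller, reference numerals 14 and 15, whereas this is an in-memory simulation), the Python below builds Ethernet/IPv4 frames, decapsulates them, and applies the multi-layer binding table check: the table is looked up by the receiving port first, and the frame's (source MAC, source IP) pair must be bound to that port. The port names, addresses and table contents are constructed for the example. The third case shows why the port is part of the key: host B's perfectly valid pair is still dropped when it arrives on host A's port.

```python
from __future__ import annotations

import struct
from ipaddress import ip_address

# Constructed binding table (claim 1): ingress port id -> set of
# (source MAC, source IP) pairs bound to that port.  Keying on the port first
# is what makes the table multi-layer: a pair that is genuine elsewhere on the
# device is still rejected when it shows up on the wrong port.
TABLE: dict[str, set[tuple[str, str]]] = {
    "port1": {("02:00:00:00:00:0a", "192.0.2.10")},
    "port2": {("02:00:00:00:00:0b", "192.0.2.11")},
}
DEVICE_MAC = "02:00:00:00:00:fe"   # the transfer device's own MAC (constructed)
SERVER_IP = "198.51.100.5"         # a destination beyond the device (constructed)


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                payload: bytes = b"") -> bytes:
    """Ethernet II frame carrying a minimal IPv4 header (protocol UDP, no
    options; the header checksum is left at 0 because nothing here checks it)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 17, 0, ip_address(src_ip).packed,
                         ip_address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip_hdr + payload


def decapsulate(frame: bytes):
    """Take the packet out of the frame: return (src_mac, src_ip, dst_ip)
    for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return (frame[6:12].hex(":"),
            str(ip_address(frame[26:30])),
            str(ip_address(frame[30:34])))


def transfer(table: dict[str, set[tuple[str, str]]], ingress_port: str,
             frame: bytes) -> tuple[str, str]:
    """The transfer unit of claims 1 and 10: look the table up by the port
    that received the frame, then require the frame's (source MAC, source IP)
    pair to be bound to that port.  Returns ("forward", destination IP the
    packet is re-encapsulated toward) or ("drop", reason)."""
    fields = decapsulate(frame)
    if fields is None:
        return "drop", "not an Ethernet/IPv4 frame"
    src_mac, src_ip, dst_ip = fields
    if (src_mac, src_ip) not in table.get(ingress_port, set()):
        return "drop", f"{src_mac}/{src_ip} is not bound to {ingress_port}"
    return "forward", dst_ip


# Constructed test traffic.
GENUINE = build_frame("02:00:00:00:00:0a", DEVICE_MAC, "192.0.2.10", SERVER_IP)
# Host A keeps its own MAC but writes somebody else's source IP.
IP_SPOOF = build_frame("02:00:00:00:00:0a", DEVICE_MAC, "203.0.113.7", SERVER_IP)
# Host B's complete, valid (MAC, IP) pair: legitimate on port2, spoofed on port1.
HOST_B_PAIR = build_frame("02:00:00:00:00:0b", DEVICE_MAC, "192.0.2.11", SERVER_IP)

if __name__ == "__main__":
    for port, frame, label in [("port1", GENUINE, "genuine host A"),
                               ("port1", IP_SPOOF, "host A with spoofed IP"),
                               ("port1", HOST_B_PAIR, "host B's pair from port1"),
                               ("port2", HOST_B_PAIR, "host B from its own port")]:
        print(f"{label:28s} -> {transfer(TABLE, port, frame)}")
```

For claims 2 and 11 the only difference is what "forward" means: the packet goes unchanged to a router instead of being re-encapsulated toward the next hop; the lookup and the drop rule are identical.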
PCT/JP2015/050618 2014-05-14 2015-01-13 Packet transfer device, packet transfer system, and packet transfer method Ceased WO2015174100A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016519125A JPWO2015174100A1 (en) 2014-05-14 2015-01-13 Packet transfer device, packet transfer system, and packet transfer method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014-100321 2014-05-14
JP2014100321 2014-05-14

Publications (1)

Publication Number Publication Date
WO2015174100A1 true WO2015174100A1 (en) 2015-11-19

Family

ID=54479647

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/050618 Ceased WO2015174100A1 (en) 2014-05-14 2015-01-13 Packet transfer device, packet transfer system, and packet transfer method

Country Status (2)

Country Link
JP (1) JPWO2015174100A1 (en)
WO (1) WO2015174100A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011081104A1 (en) * 2010-01-04 2011-07-07 NEC Corporation Communication system, authentication device, control server, and communication method and program
JP2012175482A (en) * 2011-02-23 2012-09-10 Fujitsu Ltd Terminal connection setting method of network communication device, operation monitoring device, and network communication device
WO2012153913A1 (en) * 2011-05-12 2012-11-15 ESTsoft Corp. Method of defending against a spoofing attack by using a blocking server

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017200153A (en) * 2016-04-28 2017-11-02 Tokyo Denki University Communication apparatus, communication system, communication control method, and program
JP2017201774A (en) * 2016-04-28 2017-11-09 Tokyo Denki University Communication device, communication method, and program
JP2017212705A (en) * 2016-05-27 2017-11-30 Tokyo Denki University Communication control device, communication system, communication control method, and program
JP2021192554A (en) * 2016-08-24 2021-12-16 NEC Platforms, Ltd. Relay device, communication system, relay method, and relay program
JP2023060297A (en) * 2016-08-24 2023-04-27 NEC Platforms, Ltd. Relay device, relay method, and relay program
JP7553624B2 (en) 2016-08-24 2024-09-18 NEC Platforms, Ltd. Relay device, relay method, and relay program
JP2021524090A (en) * 2018-05-21 2021-09-09 International Business Machines Corporation Selectively providing mutual transport layer security using alternate server names
JP7203444B2 (en) 2018-05-21 2023-01-13 International Business Machines Corporation Selectively providing mutual transport layer security using alternate server names
US20210344714A1 (en) * 2019-08-22 2021-11-04 Huawei Technologies Co., Ltd. Cyber threat deception method and system, and forwarding device
US12074908B2 (en) * 2019-08-22 2024-08-27 Huawei Technologies Co., Ltd. Cyber threat deception method and system, and forwarding device
CN111510300A (en) * 2020-04-10 2020-08-07 China United Network Communications Group Co., Ltd. Data processing method, device, equipment and computer readable storage medium
CN111510300B (en) * 2020-04-10 2023-04-18 China United Network Communications Group Co., Ltd. Data processing method, device, equipment and computer readable storage medium

Also Published As

Publication number Publication date
JPWO2015174100A1 (en) 2017-04-20

Similar Documents

Publication Publication Date Title
Abad et al. An analysis on the schemes for detecting and preventing ARP cache poisoning attacks
EP1779589B1 (en) Arrangement for tracking ip address usage based on authenticated link identifier
US9602485B2 (en) Network, network node with privacy preserving source attribution and admission control and device implemented method therfor
US7360245B1 (en) Method and system for filtering spoofed packets in a network
US7984493B2 (en) DNS based enforcement for confinement and detection of network malicious activities
Gangan A review of man-in-the-middle attacks
Hijazi et al. Address resolution protocol spoofing attacks and security approaches: A survey
WO2015174100A1 (en) Packet transfer device, packet transfer system, and packet transfer method
CN1968272B (en) Method used for remitting denial of service attack in communication network and system
Lu et al. An SDN‐based authentication mechanism for securing neighbor discovery protocol in IPv6
CN105207778A (en) Method of realizing package identity identification and digital signature on access gateway equipment
CN115694951A (en) Data transmission method, device and system based on virtualization network
Tripathi et al. An ICMP based secondary cache approach for the detection and prevention of ARP poisoning
McPherson et al. Source address validation improvement (SAVI) threat scope
Singh et al. A detailed survey of ARP poisoning detection and mitigation techniques
Shete et al. DHCP protocol using OTP based two-factor authentication
US8590031B2 (en) Methods, systems, and computer program products for access control services using a transparent firewall in conjunction with an authentication server
KR100856918B1 (en) IP address authentication method and IP6-based network system in IP6-based network
Kwak et al. Trust domain based trustworthy networking
JP4768547B2 (en) Authentication system for communication devices
Janbeglou et al. Redirecting outgoing DNS requests toward a fake DNS server in a LAN
US20060123475A1 (en) Apparatus and method for traversing gateway device using a plurality of batons
Pahlevan Signaling and Policy Enforcement for Cooperative Firewalls
Choi et al. LIPS: Lightweight internet permit system for stopping unwanted packets
Teku A study on the nature of ipv6 intrusions and the road map towards their detection & prevention

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15792171

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2016519125

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15792171

Country of ref document: EP

Kind code of ref document: A1