JP6182397B2 - Network system, branch router, and control method thereof - Google Patents

Description

  The present invention relates to a network system, a branch router, and a control method thereof.

  In VPN (Virtual Private Network) communication, a hub-and-spoke VPN network system including a gateway serving as a network hub and a plurality of branch routers serving as spokes connected to the gateway. Exists.

  By the way, in such a hub-and-spoke VPN network system, communication between bases passes through a gateway. For example, even when branch routers are adjacent to each other, transmission delay occurs when the gateway is in a remote place. Becomes larger. Further, since all communications pass through the gateway, there is a problem that the communication amount increases and the equipment load of the gateway increases.

  Therefore, as described in Non-Patent Document 1, a group is configured by a plurality of branch routers, and communication between bases within each group is performed directly between branch routers using a common group key. There is a technique for distributing from a gateway to each branch router.

Star type and mesh type hybrid IP-VPN architecture, IEICE, IEICE Technical Report NS2012-20, May / 2012

  By the way, in the technique disclosed in Non-Patent Document 1, in communication between bases constituting a group, MPSA (Multi-point Security) which is SA (Security Association) using a single group key shared by a plurality of branch routers. When a normal packet is eavesdropped and the destination is rewritten with the destination of another branch router, the packet decrypted by the other branch router is forwarded to the original branch router. Therefore, there is a problem that a replay (retransmission) attack becomes possible (hereinafter referred to as a replay attack by redirection).

  The present invention has been made in view of the above points, and in a network system sharing a single group key shared by a plurality of branch routers in a group, a network capable of preventing a replay attack due to redirection. It is an object of the present invention to provide a system, a branch router, and a control method thereof.

In order to solve the above-described problems, the present invention provides a network system including one or more groups having a plurality of branch routers and a gateway that controls the one or more groups. Communication means for distributing MPSA information to the branch routers, wherein the plurality of branch routers perform encrypted communication with each other according to a tunnel path based on the MPSA information distributed by the distribution means. Obtaining means for obtaining a first source address given to a packet received from another branch router and a second source address obtained by decoding the packet; and obtaining by the obtaining means The route information table is searched based on the received second transmission source address. Whether or not the route information is the tunnel route, and the transmission interface of the tunnel route matches the interface that received the packet, and the termination address of the tunnel route matches the first source address. And determining means for determining, and discarding means for discarding the packet when the determination means determines NO.
According to such a configuration, a replay attack due to redirection can be prevented in a network system that shares a single group key shared by a plurality of branch routers in the group.

In one aspect of the present invention, the determination unit is configured to decode whether or not the first transmission source address acquired by the acquisition unit is registered as an end address of the tunnel route in the route information table. The discarding unit discards the packet when the determination unit determines NO.
According to such a configuration, since the invalid packet is discarded before the packet is decoded, it is possible to prevent processing from being performed on the invalid packet.

One aspect of the present invention is characterized in that the discarding unit discards a packet when the packet received from the predetermined MPSA by the branch router is transmitted to the same MPSA.
According to such a configuration, since invalid packets are discarded, an increase in traffic can be suppressed.

The present invention also provides a network system control method including one or more groups having a plurality of branch routers and a gateway for controlling the one or more groups, wherein the gateway includes the plurality of branches constituting each group. A distribution step of distributing MPSA information to routers, wherein the plurality of branch routers perform mutual encrypted communication according to a tunnel path based on the MPSA information distributed in the distribution step; An acquisition step of acquiring a first transmission source address given to a packet received from the branch router and a second transmission source address obtained by decoding the packet; and The route information table is checked based on the second source address. Whether the corresponding route information is the tunnel route, the transmission interface of the tunnel route matches the interface that received this packet, and the termination address of the tunnel route matches the first source address. A determining step for determining whether or not, and a discarding step for discarding the packet when it is determined as not in the determining step.
According to such a method, it becomes possible to prevent a replay attack due to redirection in a network system that shares a single group key shared by a plurality of branch routers in the group.

In addition, the present invention includes one or more groups having a plurality of branch routers, and distribution means for controlling the one or more groups and distributing MPSA information to the plurality of branch routers constituting each group. In the branch router constituting the network system having a gateway, communication means for performing encrypted communication with each other according to a tunnel path based on the MPSA information distributed by the distribution means, and packets received from other branch routers Based on the first transmission source address assigned and the second transmission source address obtained by decoding the packet, and the second transmission source address obtained by the acquisition unit The route information table is searched, and the corresponding route information is the tunnel route. Determining means for determining whether the transmission interface of the tunnel path matches the interface that received the packet, and whether the termination address of the tunnel path matches the first source address; And discarding means for discarding the packet when it is determined to be no by the means.
According to such a configuration, a replay attack due to redirection can be prevented in a network system that shares a single group key shared by a plurality of branch routers in the group.

In addition, the present invention includes one or more groups having a plurality of branch routers, a distribution step of controlling the one or more groups and distributing MPSA information to the plurality of branch routers constituting each group. In the method for controlling the branch router constituting the network system having a gateway, a communication step for performing encrypted communication with each other according to a tunnel path based on the MPSA information distributed in the distribution step, and a message received from another branch router An acquisition step of acquiring a first transmission source address given to the received packet and a second transmission source address obtained by decoding the packet; and the second transmission source address obtained in the acquisition step Search the route information table based on the Whether or not the route information is the tunnel route, and the transmission interface of the tunnel route matches the interface that received the packet, and the termination address of the tunnel route matches the first source address. A determination step for determining, and a discard step for discarding the packet when the determination step determines NO.
According to such a method, it becomes possible to prevent a replay attack due to redirection in a network system that shares a single group key shared by a plurality of branch routers in the group.

  According to the present invention, in a network system sharing a single group key shared by a plurality of branch routers in a group, a network system capable of preventing a replay attack due to redirection, a branch router, and control of these It becomes possible to provide a method.

It is a figure which shows the structural example of the network system which concerns on embodiment of this invention. It is a figure which shows the detailed structural example of the gateway and branch router as described in embodiment shown in FIG. FIG. 3 is a diagram illustrating a detailed configuration example of an MPSA processing unit illustrated in FIG. 2. It is a figure which shows the example of a connection of a branch router, and the example of the IP address of each part. 5 is an example of a route information table included in the branch router shown in FIG. 4. It is a figure which shows an example of the format of an IP packet and an ESP packet. It is a figure which shows an example of the detailed format of the ESP packet shown in FIG. 4 is a flowchart for explaining an example of processing executed in a transmission source address inspection unit shown in FIG. 3. 4 is a flowchart for explaining an example of processing executed in an ESP decoding unit and a uRPF inspection unit shown in FIG. 3. It is a figure which shows the deformation | transformation embodiment of this invention. It is a flowchart for demonstrating operation | movement of the deformation | transformation embodiment shown in FIG.

  Next, an embodiment of the present invention will be described.

(A) Description of Configuration of Embodiment FIG. 1 is a diagram illustrating a configuration example of a network system according to an embodiment of the present invention. As shown in this figure, a network system according to an embodiment of the present invention includes a gateway 10, a transit network 20, an I-IP (Internal-Internet Protocol) network 30, branch routers 50 and 60, an E-IP (External-Internet). Protocol) client networks 70 and 80 exist. The branch routers 50 and 60 perform encrypted communication based on MPSA.

  Here, the gateway 10 receives a group key via an IKE_SA (Security Association) that is an encrypted communication path for key exchange established with the branch routers 50 and 60 by IKEv2 (Internet Key Exchange Protocol Version 2). In addition to distribution, route information is exchanged by BGP (Border Gateway Protocol) via CHILD_SA, which is an encrypted communication channel for data communication established by IKEv2. In this route information, information (terminal IP address) indicating which branch router is to be passed in order to reach an E-IP client network existing under the control of another branch router from a certain branch router via MPSA. For example, such information can be exchanged by using the techniques disclosed in, for example, RFC 5565, RFC 5512, and RFC 5566.

  The transit network 20 is a network that relays traffic of the I-IP network 30 and the MPSA 40.

  The I-IP network 30 is a virtual network provided by CHILD_SA on the transit network 20. The E-IP client networks 70 and 80 are external networks provided at each base of the client.

  FIG. 2 is a diagram showing a configuration example of the gateway 10 and the branch routers 50 and 60 shown in FIG. As shown in FIG. 2, the gateway 10 includes a packet transmission / reception unit 11, an SA (Security Association) processing unit 12, an IKE (Internet Key Exchange) processing unit 13, a route protocol processing unit 14, an MPSA transmission unit 15, and an MPSA management unit 16. And a packet transmitting / receiving unit 17.

  Here, the packet transmission / reception unit 11 transmits and receives packets to and from the branch routers 50 and 60. When performing encrypted communication by IPsec with the branch routers 50 and 60, the SA processing unit 12 performs SA (Security Association) by IKE_SA or CHILD_SA based on the authentication algorithm and encryption algorithm notified from the IKE processing unit 13. Execute the process. As a result, the gateway 10 can distribute the group key between the branch routers 50 and 60 by encrypted communication.

  The IKE processing unit 13 executes processing for determining an encryption algorithm necessary for IPsec and sharing an encryption key before performing encrypted communication by IPsec. The route protocol processing unit 14 executes processing for exchanging the route information table with the branch routers 50 and 60.

  The GSA transmission unit 15 executes processing for transmitting a group key to the branch routers 50 and 60. The GSA management unit 16 is a processing unit that manages a group key transmitted to the branch routers 50 and 60. The packet transmitting / receiving unit 17 is connected to a network device other than the branch routers 50 and 60, and transmits and receives packets.

  The branch router 50 includes a packet transmission / reception unit 51, an SA processing unit 52, an IKE processing unit 53, a route protocol processing unit 54, a GSA reception unit 55, a GSA processing unit 56, and a packet transmission / reception unit 57.

  Here, the packet transmission / reception unit 51 transmits and receives packets between the gateway 10 and the branch router 60. When performing encrypted communication by IPsec with the gateway 10, the SA processing unit 52 executes SA processing by IKE_SA or CHILD_SA based on the authentication algorithm and encryption algorithm notified from the IKE processing unit 53. As a result of the SA processing, the branch router 50 can receive the group key by encrypted communication with the gateway 10.

  The IKE processing unit 53 executes a process for determining a necessary encryption algorithm and sharing an encryption key in the SA processing unit 52 that performs the encrypted communication before performing the encrypted communication. The route protocol processing unit 54 executes processing for exchanging route information with the gateway 10.

  The MPSA receiver 55 executes a process for receiving the group key distributed from the gateway 10. The MPSA processing unit 56 executes SA processing based on the group key. The packet handled by the MPSA processing unit 56 can use the same ESP (Encapsulated Security Payload) as CHILD_SA handled by the SA processing unit 52, and belongs to any SA by the SPI (Security Parameter Index) stored in the header part of the ESP. Identifies whether it is a packet. The packet transmission / reception unit 57 transmits / receives a packet to / from the E-IP client network 70.

  Since the branch router 60 has the same configuration as that of the branch router 50, detailed description thereof is omitted. In FIG. 3, illustration of the connection between the branch router 60 and the gateway 10 is omitted to simplify the drawing, but the branch router 60 is connected to the gateway 10 like the branch router 50.

  FIG. 3 is a diagram showing a detailed configuration of the MPSA processing unit 56 shown in FIG. Since the MPSA processing unit 66 has the same configuration, the MPSA processing unit 56 will be described below as an example.

  As shown in FIG. 3, the MPSA processing unit 56 includes an MPSA search unit 561, an MPSA table 562, a source address inspection unit 563, an ESP decoding unit 564, and a uRPF (Unicast Reverse Path Forwarding) inspection unit 565. Yes.

  Here, when communicating with the branch router 60, the MPSA search unit 561 searches the MPSA table 562 for an MPSA that is an agreement regarding the group key and the like, and acquires the corresponding MPSA. The MPSA table 562 is a table that stores the MPSA described above.

  The transmission source address inspection unit 563 refers to the route information table 59 based on the transmission source address of the IP address given to the packet, and determines whether or not the transmission source of the packet is valid.

  The ESP decryption unit 564 refers to the MPSA table 562 and decrypts the encrypted packet.

  The uRPF inspection unit 565 determines whether the packet transmission source is valid based on the route information stored in the route information table 59.

  The route information table 59 stores the route information acquired by the route protocol processing unit 54, and the routing processing is executed based on this route information.

(B) Description of Operation of Embodiment Next, the operation of the embodiment of the present invention will be described. In the following, first, the general operation of this embodiment will be described, and then the detailed operation will be described.

  FIG. 4 is a diagram showing a detailed configuration example of the branch routers 50 and 60 and the E-IP client networks 70 and 80 shown in FIG. In FIG. 4, the branch routers 50 and 60 are connected to each other by the MPSA 40 on the transit network 20. A personal computer 71 is connected to the E-IP client network 70, and a personal computer 81 is connected to the E-IP client network 80. Further, the IP address of the personal computer 71 is 172.16.0.2, the IP address of the personal computer 81 is 172.17.0.2, and the IP address of the E-IP client network 70 is 172.16.0.2. The IP address of the E-IP client network 80 is 172.17.0.0/16. The IP addresses on the transit network side of the branch routers 50 and 60 are 192.168.1.1 and 192.168.1.2, respectively, and these are the termination addresses of the MPSA 40. For simplification, the branch routers 50 and 60 are illustrated as the same subnet of the transit network, but may be different subnets.

  In such a configuration, an encryption algorithm (encryption method or authentication method) used in IKE_SA is determined by IKE_INIT exchange between gateway 10 and IKE processing units 13 and 53 of branch router 50, and an encryption key is obtained by key exchange. Shared. Further, through IKE_SA, an encryption algorithm used in communication through IPsec CHILD_SA is determined, and an encryption key is shared. As a result, as shown in FIG. 1, IKE_SA used for exchanging IKE messages and CHILD_SA for transmitting and receiving packets to be protected by IPsec are formed between the gateway 10 and the branch router 50 as an encrypted tunnel. . The MPSA transmission unit 15 receives the group key from the MPSA management unit 16 and transmits the group key to the branch router 50 via the encrypted tunnel. The MPSA receiving unit 55 of the branch router 50 receives the encryption algorithm and group key from the gateway 10 and supplies them to the MPSA processing unit 56. Further, by exchanging tunnel termination IP address information based on RFC 5565, RFC 5512, and RFC 5566 between the route protocol processing units 14 and 54 via CHILD_SA by BGP, the branch router 50 transmits a packet to an E-IP client network to the MPSA 40. To which branch router to be connected (tunnel route information).

  A similar process is executed between the gateway 10 and the branch router 60, and the MPSA receiving unit 65 of the branch router 60 receives the same group key received by the branch router 50 from the gateway 10 and sends it to the MPSA processing unit 66. Supply. As a result, the branch router 50 and the branch router 60 hold the same group key. Further, CHILD_SA is exchanged between the start route protocol processing units 14 and 64 by tunnel BGP IP addresses based on RFC 5565, RFC 5512, and RFC 5566, so that the branch router 60 holds the same route information as the branch router 50. And which branch router connected by the MPSA 40 should know the packet to a certain E-IP client network.

  The branch router 50 and the branch router 60 use the group key acquired in this way, so that the authentication method and encryption parameters used in IPsec communication are not exchanged individually between the branch routers. As shown in FIG. 4, an MPSA 40 serving as an encrypted tunnel is formed between the branch router 50 and the branch router 60, and encrypted communication can be performed via the MPSA 40. In FIG. 4, for simplicity, the IP address at the end of the branch router 50 connected to the MPSA 40 is 192.168.1.1, and the IP address at the end of the branch router 60 is 192.168.1.2. However, any address can be designated as long as reachability of the IP packet is ensured.

  FIG. 5 is a diagram illustrating an example of route information that the branch routers 50 and 60 have. Here, FIG. 5A shows route information that the branch router 50 has, and FIG. 5B shows route information that the branch router 60 has. The upper part of FIG. 5A shows that the branch router 50 is directly connected to the E-IP client network 70 having an IP address of 172.16.0.0/16. . Further, in the lower part of FIG. 5A, the terminal IP connected to the MPSA 40 through the interface “Tunnel0” is connected to the E-IP client network 80 in which the branch router 50 has an IP address of 172.17.0.0/16. The address is 192.168.1.2. It is shown that they are connected via a branch router. The lower information in FIG. 5A recursively resolves the tunnel termination IP address information exchanged by RFC 5565, RFC 5512, and RFC 5566 in addition to the normal route information exchanged by BGP or the like, and the branch router 50 , 60 based on the setting information of itself, the route information obtained by setting the interface directed to the tunnel termination IP address as “Tunnel0” that is an interface connected to its own MPSA, that is, a packet to a certain destination To indicate where to forward the packet via which interface. The tunnel route information refers to route information used when relaying a packet via MPSA, holds its own tunnel interface connected to MPSA as transmission interface information, and is connected to the destination branch via MPSA. The route information uses the MPSA termination IP address of the router as termination address information.

  5B shows that the branch router 60 is directly connected to the E-IP client network 80 having an IP address of 172.17.0.0/16. ing. Further, in the lower part of FIG. 5B, the terminal IP that the branch router 60 connects to the MPSA 40 through the interface “Tunnel 0” to the E-IP client network 70 having the IP address of 172.16.0.0/16. The address is 192.168.1.1. It is shown that they are connected via a branch router.

  In the situation described above, for example, a case where a packet is transmitted from the personal computer 71 to the personal computer 81 is assumed. In that case, the personal computer 71 sends an IP packet 100 as shown in FIG. 6A to the E-IP client network 70. 6A is assigned 172.17.0.2, which is the IP address of the personal computer 81, as the transmission destination address, and 172, which is the IP address of the personal computer 71, as the transmission source address. 16.0.2 is given.

  The branch router 50 receives such an IP packet 100 and converts it into an ESP packet 200 belonging to the MPSA 40 as shown in FIG. 6B based on the encryption algorithm, group key and tunnel path information received from the gateway 10. To do. More specifically, an ESP header 202 and an ESP trailer 203 are added to the IP packet 100 shown in FIG. Then, the IP header 101, the TCP header 102, the data 103, and the ESP trailer 203 that are hatched in FIG. 6B are encrypted. Then, ESP authentication data 204 for the ESP header 202 and the encrypted hatched portion in FIG. 6B is added. Finally, the outer IP header 201 is added to complete the ESP packet 200. The ESP header 202 includes information such as an SPI (Security Parameter Index) for specifying the encrypted tunnel, a sequence number indicating the packet order, and an initialization vector value corresponding to the encryption algorithm. In addition, the ESP trailer 203 includes padding data for adjusting the number of bytes of data to be encrypted according to the encryption algorithm and a padding length that is information indicating the length, and a network layer or transformer encrypted by the ESP. And a next header which is port layer information. The ESP authentication data 204 is data for checking the integrity of the data, and an ICV (Integrity) generated for the ESP header 202 to the ESP trailer 203 using a MAC (Message Authentication Code). Check Value (integrity check value). The outer IP header 201 is an IP header newly added by the branch router 50.

  FIG. 7 is a diagram showing the configuration of the outer IP header 201 and the IP header 101. As shown in this figure, the outer IP header 201 has a destination address 201d and a source address 201s in a part thereof. The IP header 101 also has a destination address 101d and a source address 101s as part of it. When a packet is transmitted from the personal computer 71 to the personal computer 81, the destination address 101d of the IP header 101 is 172.17.0.2, which is the IP address of the personal computer 81, as described above. The address 101 s is 172.16.0.2 which is the IP address of the personal computer 71. On the other hand, the destination address 201d of the outer IP header 201 is 192.168.1.2 which is the IP address at the end of the MPSA 40, and the source address 201s is 192.168.1.1 which is the IP address at the end of the MPSA 40. It is.

  The ESP packet 200 transmitted from the branch router 50 belongs to the MPSA 40 and is delivered to the branch router 60 via the transit network 20. In the branch router 60, since the ESP packet 200 belongs to the MPSA 40, it is received by the interface “Tunnel0” connected thereto, and the MPSA search unit 661 refers to the SPI of the ESP header 202 from the MPSA table 662 and finds the corresponding MPSA. The ESP packet 200 is supplied to the ESP decoding unit 664 and the ESP packet 200 is supplied to the source address checking unit 663.

  The transmission source address inspection unit 663 acquires the transmission source address 201 s of the outer IP header 201 and searches the path information table 69 for path information having the transmission source address 201 s as a termination address. In this example, since the source address 201s is 192.168.1.1 which is the terminal IP address connected to the MPSA 40 of the branch router 50, it is shown in the lower part of FIG. The route information “172.16.0.0/16 via 192.168.1.1. Tunnel 0” is acquired. Next, the transmission source address inspection unit 663 refers to the acquired route information and determines whether or not the transfer destination interface of this route is an interface that has received the ESP packet 200. In the present example, the received interface is “Tunnel 0”, which matches the acquired route information, and is determined to be applicable. As a result, this packet is determined to be a legitimate packet and supplied to the ESP decoding unit 664. Note that if the information corresponding to the source address 201s of the outer IP header 201 does not exist in the route information table 69 or the interface does not match, the packet is discarded. By such processing, it is possible to detect a packet for which the transmission source has been spoofed and immediately discard it without performing a decoding process.

  The ESP decoding unit 664 decodes the packet passed from the source address checking unit 663 based on the MPSA supplied from the MPSA table 662, takes out the original IP packet 100 shown in FIG. The result is passed to the uRPF inspection unit 665 together with the transmission source address 201 s of the header 201.

  The uRPF inspection unit 665 acquires the source address 101 s from the IP header 101 of the IP packet 100 decrypted by the ESP decryption unit 664. Then, the corresponding route information is searched from the route information table 69 using the source address 101s as a key. In this example, the source address 101 s is 172.16.0.2, which is the IP address of the personal computer 71. For this reason, in the route information table 69, the lower route information (information including 172. 16.0.0 / 16) shown in FIG. 5B corresponds, and this information is acquired. Next, in the uRPF inspection unit 665, the transfer destination interface indicated by the acquired path information is an interface that has received the ESP packet 200, and the termination address of the MPSA 40 to which the interface is connected is that of the outer IP header 201 of the ESP packet 200. It is determined whether or not it matches the source address 201s. As a result, when these two conditions are satisfied, the IP packet 100 is transmitted to the E-IP client network 80, and when at least one of the two conditions is not satisfied, the IP packet 100 is discarded. In this example, the transfer destination interface indicated by the acquired path information is “Tunnel 0”, which matches the interface that received the ESP packet 200, and “Tunnel 0” is the termination address of MPSA 40 to which 192.168.1 is connected. .1 is the same as the transmission source address 201 s of the outer IP header 201 of the ESP packet 200, it is determined that both conditions are satisfied, and the IP packet 100 is sent to the E-IP client network 80. The IP packet 100 sent to the E-IP client network 80 is received by the personal computer 81.

  Through the above processing, the IP packet 100 transmitted from the personal computer 71 is received by the personal computer 81. Further, the uRPF inspection unit 665 obtains route information from the route information table 69 using the source address 101s included in the IP header 101 as a key, and the transfer destination interface indicated by the obtained route information receives the ESP packet 200. If the IP address of the MPSA 40 connected to the interface matches the source address 101s of the outer IP header 201 of the ESP packet 200, the decrypted IP packet 100 is sent to the E-IP client network 80. Since the IP packet 100 is sent out and the IP packet 100 is discarded in other cases, the IP packet can be transmitted even if the normal packet is intercepted and the destination is rewritten to another branch router. 100 can be discarded In, it is possible to prevent a replay attack by redirect.

  In the above embodiment, the transmission source address 201 s of the outer IP header 201 of the ESP packet 200 is registered in the route information table 69 by the transmission source address inspection unit 663 before the inspection by the uRPF inspection unit 665 is executed. In the path information, it is determined whether or not it matches the termination address where the interface that has received the ESP packet 200 is the transfer destination interface. If not, the ESP packet 200 is discarded. Thereby, by excluding illegal packets before executing the decoding process, unnecessary decoding processes can be eliminated and the processing load can be reduced.

  Next, an example of processing executed in the branch routers 50 and 60 will be described with reference to FIGS. FIG. 8 is a flowchart for explaining an example of processing executed in the transmission source address checking unit 663. When the processing of this flowchart is started, the following steps are executed. Since the processes executed in the branch routers 50 and 60 are the same, the following description will be given taking the branch router 60 as an example.

  In step S <b> 10, the transmission source address inspection unit 663 acquires the transmission source address 201 s of the outer IP header 201 of the ESP packet 200. For example, as described above, when a packet is transmitted from the personal computer 71 to the personal computer 81, 192.168.1.1 which is the IP address at the end of the MPSA 40 is acquired as the source address 201s.

In step S11, the transmission source address inspection unit 663 searches the route information table 69, and searches for route information having the transmission source address 201s acquired in step S10 as a termination address. In the present example, route information having an end address of 192.168.1.1 that is an IP address is searched.

  In step S12, the transmission source address checking unit 663 determines whether or not the route information corresponding to the transmission source address 201s exists as a tunnel termination as a result of the search in step S11, and if it exists as a tunnel termination (step S12). : Yes), the process ends. In other cases (step S12: No), the process proceeds to step S13. In the present example, the route information table 69 includes route information (route information shown in the lower part of FIG. 5B) corresponding to the IP address 192.168.1.1. Since it is the termination information of the tunnel route, it is determined as Yes and the process is terminated.

  In step S13, the transmission source address inspection unit 663 discards the target packet. Thereby, an illegal packet can be discarded.

  Next, an example of processing executed in the ESP decoding unit 664 and the uRPF inspection unit 665 will be described with reference to FIG. When the process shown in FIG. 9 is started, the following steps are executed.

  In step S30, the ESP decoding unit 664 acquires the transmission source address 201s of the outer IP header 201 of the ESP packet 200. For example, as described above, when a packet is sent from the personal computer 71 to the personal computer 81, 192.168.1.1 that is the IP address of the interface that the router 50 connects to the transit network 20 is acquired as the source address 201s. Is done.

  In step S31, the ESP decoding unit 664 decodes the ESP packet 200. In the present example, the IP packet 100 shown in FIG. 6A is obtained.

  In step S32, the uRPF inspection unit 665 acquires the transmission source address 101s of the IP header 101 of the IP packet 100. In this example, the source address 101 s including the IP address of the personal computer 71 is acquired from the IP packet 100.

  In step S33, the uRPF inspection unit 665 searches the route information table 69 using the transmission source address 101s acquired in step S32 as a key. In the present example, the path information table 69 is searched using the IP address of the personal computer 71 172.16.0.2 as a key.

  In step S34, the uRPF inspection unit 665 acquires the route information corresponding to the source address 101s existing in the route information table 69, and the transfer destination interface included in the acquired tunnel route information and the receiving interface that has received the packet are It is determined whether or not they match. If it is determined that the transfer destination interface and the reception interface match (step S34: Yes), the process proceeds to step S35. Otherwise (step S34: No), the process proceeds to step S36. . In this example, there is route information in the lower part of FIG. 5B as route information corresponding to the IP address 172.16.0.2 of the personal computer 71. This route information receives the ESP packet 200. Since this is a tunnel route with the interface as the transfer destination interface, it is determined Yes and the process proceeds to step S35.

  In step S35, the uRPF inspection unit 665 determines whether or not the termination address of the path information searched in step S33 matches the transmission source address 201s of the outer IP header 201 of the ESP packet 200, and if they match (step S35). : Yes), the process ends. In other cases (step S35: No), the process proceeds to step S36. In the present example, the route information searched in step S33 is the route information in the lower part of FIG. 5B, and its end address is 192.168.1.1, which is the outer address of the ESP packet 200. Since it matches the source address 201s of the IP header 201, it is determined as Yes and the process is terminated.

  In step S36, the uRPF inspection unit 665 discards the processing target packet.

  According to the above process, the path information is acquired from the path information table 69 using the source address 101s included in the IP header 101 as a key, and the transfer destination interface of the acquired path information receives the ESP packet 200. If it is information of the matching tunnel path and the end address of the tunnel path matches the source address 101s of the outer IP header 201 of the ESP packet 200, the decrypted IP packet 100 is transferred to the E-IP client network. Send to 80. Otherwise, the IP packet 100 is discarded. Thus, when a normal packet is eavesdropped and the destination is rewritten to another branch router and transferred from the branch router, the IP packet 100 is discarded, so that a replay attack due to redirection can be prevented.

(C) Description of Modified Embodiment Each of the above embodiments is an example, and it is needless to say that the present invention is not limited to the case described above. For example, the embodiment shown in FIG. 1 shows the case where there are two branch routers, but the present invention can be applied even when there are three or more branch routers. In the embodiment shown in FIG. 1, the case where there is only one group having the branch routers 50 and 60 has been described as an example. However, two or more groups exist, and a common MPSA is used in each group. The present invention can also be applied when performing encrypted communication.

  In FIG. 3, the transmission source address checking units 563 and 663 are provided to check the transmission source address. However, the transmission source address checking units 563 and 663 are not necessarily provided and may be excluded depending on circumstances. May be.

  In FIG. 4, the E-IP client networks 70 and 80 have the same subnet mask (mask length), but a completely different subnet mask may be assigned to them. The branch routers 50 and 60 are connected to the transit network 20 through the same subnet, but may be different subnets.

  Moreover, the route information table shown in FIG. 6 is an example, and route information of other formats may be used.

  FIG. 10 is a diagram showing an example of a modified embodiment of the present invention. In FIG. 10, parts corresponding to those in FIG. Compared with FIG. 1 in FIG. 10, a branch router 150 and an E-IP client network 170 are added. Other configurations are the same as those in FIG. In FIG. 10, by prohibiting packet transfer within the same MPSA, it is possible to prevent spoofing and suppress an increase in unnecessary traffic. More specifically, in the modified embodiment shown in FIG. 10, when the packet is received, the branch routers 50, 60, 150 discard the packet if the transmission MPSA and the reception MPSA of the packet are the same. For example, when there is a packet transferred from the branch router 150 to the branch router 60 via the branch router 50 as indicated by a one-dot chain line in FIG. 10, the branch router 50 has the same transmission MPSA and reception MPSA. And determines that the packet is discarded. As a result, spoofing can be prevented and an increase in traffic can be suppressed by preventing transfer of unnecessary packets as compared to the case where such a packet is transferred and discarded in the branch router 60.

  FIG. 11 is a flowchart for explaining an example of processing executed in the branch routers 50, 60, 150 of the modified embodiment shown in FIG. In FIG. 11, parts corresponding to those in FIG. 9 are denoted by the same reference numerals and description thereof is omitted. In FIG. 11, the process of step S37-S39 is added compared with FIG. Other than that is the same as FIG. Below, the process of step S37-S39 is demonstrated.

  In step S37, the uRPF inspection unit 665 acquires the destination address 101d of the IP header 101 of the IP packet 100.

  In step S38, the uRPF inspection unit 665 searches the route information table 69 using the destination address 101d acquired in step S37 as a key.

  In step S39, the uRPF inspection unit 665 determines whether or not the transmission MPSA and the reception MPSA are the same. If it is determined that they are the same (step S39: Yes), the process proceeds to step S36 to discard the packet. Otherwise (step S39: No), the process ends.

  According to the above processing, spoofing can be prevented and an increase in unnecessary traffic can be suppressed by discarding packets transferred in the same MPSA.

DESCRIPTION OF SYMBOLS 10 Gateway 11 Packet transmission / reception part 12 SA processing part 13 IKE processing part 14 Path | route protocol processing part 15 MPSA transmission part (distribution means)
16 MPSA management unit 20 Transit network 30 I-IP network 40 MPSA
50, 60 Branch router 51, 61 Packet transceiver (communication means)
52, 62 SA processing unit 53, 63 IKE processing unit 54, 64 Route protocol processing unit 55, 65 MPSA reception unit 56, 66 MPSA processing unit 57, 67 Packet transmission / reception unit 70, 80 E-IP client network 90 Tunnel 54, 64 Route protocol processing unit 56, 66 MPSA processing unit 59, 69 Route information table 561, 661 MPSA search unit 563, 663 Source address checking unit (acquiring unit, determining unit, discarding unit)
564,664 ESP decoding unit (acquisition means)
565,665 uRPF inspection section (determination means, discarding means)

Claims (6)

In a network system having one or more groups having a plurality of branch routers and a gateway for controlling the one or more groups,
The gateway is
Distribution means for distributing MPSA (Multi-point Security Association) information to a plurality of branch routers constituting each group;
The plurality of branch routers are:
Communication means for performing encrypted communication with each other according to a tunnel path based on the MPSA information distributed by the distribution means;
An acquisition means for acquiring a first source address given to a packet received from another branch router and a second source address obtained by decoding the packet;
A route information table is searched based on the second source address obtained by the obtaining unit, the corresponding route information is the tunnel route, and the transmission interface of the tunnel route receives the packet and Determining means for determining whether or not a termination address of the tunnel path matches the first source address;
A discarding unit that discards the packet when the determination unit determines no,
A network system characterized by this. The determination unit determines whether or not the first transmission source address acquired by the acquisition unit is registered in the route information table as a termination address of the tunnel route before the packet is decoded. ,
The discarding unit discards the packet when the determination unit determines NO.
The network system according to claim 1.   3. The network system according to claim 1, wherein the discarding unit discards the packet when the packet received from the predetermined MPSA by the branch router is transmitted to the same MPSA. In a control method of a network system having one or more groups having a plurality of branch routers and a gateway for controlling the one or more groups,
The gateway is
A distribution step of distributing MPSA information to a plurality of branch routers constituting each group;
The plurality of branch routers are:
A communication step of performing encrypted communication with each other according to a tunnel path based on the MPSA information distributed in the distribution step;
An obtaining step of obtaining a first source address given to a packet received from another branch router and a second source address obtained by decoding the packet;
A route information table is searched based on the second source address obtained in the obtaining step, the corresponding route information is the tunnel route, and the transmission interface of the tunnel route receives the packet A determination step of determining whether an end address of the tunnel path matches the first source address;
And a discarding step of discarding the packet when it is determined to be NO in the determination step. A network system comprising one or more groups having a plurality of branch routers, and a gateway having a distribution means for controlling the one or more groups and distributing MPSA information to the plurality of branch routers constituting each group In the branch router constituting
Communication means for performing encrypted communication with each other according to a tunnel path based on the MPSA information distributed by the distribution means;
An acquisition means for acquiring a first source address given to a packet received from another branch router and a second source address obtained by decoding the packet;
A route information table is searched based on the second source address obtained by the obtaining unit, the corresponding route information is the tunnel route, and the transmission interface of the tunnel route receives the packet and Determining means for determining whether or not a termination address of the tunnel path matches the first source address;
A discarding unit that discards the packet when the determination unit determines no,
A branch router characterized by that. A network system having one or more groups having a plurality of branch routers, and a gateway having a distribution step for controlling the one or more groups and distributing MPSA information to the plurality of branch routers constituting each group In the control method of the branch router that constitutes
A communication step of performing encrypted communication with each other according to a tunnel path based on the MPSA information distributed in the distribution step;
An obtaining step of obtaining a first source address given to a packet received from another branch router and a second source address obtained by decoding the packet;
A route information table is searched based on the second source address obtained in the obtaining step, the corresponding route information is the tunnel route, and the transmission interface of the tunnel route receives the packet A determination step for determining whether or not a termination address of the tunnel path matches the first source address, and
A discarding step of discarding the packet when it is determined to be NO by the determination step;
A branch router control method characterized by the above.

Images