JP3009876B2 - Packet transfer method and base station used in the method - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a packet transfer method in wireless or wired packet communication and a base station used in the method. More specifically, in connectionless data communication, a plurality of LAs
The present invention relates to a packet transfer method in a network in which a local area network (N) is connected to form a virtual LAN (VLAN) and a base station used in the method.

[0002]

2. Description of the Related Art In the Internet, IP (Internet P)
rotocol (Internet Protocol) is adopted for the packet transfer method, and thus each terminal has an IP address. The IP address is composed of 32 bits, and some of the upper bits indicate a network address for identifying the data network, and the remaining lower bits indicate a host address for identifying a terminal connected to the data network.

[0005] A terminal transmits a packet in which a destination address and a source address are added to data to an IP network, and the IP network transfers the packet to a data network indicated by a network address in the destination address. If the packet is a unicast packet, the data network transfers the packet to a terminal specified by the host address in the destination address, and if the packet is a broadcast packet, transfers the packet to all terminals connected to the data network (RFC791 I).
Internet Protocol).

However, according to such a packet transfer method, since a packet is transferred to a data network without confirming who the transmitting terminal is, there is a risk that the data network will be illegally accessed by an unknown terminal. There is. Also,
Even if the source terminal is a legitimate terminal, there is also a problem that unauthorized access to a data network other than the data network to which the source terminal belongs cannot be prevented because the destination address is not regulated.

[0005] In order to solve such inconvenience, a packet transfer method for checking a destination address and a source address at the time of packet transfer has been proposed.

In this address check method, a combination of a destination address and a source address to which transfer is permitted is registered in a packet transfer device as a permission table in advance. The packet transfer device checks the destination address and the source address of the transfer packet, and transfers the transfer packet if these addresses are already registered in the permission table, and does not transfer the transfer packet if these addresses are not registered (Ishizaka
Takahiro, "Network Security Device", Japanese Patent Laid-Open No. 2
-302139).

According to this method, the source address is confirmed, and the packet is transferred only when the terminal address is previously permitted, thereby preventing unauthorized access to the data network. However, this method has a problem that the data network can be illegally accessed by forging the source address.

As another conventional packet transfer method, a method called forced transfer has been proposed. This method uses a connection-oriented packet network (ie, X.2).
5, when a plurality of data networks are connected to a packet network that establishes a connection when starting communication, the packet network forces a call to be accessed through the packet network to a database machine for security check. Forward. Then, the database machine checks the validity of the access, transfers the access call to the data network if it is valid, sets up a connection between the terminal and the data network, and disconnects the access call if invalid. (S. Shoji, "Security Checking Method in Packet Switching Network", Japanese Patent Laid-Open No. 5-327773).

However, in this method, when applied to a connectionless packet network in which the transfer is performed based on the destination address given to the packet, all the transfer packets are forcibly transferred to the database machine for security check, and the access is authorized. It is necessary to check gender. Therefore, there arises a problem that the load on the database machine for security check increases and the packet transfer delay time increases.

Further, as another conventional packet transfer method, a remote terminal accesses a data network via a network such as the Internet to which an unspecified number of terminals are connected (hereinafter, referred to as a “relay network”). An encapsulation method that enables unauthorized access to a data network while making it possible has been proposed. In this method, a data network connects to a relay network via a gateway. The gateway first authenticates the remote terminal at the start of communication, and discards the packet if it is determined that the terminal is unauthorized. Next, the remote terminal encrypts the transmission packet including the destination address and the transmission source address and transmits the transmission packet to the gateway. At this time, the encrypted transmission packet is stored in the data portion of the packet addressed to the gateway, and is transferred to the relay network with the address of the gateway connected to the destination data network and the source address added thereto. Note that transferring the packet in this manner is called encapsulation. The gateway extracts the data portion from the received packet and decrypts the encrypted packet. If tampering is detected at the time of decoding, the packet is discarded, and if tampering is not performed, the packet is transferred to the data network. On the other hand, a packet addressed to the remote terminal from the data network is encrypted by the gateway connected to the source data network after adding the destination address and the source address, and then the destination address and the own gateway address are added thereto. Further, it is encapsulated and transferred to the remote terminal.

According to this method, after authenticating the remote terminal, an encryption path is set between the gateway and the remote terminal by encapsulation to prevent unauthorized access to the data network. However, when a remote terminal sends a packet to another remote terminal connected via a relay network, the packet is always transferred via a gateway, so that an optimal route is not selected and the packet transfer delay time Is increased. Also, the gateway needs to perform encapsulation / decapsulation processing for all terminals belonging to the data network connected to the gateway, and the processing load on the gateway increases. Further, in this method, when a data network or a remote terminal transfers a broadcast packet or a multicast packet, a broadcast address or a multicast address cannot be designated as a destination address of a packet sent to the relay network. For this reason, the gateway has no other choice but to copy the packet and then transfer it to each remote terminal by unicast. This causes a problem that the traffic of the relay network increases, a packet transfer delay time increases, and a problem that the load on the gateway increases. Furthermore, when transferring a unicast packet from a source remote terminal to a destination remote terminal, even if these remote terminals are connected to a relay network, they must pass through a gateway connected to the data network before the destination terminal. This causes a problem that the transfer delay time increases because the packet is sent to the network.

[0012]

SUMMARY OF THE INVENTION Accordingly, a first object of the present invention is to provide a user L by forging a source address.
An object of the present invention is to provide a packet transfer method for solving the problem of illegal access to an AN and permitting a packet transfer with a specific data network only to a terminal registered in advance, and a base station used in the method.

Further, a second object of the present invention is to solve the problem that the packet transfer delay time, traffic and load on the gateway increase, and to realize an optimum packet selection method and an efficient packet transfer method. It is to provide a base station used for the method.

[0014]

According to a first aspect of the present invention, a packet network comprises a base station and a packet backbone network connecting the base stations. The station accommodates a plurality of packet terminals under its control, and the packet backbone network is packet communication using a network connected to a user LAN which is a plurality of other packet networks, and each of the packet terminals has a unique A packet having a terminal address and a packet to which a destination address which is the terminal address of the destination terminal and a source address which is its own terminal address are transmitted, and wherein the network transfers the packet using the destination address. A transfer method, wherein the packet network is used when the packet terminal starts communication via the base station. The packet performs terminal authentication of the terminal, the packet terminal that the authentication is successful, encrypts the data to be transmitted, the user LAN to the destination terminal belongs
And transmitting a packet in which the identifier, the destination address and the source address are assigned to the encrypted data, to the packet network, and the packet network receives the packet and performs the encryption included in the received packet. Decoding the data, if the received packet is not falsified, the packet terminal is permitted to communicate with the user LAN having the identifier based on the source address and the identifier included in the received packet. The received packet is transferred to the user LAN only when the communication is permitted, and the received packet is discarded when the communication is not permitted.

According to a second aspect of the present invention, the packet network includes a base station and a packet backbone network connecting the base station, and the base station accommodates a plurality of packet terminals under its control. A packet communication using a network in which the packet backbone network is further connected to a user LAN which is a plurality of other packet networks;
Each of the packet terminals has a unique terminal address and transmits a packet with a destination address being the terminal address of the destination terminal and a source address being its own terminal address, and the network uses the destination address. A packet transfer method for transferring the packet, wherein an identifier for identifying the user LAN is assigned to each user LAN in advance, and the packet network is connected to the terminal address and one or more terminals permitted to communicate with the terminal address. Terminal information in which the identifiers respectively assigned to the user LANs and the information required for terminal authentication are stored in advance, and the packet network, when the packet terminal starts communication via the base station, A terminal authentication of the packet terminal is performed using the information, and the packet terminal If so, the packet terminal is notified of communication permission, and if the communication permission is notified, the packet terminal selects one user LAN for communication from one or more of the user LANs, Encrypting data to be transmitted, transmitting a packet in which the identifier, the destination address, and the source address assigned to the selected user LAN are added to the encrypted data, to the packet network; Upon receiving the packet, determining whether there is tampering at the time of decrypting the encrypted data included in the received packet, discarding the received packet if tampering is detected, and Check whether the correspondence between the source address and the identifier included in the packet is registered in the terminal information, and if the correspondence is already registered, The received packet is forwarded to the destination address in the case the corresponding is not registered is characterized by discarding the received packet.

According to a third aspect of the present invention, the packet network comprises a base station and a packet backbone network connecting the base station, and the base station accommodates a plurality of packet terminals under its control. A packet communication using a network in which the packet backbone network is further connected to a user LAN which is a plurality of other packet networks;
Each of the packet terminals has a unique terminal address and transmits a packet with a destination address being the terminal address of the destination terminal and a source address being its own terminal address, and the network uses the destination address. A packet transfer method for transferring the packet, wherein a unique user LAN name is assigned in advance for each user LAN, and the packet network is connected to the terminal address and one or more user LAs permitted to communicate with the terminal address.
N, and stores in advance terminal information in which the user LAN name assigned to each of the N and the information necessary for terminal authentication are associated with each other, and when the packet terminal starts communication via the base station, one or more of the Select one user LAN to communicate from the user LAN, and select the selected user LA
N is notified to the packet network of the user LAN name assigned to the N. The packet network performs terminal authentication of the packet terminal using the information. If the packet terminal is a legitimate terminal, the packet network An identifier for identifying the user LAN is assigned to the user LAN name notified from the terminal and the packet is notified to the packet terminal. The packet terminal encrypts data to be transmitted and sets the selected user LAN. A packet in which the identifier, the destination address, and the source address assigned to the encrypted data are assigned to the encrypted data is transmitted to the packet network, and the packet network receives the packet and transmits the encrypted packet included in the received packet. At the time of decryption of the encrypted data, it is determined whether or not tampering has been performed. If tampering has been detected, the received packet is discarded, and If it is determined that the correspondence between the user LAN name to which the identifier included in the received packet is assigned and the source address included in the received packet is registered in the terminal information, the correspondence is already registered. , The received packet is forwarded to the destination address, and if the correspondence is not registered, the received packet is discarded. It is characterized in that the identifier assigned to the LAN name is released.

According to a fourth aspect of the present invention, in the second aspect of the present invention, the packet backbone network has a plurality of relay nodes for relaying the packet, and each of the relay nodes transmits the received packet to the packet. A packet forwarding method using a network having a function of selecting a route for forwarding to a destination address, wherein the packet network comprises:
Using the destination address and the identifier in the received packet as the routing information for the route selection, when transferring a unicast packet, if the destination terminal is connected to the packet network, the destination address Then, the packet is transferred to the destination terminal while sequentially selecting the relay node, and if the destination terminal is not currently connected to the packet network, the packet is transferred while sequentially selecting the relay node according to the identifier. When transferring to the user LAN and transferring a broadcast packet and a multicast packet, the relay nodes are sequentially selected using the identifier, the packets are sequentially transferred to the relay node, and communication is performed using the same identifier. To all the packet terminals and the user LAN specified by the identifier. It is characterized in that to transfer Tsu door. According to a fifth aspect of the present invention, in the packet transfer method according to any one of the second to fourth aspects, a packet is transferred using a network in which a gateway is connected between the packet backbone network and the plurality of user LANs. So,
When transferring the received packet to the destination address via the user LAN, the gateway determines the user LAN according to the identifier included in the received packet.
And transfers the received packet to the selected user LAN.

According to a sixth aspect of the present invention, the packet network comprises a base station and a packet backbone network connecting the base station, and the base station accommodates a plurality of packet terminals under its control. The packet backbone network is a packet communication using a network connected via a gateway to a user LAN, which is a plurality of other packet networks, wherein each of the packet terminals has a unique terminal address and the destination terminal has A packet transfer method for transmitting a packet to which a destination address which is a terminal address and a source address which is a terminal address of the terminal itself is added, and wherein the network transfers the packet using the destination address. Preliminarily stores terminal information in which the terminal address is associated with information necessary for terminal authentication. The gateway stores in advance a terminal address of a transmission source that permits transfer of a packet between the packet network and the user LAN, and the packet network allows the packet terminal to perform communication via the base station. When starting, the terminal performs terminal authentication of the packet terminal using the information, and if the packet terminal is a legitimate terminal, notifies the packet terminal of a communication permission, and the packet terminal notifies the communication permission of the communication permission. If so, encrypt the data to be transmitted and transmit the packet with the destination address and the source address added to the packet network, and the packet network receives the packet and includes the packet in the received packet. When the encrypted data is decrypted, the presence or absence of tampering is determined, and if tampering is detected, the received packet is discarded, and Transfer the received packet to the gateway, and if the transfer to the source address included in the packet transferred from the packet network is permitted, the gateway transfers the transfer packet from the user LAN. The transfer is performed to a destination address, and if the transfer is not permitted, the transfer packet is discarded.

According to a seventh aspect of the present invention, in the sixth aspect of the present invention, the packet backbone network has a plurality of relay nodes for relaying the packet, and each of these relay nodes sends the packet to the destination. A packet transfer method using a network having a path selection function for transferring to an address, wherein an identifier for identifying the user LAN is assigned to each user LAN in advance, and the packet terminal transmits the packet to the packet. When transmitting to the network, one of the user LANs to be connected is selected from the plurality of user LANs, an identifier of the selected user LAN is further added to the packet, and the packet is transmitted. The destination address included in the packet transmitted as routing information for route selection and the When transferring a unicast packet using a differentiator, if the destination terminal is connected to the packet network, transfer the packet to the destination terminal while sequentially selecting the relay nodes according to the destination address. If the destination terminal is not connected to the packet network, the packet is transferred to the gateway while sequentially selecting the relay nodes according to the identifier, and the broadcast packet and the multicast packet are transferred. Sequentially selecting the relay node using an identifier and sequentially transferring the packet to the relay node,
Using the same identifier, the packet is transferred to all the communicating packet terminals and the gateway specified by the identifier.

In the invention according to claim 8, in the invention according to claim 4 or 7, when the unicast packet is transferred at the time of the encryption and the decryption, the unicast packet is allocated to each of the packet terminals. When transmitting the broadcast packet or the multicast packet using an encryption key, an encryption key assigned to each of the identifiers is used. According to a ninth aspect of the present invention, in the invention of the fourth or seventh aspect, in performing the encryption and the decryption, the unicast packet is transferred, and the packet terminal transmits the broadcast packet or the multicast packet. When transmitting, using an encryption key assigned to each packet terminal, when the base station transmits the broadcast packet or the multicast packet, using an encryption key assigned to each identifier I have. The invention according to claim 10 is characterized in that, in the invention according to claim 4 or 7, an encryption key assigned to each of the identifiers is used as the encryption key in the encryption and the decryption.

The invention according to claim 11 is a base station which is connected to a packet backbone network to which a plurality of user LANs as other packet networks are connected and accommodates a plurality of packet terminals under its control. A terminal for storing a unique terminal address assigned to each packet terminal, identifiers respectively assigned to one or more user LANs to which the packet terminal is allowed to communicate, and information necessary for terminal authentication in association with each other. Information storage means, terminal authentication means for performing terminal authentication using the information in response to a communication start request from the packet terminal, and notifying the packet terminal of an authentication result; the packet backbone network; and the packet terminal Packet encrypting means for encrypting and transmitting the data portion in the packet transmitted and received between the A packet in which a destination address which is a terminal address, a source address which is a terminal address of the packet terminal, and an identifier assigned to the user LAN is added to the encrypted data from the packet terminal, and the encrypted data is decrypted. Packet decrypting means,
Packet alteration detecting means for detecting alteration from the decoded data and discarding the packet, and a set of the transmission source address and the identifier included in the packet are stored in the terminal information storage means. Comparing means for confirming whether or not the packet is registered in the set of the terminal address and the identifier; and, based on a result of the confirmation by the comparing means, transferring the packet to the destination address on condition that there is the registration. , Filtering means for discarding the packet on condition that there is no registration.

According to a twelfth aspect of the present invention, there is provided a base station which is connected to a packet backbone network to which a plurality of user LANs as other packet networks are connected and accommodates a plurality of packet terminals under its control. A unique terminal address assigned to each packet terminal, user LAN names respectively assigned to one or more user LANs to which the packet terminal is permitted to communicate, and information necessary for terminal authentication are stored in association with each other. Terminal information storage means for performing terminal authentication using the information in response to a communication start request from the packet terminal, notifying the packet terminal of an authentication result, and for a regular packet terminal, An identifier for identifying the user LAN is assigned to the user LAN name notified from the packet terminal along with the communication start request, and the communication is performed. A terminal authentication means for releasing the identifier assigned to the user LAN name on condition that the packet terminal has completed communication, and a data part in a packet exchanged between the packet backbone network and the packet terminal. Packet encryption means for encrypting and transmitting using the information, a destination address being the terminal address of the destination terminal, a source address being the terminal address of the packet terminal, and the identifier being added to the encrypted data. Packet decryption means for receiving a packet from the packet terminal and decrypting the encrypted data; packet falsification detection means for detecting tampering from the decrypted data and discarding the packet; Name of the user LAN to which the identifier to be assigned is assigned and the source address included in the received packet Comparing means for confirming whether a set is registered in the set of the user LAN name and the terminal address stored in the terminal information storage means, and performing the registration based on a result of the confirmation by the comparing means. Filtering means for transferring the packet to the destination address on condition that there is a packet and discarding the packet on condition that there is no registration.

The invention according to claim 13 is the first invention.
In the invention described in 1, the packet encrypting means, if the packet to be transmitted is a unicast packet, encrypts the packet using an encryption key assigned to each packet terminal, and the packet to be transmitted is a broadcast packet or a multicast packet. If there is, the packet is encrypted using the encryption key assigned to each of the identifiers, and if the received packet is a unicast packet, the packet decryption means decrypts the packet using the encryption key assigned to each of the packet terminals. If the received packet is a broadcast packet or a multicast packet, the packet is decrypted using an encryption key assigned to each of the identifiers. Further, the invention according to claim 14 is the invention according to claim 11, wherein the packet encryption means comprises:
If the packet to be transmitted is a unicast packet, it is encrypted using an encryption key assigned to each packet terminal,
If the packet to be transmitted is a broadcast packet or a multicast packet, the packet is encrypted using an encryption key assigned to each of the identifiers, and the packet decryption means decrypts using the encryption key assigned to each of the packet terminals. Is characterized by Claim 1
According to a fifth aspect of the present invention, in the invention of the eleventh aspect, the packet encrypting means encrypts a data portion of a packet to be transmitted using an encryption key assigned to each of the identifiers,
The packet decrypting means decrypts a data portion of a received packet using an encryption key assigned to each of the identifiers.

[0024]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Various embodiments of the present invention will be described below with reference to the drawings. The present invention can be applied to both a wireless packet network and a wired packet network, but the following description will focus on a wireless packet network, and finally an embodiment in which the present invention is applied to a wired packet network. Will be described.

[First Embodiment] In the first embodiment, a packet transfer method according to claims 1, 2 and 5 and claim 1
This corresponds to the case where the base station described in No. 1 is applied.

FIG. 1 schematically shows a network configuration of a packet network in the present embodiment. In the figure, a plurality of radio base stations 1-6 and these radio base stations 1-6
6 is connected to a wireless packet backbone network 1-5. Each radio base station 1
-6 accommodates a plurality of wireless packet terminals 1-7 under its control. The user LAN 1-4 is another packet network, and the wireless packet backbone network 1-5 is a gateway 1-1.
Through 1-3 are connected to a plurality of user LANs 1-4. The gateway 1-3 selects one of the user LANs 1-4 according to a VLAN-ID described later, deletes the VLAN-ID from the packet, and then selects the selected user L.
Forward the packet to the AN. Relay path 1-10 between wireless packet backbone network 1-5 and user LAN 1-4
Various types can be selected, such as a virtual channel connection (VCC) of an ATM (Asynchronous Transfer Mode) network and a virtual private network (VPN) on the Internet. The wireless packet backbone network 1-5 is connected to the terminal authentication server 1-8. The terminal authentication server 1-8 stores a terminal information table, and when the wireless packet terminal 1-7 starts communication, the wireless base station 1-6.
Give terminal information to

In the present embodiment, the terminal information table includes at least a terminal address and a VLAN-ID to be described later.
And an encryption key unique to each terminal as information necessary for terminal authentication. As the terminal address, a MAC (Media Access Control) address in Ethernet is used. The wireless packet network notifies each wireless packet terminal of the encryption key in advance.

FIG. 2 shows the configuration of the radio base station 1-6 according to the present embodiment. The function of each means provided in the radio base station 1-6 will be described sequentially in the following description. In the figure, a solid line indicates a packet signal transmitted and received between the wireless packet backbone network 1-5 or the wireless packet terminal 1-7 and the wireless base station 1-6, and a broken line indicates a wireless base station 1 -6
Means a control signal between the respective units.

FIG. 3 shows an authentication procedure of the wireless packet terminal 1-7 in the present embodiment. As shown in the figure, the wireless packet terminal 1-7 transmits a communication start request signal to the wireless base station 1-6 when starting communication (2-
1). In the wireless base station 1-6, the terminal authentication unit 10 receives the communication start request signal and makes a terminal information request to the terminal authentication server 1-8 (2-2). In response to this terminal information request, the terminal authentication server 1-8 sends a terminal information notification to the radio base station 1-.
6, the terminal authentication unit 10 receives the terminal information notification (2-3), and stores the notified terminal information in the terminal information storage unit 11. Next, the terminal authentication means 10 generates a random number for terminal authentication, encrypts the generated random number using the encryption key included in the terminal information, and sends the encrypted random number to the wireless packet terminal 1-7 as an authentication request signal. Send (2-
4). The wireless packet terminal 1-7 decrypts the transmitted random number with the encryption key notified from the wireless packet network and sends it back to the wireless base station 1-6 as an authentication response signal (2).
-5). The wireless base station 1-6 compares the random number transmitted as the authentication request signal by the terminal authentication means 10 with the returned random number. If they match, the terminal authentication unit 10 determines that the wireless packet terminal 1-7 is a legitimate terminal, and notifies the wireless packet terminal 1-7 of communication permission using an authentication acceptance signal (2-6). Thereafter, using the encryption key obtained from the terminal authentication unit 10 by the packet encryption unit 12, only the data portion excluding the header portion in the data packet is encrypted and transferred. On the other hand, if the two random numbers do not match,
The terminal authentication means 10 determines the wireless packet terminal 1-7 as an unauthorized terminal, and uses the authentication reception signal to send the wireless packet terminal 1-7.
7 is notified of the refusal of communication (2-6).

FIG. 4 shows a procedure for detecting alteration of a data packet in this embodiment. Wireless packet terminal 1-
7 calculates an error detection code for the generated data, attaches it to the data, encrypts the data, and further transmits a data packet to which the header information is added to the wireless base station 1-6 (3-1). In the wireless base station 1-6, the packet decryption means 13 decrypts the encrypted data portion in the data packet and sends it to the packet tampering detection means 14. The packet tampering detection means 14 calculates an error detection code of the decoded data, compares the calculated error detection code with the error detection code obtained from the packet by decoding, and if both match, it is determined that there is no tampering. It is determined that if the two do not match, there is tampering.

Table 1 shows a terminal information table in the present embodiment. The terminal information table includes terminal information including a terminal address, a VLAN-ID, and an encryption key as information necessary for terminal authentication. The terminal information is stored in the terminal information storage unit 11 by the terminal authentication unit 10.
(See FIG. 2).

[0032]

[Table 1]

This VLAN-ID is the user LAN 1-4.
Is defined as an identifier for identifying each user LA.
A unique value is assigned to N in advance. The wireless packet terminal 1-7 has its own user LAN 1-
4 are registered in advance in the terminal authentication server 1-8.

FIG. 5 shows a signal format of a packet used by the wireless packet network in the present embodiment. As shown in the figure, the packet has a destination address 4-1 and a source address 4-2 and a VLAN as header information.
-ID 4-3, and the part of the user data 4-4 is encrypted.

As described in detail below, the radio base stations 1-6
Transfers only packets whose VLAN-ID 4-3 matches the VLAN-ID of the user LAN 1-4 to which the wireless packet terminal belongs, among the packets received from the wireless packet terminal 1-7, and these VLAN-IDs are Packets that do not match are discarded.

FIG. 6 shows a packet transfer procedure in this embodiment. The wireless base station 1-6 performs the authentication shown in FIG. 3 at the start of communication, and starts communication when the wireless packet terminal 1-7 is determined to be a legitimate terminal. Next, the radio base station 1-6 performs the falsification detection procedure shown in FIG. 4, and when detecting falsification of the data packet (5-1) received from the radio packet terminal 1-7, discards this data packet. . On the other hand, if tampering is not detected, in the wireless base station 1-6, the terminal address / VLAN-ID comparison unit 15 refers to the terminal information stored in the terminal information storage unit 11, and the VLAN-ID and the source address 4 After confirming the correspondence with -2, the result is sent to the filtering means 16. That is, the terminal address / VLAN-ID comparison means 15 searches the terminal information table shown in Table 1 and
If there is a terminal whose VLAN address and VLAN-ID are equal to the source address 4-2 and VLAN-ID 4-3 in the data packet, it is determined that the correspondence corresponds to the terminal information. The filtering means 16 transfers the data packet to the destination terminal specified by the destination address 4-1 if the correspondence matches the terminal information based on the transmitted confirmation result (5-2). At this time, if the destination terminal is connected to the user LAN 1-4, the data packet is transferred from the gateway 1-3 to the user LAN 1-4 via the gateway 1-1 or the gateway 1-2. When the destination terminal is connected to the wireless packet network, the data packet is transferred to the destination terminal without passing through the gateway. On the other hand, when the correspondence between the VLAN-ID and the source address 4-2 does not match the terminal information, the filtering unit 16 discards the data packet.

Here, a procedure for transferring a packet from the user LAN 1-4 to the wireless packet terminal 1-7 will be briefly described. The gateway 1-1 or the gateway 1-2 to which the user LAN 1-4 is connected.
When the gateway transmits a packet to the gateway 1-3, the gateway transmits the transmitted packet from the relay path 1-10 to the gateway 1-3.
Transfer to The gateway 1-3 sends the packet to the user LAN 1 according to the relay path 1-10 from which the packet was sent.
-4 is assigned to the VLAN-ID assigned to the packet, and then transferred to the wireless packet backbone network 1-5. The wireless base station 1-6 receives the transferred packet, encrypts the data portion of the packet, and transmits the encrypted data to the wireless packet terminal 1-7 indicated by the destination address. The wireless packet terminal 1-7 is encrypted. Receive and decode the packet.

As described above, according to the present embodiment, a wireless packet terminal can be specified by performing terminal authentication at the start of communication, and unauthorized access from an unknown terminal or a terminal whose terminal address has been forged can be prevented. Can be. Further, by transmitting the packet after encrypting it with a terminal-specific encryption key, it is possible to prevent an unauthorized terminal from impersonating an authenticated authorized terminal and prevent unauthorized access by the impersonated terminal. Further, by detecting tampering at the time of decryption of the encryption and discarding the packet, it is possible to prevent the transfer of the tampered packet, and to obtain the effect of preventing communication interruption due to tampered data and increase in traffic of the wireless packet network. . Moreover, VLAN-I
By confirming the correspondence between D and the source address, it is possible to prevent a terminal after authentication from accessing a user LAN to which the user does not belong, and prevent unauthorized access from a terminal belonging to another user LAN. can do.

[Second Embodiment] This second embodiment relates to a packet transfer method according to claims 1, 2 and 5, and claim 1.
This corresponds to the case where the base station described in No. 1 is applied.

In the present embodiment, the network configuration of the packet network, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet are the same as those shown in FIGS. 1
Equivalent to the embodiment.

As in the first embodiment, a unique value is assigned to the VLAN-ID for each user LAN 1-4 in advance.

Each wireless packet terminal 1-7 has a VLAN-ID of a plurality of user LANs 1-4 permitted to connect.
Are registered in the terminal authentication server 1-8 in advance.

Table 2 shows a terminal information table in the present embodiment. For example, a wireless packet terminal having an address # 1 as a terminal address is permitted to connect to a user LAN 1-4 having a VLAN-ID of VLAN-ID # A or VLAN-ID # B.

[0044]

[Table 2]

As described in detail below, the radio base stations 1-6
Is one of the VLAN-IDs of the user LANs to which the wireless packet terminal is permitted to connect from among the packets received from the wireless packet terminal 1-7 and the VLAN-ID4.
-3, forward only packets that match
-Discard packets that do not match the ID.

FIG. 7 shows a packet transfer procedure in the present embodiment. In the wireless base station 1-6, the terminal authentication means 10 authenticates the wireless packet terminal 1-7, and starts encryption communication if the wireless packet terminal is a legitimate terminal. Next, in the wireless base station 1-6, the packet decoding means 13 decodes (6-1) the data packet from the wireless packet terminal 1-7, and the packet tampering detection means 14 checks the received data packet for tampering, and If is detected, the packet is discarded. Note that the procedure so far is the same as in the first embodiment. On the other hand, if tampering is not detected, in the wireless base station 1-6, the terminal address / VLAN-ID comparing unit 15 refers to the terminal information stored in the terminal information storage unit 11, and sets the VLAN-ID 4-3 and the transmission source. It is checked whether the correspondence with the address 4-2 has been registered in the terminal information, and the result is sent to the filtering means 16.
That is, the terminal address / VLAN-ID comparing means 15
Indicates that the terminal address in the terminal information table matches the source address 4-2, and that the VLAN-ID is registered in a plurality of VLAN-IDs registered corresponding to the terminal address.
If there is one that matches ID4-3, it is determined that the correspondence has been registered in the terminal information. And
The filtering means 16 transfers the data packet to the destination terminal specified by the destination address 4-1 if the correspondence has been registered in the terminal information based on the transmitted confirmation result (6-2). At this time, the destination terminal is the user LAN 1−
4, the data packet is transmitted from the gateway 1-3 to the gateway 1-1 or the gateway 1--1.
2 to the user LAN 1-4. When the destination terminal is connected to the wireless packet network, the data packet is transferred to the destination terminal without passing through the gateway. On the other hand, if the correspondence between the VLAN-ID and the source address is not registered in the terminal information, the filtering unit 16
Discards the data packet.

As described above, according to the present embodiment, the first
The following effects are further obtained in addition to the effects obtained from the embodiment. That is, by confirming the correspondence between the VLAN-ID and the source address, it is possible to prevent a terminal after authentication from accessing a data network for which connection is not permitted, and to allow other terminals to access other data from a terminal for which connection is permitted. Unauthorized access to the network can be prevented. Further, by registering a plurality of VLAN-IDs per wireless packet terminal, it is possible to access a plurality of data networks with one wireless packet terminal, and the serviceability to the user is improved.

[Third Embodiment] The third embodiment corresponds to the case where the packet transfer method according to the first, second, fourth, fifth and eighth aspects and the base station according to the eleventh and thirteenth aspects are applied. I have.

FIG. 8 schematically shows a network configuration of a packet network in the present embodiment. As in the first embodiment, the wireless packet network includes a plurality of wireless base stations 7-6.
And a wireless packet backbone network 7-5 connecting the plurality of wireless base stations 7-6. Each radio base station 7-6 has a plurality of radio packet terminals 7-
7 are accommodated. Wireless packet backbone network 7-5
Are connected to a plurality of user LANs 7-4 (other packet networks) via gateways 7-1 to 7-3. Here, the gateway 7-3 selects one of the user LANs 7-4 according to the VLAN-ID 4-3, deletes the VLAN-ID from the packet, and then selects the selected user LA 7-4.
Forward the packet to N. Further, the wireless packet backbone network 7-5 in the present embodiment has a plurality of relay nodes 7-9 that relay packets. Each relay node 7-9 has a destination address 4-1 and a VLA in the packet.
It has routing information using N-ID4-3,
An optimal route is selected according to the routing information and the packet is transferred. For example, when the relay node 7-9 receives a packet, the relay node 7-9 transmits the source address 4
The terminal address indicated by -2 and the port receiving the packet, and the VLAN-ID 4-3 in the received packet and the port receiving the packet are stored in association with each other.
Next, if the received packet is a unicast packet, the relay node 7-9 transmits the received packet to the port corresponding to the terminal address indicated by the destination address 4-1. In contrast, if the received packet is a broadcast packet or a multicast packet, relay node 7-9 sets V
The received packet is transmitted to all ports corresponding to LAN-ID 4-3. Here, the “port” is an interface for the relay node 7-9 to connect a communication path with a relay node or a wireless base station adjacent to itself. As the relay path 7-10, various types can be selected in the same manner as the relay path 1-10 shown in FIG. The wireless packet backbone network 7-5 is connected to the relay node 7
-9 is connected to the terminal authentication server 7-8.
The terminal authentication server 7-8 is the terminal authentication server 1 shown in FIG.
The terminal information table shown in Table 2 is stored similarly to -8, and terminal information is given to the radio base station 7-6 when the radio packet terminal 7-7 starts communication.

In this embodiment, the encryption key registered in the terminal information table is used for terminal authentication and encryption of a unicast packet, and this encryption key is hereinafter referred to as a "terminal key". The wireless packet network notifies each wireless packet terminal 7-7 of a terminal key in advance.

In addition to the above, the terminal authentication server 7-8 has VLAN information in a VLAN information table shown in Table 3.

[0052]

[Table 3]

This VLAN information table is composed of VLAN-
The correspondence between the ID and an encryption key (hereinafter, referred to as “VLAN key”) commonly used by all terminals having the same VLAN-ID is recorded. This VLAN key is used for encrypting broadcast packets and multicast packets. The wireless packet network is connected to each wireless packet terminal 7-.
7 is notified of the VLAN key in advance.

As in the first embodiment, a unique value is assigned to the VLAN-ID for each user LAN 7-4 in advance.

The wireless packet terminal 7-7 registers the VLAN-ID of the user LAN 7-4 to which the wireless packet terminal 7-7 belongs in advance in the terminal information table of the terminal authentication server 7-8.

As described in detail below, the radio base station 7-6
Is one of the VLAN-IDs of the user LANs 7-4 to which the wireless packet terminal is permitted to connect, among the packets received from the wireless packet terminal 7-7.
Only the packet whose ID 4-3 matches is transferred, and any V
Packets that do not match the LAN-ID are discarded.

The configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS. .

FIG. 9 shows a packet transfer procedure in this embodiment. As in the first embodiment, in the wireless base station 7-6, the terminal authentication unit 10 authenticates the wireless packet terminal 7-7 at the start of communication, and starts encrypted communication if the wireless packet terminal is a legitimate terminal. I do. In addition,
At the time of this authentication, the terminal authentication means 10 obtains the VLAN information together with the terminal information from the terminal authentication server 7-8 and stores it in the terminal information storage means 11. On the other hand, the wireless packet terminal 7
-7 selects a terminal key when transmitting a unicast packet, performs encryption, and transmits the encrypted data packet to the wireless base station 7-6 (8-1). On the other hand, when transmitting a broadcast packet or a multicast packet, the wireless packet terminal 7-7 performs encryption by selecting a VLAN key, and transmits the encrypted data packet to the wireless base station 7-6 (8-1). ). In response to these, the packet decoding means 13 of the radio base station 7-6
When a unicast packet is received, the terminal key is selected to decode the data packet, and when a broadcast packet or multicast packet is received, V
A LAN key is selected to decrypt the data packet. The packet tampering detection unit 14 checks whether the data packet decoded according to the tampering detection procedure shown in FIG. 4 has been tampered with, and discards the data packet if tampering is detected. On the other hand, if tampering of the data packet is not detected, the terminal address / VLAN-ID comparing means 15 sends the VLAN-ID 4-3 and the source address 4 in the same manner as in the second embodiment.
-2, and if these correspondences are already registered in the terminal information, the data packet is transferred to the destination terminal specified by the destination address (8-2). At this time, in the present embodiment, when the destination terminal is connected to the user LAN 7-4, each relay node 7-9 selects the next transmission port according to the destination address 4-1 in the data packet and performs gateway selection. Transfer the data packet to 7-3. The gateway 7-3 is a gateway 7 according to the VLAN-ID 4-3.
-1 or the gateway 7-2 is selected and the data packet is transferred to the user LAN 7-4. When the destination terminal is connected to the wireless packet network, each relay node 7-9 selects the next transmission port according to the destination address 4-1 and transfers the data packet to the destination terminal. Therefore, in this case, the data packet is transferred without passing through the gateway. On the other hand, when the correspondence between the VLAN-ID and the source address is not registered in the terminal information,
Filtering means 16 discards the data packet.

FIG. 10 shows a procedure for transferring a broadcast packet in this embodiment. When the data occurs, the transmission source terminal transmits a broadcast packet to the radio base station 7-6 (9-1). Radio base station 7-6
Then, the packet encryption unit 12 selects the VLAN key from the encryption keys obtained from the terminal authentication unit 10 (9-2), encrypts the broadcast packet (9-3), and sets all the packet terminals (in FIG. Wireless packet terminals # 1, #
Transmit the broadcast packet to 2) (9-
4). Each of the wireless packet terminals # 1 and # 2 selects a VLAN key as an encryption key (9-5) and decrypts the encrypted broadcast packet (9-6). As described above, in the present embodiment, since the VLAN key is used for encryption, a packet terminal having the same VLAN-ID can decode a broadcast packet and a multicast packet.

FIG. 11 shows how a broadcast packet is transferred in a network. As shown in the figure, when the radio packet terminal 7-7a (transmission terminal) belonging to the user LAN #A transmits a broadcast packet to the radio base station 7-6a, the packet is transmitted to the radio packet backbone network 7-5. You. The wireless packet backbone network 7-5 has a VLAN-ID 4-3.
, The broadcast packet is transferred from the relay node 7-9a to the gateway 7-3 and the relay node 7-9b. Here, the gateway 7-3 is a VLAN-ID
Referring to 4-3, the broadcast packet is transferred to the gateway 7-1 connected to the user LAN #A. On the other hand, the relay node 7-9b further transfers the broadcast packet to the relay node 7-9c, and
c is a wireless packet terminal 7- belonging to the user LAN #A.
7c transfers the broadcast packet to the connected wireless base station 7-6c.

As described above, the route is selected based on the routing information using the VLAN-ID, and the broadcast packet is transferred. Only the wireless packet terminal 7-7b belonging to the user LAN #B is connected to the wireless base station 7-6b, and the same VL as the VLAN-ID 4-3 is used.
The wireless packet terminal having the AN-ID is not subordinate. Therefore, the relay node 7-9b is
Do not forward broadcast packets to -6b.

In the above description, the packet transfer procedure based on the second embodiment has been described. However, the packet transfer procedure may be based on the first embodiment. In such a case, Table 1 is used instead of Table 2 as the terminal information table, and it is confirmed whether the correspondence between the VLAN-ID and the transmission source address has been registered in the terminal information (8-3 in FIG. 9). Instead, it is checked whether this correspondence matches the terminal information (5-3 in FIG. 6).

As described above, according to the present embodiment, the first to first embodiments
The following effects are obtained in addition to the effects of the second embodiment. That is, in the present embodiment, since the next relay node is selected according to the destination address and the packet is transferred, when a wireless packet terminal transfers a packet to another wireless packet terminal, an optimal route is established without passing through a gateway. Can be selected and transferred, and an increase in transfer delay time can be prevented.

When a broadcast packet or a multicast packet is transferred, the VLAN-ID
Therefore, there is no need to perform unicast transfer from the gateway to all wireless packet terminals communicating using the same VLAN-ID. Therefore, it is possible to transfer a packet by selecting an optimal route, and it is possible to prevent increases in transfer delay time, traffic, and processing load on the gateway.

Further, if the VLAN-ID is the same, the broadcast packet or the multicast packet is encrypted using the common encryption key. In contrast, a broadcast packet or a multicast packet can be transferred in one transmission. Therefore, the traffic, the transfer delay time, and the load on the base station can be suppressed as compared with the case where the packet encrypted using the encryption key of each wireless packet terminal is transmitted a plurality of times. Although the VLAN key is not a terminal-specific encryption key, since a packet terminal having a different VLAN-ID cannot be known, unauthorized access due to spoofing does not occur.

[Fourth Embodiment] The fourth embodiment corresponds to the case where the packet transfer method according to the first, second, fourth, fifth and ninth aspects and the base station according to the eleventh and fourteenth aspects are applied. I have.

The network configuration of the packet network in this embodiment is the same as that of the third embodiment shown in FIG.
Also, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS. .

As in the third embodiment, a unique value is assigned to the VLAN-ID in advance for each user LAN 7-4.

The wireless packet terminal 7-7 registers the VLAN-ID of the user LAN 7-4 to which the wireless packet terminal 7-7 belongs in advance in the terminal information table of the terminal authentication server 7-8.

As in the third embodiment, the radio base station 7-6
Is one of the VLAN-IDs of the user LANs 7-4 to which the wireless packet terminal is permitted to connect, among the packets received from the wireless packet terminal 7-7.
Only the packet whose ID 4-3 matches is transferred, and any V
Packets that do not match the LAN-ID are discarded.

The terminal authentication server 7-8 has the same VLAN information table as that of the third embodiment shown in Table 3, and the VLAN key is a wireless packet network used for encrypting broadcast packets and multicast packets. Also notifies each wireless packet terminal 7-7 of the VLAN key in advance, as in the third embodiment.

The terminal information table of this embodiment is the same as the terminal information table of the second embodiment shown in Table 2.
Encryption key (terminal key) registered in this terminal information table
Is used at the time of terminal authentication, at the time of encrypting a unicast packet, and at the time of encrypting a broadcast and multicast packet by a wireless packet terminal. The wireless packet network is connected to each wireless packet terminal 7-7.
Is notified of the terminal key in advance.

FIG. 12 shows a packet transfer procedure in this embodiment. In the wireless base station 7-6, as in the third embodiment, the terminal authentication unit 10 authenticates the wireless packet terminal 7-7 at the start of communication, and if the packet terminal is a legitimate terminal, performs encrypted communication. Start. Note that the terminal authentication means 10 obtains the VLAN information together with the terminal information from the terminal authentication server 7-8 at the time of this authentication as in the third embodiment. Next, different from the third embodiment, the wireless packet terminal 7-7 encrypts the data packet using the terminal key without distinction of the unicast packet / broadcast packet / multicast packet and transmits the encrypted data packet to the wireless base station 7-6. (11-1). In the radio base station 7-6, the packet decoding means 13 decodes the data packet using the terminal key without distinguishing the unicast packet / broadcast packet / multicast packet. The subsequent procedure is the same as in the third embodiment. The wireless base station 7-6 discards the received data packet if the data packet has been tampered with. If the received data packet has not been tampered with, the destination address if the correspondence between the VLAN-ID and the source address has been registered in the terminal information. The data packet is transferred to the destination terminal specified in 4-1 (11-2). At this time, the data packet is transferred as in the third embodiment. On the other hand, VLAN-ID
If the correspondence between the packet and the source address is not registered in the terminal information, the filtering unit 16 discards the data packet.

In this embodiment, a broadcast terminal and a multicast packet transmitted by the radio base station 7-6 are encrypted using a VLAN key as in the third embodiment, so that packet terminals having the same VLAN-ID are used. Is capable of decoding broadcast packets and multicast packets. On the other hand, the wireless packet terminal 7-
Since the terminal key is used for encrypting the broadcast packet and the multicast packet transmitted by the wireless base station 7, the wireless base station 7-6 switches between two types of encryption keys (terminal key and VLAN key) as in the third embodiment. There is no need to decrypt the encryption.

In this embodiment, the manner in which a broadcast packet is transferred over a packet network is the same as that of the third embodiment shown in FIGS. That is, when the wireless base station 7-6 transmits a broadcast or multicast packet, the packet is encrypted using the VLAN key.

Although the packet transfer procedure based on the second embodiment has been described in the above description, the packet transfer procedure may be based on the first embodiment. In that case, as described in the third embodiment, the terminal information table shown in Table 1 is used, and it is checked whether the correspondence between the VLAN-ID and the source address matches the terminal information.

As described above, according to the present embodiment, the third
As in the embodiment, when a wireless packet terminal transfers a packet to another wireless packet terminal, it is possible to select and transfer an optimal route without passing through a gateway, thereby preventing an increase in transfer delay time. can do.

In addition, in the present embodiment, when the wireless base station transfers a broadcast packet or a multicast packet, it encrypts the broadcast packet or the multicast packet using an encryption key common to the VLAN-ID. Therefore, the wireless base station can transfer a packet to all the wireless packet terminals under the control of the same VLAN-ID in one transmission. Therefore, the traffic, the transfer delay time, and the load on the base station can be suppressed, respectively, as compared with the case where the data is encrypted and transmitted a plurality of times using the encryption key of each wireless packet terminal.

When the radio packet terminal transfers a broadcast packet or a multicast packet,
It is encrypted using an encryption key for unicast packets. Therefore, when the wireless base station receives a packet from a wireless packet terminal, the wireless base station can decrypt the packet without switching the encryption key. The load on the wireless base station can be suppressed.

[Fifth Embodiment] This fifth embodiment corresponds to the case where the packet transfer method according to the first, second, fourth, fifth and tenth aspects and the base station according to the eleventh and fifteenth aspects are applied. I have.

The network configuration of the packet network in this embodiment is the same as the configuration of the third embodiment shown in FIG.
In addition, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS.

As in the third embodiment, a unique value is assigned to the VLAN-ID in advance for each user LAN 7-4.

The terminal authentication server 7-8 has a terminal information table and a VLAN information table as in the third embodiment.

As in the third embodiment, the radio base station 7-6
Is one of the VLAN-IDs of the user LANs 7-4 to which the wireless packet terminal is permitted to connect, among the packets received from the wireless packet terminal 7-7.
Only the packet whose ID 4-3 matches is transferred, and any V
Packets that do not match the LAN-ID are discarded.

In the present embodiment, the VLAN key is used when encrypting a packet. The wireless packet network notifies each wireless packet terminal 7-7 of the VLAN key in advance.

The terminal information table in the present embodiment is
This is the same as the terminal information table of the second embodiment shown in Table 2. Here, in the present embodiment, a VLAN key of the user LAN 7-4 to which each packet terminal belongs is used as an encryption key registered in the terminal information table.

FIG. 13 shows a packet transfer procedure in the present embodiment. As in the third embodiment, in the wireless base station 7-6, the terminal authentication unit 10 authenticates the wireless packet terminal 7-7 at the start of communication, and starts encrypted communication if the packet terminal is a legitimate terminal. Note that obtaining VLAN information together with terminal information from the terminal authentication server 7-8 at the time of this authentication is the same as in the third embodiment. Next, unlike the third embodiment and the fourth embodiment, the wireless packet terminal 7-7 encrypts the data packet using the VLAN key without distinguishing between the unicast packet / broadcast packet / multicast packet and performs the wireless base station. It transmits to 7-6 (12-1). Radio base station 7-6
Then, the packet decoding means 13 decodes the data packet using the VLAN key without distinguishing the unicast packet / broadcast packet / multicast packet. The subsequent procedure is the same as in the third embodiment. The radio base station 7-6 discards the received data packet if it has been tampered with. If the received data packet has not been tampered with, the destination address 4 if the correspondence between the VLAN-ID and the source address has been registered in the terminal information. Transfer the data packet to the destination terminal designated by -1 (12-
2). At this time, the data packet is transferred as in the third embodiment. On the other hand, when the correspondence between the VLAN-ID and the source address is not registered in the terminal information, the filtering unit 16 discards the data packet.

In the present embodiment, unlike the third embodiment, only the VLAN key is used for encryption and no terminal key is used. Can be decrypted. Further, since the wireless base station and the wireless packet terminal do not need to switch between two types of encryption keys to perform encryption and decryption, the load on the wireless base station and the wireless packet terminal can be suppressed.

In this embodiment, the manner in which the broadcast packet is transferred over the packet network is the same as that of the third embodiment shown in FIG. In the above description, the packet transfer procedure based on the second embodiment has been described. However, the packet transfer procedure may be based on the first embodiment. In that case, as described in the third embodiment, the terminal information table shown in Table 1 is used, and it is checked whether the correspondence between the VLAN-ID and the source address matches the terminal information.

As described above, according to the present embodiment, the third
As in the embodiment, when a wireless packet terminal transfers a packet to another wireless packet terminal, it is possible to select and transfer an optimal route without passing through a gateway, thereby preventing an increase in transfer delay time. can do.

In addition, in this embodiment, when a packet is transferred, encryption is performed using an encryption key common to the VLAN-ID.
The broadcast packet and the multicast packet can be transferred by one transmission to all the wireless packet terminals under the control. Therefore, the traffic, the transfer delay time, and the load on the base station can be suppressed, respectively, as compared with the case where the data is encrypted and transmitted a plurality of times using the encryption key of each wireless packet terminal.

Also, since the encryption key common to the VLAN-ID is used, the wireless base station and the wireless packet terminal can decrypt the packet when receiving the packet without switching the encryption key. Therefore, the load on the wireless base station and the wireless packet terminal can be reduced as compared with the case where two types of encryption keys are used. In addition, VLAN
The key is not a terminal-specific encryption key, but a different VLAN-I
Since the packet terminal having D cannot be known, unauthorized access due to spoofing does not occur.

[Sixth Embodiment] The sixth embodiment is directed to a packet transfer method according to the first, third, and fifth aspects and a first aspect.
This corresponds to the case where the base station described in No. 2 is applied. In the present embodiment, the VLAN-ID
Are dynamically assigned at the start of communication. The network configuration of the packet network, the configuration of the wireless base station, the alteration detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS. 1, 2, 4 and 5. Respectively equal.

In the present embodiment, a unique name (hereinafter, referred to as “user LAN name”) is assigned to each of the user LANs 1-4 in order to realize dynamic VLAN-ID assignment. For example, in FIG.
“User LAN #A” is assigned to A, and “User LAN #B” is assigned to LAN #B. Further, in this embodiment, the wireless base station 1-6 stores a VLAN-ID assignment management table shown in Table 4 in order to hold the correspondence between the user LAN name and the VLAN-ID.
Further, in the present embodiment, the terminal information table held by the terminal authentication server 1-8 is as shown in Table 5, and the VL
The difference from the first embodiment (Table 1) is that the user LAN name is used instead of the AN-ID.

[0095]

[Table 4]

[0096]

[Table 5]

In this embodiment, the authentication procedure of the wireless packet terminal shown in FIG. 14 is adopted by partially changing the authentication procedure shown in FIG. As shown in FIG. 14, when transmitting a communication start request signal to the wireless base station 1-6, the wireless packet terminal 1-7 transmits a communication start request signal to the wireless LAN terminal 1-6. LAN #
A ”) is transmitted (18-1). In the wireless base station 1-6, the terminal LAN
The name is stored internally. Next, as in the first embodiment, the radio base station 1-6 makes a request (2-2) to the terminal authentication server 1-8 to acquire terminal information (2-3) and stores it in the terminal information. The random number for terminal authentication is stored in the means 11, the random number for terminal authentication is encrypted, an authentication request signal is transmitted to the wireless packet terminal 1-7 (2-4), and an authentication response signal sent back by the wireless packet terminal 1-7 (2-5) Perform authentication based on

The authentication allows the wireless packet terminal 1-7
Is determined to be a legitimate terminal, the terminal authentication means 10 assigns a VLAN-ID to the user LAN name notified (18-1) from the wireless packet terminal 1-7 (18-
6). If, for example, the user LAN name notified from the wireless packet terminal 1-7 is “user LAN #A”, the terminal authentication unit 10 assigns, for example, “VLAN-ID #A” to this user LAN, and As shown in FIG. 4, “user LAN #A” and “VLAN-ID #A”
Is added to the VLAN-ID assignment management table. Next, the terminal authentication unit 10 notifies the wireless packet terminal 1-7 of the communication permission by using the authentication acceptance signal. Notify (18-7). The processing when the wireless packet terminal 1-7 is determined to be an unauthorized terminal is the same as in the first embodiment.

FIG. 15 shows a packet transfer procedure in this embodiment. First, in the present embodiment, the authentication procedure shown in FIG. 14 is executed as the authentication procedure (19-
1). Next, the wireless packet terminal 1-7 transmits the data packet to the wireless base station 1-6.
As the ID 4-3, the previously notified VLAN-ID (18-7 in FIG. 14) is used. Thereafter, similarly to the first embodiment, the transfer of the data packet to the destination terminal (5-
The process up to 2) is performed, but when it is checked whether the data packet has not been tampered with and the correspondence between the user LAN name and the source address matches the terminal information (19-2), the following process is performed. Do. That is, in the wireless base station 1-6, the terminal address / VLAN-ID comparing means 15 acquires the user LAN name corresponding to the source address 4-2 from the terminal information table shown in Table 5, and acquires the acquired user LA.
The VLAN-IDs corresponding to the N names are shown in Table 4 below.
VLAN searched by ID assignment management table
It is determined whether or not the ID matches the VLAN-ID 4-3 in the data packet. The filtering means 16 transfers the data packet to the destination terminal specified by the destination address 4-1 (5-2) based on the determination result if the two match, and if not, the data packet Discard. Thereafter, if the communication is completed between the wireless packet terminal 1-7 and the destination terminal, the wireless base station 1
In -6, the terminal authentication means 10 uses the VLAN-I shown in Table 4
The group of "user LAN #A" and "VLAN-ID #A" is deleted from the D allocation management table, thereby releasing the VLAN-ID assigned to the wireless packet terminal 1-7 (19-3).

As described above, in this embodiment, the VLAN-ID is dynamically assigned to the radio packet terminal 1-7, so that the limited VLAN-ID can be reused efficiently. More user LANs can be accommodated.

[Seventh Embodiment] The seventh embodiment is directed to a packet transfer method according to claims 1, 3 and 5, and claim 1.
This corresponds to the case where the base station described in No. 2 is applied. In the present embodiment, the VLAN-ID dynamic allocation described in the sixth embodiment is applied to the second embodiment. Accordingly, the network configuration of the packet network, the configuration of the radio base station, the falsification detection procedure of the data packet, and the signal format of the packet in the present embodiment are shown in FIGS.
5 is the same as that of the first embodiment shown in FIG.

In this embodiment, the terminal authentication server 1-8 stores a terminal information table shown in Table 6. In comparison with Table 5 (sixth embodiment), for one terminal address, a plurality of user LAN names that permit communication with the packet terminal having the terminal address are registered.

[0103]

[Table 6]

The authentication procedure of the wireless packet terminal in the present embodiment is as shown in FIG. The difference between the authentication procedure shown in FIG. 16 and FIG. 14 (sixth embodiment) is that when the wireless packet terminal 1-7 transmits a communication start request signal to the wireless base station 1-6, the user LAN name of the communication partner is (20-1) is notified to the wireless base station 1-6. Therefore, the authentication procedure performed thereafter is the same as in the sixth embodiment.

FIG. 17 shows a packet transfer procedure in this embodiment. In the present embodiment, first, the procedure shown in FIG. 16 is executed as an authentication procedure (21-1).
Next, the wireless packet terminal 1-7 transmits the data packet to the wireless base station 1-6, and at this time, the VLAN-ID4
As -3, the previously notified VLAN-ID (18-7 in FIG. 16) is used. Thereafter, the process up to the transfer of the data packet to the destination terminal (6-2) is performed in the same manner as in the second embodiment, but the data packet is not falsified,
When it is determined whether the correspondence between the user LAN name and the source address has been registered in the terminal information (21-2), the following process is performed. That is, in the wireless base station 1-6, the terminal address / VLAN-ID comparison unit 15 searches the VLAN-ID assignment management table shown in Table 4 for the user LAN name corresponding to the VLAN-ID 4-3 included in the received packet. Whether the set of the searched user LAN name and the source address 4-2 included in the received packet exists in a plurality of sets of the terminal address and the user LAN name in the terminal information table shown in Table 6. Is checked, and if this set does not exist in the terminal information table, it is determined that the correspondence is not registered in the terminal information. On the other hand, if this set exists in the terminal information table, the terminal address / VLAN-ID comparison unit 15 sends the VL assigned to the user LAN name
The AN-ID is obtained from the VLAN-ID assignment management table shown in Table 4, and it is checked whether or not the obtained VLAN-ID matches the VLAN-ID 4-3 in the packet. It is determined that the registration has been made, and if they do not match, it is determined that the above-mentioned correspondence has not been registered in the terminal information. If the correspondence is already registered in the terminal information based on the determination result, the filtering means 16 transfers the data packet to the destination terminal specified by the destination address 4-1 (6-2), and If not registered, the data packet is discarded. Thereafter, when the communication between the wireless packet terminal 1-7 and the destination terminal is completed, the terminal authentication unit 10 releases the VLAN-ID allocated to the wireless packet terminal 1-7, as in the sixth embodiment. (21-3).

[Eighth Embodiment] In the eighth embodiment, a packet transfer method according to the first, second, and fifth aspects and the first aspect are described.
This corresponds to the case where the base station described in No. 1 is applied. In the embodiments described so far, the MAC address is used as the terminal address.
VLAN-ID for user LAN using address
Had to be assigned. On the other hand, in the present embodiment, an IP address is used as the terminal address, and a unique network address is assigned to the user LAN in advance for each user LAN 1-4. As described above, the IP address has the configuration shown in FIG. 18, but in the present embodiment, the network address part included in this IP address is used instead of the VLAN-ID. That is, in this embodiment, the network address can be obtained by extracting the upper bits of the destination address 4-1 in the data packet. Therefore, the VLAN-ID 4-3 shown in FIG.
The signal format in the present embodiment is as shown in FIG.

The terminal information table in this embodiment is as shown in Table 7, and the VL used in Table 1 is
A network address is used instead of the AN-ID. Further, the wireless packet terminal 1-
Reference numeral 7 preliminarily registers the network addresses of the user LANs 1-4 to which the user belongs in the terminal authentication server 1-8. Note that the network configuration of the packet network, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, and the falsification detection procedure of the data packet in the present embodiment are the same as those in the first embodiment shown in FIGS. equal.

[0108]

[Table 7]

FIG. 20 shows a packet transfer procedure in the present embodiment, which is different from the packet transfer procedure shown in FIG. 6 (first embodiment) in the following points. That is, in the wireless base station 1-6, if the falsification of the received data packet (5-1) is not detected by the packet falsification detecting means 14, the terminal address / VLAN-ID comparing means 15 The network address part is extracted from the destination address 4-1 and the network address of the user LAN to which the wireless packet terminal 1-7 belongs is obtained from the terminal information table shown in Table 7 based on the source address 4-2, It is checked whether these two network addresses match (24-1). After that, the filtering means 16 based on the confirmation result sent,
If the two network addresses match, the data packet is transferred to the destination terminal specified by the destination address 4-1 as in the first embodiment (5-2). On the other hand, if the two network addresses do not match, the filtering unit 16 discards the data packet.

As described above, in this embodiment, there is no need to provide an extra field such as VLAN-ID in a data packet as in the first embodiment.

[Ninth Embodiment] The ninth embodiment is directed to a packet transfer method according to claims 1, 2 and 5, and claim 1.
This corresponds to the case where the base station described in No. 1 is applied. In the present embodiment, the use of the network address described in the eighth embodiment is applied to the second embodiment. Also in the present embodiment, each user L
A unique network address is assigned to the AN in advance. The terminal information table in the present embodiment is as shown in Table 8, and the VL used in Table 2 is used.
A network address is used instead of the AN-ID. The network configuration of the packet network, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in the present embodiment are shown in FIGS. 1 to 4 and FIG. Respectively.

[0112]

[Table 8]

FIG. 21 shows a packet transfer procedure according to the present embodiment, which differs from the packet transfer procedure shown in FIG. 7 (second embodiment) in the following points. That is, in the wireless base station 1-6, if the falsification of the received data packet (6-1) is not detected by the packet falsification detecting means 14, the terminal address / VLAN-ID comparing means 15 The network address part is extracted from the destination address 4-1. Based on the source address 4-2, all network addresses assigned to the user LAN to which the wireless packet terminal 1-7 is permitted to communicate are listed in Table 8. It is obtained from the indicated terminal information table.
Next, the terminal address / VLAN-ID comparison means 15
Checks whether the acquired network address matches the network address extracted from the destination address 4-1. The filtering means 16 determines the destination address 4-
The data packet is transferred to the destination terminal specified in 1 (6-
2) If there is no matching network, the data packet is discarded.

As described above, also in the present embodiment, the VLAN-ID is included in the data packet as in the first embodiment.
There is no need to provide an extra field such as

[Tenth Embodiment] The tenth embodiment corresponds to the case where the packet transfer method according to the first, second, fourth, fifth and eighth aspects and the base station according to the eleventh and thirteenth aspects are applied. I have. In the present embodiment, the use of the network address described in the eighth embodiment is applied to the third embodiment. Also in this embodiment, the user LAN 1-
4 is pre-assigned a unique network address to each user LAN. The network configuration of the packet network in this embodiment is the same as that in the third embodiment shown in FIG. The configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are shown in FIG.
To FIG. 4 and FIG. Further, the terminal authentication server 7-8 is provided with a VLAN information table shown in Table 9, and differs from Table 3 (the third embodiment) in that a network address is used instead of the VLAN-ID. I have. In this embodiment, as in the third embodiment, the wireless packet network notifies each wireless packet terminal 7-7 of the VLAN key in advance.

[0116]

[Table 9]

FIG. 22 shows a packet transfer procedure according to the present embodiment, which differs from the procedure of the third embodiment shown in FIG. 9 in the following points. First, if no falsification of the received data packet (8-1) is detected, the terminal address / VLAN-ID comparing unit 15 determines the destination address of the received data packet in the same manner as in the ninth embodiment.
It is confirmed whether or not the network address extracted from 1 is registered in the network addresses assigned to the plurality of user LANs 1-4 permitted to communicate with the wireless packet terminal 7-7 (26-1). ). Then, the filtering means 16 determines whether to transfer (8-2) or discard the packet according to the result of this confirmation.

Here, when transferring the data packet (8
When the destination terminal is connected to the user LAN 7-4, each relay node 7-9 selects the next transmission port in accordance with the destination address 4-1 in the data packet and performs the gateway 7-3. Transfer the data packet to The gateway 7-3 selects the gateway 7-1 or the gateway 7-2 according to the network address extracted from the destination address 4-1 and transmits the data packet to the user LA.
Transfer from N7-4 to the destination terminal. On the other hand, when the destination terminal is connected to the wireless packet network, similarly to the third embodiment, each relay node 7-9 selects the next transmission port according to the destination address 4-1 and sets the gateway as the gateway. The packet is forwarded to the destination terminal without intervention.

The transfer procedure of the broadcast packet in this embodiment is basically the same as that in the third embodiment (FIG. 10), and the route selection is performed using the network address extracted from the destination address instead of the VLAN-ID. What is done is different.

As described above, also in the present embodiment, the VLAN-ID is included in the data packet as in the first embodiment.
There is no need to provide an extra field such as In addition,
Here, the case where the use of the network address is applied to the third embodiment has been described.
The fifth embodiment differs from the fifth embodiment only in the use of the encryption key when transmitting a data packet from the wireless packet terminal 7-7 to the wireless base station 7-6. Therefore, these fourth to
Also in the fifth embodiment, a network address can be used instead of the VLAN-ID.

[Eleventh Embodiment] The eleventh embodiment corresponds to the case where the packet transfer method according to claims 1 and 6 is applied.

The configuration of the packet network, the configuration of the radio base station, the authentication procedure of the radio packet terminal and the falsification detection procedure of the data packet in this embodiment are the same as those of the first embodiment shown in FIGS.
Each is the same as in the case of the embodiment.

Table 10 shows a terminal information table according to the present embodiment, which comprises a terminal address and an encryption key as information necessary for terminal authentication.

[0124]

[Table 10]

Each of the gateways 1-1 and 1-2 connected to each user LAN 1-4 has the permitted address information in the permitted address table. Table 11 shows the permitted address table of the gateway 1-1.
Indicates an allowed address table of the gateway 1-2. The gateways 1-1 and 1-2 transfer only the data packets whose transmission source addresses 4-2 are registered in the permission address tables of the respective gateways to the user LAN 1-4.

[0126]

[Table 11]

[0127]

[Table 12]

The signal format of the packet of the wireless packet network in this embodiment is the same as that of FIG. 19 described in the eighth embodiment, and the destination address 4-1
And the source address 4-2 as header information, and the user data 4-4 is encrypted.

FIG. 23 shows a packet transfer procedure in the present embodiment. In the wireless base station 1-6, the terminal authentication unit 10 authenticates the wireless packet terminal 1-7 at the start of communication, and starts encrypted communication when the packet terminal is a legitimate terminal. At the time of this authentication, the terminal authentication means 10 obtains terminal information from the terminal authentication server 1-8.
Next, the wireless packet terminal 1-7 transmits the encrypted data packet to the wireless base station 1-6 (14-1). In the wireless base station 1-6, when the packet decoding means 13 decodes the data packet and the packet falsification detecting means 14 detects the falsification of the received data packet (14-1), the received data packet is discarded. The procedure so far is the same as in the first embodiment (FIG. 6). On the other hand, if tampering is not detected, the terminal address / VLAN-ID comparing unit 15 does not check the correspondence between the VLAN-ID and the source address as in the first embodiment, and filters the received data packet as it is. 16 and send it to
The filtering means 16 transfers the data packet to the destination terminal specified by the destination address 4-1 (14-
2). At this time, if the destination terminal is connected to the user LAN 1-4, the data packet is transferred from the gateway 1-3 to the user LAN 1-4 via the gateway 1-1 or the gateway 1-2. At this time, the selected gateway confirms the source address 4-2 in the data packet, and transfers the data packet to the user LAN 1-4 if the address has been registered in the permitted address table of the selected gateway. If not registered, the data packet is discarded. On the other hand, when the destination terminal is connected to the wireless packet network, the data packet is transferred to the destination terminal without passing through the gateway.

As described above, in the present embodiment, by performing terminal authentication at the start of communication, a wireless packet terminal can be specified, and illegal access from an unknown terminal or a terminal whose terminal address has been forged can be prevented. it can. Also,
By encrypting and transferring the packet, it is possible to prevent an unauthorized terminal from impersonating an authenticated authorized terminal and prevent unauthorized access by the impersonated terminal. Furthermore, by detecting tampering at the time of decryption of the encryption and discarding the packet, it is possible to prevent the transfer of the tampered packet, and to prevent communication interruption due to the tampered data and increase in traffic of the wireless packet network. In addition, the gateway permits the transfer of the packet according to the destination address and the source address, so that the authenticated packet terminal is able to communicate with the user LA whose communication is not permitted.
N can be prevented from accessing other users' LANs.
It is possible to prevent unauthorized access from terminals belonging to.

[Twelfth Embodiment] The twelfth embodiment corresponds to the case where the packet transfer method according to the first, seventh and eighth aspects is applied.

The configuration of the packet network in this embodiment is the same as the configuration of the third embodiment shown in FIG. In addition, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS.

As in the third embodiment, a unique value is assigned to the VLAN-ID in advance for each user LAN 7-4.

The terminal authentication server 7-8 has a terminal information table and a VLAN information table as in the third embodiment. The VLAN information table in the present embodiment is equal to the VLAN information table in the third embodiment shown in Table 3. In the present embodiment, a VLAN key is used for encrypting a broadcast packet and a multicast packet. The wireless packet network is connected to each wireless packet terminal 7.
-7 is notified of the VLAN key in advance.

The terminal information table in this embodiment is
This is the same as the information table in the eleventh embodiment shown in Table 10. The encryption key (terminal key) registered in the terminal information table is used for terminal authentication and encryption of a unicast packet. The wireless packet network notifies each wireless packet terminal 7-7 of a terminal key in advance.

The gateways 7-1 and 7-2 connected to the user LANs 7-4 have the permitted address information shown in Tables 11 and 12 in the same manner as the gateways 1-1 and 1-2 in the eleventh embodiment. Has in the allowed address table.

FIG. 24 shows a packet transfer procedure in this embodiment. As in the third embodiment, in the wireless base station 7-6, the terminal authentication unit 10 authenticates the wireless packet terminal 7-7 at the start of communication, and starts encrypted communication if the packet terminal is a legitimate terminal. At the time of this authentication, the terminal authentication means 10 makes the terminal authentication server 7-8.
The same as in the third embodiment, the VLAN information is obtained together with the terminal information from. Next, the wireless packet terminal 7-7 becomes the third
As in the embodiment, VLA is used as the encryption key corresponding to the packet.
The N key or the terminal key is selected, and the encrypted data packet is transmitted to the wireless base station 7-6 (15-1). The wireless base station 7-6 selects a decryption key corresponding to the packet and decrypts the data packet as in the third embodiment. Then, the packet tampering detection means 14 receives the received data packet (15-
If the falsification of 1) is detected, the received data packet is discarded. On the other hand, if tampering is not detected, the terminal address / VLAN-ID comparison unit 15 does not check the correspondence between the VLAN-ID and the source address as in the third embodiment, and the received data packet is directly filtered by the filtering unit. 16 and the filtering means 16 transmits the data packet to the wireless packet network for transfer to the destination terminal specified by the destination address 4-1 (15-
2). At this time, when the destination terminal is connected to the user LAN 7-4, each relay node 7-9 selects the next transmission port according to the destination address 4-1 in the data packet and sends the data to the gateway 7-3. Forward the packet. The gateway 7-3 selects the gateway 7-1 or the gateway 7-2 according to the network address extracted from the destination address 4-1 and transmits a data packet from the user LAN 7-4 connected to the selected gateway to the destination terminal. Transfer (15-3). At this time, the selected gateway confirms the source address 4-2 in the data packet, and if the address is registered in the permitted address table of the selected gateway, transfers the data packet to the user LAN 7-4. If not registered, the data packet is discarded. On the other hand, when the destination terminal is connected to the wireless packet network, as in the third embodiment, each relay node 7-9 selects the next transmission port according to the destination address 4-1 and sets the gateway as the gateway. The data packet is transferred to the destination terminal without any intervention.

The procedure for transferring a broadcast packet in this embodiment is the same as that in the third embodiment shown in FIG. In the present embodiment, since the VLAN key is used for the encryption, the packet terminal having the same VLAN-ID can decrypt the broadcast packet and the multicast packet as in the third embodiment.

In this embodiment, the manner in which the broadcast packet is transferred by the packet network is the same as that in the third embodiment shown in FIG.

As described above, according to the present embodiment, the first
The following effects are obtained in addition to the effects obtained by the embodiment. In other words, because the next relay node is selected according to the destination address and the packet is transferred, when a wireless packet terminal transfers a packet to another wireless packet terminal, the optimum route is selected and transferred without passing through a gateway. It is possible to prevent the transfer delay time from increasing. Also, when forwarding broadcast packets and multicast packets,
Since the next relay node is selected based on the VLAN-ID and the packet is transferred, the gateway does not need to perform unicast transfer to all wireless packet terminals communicating using the same VLAN-ID, and optimal route selection is performed. It is possible to prevent an increase in transfer delay time, traffic, and processing load on the gateway. When a broadcast packet or a multicast packet is transferred, since the encryption is performed using an encryption key common to the VLAN-ID, the wireless base station sends one packet to all subordinate wireless packet terminals having the same VLAN-ID. These packets can be transferred in each transmission. Therefore, compared with the case where the packet is encrypted using the encryption key of each wireless packet terminal and transmitted a plurality of times, traffic,
The transfer delay time and the load on the base station can be suppressed. Although the VLAN key is not a terminal-specific encryption key, since a packet terminal having a different VLAN-ID cannot be known, unauthorized access due to spoofing does not occur.

[Thirteenth Embodiment] The thirteenth embodiment corresponds to the case where the packet transfer method according to the first, seventh and ninth aspects is applied.

The configuration of the packet network in this embodiment is the same as the configuration of the third embodiment shown in FIG. In addition, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS.

As in the third embodiment, a unique value is assigned to the VLAN-ID for each user LAN in advance. The terminal authentication server 7-8 has a terminal information table and a VLAN information table as in the third embodiment.
The VLAN information table in the present embodiment is equal to the VLAN information table in the third embodiment shown in Table 3.

In this embodiment, the VLAN key is used when the radio base station 7-6 encrypts a broadcast packet and a multicast packet. The wireless packet network notifies each wireless packet terminal 7-7 of the VLAN key in advance.

The terminal information table of the present embodiment is the same as the terminal information table of the eleventh embodiment shown in Table 10. The encryption key (terminal key) registered in the terminal information table is used at the time of terminal authentication, at the time of encrypting a unicast packet, and at the time of encrypting a broadcast and multicast packet by the wireless packet terminal 7-7. The wireless packet network notifies each wireless packet terminal 7-7 of a terminal key in advance.

The gateways 7-1 and 7-2 have the permission address tables shown in Tables 11 and 12, respectively, similarly to the gateways 1-1 and 1-2 in the eleventh embodiment.

FIG. 25 shows a packet transfer procedure in this embodiment. As in the third embodiment, in the wireless base station 7-6, the terminal authentication unit 10 authenticates the wireless packet terminal 7-7 at the start of communication, and starts encrypted communication if the packet terminal is a legitimate terminal. At the time of this authentication, the terminal authentication means 10 makes the terminal authentication server 7-8.
The same as in the third embodiment, the VLAN information is obtained together with the terminal information from. Next, the wireless packet terminal 7-7 enters the fourth
As in the embodiment, the data packet is encrypted using the terminal key without distinction of the unicast packet / broadcast packet / multicast packet, and the radio base station 7-
6 (16-1). In the radio base station 7-6, the packet decoding means 13 decodes the data packet using the terminal key without distinguishing the unicast packet / broadcast packet / multicast packet. Thereafter, as in the twelfth embodiment, the wireless base station 7-6 discards the received data packet if the data packet has been tampered with.
The data packet is transferred to the destination terminal specified by the destination address 4-1 in the same manner as in the twelfth embodiment without confirming the correspondence between the ID and the source address (16-
3). That is, if the destination terminal is connected to the user LAN 7-4, the data packet is transmitted to each relay node 7-
9, the gateway 7-3, the gateway 7-1 or the gateway 7-2, and the user LAN 7-4. At this time, the gateway 7-1 or 7-2 transfers the data packet to the user LAN 7-4 if the source address 4-2 of the data packet (16-2) has been registered in the permission address table, and If so, the data packet is discarded. On the other hand, when the destination terminal is connected to the wireless packet network, the data packet is transferred to the destination terminal without passing through the gateway.

In this embodiment, the manner in which a packet network transfers a broadcast packet is the same as that in the third embodiment shown in FIG.

According to the present embodiment, the following effects can be obtained in addition to the effects obtained by the eleventh embodiment.
In other words, because the next relay node is selected according to the destination address and the packet is transferred, when a wireless packet terminal transfers a packet to another wireless packet terminal, the optimum route is selected and transferred without passing through a gateway. It is possible to prevent the transfer delay time from increasing. When transferring a broadcast packet and a multicast packet, the VLAN-ID
, The next relay node is selected and the packet is transferred, so that the gateway does not need to perform unicast transfer to all wireless packet terminals communicating using the same VLAN-ID, and transfers the packet by the optimal route selection. It is possible to prevent an increase in transfer delay time, traffic, and processing load on the gateway. Also, since a broadcast key and a multicast packet transmitted by the wireless base station are encrypted using a VLAN key, packet terminals having the same VLAN-ID can decrypt the encryption. When the wireless base station transfers a broadcast packet or a multicast packet,
Since the encryption is performed by using the encryption key common to the LAN-ID, the wireless base station can transfer these packets to all the wireless packet terminals under the same VLAN-ID in one transmission. Therefore, the traffic, the transfer delay time, and the load on the base station can be suppressed, respectively, as compared with the case where the data is encrypted and transmitted a plurality of times using the encryption key of each wireless packet terminal. Further, the wireless packet terminal uses a terminal key which is an encryption key for a unicast packet when encrypting a broadcast packet and a multicast packet to be transmitted. Therefore, unlike the twelfth embodiment and the like, the wireless base station can decrypt the encryption without switching between two types of encryption keys when receiving a packet. Therefore, the load on the wireless base station can be reduced as compared with the case where the broadcast packet and the multicast packet are encrypted using the encryption key and transmitted.

[Fourteenth Embodiment] The fourteenth embodiment corresponds to the case where the packet transfer method according to claims 1, 7 and 10 is applied.

The configuration of the packet network in this embodiment is the same as the configuration of the third embodiment shown in FIG. In addition, the configuration of the wireless base station, the authentication procedure of the wireless packet terminal, the falsification detection procedure of the data packet, and the signal format of the packet in this embodiment are the same as those in the first embodiment shown in FIGS.

As in the third embodiment, the VLAN-ID has a unique value assigned to each user LAN in advance. The terminal authentication server 7-8 has a terminal information table and a VLAN information table as in the third embodiment. The VLAN information table in the present embodiment is equal to the VLAN information table in the third embodiment shown in Table 3. In the present embodiment, as in the fifth embodiment, VL
The AN key is used when encrypting a packet. In addition, the wireless packet network provides VL to each wireless packet terminal 7-7.
The AN key is notified in advance.

The terminal information table of this embodiment is the same as the terminal information table of the eleventh embodiment shown in Table 10. As the encryption key registered in the terminal information table, the VLAN key of the user LAN 7-4 to which each terminal belongs is used.

The gateways 7-1 and 7-2 have permission address tables shown in Tables 11 and 12, respectively, similarly to the gateways 1-1 and 1-2 in the eleventh embodiment.

FIG. 26 shows a packet transfer procedure in this embodiment. As in the third embodiment, in the wireless base station 7-6, the terminal authentication unit 10 authenticates the wireless packet terminal 7-7 at the start of communication, and starts encrypted communication if the packet terminal is a legitimate terminal. At the time of this authentication, the terminal authentication means 10 makes the terminal authentication server 7-8.
The same as in the third embodiment, the VLAN information is obtained together with the terminal information from. Next, the wireless packet terminal 7-7 receives the fifth
VL without distinction of unicast packet / broadcast packet / multicast packet as in the embodiment
The data packet is encrypted using the AN key and transmitted to the wireless base station 7-6 (17-1). In the wireless base station 7-6, the packet decoding means 13 outputs the unicast packet /
The data packet is decrypted using the VLAN key without distinguishing the broadcast packet / multicast packet. Thereafter, as in the twelfth embodiment, the radio base station 7-6 discards the received data packet if the data packet has been tampered with, and if not, the radio base station 7-6
The destination address 4-1 is determined in the same manner as in the twelfth embodiment without confirming the correspondence between the LAN-ID and the source address.
The data packet is transferred to the destination terminal specified by (17-3). That is, the destination terminal is the user LAN 7-
4, the data packet is transferred to the destination terminal via each relay node 7-9, gateway 7-3, gateway 7-1 or gateway 7-2, and user LAN 7-4. At that time, the gateway 7-1 or 7
-2 is the source address 4 of the data packet (17-2)
If -2 is registered in the permission address table, the data packet is transferred to the user LAN 7-4, and if not registered, the data packet is discarded. On the other hand, when the destination terminal is connected to the wireless packet network, the data packet is transferred to the destination terminal without passing through the gateway.

In the present embodiment, the manner in which the broadcast packet is transferred by the packet network is described in FIG.
Equivalent to the embodiment.

As described above, according to the present embodiment, the first
The following effects are obtained in addition to the effects obtained by the embodiment. In other words, because the next relay node is selected according to the destination address and the packet is transferred, when a wireless packet terminal transfers a packet to another wireless packet terminal, the optimum route is selected and transferred without passing through a gateway. It is possible to prevent the transfer delay time from increasing. Also, when forwarding broadcast packets and multicast packets,
Since the next relay node is selected based on the VLAN-ID and the packet is transferred, the gateway does not need to perform unicast transfer to all wireless packet terminals communicating using the same VLAN-ID, and optimal route selection is performed. It is possible to prevent an increase in transfer delay time, traffic, and processing load on the gateway. Further, in the present embodiment, since only the VLAN key is used for the encryption and the terminal key is not used, the VLAN-
Packet terminals having the same ID can decrypt the encryption of broadcast and multicast packets.
Further, since the encryption key common to the VLAN-ID is used, the wireless base station and the wireless packet terminal do not need to switch between two types of encryption keys at the time of packet reception to perform encryption and decryption. Therefore, the load on the wireless base station and the wireless packet terminal can be reduced as compared with the case where two types of encryption keys are used. When transferring a packet, VL
Since the encryption is performed using the encryption key common to the AN-ID, the wireless base station can transfer these packets to all the subordinate wireless packet terminals having the same VLAN-ID in one transmission. Therefore, the traffic, the transfer delay time, and the load on the base station can be suppressed, respectively, as compared with the case where the data is encrypted and transmitted a plurality of times using the encryption key of each wireless packet terminal. Although the VLAN key is not a terminal-specific encryption key, since a packet terminal having a different VLAN-ID cannot be known, unauthorized access due to spoofing does not occur.

[Fifteenth Embodiment] In each of the embodiments described above, the case where the present invention is applied to a wireless packet network has been described. However, the present invention is not limited to the wireless packet network and may be applied to a wired packet network. FIG. 27 shows a network configuration in a case where the first embodiment is realized by a wired packet network. In the figure, a packet backbone network 27-5 having a function equivalent to that of the wireless packet backbone network 1-5 is used, except for the difference between wireless / wired, and the wireless base station 1-6.
Access server (wired connection device) with the same function as
27-6, and a packet terminal 27- having the same function as the wireless packet terminal 1-7 except for the difference between wireless / wired.
7 are provided. All other configurations are the same as in the first embodiment (FIG. 1). The packet transfer procedure according to the present embodiment is exactly the same as that of the first embodiment, except that all communications including between the access server 27-6 and the packet terminal 27-7 are performed by wire. Also,
When the network configuration shown in FIG. 8 is used, the wireless packet backbone network 7-5, the wireless base station 7-6, and the wireless packet terminal 7-7 are respectively connected to the packet backbone network 27-5, the access server 27-6, and the packet. Terminal 2
What is necessary is just to replace with 7-7. Therefore, the network configuration of the wired packet network can be applied to all the embodiments described above.

The embodiments described above are all illustrative of the present invention and not restrictive, and the present invention can be embodied in other various modifications and alterations. Therefore, the scope of the present invention is defined only by the appended claims and their equivalents.

For example, in each of the above embodiments, the radio base station (or access server) which is the entrance to the packet network
By performing terminal authentication, packet tampering detection, and the like, the most efficient transfer can be realized. However, depending on the configuration of the packet network, a control station or the like that controls the radio base station may be provided. In such a case, the control station may perform terminal authentication and packet falsification detection.

[0161]

As described above, according to the present invention,
By performing terminal authentication at the start of communication, a packet terminal can be specified, and an effect of preventing unauthorized access from an unknown terminal or a terminal whose terminal address has been forged can be obtained. Further, by encrypting and transferring the packet, it is possible to prevent an unauthorized terminal from impersonating an authenticated authorized terminal, and to obtain an effect of preventing unauthorized access by the impersonated terminal. Further, by detecting tampering at the time of decryption of the encryption and discarding the packet, it is possible to prevent the transfer of the tampered packet, and it is possible to obtain an effect of preventing communication interruption due to tampered data and an increase in traffic on the packet network.

Therefore, the problem of illegal access to a data network (user LAN) by falsifying a source address is solved, and a packet transfer method for permitting only a terminal registered in advance to communicate with a specific data network. Can be provided. Further, it is possible to solve the problem that the packet transfer delay time, the traffic, and the load on the gateway increase, and to provide an efficient packet transfer method capable of selecting an optimum route.

According to the second, third, eleventh, or twelfth aspect of the invention, by confirming the correspondence between the identifier or the user LAN name and the source address, the authenticated terminal is permitted to connect itself. Access to data networks that do not (or do not belong to)
The effect of preventing unauthorized access to a data network from a terminal permitted (or belonging) to a certain data network can be obtained. Furthermore, by registering a plurality of identifiers or user LAN names per packet terminal, it is possible to access a plurality of data networks with one packet terminal, and the effect of improving the serviceability to the user is obtained. .

According to the invention described in claim 4 or 7, since the next relay node is selected in accordance with the destination address and the packet is transferred, when the packet terminal transfers the packet to another packet terminal, the gateway is used. It is possible to select and transfer an optimum route without passing through the transfer path, and to obtain an effect of preventing an increase in transfer delay time. Also, when forwarding a broadcast packet and a multicast packet, since the next relay node is selected according to the identifier and the packet is forwarded, the gateway transmits a packet to all packet terminals communicating with the same identifier. No need to cast transfer. Therefore,
It is possible to transfer a packet by selecting an optimum route, and it is possible to obtain an effect of preventing an increase in transfer delay time, traffic, and processing load on the gateway.

According to the invention, the gateway permits the transfer of the packet in accordance with the destination address and the source address, so that the authenticated packet terminal can be connected to the user LAN to which the communication is not permitted. Access can be prevented, and an effect of preventing unauthorized access from a packet terminal belonging to another user LAN can be obtained.

According to the invention of claim 8 or 13, since the broadcast packet and the multicast packet are encrypted using the common encryption key if the identifier is the same, the base station has the same identifier. These packets can be transferred to all subordinate packet terminals in one transmission. Therefore, the effect of suppressing traffic, transfer delay time, and load on the base station can be obtained as compared with the case where the packet is encrypted using the encryption key of each packet terminal and transmitted a plurality of times.

According to the ninth or fourteenth aspect of the present invention, when the base station transfers the broadcast packet and the multicast packet, the base station encrypts the broadcast packet and the multicast packet using the encryption key common to the identifiers. Therefore, the base station can transfer these packets to all subordinate packet terminals having the same identifier in one transmission. Therefore, compared to the case where the packet is encrypted using the encryption key of each packet terminal and transmitted a plurality of times, the effect of suppressing the traffic, the transfer delay time, and the load on the base station can be obtained. Also,
When a packet terminal transfers a broadcast packet and a multicast packet, it encrypts the packet using an encryption key for a unicast packet. Therefore, when the base station receives the packet from the packet terminal, it can decrypt the packet without switching the encryption key, and the base station encrypts the packet using the encryption key for the broadcast packet and the multicast packet and transmits the packet. Thus, the effect of suppressing the load on the device can be obtained.

According to the tenth or fifteenth aspect of the present invention, when a packet is transferred, the packet is encrypted using a common encryption key for the identifier. , The broadcast packet and the multicast packet can be transferred by one transmission. Therefore, compared to the case where the packet is encrypted using the encryption key of each packet terminal and transmitted multiple times,
The effect of suppressing the traffic, the transfer delay time, and the load on the base station can be obtained. Further, since the common encryption key is used for the identifier, the base station and the packet terminal can decrypt the packet without switching the encryption key when receiving the packet. Therefore, the effect of suppressing the load on the base station and the packet terminal can be obtained as compared with the case where two types of encryption keys are used.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a network configuration of wireless packet communication according to a first embodiment of the present invention.

FIG. 2 is a block diagram illustrating a configuration of a wireless base station according to each embodiment of the present invention.

FIG. 3 is a diagram illustrating an authentication procedure of wireless packet communication according to the first embodiment of the present invention.

FIG. 4 is a diagram showing a procedure for detecting data packet tampering in the embodiment.

FIG. 5 is a diagram showing a signal format of a packet in the embodiment.

FIG. 6 is a diagram showing a packet transfer procedure in the embodiment.

FIG. 7 is a diagram illustrating a packet transfer procedure according to the second embodiment of the present invention.

FIG. 8 is a block diagram illustrating a network configuration of wireless packet communication according to a third embodiment of the present invention.

FIG. 9 is a diagram showing a packet transfer procedure in the embodiment.

FIG. 10 is a diagram showing a broadcast packet transfer procedure in the embodiment.

FIG. 11 is a diagram showing a state of transfer of a broadcast packet in the embodiment.

FIG. 12 is a diagram illustrating a packet transfer procedure according to a fourth embodiment of the present invention.

FIG. 13 is a diagram illustrating a packet transfer procedure according to the fifth embodiment of the present invention.

FIG. 14 is a diagram illustrating an authentication procedure of wireless packet communication according to a sixth embodiment of the present invention.

FIG. 15 is a diagram showing a packet transfer procedure in the embodiment.

FIG. 16 is a diagram illustrating an authentication procedure of wireless packet communication according to a seventh embodiment of the present invention.

FIG. 17 is a diagram showing a packet transfer procedure in the embodiment.

FIG. 18 is a diagram showing a configuration of an IP address.

FIG. 19 is a diagram illustrating a signal format of a packet according to the eighth embodiment of the present invention.

FIG. 20 is a diagram showing a packet transfer procedure in the embodiment.

FIG. 21 is a diagram illustrating a packet transfer procedure according to a ninth embodiment of the present invention.

FIG. 22 is a diagram illustrating a packet transfer procedure according to the tenth embodiment of the present invention.

FIG. 23 is a diagram showing a packet transfer procedure in the eleventh embodiment of the present invention.

FIG. 24 is a diagram showing a packet transfer procedure in the twelfth embodiment of the present invention.

FIG. 25 is a diagram showing a packet transfer procedure in the thirteenth embodiment of the present invention.

FIG. 26 is a diagram illustrating a packet transfer procedure in a fourteenth embodiment of the present invention.

FIG. 27 is a block diagram illustrating a network configuration of wired packet communication according to a fifteenth embodiment of the present invention.

[Explanation of symbols]

1-1, 1-2, 1-3, 7-1, 7-2, 7-3 Gateway 1-4, 7-4 User LAN 1-5, 7-5 Wireless packet backbone network 1-6, 7- 6, 7-6a to 7-6c Wireless base station 1-7, 7-7, 7-7a to 7-7c Wireless packet terminal 1-8, 7-8 Terminal authentication server 1-10, 7-10 Relay path 4 -1 Destination address 4-2 Source address 4-3 VLAN-ID 4-4 User data 7-9, 7-9a to 7-9c Relay node 10 Terminal authentication means 11 Terminal information storage means 12 Packet encryption means 13 Packet Decoding means 14 Packet falsification detecting means 15 Terminal address / VLAN-ID comparing means 16 Filtering means 27-5 Packet backbone network 27-6 Access server (wired connection device) 27-7 Packet terminal

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor Hitoshi Takanashi 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo Nippon Telegraph and Telephone Corporation (72) Inventor Masahiro Morikura 3-19 Nishishinjuku, Shinjuku-ku, Tokyo No. 2 Inside Nippon Telegraph and Telephone Corporation

Claims (15)

(57) [Claims] 1. A packet network comprising a base station and a packet backbone network connecting the base station, wherein the base station accommodates a plurality of packet terminals under its control, and the packet backbone network further comprises a plurality of packet terminals. Packet communication using a network connected to a user LAN which is another packet network, wherein each of the packet terminals has a unique terminal address, and a destination address which is the terminal address of the destination terminal and its own terminal address. A packet transfer method in which a packet to which a certain source address is added is transmitted, and the network transfers the packet using the destination address, wherein the packet network is configured such that the packet terminal is connected to the base station via the base station. When starting communication, the terminal of the packet terminal is authenticated. Encrypts data to be transmitted, transmits a packet in which an identifier assigned to the user LAN to which the destination terminal belongs, the destination address, and the source address are assigned to the encrypted data, and transmits the packet to the packet network; The network receives the packet, decrypts the encrypted data included in the received packet, and if the received packet has not been tampered with, based on the source address and the identifier included in the received packet, Transferring the received packet to the user LAN only when the packet terminal is permitted to communicate with the user LAN having the identifier, and discarding the received packet when the communication is not permitted; A packet transfer method characterized by the above-mentioned. 2. A packet network comprising a base station and a packet backbone network connecting the base station, wherein the base station accommodates a plurality of packet terminals under its control, and the packet backbone network further comprises a plurality of packet terminals. Packet communication using a network connected to a user LAN which is another packet network, wherein each of the packet terminals has a unique terminal address, and a destination address which is the terminal address of the destination terminal and its own terminal address. A packet transfer method in which a packet to which a certain source address is assigned is transmitted, and the network transfers the packet using the destination address, wherein an identifier for identifying the user LAN is assigned to each user LA.
N, and the packet network stores terminal information in which the identifiers respectively assigned to the terminal addresses and one or more user LANs permitted to communicate are associated with information necessary for terminal authentication. When the packet terminal starts communication via the base station, the packet network performs terminal authentication of the packet terminal using the information, and if the packet terminal is a legitimate terminal, If the communication permission is notified, the packet terminal selects one of the user LANs for communication from one or more of the user LANs and, if notified of the communication permission, transmits the packet. The data to be encrypted is encrypted, and the identifier, the destination address, and the source address assigned to the selected user LAN are added to the encrypted data. The packet network receives the packet, determines whether there is tampering at the time of decrypting the encrypted data included in the received packet, and determines whether the tampering has been detected if the tampering is detected. If the packet is discarded and not falsified, it is checked whether or not the correspondence between the source address and the identifier included in the received packet is registered in the terminal information, and the correspondence is already registered. A method of transferring the received packet to the destination address in a case, and discarding the received packet if the correspondence is not registered. 3. A packet network comprising a base station and a packet backbone network connecting the base station, wherein the base station accommodates a plurality of packet terminals under its control, and the packet backbone network further comprises a plurality of packet terminals. Packet communication using a network connected to a user LAN which is another packet network, wherein each of the packet terminals has a unique terminal address, and a destination address which is the terminal address of the destination terminal and its own terminal address. A packet transfer method in which a packet to which a certain source address is assigned is transmitted, and the network transfers the packet using the destination address, wherein a unique user LAN name is previously assigned to each user LAN. The packet network may include one or more users allowed to communicate with the terminal address. Terminal information in which the user LAN name assigned to each of the LANs and information necessary for terminal authentication are stored in advance, and when the packet terminal starts communication via the base station, one or more Selecting one of the user LANs for communication from the user LAN, notifying the user network name assigned to the selected user LAN to the packet network, the packet network using the information to Terminal authentication of the terminal is performed, and if the packet terminal is a legitimate terminal, the user L notified from the packet terminal
An identifier for identifying the user LAN is assigned to the AN name to notify the packet terminal, and the packet terminal encrypts data to be transmitted,
A packet in which the identifier assigned to the selected user LAN, the destination address, and the source address are added to the encrypted data is transmitted to the packet network, and the packet network receives the packet and receives the received packet. Judge the presence or absence of tampering at the time of decryption of the encrypted data included in the received data, discard the received packet if tampering is detected, and assign the identifier included in the received packet if not tampered Check whether the correspondence between the LAN name and the source address included in the received packet is registered in the terminal information, and if the correspondence is already registered, transfer the received packet to the destination address; If the correspondence is not registered, the received packet is discarded, and the packet network thereafter terminates the communication by the packet terminal. Packet transfer method which is characterized in that so as to release the identifier during assigned to the user LAN name. 4. The packet backbone network has a plurality of relay nodes for relaying the packet, each of which uses a network having a function of selecting a route for transferring the received packet to the destination address. The packet network, wherein the packet network uses the destination address and the identifier in the received packet as routing information for the route selection, and when transferring a unicast packet, the destination terminal If connected to a packet network, the packet is transferred to the destination terminal while sequentially selecting the relay node according to the destination address, and if the destination terminal is not connected to the packet network, the identifier is Corresponding to the user LAN while sequentially selecting the relay nodes in response to the packet.
When transferring a broadcast packet and a multicast packet, the relay node is sequentially selected using the identifier, and the packet is sequentially transferred to the relay node. The packet terminal and the user LAN specified by the identifier
3. The packet transfer method according to claim 2, wherein the packet is transferred to the network. 5. A packet transfer method using a network in which a gateway is connected between the packet backbone network and the plurality of user LANs, wherein the transfer of the received packet to the destination address via the user LAN is performed. , The gateway according to the identifier included in the received packet, the user LAN
5. The packet transfer method according to claim 2, wherein the received packet is transferred to the selected user LAN. 6. A packet network comprising a base station and a packet backbone network connecting the base station, wherein the base station accommodates a plurality of packet terminals under its control, and the packet backbone network further comprises a plurality of packet terminals. Packet communication using a network connected to a user LAN which is another packet network via a gateway, wherein each of the packet terminals has a unique terminal address and a destination address which is the terminal address of the destination terminal. A packet transfer method for transmitting a packet to which a source address which is a terminal address of the network is transmitted, and the network transfers the packet using the destination address, wherein the packet network includes the terminal address and terminal authentication. Terminal information in which information necessary for the gateway is stored in advance, and the gateway The said packet network user LA
N stores a terminal address of a transmission source that permits transfer of a packet between N in advance. The packet network uses the information when the packet terminal starts communication via the base station. The terminal performs terminal authentication, and if the packet terminal is a legitimate terminal, notifies the packet terminal of communication permission.If the communication permission is notified, the packet terminal encrypts data to be transmitted. Transmitting the packet with the destination address and the source address to the packet network. The packet network receives the packet and determines whether there is tampering at the time of decrypting the encrypted data included in the received packet. If the alteration is detected, the received packet is discarded. If the alteration is not altered, the received packet is transferred to the gateway. The gateway transmits the transfer packet to the user LAN if transfer to the source address included in the packet transferred from the packet network is permitted.
The packet is transferred to the destination address, and if the transfer is not permitted, the transfer packet is discarded. 7. A packet using a network, wherein the packet backbone network has a plurality of relay nodes for relaying the packet, and each of the relay nodes has a route selection function for transferring the packet to the destination address. A transfer method, wherein an identifier for identifying the user LAN is assigned to each user LA.
N, and when transmitting the packet to the packet network, the packet terminal selects one user LAN to be connected from among the plurality of user LANs, and selects the selected user LA.
The packet network further adds an identifier of N to the packet and transmits the packet. The packet network uses the destination address and the identifier included in the packet transmitted as routing information for the route selection, and transmits a unicast packet. When transferring, if the destination terminal is connected to the packet network, the packet is transferred to the destination terminal while sequentially selecting the relay nodes according to the destination address, and the destination terminal is connected to the packet network. If the connection is not established, the packet is transferred to the gateway while sequentially selecting the relay nodes according to the identifier, and when the broadcast packet and the multicast packet are transferred, the relay nodes are sequentially selected using the identifier. Then, the packet is sequentially transferred to the relay node, and transmitted using the same identifier. All of the packet terminal and a packet transfer method according to claim 6, wherein the forwarding to said gateway specified by said identifier in. 8. When the unicast packet is transferred during the encryption and the decryption, an encryption key assigned to each packet terminal is used, and when the broadcast packet or the multicast packet is transferred, 8. The packet transfer method according to claim 4, wherein an encryption key assigned to each of the identifiers is used. 9. An encryption key assigned to each packet terminal when the unicast packet is transferred and when the packet terminal transmits the broadcast packet or the multicast packet during the encryption and the decryption. 8. The packet transfer method according to claim 4, wherein when the base station transmits the broadcast packet or the multicast packet, an encryption key assigned to each of the identifiers is used. 10. The packet transfer method according to claim 4, wherein an encryption key assigned to each of the identifiers is used as the encryption key during the encryption and the decryption. 11. A base station connected to a packet backbone network to which a plurality of user LANs as other packet networks are connected and accommodating a plurality of packet terminals under its control, wherein a unique number assigned to each of the packet terminals is provided. Terminal information storage means for storing information necessary for terminal authentication in association with terminal addresses of the packet terminals, identifiers respectively assigned to one or more user LANs to which the packet terminal is allowed to communicate, and the packet terminal A terminal authentication unit for performing terminal authentication using the information in response to a communication start request from the terminal, and notifying the packet terminal of an authentication result; and a packet exchanged between the packet backbone network and the packet terminal. Packet encrypting means for encrypting and transmitting the data portion using the information, and a destination which is the terminal address of the destination terminal Packet decoding means for receiving, from the packet terminal, a packet in which an address, a source address as a terminal address of the packet terminal, and an identifier assigned to the user LAN are added to the encrypted data, and decrypting the encrypted data; Packet alteration detecting means for detecting alteration from the decrypted data and discarding the packet; and a set of the source address and the identifier included in the packet are stored in the terminal information storage means. Comparing means for confirming whether or not the packet is registered in the set of the terminal address and the identifier, and, based on a confirmation result by the comparing means, the packet is transmitted to the destination address on condition that the registration is performed. Filtering means for transferring and discarding the packet on condition that there is no registration. Base station that features. 12. A base station connected to a packet backbone network to which a plurality of user LANs as other packet networks are connected and accommodating a plurality of packet terminals under its control, wherein a unique number assigned to each packet terminal is provided. Terminal information storage means for storing information necessary for terminal authentication in association with one or more terminal addresses, user LAN names respectively assigned to one or more user LANs to which the packet terminal is permitted to communicate, Performs terminal authentication using the information in response to a communication start request from the packet terminal, notifies the packet terminal of the authentication result, and, for a legitimate packet terminal, transmits the packet along with the communication start request. An identifier for identifying the user LAN is assigned to the user LAN name notified from the terminal, and the notification is performed. Terminal authentication means for releasing the identifier assigned to the user LAN name on condition that the communication has been completed; and encrypting a data part in a packet exchanged between the packet backbone network and the packet terminal using the information. Packet encryption means for encrypting and transmitting, from the packet terminal, a packet in which the destination address which is the terminal address of the destination terminal, the source address which is the terminal address of the packet terminal, and the identifier are added to the encrypted data. Packet decryption means for decrypting the encrypted data, packet falsification detection means for detecting tampering from the decrypted data and discarding the packet, and user LAN to which an identifier included in the received packet is assigned A set of a name and a source address included in the received packet is stored in the terminal information storage. Comparing means for checking whether or not the user LAN name and the terminal address are stored in the set of the user LAN name stored in a row, based on a result of the check by the comparing means, on condition that the registration exists. A base station comprising: a filtering unit that transfers the packet to a destination address and discards the packet on condition that there is no registration. 13. The packet encrypting means, if the packet to be transmitted is a unicast packet, encrypts the packet using an encryption key assigned to each packet terminal, and if the packet to be transmitted is a broadcast packet or a multicast packet. If the received packet is a unicast packet, the packet decryption unit decrypts the packet using the encryption key allocated to each packet terminal. 12. The base station according to claim 11, wherein if the received packet is a broadcast packet or a multicast packet, the packet is decrypted using an encryption key assigned to each of the identifiers. 14. The packet encrypting means, if the packet to be transmitted is a unicast packet, encrypts the packet using an encryption key assigned to each packet terminal, and if the packet to be transmitted is a broadcast packet or a multicast packet. 12. The method according to claim 11, wherein the encryption is performed using an encryption key assigned to each of the identifiers, and the packet decryption unit decrypts the data using an encryption key assigned to each of the packet terminals. base station. 15. The packet encryption unit encrypts a data portion of a packet to be transmitted using an encryption key assigned to each of the identifiers, and the packet decryption unit encrypts a data portion of the packet to be assigned to each of the identifiers. 12. The base station according to claim 11, wherein a data part of the received packet is decoded by using the base station.