Firewall apparatus

US 7,392,538 B2
Filed: 07/19/2002
Issued: 06/24/2008
Est. Priority Date: 10/04/2001
Status: Active Grant

First Claim

Patent Images

1. An in-home network system including a firewall and an information apparatus,wherein the firewall comprises:

first communication means connected to a first network for transmitting and receiving data through the first network by use of an IPv6 protocol;

means for acquiring a first network identifier of the first network, wherein the first network identifier of the first network is included in an IPv6 address, the IPv6 address having 128 bits and the first network identifier being included as a first 64 bit prefix in the IPv6 address;

second communication means connected to a second network for transmitting and receiving data through the second network by use of the IPv6 protocol;

means for acquiring a second network identifier of the second network, wherein the second network identifier of the second network is included in an IPv6 address, the IPv6 address having 128 bits and the second network identifier being included as a second 64 bit prefix in the IPv6 address;

IPv6 address converting means by which a portion of a destination IPv6 address of a first message received from an apparatus connected to the first network and corresponding to the first network identifier is converted to the second network identifier, and by which a portion of a source IPv6 address of a second message received from an information apparatus connected to the second network and corresponding to the second network identifier is converted to the first network identifier, whereby communication can occur between the apparatus connected to the first network and the information apparatus connected to the second network; and

an IPv6 address generation processing module configured to generate a first registration IPv6 address based on the second network identifier and an apparatus identifier of the information apparatus, wherein the first registration IPv6 address is registered by the firewall; and

wherein the information apparatus includes;

communication means for transmitting and receiving data to and from the firewall by use of the IPv6 protocol;

means for acquiring the second network identifier of the second network;

means for generating a second registration IPv6 address based on the second network identifier and the apparatus identifier of the information apparatus, wherein the second registration IPv6 address is registered by the firewall;

communication means for transmitting the second registration IPv6 address thus generated to the firewall;

communication means for transmitting and receiving data to and from the apparatus connected to the first network through the firewall by use of the IPv6 protocol;

means for extracting the portion corresponding to the first network identifier of the source IPv6 address of the first message received from the firewall, the message originating from the apparatus connected to the first network; and

means for deciding that the first message received is acceptable if the extracted network identifier matches the second network identifier of an IPv6 address of the information apparatus, wherein the extracted network identifier corresponds to the first 64 bit prefix of the IPv6 address of the apparatus connected to the first network and the second network identifier corresponds to the second 64 bit prefix of the IPv6 address of the information apparatus.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Communication using IPv6 is carried out, and conversion is given to a prefix of an IPv6 address in a firewall. A security channel for mutual authentication with an out-of-home apparatus or the like is carried out by the firewall, and only identification of an in-home apparatus is carried out on an in-home network by the firewall. A PC is connected to a PC in-home network different from the in-home network, and communication between the PC and the in-home apparatus is always carried out via the firewall.

20 Citations

View as Search Results

5 Claims

1. An in-home network system including a firewall and an information apparatus,wherein the firewall comprises:
- first communication means connected to a first network for transmitting and receiving data through the first network by use of an IPv6 protocol;
  
  means for acquiring a first network identifier of the first network, wherein the first network identifier of the first network is included in an IPv6 address, the IPv6 address having 128 bits and the first network identifier being included as a first 64 bit prefix in the IPv6 address;
  
  second communication means connected to a second network for transmitting and receiving data through the second network by use of the IPv6 protocol;
  
  means for acquiring a second network identifier of the second network, wherein the second network identifier of the second network is included in an IPv6 address, the IPv6 address having 128 bits and the second network identifier being included as a second 64 bit prefix in the IPv6 address;
  
  IPv6 address converting means by which a portion of a destination IPv6 address of a first message received from an apparatus connected to the first network and corresponding to the first network identifier is converted to the second network identifier, and by which a portion of a source IPv6 address of a second message received from an information apparatus connected to the second network and corresponding to the second network identifier is converted to the first network identifier, whereby communication can occur between the apparatus connected to the first network and the information apparatus connected to the second network; and
  
  an IPv6 address generation processing module configured to generate a first registration IPv6 address based on the second network identifier and an apparatus identifier of the information apparatus, wherein the first registration IPv6 address is registered by the firewall; and
  
  wherein the information apparatus includes;
  
  communication means for transmitting and receiving data to and from the firewall by use of the IPv6 protocol;
  
  means for acquiring the second network identifier of the second network;
  
  means for generating a second registration IPv6 address based on the second network identifier and the apparatus identifier of the information apparatus, wherein the second registration IPv6 address is registered by the firewall;
  
  communication means for transmitting the second registration IPv6 address thus generated to the firewall;
  
  communication means for transmitting and receiving data to and from the apparatus connected to the first network through the firewall by use of the IPv6 protocol;
  
  means for extracting the portion corresponding to the first network identifier of the source IPv6 address of the first message received from the firewall, the message originating from the apparatus connected to the first network; and
  
  means for deciding that the first message received is acceptable if the extracted network identifier matches the second network identifier of an IPv6 address of the information apparatus, wherein the extracted network identifier corresponds to the first 64 bit prefix of the IPv6 address of the apparatus connected to the first network and the second network identifier corresponds to the second 64 bit prefix of the IPv6 address of the information apparatus.
- View Dependent Claims (4, 5)
- - 4. An in-home network system as claimed in claim 1, further comprising:
    - a database module configured to store and register a plurality of registration IPv6 addresses including the first registration address and the second registration IPv6 address.
  - 5. An in-home network system as claimed in claim 4, further comprising:
    - a network defense processing module configured to confirm whether the message sent from the apparatus connected to the first network is secure and to determine, by referencing the database module and comparing registration IPv6 addresses including the first and second registration IPv6 addresses, whether the apparatus connected to the first network has authority to perform processing on the information apparatus connected to the second network.

2. A communication method for an in-home network system comprising:
- transmitting, from a first apparatus connected to a first network, a first processing request message to a firewall through the first network, the first processing request message including a first IPv6 address of the first apparatus as a source and a second IPv6 address as a destination;
  
  converting, by the firewall, a portion of the first IPv6 address to a portion of the second IPv6 address, whereby communication can occur between the first apparatus connected to the first network and a second apparatus connected to a second network;
  
  generating, by the firewall, a first registration IPv6 address based at least in part on a first network identifier of the second network and an apparatus identifier of the second apparatus, wherein the first network identifier of the second network is included in the first registration IPv6 address, the first registration IPv6 address having 128 bits and the first network identifier being included as a first 64 bit prefix in the first registration IPv6 address;
  
  generating, by the second apparatus, a second registration IPv6 address based at least in part on the first network identifier of the second network and the apparatus identifier of the second apparatus, wherein the first network identifier of the second network is included in the second registration IPv6 address, the second registration IPv6 address having 128 bits and the first network identifier being included as a second 64 bit prefix in the second registration IPv6 address;
  
  storing at least the first and second registration IPv6 addresses in a database module;
  
  confirming, by the firewall, whether processing content contained in the first processing request message is secure;
  
  determining, by the firewall referencing the database module and comparing registration IPv6 addresses including the first and second registration IPv6 addresses, whether the first apparatus has authority to perform processing on the second apparatus;
  
  transmitting, by the firewall, a second processing request message to the second apparatus through the second network, the second processing request message including the first IPv6 address of the first apparatus as a source and the second IPv6 address as a destination;
  
  extracting, by the second apparatus, from the second processing request message received from the firewall, a portion corresponding to the first network identifier of the first IPv6 address as a source of the processing request message, and determining if the processing request message received is acceptable if the extracted network identifier matches the second network identifier of an IPv6 address of the second apparatus, wherein the extracted network identifier corresponds to the first 64 bit prefix of the IPv6 address of the first apparatus and the second network identifier corresponds to the second 64 bit prefix of the IPv6 address of the second apparatus;
  
  performing, by the second apparatus, an operation corresponding to the second apparatus;
  
  transmitting, by the second apparatus, a reply message to the firewall through the second network in response to the second processing request message, the reply message including the second IPv6 address as a source and the first IPv6 address of the first apparatus as a destination;
  
  confirming, by the firewall, whether information contained in the reply message is secure;
  
  converting, by the firewall, the source of the reply message from the second IPv6 address to the first IPv6 address whereby as a result, communication can occur between the second apparatus connected to the second network and the first apparatus connected to the first network; and
  
  transmitting, by the firewall, the reply message thus converted to the first apparatus through the first network, the converted reply message including the second IPv6 address as a source and the first IPv6 address of the first apparatus as a destination.
- View Dependent Claims (3)
- - 3. A communication method as in claim 2 wherein:
    - communication between the first apparatus and the firewall is secured using one of a cipher communication function and an authentication function; and
      
      communication between the second apparatus and the firewall is not secured.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Maxell, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Oeda, Shigeto, Ito, Hiromichi, Okamoto, Chikashi
Primary Examiner(s)
Revak; Christopher
Assistant Examiner(s)
Avery; Jeremiah

Application Number

US10/198,978
Publication Number

US 20030070095A1
Time in Patent Office

2,167 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/029 Firewall traversal, e.g. tu...

H04L 63/0869 for achieving mutual authen...

Firewall apparatus

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall apparatus

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links