Firewall apparatus
First Claim
1. An in-home network system including a firewall and an information apparatus, wherein the firewall comprises:
first communication means connected to a first network for transmitting and receiving data through the first network by use of an IPv6 protocol;
means for acquiring a first network identifier of the first network, wherein the first network identifier of the first network is included in an IPv6 address, the IPv6 address having 128 bits and the first network identifier being included as a first 64 bit prefix in the IPv6 address;
second communication means connected to a second network for transmitting and receiving data through the second network by use of the IPv6 protocol;
means for acquiring a second network identifier of the second network, wherein the second network identifier of the second network is included in an IPv6 address, the IPv6 address having 128 bits and the second network identifier being included as a second 64 bit prefix in the IPv6 address;
IPv6 address converting means by which a portion of a destination IPv6 address of a first message received from an apparatus connected to the first network and corresponding to the first network identifier is converted to the second network identifier, and by which a portion of a source IPv6 address of a second message received from an information apparatus connected to the second network and corresponding to the second network identifier is converted to the first network identifier, whereby communication can occur between the apparatus connected to the first network and the information apparatus connected to the second network; and
an IPv6 address generation processing module configured to generate a first registration IPv6 address based on the second network identifier and an apparatus identifier of the information apparatus, wherein the first registration IPv6 address is registered by the firewall; and
wherein the information apparatus includes:
communication means for transmitting and receiving data to and from the firewall by use of the IPv6 protocol;
means for acquiring the second network identifier of the second network;
means for generating a second registration IPv6 address based on the second network identifier and the apparatus identifier of the information apparatus, wherein the second registration IPv6 address is registered by the firewall;
communication means for transmitting the second registration IPv6 address thus generated to the firewall;
communication means for transmitting and receiving data to and from the apparatus connected to the first network through the firewall by use of the IPv6 protocol;
means for extracting the portion corresponding to the first network identifier of the source IPv6 address of the first message received from the firewall, the message originating from the apparatus connected to the first network; and
means for deciding that the first message received is acceptable if the extracted network identifier matches the second network identifier of an IPv6 address of the information apparatus, wherein the extracted network identifier corresponds to the first 64 bit prefix of the IPv6 address of the apparatus connected to the first network and the second network identifier corresponds to the second 64 bit prefix of the IPv6 address of the information apparatus.
6 Assignments
0 Petitions
Abstract
Communication uses IPv6, and the firewall converts the prefix of IPv6 addresses. The firewall establishes a secure channel with mutual authentication to an out-of-home apparatus or the like, while on the in-home network it performs only identification of the in-home apparatus. A PC is connected to a PC in-home network distinct from the in-home network, and communication between the PC and the in-home apparatus always passes through the firewall.
20 Citations
5 Claims
1. As set out under First Claim above. Dependent claims: 4, 5.
2. A communication method for an in-home network system comprising:
transmitting, from a first apparatus connected to a first network, a first processing request message to a firewall through the first network, the first processing request message including a first IPv6 address of the first apparatus as a source and a second IPv6 address as a destination;
converting, by the firewall, a portion of the first IPv6 address to a portion of the second IPv6 address, whereby communication can occur between the first apparatus connected to the first network and a second apparatus connected to a second network;
generating, by the firewall, a first registration IPv6 address based at least in part on a first network identifier of the second network and an apparatus identifier of the second apparatus, wherein the first network identifier of the second network is included in the first registration IPv6 address, the first registration IPv6 address having 128 bits and the first network identifier being included as a first 64 bit prefix in the first registration IPv6 address;
generating, by the second apparatus, a second registration IPv6 address based at least in part on the first network identifier of the second network and the apparatus identifier of the second apparatus, wherein the first network identifier of the second network is included in the second registration IPv6 address, the second registration IPv6 address having 128 bits and the first network identifier being included as a second 64 bit prefix in the second registration IPv6 address;
storing at least the first and second registration IPv6 addresses in a database module;
confirming, by the firewall, whether processing content contained in the first processing request message is secure;
determining, by the firewall referencing the database module and comparing registration IPv6 addresses including the first and second registration IPv6 addresses, whether the first apparatus has authority to perform processing on the second apparatus;
transmitting, by the firewall, a second processing request message to the second apparatus through the second network, the second processing request message including the first IPv6 address of the first apparatus as a source and the second IPv6 address as a destination;
extracting, by the second apparatus, from the second processing request message received from the firewall, a portion corresponding to the first network identifier of the first IPv6 address as a source of the processing request message, and determining if the processing request message received is acceptable if the extracted network identifier matches the second network identifier of an IPv6 address of the second apparatus, wherein the extracted network identifier corresponds to the first 64 bit prefix of the IPv6 address of the first apparatus and the second network identifier corresponds to the second 64 bit prefix of the IPv6 address of the second apparatus;
performing, by the second apparatus, an operation corresponding to the second apparatus;
transmitting, by the second apparatus, a reply message to the firewall through the second network in response to the second processing request message, the reply message including the second IPv6 address as a source and the first IPv6 address of the first apparatus as a destination;
confirming, by the firewall, whether information contained in the reply message is secure;
converting, by the firewall, the source of the reply message from the second IPv6 address to the first IPv6 address whereby as a result, communication can occur between the second apparatus connected to the second network and the first apparatus connected to the first network; and
transmitting, by the firewall, the reply message thus converted to the first apparatus through the first network, the converted reply message including the second IPv6 address as a source and the first IPv6 address of the first apparatus as a destination.
Dependent claim: 3.
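The mechanism claimed above (claim 1's 64-bit prefix conversion, the registration address built from network identifier plus apparatus identifier, and the in-home apparatus's source-prefix acceptance check; claim 2's database lookup and request/reply round trip) as a runnable model. This is an added example, not code from the patent or its assignee. Everything concrete in it is an assumption: the documentation prefixes 2001:db8:1::/64 (first, PC-side network) and 2001:db8:2::/64 (second, in-home network), the apparatus identifier 0x1234, the Message fields, an allowlist standing in for "confirming whether processing content is secure", and one interpretive step: the claims leave the forwarded request's source address unchanged, which as literally written would not pass the apparatus's own prefix check, so the model also gives the request source the in-home prefix on the way in and undoes that on the reply. The last case in `demo()` shows the caveat a practitioner should note: the apparatus-side check is a prefix match on an unauthenticated source address, so any host already on the in-home link can forge it; as the abstract says, only identification, not authentication, happens on the in-home network.

```python
"""Model of the prefix-rewriting firewall and the in-home acceptance check in the claims.
Added example, not code from the patent: prefixes, apparatus identifier, message
fields, the 'secure content' allowlist and the inbound source rewrite are assumptions."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

PREFIX_BITS = 64                           # network identifier length fixed by the claims
IID_MASK = (1 << (128 - PREFIX_BITS)) - 1   # low 64 bits: apparatus / interface identifier

def prefix_of(addr: str) -> int:
    """Top 64 bits of an IPv6 address: the 'network identifier' of the claims."""
    return int(ipaddress.IPv6Address(addr)) >> PREFIX_BITS

def with_prefix(addr: str, net: ipaddress.IPv6Network) -> str:
    """Replace the 64-bit prefix of addr with net's prefix; the low 64 bits are kept."""
    if net.prefixlen != PREFIX_BITS:
        raise ValueError("network identifier must be a /64")
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return str(ipaddress.IPv6Address((prefix_of(str(net.network_address)) << PREFIX_BITS) | iid))

def registration_address(net: ipaddress.IPv6Network, apparatus_id: int) -> str:
    """Registration address = 64-bit network identifier || 64-bit apparatus identifier."""
    return with_prefix(str(ipaddress.IPv6Address(apparatus_id & IID_MASK)), net)

@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    content: str

class Firewall:
    """Between the first (outside / PC) network and the second (in-home) network."""
    SECURE_CONTENT = {"status", "power_off"}   # assumed stand-in for 'processing content is secure'

    def __init__(self, first_net: str, second_net: str):
        self.first = ipaddress.IPv6Network(first_net)
        self.second = ipaddress.IPv6Network(second_net)
        self.database = set()                  # the claims' database module of registration addresses

    def register(self, apparatus_id: int, reported: str) -> bool:
        """Generate the firewall-side registration address and store it with the apparatus-side one."""
        own = registration_address(self.second, apparatus_id)
        if own != reported:                    # the two derivations must agree
            return False
        self.database.update({own, reported})
        return True

    def to_inside(self, msg: Message) -> Optional[Message]:
        """First-network request -> second-network request, or None when dropped."""
        if prefix_of(msg.dst) != prefix_of(str(self.first.network_address)):
            return None                        # not the first-network form of an in-home address
        if msg.content not in self.SECURE_CONTENT:
            return None                        # processing content not confirmed secure
        inside_dst = with_prefix(msg.dst, self.second)   # claimed: destination prefix first -> second
        if inside_dst not in self.database:
            return None                        # no registration address: no authority
        inside_src = with_prefix(msg.src, self.second)   # assumed: source also gets the in-home prefix
        return replace(msg, src=inside_src, dst=inside_dst)

    def to_outside(self, msg: Message) -> Optional[Message]:
        if msg.src not in self.database:       # reply must come from a registered apparatus
            return None
        return replace(msg, src=with_prefix(msg.src, self.first),   # claimed: source second -> first
                       dst=with_prefix(msg.dst, self.first))        # undo the inbound source rewrite

class Apparatus:
    """In-home information apparatus that accepts only sources bearing its own /64 prefix."""

    def __init__(self, net: str, apparatus_id: int):
        self.address = registration_address(ipaddress.IPv6Network(net), apparatus_id)

    def accepts(self, msg: Message) -> bool:
        """Claimed check: extracted source prefix equals this apparatus's network identifier."""
        return prefix_of(msg.src) == prefix_of(self.address)

    def handle(self, msg: Message) -> Optional[Message]:
        if msg.dst != self.address or not self.accepts(msg):
            return None
        return Message(src=self.address, dst=msg.src, content="ok:" + msg.content)

def exchange(fw: Firewall, dev: Apparatus, request: Message) -> Optional[Message]:
    """Round trip of claim 2: request in, reply out; None if any hop drops it."""
    inside = fw.to_inside(request)
    reply = dev.handle(inside) if inside is not None else None
    return fw.to_outside(reply) if reply is not None else None

def demo() -> dict:
    # Constructed: first (PC) network 2001:db8:1::/64, in-home network 2001:db8:2::/64, id 0x1234.
    fw = Firewall("2001:db8:1::/64", "2001:db8:2::/64")
    dev = Apparatus("2001:db8:2::/64", 0x1234)
    if not fw.register(0x1234, dev.address):
        raise RuntimeError("registration addresses disagree")
    pc = "2001:db8:1::abcd"
    return {
        "ok": exchange(fw, dev, Message(pc, "2001:db8:1::1234", "status")),
        "bad_content": exchange(fw, dev, Message(pc, "2001:db8:1::1234", "firmware_write")),
        "unregistered": exchange(fw, dev, Message(pc, "2001:db8:1::5678", "status")),
        # Caveat: a forged in-home source prefix passes the apparatus's own check unaided.
        "spoofed": dev.handle(Message("2001:db8:2::dead", dev.address, "power_off")),
    }
```

`demo()` returns the accepted round trip (reply source 2001:db8:1::1234, the first-network form of the apparatus address), two drops at the firewall (content not allowlisted; destination with no registration address in the database), and the spoofed in-home message that the apparatus accepts without any help from the firewall.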
Specification