Network, IPsec setting server apparatus, IPsec processing apparatus, and IPsec setting method used therefor
First Claim
1. A network comprising:
IPsec processing apparatuses, which use an IPsec (Internet Protocol security protocol) for encrypting and authenticating communications via the Internet between two different centers; and
an IPsec setting apparatus, which manages IPsec settings of the IPsec processing apparatuses, wherein in response to receiving a request from a first IPsec processing apparatus to communicate with a second IPsec processing apparatus, the IPsec setting apparatus transmits a request to the second IPsec processing apparatus and upon receiving a reply to the request from the second IPsec processing apparatus the IPsec setting apparatus transmits a common encryption key to the first and second IPsec processing apparatuses to be used to encrypt and authenticate IPsec communications between the first and second processing apparatuses;
wherein said IPsec setting apparatus generates SA (Security Association) parameters, to be used in the IPsec communication between the first and the second IPsec processing apparatuses, based on the contents of the request message and contents of IPsec policies stored by the IPsec setting apparatus;
wherein said IPsec setting apparatus sends a distribution message including the policies of said IPsec and the SA parameters in response to the request message; and
wherein the IPsec processing apparatus retransmits the request for communication to the IPsec setting apparatus and receives new setting information before a term of validity for the SA expires,
wherein said IPsec setting apparatus generates the common encryption key to be used in encryption and authentication of the IPsec communications between the first IPsec processing apparatus and the second IPsec processing apparatus and transmits the generated common encryption key to the IPsec processing apparatus.
Abstract
There is provided an IPsec setting server apparatus capable of preventing inconsistent settings among communicating apparatuses. An IPsec processing section applies IPsec processing to data communication packets received from an interface section. An SPD, consulted by the IPsec processing section, records the policies for applying IPsec. An SAD, consulted by the IPsec processing section, records the SA needed to apply IPsec processing to each individual kind of communication. A request processing section receives a setting request message from an IPsec processing apparatus and returns a distribution message. The IPsec policies needed to determine a requested setting are stored in a distribution policy storage section. Information on each kind of SA communication requested to be set is stored in a management table.
18 Claims
1. (Independent claim, reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. An IPsec setting apparatus managing IPsec setting of IPsec processing apparatuses, which use an IPsec (Internet Protocol security protocol) for securing communication via the Internet between two different centers,
wherein said IPsec setting apparatus manages IPsec policies applied among the IPsec processing apparatuses, wherein said IPsec setting apparatus specifies the IPsec policies to be applied between a first IPsec processing apparatus, requesting communication with a second IPsec processing apparatus, and the second IPsec processing apparatus, based upon contents of the request to the IPsec setting apparatus from the first IPsec processing apparatus for communication with the second IPsec processing apparatus, said IPsec setting apparatus generating a common encryption key to be used in encryption and authentication of IPsec communication and distributing the generated common encryption key to the first and second IPsec processing apparatuses;
wherein said IPsec setting apparatus generates SA (Security Association) parameters used in the IPsec communication between the first IPsec processing apparatus and the second IPsec processing apparatus based upon the contents of the request message and contents of the IPsec policies stored by the IPsec setting apparatus;
wherein said IPsec setting apparatus simultaneously transmits to the first IPsec processing apparatus and to the second IPsec processing apparatus a message including at least the policies and the SA parameters for IPsec communication between the first IPsec processing apparatus and the second IPsec processing apparatus in response to the request message; and
wherein the first IPsec processing apparatus retransmits the request for communication to the IPsec setting apparatus and receives new setting information before a term of validity for the SA expires,
wherein said IPsec setting apparatus generates the common encryption key to be used in encryption and authentication of the IPsec communications between the first IPsec processing apparatus and the second IPsec processing apparatus and transmits the generated common encryption key to the IPsec processing apparatus.
Dependent claims: 9, 10.
11. An IPsec processing apparatus using an IPsec (Internet Protocol security protocol) on the Internet,
wherein said IPsec processing apparatus receives from an IPsec setting apparatus managing communication a packet containing the IPsec to be applied to communications with another IPsec processing apparatus, determines whether or not to request from the IPsec setting apparatus a setting for IPsec communication, and wherein the IPsec processing apparatus transmits a request for communication with the other IPsec processing apparatus to the IPsec setting apparatus in order to receive from the IPsec setting apparatus a setting for IPsec communication, the IPsec processing apparatus receiving from the IPsec setting apparatus a common encryption key to be used in encryption and authentication of said IPsec communication; and
wherein said IPsec processing apparatus includes means for setting an SPD (Security Processing Database), in which policies for applying said IPsec are recorded, and an SAD (Security Association Database), in which an SA (Security Association) necessary for subjecting an individual communication to the IPsec processing is stored, based upon a message received from the IPsec setting apparatus; and
wherein said IPsec processing apparatus retransmits the request for communication to the IPsec setting apparatus and receives new setting information before a term of validity for the SA expires,
wherein said IPsec processing apparatus receives the common encryption key generated by said IPsec setting apparatus to be used in encryption and authentication of the IPsec communications between said IPsec processing apparatus and the other IPsec processing apparatus.
Dependent claim: 12.
13. An IPsec setting method for a network comprising:
receiving from a first IPsec processing apparatus a request for communication with a second IPsec processing apparatus;
in response to the received request, sending a request to the second IPsec processing apparatus, receiving a reply to the sent request from the second IPsec processing apparatus, in response to the reply from the second IPsec processing apparatus, retrieving IPsec policy rules from memory based on the content of the request from the first IPsec processing apparatus and the retrieved policy rules, generating a common encryption key to be used in encryption and authentication of IPsec communication between the first and second IPsec processing apparatuses;
transmitting the generated common encryption key to the first and second IPsec processing apparatuses;
in response to a reply from the second IPsec processing apparatus, generating SA (Security Association) parameters to be used in the IPsec communication between the first and second IPsec processing apparatuses based on contents of the request from the first IPsec processing apparatus message and the retrieved policy rules;
transmitting a distribution message including at least the retrieved policies and generated SA parameters in response to receiving the request; and
receiving a second request from the first IPsec processing apparatus for communication with the second IPsec processing apparatus before a term of the validity of an SA (Security Association) parameter expires, and in response, generating and transmitting new IPsec setting to the first and second IPsec processing apparatuses, wherein the common encryption key is generated to be used in encryption and authentication of the IPsec communications between the first IPsec processing apparatus and the second IPsec processing apparatus; and
transmitting the generated common encryption key from said IPsec setting apparatus to the IPsec processing apparatus.
Dependent claims: 14, 15, 16, 17, 18.
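The exchange the claims describe (request forwarded to the peer, SA parameters derived from the stored policy, one common key distributed to both endpoints, and a re-request before the SA's term of validity ends), as an added Python model that is not part of the patent or any product built on it; the class and field names, the policy dictionary layout, the 300-second refresh margin and the SPI counter are assumptions, and the clock is passed in explicitly so the lifetime check is deterministic.

```python
import secrets
from dataclasses import dataclass


@dataclass
class SAParams:
    """SA parameters as distributed by the setting server (hypothetical layout)."""
    spi: int
    cipher: str
    auth: str
    key: bytes          # one common key used for both encryption and authentication, as claimed
    expires_at: float   # absolute time at which the SA's term of validity ends


class IPsecSettingServer:
    """Central apparatus holding the distribution policies and the management table."""

    def __init__(self, policies):
        self.policies = policies      # (src, dst) -> policy dict: the distribution policy storage
        self.management_table = {}    # (src, dst) -> SAParams currently in force
        self.devices = {}             # registered IPsec processing apparatuses by name
        self._next_spi = 0x1000       # assumed SPI allocation scheme: a simple counter

    def register(self, dev):
        self.devices[dev.name] = dev

    def handle_request(self, src, dst, now):
        """Forward the request to the peer; on its reply, generate SA + key and distribute both."""
        policy = self.policies.get((src, dst))
        if policy is None or dst not in self.devices or not self.devices[dst].reply_to_request(src):
            return None               # no policy or no reply: nothing is distributed
        self._next_spi += 1
        sa = SAParams(self._next_spi, policy["cipher"], policy["auth"],
                      secrets.token_bytes(32), now + policy["lifetime_s"])
        self.management_table[(src, dst)] = sa
        for name in (src, dst):       # the distribution message goes to both endpoints at once
            self.devices[name].install(src, dst, policy, sa)
        return sa


class IPsecProcessingApparatus:
    """Endpoint whose SPD and SAD hold only what the server distributed."""

    def __init__(self, name, server, refresh_margin_s=300):
        self.name, self.server, self.refresh_margin_s = name, server, refresh_margin_s
        self.spd, self.sad, self.active = {}, {}, {}   # policies, SAs by SPI, current SPI per peer
        server.register(self)

    def reply_to_request(self, peer):
        return True                   # this model accepts every peer the server asks about

    def install(self, src, dst, policy, sa):
        self.spd[(src, dst)], self.sad[sa.spi], self.active[(src, dst)] = policy, sa, sa.spi

    def sa_for(self, peer, now):
        """Return the SA in force, re-requesting a setting before the current one expires."""
        sa = self.sad.get(self.active.get((self.name, peer)))
        if sa is None or now >= sa.expires_at - self.refresh_margin_s:
            sa = self.server.handle_request(self.name, peer, now)
        return sa
```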