JP5459039B2 - Communication device - Google Patents

Description

  The present invention relates to a communication apparatus that controls communication.

  Due to the growing awareness of energy saving, MFPs (Multi-Function Peripherals) equipped with communication devices automatically respond to communications that can be automatically responded by hardware, thereby reducing the number of returns from the energy saving mode and saving energy. Techniques for improving the performance are widely known.

  In addition, with security awareness, IPSec (Security Architecture for Internet Protocol) communication has begun to spread in MFP communication. Since IPSec communication requires a large amount of computation, the IPSec processing unit is becoming hardware.

  In IPSec communication, it is necessary to exchange and share encrypted information between communicating devices in advance to establish SA (Security Association). However, when encryption and decryption of IPSec packets are performed by hardware (hereinafter referred to as hardware communication). Called), there is an upper limit to the number of registered SAs. In addition, enormous calculation is required to establish SA. For this reason, for example, in Patent Document 1, it is determined whether or not the SA is registered in hardware. If registered, hardware communication is performed. If not registered, IPSec packets are encrypted and decrypted by software. A technique for improving communication performance as a whole network system (hereinafter referred to as software communication) is already known.

  In recent years, there has been a strong demand to improve user convenience by shortening the startup time of electronic devices, and each company is surpassing the shortening of the return time from the energy saving mode, which is also a selling point. However, if hardware that increases energy efficiency through automatic response so far is combined with a system that increases communication efficiency by using software and hardware communication together, and it is going to improve both energy efficiency and communication efficiency, it will switch to energy saving mode. It is necessary to add control by software at the time of transfer from the energy saving mode.

  When switching to the energy saving mode, packets that can be automatically responded are determined to be software communication, and in order not to cause a return from the energy saving mode, hardware communication is mainly used from the mode that uses software / hardware communication together. Switching control to the mode is necessary.

  When returning from the energy saving mode, it is necessary to control switching from a mode mainly using hardware communication to a mode using both software and hardware communication in order to improve communication efficiency.

  In addition, when using software and hardware communication together, the software needs to know the internal state of the hardware in order to control communication efficiently. For example, for automatic response during the energy saving mode, When the SA registration is switched, a difference occurs in the internal state of the hardware before and after the energy saving mode. Therefore, after the return from the energy saving mode, the software needs to re-control the internal state of the hardware.

  Therefore, when trying to achieve both communication efficiency and energy saving efficiency with conventional hardware, there is a problem that the return time from the energy saving mode increases due to the addition of the above control when returning from the energy saving mode. .

  Therefore, the present invention has been made in view of the above problems, and an object of the present invention is to provide a communication device that can shorten the return time from the energy saving mode.

In order to solve the above problems, a communication apparatus according to the present invention is a communication apparatus controlled by a CPU (Central Processing Unit) having at least two operation modes of a normal operation mode and an energy saving mode. A state detecting means for detecting a state transition between the mode and the energy saving mode, and a security association for performing security communication with the communication partner in correspondence with each of a plurality of communication partners, When the security association constructing means for registering the constructed security association in the recording means and the state detecting means detect that the transition from the energy saving mode to the normal operation mode is detected, the registration contents of the recording means are determined. Determining means for performing the security association construction When the state detecting means detects that the state of the energy saving mode is detected, the security association corresponding to the new partner is received in response to receiving data from the new partner for which the security association is not established. Is registered in the recording unit, and the determination unit notifies the CPU when there is a change in the registered content of the recording unit .

The communication apparatus according to the present invention, the state detecting means, when the power of the CPU is shifted from the power saving mode by Rukoto thrown into the normal operation mode, the registered contents of the determination means is said recording means If it is determined that there is a change, it may have a notification means for performing notification for the CPU.

The communication apparatus according to the present invention, when receiving the automatic response can be communicated from the communication partner device or the new destination apparatus, and an automatic response means for the automatic response from the new destination device You may make it further have a request means which requests | requires return from the said energy-saving mode , when the communication which cannot respond automatically is received.

The communication apparatus according to the present invention, the information registered in the recording means, the security to be created to establish the exchange and sharing to the communication path encryption information prior to encryption communication using IPSec communication it may be there in the association.

Further, in the communication device according to the present invention, the security association constructing means registers the registration contents of the recording means in which the security association constructed by the security association constructing means is registered, and the security association corresponding to the new partner is registered. When rewriting the registered contents, the registered contents of the recording means may be rewritten in order from the oldest registered order.

Further, in the communication device according to the present invention, the security association constructing means registers the registration contents of the recording means in which the security association constructed by the security association constructing means is registered, and the security association corresponding to the new partner is registered. When rewriting to the registered contents, the recording means to be rewritten may be selected based on the order of registration and the number of times of reference, and the registered contents of the selected recording means may be rewritten.

In the communication apparatus according to the present invention, the security association construction unit may limit the rewritable recording unit when in the energy saving mode .

The communication apparatus according to the present invention further includes a second recording unit that establishes a security association corresponding to the new partner and registers the constructed security association, and the security association construction unit includes the energy saving unit. In the mode , the second recording means may be rewritten.

  According to the present invention, the return time from the energy saving mode can be shortened.

It is a figure which shows the structural example of the communication apparatus which concerns on embodiment of this invention. It is a figure which shows the processing operation in the communication apparatus which concerns on embodiment of this invention. It is a figure which shows the processing operation in the communication apparatus which concerns on embodiment of this invention.

  Next, embodiments for carrying out the invention will be described in detail with reference to the drawings.

<Configuration Example of Communication Device 100>
A configuration example of the communication apparatus 100 according to the embodiment of the present invention will be described with reference to FIG.

  The reception packet selector 110 grasps the power state of the CPU based on the notification from the energy saving detection unit 108. When the CPU is powered on, whether to perform software communication or hardware communication based on the condition set by the software It is determined whether the packet is determined to be hardware communication, whether it is an IPsec related packet or a normal packet (unencrypted packet). When the CPU is powered off, it only determines whether it is an IPsec-related packet or a normal packet.

  The normal packet processing unit 104 converts received packets into data and transmission data into packets.

  The IPsec processing unit 109 performs packet encryption / decryption and SA construction. Regarding the constructed SA, registration information is stored in the internal SA registration table. In the SA registration table, for example, encryption with the counterpart device, authentication method, and key are registered.

  There are various methods of storing the constructed SA in the SA table when there is a request for SA construction when there is no free space in the SA registration table.

  For example, among the SAs registered in the SA registration table, a method of rewriting from the oldest registered order may be used. By doing so, the contents of the table correspond to the latest communication environment, and communication can be efficiently performed when returning from the energy saving mode.

  Further, a method of rewriting a table with low usage frequency from the registered order and the number of times of reference may be used. This reduces the number of table rewrites and enables efficient communication.

  Further, when the CPU is powered off, a method that uses only a table that is limited to be rewritable may be used. In this way, the control when the software rechecks the communication device internal table when returning from the energy saving mode is minimized, and the return time from the energy saving mode is shortened.

  Alternatively, a dedicated table when the CPU is powered off may be mounted and a method using the table may be used. This table is not a table to which software refers. Therefore, when a dedicated table for when the CPU is powered off is mounted, the SA change notification unit 106 does not notify the CPU of an interrupt even if the table is changed. That is, the CPU is not notified of the table change. In this way, there is no change in the table referenced by the software during the energy saving mode, so there is no need for the software to recheck the communication device internal table when returning from the energy saving mode, and the return time from the energy saving mode is eliminated. Can be shortened.

  The automatic response control unit 103 determines whether an automatic response of the received packet is possible, generates response data if possible, and transfers the data to the memory if not possible.

  The SA change notification unit 106 grasps the power state of the CPU based on the notification from the energy saving detection unit 108, and notifies an interrupt when there is a change in the SA registration table of the IPsec processing unit 109 while the CPU power is on. When the CPU power is cut off and the SA registration table of the IPsec processing unit 109 is changed, an interrupt is notified when the CPU is turned on.

<Operation flow when CPU power is on>
With reference to FIG. 2, an operation flow when the CPU of the communication apparatus according to the embodiment of the present invention is turned on will be described.

  The communication device 100 receives a packet through the network I / F 112 (S101).

  The reception packet selector 110 determines whether or not the CPU is in the energy saving mode state (power cut-off state) from the energy saving detection unit 108 (S102).

  When the power of the CPU is turned on (S102, Yes), the received packet selector 110 determines in advance whether the received packet is supported by software communication or hardware communication according to the set condition by software (S103). ).

  If it is determined in step S103 that the software communication is supported (S103, Yes), the received packet is transferred to the received data selector 102 and transferred to the memory as it is via the memory I / F 101 (S104). ).

  If it is determined in step S103 that the hardware communication is supported (S103, No), the received packet selector 110 further determines whether the received packet is an IPsec-related packet (S105).

  If it is determined that the received packet is an IPsec-related packet (S105, Yes), the received packet is transferred to the IPsec processing unit 109, and the IPsec processing unit 109 determines whether the received packet is a request for SA construction. Determine (S106)

  If it is determined in step S106 that the received packet is a request for SA construction (S106, Yes), the SA processing unit 109 constructs the SA, rewrites the SA registration table, and the SA change notification unit 106 sends the information to the CPU. An interrupt is notified (S107). That is, it notifies that the SA registration table has been changed.

  Upon receiving the interrupt notification, the software reads the changed SA registration table and changes the setting of the reception packet selector 110 as necessary (S108).

  If it is not determined in step S106 that the received packet is an SA request (S106, No), the received packet is decoded by the IPsec processing unit 109 and then transferred to the normal packet processing unit 104 to be converted into data. (S109).

  The normal packet processing unit 104 transfers the data converted from the received packet to the automatic response control unit 103, and the automatic response control unit 103 determines whether or not the received data packet is a packet that can be automatically answered. (S110).

  In step S110, if it is determined that the received packet converted into data can be automatically answered (S110, Yes), the automatic response control unit 103 transfers response data for the received packet to the normal packet processing unit 104, and The response data is packetized, transferred to the transmission packet selector 111, and transmitted to the network (S111). If the received packet is an IPsec packet, the response data is encrypted by the IPsec processing unit 109, transferred to the transmission packet selector 111, and transmitted to the network.

  In step S110, when it is determined that the received packet converted into data cannot be automatically responded (S110, No), the data converted from the received packet is transferred to the received data selector 102, and the memory I / F 101 is stored. (S112).

  If it is determined in step S105 that the received packet is not an IPsec-related packet (S105, No), the received packet selector 110 transfers the received packet to the normal packet processing unit 104, and the received packet is converted into data (S113). . The received packet converted into data is transferred to the automatic response control unit 103, and the operation flow from step S110 is performed.

<Operation flow when CPU power is off>
With reference to FIG. 3, an operation flow when the power of the CPU of the communication apparatus according to the embodiment of the present invention is cut off will be described.

  When the power of the CPU is cut off (S102, No), the received packet selector 110 does not determine soft communication and hardware communication, and determines whether the received packet is an IPsec-related packet (S201). .

  If the received packet is selected as an IPsec-related packet in step S201 (S202, Yes), the received packet is transferred to the IPsec processing unit 109. The IPsec processing unit 109 determines whether or not this received packet is a request for SA construction. Is determined (S202).

  If it is determined in step S202 that the received packet is a request for SA construction (S202, Yes), the SA processing unit 109 constructs the SA and rewrites the SA registration table (S203).

  If it is determined in step S202 that the received packet is not an SA request (S202, No), the received packet is decoded by the IPsec processing unit 109, transferred to the normal packet processing unit 104, and converted into data (S204). ).

  The normal packet processing unit 104 transfers the data converted from the received packet to the automatic response control unit 103, and the automatic response control unit 103 determines whether or not the received data packet is a packet that can be automatically answered. (S205).

  If it is determined in step S205 that the received packet can be automatically answered (S205, Yes), the automatic response control unit 103 transfers response data for the received packet to the normal packet processing unit 104, and the response data is , Packetized, transferred to the transmission packet selector 111, and transmitted to the network (S206). At this time, if the received packet is an IPsec packet, the response data is encrypted by the IPsec processing unit 109, transferred to the transmission packet selector 111, and transmitted to the network.

  If it is determined in step S205 that the received packet cannot be automatically answered (S205, No), the data converted from the received packet is transferred to the received data selector 102, and the energy saving return request unit 107 A return request from is output to the system (S207).

  After the energy saving detection unit 108 detects the return from the energy saving mode, the SA change notification unit 106 determines whether the SA registration table has been rewritten during the energy saving mode (S208).

  If it is determined in step S208 that the SA registration table has been rewritten (S208, Yes), the SA change notification unit 106 notifies the CPU of an interrupt (S209). That is, it notifies that the SA registration table has changed.

  When receiving the interrupt notification, the software reads the changed SA registration table and changes the setting of the received packet selector 110 as necessary (S210).

  After returning from the energy saving mode, the received data is transferred to the memory via the memory I / F 101 (S211).

  If it is determined in step S201 that the received packet is not an IPsec-related packet (S201, No), the received packet selector 110 transfers the received packet to the normal packet processing unit 104, and the received packet is converted into data (S212). . The received packet converted into data is transferred to the automatic response control unit 103, and the processing of the operation flow from step S205 is performed.

  As described above, in this embodiment, since the means for determining the transfer destination of the received packet according to the power state of the CPU is provided, the mode mainly using the soft communication and the hardware communication at the time of shifting to the energy saving mode and the hardware communication are mainly used. Switching control between and can be reduced.

  Conventionally, when software / hardware communication is used together, the software must always recheck the SA table inside the communication device when returning from the energy saving mode in order to control the communication efficiently. Met. On the other hand, the present embodiment includes means for notifying the outside when there is a change in the contents of the SA table in the communication apparatus, and means for controlling the notification timing according to the power state of the CPU. The control for reconfirming the SA table when returning from the energy saving mode may be performed only when the SA table is changed. Therefore, by using this embodiment, the return time from the energy saving mode can be shortened.

  The processing operation in the above-described embodiment can be executed by hardware, software, or a combined configuration of both.

  When processing by software is executed, the program is loaded from a ROM (Read Only Memory) storing a program recording a processing sequence to a memory (RAM) in a computer incorporated in dedicated hardware. The program can be read and executed, or the program can be installed and executed on a general-purpose computer capable of executing various processes.

  For example, the program can be recorded in advance on a hard disk or ROM as a recording medium. Alternatively, the program is stored on a removable recording medium such as a magnetic disk such as a floppy (registered trademark) disk, an optical disk such as a CD (Compact Disc) or DVD (Digital Versatile Disc), or a magneto-optical disk such as an MO (Magneto Optical) disk. It is possible to store (record) temporarily or permanently.

  Such a removable recording medium can be provided as so-called package software.

  The program is installed on the computer from the above-described removable recording medium, transferred wirelessly from the download site to the computer, or transferred to the computer via a network such as a LAN (Local Area Network) or the Internet. On the other hand, the computer can receive the transferred program and install it on a recording medium such as a built-in hard disk.

  In addition to being executed in time series in accordance with the processing operations described in the above embodiment, the processing capability of the apparatus that executes the processing, or a configuration to execute in parallel or individually as necessary Is also possible.

  In addition, the system described in the above embodiment can be configured to have a logical set configuration of a plurality of devices or to mix the functions of each device.

  The present invention has been described above by the preferred embodiments of the present invention. While the invention has been described with reference to specific embodiments thereof, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the invention as defined in the claims. is there.

100 Communication device 101 Memory I / F
DESCRIPTION OF SYMBOLS 102 Reception data selector 103 Automatic response control part 104 Normal packet processing part 105 Transmission data selector 106 SA change notification part 107 Energy saving return request part 108 Energy saving detection part 109 IPSec processing part 110 Reception packet selector 111 Transmission packet selector 112 Network I / F

JP 2008-312094 A

Claims (8)

A communication device controlled by a CPU (Central Processing Unit) having at least two operation modes of a normal operation mode and an energy saving mode,
State detecting means for detecting a state transition between the normal operation mode and the energy saving mode;
Security association construction means for constructing a security association for performing security communication with the communication counterparty in correspondence with each of a plurality of communication counterparties, and registering the constructed security association in a recording means; ,
A determination means for determining registration contents of the recording means when the state detection means detects that the energy saving mode has shifted to the normal operation mode;
In response to receiving data from a new destination for which the security association has not been established, when the state detection means detects that the state detection means is in the state of the energy saving mode, the security association construction means The communication apparatus is configured to register a security association corresponding to the above and register it in the recording unit, and the determination unit notifies the CPU when there is a change in the registered content of the recording unit. Said state detecting means, when the power of the CPU transitions from the energy saving mode to the normal operation mode by Rukoto is turned on and the determination means determines that there is a change in the registered contents of the recording means, said CPU the communication apparatus according to claim 1, characterized in that it comprises a notifying means for performing notification for the. An automatic response means for performing an automatic response when receiving a communication capable of automatic response from the communication partner device or the new partner device;
3. The communication device according to claim 1, further comprising request means for requesting a return from the energy saving mode when a communication that cannot be automatically answered is received from the new counterpart device. 4. . The information registered in the recording means is
The security association created in order to establish a communication path by exchanging and sharing encryption information prior to encrypted communication using IPSec communication, according to any one of claims 1 to 3. The communication device described. The security association construction means is registered when the registration content of the recording means in which the security association constructed by the security association construction means is registered is rewritten to the registration content in which the security association corresponding to the new partner is registered. The communication apparatus according to any one of claims 1 to 4, wherein the registration contents of the recording unit are rewritten in order from the oldest information. The security association construction means is registered when the registration content of the recording means in which the security association constructed by the security association construction means is registered is rewritten to the registration content in which the security association corresponding to the new partner is registered. 5. The communication apparatus according to claim 1, wherein a recording unit to be rewritten is selected based on the order of reference and the number of times referred to, and the registered content of the selected recording unit is rewritten. The security association construction means is
The communication device according to any one of claims 1 to 6, wherein a rewritable recording unit is limited in the energy saving mode . Further comprising a second recording means for constructing a security association corresponding to the new partner and registering the constructed security association ;
The security association construction means is
The communication device according to claim 1, wherein the second recording unit is rewritten in the energy saving mode .

Images