JP2004207788A - Access control method, access controller, and access control system using the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To permit only one address to be assigned to a regular client to efficiently and exactly assign pooled addresses. <P>SOLUTION: An authentication server 60 authenticates a PC (personal computer) 50, based on a circuit ID given to a RADIUS (remote authentication dial-in user service) access request by a PE router 20, and then a DHCP (dinamic host configuration pritocol) server 10 assigns user set information, based on a user class ID given to a message of a DHCP request from the PC 50 and the circuit ID given by the PE router 20. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention provides access control for controlling access to a network and a server using a DHCP (DynamicHost Configuration Protocol: RFC2131) in order to connect a client terminal device (personal computer, hereinafter, referred to as “PC”) to a heterogeneous network. The present invention relates to a method, an access control device, and an access control system using the device.
[0002]
[Prior art]
A conventional access control method, for example, as disclosed in Patent Document 1, when a PC connects to a network, establishes connection request information and assignment setting information for this request between a PC and a DHCP server connected within the same network. Some broadcast proposals, as well as request authentication and authenticate this request.
[0003]
However, in recent years, in order to receive a communication service (for example, moving image distribution, etc.) provided by a communication carrier or the like, a backbone network such as a WAN (Wide Area Network) and a LAN (Local Area Network) or different types of LANs are used. The need to perform authentication between networks has arisen. As in this conventional example, in a method in which a PC and a DHCP server are connected to the same user's LAN to perform authentication, a communication carrier is required to operate the user in operation. It was difficult to manage communication services correctly. Further, in this method, since the DHCP server is provided in the user's network, there is a problem in operation and management of the server.
[0004]
Therefore, conventionally, as shown in the configuration diagram of the access control system in FIG. 45, the DHCP server 10 is connected on the core network A, and is connected via the PE router 20 or the concentrator 30 or the concentrators 30 and 40 which are relay agents. In some cases, the client making a connection request authenticates each PC 50 and assigns an IP address.
[0005]
In this system, as shown in the DHCP sequence diagram of FIG. 46, since the PC 50 making the connection request does not have an IP address, the discovery (Discover) in which the source address is “0” and the destination is “broadcast” is performed. ) Send the message. The concentrator 30 transfers the discover message to the PE router 20 by multiplex transmission by tag VLAN. When the PE router 20 captures the discover message, the PE router 20 rewrites the source address to the “IP address of the own device 20” and the destination address to the “IP address of the DHCP server 10”, and transfers the discover message to the core network A. I do.
[0006]
Upon receiving the discover message, the DHCP server 10 transmits an offer message with the source address “IP address of the DHCP server 10” and the destination address “IP address of the PE router 20” to the core network A. To respond. When the PE router 20 captures the offer message, the PE router 20 rewrites the source address to “the IP address of the own device 20” and the destination to “broadcast”, and transfers the offer message to the port that has just received the discover message. .
[0007]
Next, when the PC 50 transmits a request (Request) message whose source address is “0” and the destination is “broadcast”, the PE router 20 sets the source address to “the IP address of the own device 20” and the destination The address is rewritten to the “IP address of the DHCP server 10”, and the request message is transferred to the core network A. Upon receiving this request message, the DHCP server 10 assigned a specific IP address from among the pooled addresses, created an Ack message with this address, and responded to the PC 50.
[0008]
[Patent Document 1]
JP 2001-326696 A (pages 2, 4, and 5; FIGS. 1 to 3)
[0009]
[Problems to be solved by the invention]
However, in the above conventional example, a pooled address is assigned in response to a plurality of address requests from a client PC, so that one PC can acquire a plurality of IP addresses, and the There has been a problem that exhaustion may be caused.
[0010]
Further, in this conventional example, it is not possible to properly cope with a case where an unauthorized user obtains identification information such as an ID and a MAC address of a legitimate client, obtains an IP address using this information, and receives data distribution. There was a problem.
[0011]
The present invention has been made in view of the above problems, and has an access control method and an access control method in which only one address can be assigned to a legitimate client, and a pooled address can be efficiently and accurately assigned. An object is to provide an apparatus and an access control system using the apparatus.
[0012]
[Means for Solving the Problems]
In order to achieve the above object, in the access control method according to the first aspect, when transmitting a connection request to a network from a terminal device to a DHCP server connected to the network, a request message for the connection request is transmitted. In an access control method for transferring to a DHCP server via an access control device, a request transmitting step in which an authentication server is connected to the network, and the terminal device adds identification information of a user class ID to the request message and transmits the request message. In response to the request message, the access control device assigns identification information of the user class ID to an access request message for an access request, and transmits the identification information to the authentication server. Based on the identification information given to the access request message, the authentication server, An authentication step of performing authentication of the terminal device and responding to the authentication, and the request message in which the access control device assigns at least identification information of the user class ID in response to an authentication response from the authentication server. A request transfer step of transmitting the request information to the DHCP server, and in accordance with the identification information given to the request message, the DHCP server extracts information necessary for a connection request of the terminal device from information pooled in advance in the DHCP server. A data transfer step of allocating and responding to the terminal device via the access control device.
[0013]
According to the present invention, based on the identification information of the user class ID, the authentication required by the authentication server and the information necessary for the connection request of the terminal device by the DHCP server after the response of the authentication are performed, so that the legitimate client is assigned to the authorized client. Only one address is assigned and the pooled address is assigned.
[0014]
Further, in the access control method according to claim 2, according to the storage step of storing information required for a connection request of the terminal device transmitted from the DHCP server in the access control device, And determining whether the received packet is relayed by the access control device.
[0015]
According to the present invention, information necessary for a connection request of a terminal device is stored in a table of an access control device, and based on the information in the table, it is determined whether or not a packet received from a network is relayed, and filtering of data relay is performed. I do.
[0016]
In the access control method according to claim 3, the terminal device transmits a discover message for detecting a DHCP server, and the access control device transmits the received port to the discover message. Providing a circuit ID for identifying and transmitting the DHCP server to the DHCP server, and providing the DHCP server in response to the offer message provided with the circuit ID in response to the discover message. Is further included.
[0017]
According to the present invention, by providing a circuit ID to a received discover message, it is possible to provide this circuit ID to an offer message from a DHCP server, and the access control apparatus can identify the transfer destination port of the offer message. enable.
[0018]
In the access control method according to claim 4, the access control device attaches the circuit ID to a message transferred from the terminal device to the DHCP server, transfers the message to the DHCP server, and transfers the message to the DHCP server. When the circuit ID is deleted from the message to be transferred to the terminal device and transferred to the terminal device, the DHCP server transmits the response message in response to the message received from the access control device. And transmitting the circuit ID assigned to the received message to the access control device by attaching the circuit ID to the response message.
[0019]
According to the present invention, by assigning a circuit ID to all messages transferred from the terminal device to the DHCP server, it is possible to assign the circuit ID to a message responded from the DHCP server, The transfer destination port can be identified, and at the time of transfer, an unnecessary circuit ID is deleted and transferred.
[0020]
In the access control method according to claim 5, when the authentication server responds to a message from the access control device, the authentication server adds a circuit ID assigned to the message from the access control device to the response message. The message is added to the response message and transmitted to the access control device.
[0021]
According to the present invention, even in the authentication server, the circuit ID assigned to the message from the access control device is assigned to the response message and transmitted, so that the authentication of the terminal device which has requested the connection from any port can be performed. Is recognizable.
[0022]
In the access control method according to claim 6, in the data transfer step, the access control device sets a source address of information necessary for a connection request of the terminal device from the DHCP server to an address of the own device. The data is changed and transferred to the terminal device.
[0023]
According to the present invention, by rewriting the address of the DHCP server, which is the source address added to the information necessary for the connection request of the terminal device, to the address of the access control device and transferring the address to the terminal device, Enables re-authentication by the authentication server in response to an update request to the server.
[0024]
In the access control method according to the seventh aspect, when transmitting a connection request to a network from a terminal device to a DHCP server connected to the network, a request message for the connection request is transmitted via the access control device. In the access control method of transferring to the DHCP server, the access control device stores information required for the connection request of the terminal device, and the terminal device stores user class ID identification information in the request message. A request transmitting step of transmitting a request to the authentication server, in response to the request message, the access control device assigns identification information of the user class ID to an access request message for an access request, and Transmitting the identification information to be transmitted, based on the identification information given to the access request message. The authentication server performs authentication of the terminal device, and performs an authentication step of responding to the authentication; and in response to an authentication response from the authentication server, the access control device selects one of information pooled in advance. A data transmission step of allocating necessary information to the connection request of the terminal device and responding to the terminal device.
[0025]
According to the present invention, the access control device is provided with the function of a DHCP server, and based on the identification information of the user class ID, the access control device is required to perform authentication at the authentication server and a connection request of the terminal device after the response of the authentication. By allocating the information, only the assignment of one address to a legitimate client is permitted, and the pooled address is allocated.
[0026]
The access control method according to claim 8, further comprising a determining step of determining whether or not the received packet is relayed by the access control device according to the stored information.
[0027]
According to the present invention, when information necessary for connection is allocated, it is determined whether or not a packet received from the network is relayed by using information stored in the table, and data relay filtering is performed.
[0028]
In the access control method according to the ninth aspect, when a request for connection to at least one specific network is transmitted from a terminal device to a DHCP server connected to the network, a request message for the connection request is accessed. In the access control method of transferring to a DHCP server via a control device, at least one heterogeneous network different from the specific network is interposed between the terminal device and at least one specific network to which the DHCP server is connected. And each of the specific networks is connected to an authentication server together with the DHCP server. The terminal device includes, in the request message, identification of a user class ID corresponding to a specific network among the specific networks. Add information and send A request transmitting step, an identification information transmitting step of adding identification information of the user class ID to an access request message for an access request, and transmitting the identification information to an authentication server connected to the specific network; Based on the provided identification information, the authentication server authenticates the terminal device, and performs an authentication step of responding to the authentication, and, in response to an authentication response from the authentication server, the access control device includes: A request transfer step of transmitting the request message added with the identification information of the user class ID to a DHCP server connected to the certain network, and the DHCP server according to the identification information given to the request message, Allocate necessary information to the connection request of the terminal device from among the pooled information in advance, and Characterized in that it comprises a data transfer step of responding to the terminal device via the access control device.
[0029]
According to the present invention, for example, when there are a plurality of networks to which a connection request can be made by the terminal device, the terminal device performs authentication in the authentication server and a response to the authentication based on the identification information of the user class ID corresponding to the specific network. By allocating information necessary for a terminal device connection request by the DHCP server later, only a single address can be assigned to a plurality of networks for a legitimate client, and a pooled address can be assigned. Make an assignment.
[0030]
The access control method according to claim 10, wherein the access control device stores information necessary for a connection request of the terminal device transferred from the DHCP server for each of the networks, A determining step of determining whether or not the received packet is relayed by the access control device according to the information.
[0031]
According to the present invention, when there are a plurality of connectable networks, information necessary for a connection request of a terminal device assigned to each network changes, and this information is stored in a table of the access control device. Based on this information, it is determined whether or not the packet received from the network is relayed, thereby filtering the data relay.
[0032]
In the access control method according to claim 11, in the data transfer step, the access control device sets a source address of information necessary for a connection request of the terminal device from the DHCP server to an address of the own device. The data is changed and transferred to the terminal device.
[0033]
According to the present invention, by rewriting the address of the DHCP server, which is the source address added to the information necessary for the connection request of the terminal device, to the address of the access control device and transferring the address to the terminal device, Enables re-authentication by the authentication server in response to an update request to the server.
[0034]
In the access control apparatus according to the twelfth aspect, a request message for connection request to the network, which is connected between the terminal apparatus and the network and transmitted from the terminal apparatus, is transmitted to a DHCP server connected to the network. An access control device for transferring and transmitting an access request message for an access request to an authentication server connected to the network, wherein the access control device responds to the request message to which the identification information of the user class ID transmitted from the terminal device is added. And information control means for providing identification information of the user class ID to an access request message for an access request, transmission control means for transmitting the access request message to the authentication server, and the identification information is provided. Holding means for holding a request message; Transfer the held request message to the DHCP server in response to the authentication response from the server, and transfer the information required for the connection request of the terminal device transmitted from the DHCP server to the terminal device. And control means.
[0035]
According to the present invention, based on the identification information of the user class ID given to the access request message from the access control device, the authentication at the authentication server is enabled, and further, the request message transmitted from the access control device after the response of the authentication. By assigning information necessary for a connection request of a terminal device by the DHCP server based on the identification information of the user class ID given to the client, only one address can be assigned to a legitimate client and the pool can be assigned. The assigned address.
[0036]
The access control device according to claim 13 stores the information required for the connection request of the terminal device transmitted from the DHCP server, and receives the information in accordance with the information stored in the storage device. Determining means for determining whether or not to relay the packet.
[0037]
According to the present invention, information necessary for a connection request of the terminal device is stored in the storage device of the access control device, and the presence / absence of the relay of the packet received from the network is determined by the determination device based on the information in the storage device. , Perform data relay filtering.
[0038]
Further, the access control device according to claim 14 searches circuit ID storage means for storing a circuit ID corresponding to a reception port of a message, and circuit ID storage means based on the circuit ID given to the message. Further comprising identification means for identifying a port that has received the message, wherein the transfer control means identifies a port that has received the discover message in a discover message for detecting the DHCP server transmitted from the terminal device. To the DHCP server, and deletes the circuit ID assigned to the offer message transmitted from the DHCP server, and based on the deleted circuit ID, identifies the identification means. To the port identified by And wherein the transfer of fur message.
[0039]
According to the present invention, a circuit ID is assigned to a received discover message and transferred, a circuit ID storage unit is searched from a circuit ID assigned to a received offer message, a port is identified, and an offer message is assigned to this port. By transferring the offer message, the offer message can be transferred to the port that has received the discover message.
[0040]
Further, in the access control apparatus according to claim 15, the transfer control means transfers the message after deleting a circuit ID given to a message transmitted from the DHCP server.
[0041]
According to the present invention, unnecessary data transfer is reduced by transferring a message from the DHCP after deleting an unnecessary circuit ID in the terminal device.
[0042]
17. The access control device according to claim 16, wherein the transfer control unit changes a source address of information necessary for a connection request of the terminal device from the DHCP server to an address of the own device, and Characterized by being transferred to
[0043]
According to the present invention, the transfer control means rewrites the address of the DHCP server, which is the source address added to the information required for the connection request of the terminal device, to the address of the own device and transfers the address to the terminal device. Re-authentication by the authentication server is enabled in response to an update request from the device to the DHCP server.
[0044]
An access control device according to claim 17 is connected between a terminal device and a network, and transmits a request message for a connection request to the network transmitted from the terminal device to a DHCP server connected to the network. In an access control device for transferring and transmitting an access request message for an access request to an authentication server connected to the network, a storage unit for storing information necessary for a connection request of the terminal device; and Information control means for providing the identification information of the user class ID to an access request message for an access request in response to the transmitted request message to which the identification information of the user class ID has been added; Message transmission control means for transmitting the message to an authentication server; Information allocating means for allocating information necessary for a connection request of the terminal device from information pooled in advance in accordance with an authentication response from a server, and storing the allocated information in the storage device; And information transmission control means for transmitting the information.
[0045]
According to the present invention, the access control device is provided with the information allocating means, and the information necessary for the connection request is allocated from the pooled information based on the identification information of the user class ID. Allows assignment of only one address and assigns pooled addresses.
[0046]
Further, the access control device according to claim 18 further comprises a judging means for judging whether or not the received packet is relayed according to the information stored in the storage means.
[0047]
According to the present invention, information necessary for a connection assigned at the time of assignment is stored in a table, the presence or absence of relay of a packet received from the network side is determined using this table, and data relay filtering is performed.
[0048]
In the access control apparatus according to claim 19, a request message for connection request to the specific network, which is connected between the terminal apparatus and at least one specific network, is transmitted from the terminal apparatus to the specific network. An access control device for transferring to a connected DHCP server and transmitting an access request message for an access request to an authentication server connected to the specific network, comprising: Information control means for giving the identification information of the user class ID to an access request message for an access request in response to the request message to which the identification information of the user class ID is given; Connected to Transmission control means for transmitting the request message to the authentication server, holding means for holding the request message to which the identification information is added, and connecting the held request message to the certain network in response to an authentication response from the authentication server. Transfer control means for transferring the information required for the connection request of the terminal device transmitted from the DHCP server to the terminal device while transferring the information to the designated DHCP server.
[0049]
According to the present invention, based on the identification information of the user class ID given to the access request message from the access control device, it is possible to perform authentication at the authentication server of each network, and further transmitted from the access control device after the response of the authentication. The DHCP server of each network allocates information necessary for a connection request of a terminal device based on the identification information of the user class ID given to the request message to be transmitted to a plurality of networks for a legitimate client. Only assignment of addresses is allowed, and pooled addresses can be assigned.
[0050]
Further, the access control device according to claim 20 stores the information required for the connection request of the terminal device transmitted from the DHCP server, and receives the information in accordance with the information stored in the storage device. Determining means for determining whether or not to relay the packet.
[0051]
According to the present invention, even when there are a plurality of connectable networks, information assigned to each network is stored in the storage unit, and the presence / absence of relay of the received packet is determined by the information in the storage unit based on the information in the storage unit. By judging, data relay filtering is performed.
[0052]
22. The access control device according to claim 21, wherein the transfer control unit changes a transmission source address of information necessary for a connection request of the terminal device from the DHCP server to an address of the own device, and Characterized by being transferred to
[0053]
According to the present invention, the transfer control means rewrites the address of the DHCP server, which is the source address added to the information required for the connection request of the terminal device, to the address of the own device and transfers the address to the terminal device. Re-authentication by the authentication server is enabled in response to an update request from the device to the DHCP server.
[0054]
The access control system according to claim 22, wherein in response to a connection request to a network, the access control system responds with information necessary for the connection request. A terminal device that adds and transmits information, and the access control device according to any one of claims 12 to 16, which is connected between the network and the terminal device, and which is connected to the network and is connected to the access control device. Based on the identification information of the user class ID assigned to the access request message of the above, the terminal device is authenticated, and an authentication server for responding to the authentication, and an identification server connected to the network and assigned to the request message A DHCP server for responding to the information necessary for the terminal device connection request in accordance with the information. Characterized in that was.
[0055]
According to the present invention, based on the request message transmitted by the access control device and the identification information of the user class ID given to the access request message, the authentication by the authentication server and the connection of the terminal device by the DHCP server after the response of the authentication are performed. By allocating information necessary for the request, only one address can be assigned to a legitimate client, and a pooled address is allocated.
[0056]
The access control system according to claim 23, wherein in response to a connection request to a network, the access control system responds with information necessary for the connection request. 19. A terminal device for adding and transmitting information, the access control device according to claim 17 connected between the network and the terminal device, and an access request message from the access control device connected to the network. Based on the identification information of the assigned user class ID, performs authentication of the terminal device, and comprises an authentication server for responding to the authentication, according to the authentication response from the authentication server, the access control device, Information necessary for a connection request of the terminal device is returned to the terminal device.
[0057]
According to the present invention, the access control device is provided with a function of a DHCP server, and based on the identification information of the user class ID given to the access request message transmitted by the access control device, the authentication by the authentication server and the terminal device By allocating information necessary for a connection request, only one address can be assigned to a legitimate client and a pooled address is allocated.
[0058]
Further, in the access control system according to claim 24, in the access control system for responding to information required for a connection request for each specific network in response to a connection request to at least one specific network, 22. A terminal device for transmitting a request message for the connection request to which identification information of a user class ID corresponding to a specific network is added, and the terminal device is connected between each of the specific networks and the terminal device. The access control device according to one and connected to each of the specific networks, based on the identification information of the user class ID given to the access request message from the access control device, and performs authentication of the terminal device, An authentication server for responding to the authentication, and A DHCP server that is connected to each other and responds to the information required for the connection request of the terminal device according to the identification information given to the request message, and authenticates the terminal device for each specific network and It is characterized by responding to information required for a connection request.
[0059]
According to the present invention, for example, when there are a plurality of networks to which a connection request can be made by a terminal device, based on identification information of a user class ID corresponding to a certain specific network, authentication at an authentication server and a DHCP server after an authentication response are performed. In this case, the information necessary for the connection request of the terminal device is assigned, and only the assignment of one address to each of a plurality of networks is permitted to the authorized client, and the pooled addresses are assigned.
[0060]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, preferred embodiments of an access control method, an access control device, and an access control system using the device according to the present invention will be described with reference to the accompanying drawings of FIGS. In the following drawings, the same components as those in FIG. 45 are denoted by the same reference numerals for convenience of explanation.
[0061]
(Embodiment 1)
FIG. 1 is a configuration diagram showing a configuration of an access control system according to a first embodiment of the present invention. FIG. 1 differs from FIG. 45 in that an authentication server is connected to the core network A and the PC requesting the connection is authenticated using the RADIUS protocol, and the DHCP server 10 and the PE The difference is that the configurations and operations of the router 20 and the PC 50 are different.
[0062]
First, as shown in FIG. 2, the DHCP server 10 is connected to the core network A to perform input / output of a packet such as a message, and a packet transmitting unit which is connected to the LAN interface 11 and transmits and receives a packet. 12, a packet receiving unit 13, a DHCP control unit 14 for controlling the processing of messages using DHCP, and a user setting information table 15 in which user setting information is entered.
[0063]
The DHCP control unit 14 performs packet processing according to the type of the DHCP packet, and performs processing control such as allocating a pooled IP address to the PC of the client that made the request using a request message. This processing will be described later.
[0064]
As shown in FIG. 3, the user setting information table 15 includes a user ID of the PC 50 of each client making a connection request, an assigned IP address, a subnet mask, an IP address of a PE router that relays, and a not shown. It consists of data consisting of the IP address of a DNS (Domain Name System) server and the available time of the assigned address.
[0065]
In this system, a DHCP message packet transmitted between the DHCP server 10 and the PC 50 is configured by a DHCP message to which a MAC header, an IP header, and a UDP header are added as shown in the format of FIG. . When this DHCP message is transmitted from the client to the DHCP server, among the UDP port numbers in the UDP header, d port has a value of “67”, s port has a value of “68”, and When transmitted from the DHCP server to the client, the d port has a value of “68” and the s port has a value of “67”.
[0066]
As shown in the format of FIG. 5, the DHCP message includes fields of op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, and options. Of the fields of this message, those of particular interest in this embodiment are the fields iaddr and options.
[0067]
The yaaddr is an IP address assigned to the client PC that has made a connection access request from the DHCP server, and the options field is a field for setting operation parameters. Among the options fields, those particularly relevant in this embodiment are, as shown in the format of FIGS. 6 to 13, a DHCP message type, a user class ID, relay agent information, an agent circuit ID, a subnet mask, a router, and the like. , Domain name server and IP address lease time.
[0068]
In the DHCP server 10, as shown in the flowchart for explaining the data processing operation in FIG. 14, the packet receiving unit 13 receives a packet from the LAN interface 11 (step 101). If the received packet is a DHCP packet (step 102), the DHCP control unit 14 first determines whether the received DHCP packet is a discover message (step 103). (Step 104). This message is determined by the DHCP message type option type "1-8" defined by the code "53" shown in FIG. Here, type “1” is a discover message, type “2” is an offer message, type “3” is a request message, type “4” is a DECLINE message, and type “5” is an ACK message. , Type “6” indicates a NAK message, type “7” indicates a release (RELEASE) message, and type “8” indicates an inform (INFORM) message.
[0069]
If the received DHCP message is an offer message (step 105), the packet is discarded (step 106). If the received DHCP message is a request message (step 107), a user class ID option (FIG. 7) is extracted, and the user ID in the user class data is extracted and searched for in the user setting information table 15. When this user ID is searched, each information entered in this table 15 is retrieved from the DHCP option. An ACK message is created by adding it to the field, and transmitted from the packet transmission unit 12 to the client (step 108).
[0070]
If the received DHCP message is an ACK message (Step 109), the packet is discarded (Step 110). If the received DHCP message is a discline message (Step 111), the IP address assigned in the ACK message is changed. It is determined that the packet is abnormal (step 112). In the case of a NAK message (step 113), this packet is discarded (step 114). In the case of a release message (step 115), the IP address assigned to the client is pooled. (Step 116), and in the case of an inform message (step 117), this message is recorded (step 118). If the received packet is not a message of any of these types, the packet is discarded (step 119), and the operation of the flowchart is terminated.
[0071]
FIG. 15 is a configuration diagram showing the configuration of the PE router 20 shown in FIG. In the figure, a PE router 20 is connected to a core network A or a line concentrator 30, and transmits and receives a packet. A packet transmitting unit 21 and a packet receiving unit 22, and an IP relay control unit 23 that performs a packet filtering process and a relay process. A DHCP control unit 24 that controls processing of a DHCP message using DHCP, an authentication control unit 25 that controls processing of a RADIUS message using RADIUS, and a filtering table 26 connected to the IP relay control unit 23. , And a circuit ID table 27 connected to the DHCP control unit 24.
[0072]
When receiving the packet from the core network A or the concentrator 30, the packet receiving unit 22 performs a receiving process. That is, in the PE router 20, as shown in the flowchart of FIG. 16, when the packet receiving unit 22 receives a packet (Step 201), the processing shifts to data processing in the packet receiving unit 22 (Step 202). It is determined whether the packet is either an IP packet or an ARP packet (step 203). Here, if the received packet is one of the IP / ARP packets, the received packet is output to the IP relay processing unit, and the processing shifts to data processing in the IP relay control unit 23 (step 204). If the packet is not any of the IP / ARP packets, the packet is discarded (step 205).
[0073]
The IP relay control unit 23 relays or blocks the packet based on the type of the packet received by the packet receiving unit 22 and the contents entered in the filtering table 26. 17, the filtering table 26 includes destination address and subnet mask information, source address and subnet mask information, packet input port, output port, and packet relaying information. / Entry information is associated with the entry.
[0074]
As shown in FIG. 16, when the processing operation of the PE router 20 shifts to the control of the IP relay processing unit (step 204), the IP relay control unit 23 first determines whether the received packet is a DHCP message packet (step 204). 206), in the case of a DHCP message packet, shift to the data processing of the DHCP control unit 24 (step 207). If the received packet is not a DHCP message packet, it is determined whether the received packet is a RADIUS message packet (step 208). If the received packet is a RADIUS message packet, the process proceeds to the data processing of the authentication control unit 25 (step 209).
[0075]
If the received packet is not a RADIUS message packet, the IP relay control unit 23 extracts the destination address and the source address in the received packet, and searches the filtering table based on the destination address and the source address. Then, it is determined whether the received packet is a relay packet from the relay / block information of the corresponding entry (step 211). If the received packet is not a relay packet, the received packet is discarded (step 205). If the received packet is a relay packet, the received packet is transmitted from the packet transmitting unit 21 (step 212). ).
[0076]
The DHCP control unit 24 controls the data processing according to the type of the DHCP message received using the DHCP protocol and, when receiving the discover message, refers to the circuit ID table 27 and sets the relay agent. Information is added and transferred to the DHCP server 10, and upon receiving the request message, the user class ID is taken out and the RADIUS message is transferred to the authentication server 60. In the circuit ID table 27, as shown in the configuration diagram of FIG. 18, the physical port to which the message is input, the VLAN number to which the physical port belongs, and the circuit ID information are entered in association with each other. I have.
[0077]
In this system, a RADIUS packet transmitted between the PE router 20 and the authentication server 60 is composed of a RADIUS message to which a MAC header, an IP header, and a UDP header are added, as shown in the format of FIG. . As shown in the format of FIG. 22, this RADIUS message is composed of a message code, an identifier, a message length, authentication data for authenticating the message, and an attribute value. The format includes a type, a message length, a value, and the like. In this embodiment, the fields of user name and user password indicating the type include a user ID and a password. This is the point that information is given.
[0078]
In the DHCP control unit 24, as shown in the flowchart for explaining the data processing operation of FIG. 19, when the packet receiving unit 22 receives a DHCP message packet (step 301), the DHCP control unit 24 first receives the received DHCP message packet. It is determined whether the received DHCP packet is a discover message (step 302), and if it is a discover message, the relay agent information adding process shown in FIG. 20 is performed (step 303). As described above, this message is also determined based on the DHCP message type option type "1-8" defined by the code "53" shown in FIG.
[0079]
In FIG. 20, the DHCP control unit 24 acquires the physical port and VLAN ID of the received discover message (step 401), searches the circuit ID table 27 from the acquired physical port and VLAN ID, and finds the corresponding circuit ID. Is detected (step 402). Then, it is determined whether there is a circuit ID (step 403). If the circuit ID is not in the circuit ID table 27, the received discover message is discarded, and the subsequent data processing is not performed (step 404). If there is a circuit ID, the circuit ID added to the agent information in the relay agent information option shown in FIG. 8 is added to the discover message (step 405).
[0080]
In step 303 of FIG. 19, the DHCP control unit 24 rewrites the destination address of the discover message to “the address of the DHCP server 10” and rewrites the source address to “the IP address of the own device (PE router 20)”. Send it to server 10. If the received packet is an offer message (step 304), the destination address of the offer message is rewritten to “broadcast” and the source address is rewritten to “the IP address of the own device 20” and transmitted to the PC 50 as a client (step 304). Step 305).
[0081]
If the received DHCP message is a request message (step 306), the user ID and password given to the user class data (see FIG. 7) in the user class ID option in the message are extracted. By adding these to the attribute value fields, an access-request message in the RADIUS message is created and transmitted to the authentication server 60, and the DHCP request message is stored and the access-request message in the RADIUS message is stored. Wait for an accept message to be received (step 307).
[0082]
If the received DHCP message is an ACK message (step 308), the destination address is rewritten to “broadcast” and the source address is rewritten to “IP address of own device 20” and transmitted to the client PC. At the same time, the IP address to be distributed by DHCP is registered in the filtering table 26 of the PE router 20, and the relay is permitted. Further, information on the use time in the ACK message is obtained, and a client monitoring timer (not shown) in the apparatus is restarted (step 309). The use time for permitting data relay is set for each client in this monitoring timer, and when the timer expires (step 411) as shown in the flowchart of FIG. Is changed to “blocking” to block the relay of the client, and thereafter, the data relay of the client is stopped (step 412).
[0083]
In FIG. 19, if the received DHCP message is a discline message (step 310), similar to the Discover message, an additional process of adding relay agent information to the option field is performed, and the destination address is changed to “DHCP”. The source address is rewritten to the “address of the server 10” to the “address of the own device” and transmitted to the DHCP server 10 (step 311). In the case of a NAK message (step 312), the destination address of the message is rewritten to “broadcast” and the source address is rewritten to “the IP address of the own device 20” and transmitted to the client (step 313).
[0084]
If the received DHCP message is a release message (step 314), an additional process of adding relay agent information to an option field is performed as in the case of the discover message, and the destination address is set to the address of the DHCP server 10, It rewrites the source address to its own address and sends it to the DHCP server 10, deletes the corresponding entry in the filtering table 26, and stops the client monitoring timer (step 315).
[0085]
Further, if the received DHCP message is an inform message (step 316), an additional process of adding relay agent information to an option field is performed as in the case of the discover message, and the destination address is changed to the "address of the DHCP server 10". ”And rewrite the source address to“ the address of the own device ”and transmit it to the DHCP server 10 (step 317). If the received packet is not any of these types of messages, the packet is discarded (step 318), and the operation of the flowchart is terminated.
[0086]
Next, the authentication control unit 25 performs processing control according to the code of the received RADIUS message using the RADIUS protocol. That is, as shown in the flowchart of FIG. 25, when the RADIUS packet is received from the authentication server 60 (step 421), the authentication control unit 25 determines from the code of the received packet, and determines the access-accept (Access-Accept-Access). In the case of an (Accept) message (step 422), it is determined that the authentication has been permitted, and a DHCP request message is transmitted to the DHCP server 10 (step 423).
[0087]
If the received RADIUS packet is an access-reject message (Step 424), it is determined that the authentication is not permitted, and the stored DHCP request message is discarded (Step 425). ), End the above operation.
[0088]
FIG. 26 is a configuration diagram showing a configuration of the PC 50 shown in FIG. In the figure, a PC 50 is connected to a PE router 20 via a concentrator 30 and a layer 2 switch 40, and a LAN interface 51 for inputting / outputting a DHCP packet, a packet transmitting unit 52 for transmitting / receiving a packet, and a packet receiving unit It comprises a unit 53 and a DHCP processing unit 54 for controlling the processing of the DHCP message using the DHCP protocol.
[0089]
In the PC 50, as shown in the flowchart of FIG. 27, when the DHCP is restarted by the initialization process or the command of the PC 50 (step 431), the DHCP processing unit 54 performs a request for connection access to the network. , Creates a discover message, transmits the discover message from the packet transmitting unit 52 to the PE router 20 via the LAN interface 51 (step 432), activates a monitoring timer provided therein, and waits for an offer message to be received. (Step 433).
[0090]
Until the timer times out (step 434), it is determined whether or not the offer message has been received (step 435). When the timer times out, the state transits to the communication disabled state, and the PC 50 is reset by the command to make the DHCP restart. It is in a state of waiting for activation (step 436). Next, when the offer message is received, a request message to which the user class ID is added is created, and the request message is transmitted to the PE router 20 (step 437), and the monitoring timer is started to activate the ACK message. The state transits to the reception waiting state (step 438).
[0091]
Until the timer times out, it is determined whether or not an ACK message has been received (step 440). When the timer times out (step 439), a transition is made to a communication disabled state, and the command causes the PC 50 to restart the DHCP. It is in a state of waiting for activation (step 436). Next, when an ACK message is received (step 440), information such as an IP address, a router address, and a DNS server address obtained from the message is set in an internal table (not shown), and an address use timer is started. (Step 441). Next, when this address use timer expires (step 442), a request message is transmitted to the PE router with the user class ID added.
[0092]
FIG. 28 is a configuration diagram showing the configuration of the authentication server 60. In the figure, an authentication server 60 includes a LAN interface 61 connected to the core network A for inputting / outputting a packet such as a message, and a packet transmitting unit 62 and a packet receiving unit 63 connected to the LAN interface 61 for transmitting / receiving packets. , An authentication control unit 64 that performs authentication process control using the RADIUS protocol, and an access network user authentication table 65.
[0093]
The authentication control unit 64 authenticates the received RADIUS message based on the user authentication information entered in the access network user authentication table 65. In the access network user authentication table 65, as shown in the configuration diagram of FIG. 29, a user ID and a password of a client are previously associated with each other and entered.
[0094]
In such a configuration, when the packet receiving unit 63 receives a packet via the LAN interface 61 (step 451) as shown in the flowchart of FIG. 30, the authentication server 60 determines whether the packet is a RADIUS message. (Step 452). If the packet is not a RADIUS message, the received packet is discarded (step 453). If the packet is a RADIUS message, the access network user authentication table 65 is searched from the user authentication information in the message to perform authentication. User authentication is performed by the authentication processing operation of the control unit 64 (step 454).
[0095]
When the user ID and the password in the received access-request message match the contents entered in the access network user authentication table 65, the authentication control unit 64 gives authentication permission. If the authentication has been performed (step 455), the authentication control unit 64 creates an access-accept message for the RADIUS message (step 456). If the authentication has not been permitted (step 455), the access-rejection has been performed. Is generated (step 457), and transmitted from the packet transmitting unit 62 to the core network A via the LAN interface 61 (step 458).
[0096]
Next, the operation of access control in the access control system will be described based on a sequence diagram showing a DHCP protocol sequence corresponding to authentication in FIG. 31 and a flow chart showing a message flow of the first embodiment in the entire system in FIG. explain.
[0097]
In FIG. 31 and FIG. 32, first, the PC 50 that issues a connection access request to the network in initialization processing or the like creates a DHCP discover message with a source address of “0” and a destination address of “broadcast”. The data is transmitted to the PE router 20 via the device 30 or the line concentrators 30 and 40.
[0098]
The PE router 20 that has received the discover message acquires the physical port and the VLAN ID that have received the message, searches the circuit ID table 27 from the information of the physical port and the VLAN ID, and extracts the corresponding circuit ID. . Then, a relay agent information option to which the extracted circuit ID is added is added to the discover message, the source address is “IP address of own device 20”, and the destination address is “IP address of DHCP server 10”. And transfers it to the DHCP server 10 via the core network A.
[0099]
The DHCP server 10 that has received the discover message addressed to the own device recognizes that the message is discovery and recognizes the circuit ID from the type information of the type option of the DHCP message. Next, the DHCP server 10 adds a relay agent information option (a relay agent information option added to the received discover message) to which the circuit ID has been added to the response offer message, and sets the source address to “ The destination address is set to the “IP address of the own device 10” and the “IP address of the PE router 20”, and is transmitted to the PE router 20 via the core network A.
[0100]
When receiving the offer message, the PE router 20 rewrites the source address of the offer message to “the IP address of the own device 20” and the destination address to “broadcast”. Further, the PE router extracts the circuit ID given to the received offer message, searches the circuit ID table 27 from the circuit ID, extracts a corresponding physical port, and extracts the created offer message from the extracted offer message. Via the physical port (the physical port that has previously received the discover message).
[0101]
When receiving this offer message, the PC 50 adds a user class ID option to which a user ID and a password are added, and creates a DHCP request message with a source address of “0” and a destination address of “broadcast”. This request message is transmitted to the PE router 20.
[0102]
Upon receiving this request message, the PE router 20 extracts the user ID and password (see FIG. 7) assigned to the user class ID in the message, and attaches them to the attribute value fields (see FIGS. 21 and 22). Then, a RADIUS access-request message is created, and the access-request message is transmitted to the authentication server 60. Further, the PE router 20 acquires the physical port and the VLAN that have received the request message, searches the circuit ID table 27 from the information on the physical port and the VLAN, and extracts the corresponding circuit ID. Next, the PE router 20 adds, to the request message, a relay agent information option to which the extracted circuit ID is added, and holds the request message in, for example, an internal buffer.
[0103]
Upon receiving the access-request message, the authentication server 60 extracts the user class ID from the message, and if the content of the user class ID matches the content entered in the access network user authentication table 65, The extracted user class ID is assigned to an attribute value field (see FIGS. 21 and 22), an access-accept message is created, and this message is transmitted to the PE router 20.
[0104]
Upon receiving the access-accept message, the PE router 20 extracts the user class ID (see FIGS. 21 to 23) assigned to the access-accept message. Next, the PE router 20 sets the source address of the DHCP request message held therein to “the IP address of its own device 20” and the destination address to “the IP address of the DHCP server 10”, Via A, a request message to which the relay agent information option and the user class ID are assigned is transmitted to the DHCP server 10.
[0105]
Upon receiving this request message, the DHCP server 10 extracts the user ID in the user class ID option, searches the user setting information table 15 from this user ID, and finds out the information of the corresponding entry including the assigned IP address. An ACK message is created by adding it to the field of the provided DHCP option, and the DHCP option and the relay agent information option (relay agent information option added to the received request message) to which the circuit ID is added are added. The transmitted ACK message is transmitted to the PE router 20.
[0106]
When receiving the ACK message, the PE router 20 deletes the relay agent information option from the ACK message and transmits the ACK message to the PC 50 via the concentrator 30 or the concentrators 30 and 40. When a charging server or the like is connected on the network, it is also possible to exchange a RADIUS accounting request and an accounting accept between the PE router and the charging server to exchange information regarding charging.
[0107]
Further, it is conceivable that the PC 50 acquires the IP address once, and then reacquires the IP address before the lease time expires. In this case, the user class shown in (5) of FIG. The DHCP request with the ID is transmitted from the PC 50 to the DHCP server 10. Then, by performing a sequence of repeating the operations from (5) onward in FIG. 32, it is possible to receive a continuous communication service.
[0108]
As described above, in this embodiment, the address to be assigned from the DHCP server is determined based on the combination of the class ID from the client and the circuit ID of the PE router. Therefore, only one address is assigned to one class ID. Assignment is possible, and pooled addresses can be assigned accurately. For this reason, for example, even when connecting to the network from different access points, the client can be uniquely specified by the combination of the class ID and the circuit ID. An authorized client can be specified and an address can be easily assigned.
[0109]
In addition, in this embodiment, a communication service such as content distribution is provided only to authorized clients because the filter that allows only packets addressed to the address assigned by the PE router is automatically set at the same time when the address is distributed to the client. It is possible to eliminate the client from performing a DoS (Denial of Service) attack (denial of service attack) by performing address spoofing or the like.
[0110]
Also, in this embodiment, since the multiplexing is performed using the tag VLAN, the connected line can be known depending on which VLAN. Therefore, in the present invention, for example, a VLAN ID, which is a VLAN identifier, is assigned to the value (Value) field of the agent circuit ID suboption shown in FIG. 9 and assigned from the DHCP server in combination with the circuit ID. It is also possible to configure to determine the address. In this case, the above effect can be obtained by using the access point fixedly.
[0111]
In this embodiment, only the DHCP discover message is transmitted from the client PC 50. However, the present invention is not limited to this, and a user class ID can be added to this discover message and transmitted. . In this case, it is possible to transmit an access-request message from the PE router 20 to the authentication server 60 before transferring the discover message to the DHCP server 10. As a result, an inquiry about authentication in the authentication server 60 is made. Can be performed. Therefore, in this case, when authentication is not possible, access to the DHCP server 10 becomes unnecessary, and unnecessary message transfer can be reduced.
[0112]
According to the present invention, at the time of transferring the ACK message, the IP relay control unit 23 of the PE router 20 changes the source address of the ACK message from the IP address of the DHCP server 10 to the IP address of the router 20 itself, It is also possible to transfer to the PC 50 which is a client. In this case, the next time an update request is sent from the PC 50 to the DHCP server 10, an access-request message can be transmitted to the authentication server 60 by the authentication control of the authentication control unit 25. Thus, re-authentication of the PC 50 can be enabled, and the reliability of client authentication can be improved.
[0113]
The user class ID and the circuit ID can be defined in vendor extension information which is one of the options of the DHCP message, for example, in addition to the options of the DHCP message described above. In this case, the user class ID option and the circuit ID option can be continuously added to the value (Value) of the vendor extension information using the respectively defined codes.
[0114]
(Embodiment 2)
FIG. 33 is a configuration diagram illustrating a configuration of the PE router according to the second embodiment. In the following drawings, the same components as those in FIGS. 15 and 32 are denoted by the same reference numerals for convenience of description.
[0115]
33 differs from the PE router shown in the first embodiment in that the router has a built-in function of a DHCP server, that is, the function of this server is incorporated in the DHCP control unit 24 and the user of FIG. A user setting information table 28 having the same configuration as the setting information table is connected to the DHCP control unit 24.
[0116]
In the DHCP control unit 24, as shown in the flowchart for explaining the data processing operation in FIG. 34, when the packet receiving unit 22 receives a DHCP message packet (step 501), the DHCP control unit 24 first receives the received DHCP message packet. It is determined whether the received DHCP packet is a discover message (step 502), and if it is a discover message, an offer message is transmitted to the client PC 50 (step 503).
[0117]
If the received packet is an offer message (step 504), the offer message is discarded (step 505), and if the received packet is a request message (step 506), the user class ID of the user class ID option in the message (step 506) The user ID and the password assigned to the authentication server 60 are taken out, the access-request message in the RADIUS message is created by adding the user ID and the password to the attribute value fields, and the message is transmitted to the authentication server 60. This DHCP request message is saved, and the system waits for the RADIUS access-accept to be received (step 507).
[0118]
If the received DHCP message is an ACK message (step 508), the ACK message is discarded (step 509). If the received DHCP message is a discline message (step 510), the assigned address is determined to be abnormal. (Step 511). If the message is a NAK message (step 512), the NAK message is discarded (step 513). If the message is a release message (step 514), the assigned address is returned to the pool (step 515). Further, when the received DHCP message is an inform message (step 516), the message is recorded (step 517). If the received packet is not any of these types of messages, the packet is discarded (step 518), and the operation of the flowchart is terminated.
[0119]
Next, the authentication control unit 25 performs processing control according to the code of the received RADIUS message using the RADIUS protocol. That is, as shown in the flowchart of FIG. 35, when the RADIUS packet is received from the authentication server 60 (step 551), the authentication control unit 25 determines from the code of the received packet, (Step 552), it is determined that the authentication is permitted, and the DHCP ACK message is transmitted to the client PC 50 (step 553).
[0120]
If the received RADIUS packet is an access-reject message (step 554), it is determined that the authentication has not been permitted, and the DHCP request message being held is discarded (step 555). finish.
[0121]
Next, an operation of access control in the access control system will be described based on a flowchart showing a message flow of the second embodiment in the entire system of FIG.
[0122]
Upon receiving the discover message from the PC 50, the PE router 20 transmits an offer message to the PC 50 via the port that has received the discover message.
[0123]
When receiving the offer message, the PC 50 creates a request message to which a user class ID option with a user ID and a password has been added, and transmits the request message to the PE router 20.
[0124]
The PE router 20 that has received the request message extracts the user ID and the password assigned to the user class ID in the message, assigns them to the attribute value fields, and creates a RADIUS access-request message. , Sends the access-request message to the authentication server 60.
[0125]
Upon receiving the access-request message, the authentication server 60 extracts the user class ID from the message, and if the content of the user class ID matches the content entered in the access network user authentication table 65, The extracted user class ID is assigned to the attribute value field to create an access-accept message, and this message is transmitted to the PE router 20.
[0126]
When receiving the access-accept message, the PE router 20 determines that the authentication is permitted, extracts the user ID of the user class ID option from the request message, and searches the user setting information table 28 from the user ID. An ACK message is created by adding a DHCP option field to which information of the corresponding entry including the assigned IP address is added, and the ACK message is transmitted to the PC 50.
[0127]
As described above, in this embodiment, the DHCP server is built in the PE router, and the address to be assigned by the PE router is determined only by the class ID from the client. Therefore, there is no need to set the circuit ID and a table for storing the circuit ID. Thus, the processing procedure is almost halved, the addresses can be quickly and easily assigned from the PE router, and the pooled addresses can be accurately assigned.
[0128]
Further, in this embodiment, since there are no components such as a table relating to the DHCP server and the circuit ID, it is possible to provide an access control system in which the number of parts of the access control system is reduced and the production cost is reduced. it can.
[0129]
(Embodiment 3)
FIG. 37 is a configuration diagram showing a configuration of the third embodiment of the access control system according to the present invention. In FIG. 37, the backbone networks of, for example, ISPs (Internet Service Providers) 1 to 3 that are communication carriers are connected to the PE router 70 connected to the core network A, and the authentication server 80, 82, 84 and DHCP servers 81, 83, 85 are connected in pairs. The authentication server and the DHCP server have the same configuration as the authentication server 60 and the DHCP server 10 described in the first embodiment, and the authentication servers 80, 82, 84 and the DHCP servers 81, 83, 85 It performs authentication and IP address assignment of clients that make connection access requests to the backbone network of the ISP.
[0130]
In addition, a transparent connection service is provided between the PE routers 20 and 70, in which data is relayed by tunneling over a network by using MPLS (Multi Protocol Label Switching).
[0131]
In such a system configuration, the PE router 20 is configured such that the MPLS relay control unit 31 and the MPLS label table 32 are added to the PE router described in the first embodiment, and the circuit ID table is deleted. The MPLS relay control unit 31 controls the data relay by tunneling over the core network A. The MPLS label table 32 stores the label, the corresponding VPN group number, and the information on the port to which the MPLS belongs. Has been entered.
[0132]
In the PE router 20, as shown in the flowchart of FIG. 40, when the packet receiving unit 22 receives a packet (step 601), the processing shifts to data processing in the packet receiving unit 22 (step 602). It is determined whether the packet is any of the ARP packet and the ARP packet (step 603). If the received packet is not an IP / ARP packet, it is determined whether the received packet is an MPLS packet (step 604). If the received packet is an MPLS packet, the flow shifts to a relay process by the MPLS relay control unit 31 (step 604). 605) If the packet is not an MPLS packet, the packet is discarded (step 606).
[0133]
As shown in the MPLS relay processing of FIG. 41, the MPLS relay control unit 31 searches the MPLS label table for the label value of the received packet (step 651), and if there is an entry that hits (step 652), The label is removed and the data is relayed to the port to which it belongs (step 653). If there is no entry to be hit, the packet is discarded (step 654).
[0134]
In FIG. 40, when the processing operation of the PE router 20 shifts to the control of the IP relay processing unit (step 607), the IP relay control unit 23 first determines whether the received packet is a DHCP message packet (step 608). In the case of a DHCP message packet, the flow shifts to data processing of the DHCP control unit 24 (step 609). If the received packet is not a DHCP message packet, it is determined whether the received packet is a RADIUS message packet (step 610). If the received packet is a RADIUS message packet, the process proceeds to the data processing of the authentication control unit 25 (step 611).
[0135]
If the received packet is not a RADIUS message packet, the IP relay control unit 23 extracts a destination address in the received packet, searches a filtering table based on the destination address (step 612), and receives the received packet. It is determined whether the packet is a relay packet from the relay / block information of the corresponding entry (step 613). If the received packet is not a relay packet, the received packet is discarded (step 606). If the received packet is a relay packet, a label is added to the received packet. Transmit (step 614).
[0136]
In the DHCP control unit 24, as shown in the flowchart for explaining the data processing operation of FIG. 42, when the packet receiving unit 22 receives the DHCP message packet (step 701), the DHCP control unit 24 first receives the received DHCP message packet. It is determined whether the DHCP packet is a discover message (step 702). If it is a discover message, a process of adding relay agent information is performed. Then, the DHCP control unit 24 rewrites the destination address of the discover message to the address of the DHCP server and rewrites the source address to the IP address of the own device (PE router 20), and transmits the rewritten address to the DHCP server (step 703). When transmitting a message to an authentication server or a DHCP server, the message is transmitted to a server managed for each ISP according to the value of the user class ID. This enables each ISP to perform user management and address management.
[0137]
If the received packet is an offer message (Step 704), the destination address of the offer message is rewritten to “broadcast” and the source address is rewritten to “IP address of own apparatus” and transmitted to the PC 50 (Step 705). . If the received DHCP message is a request message (step 706), the user ID and the password assigned to the user class ID option in the message are extracted, and these are assigned to the attribute value fields. An access-request message in the RADIUS message is created and transmitted to the authentication server 60, and the DHCP request message is stored to wait for the RADIUS access-accept to be received (step 707).
[0138]
If the received DHCP message is an ACK message (step 708), the destination address is rewritten to “broadcast” and the source address is rewritten to “IP address of own device” and transmitted to the client PC. (Step 709). If the received DHCP message is a discline message (step 710), as in the case of the discover message, an additional process of adding relay agent information to the option field is performed, and the destination address is changed to "DHCP server address". Then, the source address is rewritten to “the address of the own device” and transmitted to the DHCP server (step 711). In the case of a NAK message (step 712), the destination address of the message is rewritten to “broadcast” and the source address is rewritten to “IP address of own device” and transmitted to the client (step 713).
[0139]
If the received DHCP message is a release message (step 714), an additional process of adding relay agent information to the option field is performed as in the case of the discover message, and the destination address is set to the “DHCP server address”. The source address is rewritten to the "address of the own device" and transmitted to the DHCP server (step 715).
[0140]
Further, if the received DHCP message is an inform message (step 716), an additional process of adding relay agent information to the option field is performed as in the case of the discover message, and the destination address is set to the “DHCP server address”. Next, the source address is rewritten to “the address of the own device” and transmitted to the DHCP server (step 717). If the received packet is not a message of any of these types, the packet is discarded (step 718), and the operation of the flowchart is terminated.
[0141]
Next, the authentication control unit 25 performs processing control according to the code of the received RADIUS message using the RADIUS protocol. That is, as shown in the flowchart of FIG. 43, when the RADIUS packet is received from the authentication server 60 (step 801), the authentication control unit 25 determines from the code of the received packet, (Step 802), it is determined that the authentication is permitted, and a DHCP request message is transmitted to the DHCP server (step 803).
[0142]
If the received RADIUS packet is an access-reject message (step 804), it is determined that the authentication has not been permitted, the DHCP request message being held is discarded (step 805), and the above operation is performed. finish.
[0143]
Next, an access control operation in the access control system will be described based on a flowchart showing a message flow of the third embodiment in the entire system of FIG. FIG. 44 illustrates a case where a connection access request is made to the authentication server 80 and the DHCP server 81 of the ISP 1.
[0144]
First, the PC 50 making a connection access request creates a discover message to which a user class ID option with a user ID and a password is added, and transmits the message to the PE router 20 via the concentrator 30 or the concentrators 30 and 40. I do. In this case, the PC 50 previously sets a different user class ID for each ISP that issues an access request. In this case, for example, the PC 50 assigns a user class ID corresponding to ISP1 to the discover message and transmits the message.
[0145]
The PE router 20 that has received the discover message determines that the message is a discover message addressed to the DHCP server 81 of the ISP 1 based on the user class ID assigned to the message, and transfers the message to the DHCP server 81.
[0146]
The DHCP server 81 that has received the discover message addressed to the own device extracts a user class ID from the discover message, assigns the extracted user class ID, creates an offer message for response, and transmits the message to the PE router 20. I do. When receiving the offer message, the PE router 20 transfers the offer message to the PC 50 via the port that has received the discover message.
[0147]
When receiving the offer message, the PC 50 transmits a request message to which the user class ID option (see FIG. 7) is added to the PE router, and the PE router 20 transmits the user ID and the password assigned to the user class ID in the message. The access-request message is extracted and added to the attribute value field to create a RADIUS access-request message, and the access-request message is transmitted to the authentication server 80.
[0148]
Upon receiving the access-request message, the authentication server 80 extracts the user class ID from the message, and if the content of the user class ID matches the content entered in the access network user authentication table, the access-request. It creates an accept message and sends this message to the PE router 20. Upon receiving the access-accept message, the PE router 20 transmits the DHCP request message (the message to which the user class ID option is added) held to the DHCP server 81.
[0149]
Upon receiving the request message, the DHCP server 81 extracts the user ID in the user class ID option, searches the user setting information table from the user ID, and adds each information of the corresponding entry including the assigned IP address. An ACK message to which the field of the added DHCP option is added is created, and the ACK message to which the DHCP option is added is transmitted to the PE router 20. The PE router 20 transmits the received ACK message to the PC 50 via the concentrator 30 or the concentrators 30 and 40.
[0150]
As described above, in this embodiment, the address to be assigned from the DHCP server is determined by the class ID set for each ISP from the client, so that only one address can be assigned for each ISP, The ISP can appropriately assign the assigned address. This enables each ISP to perform user management and address management.
[0151]
Also, in the case of this embodiment, similarly to the above-described embodiment, at the same time as distributing the address to the client, a filter that allows only the packet addressed to the address assigned by the PE router is automatically set. Communication services such as content distribution can be provided only to users.
[0152]
In this embodiment, a transparent connection service is provided between the PE routers 20 and 70 for performing data relay by tunneling over the network using MPLS. However, the present invention is not limited to this, and the present invention is not limited to this. For example, using IP in IP Tunneling Protocol (RFC1853), IP in IPv6 (Generic Packet Tunneling in IPv6: RFC2473), or GRE (General Routing Encapsulation: RFC1701), data is transmitted over a ring using a network. Even when a transparent connection service is provided, a similar communication service can be provided.
[0153]
The present invention is not limited to these embodiments, and various modifications can be made without departing from the spirit of the present invention. For example, the inquiry to the authentication server can be optionally configured so that the user can select whether or not to inquire. In addition, the function of the authentication server and the function of the DHCP server can be provided together in one server.
[0154]
Further, according to the present invention, a distribution server for distributing contents is connected to the core network, and an IP connection is made between the distribution server and the PE router based on connection information such as an IP address obtained from a DHCP server. It is also possible to perform content distribution from the distribution server to the client by multicast.
[0155]
Further, in the present invention, for example, the system of the first or second embodiment and the system of the third embodiment can be combined. In this case, too, the identification information of the user class ID is set to a different value for each network. Therefore, it becomes possible to acquire a different IP address for each network even with the same PC.
[0156]
【The invention's effect】
As described above, according to the present invention, based on the request message transmitted from the terminal device and the identification information of the user class ID assigned to the access request message by the access control device, the authentication at the authentication server and the response of the authentication are performed. Since the information necessary for the terminal device connection request by the DHCP server is assigned, only one address can be assigned to a legitimate client, and the pooled addresses can be efficiently and accurately assigned.
[0157]
According to the present invention, information necessary for a connection request of a terminal device assigned by the DHCP server is stored in a storage unit of the access control device, and the information in the storage unit is used to determine whether a packet received by the access control device is relayed. Therefore, it is possible to appropriately perform filtering of data relay, and it is possible to prevent a client from performing a DoS (Denial of Service) attack (denial of service attack) by performing address spoofing or the like.
[0158]
Further, in the present invention, by providing a circuit ID to the discover message received by the access control apparatus and transferring the circuit ID to the DHCP server, it is possible to provide the offer message from the DHCP server with the circuit ID. It is easy to identify the destination port of the offer message.
[0159]
Further, in the present invention, the access control device is provided with a DHCP information allocation function, and based on the identification information of the user class ID, it is necessary to perform authentication at the authentication server and a connection request of the terminal device by the access control device after the response of the authentication. Since assignment of information is performed, only one address can be assigned to a legitimate client, and pooled addresses can be efficiently and accurately assigned.
[0160]
Further, in the present invention, when there are a plurality of networks to which a connection request can be made by the terminal device, the authentication by the authentication server of each network is performed based on the identification information of the user class ID given to the access request message from the terminal device. In addition, based on the identification information of the user class ID given to the request message transmitted from the access control device after the response of the authentication, the DHCP server of each network can allocate the information required for the connection request of the terminal device. Therefore, an authorized client can be assigned one address to each of a plurality of networks, and pooled addresses can be efficiently and accurately assigned.
[Brief description of the drawings]
FIG. 1 is a configuration diagram illustrating a configuration of an access control system according to a first embodiment of the present invention;
FIG. 2 is a configuration diagram illustrating a configuration of a DHCP server illustrated in FIG. 1;
FIG. 3 is a configuration diagram illustrating an example of a configuration of a user setting information table illustrated in FIG. 2;
FIG. 4 is a format diagram illustrating a configuration of a DHCP packet.
FIG. 5 is a format diagram showing a configuration of a DHCP message shown in FIG. 4;
FIG. 6 is a format diagram showing a configuration of a DHCP message type option.
FIG. 7 is a format diagram showing a configuration of a user class ID option.
FIG. 8 is a format diagram showing a configuration of a relay agent information option.
FIG. 9 is a diagram of a format showing a configuration of an agent circuit ID suboption.
FIG. 10 is a format diagram showing a configuration of a subnet mask option.
FIG. 11 is a format diagram showing a configuration of a router option.
FIG. 12 is a format diagram showing a configuration of a domain name server option.
FIG. 13 is a format diagram showing a configuration of an IP address lease time option.
FIG. 14 is a flowchart illustrating a data processing operation of the DHCP server shown in FIG. 2;
FIG. 15 is a configuration diagram illustrating a configuration of a PE router illustrated in FIG. 1;
FIG. 16 is a flowchart illustrating a data processing operation of the PE router illustrated in FIG. 15;
17 is a configuration diagram illustrating a configuration of a filtering table illustrated in FIG. 15;
18 is a configuration diagram showing the configuration of the circuit ID table shown in FIG. 15;
19 is a flowchart for explaining a data processing operation of the DHCP control unit shown in FIG.
FIG. 20 is a flowchart for explaining an operation of adding relay agent information shown in FIG. 19;
FIG. 21 is a diagram of a format showing a configuration of a RADIUS packet.
FIG. 22 is a format diagram illustrating a configuration of the RADIUS message illustrated in FIG. 21;
FIG. 23 is a diagram of a format showing a configuration of an attribute value shown in FIG. 22;
FIG. 24 is a flowchart illustrating the operation of a client monitoring timer of the DHCP control unit shown in FIG. 15;
25 is a flowchart illustrating a data processing operation of the authentication control unit illustrated in FIG.
FIG. 26 is a configuration diagram illustrating a configuration of the PC illustrated in FIG. 1;
FIG. 27 is a flowchart for explaining the operation at the time of initialization of the PC shown in FIG. 26 or restart of DHCP.
FIG. 28 is a configuration diagram illustrating a configuration of the authentication server illustrated in FIG. 1;
FIG. 29 is a configuration diagram illustrating a configuration of an access network user authentication table illustrated in FIG. 28;
FIG. 30 is a flowchart illustrating an authentication operation of the authentication server shown in FIG. 28;
FIG. 31 is a sequence diagram showing an authentication-compatible DHCP protocol sequence.
FIG. 32 is a flowchart showing a flow of a message according to the first embodiment in the entire access control system.
FIG. 33 is a configuration diagram illustrating a configuration of a PE router according to the second embodiment;
FIG. 34 is a flowchart illustrating a data processing operation of the DHCP control unit illustrated in FIG. 33;
FIG. 35 is a flowchart for explaining a data processing operation of the authentication control unit shown in FIG. 33;
FIG. 36 is a flowchart showing a message flow according to the second embodiment in the entire access control system.
FIG. 37 is a configuration diagram showing a configuration of an access control system according to a third embodiment of the present invention;
38 is a configuration diagram showing a configuration of a PE router shown in FIG. 37.
FIG. 39 is a configuration diagram showing a configuration of an MPLS label table shown in FIG. 38;
FIG. 40 is a flowchart illustrating a data processing operation of the PE router illustrated in FIG. 38;
FIG. 41 is a flowchart for explaining an MPLS relay processing operation of the MPLS relay control unit shown in FIG. 38;
FIG. 42 is a flowchart for explaining a data processing operation of the DHCP control unit shown in FIG. 38;
FIG. 43 is a flowchart illustrating a data processing operation of the authentication control unit illustrated in FIG. 38;
FIG. 44 is a flowchart showing a message flow according to the third embodiment in the entire access control system.
FIG. 45 is a configuration diagram showing a configuration of a conventional access control system.
FIG. 46 is a sequence diagram showing a DHCP protocol sequence in the access control system shown in FIG. 45;
[Explanation of symbols]
1-3 ISP
10,81,83,85 DHCP server
11, 51, 61 LAN interface
12,21,52,62 Packet transmission unit
13,22,53,63 Packet receiving unit
14,24 DHCP control unit
15 User setting information table
20,70 router
23 IP relay control unit
25, 46, 64 Authentication control unit
26 Filtering table
27 Circuit ID table
28 User setting information table
30 Concentrator
31 MPLS relay control unit
32 MPLS label table
50 PC
54 DHCP processing unit
60,80,82,84 Authentication server
65 Access Network User Authentication Table
70 PE router
A Core Network

Claims (24)

An access control method for transmitting a request message for the connection request to the DHCP server via an access control device when transmitting a connection request to the network from a terminal device to a DHCP server connected to the network,
Connecting an authentication server to the network,
A request transmission step of, in the terminal device, adding identification information of a user class ID to the request message and transmitting the request message;
In response to the request message, the access control device, in the access request message for the access request to give the identification information of the user class ID, identification information transmission step of transmitting to the authentication server,
Based on the identification information given to the access request message, in the authentication server, while authenticating the terminal device, an authentication step of responding to the authentication,
A request transfer step of transmitting, to the DHCP server, the request message to which at least the identification information of the user class ID has been added, in the access control device according to an authentication response from the authentication server;
According to the identification information given to the request message, the DHCP server allocates information necessary for a connection request of the terminal device from among pooled information in advance, and allocates the terminal device via the access control device. A data transfer process responding to the
An access control method comprising: In the access control method,
A storage step of storing, in the access control device, information necessary for a connection request of the terminal device transmitted from the DHCP server,
A determination step of determining whether the received packet is relayed according to the stored information by the access control device;
The access control method according to claim 1, further comprising: In the access control method, a detection step of transmitting a discover message for detecting a DHCP server in the terminal device;
A discovery transfer step of, in the access control device, adding a circuit ID for identifying the received port to the received discover message and transmitting the circuit ID to the DHCP server;
Providing, at the DHCP server, responding to the offer message with the circuit ID in response to the discover message;
The access control method according to claim 1, further comprising: In the access control method, the access control device assigns the circuit ID to a message transferred from the terminal device to the DHCP server, transfers the message to the DHCP server, and transfers a message transferred from the DHCP server to the terminal device. And deletes the circuit ID from the terminal device and transfers it to the terminal device.
When transmitting the response message in response to the message received from the access control device, the DHCP server appends the circuit ID assigned to the received message to the response message. The access control method according to any one of claims 1 to 3, wherein the access control method is transmitted to the access control device. The authentication server, when responding to the message from the access control device, assigns the circuit ID assigned to the message from the access control device to the response message to the response message, and The access control method according to any one of claims 1 to 4, wherein the access control method is transmitted to a control device. In the data transfer step, the access control device changes a source address of information necessary for a connection request of the terminal device from the DHCP server to an address of the own device and transfers the address to the terminal device. The access control method according to claim 1, wherein An access control method for transmitting a request message for the connection request to the DHCP server via an access control device when transmitting a connection request to the network from a terminal device to a DHCP server connected to the network,
A storage step of storing information necessary for a connection request of the terminal device in the access control device,
A request transmission step of, in the terminal device, adding identification information of a user class ID to the request message and transmitting the request message;
In response to the request message, the access control device, in the access request message for the access request to give the identification information of the user class ID, identification information transmission step of transmitting to the authentication server,
Based on the identification information given to the access request message, in the authentication server, while authenticating the terminal device, an authentication step of responding to the authentication,
In response to an authentication response from the authentication server, the access control device assigns information necessary for a connection request of the terminal device from among information pooled in advance, and a data transmission step of responding to the terminal device,
An access control method comprising: The access control method according to claim 7, wherein the access control method further includes a determining step of determining whether or not the received packet is relayed by the access control device according to the stored information. . Access for transferring a request message for the connection request to the DHCP server via an access control device when transmitting a connection request to at least one specific network from a terminal device to a DHCP server connected to the network; In the control method,
At least one heterogeneous network different from the specific network is interposed between the terminal device and at least one specific network to which the DHCP server is connected, and each of the specific networks is provided together with the DHCP server. Connect each authentication server,
A request transmitting step of, in the terminal device, transmitting the request message with identification information of a user class ID corresponding to a specific network among the specific networks;
An identification information transmitting step of adding identification information of the user class ID to an access request message for an access request and transmitting the identification information to an authentication server connected to the specific network;
Based on the identification information given to the access request message, in the authentication server, while authenticating the terminal device, an authentication step of responding to the authentication,
A request transfer step of, in response to an authentication response from the authentication server, transmitting, by the access control device, the request message to which the identification information of the user class ID has been added, to a DHCP server connected to the specific network;
According to the identification information given to the request message, the DHCP server allocates information necessary for a connection request of the terminal device from among pooled information in advance, and allocates the terminal device via the access control device. A data transfer process responding to the
An access control method comprising: In the access control method,
A storage step of storing, in the access control device, information necessary for a connection request of the terminal device transferred from the DHCP server for each network,
A determination step of determining whether the received packet is relayed according to the stored information by the access control device;
The access control method according to claim 9, further comprising: In the data transfer step, the access control device changes a source address of information necessary for a connection request of the terminal device from the DHCP server to an address of the own device and transfers the address to the terminal device. The access control method according to claim 9 or 10, wherein An authentication server connected between a terminal device and a network, for transferring a request message for connection request to the network transmitted from the terminal device to a DHCP server connected to the network, An access control device for transmitting an access request message for an access request to
Information control means for providing the identification information of the user class ID to an access request message for an access request in response to the request message to which the identification information of the user class ID transmitted from the terminal device is provided;
Transmission control means for transmitting the access request message to the authentication server,
Holding means for holding a request message to which the identification information is added,
In accordance with an authentication response from the authentication server, the held request message is transferred to the DHCP server, and information necessary for the connection request of the terminal device transmitted from the DHCP server is transferred to the terminal device. Transfer control means for causing
An access control device comprising: A storage unit configured to store information necessary for a connection request of the terminal device transmitted from the DHCP server,
Judging means for judging the presence or absence of the relay of the received packet according to the information stored in the storage means,
The access control device according to claim 12, further comprising: The access control device,
Circuit ID storage means for storing a circuit ID corresponding to a message receiving port;
Based on the circuit ID given to the message, further comprising: an identification unit that searches a circuit ID storage unit and identifies a port that has received the message.
The transfer control unit adds a circuit ID for identifying a port that has received the discover message to a discover message for detecting the DHCP server transmitted from the terminal device, and transfers the message to the DHCP server. And deleting the circuit ID given to the offer message transmitted from the DHCP server, and transferring the offer message to the port identified by the identification means based on the deleted circuit ID. 14. The access control device according to claim 12, wherein: The access control device according to any one of claims 12 to 14, wherein the transfer control unit transfers the message after deleting a circuit ID given to a message transmitted from the DHCP server. 13. The transfer control unit according to claim 12, wherein a source address of information necessary for a connection request of the terminal device from the DHCP server is changed to an address of the own device and transferred to the terminal device. 16. The access control device according to any one of 15. An authentication server connected between a terminal device and a network, for transferring a request message for connection request to the network transmitted from the terminal device to a DHCP server connected to the network, An access control device for transmitting an access request message for an access request to
Storage means for storing information necessary for a connection request of the terminal device,
Information control means for providing the identification information of the user class ID to an access request message for an access request in response to the request message to which the identification information of the user class ID transmitted from the terminal device is provided;
Message transmission control means for transmitting the access request message to the authentication server,
In accordance with an authentication response from the authentication server, from the information pooled in advance, information necessary for the connection request of the terminal device is allocated, and information allocating means for storing in the storage means,
Information transmission control means for transmitting the assigned information to the terminal device,
An access control device comprising: 18. The access control device according to claim 17, wherein the access control device further includes a determination unit that determines whether or not the received packet is relayed according to the information stored in the storage unit. A request message for connection request to the specific network, which is connected between the terminal device and at least one specific network, and transmitted from the terminal device to a DHCP server connected to the specific network; An access control device for transmitting an access request message for an access request to an authentication server connected to a network,
In response to a request message from a terminal device to which identification information of a user class ID for a certain specific network among the specific networks has been added, the identification information of the user class ID is added to an access request message for an access request. Information control means;
Transmission control means for transmitting the access request message to an authentication server connected to the certain network,
Holding means for holding a request message to which the identification information is added,
In response to an authentication response from the authentication server, the request message stored is transferred to a DHCP server connected to the specific network, and information necessary for a connection request of the terminal device transmitted from the DHCP server is transmitted. Transfer control means for transferring to the terminal device,
An access control device comprising: A storage unit configured to store information necessary for a connection request of the terminal device transmitted from the DHCP server,
Judging means for judging the presence or absence of the relay of the received packet according to the information stored in the storage means,
20. The access control device according to claim 19, further comprising: 20. The transfer control unit according to claim 19, wherein a source address of information necessary for a connection request of the terminal device from the DHCP server is changed to an address of the own device and transferred to the terminal device. 21. The access control device according to 20. In an access control system that responds to a connection request to a network with information necessary for the connection request,
A terminal device for adding identification information of a user class ID to a request message for the connection request and transmitting the request message;
The access control device according to any one of claims 12 to 16, which is connected between the network and a terminal device;
An authentication server that is connected to the network and authenticates the terminal device based on identification information of a user class ID given to an access request message from the access control device, and performs a response to the authentication;
A DHCP server connected to the network and responding to the information required for the connection request of the terminal device according to the identification information given to the request message;
An access control system comprising: In an access control system that responds to a connection request to a network with information necessary for the connection request,
A terminal device for adding identification information of a user class ID to a request message for the connection request and transmitting the request message;
The access control device according to claim 17 or 18, wherein the access control device is connected between the network and a terminal device.
An authentication server that is connected to the network and authenticates the terminal device based on identification information of a user class ID given to an access request message from the access control device, and performs a response to the authentication;
An access control system, wherein the access control device responds to the terminal device with information necessary for a connection request of the terminal device in response to an authentication response from the authentication server. An access control system for responding to information required for a connection request for each specific network in response to a connection request to at least one specific network,
A terminal device that transmits a request message for the connection request to which identification information of a user class ID corresponding to a certain specific network is assigned,
The access control device according to any one of claims 19 to 21, wherein the access control device is connected between each of the specific networks and a terminal device.
An authentication server that is connected to each of the specific networks and performs authentication of the terminal device based on identification information of a user class ID given to an access request message from the access control device, and performs a response to the authentication;
A DHCP server connected to each of the specific networks, and responding to the information required for the connection request of the terminal device according to the identification information given to the request message;
And an access control system for performing authentication of a terminal device and response of information necessary for a connection request of the terminal device for each of the specific networks.

Images