JP3382162B2 - Access management method and communication device - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an access management method and a communication device in, for example, an optical cable network connected in a ring shape.

[0002]

2. Description of the Related Art In recent years, there has been a demand for the development of a broadband ISDN based on a globally unified user network interface.
SDH (Synchronous Digital Hierarchy) that can uniformly multiplex various high-speed services and existing low-speed services
Has been standardized. In this trend, SD
Various communication devices conforming to the H system have been developed, and work for laying large-capacity optical submarine cables internationally and connecting SDH communication devices provided in each country with each other is also in progress.

SDH is based on the premise of communication by optical fiber, and by utilizing its enormous capacity, various control information can be exchanged between communication devices. Taking advantage of this feature, and from the viewpoint of resistance to failures and ease of maintenance work, a network in which communication devices of each country are connected to each other in a ring shape has been constructed and has been put into practical use.

In such an international ring network system, the communication carriers of each country jointly operate the network. That is, each telecommunications carrier owns at least one monitoring control device, and uses this to monitor the communication device on the network and the network itself and perform various settings.

[0005]

However, there are problems peculiar to such an international ring network system, and it has been pointed out that the following problems occur. That is, in the above system, the access from the monitoring control device to the communication device is not restricted in order to allow the communication carriers of each country to operate jointly. In other words, the monitoring and control device of any business operator has permitted unlimited access to the communication device of another business operator.

[0006] Furthermore, the supervisory control device has the same function for all the communication devices to be monitored and controlled. In other words, since there is no difference between the supervisory control function for the communication device at the A station (in A country) and the supervisory control function for the communication device at the B station (in B country), access to all functions provided in each communication device is performed. Is possible.

However, among the functions provided in each communication device, some of the functions belonging to the operation closed for each telecommunications carrier in each country may be accessed from the monitoring control device of another country (for example, an alarm generating function). There are things I want to avoid. For this reason, it is necessary to limit access by some method, but a system satisfying such a request has not yet been known.

In summary, in the international ring network system, since the supervisory control device has the same function for all the communication devices to be monitored and controlled, the supervisory control device can access the communication device. To
It may be necessary to limit it by some method.

The present invention has been made under the above circumstances,
An object of the present invention is to provide an access management method and a communication device capable of restricting access to the communication device from the monitoring control device.

[0010]

In order to achieve the above object, the present invention provides: (1) a plurality of communication devices connected in a ring shape via a transmission line to form a ring network;
A method of managing access from the monitoring control device to the communication device, in a ring network system comprising a monitoring control device that performs monitoring control of the ring network, wherein an access request to the communication device is generated from the monitoring control device. In this case, the first acquisition of the identification information of the supervisory controller that is the source of the access request
And a first table in which the level of the monitoring control device is associated in advance with the identification information of the monitoring control device,
From the second step in which the level of the requesting supervisory control device is retrieved by searching using the identification information obtained in the first step as a key, and the supervisory control device from the request message received from the supervisory control device. A third step of extracting the control function of the communication device which requests access and the operation type for the control function, and the allowable supervisory control device for each operation type performed for each of the control functions. The second table in which the levels are associated in advance is searched using the control function and the operation type obtained in the third step and the level of the supervisory control device obtained in the second step as keys. And a fourth step of determining whether or not the access request is permitted.

The present invention also relates to the communication device used in the above ring network system,
(2) When the monitor control device issues an access request to the device itself, an identification unit that acquires identification information of the monitor control device that is the requester of the access, and the monitor control device in the identification information of the monitor control device. Storage means for storing a first table in which the levels are associated in advance, and the monitoring control device of the request source by searching the first table using the identification information acquired by the identification means as a key. A level determining means for acquiring the level of the control function, and an extracting means for extracting, from the request message received from the monitoring control device, the control function of the own device to which the monitoring control device requests access and the operation type for the control function. , A second table storing a second table in which the level of the allowable monitoring control device is associated in advance for each operation type performed for each of the control functions. The second storage means and the second table are searched by using the control function and the operation type extracted by the extraction means and the level of the supervisory control device acquired by the level determination means as keys, And an access determination unit that determines whether or not the access request is permitted.

Further, in the present invention, in order to identify the supervisory controller of the access request source, information or a request message at the time when the communication device establishes a communication path with the supervisory controller of the access request source is sent. It is characterized by using.

By taking such means, when the monitoring control device in the network requests access to a certain communication device, the identification information of the monitoring control device is first acquired in the communication device and the corresponding monitoring is performed. The level of the controller is determined. For example, the monitoring control device of the same business operator has a high level and the monitoring control device of another business operator has a low level. The level is stored in each communication device, and the determination of the level is made based on this table.

On the other hand, from the access request received by the communication device, the function of the communication device for which the monitoring control device requests access and the type of operation for that function are extracted.
A second table as shown in, for example, FIG. 5 is stored in advance in each communication device in which the level of operation permitted for each function is associated with each level of the monitoring control device. By using the determined level and the extracted function and operation type as keys, permission / prohibition of the transmitted access request is determined based on the second table.

That is, information indicating (a) which monitoring control device is the request source, (b) what function, and (c) what the user wants to do with the function is acquired. Whether or not to permit the sent access request is determined based on the information in (1).

By providing such a function, on the communication device side, for functions that need to be commonly operated by a plurality of communication carriers, access from the monitoring control device of each communication carrier is permitted, For a function individually closed by each communication carrier, only the access from the monitor control device of a specific communication carrier can be permitted, and the access from other monitor control devices can be denied.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a substance configuration diagram of an information communication system according to an embodiment of the present invention. The present embodiment is premised on an SDH-compliant ring network, and m transmission devices N1 to N1 as communication devices are used.
Nm is connected in a ring via a high speed line FL such as an STM-16 line. Of the information transmitted on the high-speed line FL, information on any channel is transmitted by the transmission devices N1 to N.
At m, it is dropped on the low-speed line SL and sent to a communication device (not labeled) such as a switch.

Here, the supervisory control devices WS1 to WSm are connected to the respective transmission devices N1 to Nm via LANs (Local Area Networks) L1 to Lm, respectively. These monitor and control devices WS1 to WSm are realized, for example, as general-purpose workstations, and perform status monitoring for the high-speed line FL and various settings for the transmission devices N1 to Nm.

FIG. 2 shows a logical configuration of the information communication system according to this embodiment. Each monitoring control device WS1 to W
A communication management network MNW for exchanging various control information between Sm and each of the transmission devices N1 to Nm is formed. This communication management network M
The NW may be either multiplexed on the high-speed line FL or formed by a line different from the high-speed line FL.

FIG. 3 shows a transmission device N according to this embodiment.
1 shows the main part configuration of Nm. That is, each transmission device N1
To Nm are communication control units 6 that perform control related to communication with the monitoring control devices WS1 to WSm and other transmission devices.
And sub-controllers 11 and 12 to which dedicated functions such as communication path setting and alarm detection are assigned, respectively.
And a main controller 2.

Here, the main controller 2 monitors and controls the sub-controllers 11 and 12 WS1-W.
In order to manage access from Sm, an access management control unit 3, a storage unit 4 storing various data and programs related to this management control, and a message distribution unit 5 are provided.

The access management control unit 3 includes the extraction means 31.
And a level determination means 32 and an access determination means 33, and the storage unit 4 includes the level determination table 4
1 and the access determination table 42 are stored in advance.

The level determination table 41, as shown in FIG. 4, is an identification name (I
D) is associated with a predetermined level of each supervisory control device. In addition, the access determination table 42
As shown in FIG. 5, the monitoring control for permitting access for each function (target function 1, target function 2, ...) Of each monitoring control device and operation type (GET, SET, ...) For the function. It corresponds to the level of the device.
That is, for each access target function, it is predetermined which operation type is permitted up to which level the monitoring control device.

Extraction means 3 in the access management control unit 3
1 is a function (sub-controller 11, which the monitor controller of the request source requests access from the received request message).
The functions implemented by each of 12 are, for example, functions such as communication path management) and the operation types (settings for communication paths) for the functions are extracted.

The level determination means 32 searches the level determination table 41 with the identification information of the requesting supervisory control device obtained by the identifying means 61 (described later) as a key to determine the level of the requesting supervisory control device. It is a thing. The access judging means 33 makes an access by using the function of the requesting supervisory control device obtained by the extracting means 31, the operation type for this function, and the level of the supervisory control device obtained by the level determining means 32 as keys. The determination table 42 is searched to determine whether or not the sent access request can be permitted.

When the requested access is permitted, the message distributing means 5 causes the sub-controller which realizes the control function of the request destination to execute that function.

The communication control section 6 comprises an identification means 61 and an association table 62. Of these, the identification means 61
When receiving an access request for its own device from any of the monitor control devices WS1 to WSm, the monitor control device determines the monitor control device from the information at the time when the communication path with the monitor control device of the request source is established, or the request message itself. It is to identify.

As shown in FIG. 13, the association table 62 is a file used when the identification name (ID) of the supervisory control device acquired by the identifying means 61 is used to establish an association with the supervisory control device. The descriptors are associated with each other and recorded in a table format. The recorded contents of the association table 62 are dynamically updated (added and deleted). When establishing an association with a plurality of supervisory control devices, different file descriptors are used for each supervisory control device by opening different streams for each supervisory control device. Can be something.

The extraction means 31, the level determination means 32, the access determination means 33, the message distribution means 5, and the identification means 6 are realized as a program (software) written in a recording medium such as a semiconductor memory. . The level determination table 41, the access determination table 42, and the association table 62 are SRAMs.
(Static Random Access Memory) or Flash memory (Flash EEPROM: Flash Electrically E)
Rewritable storage means such as rasable Programmable Read Only Memory (RAM (Random Access Memor)
y)).

Next, the access management control unit 3 of this embodiment
The processing procedure in FIG. 6 will be described. Prior to this, the message flow in the above configuration will be described with reference to the message flow diagram in FIG.

In FIG. 6, monitoring control devices WS1 to WS are provided.
The request message 1000 sent from m is sent to the access management control unit 3 after the request source information is added by the identification unit 61 in the communication control unit 6. In the access management control unit 3, the level determination unit 32 determines the level of the monitoring control device based on the acquired request source information, and passes the determination result 4000 to the access determination unit 33. Also,
The extraction unit 31 extracts the information 3000 indicating the access target function and its operation type, and the access determination unit 3 extracts the information 3000.
Give to 3.

The access determination means 33 determines permission / non-permission of the access request based on these pieces of information. If the access determination unit 33 determines that the access is not permitted, the rejection response 5000 is returned to the communication control unit 6,
This refusal response 5000 is returned to the monitoring control device that has made the access request. Then, only the request message 1000 from the supervisory control device to which access is permitted is sent to the message distribution means 5 and transferred to the target sub-controller (11 or 12).

Now, the processing procedure for identifying the control device in the above configuration will be described with reference to the flowchart of FIG. In step S1 of FIG. 7, the identification means 61 opens a stream with the process that implements the communication protocol, and in step S2 that follows, monitors the exchange of the association establishment request. Here, if it is determined that the association establishment request is received or transmitted (Yes),
In the following step S3, the identification means 61 acquires the identification information of the monitoring control device from the association establishment request.

Here, each opened stream can be identified by a file descriptor. Therefore, the identifying means 61 associates the supervisory control device identification information with the file descriptor in step S4, and holds this in the association table 62.

Next, the identifying means 61 moves to step S5 and determines whether or not the request message sent from the monitor controller is received. If it is determined that the message has been received (Yes), the identifying unit 61 proceeds to step S6,
The association table 62 is searched by using the file descriptor used when the request message is received as a key, the monitoring control device of the request message transmission source is identified, the result is added to the received message, and the access management control unit 3 is added. hand over.

On the other hand, if the request message is not received in step S5 (No), the identifying means 61 moves to step S7 and determines whether the association release request or the disconnection request is given or received. Transfer here / Yes (Yes)
If so, the identifying unit 61 acquires the file descriptor of the association in step S8, and deletes the association between the file descriptor and the identification information from the association table 62 in subsequent step S9.

By the processing procedure as described above, the supervisory control device that has issued the operation request to this transmission device is identified, and the result is returned to the communication control unit 6. Next, a control procedure for extracting the access target function and the operation type for the function in the access management control unit 3 will be described. In the following description, OSI (Open System Interconnection)
), The CMIP (Common
A method of extracting the access target function and its operation type from the request message using the Management Information Protocol will be described as an example.

FIG. 8A shows an example of the request message structure in CMIP. Each operation defined in CMIP (GET, SET, CREATE)
E, DELETE, ACTION) has a common configuration from the header information of FIG. 8A to the object instance. As a format of the request message 1000 to which the request source information is added, which is passed from the identifying unit 61 to the access management control unit 3, for example, the format shown in FIG. 8B can be considered.

In the flowchart of FIG. 9, the extracting means 31 extracts the object class 303, the object instance 304, and the operation value 302 from the request message 1000 sent from the communication control unit 6 in step S10.

In the next step S11, the extraction means 31
Uses the object class 303 and the object instance 304 as the access target functions, and identifies the operation type from the operation value 302.

Then, in the following step S12, the extraction means 31 passes the information 3000 indicating the obtained access target function and operation type to the access determination means 33.
Next, a control procedure in the access management control unit 3 for determining the level of the monitor control device as the access request source will be described with reference to the flowchart of FIG. Level determination means 3
2 is the request message 10 in step S13 of FIG.
00 to retrieve the information indicating the requesting supervisory control device.
This information is added to the received message by the identifying means 61.

In the next step S14, the level determination means 32 searches the level determination table 41 using the received request source information as a key to determine the level of the monitor control device of the request source, and in the subsequent step S15 this level. Judgment result 4
000 is passed to the access determination means 33.

Next, the procedure of the access management control unit 3 for determining whether to permit or deny the requested access will be described with reference to the flowchart of FIG. In step S16 of FIG. 11, access determination means 33
Is information 300 indicating the access target function and its operation type.
0 is received from the extraction means 31.

In the subsequent step S17, the access determination means 33 uses the received access target function and the information 3000 indicating the operation type as a key to determine the access determination table 4
Search for 2 to get the allowed levels.

In the next step S18, the access judging means 33 compares the level of access permitted with the level of the requesting supervisory control apparatus, and the requesting supervisory control apparatus determines that the access is permitted. If it is included in the permitted level, it is judged as "permitted", and if it is not included, it is judged as "rejected".

Here, when it is determined that the message requesting access is permitted, the access determination means 33
The received request message 1000 is passed to the message distribution means 5 in step S19. On the other hand, step S18
When the refusal is determined in step S3, the access determination unit 33
The rejection response 5000 is passed to the communication control unit 6 and the received request message 1000 is discarded. This rejection response 5
000 is sent via the communication control unit 6 to the supervisory control device that is the source of the request message.

The above processing procedure will be collectively described below. For example, the identification information of each of the monitoring control devices WS1 to WSm indicates Tokyo1 and Tokyo that are shown in order from the top of FIG.
2, the Hong Kong 2 ... Is set, the access determination table 42 of FIG. 5 is stored in the transmission device N1, and it is assumed that the access request from the monitoring control device WS1 is received in the transmission device N1. To do.

Then, the transmission device N1 first obtains the identification information (Tokyo1) of the supervisory control device WS1 as shown in the flowchart of FIG. 12 (step S2).
1). Then, in the transmission device N1, this monitoring control device WS
The level of 1 is determined with reference to the level determination table 41 of FIG. 4 (step S22). Therefore, it is determined here as "level 1".

Then, the transmission device N1 extracts the operation type and the access target function that the monitoring control device WS1 requests to access (step S23). here,
Target function 1 in the access determination table 42 of FIG.
Then, it is assumed that the operation type ACTION is extracted. Finally, the transmission device N1 refers to the access determination table 42 and determines whether or not the access is permitted (step S24).

In the access determination table 42, the ACTION command for the target function 1 is permitted to the level 1 or level 2 monitoring control device. Therefore, access from the visual control device WS1 is permitted,
This access request is passed to the sub-controller (for example, the sub-controller 11) that realizes the target function 1, and the ACTION command for the target function 1 is executed.

Similarly, the monitoring control device WS5 (identification name Sa
n FRAN1) to control function 1 from ACTIO
The N request is also permitted because the level of the monitor control device WS5 is 2. On the other hand, from the supervisory controller WS2 (level 3) to the ACTI for the target function 1
When the execution of the ON command is requested, the access determination table 42 does not permit access to the level 3 supervisory controller, so the request is rejected.

Thus, in this embodiment, the transmission devices N1 to N1.
Each Nm first acquires the identification information of the monitor control device that requested access, and determines the level uniquely determined for each monitor control device WS1 to WSm. Further, the supervisory control device identifies the function requesting access and its operation type, and then determines whether or not the access is permitted based on a predetermined table.

Since this is done, the transmission devices N1 to Nm
On the side, for functions that need to be commonly operated among multiple telecommunications carriers, for functions that are permitted to be accessed from the supervisory controller of each telecommunications carrier and individually closed by each telecommunications carrier, Then, it becomes possible to permit only the access from the monitor and control device of a specific communication carrier and to deny the access from other monitor and control devices.

[0054]

As described in detail above, according to the present invention, it is possible to provide an access management method and a communication device capable of restricting access to the communication device from the monitor control device.

[Brief description of drawings]

FIG. 1 is a diagram showing a substantial configuration of an information communication system according to an embodiment of the present invention.

FIG. 2 is a diagram showing a logical configuration of an information communication system according to an embodiment of the present invention.

FIG. 3 is a transmission device N1 according to the embodiment of the present invention.
The figure which shows the principal part structure of Nm.

FIG. 4 is a diagram showing the contents of a level determination table 41.

FIG. 5 is a diagram showing the contents of an access determination table 42.

FIG. 6 is a diagram showing a message flow in an access management procedure according to the embodiment of this invention.

FIG. 7 is a flowchart showing a processing procedure when identifying a supervisory control device that has sent an operation request to a transmission device according to an embodiment of the present invention.

FIG. 8 is a diagram showing an example of a request message structure in CMIP.

FIG. 9 is a flowchart showing a processing procedure for extracting an access target function and an operation type for the function according to the embodiment of the present invention.

FIG. 10 is a flowchart showing a processing procedure for determining the level of the monitor control device of the access request source according to the embodiment of the present invention.

FIG. 11 is a flowchart showing a processing procedure for determining permission / prohibition of a requested access according to the embodiment of the present invention.

FIG. 12 is a transmission device N1 according to the embodiment of the present invention.
The flowchart which summarized each processing procedure of-Nm.

FIG. 13 is a diagram showing the contents of an association table 62.

[Explanation of symbols]

N1 to Nm ... Transmission device WS1 to WSm ... Monitoring and control device L1 to Lm ... LAN (Local Area Network) FL ... High-speed line SL ... Low speed line MNW ... communication management network 11, 12 ... Sub controller 2 ... Main controller 3 ... Access management control unit 31 ... Extraction means 32 ... Level determination means 33 ... Access determination means 5: Message distribution means 4 ... storage unit 41 ... Level judgment table 42 ... Access determination table 6 ... Communication control unit 61 ... Identification means 62 ... Association table 1000 ... request message 3000 ... Information indicating the access target function and its operation type 4000 ... Level judgment result 5000 ... Rejection response

Continuation of front page (56) Reference JP-A-63-263937 (JP, A) JP-A-4-264864 (JP, A) JP-A-10-105516 (JP, A) JP-A-11-296467 (JP , A) (58) Fields investigated (Int.Cl. ⁷ , DB name) H04L 12/42

Claims (4)

(57) [Claims] 1. A monitoring control device in a ring network system, comprising: a plurality of communication devices connected in a ring shape via a transmission path to form a ring network; and a monitoring control device for performing monitoring control on the ring network. A method of managing access to the communication device, the method comprising: a first step of acquiring identification information of a monitor control device that is a request source of the access when the monitor control device issues an access request to the communication device. The monitoring control device of the request source is searched by searching the first table in which the identification information of the monitoring control device is associated with the level of the monitoring control device in advance, using the identification information acquired in the first step as a key. From the request message received from the monitoring controller, the second step of acquiring the level of A third method for extracting a control function of a communication device requested by the control device and an operation type for the control function
And a second table in which allowable levels of the monitoring and control device are associated in advance for each operation type performed for each of the control functions, the control function obtained in the third step. And using the operation type and the level of the supervisory control device obtained in the second step as keys,
A fourth step of determining whether or not the access request is permitted. 2. The first step is information at the time when the communication device establishes a communication path with the monitor controller of the access request source, or identification information of the monitor controller of the access request source from the request message. The access management method according to claim 1, characterized in that 3. The communication used in a ring network system, comprising: a plurality of communication devices connected in a ring shape via a transmission line to form a ring network; and a supervisory control device for performing supervisory control on the ring network. In the device, when the monitor control device issues an access request to the device itself, an identification unit that acquires identification information of the monitor control device that is the requester of the access, and the monitor control device in the identification information of the monitor control device. Storage means for storing a first table in which the levels are associated with each other in advance, and the monitoring control device of the request source by searching the first table using the identification information acquired by the identification means as a key. Level determining means for acquiring the level of the monitoring control device, and the request message received from the monitoring control device from the monitoring control device. Extraction means for extracting the control function of the device itself, which the device requests access, and the operation type for the control function, and the allowable level of the monitoring control device for each operation type performed for each of the control functions. And a second storage unit that stores a second table that associates with each other in advance, and the second table acquired by the control function and the operation type extracted by the extraction unit and the level determination unit. A communication device comprising: an access determination unit that determines whether or not the access request is permitted by searching with the level of the monitoring control device as a key. 4. The identifying means obtains information at the time when the device establishes a communication path with the monitor controller of the access request source or the identification information of the monitor controller of the access request source from the request message. The communication device according to claim 3, wherein the communication device is a device.