JP5742268B2 - COMMUNICATION SYSTEM, CONTROL DEVICE, COMMUNICATION METHOD - Google Patents

Description

  The present invention relates to a communication system, a control device, a communication method, and a program, and more particularly, to a communication system, a control device, a communication method, and a program having a control device that centrally controls nodes arranged in a network.

  With the spread of networks such as the Internet, users can connect devices such as computers to the network to communicate with other devices and receive various services.

  When devices connected to the network communicate with each other, the devices communicate based on their identification information. An example of identification information is an IP address. The IP address is an identifier (ID) for identifying a device connected to the network, and has a role as position information indicating the position of the device in the network. For example, an IP address prefix is position information. When the devices communicate with each other, it is possible to execute route control based on the position information with reference to the position information.

  On the other hand, with the recent increase in portable devices (hereinafter referred to as “mobile devices”), a technique for separating and managing an identifier for identifying a mobile device and position information indicating the position of the mobile device has become widespread. doing. When using identification information including both an identifier and location information, such as an IP address, if the connection point between the mobile device and the network changes as the mobile device moves, the identification information allocated to the mobile device is also changed. End up. This is because the location information changes when the connection point changes. When the identification information is changed, the identifier of the mobile device is also changed, so that it is difficult to maintain the network connection of the mobile device. This is the reason why techniques for separately managing identifiers and location information of mobile devices are widespread.

  From the background as described above, Patent Document 1 describes the position receiving unit that holds the position information of its own device and receives the position information of the wireless communication device of the communication partner, the position information of the wireless communication device of the communication partner, and its own information. Based on the position information of the device, distance calculation means for calculating the distance to the communication partner wireless communication device, distance measurement means for measuring the distance to the communication partner wireless communication device, and the communication partner calculated by the distance calculation means A position determining unit that determines whether or not the position information of the wireless communication device of the communication partner is correct based on the distance from the wireless communication device and the distance of the wireless communication device of the communication partner measured by the distance measuring unit; There is disclosed a wireless communication device having communication enable / disable determining means for determining whether or not communication with a wireless communication device of a communication partner is possible based on the determination result by the above.

JP 2008-236262 A

Nick McKeown and 7 others, “OpenFlow: Enabling Innovation in Campus Networks”, [online], [December 22, 2010 search], Internet <URL: http: // www. openflowswitch. org // documents / openflow-wp-latest. pdf> “OpenFlow Switch Specification” Version 1.0.0. (Wire Protocol 0x01) [Search on December 22, 2010], Internet <URL: http: // www. openflowswitch. org / documents / openflow-spec-v1.0.0. pdf>

  The following analysis is given by the present invention. As described above, under the situation where the technique for separately managing the identifier and the location information is widespread, it becomes difficult to determine the location of the terminal from the identifier of the terminal, and the terminal moves from the appropriate location to the access destination. There is a problem that it is not possible to guarantee that the connection is being made. Conversely, if it can be confirmed that the terminal is in an appropriate position, there is a need to allow access within a certain range.

  In this regard, the technique disclosed in Patent Document 1 has a problem in that each mobile device must be provided with a distance measuring means for communicating with each other.

  The present invention has been made in view of the above-described circumstances, and its object is to provide a communication system, a control device, and a communication method having the above-described terminal location guarantee function and an access control function according to the location. And to provide a program.

According to a first aspect of the present invention, a plurality of nodes that transfer packets, a terminal that connects to at least one of the plurality of nodes and accesses a network, and the terminal is connected among the plurality of nodes. In response to a request from a node, a control device that controls a node on a transfer path of a packet transmitted from the terminal among the plurality of nodes to perform packet transfer, and for each user of the terminal, An authentication device that notifies the control device of constraint information in which location information of a packet transmission source, location information of a transmission destination of the packet, and information indicating whether or not to permit connection are associated with each other; wherein said control unit includes means for storing position information of each of the plurality of nodes, among the nodes which the terminal is connected, the nodes to impose a position constraint of the destination, the certification Means for storing the constraint information notified from the device, the position information of the node in which the terminal is connected, on the basis of said constraint information, means for determining a transfer possibility of the packet, the communication system including the provided The

According to a second aspect of the present invention, the plurality of nodes are connected to a plurality of nodes that transfer a packet transmitted from a terminal, and the plurality of nodes are configured in response to a request from a node to which the terminal is connected. Among the nodes, means for controlling a node on a transfer path of a packet transmitted from the terminal to perform packet transfer , position information of a node connectable to the terminal for each user of the terminal, and the terminal Means for receiving constraint information in which position information of a transmission destination of a packet transmitted from is associated with information indicating whether or not to permit connection, and means for storing position information of each of the plurality of nodes When, among the nodes which the terminal is connected, the nodes to impose a position constraint of the destination, and means for storing the received restriction information, the position information of the node that sent the setting request, Based on the serial constraint information, the controller comprising means for determining a transfer possibility of the packet, is provided.

According to a third aspect of the present invention, a unit connected to a plurality of nodes that transfer packets transmitted from a terminal and stores position information of each of the plurality of nodes, and for each user of the terminal, Means for receiving constraint information in which position information of a node connectable to a terminal, position information of a transmission destination of a packet transmitted from the terminal, and information indicating whether or not to permit connection are associated with each other; A controller that stores the received restriction information for a node that imposes a positional restriction on a destination among the nodes to which the terminal is connected, and the terminal is connected to the terminal among the plurality of nodes. In response to a request from a node, a step of determining whether or not to transfer a packet based on position information of the node to which the terminal is connected and the constraint information, and as a result of the determination, packet transfer And if it is determined, among the plurality of nodes, communication method comprising the steps of: controlling the nodes on the transfer route of the packets sent to perform packet transfer from said terminal is provided. This method is linked to a specific machine called a control device that controls the plurality of nodes described above.

  According to a fourth aspect of the present invention, there are provided means for storing position information of each of the plurality of nodes connected to a plurality of nodes that transfer packets transmitted from the terminal, and a node to which the terminal is connected. Among these, a node that imposes a positional constraint on a transmission destination, a storage unit that stores restriction information that defines a transmission destination that cannot be transmitted from the node, In response to a request from the node to which the terminal is connected among the nodes, a process for determining whether or not to transfer a packet based on position information of the node to which the terminal is connected and the constraint information; and As a result, when it is determined that the packet can be transferred, the process of controlling the node on the transfer path of the packet transmitted from the terminal among the plurality of nodes to perform the packet transfer With the program for the execution is provided. This program can be recorded on a computer-readable storage medium. That is, the present invention can be embodied as a computer program product.

  According to the present invention, it is possible to provide the network side with a terminal location guarantee function and an access control function according to the location.

It is a figure for demonstrating the outline | summary of this invention. It is a figure showing the structure of the 1st Embodiment of this invention. It is a block diagram showing the structure of the node of the 1st Embodiment of this invention. It is a figure which shows the structure of the process rule set to the node of the 1st Embodiment of this invention. It is a figure for demonstrating the processing content set to the action field of the processing rule of FIG. It is a block diagram showing the structure of the control apparatus of the 1st Embodiment of this invention. It is an example of the table hold | maintained at the location database (location DB) of the control apparatus of the 1st Embodiment of this invention. It is an example of the table hold | maintained at the restrictions information database (restriction information DB) of the control apparatus of the 1st Embodiment of this invention. It is a flowchart showing operation | movement of the node of the 1st Embodiment of this invention. It is a flowchart showing operation | movement of the control apparatus of the 1st Embodiment of this invention. It is a figure showing the structure of the 2nd Embodiment of this invention. It is a block diagram showing the structure of the control apparatus of the 2nd Embodiment of this invention. It is an example of the table hold | maintained at the authentication information database (authentication information DB) of the authentication apparatus of FIG. It is a flowchart showing operation | movement of the control apparatus of the 2nd Embodiment of this invention. It is a flowchart showing operation | movement of the authentication apparatus of the 2nd Embodiment of this invention.

  First, an outline of the present invention will be described with reference to FIG. Note that the reference numerals of the drawings attached to this summary are attached to the respective elements for convenience as an example for facilitating understanding, and are not intended to limit the present invention to the illustrated embodiment.

  As shown in FIG. 1, the present invention responds to requests from a plurality of nodes 10A to 10N that transfer packets and a node (node 10A or node 10B in FIG. 1) to which a terminal 30 is connected among the plurality of nodes. Accordingly, it can be realized by a configuration including a control device 20 that controls a node on a transfer path of a packet transmitted from the terminal among the plurality of nodes and performs packet transfer.

  The control device 20 includes a node (node position information storage unit 22A) that stores position information of each of a plurality of nodes, and a node that imposes positional restrictions on a destination among nodes connected to the terminal. Based on the means (constraint information storage unit 23A) for storing constraint information that defines destinations that can or cannot be transmitted from the node, the location information of the node to which the terminal is connected, and the constraint information (Transfer enable / disable determination unit 26A).

  For example, when the restriction information is set such that transmission from the node 10A to the transmission destination 40N is impossible and transmission from the node 10B to the transmission destination 40N is possible, the terminal 30 transmits a packet addressed to the transmission destination 40N. Consider a case where the connected node requests the control device 20 to set a packet transfer path. When the terminal 30 is connected to the node 10A, the control device 20 instructs the node 10A to discard the packet received from the terminal 30 in accordance with the restriction information indicating that transmission from the node 10A to the transmission destination 40N is impossible, for example. To do.

  Thereafter, when the terminal 30 moves, connects to the node 10B, transmits a packet addressed to the transmission destination 40N, and receives a request for setting the transfer path of the packet from the node 10B, the control device 20 receives the request from the node 10B. A path between the terminal 30 and the transmission destination 40N is set according to the restriction information indicating that transmission is possible to the transmission destination 40N, and packets are transferred to the nodes 10B, 10A, and 10N on the path.

  As described above, a node that has made a packet transfer path setting request can grasp the position of a terminal and control whether or not to transfer a packet based on the position.

[First Embodiment]
Next, a first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 2 is a diagram showing the configuration of the first exemplary embodiment of the present invention. Referring to FIG. 2, the terminal 30, the plurality of servers 41B to 41N, the plurality of nodes 10A to 10N that transfer packets between the terminal 30 and the servers 41B to 41N, and the plurality of nodes 10A to 10N are controlled. A configuration including the control device 20 is shown.

  The terminal 30 is a terminal used by a user such as a computer, a mobile device, and a television. In addition, although one terminal is shown in FIG. 2, there may be a plurality of terminals.

  The servers 41B to 41N are computers that operate with application programs and provide services such as provision of information to the terminal 30 and reception of various applications. Although FIG. 2 shows three servers, the number is not limited to three. In addition, each server may provide the same service, or each server may provide a different service.

  Although the nodes 10A to 10N can use network switches and routers, in the present embodiment, description will be given below assuming that the OpenFlow switches of Non-Patent Documents 1 and 2 are used as the nodes 10A to 10N.

  FIG. 3 is a block diagram showing the configuration of the nodes 10A to 10N (hereinafter, the nodes 10A to 10N are referred to as the node 10 when it is not necessary to distinguish them). Referring to FIG. 3, the node 10 stores a flow entry (processing rule) transmitted from the control device 20 and a flow entry (processing rule) that matches the received packet from the flow entry storage unit 12. ) And a packet processing unit 11 for processing the packet.

  Here, the open flow (OpenFlow) will be described. OpenFlow captures communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis. The OpenFlow switch (corresponding to the nodes 10A to 10N) includes a secure channel for communication with the OpenFlow controller (corresponding to the control device 20), and a processing rule (flow entry) that is appropriately added or rewritten from the OpenFlow controller. Works according to.

  FIG. 4 is a diagram illustrating a configuration of a flow entry (processing rule) stored in the flow entry storage unit 12. In the example of FIG. 4, the flow entry (processing rule) includes a matching rule (matching rule) that matches the packet header of the received packet, and an action (Actions) that defines the processing content to be applied to a packet that matches the matching rule. , And flow statistics information (Stats).

  FIG. 5 shows action names and action contents defined in Non-Patent Document 2. OUTPUT is an action to be output to a designated port (interface). SET_VLAN_VID to SET_TP_DST are actions for modifying the field of the packet header. Also, by not writing an action name, the packet is discarded.

  For example, when the packet processing unit 11 of the node 10 receives a packet, the packet processing unit 11 receives an entry having a matching rule that matches the header information of the received packet from the flow entry storage unit 12 storing the flow entry (processing rule) as described above. Search for. When an entry that matches the received packet is found as a result of the search, the packet processing unit 11 of the node 10 performs the processing content described in the action field of the entry on the received packet. On the other hand, if no entry matching the received packet is found as a result of the search, the packet processing unit 11 of the node 10 sends the received packet (or flow entry (processing rule)) to the control device 20 via the secure channel. A request for setting a flow entry (processing rule) including information necessary for creating a request). The flow entry (processing rule) created by the control device 20 is stored in the flow entry storage unit 12.

  FIG. 6 is a block diagram showing the configuration of the control device 20. Referring to FIG. 6, a node management unit 21, a location DB (location database) 22, a constraint information DB (constraint information database) 23, a topology DB (topology database) 24, a reception unit 25, and a transfer availability determination unit. 26, the structure provided with the path | route production | generation part 27 and the transmission part 28 is shown.

  When receiving a packet (or a flow entry (processing rule) setting request including information necessary for creating a flow entry (processing rule)) from the node 10, the receiving unit 25 receives the node management unit 21 and the transfer availability determination unit 26. Then, the packet received from the node 10, the information of the node of the transmission source of the packet and its reception port, etc. are transferred.

  The node management unit 21 checks whether or not the terminal 30 is registered as a known terminal in the topology DB 24 based on the packet received from the receiving unit 25, the information on the node that transmitted the packet, and its receiving port. If the terminal 30 is not registered as a known terminal, the terminal position information is registered in the location DB 22 and the topology DB 24.

  FIG. 7 is a diagram illustrating an example of a table held in the location DB 22. In the example of FIG. 7, an entry is stored in which a node ID for uniquely identifying the node 10, the terminal 30, and the servers 40B to 40N is associated with position information indicating a location where the node is installed.

  As the node ID in FIG. 7, a Datapath ID (DPID) assigned to the node 10, an IP address, a MAC address, or the like can be used. Note that the node IDs of the servers 40B to 40N and the terminal 30 can be obtained from the packet header of the packet received from the node 10. Alternatively, a node ID may be determined according to a predetermined rule, and an IP address, a MAC address, or a Datapath ID (DPID) may be used as additional information.

  In addition to the location information on the network of each node 10 and the servers 40B to 40N, the location information in FIG. 7 includes the names of provinces (state names) such as Europe and Eurasia, country names (region names), and regional names (regions). Name), administrative division names such as prefectures and municipalities, street names, street addresses, building names, etc. can be used as more detailed information. Further, as a description form of the position information, a character string representing each position may be used, or an identification value (including a zip code and a ZIP code) assigned to each position may be used. Further, the granularity (hierarchy) of these position information does not need to be unified, and it is only necessary to match the entry (constraint information) of the constraint information DB 23 described later. For example, if you want to set whether to transfer packets to servers in Kawasaki City, Kanagawa, Japan, servers outside Kawasaki, Kanagawa, Japan, and servers in the United States, depending on the user's location, Is described in Kawasaki City, Kanagawa Prefecture, Japan, and a certain node is in the United States, so that it can be distinguished from nodes other than Kawasaki City, Kanagawa Prefecture, Japan.

  FIG. 8 is a diagram illustrating an example of a table held in the constraint information DB 23. In the example of FIG. 8, an entry (constraint information) in which position information of a transmission source, position information of a transmission destination, and a value (allow / deny) indicating permission or rejection is associated is stored. The location information of the transmission source or the transmission destination does not necessarily indicate a specific node. For example, by describing the location information of the region where the location restriction is to be imposed as the location information of the transmission source, Constraints can be imposed on transmissions from

  Therefore, as the position information set in the constraint information DB 23, various information is used as long as it can determine whether or not the packet transfer from the transmission source to the transmission destination is possible based on the position information of each node in the location DB 22 described above. be able to. For example, in addition to the location information on the network of each node 10 and the servers 40B to 40N, the names of administrative divisions such as Oshu name (state name), country name (region name), local name (region name), prefecture, municipality, Furthermore, street names, street addresses, building names, etc. can be used as detailed information. Further, a correspondence table that defines the correspondence between the position information of each node in the location DB 22 and the position information in the constraint information DB 23 may be used together.

  In addition, when a difference in granularity (hierarchy) of position information is allowed, it is possible to set a priority order for each hierarchy. Further, the priority can be increased as the granularity of the position information becomes finer (becomes more detailed). For example, an entry (constraint information) that basically prohibits packet transfer from Japan to A country, an entry that permits packet transfer from Kanagawa Prefecture to A country (constraint information), and a country B By providing entries (restriction information) that allow packet transfer to the state in a superimposed manner, packet transfer from only Kanagawa Prefecture in Japan to country A is allowed, or only packet transfer to country A in state B is allowed You can do it.

  The topology DB 24 stores network topology information indicating the connection relationship between the node 10, the servers 40B to 40N, and the terminal 30. Examples of network topology information include node IDs of nodes 10, servers 40B to 40N, and terminals 30 connected to each port of each node 10 in a list format, and the relationship between the port of each node and the node ID. Stored in a table can be used. As the node IDs of the servers 40B to 40N and the terminal 30, the IP address and MAC address acquired from the packet header of the packet received from the node 10 can be used.

  The transfer enable / disable determining unit 26 includes the node ID of the transmission source of the packet transferred from the reception unit 25 (including the case of the IP address or the MAC address) and the node ID of the transmission destination of the packet (the IP address or the above). Packet information from the transmission source to the transmission destination of the packet by searching the location information corresponding to each position information from the constraint information DB 23 Judgment is made.

  As a result of the determination, if it is determined that the packet transfer is not possible, the transfer permission determination unit 26 causes the node 10 that is the packet transmission source to discard the packet and the subsequent packet via the transmission unit 28 ( Process rule).

  On the other hand, if it is determined as a result of the determination that the packet transfer is possible, the transfer permission determination unit 26 transfers the packet to the route generation unit 27, and realizes route generation and packet transfer according to the route. Request creation / setting of flow entry (processing rule).

  The path generation unit 27 refers to the topology DB 24 and generates a path from the transmission source to the transmission destination of the packet transferred from the transfer availability determination unit 26. In addition, the route generation unit 27 creates a flow entry (processing rule) that causes a node on the generated route to perform packet transfer according to the route, and sends it to each node on the route via the transmission unit 28. Set. As a route calculation method in the route generation unit 27, a Dijkstra method or the like can be used.

  The control device 20 as described above is realized by a configuration in which functions corresponding to the location DB 22, the constraint information DB 23, and the transfer feasibility determination unit 26 are added based on the OpenFlow controllers of Non-Patent Documents 1 and 2. Is possible.

  Next, the operation of this embodiment will be described in detail with reference to the drawings. FIG. 9 is a flowchart showing the operation of the node 10 at the time of packet reception. Referring to FIG. 9, first, the packet processing unit 11 of the node 10 searches the flow entry storage unit 12 for a flow entry (processing rule) having a matching rule that matches the packet header of the received packet (S101).

  As a result of the search, when a flow entry (processing rule) having a matching rule that matches the packet header of the received packet is found (Yes in step S102), the packet processing unit 11 uses the action field of the flow entry (processing rule). The processing contents defined in (1) are executed (step S103).

  On the other hand, when a flow entry (processing rule) having a matching rule that matches the packet header of the received packet is not found (No in step S102), the packet processing unit 11 transfers the received packet to the control device 20, A setting of a flow entry (processing rule) is requested (step S104).

  FIG. 10 is a flowchart showing the operation of the control device 20 that has received a flow entry (processing rule) setting request from the node 10. Referring to FIG. 10, first, the node management unit 21 that has received a received packet and its transmission source node, reception port, and the like from the reception unit 25 determines that the terminal 30 that is the transmission source of the received packet has a corresponding position (flow entry It is confirmed whether or not it is registered in the (processing rule) setting request source node and its reception port) (step S201). Specifically, it is confirmed whether or not the source IP address or source MAC address of the received packet matches the IP address and MAC address of the device connected to the port of the corresponding node 10 in the topology DB 24.

  Here, when it is determined that the terminal 30 that is the transmission source of the received packet is not registered in the topology DB 24 (Yes in step S201), the node management unit 21 moves the terminal 30 to the corresponding position (flow entry (flow entry ( The processing rule) setting request source node and its reception port), the location of the flow entry (processing rule) setting request source node 10 is searched from the location DB 22 and the location DB 22 is used as the location information of the terminal 30. (Step S202).

  On the other hand, when the terminal 30 that is the transmission source of the received packet is registered in the topology DB 24 (No in step S201), the transfer availability determination unit 26 uses the transmission source IP address, the transmission source MAC address, and the like of the received packet. The DB 22 is searched and the position of the transmission source device is specified. Further, the transfer possibility determination unit 26 searches the location DB 22 using the transmission destination IP address, the transmission destination MAC address, and the like of the received packet, and specifies the position of the transmission destination device (step S203).

  Next, the transfer enable / disable determining unit 26 searches the constraint information DB 23 for an entry (constraint information) that matches the position of the identified transmission source and transmission destination (step S204).

  As a result of the search, when transmission permission / inhibition of the obtained entry (constraint information) is connection permission (allow) (Yes in step S205), the transfer permission determination unit 26 generates a route for the route generation unit 27. Request. The route generation unit 27 refers to the topology DB 24 and calculates a route from the node having the transmission source IP address and MAC address of the received packet to the node having the transmission destination IP address and MAC address (step S206).

  Next, the route generation unit 27 generates a flow entry (processing rule) to be set in the node 10 on the calculated route, and sets it in the flow entry storage unit 12 of each node 10 via the transmission unit 28 ( Step S207). Specifically, for each node on the route, the transmission IP address and the reception IP address of the received packet are designated, and the remaining tuple has a matching rule that is a wild card and is connected to the next node of the calculated route. A flow entry (processing rule) that defines an action for transferring a packet from the port is created.

  Next, the path generation unit 27 transmits the packet received in step S201 to the node 10 that is the transmission source of the received packet via the transmission unit 28, and instructs to transfer the packet from the port according to the path (step S201). S208).

  On the other hand, as a result of the search in step S204, when the transmission availability information of the obtained entry (constraint information) is connection refusal (deny) (No in step S205), the transfer availability determination unit 26 follows the received packet. A flow entry (processing rule) that causes the packet to be discarded is generated, and set in the flow entry storage unit 12 of the node 10 that is the transmission source of the received packet via the transmission unit 28 (step S209).

  As described above, according to the present embodiment, it is possible to control whether or not a packet can be transferred according to the position of the terminal in accordance with the contents set in the constraint information DB 23 described above. In addition, by setting a flow entry (processing rule) that causes packet discarding in step S209 as described above, packets having the same packet header are discarded at the node to which the terminal 30 is connected. The response load to the setting request of the flow entry (processing rule) of the control device 20 is reduced. On the other hand, the user can cause the control device 20 to set a packet transfer path by moving the terminal 30 and connecting to a node where packet transfer to the target server is permitted and transmitting the packet again. it can.

  In the above-described embodiment, the position of the transmission source node of the received packet is handled as the position of the terminal 30, but each port of the node can also be handled as position information. In this way, even in a configuration in which a switch other than a wireless LAN access point or an OpenFlow switch is connected to the node 10, it is possible to control whether or not a packet can be transferred according to its detailed position. .

  Further, in the above-described embodiment, it has been described that the node 10 that is the transmission source of the received packet is instructed to return the received packet and forward it from the port according to the route. It is also possible to transfer the packet to the node 10 corresponding to the end point of the route.

  Further, in the above-described embodiment, it has been described that the position of the terminal 30 is registered in the location DB 22 and the topology DB 24 when a packet is received from the node 10. However, the port of the node 10 is linked up, and a status update message is displayed. As a result, the location of the terminal may be registered in the location DB 22 and the topology DB 24.

  Further, in the above-described embodiment, the timing of deleting the terminal position information from the location DB 22 and the topology DB 24 was not mentioned, but the link down of the port to which the terminal 30 is connected from the node 10 to which the terminal 30 is connected. Can be triggered by this notification. Specifically, the node ID (ID, IP address, MAC address, etc.) connected to the corresponding port of the corresponding node 10 is deleted from the topology DB 24, and the node ID (ID, IP address, MAC address) is deleted from the location DB 22. A process for deleting an entry having an address or the like is performed.

[Second Embodiment]
Next, a second embodiment of the present invention in which the location DB 22 and the constraint information DB 23 are updated by a cooperative operation with the authentication apparatus will be described in detail with reference to the drawings.

  FIG. 11 is a diagram showing the configuration of the second exemplary embodiment of the present invention. The structural difference from the first embodiment shown in FIG. 2 is that an authentication device 50 including an authentication information database (authentication information DB) 51 is connected to the control device 20B. Further, in the present embodiment, the configuration and operation of the control device are different from those of the first embodiment, and therefore, these differences will be mainly described.

  FIG. 12 is a block diagram showing the configuration of the control device according to the second embodiment of the present invention. Referring to FIG. 12, a configuration including a location DB 22, a constraint information DB 23, a topology DB 24, a receiving unit 25A, a transfer enable / disable determining unit 26, a route generating unit 27, and a transmitting unit 28 is shown. . A major difference in configuration from the first embodiment is that the node management unit 21 is omitted, and information is exchanged with the authentication device 50 instead.

  When receiving the authentication packet from the node 10, the receiving unit 25 </ b> A transfers the authentication packet to the authentication device 50. When receiving the packet (or a flow entry (processing rule) setting request including information necessary for creating a flow entry (processing rule)) from the node 10, the receiving unit 25 </ b> A sends the terminal 30 to the transfer enable / disable determining unit 26. The packet received from the node, the node of the transmission source of the packet, the information of the reception port, and the like are transferred.

  The authentication device 50 performs user authentication processing with the terminal 30 based on the authentication packet received from the receiving unit 25A. And when user authentication is successful, the authentication apparatus 50 produces | generates the entry (restriction information) registered into restriction | limiting information DB23 based on the position of the said terminal 30 acquired from location DB22, and the content of authentication information DB51. The operation of registering in the constraint information DB 23 is performed.

  FIG. 13 is a diagram illustrating an example of a table held in the authentication information DB 51 of the authentication device 50. In the example of FIG. 13, for each individual user, an entry that associates the position information of the transmission source, the position information of the transmission destination, and a value (allow / deny) indicating permission or rejection is stored.

  The position information set in the authentication information DB 51 may be any information as long as it can generate an entry (constraint information) registered in the constraint information DB. For example, in addition to the location information of each node 10 and servers 40B to 40N on the network, the names of Oshu (state name), country (region name), country (region name), prefecture, municipality, etc., such as Europe and Eurasia Street names, street addresses, building names, etc. can be used as administrative division names and more detailed information. Also, a correspondence table that defines the correspondence between the location information of each node in the location DB 22 and the constraint information DB 23 and the location information in the authentication information DB 51 may be used together.

  The operations of the other components are the same as those in the first embodiment, and the transferability determination unit 26 determines whether packets can be transferred to the transmission source and the transmission destination based on the location DB 22 and the constraint information DB 23. When it is determined that packet transfer is possible, the route generation unit 27 generates a route and sets a flow entry (processing rule).

  Next, the operation of this embodiment will be described in detail with reference to the drawings. FIG. 14 is a flowchart showing the operation of the control device 20B that has received a packet from the node 10. Referring to FIG. 14, first, the receiving unit 25A determines whether or not the packet received from the node 10 is an authentication packet (step S300). For example, when IEEE802.1x is used as the authentication standard, it can be determined whether or not the Ether type field of the packet is 0x888E (EAPoL (Extensible Authentication Protocol over LAN) frame).

  When the packet received from the node 10 is an authentication packet (Yes in Step S300), the receiving unit 25A transfers the authentication packet to the authentication device 50 (Step S301). Further, when a message exchange is required between the authentication device 50 and the terminal 30, a response from the authentication device 50 is transferred to the terminal 30 to the node (for example, the node 10A in FIG. 11) of the authentication packet transmission source. The flow entry (processing rule) to be set is set. Specifically, as a matching rule, the source MAC address is the MAC address of the authentication device 50, the MAC address of the terminal 30 is specified as the destination MAC address, and the action is a flow of transferring to the port to which the terminal 30 is connected as an action. An entry (processing rule) is set.

  Hereinafter, the operation of the control device in steps S201 to S209 in FIG. 14 is the same as that in the first embodiment described above, and thus the description thereof is omitted.

  Next, the operation of the authentication device 50 that has received the transfer of the authentication packet from the receiving unit 25A of the control device 20B will be described in detail with reference to the drawings. FIG. 15 is a flowchart showing the operation of the authentication device 50 that has received the transfer of the authentication packet.

  Referring to FIG. 15, first, the authentication device 50 performs user authentication processing based on the authentication packet received from the terminal 30 (step S401). If the user authentication process fails (No in step S402), the subsequent process is not performed. In this case, the authentication device 50 may notify the control device 20 to that effect and set a flow entry (processing rule) for discarding the packet from the terminal 30.

  On the other hand, when the user authentication is successful (Yes in Step S402), the authentication device 50 acquires the position information of the terminal 30 from the location DB 22 of the control device 20 (Step S403).

  Next, the authentication device 50 uses the table (see FIG. 13) of the authentication information DB 51 and the acquired location information, MAC address, IP address, etc. of the terminal 30 to register in the constraint information DB 23 of the control device 20. (Constraint information) is generated and registered in the constraint information DB 23 of the control device 20 (steps S404 and S405).

  Specifically, the authentication device 50 matches the authenticated user from the table of the authentication information DB 51 (see FIG. 13), and either the transmission source or the transmission destination is a part of the position acquired in step S403. Extract those that match.

  The authentication device 50 deletes the user information from each of the extracted entry groups, and the one that matches the location information acquired in step S403 among the transmission destination or the transmission source is the MAC address, IP address, etc. of the terminal 30 To replace the terminal information.

  As a result, the following entry (constraint information) is generated.

Terminal information, location, allow or deny
Location, terminal information, allow or deny
By registering the entries (constraint information) as described above in the constraint information DB 23 of the control device 20, as in the first embodiment described above, the source and destination of the transmission by the transferability determination unit 26 of the control device 20A. Based on the positional relationship, whether or not transfer is possible is determined, the route generation unit 27 that receives the result calculates the route, and sets the flow entry (processing rule).

  As described above, the present invention can also be realized by a configuration in cooperation with the authentication apparatus.

  In the above embodiment, the registration process of the entry (constraint information) in the constraint information DB 23 by the authentication device 50 has been described. However, the authentication device 50 deletes the entry (constraint information) from the constraint information DB 23. It is also possible.

  For example, (1) the expiration date of a predetermined entry (constraint information) has arrived, (2) the movement of the terminal 30 is detected (the terminal 30 is connected to a different node 10), (3) the user is logged out (connection is terminated) Etc., the entry (constraint information) from the constraint information DB 23 can be deleted. Of course, when a timeout value is set in the flow entry (processing rule) itself and the corresponding packet cannot be received for a certain period of time, or when a certain period of time has elapsed since the setting of the flow entry (processing rule), the node 10 The flow entry (processing rule) may be deleted.

  In the above-described embodiment, the flow entry (processing rule) search processing in the node 10 has been described as being the same as that in the first embodiment, but there are a plurality of flow entries (processing rules) that match the received packet. It is also preferable to use a node that selects a flow entry (processing rule) based on the priority information given to the flow entry (processing rule) when detected. For example, a matching rule that discards packets other than the authentication packet and a flow entry (processing rule) that defines processing contents are stored in the flow entry storage unit 12 of the node 10 as low priority so that authentication is performed. It is possible to cause the notebook 10 to discard the user packet sent without being sent.

  It is also possible to set a flow entry (processing rule) for discarding packets other than authentication packets for each port of the node 10. Further, when setting a flow entry (processing rule) for the user after successful authentication, the flow entry (processing rule) for discarding the user packet may be deleted. In addition, a flow entry (processing rule) for discarding packets other than the authentication packet from the specific port when the expiration date of user authentication has come may be set.

  In the embodiment described above, the authentication device 50 has been described as directly updating the constraint information DB 23. However, the authentication device 50 notifies only the authentication result to the control device 20, and the control device based on this notifies the constraint information DB 23. It is also possible to adopt a configuration for updating. Of course, a function corresponding to the authentication device 50 may be provided in the control device 20 itself.

  The preferred embodiments of the present invention have been described above. However, the present invention is not limited to the above-described embodiments, and further modifications, replacements, and replacements may be made without departing from the basic technical idea of the present invention. Adjustments can be made.

  For example, in the first and second embodiments described above, when packet transfer from a transmission source to a transmission destination is not permitted, a flow entry (processing rule) for performing processing to discard a packet from the terminal is provided. Although described as being set, a route connecting to a server that transmits a message indicating that packet transfer is prohibited from the position or a message notifying the position where the packet can be transferred to the destination may be set. . In this way, it is possible to inform the user of the reason why the packet cannot be transferred and the target method for enabling the packet to be transferred.

  Similarly, when packet transfer from the transmission source to the transmission destination is not permitted, a route connecting to the authentication device, the export procedure server (data transmission (import) procedure server), and the user registration server is set. May be. These servers perform the same operation as the authentication device 50 of the second embodiment, and add an entry permitting packet transfer from the terminal to the transmission destination in the constraint information DB 23 of the control device 20. That's fine.

  It is also possible to use these processes properly. For example, the transmission / rejection information in the constraint information DB 23 of the control device 20 includes not only binary values of allow or deny but also specific processing contents such as transmission of the message and connection to the authentication device. The defined control information may be set so that the control device 20 operates according to the control information.

Finally, a preferred form of the invention is summarized.
[First embodiment]
(Refer to the communication system according to the first viewpoint)
[Second form]
In the communication system of the first form,
The controller is
A communication system that determines a packet transfer path based on position information of each of the plurality of nodes and a connection relationship between the plurality of nodes.
[Third embodiment]
In the communication system of the first or second form,
Furthermore, an authentication device for performing user authentication with the terminal is included,
The restriction information is a communication system that is updated based on a result of user authentication.
[Fourth form]
In the communication system according to any one of the first to third aspects,
The constraint information is a table in which position information of a node that imposes positional constraints on the transmission destination, position information on the transmission destination, and transmission availability information indicating whether transmission from the transmission source to the transmission destination is associated with each other. The communication system comprised by.
[Fifth embodiment]
In the communication system according to any one of the first to fourth aspects,
The constraint information is described by position information having a hierarchy,
A communication system that determines whether or not a packet can be transferred according to a predetermined priority between hierarchies when a plurality of pieces of constraint information conflict.
[Sixth embodiment]
In the communication system according to any one of the first to fifth aspects,
The location information of the constraint information is described by one or more of Oshu name, country name, region name, region name, administrative division name,
The control apparatus, wherein the control device determines whether or not to transfer a packet depending on whether or not the packet transmitted from the terminal is destined for a position where transmission is possible from a node to which the terminal is connected.
[Seventh form]
(Refer to the control device according to the second viewpoint)
[Eighth form]
In the control device of the seventh aspect,
A control apparatus further comprising means for determining a packet transfer path based on position information of each of the plurality of nodes and a connection relationship between the plurality of nodes.
[Ninth Embodiment]
In the control device of the seventh or eighth aspect,
A control device that updates the constraint information based on a result of user authentication received from an authentication device that performs user authentication with the terminal.
[Tenth embodiment]
In the control device according to any one of the seventh to ninth aspects,
The constraint information is a table in which position information of a node that imposes positional constraints on the transmission destination, position information on the transmission destination, and transmission availability information indicating whether transmission from the transmission source to the transmission destination is associated with each other. The control device that is configured by.
[Eleventh form]
In the control device according to any one of the seventh to tenth aspects,
The constraint information is described by position information having a hierarchy,
A control device that determines whether or not a packet can be transferred according to a predetermined priority between hierarchies when a plurality of pieces of constraint information conflict.
[Twelfth embodiment]
In the control device according to any one of the seventh to eleventh aspects,
The location information of the constraint information is described by one or more of Oshu name, country name, region name, region name, administrative division name,
A control device that determines whether or not a packet can be transferred based on whether or not the packet transmitted from the terminal is destined for a position that can be transmitted from a node to which the terminal is connected.
[13th form]
(Refer to the communication method according to the third viewpoint)
[14th form]
(Refer to the program from the fourth viewpoint above.)

  It should be noted that the disclosures of the above-mentioned patent documents and non-patent documents are incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiments and examples can be changed and adjusted based on the basic technical concept. Various combinations and selections of various disclosed elements are possible within the scope of the claims of the present invention. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea.

  INDUSTRIAL APPLICABILITY The present invention can be used as a system for controlling data movement and content import / export at various levels such as between countries, between regions, and between companies in addition to an access control system according to position.

10, 10A to 10N node 11 packet processing unit 12 flow entry storage unit 20, 20A, 20B control device 21 node management unit 22 location DB (location database)
22A Node position information storage unit 23 Constraint information DB (Constraint information database)
23A Constraint Information Storage Unit 24 Topology DB (Topology Database)
25, 25A Receiving unit 26 Transfer enable / disable determining unit 26A Transfer enable / disable determining unit 27 Route generating unit 28 Transmitting unit 30 Terminal 40B to 40N Destination 41B to 41N Server 50 Authentication device 51 Authentication information DB

Claims (9)

Multiple nodes forwarding packets,
A terminal connected to at least one of the plurality of nodes to access a network;
Control that controls the node on the transfer path of the packet transmitted from the terminal among the plurality of nodes in response to a request from the node to which the terminal is connected among the plurality of nodes. Equipment ,
For each user of the terminal, restriction information in which position information of the transmission source of the packet, position information of the transmission destination of the packet, and information indicating whether or not to permit connection are associated with each other is included in the control device. An authentication device for notifying
The controller is
Means for storing position information of each of the plurality of nodes;
Means for storing constraint information notified from the authentication device for a node that imposes positional constraints on a destination among nodes connected to the terminal;
Means for determining whether or not to transfer a packet based on position information of a node to which the terminal is connected and the constraint information;
A communication system comprising: The authentication device further rows that have the terminal and user authentication,
The communication system according to claim 1, wherein the restriction information is updated based on a result of the user authentication. The constraint information is described by position information having a hierarchy,
The communication system according to claim 1, wherein when a plurality of pieces of constraint information conflict, the communication system according to claim 1 or 2 determines whether or not a packet can be transferred according to a predetermined priority between hierarchies. The location information in the constraint information is described by one or more of Oshu name, country name, region name, region name, administrative division name,
Wherein the control device, a packet transmitted from the terminal, depending on whether the terminal is destined possible positions transmitted from a connected node, claim 1 to determine the transfer possibility of packet 3 any one of Communications system. Connected to multiple nodes that forward packets sent from the terminal,
Means for performing packet transfer by controlling a node on a transfer path of a packet transmitted from the terminal among the plurality of nodes in response to a request from a node to which the terminal is connected among the plurality of nodes. When,
For each user of the terminal, position information of a node connectable to the terminal, position information of a transmission destination of a packet transmitted from the terminal, and information indicating whether or not to permit connection are associated with each other Means for receiving constraint information;
Means for storing position information of each of the plurality of nodes;
Means for storing the received constraint information for a node that imposes location constraints on a destination among nodes connected to the terminal;
The position information of the node that sent the previous Kiyo determined, on the basis of said constraint information, means for determining a transfer possibility of the packet,
A control device comprising: 6. The control apparatus according to claim 5 , wherein the restriction information is updated based on a result of user authentication received from an authentication apparatus that performs user authentication with the terminal. The constraint information is described by position information having a hierarchy,
The control device according to claim 5 or 6 , wherein, when a plurality of pieces of constraint information conflict, the control device determines whether or not to transfer a packet in accordance with a predetermined priority order between hierarchies. The location information in the constraint information is described by one or more of Oshu name, country name, region name, region name, administrative division name,
The control apparatus according to claim 7 , wherein the packet transmitted from the terminal determines whether or not the packet can be transferred, depending on whether or not the destination is a position that can be transmitted from a node to which the terminal is connected. Connected to multiple nodes that forward packets sent from the terminal,
Means for storing position information of each of the plurality of nodes;
For each user of the terminal, position information of a node connectable to the terminal, position information of a transmission destination of a packet transmitted from the terminal, and information indicating whether or not to permit connection are associated with each other Means for receiving constraint information;
A storage device that stores the received constraint information for a node that imposes a positional constraint on a destination among nodes connected to the terminal,
In response to a request from a node to which the terminal is connected among the plurality of nodes, determining whether or not to transfer a packet based on position information of the node to which the terminal is connected and the constraint information;
A step of controlling the node on the transfer path of the packet transmitted from the terminal to perform the packet transfer when the packet is determined to be transferable as a result of the determination. Method.

Images