JP7076051B1 - Devices, methods and programs for providing communication services to access IP networks - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a device, a method and a program which enable the access without going through a radio access network for cellular communication by using a communication infrastructure connected to the communication infrastructure of an MNO. SOLUTION: A device 200 receives a session generation request including a subscriber identifier 232 of a communication service from an IoT device 230, and is included in a communication infrastructure 220 on a cloud connected to a communication infrastructure 210 of an MNO. Send a provisioning call for the GTP tunnel between the second instances. From the first or second instance, the ID associated with the subscriber identifier and the source address that is the source of the GTP-U session are received. Send a provisioning call to the first instance, including the source address and public key, for the VPN tunnel between the IoT device and the first instance. The connection information is transmitted to the IoT device that stores the private key corresponding to the public key. [Selection diagram] Fig. 2

Description

The present invention relates to a device, a method, and a program for providing a communication service for accessing an IP network.

Wireless communication services using cellular networks have traditionally been provided by MNOs (mobile network operators), and users can start using them by contracting with the MNO, receiving a SIM card from the MNO, and attaching it to the device. can do.

In recent years, with the advent of MVNOs (Virtual Mobile Network Operators), retailing of wireless communication lines has progressed, and in this case, users receive SIM cards from MVNOs instead of MNOs. MVNOs can be broadly divided into two types: those that do not have any communication infrastructure in-house, and those that have communication infrastructure in-house and connect the communication infrastructure to the communication infrastructure of MNOs to provide wireless communication services. Compared to the former, the latter (see Fig. 1) has its own communication infrastructure, so as an example, it is possible to set prices according to communication quality such as communication speed and communication capacity, and meet various needs. Is being tried.

A remarkable increase in the need for wireless communication services in recent years is the movement of IoT to add communication functions to all things and connect them to the Internet. Hereinafter, devices that can be connected to a computer network including the Internet are referred to as "IoT devices". By installing a SIM card, IoT devices can access IP networks using cellular communication.

In addition, MVNE (Virtual Mobile Communication Service Provider), which provides support services for MVNO to carry out smooth business, intervenes between MNO and MVNO, and MVNE receives SIM card from MNO, and it May also be provided to the MVNO. For example, it is conceivable that the MVNE's communication infrastructure will be connected to the MNO's communication infrastructure to realize wireless communication services, and the MVNO, which does not have its own communication infrastructure, will be responsible for retailing.

However, if you want to enable IoT devices to access the IP network without using cellular communication, more specifically without using a wireless access network for cellular communication, you want to use the MVNO as described above. Alternatively, it is necessary to manage each of them using a communication service separate from the wireless communication service provided by the MVNE, or to develop a communication system for managing multiple communication services in-house, which is a management cost. , Development costs and other costs increase.

The present invention has been made in view of such problems, and an object thereof is to provide an IoT device with a communication service for accessing an IP network by using a communication infrastructure connected to the communication infrastructure of an MNO. The purpose of the device, method and program for providing the device is to enable the access without going through a radio access network for cellular communication.

Further, a more general object of the present invention is to use a communication infrastructure connected to the communication infrastructure of an MNO in a communication service for an IoT device to access an IP network, via a wireless access network for cellular communication. The purpose is to enable the access without.

The terms MNO, MVNO and MVNE may have different definitions. In this specification, MNO owns 3G SGSN and LTE S-GW as communication infrastructure, does not distinguish between MVNO and MVNE, and is comprehensive with operators who have communication infrastructure connected to MNO's communication infrastructure. May be called. Examples of communication infrastructure owned by the operator include 3G GGSN and LTE P-GW.

In the above explanation, the SIM card is attached to the IoT device as an example, but it is not limited to the physical SIM card, but it is not limited to the physical SIM card, but also to the semiconductor chip embedded in the IoT device and the secure area in the module of the IoT device. It may be implemented by the installed software, etc., and these are collectively referred to as "SIM" below. The SIM stores a SIM identifier that identifies the SIM. Examples of SIM identifiers include IMSI, ICCID, MSISDN and the like.

The present invention has been made in view of such problems, and an object thereof is to access an IP network to an IoT device by using the equipment provided in the communication infrastructure on the cloud connected to the communication infrastructure of MNO. A method for providing a communication service for receiving a session generation request including a subscriber identifier for identifying a subscriber of the communication service, and storing an ID in association with the subscriber identifier. In the first provisioning call to generate a GTP-U session between the first instance and the second instance in the first instance and the second instance included in the facility. The step of transmitting the first provisioning call including the ID, and the source of the GTP-U session in response to the first provisioning call from the first instance or the second instance. A second provisioning call for generating a VPN session between the IoT device and the first instance in the first instance and the step of receiving the source address. And to the IoT device that stores the step of transmitting the second provisioning call including the first credential and the first credential or the second credential corresponding to the first credential. A step of transmitting connection information including an address and a destination address of the first instance is included.

The second aspect of the present invention is the method of the first aspect, and the connection information includes the port number of the first instance.

Further, the third aspect of the present invention is the method of the first or second aspect, in which the first credential is a public key and the second credential is a secret corresponding to the public key. It's the key.

Further, the fourth aspect of the present invention is the method of any one of the first to third aspects, and the first instance and the second instance are instances on a cloud or a public cloud.

Further, the fifth aspect of the present invention is the method of any one of the first to fourth aspects, and the session generation request is received from the IoT device.

A sixth aspect of the present invention is to provide an IoT device with a communication service for accessing an IP network by using the equipment provided in the communication infrastructure on the cloud connected to the communication infrastructure of the MNO in the device. A program for executing a method for receiving a session generation request including a subscriber identifier for identifying a subscriber of the communication service, and an ID associated with the subscriber identifier. And a first provisioning to generate a GTP-U session between the first instance and the second instance in the first instance and the second instance contained in the facility. A call, the step of transmitting a first provisioning call including the ID, and the transmission of the GTP-U session from the first instance or the second instance in response to the first provisioning call. A second provisioning call for generating a VPN session between the IoT device and the first instance in the step of receiving the original source address and the transmission of the first instance. To the IoT device that stores the step of sending a second provisioning call containing the original address and the first credential and the second credential corresponding to the first credential or the first credential. It includes a step of transmitting connection information including a source address and a destination address of the first instance.

A seventh aspect of the present invention is a device for providing a communication service for accessing an IP network to an IoT device by using the equipment provided in the communication infrastructure on the cloud connected to the communication infrastructure of the MNO. A first instance included in the facility, which receives a session generation request including a subscriber identifier for identifying a subscriber of the communication service, stores an ID in association with the subscriber identifier, and the facility. A first provisioning call for generating a GTP-U session between the first instance and the second instance, which is a first provisioning call including the ID, is transmitted to the second instance. Then, in response to the first provisioning call, the source address that is the source of the GTP-U session is received from the first instance or the second instance, and the first instance receives the source address. A second provisioning call for generating a VPN session between the IoT device and the first instance, the second provisioning call including the source address and the first credential is transmitted. Connection information including the source address and the destination address of the first instance is transmitted to the IoT device that stores the first credential or the second credential corresponding to the first credential.

Eighth aspect of the present invention is for an IoT device to access an IP network using a communication infrastructure on a cloud having a first instance and a second instance in which a GTP-U session is generated during that time. A VPN packet in which the first instance encapsulates a credential stored in the IoT device or an IP packet encrypted by a temporary credential from the IoT device. The receiving step and the first instance obtain the credential or temporary credential corresponding to the source address or temporary key contained in the VPN packet to decrypt the encrypted IP packet. And each transmission with one or more source addresses held in the first instance, based on the source address contained in the header of the decrypted IP packet. With reference to the association with the destination of the GTP session to which the original address is assigned, the step of determining the second instance and the first instance are decoded with respect to the second instance. The step of transmitting a GTP packet using the IP packet as the GTP packet, and the second instance removing the GTP header from the GTP packet and using the IP packet as the GTP packet as an external or internal IP of the equipment. Includes steps to send to the network.

Further, the ninth aspect of the present invention is for the IoT device to access the IP network to the first instance and the second instance of the communication infrastructure on the cloud in which the GTP-U session is generated during that time. A program for executing a method of providing a communication service, wherein the first instance is encrypted from the IoT device by a credential stored in the IoT device or a temporary credential. The step of receiving the VPN packet in which the IP packet is encapsulated, and the first instance obtains the credential or the temporary credential corresponding to the source address or the temporary key contained in the VPN packet, and encrypts it. The step of decrypting the decrypted IP packet and the first instance being held in the first instance based on the source address included in the header of the decrypted IP packet 1 Alternatively, the step of determining the second instance by referring to the association between a plurality of source addresses and the destination of the GTP session to which each source address is assigned, and the first instance are the second. A step of transmitting a GTP packet having the decrypted IP packet as the GTP packet to the instance of the above, and the second instance removing the GTP header from the GTP packet to obtain the IP packet which is the GTP packet. Includes the step of transmitting to an IP network outside or inside the facility.

Further, the tenth aspect of the present invention is a communication infrastructure on the cloud for providing a communication service for an IoT device to access an IP network, and a first aspect in which a GTP-U session is generated during the communication infrastructure. It has an instance and a second instance, and the first instance receives a VPN packet from the IoT device that encapsulates an IP packet stored in the IoT device or encrypted by a temporary credential. Then, the credential corresponding to the source address or the temporary key included in the VPN packet or the temporary credential is acquired to decrypt the encrypted IP packet, and the first instance decrypts the encrypted packet. Based on the source address contained in the header of the IP packet, one or more source addresses held in the first instance and the destination of the GTP session to which each source address is assigned are used. With reference to the association, the second instance is determined, and a GTP packet using the decrypted IP packet as the GTP packet is transmitted to the second instance, and the second instance causes the second instance. , The GTP header is removed from the GTP packet, and the IP packet which is the GTP payload is transmitted to the IP network outside or inside the facility.

According to one aspect of the present invention, a concealed line is provided on an IP network such as the Internet by a VPN tunnel, and the IoT device is a communication infrastructure connected to the communication infrastructure of MNO through the concealed line, and is a GTP tunnel. It will be possible to connect to a communication infrastructure that can send data to an IP network through and receive data from the IP network without going through a wireless access network.

It is a diagram schematically showing an MVNO that provides a wireless communication service by connecting its own communication infrastructure to the communication infrastructure of an MNO. It is a figure which shows the apparatus for providing the communication service for accessing the IP network which concerns on one Embodiment of this invention. It is a figure which shows the flow of the method for providing the communication service for accessing the IP network which concerns on one Embodiment of this invention. It is a figure which shows the flow of the method for providing the communication service for accessing the IP network which concerns on one Embodiment of this invention. It is a figure which shows the flow of the data transmission in the communication service for the IoT device which concerns on one Embodiment of this invention to access an IP network.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 2 shows an apparatus for providing a communication service for accessing an IP network according to an embodiment of the present invention. The device 200 communicates with the MVNO communication infrastructure 220 and the IoT device 230 connected to the MNO communication infrastructure 210 on the IP network. The device 200 is also called a connection device because the device 200 is for establishing a connection for the IoT device 230 to access the IP network. The MVNO communication infrastructure 220 is composed of a plurality of instances on a cloud or a public cloud.

Here, the term "cloud" as used herein refers to a system capable of dynamically provisioning and providing computing resources such as CPU, memory, storage, and network bandwidth according to demand on the network. For example, the cloud can be used by AWS or the like. Further, in the present specification, the “public cloud” means a cloud in which a plurality of tenants can receive the provision of computing resources.

The device 200 includes a communication unit 201 such as a communication interface, a processing unit 202 such as a processor and a CPU, and a storage device such as a memory and a hard disk or a storage unit 203 including a storage medium, and provides a program for performing each processing. It can be configured by running. The device 200 may include one or more devices, computers or servers. In addition, the program may include one or more programs, and may be recorded on a computer-readable storage medium to be a non-transient program product. The program can be stored in a storage device or storage medium such as a database 204 accessible from the storage unit 203 or the device 200 via the IP network, and can be executed by the processing unit 202. The data described below as being stored in the storage unit 203 may be stored in the database 204, and vice versa.

The device 200 can be one or more instances on the cloud or public cloud, and may be one or more instances on the same cloud as the MVNO's communication infrastructure 220. Although not shown, each instance of the MVNO communication infrastructure 220 can have the same hardware configuration as the connection device 200.

In the following, the generation of the session required for the communication service will be described first, and then the transmission of data to the IP network using the generated session will be described.

Session Generation Figures 3A and 3B show the flow of a method for providing a communication service for accessing an IP network according to an embodiment of the present invention. First, the device 200 receives a session generation request including a subscriber identifier for identifying a subscriber of the communication service from the IoT device 230 (S301). The session generation request can be transmitted by an internet communication line other than the cellular line, and as an example, it may be transmitted by a fixed internet line or may be transmitted via the cellular line.

In FIG. 2, the IoT device 230 has a SIM identifier 231 that identifies a SIM for using a communication service for accessing an IP network provided via a wireless access network by using the communication infrastructure 220 of the MVNO. In addition to being stored, the subscriber identifier 232 for using the communication service for accessing the IP network provided without going through the radio access network is stored. In FIG. 2, since the subscriber identifier 232 is considered to be a virtual SIM identifier when a connection is established using the subscriber identifier 232, it is shown as "V-SIM (Virtual SIM)" for convenience. Further, the IoT device 230 may store a token for legitimately making a session generation request. The SIM identifier 231 does not necessarily have to be stored in the IoT device 230.

After verifying the token included in the received session generation request as necessary, the connection device 200 generates and stores an ID in association with the subscriber identifier 232 included in the session generation request (S302). It is also conceivable that the session generation request is transmitted to the connection device 200 from a device other than the IoT device 230 that can legitimately access the subscriber identifier 232 for the IoT device 230.

As an example of a device other than the IoT device 230, a computer used by an administrator who manages the IoT device 230 can be mentioned. If the administrator can access the subscriber identifier 232 and is given a token necessary for making a session generation request to the connection device 200, the administrator uses the token to include the subscriber identifier 232. A session generation request can be made for the IoT device 230. As another example, as a device other than the IoT device 230, authentication that can authenticate the IoT device 230 using the SIM identifier 231 stored in the IoT device 230 and establish a secret line with the IoT device 230. The server is mentioned. It can be said that the authentication server that has received the subscriber identifier 232 from the IoT device 230 through the established secret line is legitimately accessing the subscriber identifier 232. When the SIM identified by the SIM identifier 231 is issued by a business operator having a communication infrastructure 220 connected to the communication infrastructure 210 of the MNO, the authentication server is one or more included in the equipment of the communication infrastructure 220. Can be an instance.

Next, the connection device 200 adopts the first instance and the second instance of the communication infrastructure 220 (S303), and for the second instance, the first instance and the second instance Send a provisioning call to generate a GTP-U session between (S304). This provisioning call can include the ID stored in the connecting device 200 and the first destination address such as the IP address, host name, etc. of the first instance adopted by the connecting device 200.

The first instance can be adopted from the first node group, and the second instance can be adopted from the second node group. When the MVNO communication infrastructure 220 provides the IoT device 230 with access to the IP network via the wireless access network, the first server adopted from the first server group connected to the MNO communication infrastructure 210. And the second server adopted from the second server group connected to the first server is used, and at least a part of the second node group is the same as at least a part of the second server group. Can be.

The second instance sends the answer of the provisioning call to the second instance to the connection device 200 (S305). Then, the second instance is in the standby state of the GTP-U session (S306). The response can include the source address, such as the ID and the source IP address for the GTP-U session, which can be adopted by the second instance. Further, although it is described here that the standby state is set after the response is transmitted, the order may be reversed. The source address may be assigned by the connecting device 200 instead of the second instance. In this case, the source address may be included in the provisioning call to the second instance. In any case, the second instance can store the source address in association with the ID. Further, in the device 200, the source address can be stored in association with the subscriber identifier 232.

The connecting device 200 then sends a provisioning call to the first instance to generate a GTP-U session between the first instance and the second instance (S307). This provisioning call can include the ID stored in the connecting device 200, the source address, and the second destination address of the second instance adopted by the connecting device 200.

After that, the first instance is in the standby state of the GTP-U session (S308). Here, a GTP-U session is generated between the first instance and the second instance, and a so-called GTP tunnel is established. The connection device 200 receives the answer of the provisioning call for the first instance (S309). It is conceivable that the first instance will be in the standby state after transmitting the response, but it is preferable to transmit the response after the response is in the standby state so that there is no time during which the connection cannot be established.

Then, the connection device 200 transmits a provisioning call for generating a VPN session between the IoT device 230 and the first instance to the first instance (S310). This provisioning call includes the source address and the credentials associated with the IoT device 230. The credential may be stored in the database 204 in association with the subscriber identifier 232, or may be included in the session generation request from the IoT device 230.

The credential can be, for example, a public key. In this case, the private key corresponding to the public key is stored in the IoT device 230. An encryption method other than the public key encryption method may be used for the VPN session, and more generally, the first credential required for the encryption method is transmitted to the first instance, and the first instance is concerned. It suffices if one credential or a second credential corresponding thereto is stored in the IoT device 230.

After receiving the provisioning call for generating the VPN session, the first instance stores the source address and the credential, and enters the VPN session standby state (S311). Further, the connection device 200 receives a response to the provisioning call from the first instance (S312). The response may include, in one example, the source address and the first destination address of the first instance. It is conceivable that the first instance will be in the standby state after transmitting the response, but it is preferable to transmit the response after the response is in the standby state so that there is no time during which the connection cannot be established.

Upon receiving the response, the connection device 200 transmits the connection information to the IoT device 230 by adding the port number to the source address and the first destination address included in the response as needed (S313). When the port number is included in the response from the first instance, the received connection information may be transmitted to the IoT device 230. In the IoT device 230, device provisioning is performed based on the connection information, and connection to the first instance is attempted (S314). If a successful response is sent from the first instance to the IoT device 230 (S315), the handshake is successful and the VPN tunnel is established.

In the above description, in establishing the GTP tunnel, a provisioning call is made to the second instance and then a provisioning call is made to the first instance, but an implementation in which the order is reversed is also conceivable. More generally, the first instance and the second instance included in the equipment of the communication infrastructure 220 on the cloud connected to the communication infrastructure 210 of the MNO include the first instance and the second instance. Send a first provisioning call to generate a GTP-U session between, put the first and second instances in a standby state, and from the first instance or the second instance, GTP- It suffices if the source address of the U session can be received.

When the session generation request is transmitted from a device other than the IoT device 230 to the connection device 200, the response to the request is transmitted to the device other than the IoT device 230. If a secret line is established between a device other than the IoT device 230 and the IoT device 230, the connection information can be transmitted to the IoT device 230 through the secret line to perform device provisioning, so that the connection information can be obtained. It can be said that it is transmitted from the connection device 200 to the IoT device 230.

Further, at the time of handshaking, a temporary credential may be generated by using the credential stored in the first instance or the corresponding credential and stored in the first instance. In this case, in the first instance, the temporary credential is associated with the source address. Similarly, the temporary credentials are stored in the IoT device 230. Further, for example, a temporary key may be generated at the time of the first handshake, and in the first instance, in addition to associating the key with the source address, the temporary key may be associated with the key. Credentials are related.

Data transmission / reception FIG. 4 shows a flow of data transmission in a communication service for accessing an IP network according to the first embodiment of the present invention.

First, the IoT device 230 encapsulates the IP packet encrypted by the credential stored in the IoT device 230 or the temporary credential into the VPN packet and transmits it to the first instance (S401). The VPN packet includes an encrypted IP packet and VPN session information about the VPN session. The VPN session information includes a source address or a temporary key associated with it.

Upon receiving the VPN packet, the first instance obtains and encrypts the credential or temporary credential corresponding to the source address included in the VPN session information or the temporary key associated with the source address. Attempts to decrypt the IP packet (S402).

The routing information may be set in the IoT device 230 at the time of device provisioning in the session generation process. More specifically, even if the IoT device 230 determines whether or not to pass through the VPN tunnel according to the destination address of the encrypted IP packet sent from the IoT device 230 after the end of the GTP tunnel. good.

Next, the first instance has one or more source addresses and each source address held in the first instance based on the source address included in the header of the decrypted IP packet. The second instance to be the destination is determined by referring to the association with the destination of the assigned GTP session (S403). Then, the first instance transmits a GTP packet having the decrypted IP packet as the GTP payload to the determined second instance (S404). This terminates the VPN tunnel.

In the second instance, the GTP header is removed from the received GTP packet, and the IP packet which is the GTP payload is transmitted to the IP network outside or inside the communication infrastructure 220 of the MVNO (S405). The GTP header contains an ID, and the second instance can identify the source address by referring to the association between the ID stored in the second instance and the source address, and further, the device can identify the source address. The subscriber identifier can be transiently identified by referring to the association between the source address stored in the 200 and the subscriber identifier.

In this way, a secret line is provided on the IP network such as the Internet by the VPN tunnel, and the IoT device 230 connects the MVNO communication infrastructure 220 that performs data communication by the GTP protocol to the communication infrastructure 220 of the MVNO via the IP network without going through the wireless access network. Can be connected.

Although the transmission of data is shown in FIG. 4, the communication infrastructure 220 of the MVNO is as follows when receiving data from the IP network. When an IP packet addressed to the IoT device 230 arrives for the second instance, the GTP-U session corresponding to the address of the destination IoT device 230 is specified, and a GTP header is added to the IP packet. Send to the first instance. Then, in the first instance, the GTP header is removed from the received GTP packet, and the IP packet information addressed to the IoT device 230 is obtained. The corresponding VPN session is identified from the destination address of the IP packet, and the IP packet is encapsulated in the VPN packet using the credential or temporary credential corresponding to the temporary key associated with the VPN session, and the VPN It transmits to the IoT device 230 via the tunnel. The IoT device 230 acquires the credential corresponding to the temporary key associated with the received VPN packet based on the VPN session information or the temporary credential, decrypts the encrypted IP packet, and performs IP. Process the packet.

200 Equipment 201 Communication unit 202 Processing unit 203 Storage unit 204 Database 210 Communication infrastructure of MNO 220 Communication infrastructure connected to the communication infrastructure of MNO

Claims (3)

In the meantime, the IoT device becomes an IP network using the communication infrastructure on the cloud that has the first instance and the second instance in which the GTP-U session was generated and is connected to the communication infrastructure of MNO. It is a method of providing communication services for access,
A step in which the first instance receives a VPN packet from the IoT device, which encapsulates an IP packet encrypted by a credential stored in the IoT device or a temporary credential.
A step in which the first instance obtains a credential or a temporary credential corresponding to a source address or a temporary key contained in the VPN packet to decrypt the encrypted IP packet.
The first instance is assigned one or more source addresses and each source address held in the first instance based on the source address contained in the header of the decrypted IP packet. With reference to the association with the destination of the GTP session, the step of determining the second instance and
A step in which the first instance transmits a GTP packet having the decrypted IP packet as a GTP payload to the second instance.
The second instance includes removing the GTP header from the GTP packet and transmitting the IP packet, which is the GTP payload, to an IP network outside or inside the communication infrastructure . In the meantime, a GTP-U session was generated, and it is a program to execute the method of providing communication services for IoT devices to access the IP network to the communication infrastructure on the cloud connected to the communication infrastructure of MNO. So, the above method is
A step in which a first instance of the communication infrastructure receives a VPN packet from the IoT device, which is an IP packet encapsulated by a credential stored in the IoT device or a temporary credential.
A step in which the first instance obtains a credential or a temporary credential corresponding to a source address or a temporary key contained in the VPN packet to decrypt the encrypted IP packet.
The first instance is assigned one or more source addresses and each source address held in the first instance based on the source address contained in the header of the decrypted IP packet. A second instance of the communication infrastructure that can send IP packets to an IP network outside or inside the communication infrastructure, with reference to the association with the destination of the GTP session. And the step to determine
A step in which the first instance transmits a GTP packet having the decrypted IP packet as a GTP payload to the second instance.
Including . A communication infrastructure on the cloud connected to the MNO's communication infrastructure to provide communication services for IoT devices to access IP networks.
In the meantime, it has a first instance and a second instance in which a GTP-U session was generated.
The first instance receives a VPN packet from the IoT device that encapsulates an IP packet encrypted by a credential stored in the IoT device or a temporary credential, and a source included in the VPN packet. Obtain the credential or temporary credential corresponding to the address or temporary key to decrypt the encrypted IP packet and decrypt it.
The first instance is assigned one or more source addresses and each source address held in the first instance based on the source address contained in the header of the decrypted IP packet. With reference to the association with the destination of the GTP session, the second instance is determined, and the decrypted IP packet is used as the GTP payload for the second instance. Send and
The second instance removes the GTP header from the GTP packet and sends the IP packet, which is the GTP payload, to the IP network outside or inside the communication infrastructure .

Images