JPWO2018173099A1 - Gateway and relay method - Google Patents

Abstract

The server gateway (130) includes a filter table storage unit (133) that stores a filter table that can specify an authenticated source address, and an IPv6 communication unit that receives an IPv6 packet corresponding to IPv6 from the IPv6 Internet ( 131), the first INPUT filter unit (132) for determining whether or not the IPv6 address that is the source address of the IPv6 packet matches the authenticated source address, and the IPv6 address is the authenticated source An address conversion unit (137) that converts an IPv6 packet into an IPv4 packet corresponding to IPv4 and an IPv4 communication unit (140) that transmits the IPv4 packet to the IPv4 Internet when the addresses match.

Description

  The present invention relates to a gateway and a relay method, and more particularly to a gateway and a relay method that perform protocol conversion.

  With IoT (Internet of Things), it has become necessary to connect many devices that did not need to be connected to the Internet to the Internet. On the other hand, the IPv4 (Internet Protocol Version 4) address normally used for Internet connection has already been exhausted.

  The carrier (provider) side operates NAT (Network Address Translation) and distributes the local IPv4 address to the device side to deal with such a situation. However, such a countermeasure increases. There is a limit to one device.

  For this reason, the Internet connection has started using IPv6 (Internet Protocol Version 6), which has a large address space, instead of IPv4. On the other hand, the server to which the device is connected often remains IPv4, which is an obstacle to IPv6 migration.

  RFC 6877-464XLAT describes an architecture in which a user-side device having an IPv4 address can connect to a provider-side server having an IPv4 address via the Internet corresponding to IPv6.

  According to RFC 6877-464XLAT, a CLAT (customer-side translator) installed on the user side converts the private IPv4 address of the user side device into a global IPv6 address by an address translation technology compliant with RFC6145. Then, a provider-side translator (PLAT) installed on the provider side converts the global IPv6 address into a global IPv4 address by using an address translation technology compliant with RFC6146.

With such an architecture, communication between devices and servers to which only IPv4 addresses are assigned can be performed via the Internet corresponding to IPv6.
Even when an IPv6 address is assigned to a user-side device, a device that converts an IPv6 address into an IPv4 address is required on the provider side.

As a device for converting an IPv6 address into an IPv4 address, NAT64 conforming to RFC6146-Stateful NAT64 is used. The NAT 64 performs an operation similar to normal NAT. When the NAT 64 receives a packet from the IPv6 side, the NAT 64 creates a translation cache called a BIB (Binding Information Base) entry, records the original IPv6 address and the destination IPv4 address, and records the IPv6 header of the packet in the IPv4 header. Convert.
When the NAT 64 receives a packet from the IPv4 side, if the corresponding cache for conversion exists, the original IPv6 address described in the cache is extracted, and the IPv4 header is converted into an IPv6 header. If there is no translation cache, the NAT 64 discards the received IPv4 packet.

In this operation, the IPv6 side corresponds to the inside of the normal NAT, and the IPv4 side corresponds to the outside. In such a configuration, since the IPv6 side is the Internet, the NAT 64 can receive packets from an unspecified number of IPv6 addresses. If there is no restriction on the IPv6 side, the NAT64 tries to convert to an IPv4 address without restriction, and therefore, in addition to hardware resources such as the CPU (Central Processing Unit) and memory of the NAT64, the IPv4 address resource is wasted. It will be.
Even if resources are not wasted, NAT64 may be used as a platform when attacking other devices on the IPv4 side from the IPv6 Internet.

  In order to prevent unauthorized access to the network via NAT as described above, Patent Document 1 discloses authentication using the model names (manufacturer name and product model name) of electronic devices connected to the local network. A router is described that does not translate private addresses in the local network into global addresses until successful.

Patent Document 2 describes a technique for authenticating a terminal connected to a local network and transmitting the packet of the terminal to the IPv4 network via the IPv6 network.
In the technique described in Patent Document 2, the authentication server authenticates the terminal connected to the local network, and when the authentication is successful, the customer edge router connecting the local network and the IPv6 network is connected to the IPv6 network. The address of the border router that connects the network and the IPv4 network is notified as the end point address. The customer edge router notified of the end point address encapsulates the IPv4 packet received from the terminal with the IPv6 header, and transmits the encapsulated IPv6 packet to the end point address. The border router determines that the packet that has reached the end point address is a packet from a legitimate user, and performs decapsulation and transfer without performing authentication.

JP 2010-283553 A JP 2012-191453 A

  The router described in Patent Document 1 restricts access from the local network to the global network, and performs authentication using the model name of the electronic device, and obtains the model name of the electronic device. If it cannot, authentication cannot be performed.

Since the border router described in Patent Document 2 does not receive an authentication result, it cannot dynamically block and release communication according to the authentication result.
In the technique described in Patent Document 2, it is not premised that the IPv6 network is closed within a circuit provider or ISP (Internet Service Provide) and is open to the unspecified number. For this reason, the technique described in Patent Document 2 does not assume that the border router itself is attacked.
Furthermore, as a protocol for communicating IPv4 packets via an IPv6 network, the technique described in Patent Document 2 is based on the assumption that tunneling is used, and the use of NAT is not considered.
In addition, the authentication server described in Patent Document 2 has a first purpose of returning a communication destination address, and does not have an accounting concept such as start and stop of communication.

  Therefore, an object of the present invention is to allow only authorized devices to access the second network via the first network.

  The gateway according to one aspect of the present invention is connected to a first network corresponding to the first protocol and a second network corresponding to a second protocol different from the first protocol, and the first protocol And a gateway that performs protocol conversion between the second protocol, a filter information storage unit that stores filter information that can identify an authenticated source address, and the first network, The first communication unit that receives the first packet corresponding to the first protocol and the first source address that is the source address of the first packet match the authenticated source address. A filter unit for determining whether or not the first transmission source address matches the authenticated transmission source address. A conversion unit that converts a packet into a second packet that corresponds to the second protocol, and a second communication unit that transmits the second packet to the second network. .

  In the relay method according to one aspect of the present invention, a first packet corresponding to the first protocol is received from a first network corresponding to the first protocol, and a transmission source address of the first packet is The first packet is converted to a second packet corresponding to a second protocol different from the first protocol when the authenticated source address is matched, and the second packet is converted to the second packet It transmits to the 2nd network corresponding to a 2nd protocol, It is characterized by the above-mentioned.

  According to one aspect of the present invention, by controlling access from the first network to the second network, only authorized devices access the second network via the first network. be able to.

It is a block diagram which shows roughly the structure of the communication system which concerns on Embodiment 1 and Embodiment 3. FIG. It is a block diagram which shows roughly the structure of the server gateway in Embodiment 1 and Embodiment 3. FIG. 4 is a schematic diagram showing an IPv6 address converted from an IPv4 address in Embodiment 1. FIG. (A) And (B) is a block diagram which shows the hardware structural example. 6 is a block diagram schematically showing a communication system according to a first modification of the first embodiment. FIG. 7 is a block diagram schematically showing a communication system according to a second modification of the first embodiment. FIG. 7 is a block diagram schematically showing a communication system according to a third modification of the first embodiment. FIG. FIG. 10 is a block diagram schematically showing a communication system according to a fourth modification example of the first embodiment. 3 is a block diagram schematically showing a configuration of a communication system according to a second embodiment. FIG. FIG. 10 is a block diagram schematically showing a configuration of a server gateway in the second embodiment. FIG. 10 is a block diagram schematically showing a communication system according to a modified example of the second embodiment. It is a block diagram which shows roughly the structure of the server gateway in the modification of Embodiment 2. FIG. FIG. 10 is a sequence diagram illustrating IPv6 filter control by an account protocol in the third embodiment. FIG. 10 is a block diagram schematically showing a configuration of a communication system according to a fourth embodiment. FIG. 10 is a block diagram schematically showing a configuration of a server gateway in a fourth embodiment. FIG. 20 is a sequence diagram showing IPv6 filter control by an account protocol in the fourth embodiment. 12 is a block diagram schematically showing a configuration of a communication system according to a modification of the fourth embodiment. FIG. 10 is a block diagram schematically showing a configuration of a server gateway in a modification of the fourth embodiment.

Embodiment 1 FIG.
FIG. 1 is a block diagram schematically showing a configuration of a communication system 100 according to the first embodiment.
The communication system 100 includes a device 110, an IoT gateway 120, a server gateway 130, and a server 150.
The IoT gateway 120 and the server gateway 130 are connected to the IPv6 Internet 101, which is the Internet compliant with IPv6, and the server gateway 130 and the server 150 are connected to the IPv4 Internet 102, which is the Internet compliant with IPv4.

  Here, IPv6 is also referred to as a first protocol, IPv4 as a second protocol, IPv6 Internet 101 as a first network, and IPv4 Internet 102 as a second network.

The device 110 performs communication according to IPv4. The device 110 may be anything as long as it is connected to the network. For example, the device 110 is any information processing device such as a PC (Personal Computer), home appliances such as a television, a refrigerator, a washing machine, and an air conditioner, and a sensor device that detects physical quantities such as temperature, humidity, and speed. .
The IoT gateway 120 performs protocol conversion between IPv4 and IPv6. For example, the IoT gateway 120 performs conversion between the private IPv4 address of the device 110 and the global IPv6 address by an address conversion technique compliant with RFC6145.
The server gateway 130 performs protocol conversion between IPv4 and IPv6. For example, the server gateway 130 performs conversion between a global IPv6 address and a global IPv4 address by using an address conversion technique compliant with RFC6146. Note that the method of relaying packets by the server gateway 130 is the relay method in the first embodiment.
The server 150 performs communication according to IPv4.

FIG. 2 is a block diagram schematically showing the configuration of the server gateway 130 in the first embodiment.
The server gateway 130 includes an IPv6 communication unit 131, a first INPUT filter unit 132, a filter table storage unit 133, an authentication processing unit 134, an authentication database (hereinafter referred to as an authentication DB) 135, an account database (hereinafter referred to as an account DB). 136), an address conversion unit 137, a BIB storage unit 138, a first OUTPUT filter unit 139, an IPv4 communication unit 140, a second INPUT filter unit 141, and a second OUTPUT filter unit 142.

The IPv6 communication unit 131 communicates with the IPv6 Internet 101. For example, the IPv6 communication unit 131 receives an IPv6 packet corresponding to IPv6 from the IPv6 Internet 101, and provides the IPv6 packet to the first INPUT filter unit 132.
Here, the IPv6 packet received by the IPv6 communication unit 131 is also referred to as a first packet, and the IPv6 communication unit 131 is also referred to as a first communication unit.

The first INPUT filter unit 132 performs a filtering process on the IPv6 packet given from the IPv6 communication unit 131.
For example, the first INPUT filter unit 132 is initially set so as not to pass all packets except for an authentication account packet that is a packet used for authentication and account creation. The first INPUT filter unit 132 passes the authentication account packet unconditionally.
When the authentication is successful, the IPv6 address that passes through the first INPUT filter unit 132 is registered in the filter table stored in the filter table storage unit 133. For this reason, the first INPUT filter unit 132 determines whether or not the source IPv6 address matches that registered in the filter table for IPv6 packets other than the authentication account packet, and passes only when they match. . Note that the first INPUT filter unit 132 discards the IPv6 packet if they do not match.

The authentication account packet that has passed through the first INPUT filter unit 132 is given to the authentication processing unit 134, and the IPv6 packet other than the authentication account packet that has passed through the first INPUT filter unit 132 is sent to the address conversion unit 137. Given.
In addition, the first INPUT filter unit 132 prepares for an authentication and account attack (brute force attack, etc.) and does not pass the authentication account packet unconditionally, so that the authentication account packet is set to a predetermined reception rate or less. May be thinned out.
The first INPUT filter unit 132 is also simply referred to as a filter unit.

The filter table storage unit 133 stores a filter table for registering an IPv6 address that the first INPUT filter unit 132 passes when authentication is successful. The IPv6 address registered in the filter table is an authenticated source address.
Here, the filter table is also referred to as filter information, and the filter table storage unit 133 is also referred to as a filter information storage unit.

The authentication processing unit 134 is a processing unit that performs authentication of the transmission source and creation of an account for communication with the transmission source based on the authentication account packet that has passed through the first INPUT filter unit 132.
Authentication protocols include, but are not limited to, RADIUS (Remote Authentication Dial In User Service), DIAMETER and TACACS +, which are successors of RADIUS.

When starting IPv6 communication with the server gateway 130, the IoT gateway 120 transmits an authentication request packet as an authentication account packet.
As an option of the authentication request packet, identification information of the device 110 that is connected to the IoT gateway 120 and that is an IPv4 device to transmit a packet from now on is added. As this identification information, information obtained by converting the IPv4 address of the device 110 into an IPv6 address by the IoT gateway is used.

FIG. 3 is a schematic diagram showing an IPv6 address converted from the IPv4 address of the device 110.
The IPv6 address 160 includes an IPv6 prefix 160a and an interface identifier 160b.
The IPv6 prefix 160a indicates a position in the network. For this reason, in many cases, the IPv6 address 160 can specify the position of the IoT gateway 120 in the IPv6 Internet 101 using only the IPv6 prefix 160a.
The interface identifier 160b is used to identify individual devices in the local network. An IPv4 address before being converted to an IPv6 address can be optionally added to the lower 32 bits of the interface identifier 160b.
If an option cannot be added to the authentication request packet, the identification information (IPv4 address) of the device 110 may be omitted.

Returning to FIG. 2, when the authentication request packet is received from the first INPUT filter unit 132, the authentication processing unit 134 refers to the authentication DB 135 and determines whether or not the authentication is successful. For example, when the IPv6 address of the device 110 or the IoT gateway 120 is included in the authentication request packet, the authentication processing unit 134 determines whether authentication is successful for this IPv6 address.
Then, the authentication processing unit 134 responds the determination result to the IoT gateway 120 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131. For example, if the authentication is successful, the authentication processing unit 134 responds with an authentication success packet indicating the success of authentication, and if the authentication is not successful, returns an authentication failure packet indicating the authentication failure.

  The authentication processing unit 134 releases the filter of the first INPUT filter unit 132 of the server gateway 130 when transmitting the authentication success packet to the IoT gateway 120. When releasing the filter of the first INPUT filter unit 132, a record that can specify the IPv6 address so as to pass the IPv6 address that is the source address of the device 110, which is added to the option of the authentication request packet (Item) is registered (added) to the filter table stored in the filter table storage unit 133.

If there is no option in the authentication request packet, the authentication processing unit 134 may release the filter of the first INPUT filter unit 132 of the server gateway 130 for the IPv6 address prefix of the IoT gateway 120 when authentication is successful. The IPv6 address of the IoT gateway 120 can be obtained from the source address of the authentication request packet. In such a case, the authentication processing unit 134 registers the IPv6 prefix of the IoT gateway 120 that has been successfully authenticated in the filter table. As a result, all IPv6 packets whose source IPv6 address is the IPv6 prefix pass through the first INPUT filter unit 132 of the server gateway 130. In this case, packets from all the devices 110 that communicate via the IoT gateway 120 can pass through the server gateway 130.
In other words, the record registered in the filter table may indicate the IPv6 address itself, or may indicate the prefix of the IPv6 address.

  The authentication DB 135 is an authentication data storage unit that stores authentication data that is data for authentication. It is assumed that data predetermined according to the authentication protocol is stored as the authentication data.

  The account DB 136 stores account information indicating the start, continuation, and stop of communication. For example, when communication with the IoT gateway 120 is started, the authentication processing unit 134 stores the communication start time in the account DB 136 in association with the IPv6 address of the IoT gateway 120 as account information, and continues communication. In this case, as account information, the communication continuation time (update time) is stored in the account DB 136 in association with the IPv6 address of the IoT gateway 120, and when the communication is stopped, the communication stop time is set as the account information. It is stored in the account DB 136 in association with the IPv6 address of the gateway 120.

Upon receiving an IPv6 packet other than the authentication account packet from the first INPUT filter unit 132, the address conversion unit 137 converts the IPv6 packet into an IPv4 packet. In other words, the address conversion unit 137 converts the IPv6 packet into an IPv4 packet when the source address of the IPv6 packet other than the authentication account packet matches the authenticated source address. The converted IPv4 packet is also referred to as a second packet. Further, the source address of an IPv6 packet other than the authentication account packet is also referred to as a first source address.
For example, the address conversion unit 137 converts an IPv6 packet into an IPv4 packet by converting a global IPv6 address and a global IPv4 address by an address conversion technique based on RFC6146. Here, the IPv4 address converted by the address conversion unit 137 is also referred to as a second transmission source address.
Further, the address conversion unit 137 records an entry including the original IPv6 address and the destination IPv4 address in the BIB stored in the BIB storage unit 138 in accordance with RFC6146.
The IPv4 packet converted in this way is given to the first OUTPUT filter unit 139.

The BIB storage unit 138 stores a BIB that conforms to RFC6146.
When a packet being communicated is interrupted for a certain time, the corresponding entry of the BIB stored in the BIB storage unit 138 times out. In this case, since it is not necessary to register the filter table in the first INPUT filter unit 132, the authentication processing unit 134 may delete the related record in the filter table in conjunction with the deletion of the entry in the BIB.
In other words, when the address conversion unit 137 does not perform conversion between the IPv6 packet and the IPv4 packet for a predetermined period, the authentication processing unit 134 deletes the corresponding record from the filter table.

  The first OUTPUT filter unit 139 performs a filtering process on the IPv4 packet given from the address translation unit 137. In the first embodiment, the first OUTPUT filter unit 139 passes all the IPv4 packets and gives them to the IPv4 communication unit 140. For this reason, in Embodiment 1, the 1st OUTPUT filter part 139 does not need to be provided.

The IPv4 communication unit 140 performs communication with the IPv4 Internet 102. For example, the IPv4 communication unit 140 transmits the IPv4 packet given from the first OUTPUT filter unit 139 to the server 150.
Here, the IPv4 communication unit 140 is also referred to as a second communication unit.

  The second INPUT filter unit 141 performs a filtering process on the IPv4 packet given from the IPv4 communication unit 140. In the first embodiment, the second INPUT filter unit 141 passes all IPv4 packets and gives them to the address translation unit 137. For this reason, in Embodiment 1, the 2nd INPUT filter part 141 does not need to be provided.

  The second OUTPUT filter unit 142 performs a filtering process on the IPv6 packet given from the address conversion unit 137 and the authentication processing unit 134. In the first embodiment, the second OUTPUT filter unit 142 passes all IPv6 packets and gives them to the IPv6 communication unit 131. For this reason, in Embodiment 1, the 2nd OUTPUT filter part 142 does not need to be provided.

  One of the IPv6 communication unit 131, the first INPUT filter unit 132, the authentication processing unit 134, the address conversion unit 137, the first OUTPUT filter unit 139, the IPv4 communication unit 140, the second INPUT filter unit 141, and the second OUTPUT filter unit 142 described above. For example, as shown in FIG. 4A, a part or all of a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, an ASIC (Application Specific Integrated Circuits) or an FPGA (Field Programmable) (Gate Array) or the like.

  The IPv6 communication unit 131, the first INPUT filter unit 132, the authentication processing unit 134, the address conversion unit 137, the first OUTPUT filter unit 139, the IPv4 communication unit 140, the second INPUT filter unit 141, and a part of the second OUTPUT filter unit 142 are For example, as shown in FIG. 4B, the memory 11 and a processor 12 such as a CPU (Central Processing Unit) that executes a program stored in the memory 11 may be used. Such a program may be provided through a network, or may be provided by being recorded on a recording medium. That is, such a program may be provided as a program product.

  The filter table storage unit 133, the authentication DB 135, and the account DB 136 can be configured by a non-volatile memory (not shown).

  As described above, according to the first embodiment, it is possible to control an unspecified number of connections from the IPv6 Internet 101 and permit only the permitted device 110 to communicate via the IPv6 Internet 101. Thereby, the server gateway 130 which is a relay apparatus can be protected from an unspecified number of attacks.

The source IPv4 address recognized by the server 150 connected to the IPv4 Internet 102 is the IPv4 address of the server gateway 130, and the address information of the device 110 corresponding to IPv4 behind the IoT gateway 120. Is lost and the actual communication partner is unknown.
However, according to Embodiment 1, since the IPv6 address converted from the IPv4 address of the device 110 remains in the account information as an account log, the account information can be used for analysis when a problem occurs later.

In FIG. 1, the server 150 is connected to the IPv4 Internet 102, but the first embodiment is not limited to such an example.
For example, as in the communication system 100 # 1 shown in FIG. 5, for example, the server gateway 130 # 1 and the server 150 # 1 are installed at the same location, and the server gateway 130 # 1 and the server 150 # 1 are installed. May be connected via a LAN (Local Area Network) 103.
In such a case, the address translation unit 137 # 1 (see FIG. 2) of the server gateway 130 # 1 translates the global IPv6 address and the local IPv4 address.

1 shows a communication system 100 compliant with RFC6877-464XLAT, but the first embodiment is not limited to the communication system 100 compliant with RFC6877-464XLAT.
For example, as shown in FIG. 6, a device 110 # 1 that performs communication corresponding to IPv6 may be connected to the IPv6 Internet 101.
In such a case, the destination IPv6 address when the device 110 # 1 connects to the server 150 is as shown in FIG. For example, the IPv6 prefix 160a of the upper bit specifies the IPv6 address prefix of the server gateway 130, and the IPv4 address of the server 150 to be connected to the lower bit IPv4 address.

In the communication system 100 # 2 shown in FIG. 6, the device 110 # 1 itself corresponding to IPv6 needs to have the authentication function of the server gateway 130 and the client function of the account.
However, when the device 110 # 2 corresponding to IPv6 is connected to the IoT gateway 120 # 1 as in the communication system 100 # 3 shown in FIG. 7, the device 110 # 2 is connected to the server gateway. There is no need to have 130 authentication and account client functions. In such a case, the IoT gateway 120 # 1 has a function of performing processing corresponding to the DNS 64 in addition to the server gateway 130 authentication and account client functions. In other words, the IoT gateway 120 # 1 relays the name resolution request when the device 110 # 2 compatible with IPv6 performs name resolution of the server 150 compatible with IPv4. Upon receiving the name resolution response from the outside, the IoT gateway 120 # 1 rewrites the IPv4 address of the response result with the IPv6 address 160 in the format shown in FIG. 3, and transfers it to the device 110 # 2. That is, in the configuration shown in FIG. 7, the IoT gateway 120 # 1 performs the processing in the first embodiment, and the device 110 # 2 only needs to perform an operation according to the standard IPv6.

In the communication system 100 illustrated in FIG. 1, one server gateway 130 is provided, but the number of server gateways 130 in the first embodiment is not limited to one. A plurality of server gateways 130A and 130B may be provided as in the communication system 100 # 4 illustrated in FIG.
In such a case, it is assumed that the IoT gateway 120 # 2 knows the IPv6 addresses of the plurality of server gateways 130A and 130B in advance.

Then, the IoT gateway 120 # 2 transmits an authentication request packet to the server gateway 130A before starting communication with the server gateway 130A.
Even when the received authentication request packet is from the normal IoT gateway 120 # 2, the server gateway 130A is not able to manage the server because of the number of registered BIB entries, the number of registered filter tables, the CPU load, and the traffic volume. If it is determined that the load on the gateway 130A is high, a rejection response may be returned.

Next, the IoT gateway 120 # 2 whose authentication request is rejected transmits the request to the other server gateway 130B. If there is no response from the server gateway 130A, the IoT gateway 120 # 2 retransmits the specified number of times, and if there is no response, the IoT gateway 120 # 2 transmits a request to the other server gateway 130B.
If there is a success response from the server gateway 130B, the IoT gateway 120 # 2 starts communication with the server gateway 130B.

By the operation as described above, it is possible to simultaneously perform duplexing and load balancing in preparation for failure of the server gateways 130A and 130B.
The order in which the IoT gateway 120 # 2 selects the server gateways 130A and 130B is preferably a random order in order to avoid load concentration.

Embodiment 2. FIG.
In the first embodiment, the server gateway 130 authenticates the IoT gateway 120, but an external authentication server may perform authentication.
FIG. 9 is a block diagram schematically showing a configuration of the communication system 200 according to the second embodiment.
The communication system 200 includes a device 110, an IoT gateway 120, a server gateway 230, a server 150, and an authentication server 270.
The communication system 200 according to the second embodiment is configured in the same manner as the communication system 100 according to the first embodiment except for the server gateway 230 and the authentication server 270.

The IoT gateway 120, the server gateway 230, and the authentication server 270 are connected to the IPv6 Internet 101, and the server gateway 230 and the server 150 are connected to the IPv4 Internet 102.
Note that the method of relaying packets by the server gateway 230 is the relay method in the second embodiment.

FIG. 10 is a block diagram schematically showing the configuration of the server gateway 230 in the second embodiment.
The server gateway 230 includes an IPv6 communication unit 131, a first INPUT filter unit 132, a filter table storage unit 133, an authentication processing unit 234, an account DB 136, an address conversion unit 137, a BIB storage unit 138, and a first OUTPUT filter. Unit 139, IPv4 communication unit 140, second INPUT filter unit 141, and second OUTPUT filter unit 142.
IPv6 communication unit 131, first INPUT filter unit 132, filter table storage unit 133, account DB 136, address conversion unit 137, BIB storage unit 138, first OUTPUT filter unit 139, IPv4 communication unit 140 of server gateway 230 in the second embodiment. The second INPUT filter unit 141 and the second OUTPUT filter unit 142 are configured in the same manner as the corresponding parts of the server gateway 130 in the first embodiment.

Based on the authentication account packet that has passed through the first INPUT filter unit 132, the authentication processing unit 234 causes the authentication server 270 to perform authentication of the IoT gateway 120 and creates an account. The account creation is the same as in the first embodiment.
For example, when receiving the authentication request packet from the first INPUT filter unit 132, the authentication processing unit 234 transfers the authentication request packet to the authentication server 270 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131.

The authentication server 270 refers to an authentication database (not shown) and determines whether or not the authentication is successful. For example, when the IPv6 address of the device 110 or the IoT gateway 120 is included in the authentication request packet, the authentication server 270 determines whether or not the authentication is successful for this IPv6 address.
Then, the authentication server 270 responds to the server gateway 230 with the determination result. For example, if the authentication is successful, the authentication server 270 responds with an authentication success packet indicating the success of the authentication, and if the authentication fails, the authentication server 270 returns an authentication failure packet indicating the authentication failure.

When the authentication processing unit 234 receives the authentication success packet and the authentication failure packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 234 sends these packets to the IoT through the second OUTPUT filter unit 142 and the IPv6 communication unit 131. Transmit to the gateway 120.
Here, the authentication processing unit 234 releases the filter of the first INPUT filter unit 132 of the server gateway 230 when transmitting the authentication success packet to the IoT gateway 120.

  As described above, in the second embodiment, the server gateway 230 can cause the external authentication server 270 to perform authentication processing.

  In the communication system 200 according to the second embodiment, the authentication server 270 is connected to the IPv6 Internet 101. However, like the communication system 200 # 1 shown in FIG. 11, the authentication server 270 # 1 is connected to the IPv4 Internet. 102 may be connected.

FIG. 12 is a block diagram schematically showing a configuration of server gateway 230 # 1 in a modification of the second embodiment.
The server gateway 230 # 1 includes an IPv6 communication unit 131, a first INPUT filter unit 132, a filter table storage unit 133, an authentication processing unit 234 # 1, an account DB 136, an address conversion unit 137, and a BIB storage unit 138. The first OUTPUT filter unit 139, the IPv4 communication unit 140, the second INPUT filter unit 141, and the second OUTPUT filter unit 142 are provided.
IPv6 communication unit 131, first INPUT filter unit 132, filter table storage unit 133, account DB 136, address conversion unit 137, BIB storage unit 138, first OUTPUT filter unit 139 of server gateway 230 # 1 in the modification of the second embodiment, The IPv4 communication unit 140, the second INPUT filter unit 141, and the second OUTPUT filter unit 142 are configured in the same manner as the corresponding parts of the server gateway 130 in the first embodiment.

Upon receiving the authentication request packet from the first INPUT filter unit 132, the authentication processing unit 234 # 1 transfers the authentication request packet to the authentication server 270 # 1 via the first OUTPUT filter unit 139 and the IPv4 communication unit 140.
When the authentication processing unit 234 # 1 receives the authentication success packet and the authentication failure packet via the IPv4 communication unit 140 and the second INPUT filter unit 141, the authentication processing unit 234 # 1 passes these packets to the second OUTPUT filter unit 142 and the IPv6 communication unit 131. To the IoT gateway 120.
Here, the authentication processing unit 234 # 1 releases the filter of the first INPUT filter unit 132 of the server gateway 230 when transmitting the authentication success packet to the IoT gateway 120.

  Note that the modification described with reference to FIGS. 5 to 8 can also be applied to the second embodiment.

Embodiment 3 FIG.
In the first embodiment, when the authentication is successful, the filter of the first INPUT filter unit 132 of the server gateway 130 is released. In this case, there is a problem of when the release of the filter is canceled and the IPv6 packet from the designated IoT gateway 120 can be discarded.
Therefore, in the third embodiment, a method for releasing a filter at the start of an account, not at the time of successful authentication will be described.

As illustrated in FIG. 1, the communication system 300 according to the third embodiment includes a device 110, an IoT gateway 120, a server gateway 330, and a server 150.
The communication system 300 according to the third embodiment is configured in the same manner as the communication system 100 according to the first embodiment except for the server gateway 330.

As shown in FIG. 2, the server gateway 330 in the third embodiment includes an IPv6 communication unit 131, a first INPUT filter unit 132, a filter table storage unit 133, an authentication processing unit 334, an authentication DB 135, An account DB 136, an address conversion unit 137, a BIB storage unit 138, a first OUTPUT filter unit 139, an IPv4 communication unit 140, a second INPUT filter unit 141, and a second OUTPUT filter unit 142 are provided.
The server gateway 330 in the third embodiment is configured in the same manner as the server gateway 130 in the first embodiment except for the authentication processing unit 334.
Note that the method of relaying packets by the server gateway 330 is the relay method in the third embodiment.

  The authentication processing unit 334 in the third embodiment performs authentication of the IoT gateway 120 and creation of an account based on the authentication account packet that has passed through the first INPUT filter unit 132, as in the authentication processing unit 134 in the first embodiment. Do. However, the authentication processing unit 334 according to the third embodiment performs the release of the filter of the first INPUT filter unit 132 and the stop of the release according to the start and stop of the account.

  For example, when an account is created based on an account start request packet that is an authentication account packet, the authentication processing unit 334 can specify an IPv6 address that is a transmission source address of the start request packet. Is registered in the filter table. Then, when the account is stopped based on the account stop request packet, which is an authentication account packet, the authentication processing unit 334 displays a record corresponding to the IPv6 address that is the source address of the stop request packet. Delete from.

  Note that any authentication protocol used by the authentication processing unit 334 has an account function. The authentication protocol account function records the start and stop of communication, and is generally used for communication metering.

FIG. 13 is a sequence diagram illustrating IPv6 filter control according to the account protocol in the third embodiment.
The IoT gateway 120 that has detected the start of communication with the external server 150 by the subordinate device 110 transmits an account protocol start request packet to the server gateway 330 (S10).
In the server gateway 330, when the first INPUT filter unit 132 receives the start request packet via the IPv6 communication unit 131, the first INPUT filter unit 132 gives it to the authentication processing unit 334 (S11).

  If the identification information of the requester included in the start request packet is correct, the authentication processing unit 334 records the start of communication in the account DB 136 in association with the identification information (S12). The identification information of the account requester is the IPv6 address of the device 110 or the IPv6 address of the IoT gateway 120.

The authentication processing unit 334 that has successfully recorded the start of the account returns a success response packet to the IoT gateway 120 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131 (S13).
Also, the authentication processing unit 334 releases the filter of the first INPUT filter unit 132 by registering a record indicating identification information in the filter table stored in the filter table storage unit 133 (S14).

The IoT gateway 120 that has received the success response packet in response to the account start request packet converts the packet from the subordinate device 110 into an IPv6 packet, and starts relaying to the server gateway 330 (S15).
While the communication of the device 110 continues, the IoT gateway 120 periodically transmits an account update request packet to the server gateway 330 (S16).

In the server gateway 330, when the first INPUT filter unit 132 receives the update request packet via the IPv6 communication unit 131, it gives it to the authentication processing unit 334 (S17).
The authentication processing unit 334 records the continuation of communication corresponding to the requester identification information included in the update request packet in the account DB 136 (S18). Thereby, the release of the filter of the first INPUT filter unit 132 is maintained.
Then, the authentication processing unit 334 returns a success response packet to the IoT gateway 120 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131 (S19).

The IoT gateway 120 that determines that the communication from the subordinate device 110 has ended transmits an account stop request packet to the server gateway 330 (S20).
In the server gateway 330, when the first INPUT filter unit 132 receives the stop request packet via the IPv6 communication unit 131, the first INPUT filter unit 132 gives it to the authentication processing unit 334 (S17).
The authentication processing unit 334 records the communication stop corresponding to the requester identification information included in the stop request packet in the account DB 136 (S22).
Then, the authentication processing unit 334 returns a success response packet to the IoT gateway 120 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131 (S23).

  In addition, the authentication processing unit 334 deletes the record indicating the requester's identification information included in the stop request packet from the filter table stored in the filter table storage unit 133, so that the filter of the first INPUT filter unit 132 has the filter. Release is stopped (S24).

  Even when the update request packet is not received from the IoT gateway 120 for a certain period after the account starts, the authentication processing unit 334 records the corresponding account suspension in the account DB 136 to stop communication and cope with it. The record indicating the identification information to be deleted is deleted from the filter table, and the release of the filter is stopped.

  Note that the modification described with reference to FIGS. 5 to 8 can also be applied to the third embodiment.

Embodiment 4 FIG.
In the third embodiment, the account is managed in the server gateway 330, but an account may be managed by an external account server.
FIG. 14 is a block diagram schematically showing a configuration of a communication system 400 according to the fourth embodiment.
The communication system 400 includes a device 110, an IoT gateway 120, a server gateway 430, a server 150, and an account server 480.
The communication system 400 according to the fourth embodiment is configured in the same manner as the communication system 100 according to the first embodiment except for the server gateway 430 and the account server 480.

The IoT gateway 120, the server gateway 430, and the account server 480 are connected to the IPv6 Internet 101, and the server gateway 430 and the server 150 are connected to the IPv4 Internet 102.
Note that the method of relaying packets by the server gateway 430 is the relay method in the fourth embodiment.

FIG. 15 is a block diagram schematically showing the configuration of the server gateway 430 in the fourth embodiment.
The server gateway 430 includes an IPv6 communication unit 131, a first INPUT filter unit 132, a filter table storage unit 133, an authentication processing unit 434, an authentication DB 135, an address conversion unit 137, a BIB storage unit 138, and a first OUTPUT filter. Unit 139, IPv4 communication unit 140, second INPUT filter unit 141, and second OUTPUT filter unit 142.
IPv6 communication unit 131, first INPUT filter unit 132, filter table storage unit 133, authentication DB 135, address conversion unit 137, BIB storage unit 138, first OUTPUT filter unit 139, IPv4 communication unit 140 of server gateway 430 in the fourth embodiment. The second INPUT filter unit 141 and the second OUTPUT filter unit 142 are configured in the same manner as the corresponding parts of the server gateway 130 in the first embodiment.

  The authentication processing unit 434 performs authentication based on the authentication account packet that has passed through the first INPUT filter unit 132 and causes the account server 480 to manage the account in communication with the IoT gateway 120. The authentication process is the same as in the first embodiment.

  When a packet being communicated is interrupted for a certain time, the corresponding entry of the BIB stored in the BIB storage unit 138 times out. In this case, since it is not necessary to register the filter table in the first INPUT filter unit 132, the authentication processing unit 434 may delete the related record in the filter table in conjunction with the deletion of the entry in the BIB. When the related record is deleted from the filter table, the authentication processing unit 434 notifies the account server 480 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131, and the account server 480 stops communication. Record.

FIG. 16 is a sequence diagram illustrating IPv6 filter control according to the account protocol in the fourth embodiment.
The IoT gateway 120 that has detected the start of communication with the external server 150 by the subordinate device 110 transmits an account protocol start request packet to the server gateway 430 (S30).
In the server gateway 430, when the authentication processing unit 434 receives the start request packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 434 transmits it to the account server via the second OUTPUT filter unit 142 and the IPv6 communication unit 131. Transfer to 480 (S31).

  If the requester identification information included in the start request packet is correct, the account server 480 records the start of communication in association with the identification information in an account database (not shown) (S32). The identification information of the account requester is the IPv6 address of the device 110 or the IPv6 address of the IoT gateway 120.

The account server 480 having successfully recorded the account start returns a success response packet to the account start request to the server gateway 430 (S33).
Upon receiving the success response packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 434 registers a record indicating identification information in the filter table stored in the filter table storage unit 133. The filter of the first INPUT filter unit 132 is released (S34).
Then, the authentication processing unit 434 transfers the success response packet to the IoT gateway 120 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131 (S35).

  The IoT gateway 120 that has received the success response packet in response to the account start request packet converts the packet from the subordinate device 110 into an IPv6 packet, and starts relaying to the server gateway 430 (S36).

While the communication of the device 110 continues, the IoT gateway 120 periodically transmits an account update request packet to the server gateway 430 (S37).
Upon receiving the update request packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 434 maintains a record corresponding to the identification information in the filter table stored in the filter table storage unit 133. Thus, the release of the filter of the first INPUT filter unit 132 is maintained (S38).
Then, the authentication processing unit 434 transfers the update request packet to the account server 480 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131 (S39).

The account server 480 records the continuation of communication corresponding to the requester identification information included in the update request packet in the account database (S40).
Then, the account server 480 returns a success response packet to the server gateway 430 (S41).
Upon receiving the success response packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 434 of the server gateway 430 sends the success response packet via the second OUTPUT filter unit 142 and the IPv6 communication unit 131. The data is transferred to the IoT gateway 120 (S42).

The IoT gateway 120 that determines that the communication from the subordinate device 110 has ended transmits an account stop request packet to the server gateway 430 (S43).
Upon receiving the stop request packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 434 of the server gateway 430 includes the stop request packet from the filter table stored in the filter table storage unit 133. The release of the filter of the first INPUT filter unit 132 is stopped by deleting the record indicating the requester identification information (S44).
Also, the authentication processing unit 434 transfers the stop request packet to the account server 480 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131 (S45).

The account server 480 records the communication stop corresponding to the identification information of the requester included in the stop request packet in the account database (S46).
Then, the account server 480 transmits a success response packet to the stop request to the server gateway 430 (S47).
Upon receiving the success response packet via the IPv6 communication unit 131 and the first INPUT filter unit 132, the authentication processing unit 434 of the server gateway 430 sends the success response packet via the second OUTPUT filter unit 142 and the IPv6 communication unit 131. The data is transferred to the IoT gateway 120 (S48).

  Even when the update request packet is not received from the IoT gateway 120 for a certain period after the account starts, the authentication processing unit 434 deletes the record indicating the corresponding identification information from the filter table and stops releasing the filter. In addition, a stop request packet is transmitted to the account server 480 via the second OUTPUT filter unit 142 and the IPv6 communication unit 131.

  As described above, in the fourth embodiment, accounts can be managed by the external account server 480.

  In the communication system 400 according to the fourth embodiment, the account server 480 is connected to the IPv6 Internet 101. Like the communication system 400 # 1 shown in FIG. 17, the account server 480 # 1 is connected to the IPv4 Internet. 102 may be connected.

FIG. 18 is a block diagram schematically showing a configuration of server gateway 430 # 1 in a modification of the fourth embodiment.
The server gateway 430 # 1 includes an IPv6 communication unit 131, a first INPUT filter unit 132, a filter table storage unit 133, an authentication processing unit 434 # 1, an authentication DB 135, an address conversion unit 137, and a BIB storage unit 138. The first OUTPUT filter unit 139, the IPv4 communication unit 140, the second INPUT filter unit 141, and the second OUTPUT filter unit 142 are provided.
IPv6 communication unit 131, first INPUT filter unit 132, filter table storage unit 133, authentication DB 135, address conversion unit 137, BIB storage unit 138, first OUTPUT filter unit 139 of server gateway 430 # 1 in the modification of the fourth embodiment, The IPv4 communication unit 140, the second INPUT filter unit 141, and the second OUTPUT filter unit 142 are configured in the same manner as the corresponding parts of the server gateway 130 in the first embodiment.

  Upon receiving the account start request packet, the update request packet, and the stop request packet from the first INPUT filter unit 132, the authentication processing unit 434 # 1 accounts for these packets via the first OUTPUT filter unit 139 and the IPv4 communication unit 140. Transfer to server 480 # 1.

When the authentication processing unit 434 # 1 receives the authentication success packet and the authentication failure packet via the IPv4 communication unit 140 and the second INPUT filter unit 141, the authentication processing unit 434 # 1 passes through the second OUTPUT filter unit 142 and the IPv6 communication unit 131. Are transferred to the IoT gateway 120.
Here, when transmitting the authentication success packet to the IoT gateway 120, the authentication processing unit 234 # 1 releases a filter by registering a record indicating identification information corresponding to the filter table.

Further, when transferring the update request packet, the authentication processing unit 434 # 1 maintains the release of the filter by maintaining a record indicating the corresponding identification information in the filter table.
Furthermore, when transferring the stop request packet, the authentication processing unit 434 # 1 stops the release of the filter by deleting the record indicating the corresponding identification information in the filter table.

Note that the modification described with reference to FIGS. 5 to 8 can also be applied to the fourth embodiment.
Also in the fourth embodiment, as in the second embodiment, an external authentication server can be authenticated.

  100, 100 # 1, 100 # 2, 100 # 3, 100 # 4, 200, 200 # 1, 300, 400, 400 # 1 communication system, 110, 110 # 1, 110 # 2 equipment, 120, 120 # 1 , 120 # 2 IoT gateway, 130, 130 # 1, 230, 230 # 1, 330, 430, 430 # 1 server gateway, 131 IPv6 communication unit, 132 first INPUT filter unit, 133 filter table storage unit, 134, 234 234 # 1, 334, 434, 434 # 1 Authentication processing unit, 135 Authentication DB, 136 Account DB, 137, 137 # 1 Address conversion unit, 138 BIB storage unit, 139 First OUTPUT filter unit, 140 IPv4 communication unit, 141 1st 2 INPUT filter section, 142 2OUTPUT filter unit, 150 and 150 # 1 server, 270, 270 # 1 authentication server, 480, 480 # 1 account server, 10 processing circuit, 11 a memory, 12 processor.

Claims (14)

A first network corresponding to the first protocol and a second network corresponding to a second protocol different from the first protocol are connected between the first protocol and the second protocol. A gateway for protocol conversion,
A filter information storage unit that stores filter information that can identify an authenticated source address;
A first communication unit that receives a first packet corresponding to the first protocol from the first network;
A filter unit that determines whether or not a first source address that is a source address of the first packet matches the authenticated source address;
A conversion unit that converts the first packet into a second packet corresponding to the second protocol when the first source address matches the authenticated source address;
And a second communication unit that transmits the second packet to the second network. The gateway according to claim 1, wherein the filter unit discards the first packet when the first transmission source address does not match the authenticated transmission source address. A processing unit that performs an authentication process based on the authentication request packet received by the first communication unit;
When the authentication unit succeeds in authenticating the transmission source of the authentication request packet, the processing unit includes, in the filter information, an item that can identify the transmission source address of the authentication request packet as the authenticated transmission source address. The gateway according to claim 1, wherein the gateway is added. A processing unit that transfers the authentication request packet received by the first communication unit from the first communication unit or the second communication unit to an authentication server that performs an authentication process;
When the authentication server succeeds in authenticating the transmission source of the authentication request packet in the authentication server, the processing unit includes an item that can specify a transmission source address of the authentication request packet as the authenticated transmission source address. The gateway according to claim 1, wherein the gateway is added to the filter information. The gateway according to claim 3 or 4, wherein the item indicates the source address of the authentication request packet. The gateway according to claim 3 or 4, wherein the item indicates a prefix of the source address of the authentication request packet. When the conversion unit converts the first packet into the second packet, the conversion unit converts the first transmission source address into a second transmission source address corresponding to the second protocol. The gateway according to any one of claims 3 to 6, wherein the gateway is converted into: When the conversion unit does not perform conversion between the first transmission source address and the second transmission source address for a predetermined period, the processing unit deletes the item from the filter information. The gateway according to claim 7. A processing unit that creates the account based on the account start request packet received by the first communication unit;
When the processing unit creates the account based on the start request packet, the processing unit adds, to the filter information, an item that can identify the source address of the start request packet as the authenticated source address The gateway according to claim 1 or 2, wherein: A processing unit that transfers the account start request packet received by the first communication unit from the first communication unit or the second communication unit to an account server that manages the account;
The processing unit, when the account is created based on the start request packet in the account server, an item that can specify a source address of the start request packet as the authenticated source address The gateway according to claim 1, wherein the gateway is added to the filter information. The gateway according to claim 9 or 10, wherein the item indicates the source address of the start request packet. The gateway according to claim 9 or 10, wherein the item indicates a prefix of the source address of the start request packet. The processing unit deletes the item from the filter information based on the account stop request packet received by the first communication unit. The listed gateway. Receiving a first packet corresponding to the first protocol from a first network corresponding to the first protocol;
When the source address of the first packet matches the authenticated source address, the first packet is changed to a second packet corresponding to a second protocol different from the first protocol. Converted,
The relay method according to claim 1, wherein the second packet is transmitted to a second network corresponding to the second protocol.

Images