KR102365775B1 - Billing-based routing processing system in distributed gateway environment and method therefor - Google Patents

Abstract

In accordance with one embodiment of the present disclosure, a node includes a communication circuit, a processor operatively connected with the communication circuit, and a memory operatively connected with the processor, and storing a connection control application. The memory can store instructions which, when executed by the processor, cause the node to: sense a network connection event for a destination network through the connection control application; check whether a data flow and a tunnel corresponding to the destination network and applied from an external server exist, through the connection control application; and transmit a data packet through the tunnel if the data flow and the tunnel exist. The tunnel is generated between the node and the gateway based on information received from the external server. The information received from the external server includes information about a corresponding tunnel and gateway when there is a data capacity connected to a cloud network and transmittable through data packet processing total-amount management, or includes information about a tunnel and gateway for the node to perform tunneling through a network other than the cloud network when there is no transmittable data capacity, among at least one tunnel and gateway listed by the external server. Therefore, the present invention is capable of enabling network expansion in accordance with the scale of use.

Description

BILLING-BASED ROUTING PROCESSING SYSTEM IN DISTRIBUTED GATEWAY ENVIRONMENT AND METHOD THEREFOR

Embodiments disclosed in this document relate to a billing reference routing processing system in a distributed gateway environment and a method therefor.

A distributed gateway environment based on a cloud network uses a cloud network to handle fast access even without using a dedicated line to solve the problem of inevitably slowing down when distributed terminals access a centralized destination network due to geographical restrictions. provide a way to

Cloud networks are made in the form of a cloud network by borrowing a network from a dedicated line operator, and are billed in units of data packets (Giga Byte, Tera Byte). If you need to handle predictable traffic differently from calculating the cost, you can pay more efficiently than renting a dedicated line.

However, in the case of multinational corporations or corporations with branches in various regions, the number of distributed gateways to manage increases, and data flow-based access based on the cost characteristics of cloud networks and tunnel routing technology that goes through one or more gateways Due to the characteristics of the control technology, when a data packet goes through various clouds from a transmission point to an arrival point, there is a characteristic that the cost is different for each section.

For example, if the edge gateway is in South Africa, the core gateway is in the US West region, and the destination network is in a specific city within the US West region, then the rates from South Africa to the US West and the rates from the West US to the specific city. must pay for each.

In the case of a leased line operator, since it manages all networks, it is possible to calculate and bill collectively, but in a cloud network, it is difficult to calculate and bill collectively. There is a problem in that it is difficult to calculate the cost because it has to be set at the exchange rate of the country when it is provided on a global service basis.

In particular, users who use a distributed gateway environment based on a cloud network generally have a limited range of budgets they can spend on a monthly or yearly basis. There is a need to manage the total amount of data packets available taking into account the cost-benefit point.

However, the network must guarantee connectivity at all times, and if the contract capacity of data packets that can be processed exceeds the contract capacity, the service cannot be provided, such as blocking network access. You will need a way to route them.

In addition, when traffic is contracted for each region, when the corresponding traffic is exceeded, when traffic remains in other regions, etc., a method is required so that the user can completely use all the contracted traffic.

Various embodiments disclosed in this document induce access to the cloud network by the total amount contracted (or data transmission possible) through regional billing policy and data packet processing total management in a distributed gateway environment based on a cloud network. It provides a method to secure transmission performance and maintain the inherent security inherent in data flow access control technology while inducing access to the general network when the contracted amount is exceeded.

In addition, various embodiments disclosed in this document provide a method for a user to efficiently use a cloud network by securing an automated billing and billing system for each cloud network section.

A node according to an embodiment disclosed herein comprises a communication circuit, a processor operatively coupled to the communication circuit, and a memory operatively coupled to the processor and storing a connection control application, the memory comprising: , when executed by the processor, the node detects, through the access control application, a network connection event to a destination network, and, through the access control application, a data flow corresponding to the destination network and authorized from an external server; check whether a tunnel exists, and if the data flow and tunnel exist, transmit a data packet through the tunnel, wherein the tunnel is created between the node and the gateway based on information received from the external server; The information received from the external server includes, among one or more tunnels and gateways listed by the external server, if there is a data capacity that can be transmitted through the data packet processing amount management after being connected to the cloud network, the corresponding tunnel and gateway information, or , or when there is no transmittable data capacity, tunnel and gateway information through which the node can tunnel to a network other than the cloud network may be included.

According to an embodiment, when the data capacity of the gateway exceeds the total data capacity transmittable through the data packet processing total amount management while the node is connected through the cloud network, the external server connects with the existing gateway and create a new tunnel between the node and the non-cloud network to switch to the non-cloud network in order to remove the tunnel of the node and maintain the connection between the node and the destination network.

According to an embodiment, in connecting the node to the cloud network, it is checked whether a path accessible to the cloud network exists among the paths accessible to the node, and there is a path accessible to the cloud network. , check whether a cloud network use contract exists based on the billing policy, and if the cloud network use contract exists, check whether available traffic exists based on the billing policy and billing table; When there is available traffic, establishing a cloud network standard tunnel path, and transmitting a set of information for creation of the tunnel to the node and the gateway, wherein the set of information includes tunnel identification information, a gateway Identification information may include a series of information for identifying a tunnel that the external server tried to create between the node and the gateway.

According to an embodiment, the cloud network reference tunnel path may include a path through which the node connects to a gateway having the closest distance to the node among gateways existing on the cloud network.

According to an embodiment, when the gateway forwards the data packet to the destination network through the tunnel, the gateway records the data packet size transmitted for updating the charging table and measuring the usage of the cloud network of the node in the data flow table. It can be configured to update to .

A server according to an embodiment disclosed in this document includes a communication circuit, a memory for storing a database, a processor operatively connected to the communication circuit, and a processor operatively connected to the communication circuit and the memory, , the processor receives, from a connection control application of a node, a first request requesting a network connection to a destination network of a target application stored in the node, wherein the first request includes identification information of a control flow and information of the destination network. including identification information -, based on the identification information of the control flow and the database, confirming whether the destination network is reachable, and if the destination network is accessible, generating a data flow including data packet inspection information, , when the data flow cannot be created or the authentication time of the created data flow expires and needs to be updated, a second request for network access is received from the access control application, and from the access control application, the destination In order to access the network, the type of node included in the control flow, the location information of the node, and information about the network in which the node is included are received, and the data capacity of the gateway among tunnels and gateways listed based on the information stores instructions for the node to transmit tunneling and gateway information capable of performing tunneling to the node according to If there is capacity, the node may be connected to the cloud network, and if there is no data capacity of the gateway, the node may be connected to a network other than the cloud network.

A method of operating a network access control system according to an embodiment disclosed in this document includes: detecting, in an access control application of a node, a network access event to a destination network; checking, through the access control application, whether a data flow and a tunnel corresponding to the destination network and authorized from an external server exist; and if the data flow and the tunnel exist, transmitting a data packet through the tunnel, wherein the tunnel is created between the node and the gateway based on information received from the external server, and The information received from the server includes, among one or more tunnels and gateways listed by the external server, when there is a data capacity that can be transmitted through the cloud network and transmittable through the data packet processing total amount management, or Alternatively, when there is no transmittable data capacity, tunnel and gateway information through which the node can tunnel to a network other than the cloud network may be included.

According to an embodiment, the method of operating a network access control system further includes measuring the network traffic capacity and the remaining amount based on the IP allocated by the server, and measuring the network traffic capacity and the remaining amount based on the IP address allocated by the server The step of confirming the gateway to which the IP address is assigned; collecting capacity processed through the cloud network; collecting capacity processed through a network other than the cloud network; measuring a traffic capacity processed in a section between the node and the gateway; calculating and updating the traffic and cost in the section based on the source IP address and the destination IP address; inquiring a cost in the cloud network; and calculating total traffic and a residual amount based on the measured capacities.

According to the embodiments disclosed in this document, it provides an environment in which terminals distributed by region can quickly access through a distributed gateway environment based on a cloud network rather than a dedicated line in order to access a centralized destination network, and in particular, data flow access By providing a control-based access environment, an environment in which a network can be safely accessed from anywhere can be provided.

Furthermore, by distributing edge gateways to cloud operators with high network processing performance by region and connecting the corresponding terminals, the variation in regional network processing performance of a single cloud operator can be reduced, and edge gateways can be deployed by selecting cost-effective cloud operators. Because of this, the cost can be reduced.

In particular, in the case of leased lines, since there are different operators in each region, a network bandwidth-based contract must be performed for each operator. There is a problem that cannot be done, and unlike the high initial cost, when using a cloud network-based pay-as-you-go distributed gateway environment as in the embodiment disclosed in this document, anytime, anywhere, quickly and easily, pay-as-you-go rates Payment is possible, and because there is no limit to the bandwidth due to the nature of the cloud network, the network can be expanded according to the size of use.

In addition, when using a cloud network, there is a problem of having to pay a higher cost than a dedicated line when a certain data packet throughput is exceeded. Because it can induce network access but maintain the security level based on data flow, it is possible to use a cost-effective cloud network at all times.

Furthermore, since the billing can be made by integrating the network usage fees for each section of various cloud providers, it is possible to solve the complex billing problem that occurs when contracting each cloud or dedicated line.

In addition, various effects directly or indirectly identified through this document may be provided.

1 shows an environment including a plurality of networks.
2 illustrates an architecture within a network environment in accordance with various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments of the present disclosure;
4 illustrates a functional block diagram of a node in accordance with various embodiments.
5 may explain an operation of blocking a network connection according to various embodiments of the present disclosure.
6 shows a signal flow diagram for controller connection.
7 shows a user interface screen for connecting to a controller.
8 illustrates a signal flow diagram for user authentication according to various embodiments of the present disclosure.
9 shows a signal flow diagram for processing a network connection.
10 shows a signal flow diagram for processing a tunnel creation request.
11 shows a flowchart for forwarding a data packet according to various embodiments.
12 is a flowchart illustrating a data flow table synchronization of a gateway according to various embodiments of the present disclosure;
13 is a flowchart for releasing a tunnel according to various embodiments.
14 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;
15 illustrates a signal flow diagram for disconnecting a controller according to various embodiments of the present disclosure;
16 illustrates a user interface screen for releasing a network connection according to various embodiments of the present disclosure.
17 illustrates a signal flow diagram for charging and tunnel policy confirmation according to various embodiments of the present disclosure.
18 is a signal flow diagram for rate information synchronization according to various embodiments of the present disclosure.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that various modifications, equivalents, and/or alternatives of the embodiments of the present invention are included.

In this document, the singular form of a noun corresponding to an item may include one or a plurality of items, unless the context clearly indicates otherwise. As used herein, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A; Each of the phrases such as "at least one of B, or C" may include any one of, or all possible combinations of, items listed together in the corresponding one of the phrases. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish the element from other elements in question, and may refer to elements in other aspects (e.g., importance or order) is not limited. It is said that one (eg, first) component is "coupled" or "connected" to another (eg, second) component, with or without the terms "functionally" or "communicatively". Where referenced, it may mean that one component can be connected to the other component directly (eg, by wire), wirelessly, or through a third component.

Each component (eg, a module or a program) of components described in this document may include a singular or a plurality of entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or a program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, or omitted. or one or more other operations may be added.

As used herein, the term “module” may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit. A module may be an integrally formed part or a minimum unit or a part of the part that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or an application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one of the one or more instructions stored from the storage medium and execute it. This may enable the device to be operated to perform at least one function according to the called at least one command. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not include a signal (eg, electromagnetic wave), and this term is used in cases where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided by being included in a computer program product. Computer program products may be traded between sellers and buyers as commodities. The computer program product is distributed in the form of a machine-readable storage medium (eg compact disc read only memory (CD-ROM)), or via an application store or between two user devices (eg smartphones). It can be distributed directly or online (eg, downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be temporarily stored or temporarily created in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a relay server.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101 . 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device. , or a home appliance, and is not limited to the above-described devices. For example, the source node 101 may include a server or gateway capable of sending data packets through an application. The source node 101 may also be referred to as an 'electronic device' or a 'terminal'. On the other hand, the destination node 102 may include the same and similar device as the above-described origin node 101 .

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20 . The source node 101 may transmit data to the destination node 102 through the gateway 103 and the tunnel 105 .

When the access of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, so that the source node 101 is malicious. ) can be exposed from program attack. For example, the source node 101 is a trusted and/or secure application, such as an Internet web browser 110a, business application 110b, as well as malicious code 110c, infected (infected) ) may receive data from an untrusted or unsecured application, such as business application 110d.

The source node 101 infected with the malicious program may attempt to access and/or transmit data to the second network 20 . When the second network 20 is formed based on IP such as VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and the application in the OSI layer It may be vulnerable to security layer or transport layer. In addition, if the source node 101 includes a malicious application after the tunnel has already been created, the data of the malicious application is transmitted to another electronic device (eg, the destination node 102 ) in the second network 20 . can

2 illustrates an architecture within a network environment in accordance with various embodiments.

Referring to FIG. 2 , the number of the node 201 , the gateway 203 , and the destination node 204 is not limited to the number illustrated in FIG. 2 . For example, the node 201 (or terminal) may transmit data to a plurality of destination nodes through a plurality of gateways, and the controller 202 may manage a plurality of source nodes, gateways, and destination nodes. On the other hand, some terminals 201-3 may transmit data without going through some core gateways 203-2, and some terminals 201-4 may transmit data to an edge gateway 203-1 and some core gateways 203- Data can be transmitted without going through 2). The node 201 or the terminals 201-1, 201-2, 201-3, and 201-4 may perform the same and similar functions as the source node 101 shown in FIG. 1, and the edge gateway 203-1 ) and the core gateways 203-2 and 203-3 may perform the same and similar functions as the gateway 103 shown in FIG. 1, and the destination node 204 is connected to the destination node 102 shown in FIG. The same can perform similar functions.

Node 201 includes terminal 201-1 in area A, terminal 201-2 in area B, terminal 201-3 in area C, and terminal 201-4 in area C. may include Node 201 may include a connection control application and a network driver for all network access control for applications within node 201 . When a network connection occurs, the node 201 checks whether access is possible from the controller 202, and only when the connection is possible, through the data flow information generated by the controller 202, to the gateway 203 existing at the boundary of the connection target network. Data packets can be transmitted. Tunnel and data flow-based connectivity control technology provides a structure in which communication is possible only when a tunnel 210 and a data flow authorized by the controller 202 exist for the node 201 to access the target network, and the tunnel and when the data flow does not exist, the node 201 may provide a structure in which communication cannot be performed.

According to various embodiments described in this document, the node 201 may include a connection control application (not shown) and a network driver (not shown) for managing network connections of applications stored in the node 201 . For example, the access control application may control transmission of data packets through a network driver and a kernel including an operating system in the node 201 .

The controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within the network environment by managing data transmission between the node 201 , the gateway 203 , and the destination node 204 . The controller 202 controls the network access of the node 201, checks whether the tunnel 210 is created between the gateway 203 and the gateway 203, and responds to the security event received from each node 201 and the gateway 203. It is possible to maintain a secure network state at all times, such as removing the generated data flow and isolating the terminal through a blacklist. For example, the controller 202 manages the connection of the node 201 to the destination node 204 through policy information or blacklist information, or an authorized tunnel 210 between the node 201 and the gateway 203 . ) may be created, or the tunnel 210 may be removed according to a security event collected from the node 201 or the gateway 203 . The node 201 can communicate with the destination node 204 only through the tunnel 210 authorized by the controller 202, and if the authorized tunnel 210 does not exist, the terminal 2014 returns to the destination node 204. access may be blocked. According to an embodiment, the controller 202 transmits and receives control data packets to and from the node 201 to perform various operations (eg, registration, approval, authentication, update, termination, etc.) associated with the network connection of the node 201 . can do. In addition, the controller 202 transmits control data packets with the destination node 204 to perform various operations (eg, register, approve, authenticate, update, terminate, etc.) associated with network access and network reception of the destination node 204 . can transmit and receive. A flow in which a control data packet is transmitted may be referred to as a control flow. Meanwhile, the controller 202 may include a server or an external server. The controller 202 optimizes the access environment of the node 201 based on the charging policy and the charging table at various stages such as controller connection, user authentication, control flow update, and tunnel connection release and at any time (eg, at a certain time) based on the charging table. It is possible to perform tunneling-based connection with the edge gateway and periodically check whether or not to continue using the cloud network. If the cloud network cannot be used due to the billing policy, the tunneling with the corresponding edge gateway 203-1 is released, and the connection with the edge gateway existing in the destination network is performed through the general network. A screen for access may be displayed (eg, (e) of FIG. 7). The controller 202 may be coupled to the cloud service 206 .

The gateway 203 may include an edge gateway 203 - 1 , a core gateway 203 - 2 , and a core gateway 203 - 3 (which serves as an edge gateway). The gateway 203 checks the 5 tuples information (protocol, source IP, source port, destination IP, destination port information) among the data packets received through the authorized tunnel 210 among the received data packets to determine the source IP and destination IP, When data flow information corresponding to destination port information exists, forwarding may be performed to the destination node 204 . The number of edge gateways 203 - 1 and core gateways 203 - 2 and 203 - 3 is not limited to the number shown in FIG. 2 .

The edge gateway 203-1 provides the type of terminal to be supported for each region and coverage, the average distance, the number and processing capacity of terminals to be processed, the tunneling type and load distribution according to the network situation, and the network connection type (wireless network, WIFI, wired network, etc.), and may be deployed in a cloud network in consideration of factors for high availability.

Each edge gateway 203-1 is directly connected to the destination node 204 according to the cloud network environment, or through a core gateway 203-2 existing at the boundary of the destination node 204, the terminal and the destination node 204. By providing a way to connect the node 201 through an efficient routing path on the cloud network and a dedicated network between the edge gateway 203-1 and the core gateway 203-2 or the destination node 204, the network and regional boundaries It is possible to solve the problem of network performance degradation that may occur according to various situations such as

Also, the edge gateway 203 - 1 may exist in the cloud network, which is a charging section, and may exist in a general network section, which is a non-charged section.

The node 201 controlled by the controller 202 creates a control flow (a kind of session and control data packet flow) with the controller 202 and controls it in a centralized manner such as node 201 and user authentication, network connection request, etc. In the path of the control flow, the node 201 and the controller 202 may communicate directly without going through the edge gateway 203 - 1 or may communicate through the edge gateway 203 - 1 .

3 is a functional block diagram illustrating a database stored in a controller (eg, controller 202 of FIG. 2 ) in accordance with various embodiments. 3 shows only the memory 330 , the controller is an external electronic device (eg, terminals 201-1, 201-2, 201-3, 201-4 in FIG. 2 ), gateway 203 or destination node 204 . )) and a communication circuit for performing communication (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller may be further included.

Referring to FIG. 3 , the controller may store databases 311 to 317 for controlling network access and data transmission in the memory 330 .

The access policy database 311 may include information on networks and/or services to which the identified network, terminal, destination node, user, or application can access. For example, when a connection to the destination node 204 is requested from the node 201, the controller 202 identifies a network (eg, a network to which the terminal belongs) based on the access policy database 311, the node ( 201 ), a user (eg, a user of node 201 ), and/or an application (eg, an application included in node 201 ) may determine whether the destination node 204 is reachable. In an embodiment, the access policy database 311 may include data packet inspection information. For example, the data packet inspection information may indicate whether data packet inspection is required and include a rule database. Here, the rule database includes a data packet inspection method (eg, single data packet inspection, multiple data packet inspection), a pattern to be applied when inspecting a data packet, a location to be applied when inspecting a data packet, and a processing method after inspection (eg, blocking data packets, data packet replacement and data packet copying).

The tunnel policy database 312 stores the type of tunnel to be connected to the gateway existing at the boundary between the terminal and the network on the connection path, encryption method, and encryption level information, the location of the terminal, network type information, the status of the gateway, etc. It may include gateway information that can be accessed preferentially according to various environmental factors. For example, when a connection to the destination node 204 is requested from the node 201 , the controller 202 determines an optimal tunnel for accessing the destination node 204 based on the tunnel policy database 312 and the related information may be provided to the terminal.

The blacklist policy database 313 may include a policy for permanently or temporarily blocking access of a specific node (eg, node 201 or destination node 204 ). The policy of the blacklist policy database 313 is identified through risk level, occurrence period, and/or behavior analysis of security events among security events periodically collected from node 201 , destination node 204 or gateway 203 . information (eg, at least one of a terminal identifier (ID), an IP address, a media access control (MAC) address, or a user ID) may be generated.

The blacklist database 314 may include a list of at least one of a terminal, a destination node, an IP address, a MAC address, and a user blocked by the blacklist policy database 313 . For example, if the identification information of the node 201 requesting access to the destination node 204 is included in the blacklist database 314, the controller 202 isolates the terminal from the destination node by rejecting the access request of the terminal. can do it

The control flow table 315 is a session for managing the flow (eg, control flow) of control data packets generated between a node (eg, node 201 or destination node 204 ) and the controller 202 . This is an example of a table. When the node 201 successfully connects to the controller 202 , control flow information and identification information for control flow identification may be generated by the controller 202 . The control flow information may include at least one of identification information of the control flow, an IP address each identified when accessing and authenticating a controller, a node ID (terminal ID), and a user ID. For example, when access to the destination node is requested from the terminal, the controller 202 searches for control flow information through the control flow identification information received from the node 201, and an IP address included in the retrieved control flow information; By mapping at least one of the terminal ID and the user ID to the access policy database 311, it is possible to determine whether the terminal can access and whether to generate a data flow.

According to one embodiment, the control flow may have an expiration time. The node (eg, the node 201 or the destination node 204 ) must update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate access blocking is necessary according to a security event collected from the terminal or gateway, or in response to the terminal's request to terminate the access, the controller 201 may remove the control flow. When the control flow is removed, all of the previously generated data flows are recovered, so that all connections of the terminal may be blocked.

The tunnel table 316 is a table for managing a tunnel connected between the terminal and the gateway, and the gateway and the gateway (eg, the edge gateway 203 - 1 and the core gateway 203 ). The tunnel may be created, for example, in units of devices or IPs. For example, the tunnel table 316 is a table for managing a tunnel connected between the node 201 and the gateway 203 and the gateway 203-1 and the gateway 203-2. When a valid tunnel exists , tunnel table 316 includes tunnel identification information (tunnel ID) for managing and identifying a tunnel, control flow identification information for control between the gateway 203 and the controller 202 (control flow ID), and a tunnel endpoint ( tunnel end point (TEP), tunnel start point (TSP), tunnel algorithm, tunnel type, and/or additional information for managing the tunnel may be included.

The data flow table 317 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between a terminal and a gateway, and a TCP session within a tunnel created in units of terminals or IPs, application of a source terminal , or you can manage data flow in more granular units. The data flow table 317 includes data flow identification information, dependent control flow identification information when a data flow is dependent on a control flow, an application ID for identifying whether the data packet transmitted from the terminal is an authorized data packet, a source IP address, destination IP address, and/or service port. Also, the data flow table 317 may include identification information of a tunnel through which the data flow is to be used. Also, the data flow table 317 may include a header (or header information) for determining whether a data packet is valid. In addition, the data flow table 317 may further include whether a data flow header, which is authentication information, is inserted into the data packet, an insertion method of the header, whether or not authentication of the data flow is required, an authentication state, and/or an authentication expiration time. . Also, the data flow table 317 may include terminal information (eg, source IP) of the destination node, service port information, and receivable application information. In one embodiment, the data flow table 317 may include data packet inspection information. For example, the data packet inspection information may indicate whether data packet inspection is required and may include a rule database. Here, the rule database includes a data packet inspection method (eg, single data packet inspection, multiple data packet inspection), a pattern to be applied when inspecting a data packet, a location to be applied when inspecting a data packet, and a processing method after inspection (eg, blocking data packets, data packet replacement and data packet copying). Also, the data flow table 317 may include data packet forwarding information for tracking how many data packets are transmitted using the data flow.

The charging policy database 318 includes regional edge gateways that the node 201 can access (“region A”, “region B”, and “region C” in 203-1 of FIG. 2) and the cloud provider to which the corresponding edge gateway is deployed. Information, the total amount of data packets that can be used when using the cloud network through the gateway, and policy settings to use the remaining amount of data packets in other regions when the total amount of data packets are used When the total amount is exceeded, policy information such as general network switching may be included.

The billing table 319 periodically updates and manages the total amount of data packets that each gateway-connected terminal transmits to the destination network using the cloud network and billing information, so that the total amount of data packets that can be used for each region according to the billing policy. and can be used as information for deciding whether to switch to a general network or perform additional billing based on the billing policy based on the data. An exemplary embodiment of the charging table 319 is as follows.

When the data packet is forwarded, the gateway 203 may update the data flow table 317 with the data packet size transmitted for updating the charging table 319 and continuously measuring the cloud network usage of the node 201 .

Also, the data flow table structure included in the controller 202 may be equally applied to the node 201 and the gateway 203 .

4 illustrates a functional block diagram of a node (eg, node 201 and destination node 204 in FIG. 2 ) in accordance with various embodiments.

Referring to FIG. 4 , a node (eg, node 201 ) may include a processor 410 , a memory 420 , and a communication circuit 430 . According to an embodiment, the node may further include a display 440 to interface with the user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include one processor core or a plurality of processor cores. For example, the processor 410 may include a multi-core such as a dual-core, a quad-core, or a hexa-core. According to embodiments, the processor 410 may further include a cache memory located internally or externally. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, and a graphical processing unit (GPU).

All or part of the processor 410 is electrically or operatively coupled to other components within the node (eg, memory 420 , communication circuitry 430 , or display 440 ). It can be coupled with or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process a message, data, command, or signal received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, instruction, or signal based on the received message, data, instruction, or signal. The processor 410 may provide the processed or generated message, data, instruction, or signal to the memory 420 , the communication circuitry 430 , or the display 440 .

The processor 410 may process data or signals generated or generated in a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may write (or store) or update instructions, data, or signals to the memory 420 to execute or control a program.

The memory 420 may store a command for controlling a node, a control command code, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS) (eg, Microsoft Windows, Google Android, Apple iOS, MacOS, etc.), middleware, or a device driver. may contain one.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). may include The nonvolatile memory may include a read only memory (ROM), a programmable ROM (PROM), an electrically programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), a flash memory, and the like. The memory 420 includes a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), and a universal flash storage (UFS). may include more.

According to an embodiment, the memory 420 may store some of information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the tunnel table 316 , the data flow table 317 , the charging policy 318 , and the charging table 319 described in FIG. 3 .

Communication circuit 430 establishes, and establishes, a wired or wireless communication connection between a node (eg, node 201 in FIG. 2 ) and an external electronic device (eg, controller 202 or gateway 203 in FIG. 2 ) It can support performing communication through the established connection. According to one embodiment, communication circuitry 430 may include wireless communication circuitry (eg, cellular communication circuitry, near field communication circuitry, or global navigation satellite system (GNSS) communication circuitry) or wired communication circuitry (eg, local area network (LAN) circuitry). ) communication circuit, or power line communication circuit), and using the corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct or IrDA (infrared data association) or a cellular network, Internet, or long-distance communication such as a computer network It can communicate with an external electronic device through a network. The above-described various types of communication circuits 430 may be implemented as a single chip or as separate chips.

The display 440 may visually output content, data, or a signal. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being coupled with a plurality of touch sensors (not shown) capable of receiving a touch input or the like. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

Meanwhile, the server (eg, the controller 202 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410 , the memory 420 , and the communication circuit 430 included in the server may be substantially the same as the above-described processor 410 , the memory 420 , and the communication circuit 430 .

5 may explain an operation of blocking a network connection according to various embodiments of the present disclosure.

According to an embodiment, it is blocked at the kernel end of the network driver and the operating system, so that no data packet except for the access control application 211 may be transmitted to the network (access blocked in the access control application).

According to an embodiment, in the case of an unmanaged terminal in which the access control application 211 is not installed among the terminals 210 existing in the network, the network access application may transmit an unauthorized data packet to the network, but at the network boundary. Because the existing gateway (eg, the edge gateway 203-1) blocks all data packets for which the authorized tunnel and data flow do not exist, the terminal's data packet, particularly the data packet for TCP session creation, is actually blocked. It can be (blocking access at the gateway due to non-existence of the tunnel).

As such, when the access in the access control application 211 is blocked or when the access is blocked at the gateway due to the non-existence of the tunnel, the node 201 is the target network (eg, the destination node 204 cannot be reached). , that is, it can be in an isolated state.

6 to 7 may explain an operation for connecting a controller according to various embodiments of the present disclosure. 6 shows a signal flow diagram for controller connection, and FIG. 7 shows a user interface screen for controller connection.

Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 sends the controller 202 a control flow (control data packet flow and serial Session of the node 201 can be attempted to access the controller by requesting creation of the Also, the access control application 211 may include the access control application 211 in FIG. 2 .

Referring to FIG. 6 , in operation 605 , the node 201 may detect a controller access event. For example, the node 201 may detect that the access control application 211 is installed and executed in the node 201 , and that access to the controller 202 is requested through the access control application 211 .

For example, referring to FIG. 7 , when the access control application 211 is executed, the node 201 may display a user interface screen 710 for receiving information necessary for accessing the controller. The user interface screen 710 includes an input window 711 for inputting an IP or domain of the controller 202, an input window 712 for inputting a user ID, an input window 713 for inputting a password, and / Alternatively, it may include an input window 714 for inputting a connection location. After information on the input windows 711 to 714 is input, the node 201 may detect a controller access event by receiving a button 715 for an authenticated user's controller access. For another example, if user authentication of the node 201 is not yet completed, the node 201 detects a controller access event by receiving a button 716 for controller access of an unauthorized user (ie, a guest). can do.

In operation 610 , the node 201 may request a controller connection from the controller 202 in response to detecting the controller connection event. The node 201 may request a controller connection through the access control application 211 . According to one embodiment, the access control application 211 is the identification information (eg, terminal ID, IP address, MAC address) of the node 201, the type of the node 201, location information, environment, the node 201 Identification information of the included network, and/or identification information of the access control application 211 , and basic area information selected by the user may be transmitted to the controller 202 .

In operation 615 , the controller 202 may identify whether the node 201 is reachable in response to the received request. According to an embodiment, the controller 202 may check whether the node 201 is accessible based on a database included in the memory of the controller 202 (eg, the memory 330 of FIG. 3 ). The controller 202 determines whether the information received from the access control application 211 is included in the access policy database, and identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database. It can be checked whether the node 201 is accessible or not based on whether or not. For example, the controller 202 accesses information requested by the access control application 211 (type of the terminal, location information, environment and network including the terminal, access control application information, basic area information selected by the user, etc.) It is possible to check whether the access of the node 201 is possible based on whether the state is accessible by the policy and/or whether the terminal and network identification information (terminal ID, IP, MAC address, etc.) is included in the blacklist database. there is.

If node 201 is reachable, in operation 620 , controller 202 may create a control flow between node 201 and controller 202 . In this case, the controller 202 generates control flow identification information in the form of a random number, and uses the node 201 and/or identification information of the network to which the node 201 belongs (eg, terminal ID, IP address, MAC address, etc.) It can be stored in the control flow table. Information stored in the control flow table (eg, control flow identification information and/or control flow information) may include: user authentication of the node 201 , updating information of the node 201 , checking a policy for network access of the node 201 , and / or can be used for validation.

If the node 201 is unreachable or included in the blacklist, the controller 202 does not generate a control flow in operation 615 and transmits a response indicating that the node 201 is unable to connect to the controller to the node 201 . can If the terminal is in an unreachable state, the access control application may display an access unavailable message and reason on the screen.

In operation 625, in the access policy and tunnel policy matched with the identified information (terminal, source network information, etc.), the controller 202 determines a destination network (destination node) information that the currently connected node 201 can basically connect to. can be checked to see if it exists.

In operation 625, if access is possible, information such as the type of terminal included in the control flow, location information, environment, and the network including the terminal and the controller 202 in order for the node 201 to access the destination network List the tunneling types and gateways that the terminal can connect to through the IP address of the terminal identified through the terminal and the IP address of the terminal identified from the terminal, and check the status (throughput, failure) of the listed gateways. It is possible to identify one tunnel and one gateway optimized for the corresponding terminal from among the gateways. The gateway 203 may be an edge gateway 203 - 1 .

In operation 630, a charging and tunnel policy check procedure may be performed, and the result may be transmitted.

In operation 635 , if a tunnel and a gateway accessible to the node 201 exist, the controller 202 transmits to the gateway 203 authentication and a series of information for the terminal to create a tunnel to the node 201 . and registers the corresponding tunnel creation information in the tunnel table 316 , and transmits the corresponding tunnel creation information to the gateway 203 . In operation 640 , the gateway 203 (edge gateway 203 - 1 ) may receive a tunnel creation request from the controller 202 .

In addition, when the corresponding gateway 203 can perform the control flow related processing of the node 201 , the corresponding node 201 requests a control flow related processing to the corresponding gateway 203 (control flow) IP address and port information of the gateway for processing, whether the control flow is distributed processing, a list of commands that can be processed by the gateway, etc.) of information (such as control flow information for the corresponding terminal) may be transmitted.

If there are tunnels and gateways accessible to the node 201, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the terminal.

In operation 645 , the node 201 may process the connection request result value received from the controller 202 . If the connection is not possible, the execution of the access control application may be stopped and terminated, or a related error message may be displayed. According to an embodiment, upon receiving a response indicating that the connection to the node 201 is impossible, the node 201 may output a user interface screen indicating that the gateway connection is impossible to the user. For example, referring to FIG. 7 , the node 201 may display the user interface screen 720 through the access control application 211 . The user interface screen 720 indicates that there is no accessable gateway at the corresponding location of the node 201 in (b) of FIG. 7 ( 717 ), and attempts to access again after 30 seconds in (c) of FIG. It may include a user interface indicating that (718), in FIG. 7(d), that the connection to the gateway is terminated and an attempt is made to access another gateway (719).

In operation 650 , when tunnel creation is required, the node 201 may make a tunnel creation request to the gateway 203 . In operation 635 , when the tunnel 210 and the gateway 203 accessible to the node 201 exist, the node 201 may create the tunnel 210 in the gateway 203 received from the controller 202 . Using the existing authentication and a set of information, a tunnel creation request can be made, and in operation 640 , the gateway 203 (edge gateway 203-1) uses the corresponding tunnel creation received from the controller 202 to transmit the node 201 ), the requested tunnel can be created.

8 illustrates a signal flow diagram for user authentication according to various embodiments of the present disclosure.

In order for the node 201 to be granted detailed access to the destination network, the access control application 211 of the node 201 (eg, the access control application 211 in FIG. 2 ) is transmitted from the controller 202 to the node 201 ) of the user can be authenticated. The access control application 211 may perform user authentication in order to be granted detailed access rights to the network, and may transmit user ID and password or authentication information by a reinforced authentication method.

Referring to FIG. 8 , in operation 805 , the source node 201 may receive an input for user authentication. The input for user authentication may be, for example, a user input inputting a user ID and password. As another example, the input for user authentication may be a user input (eg, biometric information, fingerprint, iris, etc.) for more enhanced authentication.

In operation 810 , the source node 201 may request user authentication from the controller 202 . For example, the access control application 211 may transmit input information for user authentication to the controller 202 . If the control flow between the source node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with the control flow identification information.

In operation 815 , the controller 202 may authenticate the user based on the information received from the node 201 . For example, the controller 202 may include a user ID, password, and/or enhanced authentication information included in the received information, and a database (eg, the access policy database of FIG. 3 ) included in the memory of the controller 202 . Based on 311 or the blacklist database 314), it is possible to check whether the user is blocked by checking whether the user is an accessible user and whether the user is included in the blacklist.

In case of an accessible user, in operation 820, a control flow is searched for in the control flow table using the transmitted control flow identification information (control flow ID), and user identification information (user ID) is added to the searched control flow identification information. can be added For example, if the user is authenticated, the controller 202 may add the user's identification information (eg, user ID) to the control flow identification information, and the added user identification information may include the authenticated user's controller access or network access. can be used for The controller 202 may return an authentication completion status and access policy information of the authenticated user as a result of user authentication.

In operation 825, the controller 202 determines whether there is destination network information that the currently connected terminal can basically connect to in the access and tunnel policy matched with the identified information (eg, terminal, source network information, user ID, etc.) can be checked

In operation 830, a charging and tunnel policy check procedure may be performed, and the result may be transmitted. When access is possible, information such as the type of terminal included in the control flow, location information, environment, and the network including the terminal and the controller ( Tunneling types and gateways 203 that the node 201 can connect to are listed through the IP address of the terminal identified through 202 and the IP address of the terminal identified in the terminal, and the status (throughput) of the listed gateways , failure), one of the tunnels and gateways optimized for the terminal can be identified from among the listed gateways.

According to an embodiment, when the tunnel 210 and the gateway 203 accessible to the terminal 209 exist, the controller 202 determines that the node 201 creates the tunnel 210 in the gateway 203 . Possible authentication and a series of information may be transmitted to the node 201 , the corresponding tunnel creation information may be registered in the tunnel table 316 , and the corresponding tunnel creation information may be transmitted to the gateway 203 .

If there are tunnels and gateways accessible to the terminal, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the terminal.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, when the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 820, the controller 202 transmits information indicating that user authentication is impossible to the source node 201, and in operation 825, the source node 201 displays a user interface screen indicating that user authentication has failed. It can be output through

9 may explain an operation of controlling a network connection according to various embodiments of the present disclosure. 9 shows a signal flow diagram for processing a network connection.

After the node 201 is authorized from the controller 202, the source node 201 trusts by controlling the network connections of other applications stored in the source node 201 through the connection control application 211 of the node 201. data transmission can be guaranteed.

Referring to FIG. 9 , in operation 905 , the access control application 211 may detect a network access event. For example, the access control application 211 may detect that a target application, such as a web browser, is attempting to connect to a destination network including the destination node 204, such as the Internet. For example, the user may launch a web browser and input and call a web address to access.

In operation 910, when the access control application needs to communicate with the service server, it may check whether data flow information exists based on application identification information, destination IP, and port information to communicate with the service server. Data packets can be transmitted when tunnels and data flows exist. If a data flow exists but is not valid (eg, a data packet transmission disabled state), the data packet may be dropped (DROP).

In operation 915, if the data packet does not exist, the authentication time expires, and the update is required, and if the data flow needs to be updated due to other matters (eg, when network access fails), according to the validation policy A validation procedure can be performed. The validation check may include a check on the integrity and safety of the access application (eg, whether the application is forged or tampered with, a code signing check, a fingerprint check, etc.).

In operation 920, the access control application 211 is based on the control flow identification information and application identification information for identifying the control flow generated with the controller 202 before the network access event, and the destination IP and port information of the server to be accessed. You can check the target to perform the network connection request with.

In operation 925, the controller 202 includes the identification information (application, destination IP, service port information, etc.) that has requested access in the access policy matched with the information identified on the control flow (terminal, user, source network information, etc.) It can be checked whether or not it is possible to connect to the gateway 203 existing between the destination server mapped with the corresponding identification information and the network boundary. If the connection is not possible, the controller 202 may transmit a connection failure result to the node 201 .

If access is possible, the gateway where the terminal is located is checked in the tunnel policy to allow access of the terminal connected to the network, and a tunnel is created between the gateway of the network boundary to which the terminal belongs and the gateway of the destination network to access. It can be checked whether or not the data flow is enabled, and it can be checked whether data flow information that can be accessed through the corresponding destination IP and port exists in the data flow table. If tunneling is created and there is no valid data flow information in the data flow table, data flow information is created based on the source IP, destination IP and port information to allow the access of the application, and the information is identified. Each can be transmitted to the gateway.

If accessible data flow information exists in the data flow table, the corresponding information may be transmitted to the terminal.

In operation 930, if access is possible, information such as the type of terminal included in the control flow, location information, environment, and the network including the terminal and the controller 202 in order for the node 201 to access the destination network Lists the tunneling types and gateways that the node 201 can connect to through the IP address of the terminal identified through the terminal and the IP address of the terminal identified in the terminal, and displays the status (throughput, failure, etc.) of the listed gateways. By checking, it is possible to identify a tunnel and a gateway optimized for the terminal from among the listed gateways.

If tunneling is created and there is no valid data flow information in the data flow table, data flow information is created based on the source IP address, destination IP address and port information to allow the application access, and the information Each can be transmitted to the identified gateway.

If accessible data flow information exists in the data flow table, the corresponding information may be transmitted to the terminal 202 .

If tunneling is not generated, the controller 202 may transmit a result of being unable to connect (connection failure) to the terminal.

In operation 935 , the gateway 203 may receive data flow information based on the source IP address, destination IP address, and port information to allow access of the corresponding application in operation 930 .

10 shows a signal flow diagram for processing a tunnel creation request.

In operation 1005 , the node 201 may detect a tunnel creation request event when tunnel creation is required. When creating a tunnel, the controller 202 does not receive detailed information (for example, information such as tunneling, gateway, and authentication) required for tunnel creation from the controller 202, and determines whether simple tunnel creation is required and the tunnel required to access the destination network. If only information for identification exists, a tunnel creation information request procedure may be performed to the controller 202 (operation 1010).

If detailed information required for tunnel creation exists, a tunnel creation request procedure may be performed (operation 1025).

In operation 1010 , the node 201 may request from the controller 202 a set of information required for tunnel creation including a gateway for tunnel creation and tunneling authentication.

In operation 1015 , when receiving a tunnel creation information request from the node 201 , charging and tunnel policy checking procedures may be performed, and the result may be transmitted to the node 201 and the edge gateway 203 - 1 . When access is possible, the terminal identified through the controller 202 and information such as the type of terminal included in the control flow, location information, environment, and the network including the terminal included in the control flow for the node 201 to access the destination network Lists the tunneling types and gateways that the terminal can connect to through the IP of the terminal and the terminal's IP identified in the terminal, and checks the status (throughput, failure) of the listed gateways to connect to the terminal from among the listed gateways. One optimized tunnel and one gateway can be identified.

If there is a tunnel and a gateway accessible to the terminal, the controller 202 transmits to the gateway 203 the authentication and a series of information for the node 201 to create the tunnel 210 to the node 201 . and registers the corresponding tunnel creation information in the tunnel table 316, and transmits the corresponding tunnel creation information to the gateway 203-1b (operation 1015-1).

If a tunnel and a gateway connectable to the node 201 exist, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the node 201 .

If, in response to a request for new tunnel creation information, the previously provided tunnel creation information to the terminal is invalid (eg, depending on the environment and network conditions of the terminal, it is impossible to access the gateway with the previously provided tunnel creation information. case, etc.), a request is made to delete the existing tunnel information so that tunnel creation cannot be performed using the corresponding tunnel creation information to the corresponding gateway 203-1a based on the tunnel information identified in the tunnel table 316 (operation 1015-2).

In operation 1020 , the node 201 may receive a tunnel creation information request result from the controller 202 . When gateway access is possible due to the existence of tunnel creation information, a tunnel creation request procedure can be performed. When gateway access is not possible due to the existence of tunnel creation information, a tunnel creation failure processing procedure is performed (operation 1040).

In operation 1030 , the node 201 may request the corresponding gateway to create a tunnel based on a series of information required for tunnel creation, such as a gateway for tunnel creation and tunneling authentication received from the controller.

If tunnel creation fails due to network conditions (gateway connection impossible) and terminal conditions (corresponding tunneling technology not supported, protocol incompatibility, etc.) and tunneling failure with other gateways, the tunnel failure handling procedure (operation 1040) can be performed. there is.

When tunnel creation is normally completed with the corresponding gateway, a tunnel creation completion processing procedure (operation 1035) is performed.

In operation 1035 , when the node 201 completes creation of the gateway 203 and the tunnel 210 , the node 201 transmits the tunnel creation completion information to the controller 202 , and the controller 202 receives the received tunnel creation completion information (terminal). The tunnel table 316 is updated (operation 1060) based on the IP or tunnel identification information assigned to can

In operation 1040, when the node 201 fails to create the tunnel 210 with the gateway 203, the node 201 requests a series of information required for tunnel creation from the controller 202, but transmits tunnel creation related information. If it is not received or there is no tunnel information that can be created, a process related to tunnel creation failure may be performed.

If the node 201 fails to create a tunnel with the gateway 203, a series of information related to tunnel creation (tunnel identification information or gateway identification information, etc.) information) may be transmitted to the controller 202 .

In operation 1045, a charging and tunnel policy check procedure may be performed, and the result may be transmitted to the node 201 and the edge gateway 203-1a. Based on the tunnel creation failure information transmitted by the terminal, previously registered in the tunnel table Identifies the tunnel and gateway information that is being created, and requests the corresponding gateway to remove the existing tunnel information so that tunnel creation cannot be made with the corresponding tunnel creation information based on the identified tunnel information.

If a tunnel 210 and a gateway 203 accessible to the node 201 exist, the controller 202 sends authentication and a series of information for the node 201 to create a tunnel to the gateway 203 and transmits a series of information for creating a tunnel to the corresponding gateway 210 to the node 201 .

If the corresponding tunnel creation information replaces the previously requested tunnel, the data flow information subordinate to the existing tunnel is changed to the updated tunnel, and the changed data flow information is transferred to the gateway (edge gateway 203-1a in FIG. 10). ) can be transmitted.

Also, the existing gateway (edge gateway 203 - 1b in FIG. 10 ) may request deletion of the previously created tunnel information (operation 1050 ).

If there are tunnels and gateways accessible to the node 201, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection is returned to the terminal (operation 1055).

In operation 1055 , the node 201 may receive a tunnel creation failure processing result from the controller 202 .

If new tunnel creation information exists, a tunnel creation request procedure may be performed (operation 1025).

11 shows a flowchart for forwarding a data packet according to various embodiments.

According to an embodiment, when the gateway 203 receives a data packet through an authorized tunnel (operation 1105), 5 Tuples of IP (Internet Protocol) information (protocol, source IP, source port, destination IP, destination port information) ), it may be checked whether a forwardable data flow exists in the data flow table based on the source IP, destination IP, and destination port information included in (operation 1110). If there is a data flow, the corresponding data packet may be forwarded (operation 1115). If there is no data flow, the corresponding data packet may be dropped (operation 1120). After forwarding the data packet, the gateway 203 may update the size of the data packet forwarded to the corresponding data flow (operation 1125 ).

12 is a flowchart illustrating a data flow table synchronization of a gateway according to various embodiments of the present disclosure;

In operation 1205 , the gateway 203 may detect a data flow table synchronization event.

In operation 1210 , in response to detecting the data flow table synchronization event, the gateway 203 transmits the data flow table information including the always forwarded data packet information to the controller 202 , so that the controller 202 transmits Data flow and billing tables can be updated based on the data flow table information.

In operation 1215 , the controller 202 may determine whether to maintain a path currently being used by each connected node 201 based on the charging policy 318 based on the updated charging table 319 .

If the route being used by each node 201 is a cloud network-based route and the route can no longer be used due to the charging policy, it is previously created in the gateway existing on the cloud network-based route set by the node 201 In order to delete the tunnel and data flow information, the tunnel table 316 and the data flow table 317 are deleted so that the corresponding gateway 203 and the node 201 cannot forward the data packet.

The controller 202 may transmit the updated tunnel table 316 and data flow table 317 to the gateway.

In operation 1220 , when it is necessary to remove the tunnel and data flow according to the updated tunnel table 316 and data flow table 317 , the gateway may remove the tunnel and data flow.

13 is a flowchart for releasing a tunnel according to various embodiments.

In operation 1305 , the access control application 211 may always monitor whether or not the tunnel connection is released and detect a tunnel release event.

In operation 1310, when the tunnel connection is released, a tunnel release request is performed to the controller 202, and upon request, information for identifying the released tunnel, for example, information including an IP assigned to the terminal or tunnel identification information may be transmitted. .

In operation 1315 , the controller 202 checks the received tunnel release information to check the corresponding tunnel identification information in the tunnel table 316 , and when it exists in the tunnel table 316 and if tunnel removal is required, the existing A tunnel removal request may be transmitted to the gateway 203-1b (edge gateway 203-1b in FIG. 13).

In operation 1315, the controller 202 terminates the corresponding tunnel connection release request depending on the network conditions of the terminal or gateway, or makes an existing tunnel connection release request to provide the terminal with an optimized tunnel according to a change in the access location, etc. In order to always maintain the connection between the 201 and the destination node 204, the connection and tunnel policy for creating a new tunnel may be checked.

In operation 1315 , the controller 202 checks the received tunnel release information to check the corresponding tunnel identification information in the tunnel table 316 , and when present in the tunnel table 316 and when tunnel removal is required, the gateway You can make a tunnel removal request to .

The controller 202 sends an existing tunnel connection release request in order to provide the node 201 with an optimized tunnel depending on whether the corresponding tunnel connection release request is terminated depending on the network conditions of the node 201 or gateway 203 or when the connection location changes to the node 201. In order to maintain a connection between the terminal and the destination network at all times, for example, a charging and tunnel policy check procedure for creating a new tunnel may be performed, and the result may be transmitted.

In operation 1320, the existing gateway may request deletion of previously created tunnel information.

If there are tunnels and gateways accessible to the terminal, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the terminal.

If access is not possible, the controller may transmit a result of being unable to connect to the terminal (operation 1330).

14 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;

The node 201 may receive the updated control flow from the controller 202 by updating the expiration time of the control flow every specified period. Also, the node 201 transmits data packet information to the controller 202 in units of a predetermined period, thereby confirming that the node 201 is operating normally. For example, the access control application 211 maintains control flow information, and the current terminal's network access status (change of connected network information, for example, handed over from WIFI to a mobile network, or changed from wireless to wired network) case, etc.) and environment information (such as location information of a terminal) to the controller to receive an optimized tunnel from the controller, a control flow update request may be requested based on the periodically assigned control flow ID.

Referring to FIG. 14 , in operation 1405 , the access control application 211 of the node 201 may detect a control flow update event. For example, the access control application 211 may detect a control flow update event at a specified period.

In operation 1410 , the access control application 211 may request the controller 202 to update the control flow. For example, the access control application 211 may transmit control flow identification information to the controller 202 .

In operation 1415 , the controller 202 may check whether a control flow exists in the control flow table 315 based on the control flow identification information requested by the terminal.

If the control flow does not exist (for example, in the case of disconnection by another security system, over the update time, disconnection due to self-risk detection, etc.), the connection of the node 201 is invalid, so connection is impossible information can be returned.

If the control flow exists, the update time may be updated, and charging and tunnel policy confirmation may be requested.

In operation 1420, the controller 202 may perform a charging and tunnel policy check procedure and transmit the result, based on the network connection state and environment information transmitted by the node 201, IP information of the terminal identified at the time of update, etc. to check whether an alternate tunnel is created.

In order for the node 201 to access the destination network in order to check whether an alternative tunnel is created or not, the type of terminal included in the control flow, location information, environment, and information such as the network including the terminal and the controller 202 are identified List the tunneling types and gateways that the terminal can connect to through the IP of the terminal identified in the terminal and the IP of the terminal identified in the terminal, check the status (throughput, failure) of the listed gateways, and select the corresponding gateway among the listed gateways. One tunnel and one gateway optimized for the terminal can be identified.

If an alternative tunnel and gateway exist in the terminal through the above process, the controller transmits to the gateway authentication and a series of information for the terminal to create a tunnel, and transmits the tunnel creation information to the tunnel table 316 and can transmit the tunnel creation information to the gateway.

If the corresponding tunnel creation information replaces the previously created tunnel, the data flow information subordinate to the existing tunnel is changed to the updated tunnel, and the changed data flow information may be transmitted to the gateway (operation 1430).

Also, the existing gateway may request deletion of previously created tunnel information (operation 1425).

If the result of the control flow update is that access is not possible, the application may be terminated or all network connections of the application may be blocked. If the control flow update result is normal, if the existing tunnel needs to be removed, a tunnel release procedure may be performed (operation 1425). If a new tunnel needs to be connected, a tunnel creation request procedure may be performed (operation 1430).

15 illustrates a signal flow diagram for disconnecting a controller according to various embodiments of the present disclosure; 16 illustrates a user interface screen for releasing a network connection according to various embodiments of the present disclosure.

Referring to FIG. 15 , in operation 1505 , the node 201 may request the controller 202 to release the connection. For example, the node 201 may transmit identification information of a control flow between the node 201 and the controller 202 to the controller 202 together with information requesting release of the network connection (operation 1510 ).

According to an embodiment, the node 201 may attempt to disconnect the network in response to a network connection disconnection event, such as a user's request, a restart of the node 201, or a request of the access control application 211 . For example, referring to FIG. 16 , the node 201 may receive a user input for selecting the connection termination button 1615 on the user interface screen 1610 output through the display. The node 201 may reconfirm the connection termination to the user by outputting the user interface screen 1620 including the pop-up window 1625 . As another example, the node 201 may directly perform operation 1505 without outputting the user interface screen 1620 .

In operation 1515 , the controller 202 may remove (or release) the control flow corresponding to the received identification information in response to the request of the node 201 .

In operation 1515 , the controller 202 may remove (or release, update) a tunnel that is dependent on the removed control flow. For example, there may be multiple tunnels subject to the control flow being removed. In this case, the controller 202 may remove (or release) all tunnels that depend on the control flow to be removed.

In operation 1520 , the controller 202 may request the gateway 203 to remove a tunnel dependent on the removed control flow.

In operation 1525 , the gateway 203 may remove the tunnel in response to the request of the controller 202 .

Through the above-described operation, the system including the destination node 204 can provide complete blocking and isolation from which data packets transmitted from the node 201 can no longer be received.

17 illustrates a signal flow diagram for charging and tunnel policy confirmation according to various embodiments of the present disclosure.

In operation 1705, in order for the corresponding node 201 to access the destination network, information such as the type, location information, environment, and network of the node 201 included in the control flow and the controller 202 Whether there is an accessible tunnel by listing the tunneling types and gateways that the node 201 can connect to through the IP of the node 201 identified through and the IP of the node 201 identified in the node 201, etc. can be checked.

If there is no connectable tunnel, a tunnel creation impossible process may be performed (operation 1760).

In operation 1710, if a tunnel exists, it may be checked whether a path through which a cloud network connection is possible among paths accessible to the node 201 through the tunnel exists.

In operation 1715, if there is a path accessible to the cloud network, it may be checked whether a cloud network use contract exists based on the billing policy.

In operation 1720, if there is a cloud network use contract, it may be checked whether available traffic exists based on a charging policy and a charging table. Usable traffic refers to traffic that can be used by the node 201 connected to the region, and when the limit cannot be exceeded by the billing table 219 because the usage limit is set or the usage limit is set for unlimited traffic. , refers to cases in which additional usage limit can be used in the form of sharing traffic in other regions even though the limit of traffic that can be used in the relevant region has been exceeded.

In operation 1740, if the cloud network is available, a cloud network reference tunnel path (the node 201 is connected to the node 201 existing on the cloud network and the edge gateway 203 - 1 located closest to it) is set and transmit a series of information for tunnel creation to the node 201 and the gateway 203 .

If the cloud network cannot be used according to the procedures of operations 1710, 1715, and 1720, a general network standard tunnel establishment procedure may be performed.

In operation 1725 , when the cloud network connection is not possible among the paths accessible to the node 201 , it may be checked whether tunnel information through which the node 201 has previously accessed the cloud network exists.

In operation 1730, if tunnel information accessing the cloud network exists, existing tunnel and data flow information may be deleted.

In operation 1750, if there is no tunnel information connected to the cloud network, a general network standard tunnel path (the node 201 is directly connected to a gateway that serves as a core and an edge in the destination network) is established and the tunnel is established. A set of information for generation may be transmitted to the node 201 and the gateway.

18 is a signal flow diagram for rate information synchronization according to various embodiments of the present disclosure.

The controller 202 periodically accesses the cloud service 206 and receives and updates the gateway arranged in the cloud network and the data packet forwarding unit price for each section relayed by the gateway from the cloud service, and calculates the billing table 319 in real time. In addition to the contract data packet, a method for calculating the fee by converting the contract amount into a contract amount may be provided (operations 1805, 1810, and 1815).

The above description is merely illustrative of the technical idea disclosed in this document, and those of ordinary skill in the art to which the embodiments disclosed in this document belong are not departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are for explanation rather than limiting the technical ideas disclosed in this document, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The protection scope of the technical idea disclosed in this document should be interpreted by the following claims, and all technical ideas within the equivalent range should be interpreted as being included in the scope of the present document.

Claims (8)

In the node,
communication circuit;
a processor operatively coupled to the communication circuitry; and
a memory operatively coupled to the processor and configured to store a connection control application, wherein the memory, when executed by the processor, causes the node to:
Through the access control application, to detect a network access event to the destination network,
Through the access control application, it is confirmed that there is a data flow and a tunnel corresponding to the destination network and authorized from an external server,
If the data flow and tunnel exist, transmit a data packet through the tunnel;
The tunnel is created between the node and the gateway based on information received from the external server,
The information received from the external server includes, among one or more tunnels and gateways listed by the external server, if there is a data capacity that can be transmitted through the data packet processing amount management while connected to the cloud network, the corresponding tunnel and gateway information or, when there is no transmittable data capacity, the node includes tunnel and gateway information through which the node can perform tunneling to a network other than the cloud network. The method of claim 1,
When the data capacity of the gateway exceeds the total data capacity transmittable through the data packet processing total amount management while the node is connected through the cloud network, the external server removes the tunnel with the gateway, but and create a new tunnel between the node and the non-cloud network to switch to the non-cloud network to maintain a connection between the destination networks. 3. The method of claim 2,
Connecting the node to the cloud network comprises:
Checking whether a path accessible to the cloud network exists among the paths accessible to the node,
If there is a path accessible to the cloud network, it is checked whether a cloud network use contract exists based on the billing policy,
If there is a use contract of the cloud network, check whether there is available traffic based on the charging policy and the charging table;
If available traffic exists, establish a tunnel route based on the cloud network,
Transmitting a series of information for creation of the tunnel to the node and the gateway,
The set of information includes tunnel identification information, gateway identification information, and a series of information for identifying a tunnel that the external server is trying to create between the node and the gateway. 4. The method of claim 3,
The cloud network reference tunnel path includes a path through which the node connects to a gateway having the closest distance to the node among gateways existing on the cloud network. 5. The method of claim 4,
The gateway is configured to update, in a data flow table, a data packet size transmitted for updating a charging table and measuring usage of the cloud network of the node when the gateway forwards a data packet to a destination network through the tunnel , node. in the server,
communication circuit;
a memory for storing the database;
a processor operatively coupled to the communication circuitry; and
a processor operatively coupled with the communication circuitry and the memory, the processor comprising:
Receive, from a connection control application of a node, a first request requesting a network connection to a destination network of a target application stored in the node, wherein the first request includes identification information of a control flow and identification information of the destination network -,
Checking whether the destination network is accessible based on the identification information of the control flow and the database,
When the destination network is reachable, generating a data flow including data packet inspection information;
When the data flow cannot be created or the authentication time of the created data flow expires and needs to be updated, receiving a second request for network access from the access control application;
Receive, from the access control application, the type of the node included in the control flow to access the destination network, the location information of the node, and information about the network in which the node is included,
Stores instructions for sending tunneling and gateway information that the node can perform tunneling to the node according to the data capacity of the gateway among the tunnels and gateways listed based on the information;
The server is
If there is a data capacity less than the data capacity that can be transmitted through data packet processing total amount management with respect to the cloud network of the gateway, connecting the node to the cloud network,
and connect the node to a network other than the cloud network when the data capacity of the gateway is not present. A method of operating a network access control system, comprising:
detecting, in a connection control application of a node, a network connection event to a destination network;
checking, through the access control application, whether a data flow and a tunnel corresponding to the destination network and authorized from an external server exist; and
If the data flow and the tunnel exist, transmitting a data packet through the tunnel;
The tunnel is created between the node and the gateway based on information received from the external server,
The information received from the external server includes, among one or more tunnels and gateways listed by the external server, if there is a data capacity that can be transmitted through the data packet processing amount management while connected to the cloud network, the corresponding tunnel and gateway information or, when there is no transmittable data capacity, the node includes tunnel and gateway information for performing tunneling to a network other than the cloud network. 8. The method of claim 7,
performing, at the node, a network connection request to the external server when the data flow does not exist; and
Measuring, in the external server, the network traffic capacity and the remaining amount based on the IP allocated in response to the network access request
further comprising,
Measuring, in the external server, the network traffic capacity and the remaining amount based on the IP address allocated in response to the network access request,
checking the gateway to which the IP address is assigned;
collecting capacity processed through the cloud network;
collecting capacity processed through a network other than the cloud network;
measuring a traffic capacity processed in a section between the node and the gateway;
calculating and updating the traffic and cost in the section based on the source IP address and the destination IP address;
inquiring a cost in the cloud network; and
Calculating total traffic and remaining amount based on the measured capacities
A method of operation of a network access control system comprising a.

Images