WO2024038606A1 - Communication control system, communication control method, and communication control program - Google Patents


Publication number
WO2024038606A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
information
vpn
management device
unit
Application number
PCT/JP2022/031449
Inventor
幸司 杉園
伸也 河野
克真 宮本
浩輝 加納
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2022/031449
Publication of WO2024038606A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer

Definitions

  • the present invention relates to a communication control system, a communication control method, and a communication control program.
  • a mobile service provider builds a virtual private cloud for each company within its own cloud computing environment, and provides a means of accessing that virtual private cloud through the communication equipment used to access the mobile services provided by the mobile service provider.
  • a method is known in which an overlay tunnel is set up between a virtual private cloud access gateway and a virtual private cloud, and between a virtual private cloud access gateway and a terminal device.
  • the former is a method that uses tunneling protocols such as GRE (Generic Routing Encapsulation) and MPLS (Multi-Protocol Label Switching).
  • the latter is a method that combines a PDU (Protocol Data Unit)/PDN (Packet Data Network) session in a mobile network and the above-mentioned tunneling protocol (see, for example, Non-Patent Document 1).
  • the gateway process analyzes the arriving packet data and, if the included destination belongs to the target virtual private cloud, forwards the packet to the overlay tunnel that is set up towards the target virtual private cloud.
  • the process that executes the gateway process may be run on a general-purpose server when the gateway process is implemented as software.
  • if you stop the general-purpose server or stop the operation of the aforementioned gateway process, you will not be able to transfer data to the corresponding virtual private cloud.
  • the general-purpose server had to keep the gateway process running while there was a virtual private cloud service user (hereinafter referred to as "user"), which could result in increased power consumption.
  • a method has been adopted in which virtual machines are collectively operated on a specific server, and the power required for operating the virtual machines is reduced by improving the server's CPU utilization rate and reducing the number of operating servers (see, for example, Patent Document 2).
  • the amount of resources used by the gateway process decreases, and as a result, it becomes possible to operate with a reduced number of virtual machines and containers implementing the gateway. Therefore, as described above, by reducing the number of servers serving as a platform, it is possible to reduce power consumption.
  • the communication control system of the present invention is a communication control system having a connected terminal number management device that constructs and deletes an overlay tunnel path for data transfer used for connecting a terminal device belonging to a connection network to a dedicated network for each contracted organization.
  • the connected terminal number management device includes a counting unit that counts the number of connected terminals, which is the number of the terminal devices accessing the dedicated network for each of the contracted organizations, using contract information that is information that identifies the dedicated network for each of the contracted organizations and anchor GW identification information that is information that identifies the overlay tunnel route transfer device belonging to the area to which the terminal device connects.
  • the connected terminal number management device further includes a setting unit that, when the number of connected terminals becomes 1 or more from 0, starts the VPN gateway, configures the VPN gateway and the overlay tunnel route transfer device to connect to the dedicated network for each contracted organization, and constructs the data transfer overlay tunnel route.
  • the connected terminal number management device further includes a deletion unit that, when the number of connected terminals becomes 0 from 1 or more, deletes the settings of the VPN gateway and the overlay tunnel route transfer device, stops the VPN gateway, and deletes the data transfer overlay tunnel route.
  • the present invention has the advantage of being able to count the number of communicable users existing in the network and dynamically start and stop gateway processes based on the presence or absence of users.
  • FIG. 1 is a diagram illustrating an example of an overview of a communication control method of a communication control system according to a first embodiment.
  • FIG. 2 is a diagram illustrating an example of the operation of the gateway according to the first embodiment.
  • FIG. 3 is a diagram illustrating an example of the device configuration of the terminal device according to the first embodiment.
  • FIG. 4 is a diagram showing an example of the device configuration of the VPN gateway according to the first embodiment.
  • FIG. 5 is a table diagram showing an example of information stored in the transfer destination storage unit of the VPN gateway according to the first embodiment.
  • FIG. 6 is a diagram illustrating an example of the device configuration of the overlay tunnel route transfer device according to the first embodiment.
  • FIG. 7 is a table diagram showing an example of table form 1 stored in the transfer destination storage unit of the overlay tunnel route transfer device according to the first embodiment.
  • FIG. 8 is a table diagram illustrating an example of table format 2 stored in the transfer destination storage unit of the overlay tunnel route transfer device according to the first embodiment.
  • FIG. 9 is a diagram illustrating an example of the device configuration of the terminal location information management device according to the first embodiment.
  • FIG. 10 is a table diagram showing an example of information stored in the terminal device connection destination VPN storage unit of the terminal location information management device according to the first embodiment.
  • FIG. 11 is a table diagram showing an example of information stored in the anchor GW storage unit of the terminal location information management device according to the first embodiment.
  • FIG. 12 is a diagram showing an example of the device configuration of the contract information management device according to the first embodiment.
  • FIG. 13 is a table diagram showing an example of information stored in the contract information storage unit of the contract information management device according to the first embodiment.
  • FIG. 14 is a diagram illustrating an example of the device configuration of the connected terminal number management device according to the first embodiment.
  • FIG. 15 is a table diagram showing an example of information stored in the connected terminal number storage unit of the connected terminal number management device according to the first embodiment.
  • FIG. 16 is a diagram illustrating an example of the device configuration of the transfer information management device according to the first embodiment.
  • FIG. 17 is a table diagram showing an example of a connected terminal number management device reply table stored in the address storage unit of the transfer information management device according to the first embodiment.
  • FIG. 18 is a table diagram showing an example of a terminal device reply table stored in the address storage unit of the transfer information management device according to the first embodiment.
  • FIG. 19 is a diagram illustrating an example of a flowchart of the communication control method according to the first embodiment.
  • FIG. 20 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to Embodiment 1'.
  • FIG. 21 is a diagram illustrating an example of the device configuration of the connected terminal number management device according to Embodiment 1'.
  • FIG. 22 is a diagram illustrating an example of a flowchart of the communication control method according to Embodiment 1'.
  • FIG. 23 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to the first embodiment.
  • FIG. 24 is a diagram illustrating an example of a flowchart of the communication control method according to the first embodiment.
  • FIG. 25 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to the second embodiment.
  • FIG. 26 is a diagram illustrating an example of an overview of the operation of the communication control system according to the second embodiment.
  • FIG. 27 is a diagram illustrating an example of an overview of establishing an encrypted path according to the second embodiment.
  • FIG. 28 is a diagram illustrating an example of the device configuration of a mobile gateway according to the second embodiment.
  • FIG. 29 is a table diagram showing an example of information stored in the VPN search table storage unit of the mobile gateway according to the second embodiment.
  • FIG. 30 is a diagram illustrating an example of a flowchart of the communication control method (pattern 1) according to the second embodiment.
  • FIG. 31 is a diagram illustrating an example of a flowchart of the communication control method (pattern 2) according to the second embodiment.
  • FIG. 32 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to Embodiment 2-1.
  • FIG. 33 is a diagram showing an example of a block diagram of various devices forming the communication control system according to Embodiment 2-1.
  • FIG. 34 is a diagram illustrating an example of an overview of the operation of the communication control system according to Embodiment 2-1.
  • FIG. 35 is a diagram illustrating an example of a device configuration of an overlay tunnel route transfer device for an IP network according to Embodiment 2-1.
  • FIG. 36 is a diagram illustrating an example of a flowchart of the communication control method according to Embodiment 2-1.
  • FIG. 37 is a diagram illustrating an example of a computer on which various devices of the communication control system according to each embodiment are implemented.
  • the communication control system 1 in each embodiment constructs and deletes the overlay tunnel path for data transfer that a terminal device 100 belonging to a connection network uses to connect to a dedicated network (for example, a virtual private cloud, etc., hereinafter simply referred to as "dedicated network") for each contract organization.
  • the counting unit 631 of the connected terminal number management device 600 included in the communication control system 1 uses contract information (hereinafter referred to as "connection destination VPN ID"), which is information that identifies the dedicated network, and anchor GW identification information (hereinafter referred to as "anchor GW ID in charge"), which is information that identifies the overlay tunnel route transfer device 300 belonging to the area to which the terminal device 100 connects, to count the number of connected terminals, which is the number of terminal devices 100 that access the dedicated network.
  • the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 0 to 1 or more. In that case, the setting unit 634 of the connected terminal number management device 600 starts the VPN (Virtual Private Network) gateway 200, sets in the VPN gateway 200 and the overlay tunnel route transfer device 300 the address used to connect to the dedicated network (hereinafter referred to as "VPN connection address"), and constructs an overlay tunnel path for data transfer.
  • the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 1 or more to 0. In that case, the deletion unit 635 of the connected terminal number management device 600 deletes the settings of the VPN connection address of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the overlay tunnel route for data transfer.
  • Embodiment 1 Starting and stopping the VPN gateway according to the number of connected terminals
  • FIG. 1 is a schematic diagram showing a situation in which a terminal device 100 connected to a certain arbitrary area is connected to a dedicated network.
  • the terminal device 100 sends to the terminal location information management device 400 terminal device information (hereinafter referred to as "terminal ID") that is information that identifies the terminal device 100, the connection destination VPN ID, and a registration request for registering the above-mentioned information in the terminal location information management device 400 (see (1) in FIG. 1).
  • the registration unit 433 of the terminal location information management device 400 registers the terminal ID and connection destination VPN ID received from the terminal device 100.
  • the registration unit 433 of the terminal location information management device 400 acquires the connection destination VPN ID identified by the terminal ID from the contract information management device 500 and registers it (see (2) in FIG. 1). Then, the terminal location information management device 400 establishes a D-plane session based on the connection request, which is a D-plane session establishment request, transmitted by the terminal device 100 (see (3) in FIG. 1).
  • the transmitter 434 of the terminal location information management device 400 transmits the assigned anchor GW ID and the connection destination VPN ID to the connected terminal number management device 600 (see (4) in FIG. 1).
  • the counting unit 631 of the connected terminal number management device 600 counts the number of connections to the overlay tunnel route transfer device 300 that belongs to the area to which the terminal device 100 connects, based on the accepted anchor GW ID and connection destination VPN ID, and updates the number of connected terminals.
  • the acquisition unit 633 of the connected terminal number management device 600 sends the connection destination VPN ID to the transfer information management device 700 and obtains the VPN connection address corresponding to the dedicated network (see (5) in FIG. 1).
  • the setting unit 634 of the connected terminal number management device 600 starts the VPN gateway 200, sets the acquired VPN connection address to the VPN gateway 200 and the overlay tunnel route transfer device 300, and builds the overlay tunnel route for data transfer (see (6) in FIG. 1).
  • the terminal device 100 connects to the dedicated network using the data transfer overlay tunnel path constructed by the communication control system 1 (see (7) in FIG. 1).
  • the deletion unit 635 of the connected terminal number management device 600 deletes the settings of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the overlay tunnel route for data transfer (see (8) in FIG. 1).
  • the VPN according to the first embodiment is configured with an MEC (Multi Access Edge Cloud) and an overlay tunnel path for data transfer.
  • a front-end server for example, "front-end server 10" in Figure 1
  • the terminal device 100 is given a VPN terminal address by the transfer information management device 700.
  • FIG. 2 shows a terminal device 100 having a "destination: 10A", a terminal device 101 having a "destination: 10C", and a terminal device 102 having a "destination: 10B", respectively.
  • the VPN gateway 200 and the overlay tunnel route transfer device 300 analyze the packet headers transmitted by each terminal device and distribute the packets to the overlay tunnel route for data transfer according to the destination. Specifically, the VPN gateway 200 and the overlay tunnel route transfer device 300 distribute the communication of the terminal device 100 and the communication of the terminal device 102 to the overlay tunnel route X for data transfer, and allocate the communication of the terminal device 101 to the overlay tunnel route Y for data transfer.
  • the communication control system 1 in the first embodiment includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700.
  • the following items provide detailed explanations of the functional units of each device. Note that in the following description, descriptions of functional units (communication unit, storage unit, control unit, etc.) having similar functions in each device will be omitted as appropriate.
  • the terminal device 100 includes a communication section 110, a storage section 120, and a control section 130.
  • the terminal device 100 may include an input unit (for example, a keyboard, a mouse, etc.) that accepts various operations, and a display unit (for example, a display) for displaying various information.
  • the terminal device 100 may be a desktop personal computer, a notebook PC, a smartphone, a tablet, a PDA (Personal Digital Assistant), or the like. Next, detailed functions of each part will be described below.
  • the communication unit 110 is realized by a NIC (Network Interface Card) or the like, and controls communication via a telecommunication line such as a LAN (Local Area Network) or the Internet.
  • the communication unit 110 is connected to a network by wire or wirelessly as necessary, and can transmit and receive information in both directions.
  • the storage unit 120 stores data and programs necessary for various processing by the control unit 130.
  • the storage unit 120 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.
  • the control unit 130 includes an address management unit 131 and a communication session management unit 132.
  • the control unit 130 has an internal memory for temporarily storing programs and processing data that define various processing procedures, and is realized by electronic circuits such as a CPU (Central Processing Unit) and an MPU (Micro Processing Unit), or by integrated circuits such as an ASIC (Application Specific Integrated Circuit) and an FPGA (Field Programmable Gate Array).
  • the address management unit 131 receives a VPN terminal address for the terminal device given to the terminal device 100 and stores it in the storage unit 120.
  • the communication session management unit 132 requests the terminal location information management device 400 to establish C-plane and D-plane sessions when the terminal device 100 establishes a network connection. Furthermore, when making the above-mentioned session establishment request, the communication session management unit 132 transmits the terminal ID and, if held by the terminal device 100, the connection destination VPN ID to the terminal location information management device 400.
  • the VPN gateway 200 includes a communication section 210, a storage section 220, and a control section 230.
  • the functions of the communication unit 210 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted.
  • the VPN gateway 200 controlled by the communication control system 1 may be a virtual gateway (vGW) implemented using software.
  • the storage unit 220 stores data and programs necessary for various processing by the control unit 230.
  • the storage unit 220 includes a transfer destination storage unit 221 .
  • the forwarding destination storage unit 221 stores information regarding the forwarding destination as a forwarding table. Specifically, the transfer destination storage unit 221 stores the items "address" and "transfer destination tunnel" as shown in FIG. Note that the transfer destination storage unit 221 is not limited to the above-mentioned items as items to be stored, and may store other items. Furthermore, the input information for each item shown in FIG. 5 is just an example and is not limited to the information described.
  • the control unit 230 includes a packet header analysis unit 231 and a transfer processing unit 232.
  • the packet header analysis unit 231 analyzes a packet header transmitted when the terminal device 100 performs communication, and extracts destination information (eg, IP address, etc.).
  • Transfer processing unit 232 performs distribution to the target overlay tunnel route for data transfer based on the above-mentioned destination information.
  • overlay tunnel route transfer device 300 includes a communication section 310, a storage section 320, and a control section 330. Note that the functions of the communication unit 310 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted.
  • the storage unit 320 stores data and programs necessary for various processing by the control unit 330.
  • the storage unit 320 includes a transfer destination storage unit 321.
  • the forwarding destination storage unit 321 stores information regarding the forwarding destination as a forwarding table. Specifically, as table form 1, which maps the destination information (for example, IP address, etc.) included in the packet header transmitted from the terminal device 100 to the overlay tunnel route for data transfer of the VPN gateway 200, the transfer destination storage unit 321 stores the items "address" and "transfer destination tunnel" as shown in FIG. 7. Further, the transfer destination storage unit 321 stores the items "Mobile NW tunnel" and "Transfer destination tunnel to VPN gateway" as shown in FIG.
  • the transfer destination storage unit 321 is not limited to the above-mentioned items, and may store other items. Furthermore, the input information for each item shown in FIGS. 7 and 8 is merely an example, and is not limited to the information described.
  • the control unit 330 includes a packet header analysis unit 331 and a transfer processing unit 332.
  • the packet header analysis unit 331 analyzes a packet header transmitted when the terminal device 100 performs communication, and extracts destination information (eg, IP address, etc.).
  • the transfer processing unit 332 performs distribution to the target overlay tunnel route for data transfer based on the destination information described above.
  • the terminal location information management device 400 includes a communication section 410, a storage section 420, and a control section 430. Note that the functions of the communication unit 410 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted. In addition, the terminal location information management device 400 may utilize MME (Mobility Management Entity) and AMF (Access and Mobility management Function).
  • the storage unit 420 stores data and programs necessary for various processing by the control unit 430.
  • the storage unit 420 includes a terminal device connection destination VPN storage unit 421 and an anchor GW storage unit 422.
  • the terminal device connection destination VPN storage unit 421 stores a terminal device-connection destination VPN management table as information regarding the overlay tunnel route for data transfer connecting to the dedicated network. Specifically, the terminal device connection destination VPN storage unit 421 stores the items “terminal ID” and “connection destination VPN ID” as a terminal device-connection destination VPN management table as shown in FIG. Note that the terminal device connection destination VPN storage unit 421 is not limited to the above-mentioned items as information to be stored, and may store other items. Furthermore, the input information for each item shown in FIG. 10 is just an example, and the information is not limited to the information described.
  • Anchor GW storage unit 422 stores a location management table as information for identifying overlay tunnel route transfer device 300 belonging to the area to which terminal device 100 connects. Specifically, the anchor GW storage unit 422 stores the items "terminal ID" and "in-charge anchor GW ID" as a location management table, as shown in FIG. Note that the anchor GW storage unit 422 is not limited to the above-mentioned items as information to be stored, and may store other items. Furthermore, the input information for each item shown in FIG. 11 is just an example and is not limited to the information described.
  • the control unit 430 includes a reception unit 431, a notification unit 432, a registration unit 433, and a transmission unit 434.
  • the reception unit 431 determines that the terminal device 100 holds the connection destination VPN ID. In that case, the receiving unit 431 receives terminal device information (terminal ID), which is information for identifying the terminal device 100, and contract information (connection destination VPN ID) from the terminal device 100. On the other hand, the reception unit 431 determines that the terminal device 100 does not hold the connection destination VPN ID. In that case, the reception unit 431 receives from the terminal device 100 terminal device information (terminal ID) that is information that identifies the terminal device 100, and a registration request for registering the terminal device information (terminal ID) and contract information (connection destination VPN ID) in the terminal location information management device 400.
  • the reception unit 431 receives a connection request from the terminal device 100, which is a request for connection from the mobile network to the data network.
  • the reception unit 431 is not limited to the above-mentioned information, and may accept other information as necessary.
  • the notification unit 432 notifies the contract information management device 500 of the terminal ID when the terminal device 100 does not hold the connection destination VPN ID. Note that the notification unit 432 is not limited to the above-mentioned information, and may notify other information as necessary.
  • the registration unit 433 registers the terminal device information (terminal ID) and contract information (connection destination VPN ID) received from the terminal device 100. On the other hand, if the terminal device 100 does not hold contract information, the registration unit 433 registers the contract information (connection destination VPN ID) obtained from the contract information management device 500 using the terminal device information (terminal ID), based on the terminal ID received from the terminal device 100 and the registration request.
  • the registration unit 433 registers the terminal ID transmitted by the terminal device 100 and the connection destination VPN ID transmitted by the transmission unit 532 of the contract information management device 500, which will be described later.
  • the registration unit 433 is not limited to the above-mentioned information, and may accept other information as necessary.
  • the transmitter 434 transmits contract information (connection destination VPN ID) and anchor GW identification information (anchor GW ID in charge) to the connected terminal number management device 600 based on the connection request. Note that the transmitter 434 is not limited to the above-mentioned information, and may transmit other information as necessary.
  • the contract information management device 500 includes a communication section 510, a storage section 520, and a control section 530. Note that the functions of the communication unit 510 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted. In addition, the contract information management device 500 may work in conjunction with an HSS (Home Subscriber Server) and a UDM (Unified Data Management).
  • the storage unit 520 stores data and programs necessary for various processing by the control unit 530.
  • the storage unit 520 includes a contract information storage unit 521.
  • the contract information storage unit 521 stores a contract management table including connection destination VPN IDs as contract information. Specifically, the contract information storage unit 521 stores items such as "terminal ID" and "connection destination VPN ID” as shown in FIG. 13 as a contract management table. Note that the information stored in the contract information storage section 521 is not limited to the above-mentioned items, and may store other items. Furthermore, the input information for each item shown in FIG. 13 is just an example, and the information is not limited to the information described.
  • the control unit 530 includes a reception unit 531 and a transmission unit 532.
  • the reception unit 531 receives the terminal ID notified by the notification unit 432 of the terminal location information management device 400. Note that the reception unit 531 is not limited to the above-mentioned information, and may accept other information as necessary.
  • the transmitter 532 transmits the connection destination VPN ID corresponding to the terminal ID accepted by the receiver 531 to the terminal location information management device 400. Note that the transmitter 532 is not limited to the above-mentioned information, and may transmit other information as necessary.
  • the connected terminal number management device 600 constructs and deletes an overlay tunnel path for data transfer used by the terminal device 100 belonging to the connection network to connect to a dedicated network for each contract organization.
  • the connected terminal number management device 600 includes a communication section 610, a storage section 620, and a control section 630. Note that the functions of the communication unit 610 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted.
  • the storage unit 620 stores data and programs necessary for various processing by the control unit 630.
  • the storage unit 620 includes a connected terminal number storage unit 621.
  • the number of connected terminals storage unit 621 stores a number of connected terminals management table as information used to count the number of connected terminals. Specifically, the number of connected terminals storage unit 621 stores items such as "anchor GW ID in charge”, "connection destination VPN ID”, and "number of connected terminals" as shown in FIG. 15 as a number of connected terminals management table.
  • the information stored by the number of connected terminals storage unit 621 is not limited to the above-mentioned items, and may store other items.
  • the input information for each item shown in FIG. 15 is just an example, and the information is not limited to the information described.
  • the control section 630 includes a counting section 631, a determining section 632, an obtaining section 633, a setting section 634, and a deleting section 635.
  • the counting unit 631 counts the number of connected terminals, which is the number of terminal devices 100 accessing the dedicated network for each contracted organization, and updates the number of connected terminals. For this it uses contract information (connection destination VPN ID), which is information that identifies a dedicated network for each contract organization, and anchor GW identification information (anchor GW ID in charge), which is information that identifies the overlay tunnel route transfer device 300 that belongs to the area to which the terminal device 100 connects. Note that the counting unit 631 is not limited to the above-mentioned information, and may perform counting using other information as necessary.
  • the determining unit 632 determines whether a predetermined condition is satisfied based on the connected terminal number information counted and updated by the counting unit 631. For example, the determining unit 632 determines that the setting unit 634 performs the process when the number of connected terminals is updated from 0 to 1 or more, and determines that the deletion unit 635 performs the process when the number of connected terminals is 0 for a predetermined time or more, that is, when the number of connected terminals is updated from 1 or more to 0.
  • the determining unit 632 may also determine that the deletion unit 635 performs the process when the number of connected terminals is updated from 1 or more to 0 and the number of connected terminals remains 0 for a certain period of time or more. Further, the determination unit 632 is not limited to the aforementioned determination conditions, and may make determinations based on other determination conditions as necessary.
  • the acquisition unit 633 uses the contract information (connection destination VPN ID) to acquire, from the transfer information management device 700, information (VPN connection address) for connecting to a dedicated network for each contracted organization to which the terminal device 100 connects.
  • the acquisition unit 633 is not limited to the above-mentioned information, and may acquire other information as necessary.
  • the setting unit 634 activates the VPN gateway 200, sets the VPN connection address for the VPN gateway 200 and the overlay tunnel route transfer device 300, and constructs an overlay tunnel route for data transfer.
  • the setting unit 634 is not limited to the above-mentioned information, and may use other information as necessary to perform settings for any device.
  • the deletion unit 635 deletes the settings of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the overlay tunnel route for data transfer when the determination result of the determination unit 632 satisfies a predetermined condition, that is, when the number of connected terminals changes from 1 or more to 0.
  • the deletion unit 635 deletes the VPN connection address set for the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and releases the overlay tunnel route for data transfer.
  • the deletion unit 635 is not limited to the above-mentioned information, and may delete settings of any device using other information as necessary.
  • the transfer information management device 700 includes a communication section 710, a storage section 720, and a control section 730. Note that the functions of the communication unit 710 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted.
  • the storage unit 720 stores data and programs necessary for various processing by the control unit 730.
  • the storage unit 720 includes an address storage unit 721.
  • the address storage unit 721 stores a connected terminal number management device reply table and a terminal device reply table as information regarding the VPN connection address for connecting to the dedicated network. Specifically, the address storage unit 721 stores the items "connection destination VPN ID" and "VPN connection address” as a table for replying to the number of connected terminals management device, as shown in FIG.
  • the address storage unit 721 stores items such as "Service connection URI (Uniform Resource Identifier)/URL (Uniform Resource Locator)" and "VPN terminal address" as shown in FIG. 18 as a terminal device reply table.
  • the information stored in the address storage section 721 is not limited to the above-mentioned items, and may store other items.
  • the input information for each item shown in FIGS. 17 and 18 is just an example, and the information is not limited to the information described.
  • the address storage unit 721 of the transfer information management device 700 may utilize DNS (Domain Name System) as a function of the terminal reply table.
  • the control section 730 includes a reception section 731 and a transmission section 732.
  • the reception unit 731 receives the connection VPN ID transmitted by the acquisition unit 633 of the connected terminal number management device 600. Note that the reception unit 731 is not limited to the above-mentioned information, and may accept other information as necessary.
  • Based on the connection VPN ID received by the reception unit 731, the transmission unit 732 transmits the corresponding VPN connection address to the connected terminal number management device 600 and the corresponding VPN terminal address to the terminal device 100. Note that the transmitter 732 is not limited to the above-mentioned information, and may transmit other information as necessary.
  • the reception unit 431 of the terminal location information management device 400 receives a terminal ID and a registration request to the C-plane of the mobile network from the terminal device 100 (step S11).
  • the reception unit 431 of the terminal location information management device 400 determines that the terminal device 100 holds the connection destination VPN ID (Yes in step S12). In that case, the receiving unit 431 of the terminal location information management device 400 receives the connection destination VPN ID from the terminal device 100 (step S13). Subsequently, the registration unit 433 of the terminal location information management device 400 registers the terminal ID and the connection destination VPN ID corresponding to the terminal ID (step S16).
  • the reception unit 431 of the terminal location information management device 400 determines that the terminal device 100 does not hold the connection destination VPN ID (No in step S12). In that case, the notification unit 432 of the terminal location information management device 400 notifies the contract information management device 500 of the terminal ID (step S14). Then, the transmitting unit 532 of the contract information management device 500 transmits the connection destination VPN ID corresponding to the terminal ID to the terminal location information management device 400 (step S15). Subsequently, the registration unit 433 of the terminal location information management device 400 registers the terminal ID transmitted by the terminal device 100 and the connection destination VPN ID transmitted by the contract information management device 500 (step S16).
  • the terminal location information management device 400 establishes a C-plane session with the terminal device 100 (step S17). Subsequently, the receiving unit 431 of the terminal location information management device 400 receives a connection request for establishing a D-plane session from the terminal device 100 (step S18). Subsequently, the terminal location information management device 400 determines the overlay tunnel route transfer device 300 to be connected, and establishes a D-plane session within the mobile network (step S19).
  • the transmitting unit 434 of the terminal location information management device 400 transmits the connection destination VPN ID and the anchor GW ID in charge to the connected terminal number management device 600 (step S20). Subsequently, the counting unit 631 of the connected terminal number management device 600 counts and updates the number of connected terminals based on the received connection destination VPN ID and assigned anchor GW ID (step S21).
  • the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 0 to 1 or more (step S22). In that case, the acquisition unit 633 of the connected terminal number management device 600 transmits the connection destination VPN ID to the transfer information management device 700 and acquires the VPN connection address (step S23). Subsequently, the setting unit 634 of the connected terminal number management device 600 starts the VPN gateway 200, sets the acquired VPN connection address for the VPN gateway 200 and the overlay tunnel route transfer device 300, and constructs an overlay tunnel route for data transfer (step S24).
  • the transfer information management device 700 transmits the VPN terminal address to the terminal device 100 (step S25). Then, the terminal device 100 uses the VPN terminal address transmitted by the transfer information management device 700 to connect to the dedicated network via the data transfer overlay tunnel path (step S26). Thereafter, the terminal device 100 continues to connect to the dedicated network (step S27).
  • the terminal location information management device 400 measures the non-communication time of the terminal device 100 (step S28). Then, if the non-communication time exceeds a predetermined threshold, the terminal location information management device 400 disconnects the D-plane session (step S29). Subsequently, the counting unit 631 of the connected terminal number management device 600 subtracts the number of connected terminals corresponding to the overlay tunnel route transfer device 300 via which the terminal device 100 communicates with the VPN (step S30). When the number of connected terminals is changed from 1 or more to 0 by the above-described subtraction, the determining unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 1 or more to 0 (Yes in step S31).
  • the deletion unit 635 of the connected terminal number management device 600 deletes the VPN connection addresses set in the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and releases the overlay tunnel route for data transfer, and the process ends (step S32).
  • the determining unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has not been updated from 1 or more to 0 (No in step S31). In that case, the process returns and the communication control system 1 continues the process.
  • the communication control system 1 includes a connected terminal number management device 600 that constructs and deletes an overlay tunnel path for data transfer used for connecting a terminal device 100 belonging to a connection network to a dedicated network for each contract organization.
  • Using the anchor GW identification information (anchor GW ID in charge), the number of connected terminals, which is the number of terminal devices 100 that access the dedicated network for each contract organization, is counted. If the number of connected terminals goes from 0 to 1 or more, the VPN gateway 200 is started, the VPN gateway 200 and overlay tunnel route transfer device 300 are configured to connect to the dedicated network for each contract organization, and the overlay tunnel route for data transfer is connected.
  • The system is further characterized in that the settings of the VPN gateway 200 and overlay tunnel route transfer device 300 are deleted, the VPN gateway 200 is stopped, and the overlay tunnel route for data transfer is deleted. Therefore, according to this embodiment, the following effects are achieved.
  • the general-purpose server that executes the gateway process keeps the gateway process on standby even when packet data does not arrive, and the memory remains occupied by the gateway process, so the server continues to consume a small amount of power. Therefore, if there are multiple gateway processes, each providing gateway functions to different dedicated networks, the memory of the operating server that can be used by the active gateway processes may decrease, and packet forwarding performance may deteriorate.
  • the communication control system 1 of the first embodiment dynamically sets the gateway process according to an increase or decrease in the number of connected terminals. This provides the effect of reducing power and avoiding unnecessary occupation of resources.
  • Embodiment 1' Selection of a server for operating a VPN gateway in consideration of the load on the server for operating a VPN gateway
  • the communication control system 1 selects the operating server to be operated in consideration of the load on the operating server of the VPN gateway 200.
  • the communication control system 1 in Embodiment 1' periodically acquires the CPU usage rate of the operating server and the number of VPN gateways 200 in operation as information regarding the operating status of the VPN gateways 200, and determines an operating server that satisfies predetermined conditions (for example, low CPU usage rate, high power efficiency, low load, etc.).
  • FIG. 20 shows a situation where, as operating servers of the VPN gateway 200, there are an operating server 20A with a CPU usage rate of 20% and an operating server 20B with a CPU usage rate of 80%.
  • the monitoring unit 636 of the connected terminal number management device 600 monitors the CPU usage rates of the operating server 20A and the operating server 20B, and acquires information regarding the CPU usage rate at predetermined time-series intervals (see (1)).
  • the monitoring unit 636 of the connected terminal number management device 600 selects an operating server on which to operate the VPN gateway 200 based on the obtained information regarding the CPU usage rate.
  • the monitoring unit 636 of the connected terminal number management device 600 determines the operating server 20A as the operating server.
  • the monitoring unit 636 of the connected terminal number management device 600 also monitors the number of VPN gateways in operation, memory usage rate, number of connected terminals, etc., and the operating server to be operated may be determined using this information.
  • the communication control system 1 in Embodiment 1' includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700. The following items provide detailed explanations of the functional units of each device.
  • The configuration in Embodiment 1' is the same as in Embodiment 1, so only the monitoring unit 636 of the connected terminal number management device 600, which is a different functional unit, will be explained here, and other detailed explanations will be omitted.
  • the monitoring unit 636 acquires information regarding the operating status of the operating server that operates the VPN gateway 200, and determines the operating server to be operated based on the information regarding the operating status. For example, the monitoring unit 636 monitors the operating server of the VPN gateway 200, and acquires information regarding the operating status of the operating server (for example, CPU usage rate, memory usage rate, memory usage amount, and the number of VPN gateways 200 in operation). Note that the monitoring unit 636 is not limited to the above-mentioned information, and may monitor and acquire other information as necessary.
  • the monitoring unit 636 of the connected terminal number management device 600 monitors the operating status of the operating server of the VPN gateway 200 (step S31). Then, the monitoring unit 636 of the connected terminal number management device 600 acquires information regarding the operating status of the operating server (step S32). Further, the monitoring unit 636 of the connected terminal number management device 600 determines the operating server to be used based on the information regarding the operating status (step S33).
  • the communication control system 1 in Embodiment 1' dynamically selects the operating server that operates the VPN gateway 200 according to the operating status of the operating server, which provides the effects of distributing the load of the operating servers and suppressing deterioration of packet transfer performance.
  • Embodiment 1'' Operation when changing overlay tunnel route transfer device due to area movement
  • Embodiment 1'' will be described as a further different embodiment.
  • Embodiment 1'' is an embodiment in which the terminal device 100 moves between areas and the overlay tunnel route transfer device 300 in charge is changed.
  • FIG. 23 shows that the terminal device 100 moves between “area A” and “area B” which are logically different areas. Further, as a premise, the terminal location information management device 400 belonging to each area holds the assigned anchor GW ID of the overlay tunnel route transfer device 300 belonging to the corresponding area. Therefore, the terminal location information management device 400 and overlay tunnel route transfer device 300 in charge determine the base station to which the terminal device 100 connects when registering with the mobile network.
  • area A is served by the terminal location information management device 400A and overlay tunnel route transfer device 300A, and area B is served by the terminal location information management device 400B and overlay tunnel route transfer device 300B.
  • Embodiment 1'' will be explained with continued reference to FIG. 23.
  • the terminal device 100 moves across areas from area A to area B (see (1) in FIG. 23).
  • the terminal location information management device 400B in the destination area B registers the terminal ID and connection destination VPN ID of the terminal device 100 (see (2) in FIG. 23).
  • the terminal location information management device 400B establishes a D-plane session within the mobile network (see (3) in FIG. 23).
  • the counting unit 631 of the connected terminal number management device 600 performs a process of adding up the number of connected terminals in area B.
  • the terminal location information management device 400A terminates the D-plane session in area A (see (4) in FIG. 23).
  • the counting unit 631 of the connected terminal number management device 600 performs a process of subtracting the number of connected terminals in area A.
  • a communication control system 1 in Embodiment 1'' includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700. Note that the system configuration in Embodiment 1'' is the same as that in Embodiment 1, so detailed explanation will be omitted.
  • the terminal device 100 moves from an arbitrary area A to a different area B (step S41).
  • the terminal location information management device 500B of the destination area B registers the terminal ID and connection destination VPN ID of the terminal device 100 that has moved between areas in the terminal location information management device 400B (step S42).
  • the terminal location information management device 400B determines the overlay tunnel route transfer device 300B to be connected to, and establishes a D-plane session within the mobile network, similarly to the procedure of the first embodiment (step S43).
  • the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals in area B, adds it, and updates it (step S44).
  • the terminal location information management device 500A terminates the D-plane session in area A (step S45).
  • the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals in area A, subtracts it, and updates it (step S46).
  • the terminal location information management device 400 of the area movement destination acquires the information necessary for counting the number of connected terminals from the terminal device 100, and the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals.
  • the setting unit 634 and deletion unit 635 of the connected terminal number management device 600 dynamically control the VPN gateway 200 and the overlay tunnel route transfer device 300, which provides the effects of saving resources of the operating server and making load distribution of the gateway process more efficient.
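The counting, determination, setting and deletion flow of steps S20 to S32, together with the server choice of Embodiment 1' and the area move of Embodiment 1'', can be modelled as a reference-counted lifecycle. The following is an added example, not code from the patent or its applicant; the class and method names, the idle grace timer, the one-gateway-per-(anchor GW ID, VPN ID) granularity, and the sample VPN ID and address are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectedTerminalManager:
    """Illustrative model of the connected terminal number management device 600."""
    vpn_addresses: dict      # connection destination VPN ID -> VPN connection address
    server_cpu: dict         # operating server name -> CPU usage rate in percent
    idle_grace: float = 0.0  # seconds the count must stay at 0 before deletion
    counts: dict = field(default_factory=dict)      # (anchor GW ID, VPN ID) -> terminals
    gateways: dict = field(default_factory=dict)    # (anchor GW ID, VPN ID) -> gateway record
    zero_since: dict = field(default_factory=dict)  # key -> time the count reached 0
    log: list = field(default_factory=list)         # start/stop events, for auditing

    def session_established(self, anchor_gw, vpn_id):
        """Count up; on the 0 -> 1 transition start a gateway and record its address."""
        if vpn_id not in self.vpn_addresses:
            # An unknown VPN ID must never cause a gateway to be started.
            raise KeyError(f"unknown connection destination VPN ID: {vpn_id}")
        key = (anchor_gw, vpn_id)
        self.counts[key] = self.counts.get(key, 0) + 1
        self.zero_since.pop(key, None)  # a reconnect cancels a pending deletion
        if key not in self.gateways:
            # Embodiment 1': pick the operating server with the lowest CPU usage.
            server = min(self.server_cpu, key=self.server_cpu.get)
            self.gateways[key] = {
                "server": server,
                "vpn_connection_address": self.vpn_addresses[vpn_id],
            }
            self.log.append(("start", key, server))
        return self.counts[key]

    def session_released(self, anchor_gw, vpn_id, now):
        """Count down; refuse to go below zero so a stray release cannot tear down a tunnel."""
        key = (anchor_gw, vpn_id)
        if self.counts.get(key, 0) == 0:
            raise ValueError(f"release without a counted session: {key}")
        self.counts[key] -= 1
        remaining = self.counts[key]
        if remaining == 0:
            self.zero_since[key] = now
        self.sweep(now)
        return remaining

    def sweep(self, now):
        """Delete gateways whose count has stayed at 0 for at least idle_grace seconds."""
        for key, since in list(self.zero_since.items()):
            if now - since >= self.idle_grace:
                del self.zero_since[key]
                del self.gateways[key]
                del self.counts[key]
                self.log.append(("stop", key))

    def area_move(self, vpn_id, old_gw, new_gw, now):
        """Embodiment 1'': add in the destination area first, then subtract in the source area."""
        self.session_established(new_gw, vpn_id)
        self.session_released(old_gw, vpn_id, now)


if __name__ == "__main__":
    # Constructed sample data: server names and CPU rates follow the FIG. 20 description,
    # the VPN ID and the documentation-range address are made up.
    mgr = ConnectedTerminalManager({"vpn-1": "192.0.2.10"}, {"20A": 20, "20B": 80}, idle_grace=30)
    mgr.session_established("gwA", "vpn-1")
    mgr.area_move("vpn-1", "gwA", "gwB", now=100)
    mgr.sweep(now=130)
    for event in mgr.log:
        print(event)
```

Counting up in the destination area before counting down in the source area keeps a tunnel available throughout the move, and the underflow check keeps a duplicated or spoofed release from stopping a gateway other terminals still use.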
  • Embodiment 2 When the terminal device connects to the VPN via WiFi
  • Embodiment 2 will now be described as a further different embodiment. In the second embodiment, an embodiment will be described in which the terminal device 100 connects to a VPN from WiFi via a mobile network.
  • the terminal device 100 that performs a WiFi connection connects to the WiFi router R (see (1) in FIG. 25).
  • the WiFi router R transfers the packet data to the mobile gateway 800 (see (2) in FIG. 25).
  • the mobile gateway 800 uses the destination information (for example, an IP address) to determine the VPN connection address and connection destination VPN ID, and establishes a D-plane session on behalf of the terminal device 100.
  • the mobile gateway 800 then transfers the data to the D-plane session corresponding to the destination VPN (see (3) in FIG. 25). Note that the subsequent counting of the number of connected terminals is the same as in the first embodiment, and will therefore be omitted.
  • the terminal device 100 transmits a VPN authentication request (including a password and user ID) to the mobile gateway 800 when starting a VPN connection (see (1) in FIG. 26). Subsequently, the mobile gateway 800 further transmits the authentication request received from the terminal device 100 to the VPN authentication server 900 (see (2) in FIG. 26). Then, the VPN authentication server 900 transmits an authentication response (connection destination VPN ID or VPN terminal address) to the mobile gateway 800 based on the information included in the received authentication request (see (3) in FIG. 26). Note that when the VPN authentication server 900 transmits the VPN terminal address, the mobile gateway 800 acquires the corresponding connection destination VPN ID from the contract information management device 500 based on the VPN terminal address (see (4)).
  • the mobile gateway 800 transmits the connection destination VPN ID acquired from the VPN authentication server 900 or the contract information management device 500 to the terminal location information management device 400 (see (5) in FIG. 26).
  • the terminal location information management device 400 further transmits the connection destination VPN ID to the transfer information management device 700 and acquires the corresponding VPN connection address (see (6) in FIG. 26).
  • the terminal location information management device 400 transmits the acquired VPN connection address to the mobile gateway 800 (see (7) in FIG. 26).
  • the mobile gateway 800 maps and sets the acquired VPN connection address and the held connection destination VPN ID.
  • Case 2 will be explained using FIG. 27.
  • When the terminal device 100 detects a WiFi connection, it establishes an encrypted path C with the mobile gateway 800 (see (1) in FIG. 27).
  • the terminal device 100 stops the procedure for establishing the encrypted route C.
  • the mobile gateway 800 performs VPN authentication in the same manner as in case 1 described above, obtains the VPN connection address and the connection destination VPN ID, and sets them to itself after mapping.
  • the mobile gateway 800 transmits a registration completion message to the terminal device 100 via the encrypted path C (see (2) in FIG. 27).
  • the communication control system 1 in the second embodiment includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, and a connected terminal number management device 600. , a transfer information management device 700, and a mobile gateway 800.
  • the following items provide detailed explanations of the functional units of each device. Note that the device configuration of the second embodiment other than the mobile gateway 800 is the same as that of the first embodiment, and in this section, only the different mobile gateway 800 will be explained, and detailed explanation of the other components will be omitted.
  • As shown in FIG. 28, the mobile gateway 800 includes a communication section 810, a storage section 820, and a control section 830. Note that the functions of the communication unit 810 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted.
  • the storage unit 820 stores data and programs necessary for various processing by the control unit 830.
  • the storage unit 820 has a VPN search table storage unit 821.
  • the VPN search table storage unit 821 stores a VPN search table that maps and sets the acquired VPN connection address and connection destination VPN ID. Specifically, the VPN search table storage unit 821 stores the items "VPN connection address" and "connection destination VPN ID" as a VPN search table, as shown in FIG. Note that the information stored in the VPN search table storage section 821 is not limited to the above-mentioned items, and may store other items. Furthermore, the input information for each item shown in FIG. 29 is just an example, and the information is not limited to the information described.
  • the control unit 830 includes a distribution unit 831, a transmission unit 832, a setting unit 833, and a session establishment unit 834.
  • the distribution unit 831 determines the VPN connection address and connection destination VPN ID based on pre-held information regarding the destination address (VPN connection address), information regarding the corresponding VPN (connection destination VPN ID), and destination information (IP address) transmitted by the terminal device 100, and distributes communication to the D-plane session corresponding to the destination VPN.
  • the transmitter 832 transmits the authentication request (including the user ID, password, etc.) received from the terminal device 100 to the VPN authentication server 900. Further, the transmitter 832 transmits the connection destination VPN ID acquired from the VPN authentication server 900 to the terminal location information management device 400. Furthermore, the transmitter 832 transmits a registration completion message to the terminal device 100.
  • the setting unit 833 maps and sets the VPN connection address acquired from the transfer information management device 700 and the connection destination VPN ID held by the mobile gateway 800.
  • Based on contract information (connection destination VPN ID), information for connecting to a dedicated network for each contracted organization to which the terminal device 100 connects (VPN connection address), and the destination information included in the packet data transmitted by the terminal device 100, the session establishment unit 834 establishes an overlay tunnel path for data transfer with the terminal location information management device 400 on behalf of the terminal device 100.
  • Specifically, based on the mapped VPN connection address and connection destination VPN ID, the session establishment unit 834 determines the destination VPN connection address and connection destination VPN ID from the destination information (IP address) included in the packet data transmitted by the terminal device 100.
  • the session establishment unit 834 establishes a D-plane session corresponding to the corresponding destination VPN and transfers the packet data.
  • the terminal device 100 connects to the WiFi router R (step S51). Subsequently, the terminal device 100 transmits a VPN authentication request (including a password and user ID) to the mobile gateway 800 at the time of starting the VPN connection (step S52). Next, the transmitter 832 of the mobile gateway 800 transmits the authentication request received from the terminal device 100 to the VPN authentication server 900 (step S53). Then, the VPN authentication server 900 transmits an authentication response (connection destination VPN ID or VPN terminal address) to the mobile gateway 800 based on the information included in the received authentication request (step S54).
  • the transmitter 832 of the mobile gateway 800 transmits the connection destination VPN ID acquired from the VPN authentication server 900 to the terminal location information management device 400 (step S55).
  • the acquisition unit 435 of the terminal location information management device 400 then acquires the VPN connection address from the transfer information management device 700 (step S56).
  • the transmitter 434 of the terminal location information management device 400 transmits the acquired VPN connection address to the mobile gateway 800 (step S57).
  • the setting unit 833 of the mobile gateway 800 maps and sets the acquired VPN connection address and the held connection destination VPN ID (step S58).
  • the WiFi router R transfers the packet data to the mobile gateway 800 (step S59).
  • the session establishment unit 834 of the mobile gateway 800 determines the destination VPN connection address and the connection destination VPN ID from the destination information included in the packet data transmitted by the terminal device 100, based on the mapped VPN connection address and connection destination VPN ID (step S60). Then, the session establishment unit 834 of the mobile gateway 800 establishes a D-plane session corresponding to the corresponding destination VPN and transfers the packet data (step S61).
  • the terminal device 100 connects to the WiFi router R (step S71). At this time, the terminal device 100 establishes an encrypted path C with the mobile gateway 800 (step S72). Subsequently, the terminal device 100 transmits a VPN authentication request (including a password and user ID) to the mobile gateway 800 at the time of starting the VPN connection (step S73). Next, the transmitter 832 of the mobile gateway 800 transmits the authentication request received from the terminal device 100 to the VPN authentication server 900 (step S74). Then, the VPN authentication server 900 transmits an authentication response (connection destination VPN ID or VPN terminal address) to the mobile gateway 800 based on the information included in the received authentication request (step S75).
  • the transmitter 832 of the mobile gateway 800 transmits the connection destination VPN ID acquired from the VPN authentication server 900 to the terminal location information management device 400 (step S76).
  • the acquisition unit 435 of the terminal location information management device 400 acquires the VPN connection address from the transfer information management device 700 (step S77).
  • the transmitter 434 of the terminal location information management device 400 transmits the acquired VPN connection address to the mobile gateway 800 (step S78).
  • the setting unit 833 of the mobile gateway 800 maps and sets the acquired VPN connection address and the held connection destination VPN ID (step S79).
  • the transmitter 832 of the mobile gateway 800 transmits a registration completion message to the terminal device 100 (step S80).
  • the WiFi router R transfers the packet data to the mobile gateway 800 (step S81).
  • the session establishment unit 834 of the mobile gateway 800 determines the destination VPN connection address and the connection destination VPN ID from the destination information included in the packet data transmitted by the terminal device 100, based on the mapped VPN connection address and connection destination VPN ID (step S82). Then, the session establishment unit 834 of the mobile gateway 800 establishes a D-plane session corresponding to the corresponding destination VPN and transfers the packet data (step S83).
  • the communication control system 1 has the following effects.
  • the terminal device 100 when performing WiFi communication, the terminal device 100 only has the destination IP address of the data packet to be transferred to the VPN as information for identifying the VPN to be accessed, and the mobile gateway 800 has only the destination IP address of the data packet transferred to the VPN. It was necessary to attach identifying information to the session establishment signaling message.
  • because the device corresponding to the mobile gateway 800 could not derive information identifying the VPN to be accessed from the destination IP address of the arriving packet, an overlay tunnel route for data transfer connecting to the VPN could not be established through signaling of the mobile network as soon as the packet arrived.
  • the communication control system 1 in the second embodiment searches for a mapped VPN connection address from the destination information (IP address) of packet data arriving at the mobile gateway 800 and establishes an overlay tunnel path for data transfer, which provides the effect of making it possible to count the number of connected terminals.
  • [Embodiment 2-1: When a terminal device connects to a VPN via an IP network] Embodiment 2-1 will now be described as a form similar to Embodiment 2. In FIG. 32, an embodiment will be described in which the terminal device 100 connects to a VPN from WiFi via an IP network.
  • FIG. 32 shows a case where the terminal device 100 connects to the fixed network access router SR via the WiFi router R, and a case where the terminal device 100 connects directly to the fixed network access router SR.
  • when the terminal device 100 accesses via the IP network, the communication control system 1 cannot count the number of connected terminals based on D-plane session establishment and release. Therefore, after the VPN authentication and the establishment of the overlay tunnel path for data transfer described in Embodiment 2, the communication control system 1 in Embodiment 2-1 counts the number of connected terminals, using as a trigger a terminal operation check performed with "heartbeat", "ping", etc.
  • an overlay tunnel route transfer device 300 for the IP network (hereinafter referred to as “overlay tunnel route transfer device 300") is installed between the IP network and the data network.
  • the communication control system 1 communicates with a VPN authentication server 900 (hereinafter referred to as "VPN authentication server 900") for multiple IP networks in order to identify the overlay tunnel route transfer device 300.
  • VPN authentication server 900 a configuration including a plurality of access point APs (for example, a residential WiFi router, etc.).
  • the terminal device 100 transmits VPN connection information (user ID, password, etc.) to the VPN authentication server 900 via the WiFi router R and the fixed network access router SR, or only the fixed network access router SR (see (1) in FIG. 34).
  • the VPN authentication server 900 notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge (see (2) in FIG. 34). Then, the connected terminal number management device 600 counts and adds up the number of connected terminals connected to the target VPN to be connected to the dedicated network from the corresponding overlay tunnel route transfer device 300. Note that the procedure for constructing an overlay tunnel path for data transfer after addition is the same as the method described in the first embodiment.
  • the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 performs terminal survival confirmation using "heartbeat", "ping", etc. (see (3) in FIG. 34). Then, if there is no response from the terminal device 100 as a result of the terminal survival confirmation, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 sends the connection destination VPN ID and the anchor GW ID in charge to the connected terminal number management device 600 (see (4) in FIG. 34). Then, based on the above-mentioned notification, the connected terminal number management device 600 counts and subtracts the number of connected terminals connected to the VPN to be connected to the dedicated network. Note that the procedure for deleting the overlay tunnel path for data transfer after subtraction is the same as the method described in the first embodiment.
  • the communication control system 1 in Embodiment 2-1 has a device configuration that includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300 for an IP network, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700.
  • the configuration of Embodiment 2-1 other than the overlay tunnel route transfer device 300 is the same as in Embodiment 1, so in this item only the overlay tunnel route transfer device 300, which differs, is explained, and other detailed explanations are omitted. Furthermore, since the overlay tunnel route transfer device 300 in Embodiment 2-1 has the same functions as the overlay tunnel route transfer device 300 in Embodiment 1, only the terminal survival confirmation unit 333, which is a different functional unit, is explained, and other explanations are omitted.
  • the control unit 330 includes a packet header analysis unit 331, a transfer processing unit 332, and a terminal survival confirmation unit 333.
  • Terminal survival confirmation unit 333 transmits an identification signal to the terminal device 100 connected to the dedicated network via the IP network, and confirms whether the terminal device 100 is currently connected to the dedicated network.
  • the terminal survival confirmation unit 333 uses "heartbeat", "ping", etc. to confirm the terminal survival, and determines whether there is a response from the terminal device 100. Then, the terminal survival confirmation unit 333 notifies the connection destination VPN ID and the assigned anchor GW ID to the connected terminal number management device 600 based on the determination result of the terminal survival confirmation described above. Then, as a result of the terminal survival confirmation, if there is no response from the terminal device 100, the terminal survival confirmation unit 333 notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge.
  • the terminal device 100 transmits VPN connection information (user ID, password, etc.) to the VPN authentication server 900 via the WiFi router R and the fixed network access router SR or only the fixed network access router SR (step S91). Further, the VPN authentication server 900 notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge (step S92).
  • the connected terminal number management device 600 counts, adds to, and updates the number of connected terminals that connect to the target VPN via the corresponding overlay tunnel route transfer device 300, based on the connection destination VPN ID and the anchor GW ID in charge notified by the VPN authentication server 900 (step S93). Subsequently, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 uses "heartbeat", "ping", etc. to confirm the terminal survival (step S94).
  • the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 determines that there is no longer a response from the terminal device 100 (Yes in step S95). In that case, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 notifies the connected terminal number management device 600 of the connection destination VPN ID and the assigned anchor GW ID (step S96). Then, the counting unit 631 of the connected terminal number management device 600 counts, subtracts from, and updates the number of connected terminals connected to the target VPN, based on the connection destination VPN ID and the anchor GW ID in charge notified by the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 (step S97).
  • the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 determines that there is a response from the terminal device 100, and the process continues (No in step S95).
  • the communication control system 1 has the following effects.
  • the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 performs terminal survival confirmation on the terminal device 100, and subtracts the number of connected terminals based on the response result from the terminal device 100. Thereby, the communication control system 1 can count the number of connected terminals even in the case of a connection via an IP network where the number of connected terminals cannot be counted using the method described in Embodiment 1. This provides the effect of enabling dynamic control of the tunnel route transfer device 300.
  • each component of each device shown in the drawings is functionally conceptual, and does not necessarily need to be physically configured as shown in the drawings.
  • the specific form of distributing and integrating each device is not limited to what is shown in the diagram, and all or part of the devices can be functionally or physically distributed or integrated in arbitrary units depending on various loads and usage conditions.
  • all or any part of each processing function performed by each device can be realized by a CPU and a program that is analyzed and executed by the CPU, or can be realized as hardware using wired logic.
  • various devices constituting the communication control system 1 can be implemented by installing a display program that executes the above-described learning into a desired computer as package software or online software. For example, by causing an information processing device to execute the above display program, it can be made to function as various devices constituting the communication control system 1.
  • the information processing device referred to here includes a desktop or notebook personal computer.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones, and PHSs (Personal Handyphone Systems), as well as slate terminals such as PDAs (Personal Digital Assistants).
  • FIG. 37 is a diagram showing an example of a computer on which various devices constituting the communication control system 1 are implemented.
  • Computer 1000 includes, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
  • the ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090.
  • Disk drive interface 1040 is connected to disk drive 1100.
  • Serial port interface 1050 is connected to, for example, mouse 1110 and keyboard 1120.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the various devices constituting the communication control system 1 is implemented as a program module 1093 in which code executable by a computer is written. Program module 1093 is stored in hard disk drive 1090, for example. For example, a program module 1093 for executing processing similar to the functional configuration of various devices making up the communication control system 1 is stored in the hard disk drive 1090. Note that the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the setting data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary, and executes the processing of the embodiment described above.
  • program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like.
  • program module 1093 and program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.).
  • Program module 1093 and program data 1094 may then be read by CPU 1020 from another computer via network interface 1070.
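The mobile gateway 800 procedure of Embodiment 2 (registration in steps S53 to S58, then lookup and forwarding in steps S59 to S61) can be sketched as follows. This is an added example, not code from the patent: the class and function names, the sample credentials and addresses, the per-VPN destination prefix, and the check that a terminal only reaches the VPN it authenticated for are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (not from the patent).
# Stand-in for the VPN authentication server 900: credentials -> connection destination VPN ID.
AUTH_DB = {("alice", "pw-a"): "vpn-A", ("bob", "pw-b"): "vpn-B"}
# Stand-in for the transfer information management device 700, reached via device 400:
# VPN ID -> (VPN connection address, destination prefix served by that VPN; the prefix is an assumption).
VPN_DIRECTORY = {
    "vpn-A": ("198.51.100.10", "10.1.0.0/16"),
    "vpn-B": ("198.51.100.20", "10.2.0.0/16"),
}


class MobileGateway:
    """Hypothetical model of the setting unit 833 and session establishment unit 834."""

    def __init__(self):
        self.terminal_vpn = {}  # terminal -> connection destination VPN ID it authenticated for
        self.vpn_table = {}     # destination network -> (VPN ID, VPN connection address)
        self.sessions = {}      # (terminal, VPN ID) -> D-plane session record

    def register(self, terminal, user_id, password):
        """Steps S53 to S58: authenticate, fetch the VPN connection address, map it."""
        vpn_id = AUTH_DB.get((user_id, password))      # S53/S54: authentication response
        if vpn_id is None:
            return None                                # failed authentication: nothing is mapped
        address, prefix = VPN_DIRECTORY[vpn_id]        # S55 to S57: address relayed to the gateway
        self.vpn_table[ipaddress.ip_network(prefix)] = (vpn_id, address)  # S58: map and set
        self.terminal_vpn[terminal] = vpn_id
        return vpn_id

    def forward(self, terminal, dst_ip):
        """Steps S60/S61: derive the VPN from the destination IP, then open or reuse a session."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [(net, entry) for net, entry in self.vpn_table.items() if dst in net]
        if not matches:
            return ("drop", "no VPN mapped for destination")
        # Longest prefix wins if mapped prefixes overlap.
        _, (vpn_id, address) = max(matches, key=lambda m: m[0].prefixlen)
        # Assumed isolation check: the destination must belong to the terminal's own VPN.
        if self.terminal_vpn.get(terminal) != vpn_id:
            return ("drop", "terminal not authenticated for " + vpn_id)
        session = self.sessions.setdefault(
            (terminal, vpn_id), {"vpn_connection_address": address, "packets": 0})
        session["packets"] += 1
        return ("forward", vpn_id, address)


if __name__ == "__main__":
    gw = MobileGateway()
    gw.register("ue-1", "alice", "pw-a")
    gw.register("ue-3", "bob", "pw-b")
    for terminal, dst in [("ue-1", "10.1.2.3"), ("ue-1", "10.2.0.5"), ("ue-3", "192.0.2.1")]:
        print(terminal, dst, gw.forward(terminal, dst))
```
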

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This communication control system (1) comprises a connection terminal number management device (600) which constructs and removes an overlay tunnel path which is for data transmission and is used by terminal devices (100) which belong to a connection network, in order to be connected to a dedicated network for each contract organization. In addition, the connection terminal number management device (600): uses contract information, which is information for identifying the dedicated network for each contract organization, and anchor GW identification information which is information for identifying an overlay tunnel path transmission device (300) that belongs to an area to which the terminal devices (100) are connected, to count the number of connection terminals, which is the number of the terminal devices (100) that access the dedicated network for each contract organization; and performs, on the basis of prescribed conditions, start and stop of a VPN gateway (200), setting for connecting the VPN gateway (200) and the overlay tunnel path transmission device (300) to the dedicated network for each contract organization, and removal of the setting.

Description

Communication control system, communication control method, and communication control program
 The present invention relates to a communication control system, a communication control method, and a communication control program.
 There are cases where mobile service providers provide cloud services to individual organizations and companies. For example, a mobile service provider builds a virtual private cloud for each company within its own cloud computing, and further provides a means of accessing the virtual private cloud using communication devices for accessing the mobile services provided by the mobile service provider. As a means of accessing the above-mentioned virtual private cloud, a method is known in which an overlay tunnel is set up between a virtual private cloud access gateway and a virtual private cloud, and between a virtual private cloud access gateway and a terminal device. The former is a method that uses tunneling protocols such as GRE (Generic Routing Encapsulation) and MPLS (Multi-Protocol Label Switching).
 On the other hand, the latter is a method that combines a PDU (Protocol Data Unit)/PDN (Packet Data Network) session in a mobile network and the above-mentioned tunneling protocol (see, for example, Non-Patent Document 1). Based on the technology described above, the gateway process analyzes the arriving packet data and, if the included destination belongs to the target virtual private cloud, forwards the packet to the overlay tunnel that is set up towards the target virtual private cloud.
 Note that when the gateway process is implemented as software, the process that executes the gateway processing may be run on a general-purpose server. In that case, if the general-purpose server is stopped or the operation of the aforementioned gateway process is stopped, data cannot be transferred to the corresponding virtual private cloud. Therefore, the general-purpose server has to keep the gateway process running while there is a virtual private cloud service user (hereinafter referred to as "user"), which could result in increased power consumption. Accordingly, in the conventional technology, a method has been adopted in which virtual machines are consolidated onto specific servers, and the power required for operating the virtual machines is reduced by improving the servers' CPU utilization rate and reducing the number of operating servers (see, for example, Non-Patent Document 2).
 In the method described above, if there are few or no users accessing the VPN via the VPN gateway, the amount of resources used by the gateway process decreases, and as a result, the virtual machines and containers implementing the gateway can be operated on a smaller number of servers. Therefore, as described above, power consumption can be reduced by reducing the number of servers serving as the platform.
 However, in the conventional technology, it was in some cases not possible to count the number of communicable users existing in the network and dynamically start and stop the gateway process based on the presence or absence of users.
 Specifically, because the current mobile network specifications provide no method for counting the number of users in the mobile network for each service, the number of users could not be counted, and the gateway process could not be started and stopped dynamically based on the presence or absence of users. Therefore, even if no user of the virtual private cloud exists within the mobile network, it is necessary to continue operating the general-purpose server on which the gateway process operates, which may pose a problem.
 In order to solve the above problems and achieve the object, the communication control system of the present invention is a communication control system having a connected terminal number management device that constructs and deletes an overlay tunnel path for data transfer used by a terminal device belonging to a connection network to connect to a dedicated network for each contracted organization, wherein the connected terminal number management device includes: a counting unit that counts the number of connected terminals, which is the number of the terminal devices accessing the dedicated network for each contracted organization, using contract information, which is information that identifies the dedicated network for each contracted organization, and anchor GW identification information, which is information that identifies the overlay tunnel route transfer device belonging to the area to which the terminal device connects; a setting unit that, when the number of connected terminals goes from 0 to 1 or more, starts a VPN gateway, configures the VPN gateway and the overlay tunnel route transfer device for connection to the dedicated network for each contracted organization, and constructs the overlay tunnel path for data transfer; and a deletion unit that, when the number of connected terminals goes from 1 or more to 0, deletes the settings of the VPN gateway and the overlay tunnel route transfer device, stops the VPN gateway, and deletes the overlay tunnel path for data transfer.
 The present invention has the advantage of being able to count the number of communicable users existing in the network and dynamically start and stop gateway processes based on the presence or absence of users.
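The counting, setting and deletion units described above, combined with the connect notification and the terminal survival confirmation of Embodiment 2-1 (steps S92 to S97), can be sketched as follows. This is an added example, not code from the patent: all class and method names are hypothetical, and tracking terminals by an identifier (rather than a bare counter) is an assumption made so that a repeated notification cannot push the count below zero or stop a gateway that is still in use.

```python
from collections import defaultdict


class GatewayController:
    """Hypothetical stand-in for the control interface of VPN gateway 200 and transfer device 300."""

    def __init__(self):
        self.running = set()  # (VPN ID, anchor GW ID) pairs with a started, configured gateway
        self.log = []         # ordered record of start/stop actions

    def start_and_configure(self, key):
        # Setting unit: start the gateway, apply settings, build the tunnel path.
        self.running.add(key)
        self.log.append(("start", key))

    def deconfigure_and_stop(self, key):
        # Deletion unit: remove settings, stop the gateway, delete the tunnel path.
        self.running.discard(key)
        self.log.append(("stop", key))


class ConnectedTerminalCounter:
    """Counting unit keyed by (connection destination VPN ID, anchor GW ID)."""

    def __init__(self, controller):
        self.controller = controller
        self.terminals = defaultdict(set)  # key -> set of terminal identifiers (assumption)

    def on_connect(self, vpn_id, anchor_gw_id, terminal_id):
        """Notification after VPN authentication (S92/S93). Returns the new count."""
        key = (vpn_id, anchor_gw_id)
        members = self.terminals[key]
        was_empty = not members
        members.add(terminal_id)           # a duplicate notification changes nothing
        if was_empty:                      # 0 -> 1 or more
            self.controller.start_and_configure(key)
        return len(members)

    def on_no_response(self, vpn_id, anchor_gw_id, terminal_id):
        """Notification from the survival check (S96/S97). Returns the new count."""
        key = (vpn_id, anchor_gw_id)
        members = self.terminals.get(key)
        if not members:
            return 0                       # nothing counted: ignore, never go negative
        if terminal_id not in members:
            return len(members)            # already subtracted or never counted
        members.remove(terminal_id)
        if not members:                    # 1 or more -> 0
            del self.terminals[key]
            self.controller.deconfigure_and_stop(key)
            return 0
        return len(members)

    def sweep(self, probe):
        """S94/S95: probe every counted terminal; subtract those that do not answer."""
        dropped = []
        for (vpn_id, gw_id), members in list(self.terminals.items()):
            for terminal_id in sorted(members):
                if not probe(terminal_id):
                    self.on_no_response(vpn_id, gw_id, terminal_id)
                    dropped.append(terminal_id)
        return dropped


if __name__ == "__main__":
    ctl = GatewayController()
    counter = ConnectedTerminalCounter(ctl)
    counter.on_connect("vpn-A", "gw-1", "ue-1")   # constructed identifiers
    counter.on_connect("vpn-A", "gw-1", "ue-2")
    print(counter.sweep(lambda t: False), ctl.log)
```
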
FIG. 1 is a diagram illustrating an example of an overview of a communication control method of a communication control system according to the first embodiment.
FIG. 2 is a diagram illustrating an example of the operation of the gateway according to the first embodiment.
FIG. 3 is a diagram illustrating an example of the device configuration of the terminal device according to the first embodiment.
FIG. 4 is a diagram showing an example of the device configuration of the VPN gateway according to the first embodiment.
FIG. 5 is a table diagram showing an example of information stored in the transfer destination storage unit of the VPN gateway according to the first embodiment.
FIG. 6 is a diagram illustrating an example of the device configuration of the overlay tunnel route transfer device according to the first embodiment.
FIG. 7 is a table diagram showing an example of table form 1 stored in the transfer destination storage unit of the overlay tunnel route transfer device according to the first embodiment.
FIG. 8 is a table diagram showing an example of table form 2 stored in the transfer destination storage unit of the overlay tunnel route transfer device according to the first embodiment.
FIG. 9 is a diagram illustrating an example of the device configuration of the terminal location information management device according to the first embodiment.
FIG. 10 is a table diagram showing an example of information stored in the terminal device connection destination VPN storage unit of the terminal location information management device according to the first embodiment.
FIG. 11 is a table diagram showing an example of information stored in the anchor GW storage unit of the terminal location information management device according to the first embodiment.
FIG. 12 is a diagram showing an example of the device configuration of the contract information management device according to the first embodiment.
FIG. 13 is a table diagram showing an example of information stored in the contract information storage unit of the contract information management device according to the first embodiment.
FIG. 14 is a diagram illustrating an example of the device configuration of the connected terminal number management device according to the first embodiment.
FIG. 15 is a table diagram showing an example of information stored in the connected terminal number storage unit of the connected terminal number management device according to the first embodiment.
FIG. 16 is a diagram illustrating an example of the device configuration of the transfer information management device according to the first embodiment.
FIG. 17 is a table diagram showing an example of a connected terminal number management device reply table stored in the address storage unit of the transfer information management device according to the first embodiment.
FIG. 18 is a table diagram showing an example of a terminal device reply table stored in the address storage unit of the transfer information management device according to the first embodiment.
FIG. 19 is a diagram illustrating an example of a flowchart of the communication control method according to the first embodiment.
FIG. 20 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to Embodiment 1'.
FIG. 21 is a diagram illustrating an example of the device configuration of the connected terminal number management device according to Embodiment 1'.
FIG. 22 is a diagram illustrating an example of a flowchart of the communication control method according to Embodiment 1'.
FIG. 23 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to Embodiment 1''.
FIG. 24 is a diagram illustrating an example of a flowchart of the communication control method according to Embodiment 1''.
FIG. 25 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to the second embodiment.
FIG. 26 is a diagram illustrating an example of an overview of the operation of the communication control system according to the second embodiment.
FIG. 27 is a diagram illustrating an example of an overview of establishing an encrypted path according to the second embodiment.
FIG. 28 is a diagram illustrating an example of the device configuration of a mobile gateway according to the second embodiment.
FIG. 29 is a table diagram showing an example of information stored in the VPN search table storage unit of the mobile gateway according to the second embodiment.
FIG. 30 is a diagram illustrating an example of a flowchart of the communication control method (pattern 1) according to the second embodiment.
FIG. 31 is a diagram illustrating an example of a flowchart of the communication control method (pattern 2) according to the second embodiment.
FIG. 32 is a diagram illustrating an example of an outline of a communication control method of the communication control system according to Embodiment 2-1.
FIG. 33 is a diagram showing an example of a block diagram of various devices forming the communication control system according to Embodiment 2-1.
FIG. 34 is a diagram illustrating an example of an overview of the operation of the communication control system according to Embodiment 2-1.
FIG. 35 is a diagram illustrating an example of a device configuration of an overlay tunnel route transfer device for an IP network according to Embodiment 2-1.
FIG. 36 is a diagram illustrating an example of a flowchart of the communication control method according to Embodiment 2-1.
FIG. 37 is a diagram illustrating an example of a computer on which various devices of the communication control system according to each embodiment are implemented.
 以下、図面を参照しながら、本発明を実施するための形態(以降、「実施形態」)について説明する。なお、各実施形態は、以下に記載する内容に限定されない。 Hereinafter, modes for carrying out the present invention (hereinafter referred to as "embodiments") will be described with reference to the drawings. Note that each embodiment is not limited to the content described below.
[1. Overview of communication control system]
The communication control system 1 in each embodiment constructs and deletes the overlay tunnel path for data transfer that a terminal device 100 belonging to a connection network uses to connect to a dedicated network for each contract organization (for example, a virtual private cloud; hereinafter simply referred to as "dedicated network").
An overview of the communication control system 1 in this embodiment will be explained in the following items. First, the counting unit 631 of the connected terminal number management device 600 included in the communication control system 1 counts the number of connected terminals, which is the number of terminal devices 100 that access the dedicated network, using contract information (hereinafter referred to as "connection destination VPN ID"), which is information that identifies the dedicated network, and anchor GW identification information (hereinafter referred to as "anchor GW ID in charge"), which is information that identifies the overlay tunnel route transfer device 300 belonging to the area to which the terminal device 100 connects.
Subsequently, the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 0 to 1 or more. In that case, the setting unit 634 of the connected terminal number management device 600 starts the VPN (Virtual Private Network) gateway 200, sets the address for connecting to the dedicated network (hereinafter referred to as "VPN connection address") in the VPN gateway 200 and the overlay tunnel route transfer device 300, and constructs the overlay tunnel path for data transfer.
Thereafter, the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 1 or more to 0. In that case, the deletion unit 635 of the connected terminal number management device 600 deletes the VPN connection address settings of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the overlay tunnel path for data transfer.
[2. Embodiment 1: Starting and stopping the VPN gateway according to the number of connected terminals]
From here, as Embodiment 1, "starting and stopping the VPN gateway according to the number of connected terminals" realized by the communication control system 1 will be explained. First, an overview will be given using FIG. 1.
FIG. 1 is a schematic diagram showing a situation in which a terminal device 100 connected to an arbitrary area connects to a dedicated network. First, the terminal device 100 transmits to the terminal location information management device 400 terminal device information (hereinafter referred to as "terminal ID"), which is information that identifies the terminal device 100, the connection destination VPN ID, and a registration request for registering this information in the terminal location information management device 400 (see (1) in FIG. 1).
Here, if the terminal device 100 holds the connection destination VPN ID, the registration unit 433 of the terminal location information management device 400 registers the terminal ID and connection destination VPN ID received from the terminal device 100. On the other hand, if the terminal device 100 does not hold the connection destination VPN ID, the registration unit 433 of the terminal location information management device 400 acquires the connection destination VPN ID identified by the terminal ID from the contract information management device 500 and registers it (see (2) in FIG. 1). Then, the terminal location information management device 400 establishes a D-plane session based on the connection request, which is a D-plane session establishment request, transmitted by the terminal device 100 (see (3) in FIG. 1).
Next, the transmission unit 434 of the terminal location information management device 400 transmits the anchor GW ID in charge and the connection destination VPN ID to the connected terminal number management device 600 (see (4) in FIG. 1). Then, based on the received anchor GW ID in charge and connection destination VPN ID, the counting unit 631 of the connected terminal number management device 600 counts and updates the number of connected terminals, which is the number of connections to the overlay tunnel route transfer device 300 belonging to the area to which the terminal device 100 connects.
Subsequently, based on the determination by the determination unit 632 of the connected terminal number management device 600 that the number of connected terminals has been updated from 0 to 1 or more, the acquisition unit 633 of the connected terminal number management device 600 transmits the connection destination VPN ID to the transfer information management device 700 and acquires the VPN connection address corresponding to the dedicated network (see (5) in FIG. 1). Then, the setting unit 634 of the connected terminal number management device 600 starts the VPN gateway 200, sets the acquired VPN connection address in the VPN gateway 200 and the overlay tunnel route transfer device 300, and constructs the overlay tunnel path for data transfer (see (6) in FIG. 1). Subsequently, the terminal device 100 connects to the dedicated network using the overlay tunnel path for data transfer constructed by the communication control system 1 (see (7) in FIG. 1).
Thereafter, based on the determination by the determination unit 632 of the connected terminal number management device 600 that the number of connected terminals has been updated from 1 or more to 0, the deletion unit 635 of the connected terminal number management device 600 deletes the settings of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the overlay tunnel path for data transfer (see (8) in FIG. 1).
From here, the configuration of the VPN according to Embodiment 1 will be supplementarily explained. The VPN according to Embodiment 1 is configured with an MEC (Multi Access Edge Cloud) and an overlay tunnel path for data transfer. Within the MEC, there are front-end servers (for example, "front-end server 10" in FIG. 1) that receive data requests from users and return results from the system to the users, each holding its own connection address (the above-mentioned VPN connection address). On the other hand, the terminal device 100 is given a VPN terminal address by the transfer information management device 700.
Next, using FIG. 2, a description will be given of the mechanism by which the VPN gateway 200 and the overlay tunnel route transfer device 300 distribute traffic to the destination overlay tunnel path for data transfer based on the VPN connection address. FIG. 2 shows a terminal device 100 with "destination: 10A", a terminal device 101 with "destination: 10C", and a terminal device 102 with "destination: 10B".
Here, the VPN gateway 200 and the overlay tunnel route transfer device 300 analyze the packet header transmitted by each terminal device and distribute the packet to the overlay tunnel path for data transfer according to the destination. Specifically, the VPN gateway 200 and the overlay tunnel route transfer device 300 distribute the communication of the terminal device 100 and the communication of the terminal device 102 to the overlay tunnel path X for data transfer, and distribute the communication of the terminal device 101 to the overlay tunnel path Y for data transfer.
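The lifecycle of steps (4) to (8) in FIG. 1 and the destination-based distribution of FIG. 2 can be modelled as follows; this Python sketch is an example added here and is not code from the patent. The class and method names, the identifiers "ue-*", "gw-1" and "vpn-*", and the tunnel naming are assumptions, the destinations 10A to 10C follow FIG. 2, and keeping a set of terminal IDs per (anchor GW ID, VPN ID) instead of a bare counter is also an assumption of this example, made so that a repeated connect or a disconnect from an unregistered terminal cannot cause a spurious gateway start or stop.

```python
from collections import defaultdict


class ConnectedTerminalManager:
    """Sketch of the connected terminal number management device 600.

    connect()/disconnect() play the counting unit 631 and determination unit 632;
    _build_tunnel()/_delete_tunnel() play the setting unit 634 and deletion unit 635.
    """

    def __init__(self, contract_table, vpn_addresses):
        self.contract_table = contract_table  # terminal ID -> connection destination VPN ID
        self.vpn_addresses = vpn_addresses    # VPN ID -> VPN connection addresses
        self.terminals = defaultdict(set)     # (anchor GW ID, VPN ID) -> connected terminal IDs
        self.forwarding = {}                  # (anchor GW ID, address) -> transfer destination tunnel
        self.events = []                      # gateway start/stop history

    def _resolve_vpn_id(self, terminal_id, vpn_id):
        # A terminal that holds no VPN ID is looked up in the contract management table.
        if vpn_id is None:
            if terminal_id not in self.contract_table:
                raise LookupError(f"no contract information for terminal {terminal_id!r}")
            vpn_id = self.contract_table[terminal_id]
        if vpn_id not in self.vpn_addresses:
            raise LookupError(f"no VPN connection address for {vpn_id!r}")
        return vpn_id

    def connect(self, terminal_id, anchor_gw_id, vpn_id=None):
        """Register a terminal; build the tunnel on the 0 -> 1 transition."""
        vpn_id = self._resolve_vpn_id(terminal_id, vpn_id)
        key = (anchor_gw_id, vpn_id)
        was_empty = not self.terminals[key]
        self.terminals[key].add(terminal_id)  # a repeated connect does not inflate the count
        if was_empty:
            self._build_tunnel(key)
        return len(self.terminals[key])

    def disconnect(self, terminal_id, anchor_gw_id, vpn_id=None):
        """Remove a terminal; delete the tunnel on the 1 -> 0 transition."""
        vpn_id = self._resolve_vpn_id(terminal_id, vpn_id)
        key = (anchor_gw_id, vpn_id)
        connected = self.terminals.get(key)
        if not connected or terminal_id not in connected:
            return len(connected or ())       # not registered: count unchanged, no teardown
        connected.remove(terminal_id)
        if not connected:
            self._delete_tunnel(key)
            del self.terminals[key]
        return len(connected)

    def _build_tunnel(self, key):
        anchor_gw_id, vpn_id = key
        tunnel = f"tunnel:{anchor_gw_id}:{vpn_id}"  # assumed naming
        self.events.append(("start", anchor_gw_id, vpn_id))
        for address in self.vpn_addresses[vpn_id]:
            self.forwarding[(anchor_gw_id, address)] = tunnel

    def _delete_tunnel(self, key):
        anchor_gw_id, vpn_id = key
        for address in self.vpn_addresses[vpn_id]:
            self.forwarding.pop((anchor_gw_id, address), None)
        self.events.append(("stop", anchor_gw_id, vpn_id))

    def route(self, anchor_gw_id, destination):
        """Return the tunnel for a packet destination, or None when no tunnel is set."""
        return self.forwarding.get((anchor_gw_id, destination))


if __name__ == "__main__":
    mgr = ConnectedTerminalManager(
        {"ue-100": "vpn-X", "ue-101": "vpn-Y", "ue-102": "vpn-X"},  # constructed sample
        {"vpn-X": ["10A", "10B"], "vpn-Y": ["10C"]},                # destinations as in FIG. 2
    )
    mgr.connect("ue-100", "gw-1")
    mgr.connect("ue-101", "gw-1")
    print(mgr.route("gw-1", "10A"), mgr.route("gw-1", "10C"))
    mgr.disconnect("ue-100", "gw-1")
    print(mgr.route("gw-1", "10A"), mgr.events)
```

After the last terminal of a VPN disconnects, `route()` returns `None` for that VPN's addresses, which is the state in which the gateway is stopped and no forwarding entry toward the dedicated network remains.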
[2-1. Communication control system configuration]
From here, the configuration of the communication control system 1 in Embodiment 1 will be explained using FIGS. 3 to 18. The communication control system 1 in Embodiment 1 has a device configuration including a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700. The following items provide detailed explanations of the functional units of each device. Note that in the following description, descriptions of functional units (communication unit, storage unit, control unit, etc.) having similar functions in each device will be omitted as appropriate.
(Terminal device 100)
First, the configuration of the terminal device 100 will be explained using FIG. 3. As shown in FIG. 3, the terminal device 100 includes a communication unit 110, a storage unit 120, and a control unit 130. Although not shown, the terminal device 100 may include an input unit (for example, a keyboard, a mouse, etc.) that accepts various operations, and a display unit (for example, a display) for displaying various information. Further, the terminal device 100 may be a desktop personal computer, a notebook PC, a smartphone, a tablet, a PDA (Personal Digital Assistant), or the like. Next, detailed functions of each unit will be described below.
(Communication unit 110)
The communication unit 110 is realized by a NIC (Network Interface Card) or the like, and controls communication via a telecommunication line such as a LAN (Local Area Network) or the Internet. The communication unit 110 is connected to a network by wire or wirelessly as necessary, and can transmit and receive information in both directions.
(Storage unit 120)
The storage unit 120 stores data and programs necessary for various processing by the control unit 130. The storage unit 120 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.
(Control unit 130)
The control unit 130 includes an address management unit 131 and a communication session management unit 132. The control unit 130 has an internal memory for temporarily storing programs that define various processing procedures and processing data, and is realized by an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit), or by an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).
(Address management unit 131)
The address management unit 131 receives the VPN terminal address given to the terminal device 100 and stores it in the storage unit 120.
(Communication session management unit 132)
The communication session management unit 132 requests the terminal location information management device 400 to establish C-plane and D-plane sessions when the terminal device 100 establishes a network connection. Furthermore, when making the above-mentioned session establishment request, the communication session management unit 132 transmits the terminal ID and, if the terminal device 100 holds it, the connection destination VPN ID to the terminal location information management device 400.
(VPN gateway 200)
Next, the configuration of the VPN gateway 200 will be explained using FIG. 4. As shown in FIG. 4, the VPN gateway 200 includes a communication unit 210, a storage unit 220, and a control unit 230. Note that the functions of the communication unit 210 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted. In addition, the VPN gateway 200 controlled by the communication control system 1 may be a virtual gateway (vGW) implemented in software.
(Storage unit 220)
The storage unit 220 stores data and programs necessary for various processing by the control unit 230. The storage unit 220 includes a transfer destination storage unit 221.
(Transfer destination storage unit 221)
The transfer destination storage unit 221 stores information regarding the transfer destination as a forwarding table. Specifically, the transfer destination storage unit 221 stores the items "address" and "transfer destination tunnel" as shown in FIG. 5. Note that the items stored by the transfer destination storage unit 221 are not limited to the above-mentioned items, and it may store other items. Furthermore, the input information for each item shown in FIG. 5 is just an example and is not limited to the information described.
(Control unit 230)
The control unit 230 includes a packet header analysis unit 231 and a transfer processing unit 232.
(Packet header analysis unit 231)
The packet header analysis unit 231 analyzes the packet header transmitted when the terminal device 100 performs communication, and extracts destination information (for example, an IP address).
(Transfer processing unit 232)
The transfer processing unit 232 distributes traffic to the target overlay tunnel path for data transfer based on the above-mentioned destination information.
(Overlay tunnel route transfer device 300)
Next, the configuration of the overlay tunnel route transfer device 300 will be described using FIG. 6. As shown in FIG. 6, the overlay tunnel route transfer device 300 includes a communication unit 310, a storage unit 320, and a control unit 330. Note that the functions of the communication unit 310 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted.
(Storage unit 320)
The storage unit 320 stores data and programs necessary for various processing by the control unit 330. The storage unit 320 includes a transfer destination storage unit 321.
(Transfer destination storage unit 321)
The transfer destination storage unit 321 stores information regarding the transfer destination as a forwarding table. Specifically, as table form 1, which relates to the mapping between the destination information (for example, an IP address) contained in the analyzed packet header transmitted from the terminal device 100 and the overlay tunnel path for data transfer of the VPN gateway 200, the transfer destination storage unit 321 stores the items "address" and "transfer destination tunnel" as shown in FIG. 7. Further, as table form 2, which relates to the mapping between a tunnel in the mobile network and the overlay tunnel path for data transfer to the VPN gateway 200, the transfer destination storage unit 321 stores the items "mobile NW tunnel" and "transfer destination tunnel to VPN gateway" as shown in FIG. 8.
Note that the items of table form 1 and table form 2 stored by the transfer destination storage unit 321 are not limited to the above-mentioned items, and it may store other items. Furthermore, the input information for each item shown in FIGS. 7 and 8 is merely an example, and is not limited to the information described.
(Control unit 330)
From here, we return to FIG. 6 and continue the explanation. The control unit 330 includes a packet header analysis unit 331 and a transfer processing unit 332.
(Packet header analysis unit 331)
The packet header analysis unit 331 analyzes the packet header transmitted when the terminal device 100 performs communication, and extracts destination information (for example, an IP address).
(Transfer processing unit 332)
The transfer processing unit 332 distributes traffic to the target overlay tunnel path for data transfer based on the above-mentioned destination information.
(Terminal location information management device 400)
Next, the configuration of the terminal location information management device 400 will be explained using FIG. 9. As shown in FIG. 9, the terminal location information management device 400 includes a communication unit 410, a storage unit 420, and a control unit 430. Note that the functions of the communication unit 410 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted. In addition, the terminal location information management device 400 may utilize an MME (Mobility Management Entity) and an AMF (Access and Mobility management Function).
(Storage unit 420)
The storage unit 420 stores data and programs necessary for various processing by the control unit 430. The storage unit 420 includes a terminal device connection destination VPN storage unit 421 and an anchor GW storage unit 422.
(Terminal device connection destination VPN storage unit 421)
The terminal device connection destination VPN storage unit 421 stores a terminal device-connection destination VPN management table as information regarding the overlay tunnel path for data transfer connecting to the dedicated network. Specifically, the terminal device connection destination VPN storage unit 421 stores the items "terminal ID" and "connection destination VPN ID" as the terminal device-connection destination VPN management table, as shown in FIG. 10. Note that the information stored by the terminal device connection destination VPN storage unit 421 is not limited to the above-mentioned items, and it may store other items. Furthermore, the input information for each item shown in FIG. 10 is just an example, and is not limited to the information described.
(Anchor GW storage unit 422)
The anchor GW storage unit 422 stores a location management table as information for identifying the overlay tunnel route transfer device 300 belonging to the area to which the terminal device 100 connects. Specifically, the anchor GW storage unit 422 stores the items "terminal ID" and "anchor GW ID in charge" as the location management table, as shown in FIG. 11. Note that the information stored by the anchor GW storage unit 422 is not limited to the above-mentioned items, and it may store other items. Furthermore, the input information for each item shown in FIG. 11 is just an example and is not limited to the information described.
(Control unit 430)
From here, we return to FIG. 9 and continue the explanation. The control unit 430 includes a reception unit 431, a notification unit 432, a registration unit 433, and a transmission unit 434.
(Reception unit 431)
When the reception unit 431 determines that the terminal device 100 holds the connection destination VPN ID, it receives from the terminal device 100 the terminal device information (terminal ID), which is information for identifying the terminal device 100, and the contract information (connection destination VPN ID). On the other hand, when the reception unit 431 determines that the terminal device 100 does not hold the connection destination VPN ID, it receives from the terminal device 100 the terminal device information (terminal ID), which is information that identifies the terminal device 100, and a registration request, which is a request to register the terminal device information (terminal ID) and the contract information (connection destination VPN ID) in the terminal location information management device 400.
Further, the reception unit 431 receives from the terminal device 100 a connection request, which is a request for connection from the mobile network to the data network. Note that the reception unit 431 is not limited to the above-mentioned information, and may accept other information as necessary.
(Notification unit 432)
The notification unit 432 notifies the contract information management device 500 of the terminal ID when the terminal device 100 does not hold the connection destination VPN ID. Note that the notification unit 432 is not limited to the above-mentioned information, and may notify other information as necessary.
(Registration unit 433)
If the terminal device 100 holds a connection destination VPN ID, the registration unit 433 registers the terminal device information (terminal ID) and contract information (connection destination VPN ID) received from the terminal device 100. On the other hand, if the terminal device 100 does not hold contract information, the registration unit 433 registers, based on the registration request, the terminal ID received from the terminal device 100 and the contract information (connection destination VPN ID) acquired from the contract information management device 500 using the terminal device information (terminal ID).
In other words, the registration unit 433 registers the terminal ID transmitted by the terminal device 100 and the connection destination VPN ID transmitted by the transmission unit 532 of the contract information management device 500, which will be described later. Note that the registration unit 433 is not limited to the above-mentioned information, and may accept other information as necessary.
(Transmission unit 434)
The transmission unit 434 transmits the contract information (connection destination VPN ID) and the anchor GW identification information (anchor GW ID in charge) to the connected terminal number management device 600 based on the connection request. Note that the transmission unit 434 is not limited to the above-mentioned information, and may transmit other information as necessary.
(契約情報管理装置500)
 次に、契約情報管理装置500の構成について、図12を用いて説明する。図12に示すように、契約情報管理装置500は、通信部510と、記憶部520と、制御部530と、を有する。なお、通信部510の機能は、端末装置100の通信部110で説明した機能と同様であるため省略する。加えて、契約情報管理装置500は、HSS(Home Subscriber Server)およびUDM(Unified Data Management)と連動してよい。
(Contract information management device 500)
Next, the configuration of the contract information management device 500 will be described using FIG. 12. As shown in FIG. 12, the contract information management device 500 includes a communication section 510, a storage section 520, and a control section 530. Note that the functions of the communication unit 510 are the same as those described for the communication unit 110 of the terminal device 100, so a description thereof will be omitted. In addition, the contract information management device 500 may work in conjunction with an HSS (Home Subscriber Server) and a UDM (Unified Data Management).
(Storage unit 520)
The storage unit 520 stores the data and programs necessary for the various processes performed by the control unit 530. The storage unit 520 includes a contract information storage unit 521.
(Contract information storage unit 521)
The contract information storage unit 521 stores a contract management table that includes connection destination VPN IDs as contract information. Specifically, as shown in FIG. 13, the contract information storage unit 521 stores the items "terminal ID" and "connection destination VPN ID" as the contract management table. The information stored in the contract information storage unit 521 is not limited to these items, and other items may be stored. The values entered for each item in FIG. 13 are only an example, and the information is not limited to what is shown.
(Control unit 530)
The description now returns to FIG. 12. The control unit 530 includes a reception unit 531 and a transmission unit 532.
(Reception unit 531)
The reception unit 531 receives the terminal ID notified by the notification unit 432 of the terminal location information management device 400. The reception unit 531 is not limited to the information described above and may accept other information as necessary.
(Transmission unit 532)
The transmission unit 532 transmits the connection destination VPN ID corresponding to the terminal ID received by the reception unit 531 to the terminal location information management device 400. The transmission unit 532 is not limited to the information described above and may transmit other information as necessary.
(Connected terminal number management device 600)
Next, the configuration of the connected terminal number management device 600 will be described using FIG. 14. The connected terminal number management device 600 constructs and deletes the data-transfer overlay tunnel path that a terminal device 100 belonging to the connection network uses to connect to the dedicated network of each contract organization. As shown in FIG. 14, the connected terminal number management device 600 includes a communication unit 610, a storage unit 620, and a control unit 630. The functions of the communication unit 610 are the same as those described for the communication unit 110 of the terminal device 100, so their description is omitted.
(Storage unit 620)
The storage unit 620 stores the data and programs necessary for the various processes performed by the control unit 630. The storage unit 620 includes a connected terminal number storage unit 621.
(Connected terminal number storage unit 621)
The connected terminal number storage unit 621 stores a connected terminal number management table as the information used to count the number of connected terminals. Specifically, as shown in FIG. 15, the connected terminal number storage unit 621 stores the items "anchor GW ID in charge", "connection destination VPN ID", and "number of connected terminals" as the connected terminal number management table. The information stored in the connected terminal number storage unit 621 is not limited to these items, and other items may be stored. The values entered for each item in FIG. 15 are only an example, and the information is not limited to what is shown.
(Control unit 630)
The description now returns to FIG. 14. The control unit 630 includes a counting unit 631, a determination unit 632, an acquisition unit 633, a setting unit 634, and a deletion unit 635.
(Counting unit 631)
The counting unit 631 uses the contract information (connection destination VPN ID), which identifies the dedicated network of each contract organization, and the anchor GW identification information (anchor GW ID in charge), which identifies the overlay tunnel route transfer device 300 belonging to the area to which the terminal device 100 connects, to count the number of connected terminals, that is, the number of terminal devices 100 accessing the dedicated network of each contract organization, and updates the number of connected terminals. The counting unit 631 is not limited to the information described above and may perform counting using other information as necessary.
(Determination unit 632)
The determination unit 632 determines whether a predetermined condition is satisfied, based on the connected terminal number information counted and updated by the counting unit 631. For example, the determination unit 632 determines that the setting unit 634 is to perform processing when the number of connected terminals is updated from 0 to 1 or more, and determines that the deletion unit 635 is to perform processing when the number of connected terminals has been 0 for a predetermined time or longer, that is, when the number of connected terminals is updated from 1 or more to 0. The determination unit 632 may also determine that the deletion unit 635 is to perform processing when the number of connected terminals is updated from 1 or more to 0 and then remains 0 for a certain period of time or longer. Furthermore, the determination unit 632 is not limited to the determination conditions described above and may make determinations based on other conditions as necessary.
(Acquisition unit 633)
The acquisition unit 633 uses the contract information (connection destination VPN ID) to acquire, from the transfer information management device 700, the information (VPN connection address) needed to connect to the dedicated network of the contract organization that the terminal device 100 is to connect to. The acquisition unit 633 is not limited to the information described above and may acquire other information as necessary.
(Setting unit 634)
When the determination result of the determination unit 632 satisfies a predetermined condition, that is, when the number of connected terminals goes from 0 to 1 or more, the setting unit 634 starts the VPN gateway 200, configures the VPN gateway 200 and the overlay tunnel route transfer device 300 for connection to the dedicated network of the contract organization, and constructs the data-transfer overlay tunnel path. Specifically, when the determination unit 632 determines that the number of connected terminals has been updated from 0 to 1 or more, the setting unit 634 starts the VPN gateway 200, sets the VPN connection address on the VPN gateway 200 and the overlay tunnel route transfer device 300, and constructs the data-transfer overlay tunnel path. The setting unit 634 is not limited to the information described above and may use other information as necessary to configure any device.
(Deletion unit 635)
When the determination result of the determination unit 632 satisfies a predetermined condition, that is, when the number of connected terminals goes from 1 or more to 0, the deletion unit 635 deletes the settings of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the data-transfer overlay tunnel path. Specifically, when the determination unit 632 determines that the number of connected terminals has been updated from 1 or more to 0, the deletion unit 635 deletes the VPN connection address set on the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and releases the data-transfer overlay tunnel path. The deletion unit 635 is not limited to the information described above and may use other information as necessary to delete the settings of any device.
(Transfer information management device 700)
Next, the configuration of the transfer information management device 700 will be described using FIG. 16. As shown in FIG. 16, the transfer information management device 700 includes a communication unit 710, a storage unit 720, and a control unit 730. The functions of the communication unit 710 are the same as those described for the communication unit 110 of the terminal device 100, so their description is omitted.
(Storage unit 720)
The storage unit 720 stores the data and programs necessary for the various processes performed by the control unit 730. The storage unit 720 includes an address storage unit 721.
(Address storage unit 721)
The address storage unit 721 stores a table for replies to the connected terminal number management device and a table for replies to the terminal device as information about the VPN connection addresses used to connect to the dedicated networks. Specifically, as shown in FIG. 17, the address storage unit 721 stores the items "connection destination VPN ID" and "VPN connection address" as the table for replies to the connected terminal number management device.
As the table for replies to the terminal device, on the other hand, the address storage unit 721 stores the items "service connection URI (Uniform Resource Identifier)/URL (Uniform Resource Locator)" and "VPN terminal address", as shown in FIG. 18. The information stored in the address storage unit 721 is not limited to these items, and other items may be stored. The values entered for each item in FIGS. 17 and 18 are only an example, and the information is not limited to what is shown. Furthermore, the address storage unit 721 of the transfer information management device 700 may use DNS (Domain Name System) to provide the function of the terminal reply table.
(Control unit 730)
The description now returns to FIG. 16. The control unit 730 includes a reception unit 731 and a transmission unit 732.
(Reception unit 731)
The reception unit 731 receives the connection VPN ID transmitted by the acquisition unit 633 of the connected terminal number management device 600. The reception unit 731 is not limited to the information described above and may accept other information as necessary.
(Transmission unit 732)
Based on the connection VPN ID received by the reception unit 731, the transmission unit 732 transmits the corresponding VPN connection address to the connected terminal number management device 600 and the corresponding VPN terminal address to the terminal device 100. The transmission unit 732 is not limited to the information described above and may transmit other information as necessary.
[2-2. Procedure of the communication control method]
The communication control method performed by the communication control system 1 in Embodiment 1 will now be described using FIG. 19. First, the reception unit 431 of the terminal location information management device 400 receives a terminal ID and a request for registration to the C-plane of the mobile network from the terminal device 100 (step S11).
Next, the reception unit 431 of the terminal location information management device 400 determines that the terminal device 100 holds a connection destination VPN ID (Yes in step S12). In that case, the reception unit 431 of the terminal location information management device 400 receives the connection destination VPN ID from the terminal device 100 (step S13). The registration unit 433 of the terminal location information management device 400 then registers the terminal ID and the connection destination VPN ID corresponding to the terminal ID (step S16).
Alternatively, the reception unit 431 of the terminal location information management device 400 determines that the terminal device 100 does not hold a connection destination VPN ID (No in step S12). In that case, the notification unit 432 of the terminal location information management device 400 notifies the contract information management device 500 of the terminal ID (step S14). The transmission unit 532 of the contract information management device 500 then transmits the connection destination VPN ID corresponding to the terminal ID to the terminal location information management device 400 (step S15). The registration unit 433 of the terminal location information management device 400 then registers the terminal ID transmitted by the terminal device 100 and the connection destination VPN ID transmitted by the contract information management device 500 (step S16).
Next, the terminal location information management device 400 establishes a C-plane session with the terminal device 100 (step S17). The reception unit 431 of the terminal location information management device 400 then receives a connection request for establishing a D-plane session from the terminal device 100 (step S18). The terminal location information management device 400 then determines the overlay tunnel route transfer device 300 to connect to and establishes a D-plane session within the mobile network (step S19).
The transmission unit 434 of the terminal location information management device 400 then transmits the connection destination VPN ID and the anchor GW ID in charge to the connected terminal number management device 600 (step S20). The counting unit 631 of the connected terminal number management device 600 then counts and updates the number of connected terminals based on the received connection destination VPN ID and anchor GW ID in charge (step S21).
The determination unit 632 of the connected terminal number management device 600 then determines that the number of connected terminals has been updated from 0 to 1 or more (step S22). In that case, the acquisition unit 633 of the connected terminal number management device 600 transmits the connection destination VPN ID to the transfer information management device 700 and acquires the VPN connection address (step S23). The setting unit 634 of the connected terminal number management device 600 then starts the VPN gateway 200, sets the acquired VPN connection address on the VPN gateway 200 and the overlay tunnel route transfer device 300, and constructs the data-transfer overlay tunnel path (step S24).
Next, the transfer information management device 700 transmits the VPN terminal address to the terminal device 100 (step S25). The terminal device 100 then uses the VPN terminal address transmitted by the transfer information management device 700 to connect to the dedicated network via the data-transfer overlay tunnel path (step S26). After that, the terminal device 100 remains connected to the dedicated network (step S27).
After that, the terminal location information management device 400 measures the time for which the terminal device 100 has not communicated (step S28). If this non-communication time exceeds a predetermined threshold, the terminal location information management device 400 disconnects the D-plane session (step S29). The counting unit 631 of the connected terminal number management device 600 then decrements the number of connected terminals corresponding to the VPN with which the terminal device 100 communicates and the overlay tunnel route transfer device 300 it passes through (step S30). If this decrement changes the number of connected terminals from 1 or more to 0, the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has been updated from 1 or more to 0 (Yes in step S31). In that case, the deletion unit 635 of the connected terminal number management device 600 deletes the VPN connection address set on the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and releases the data-transfer overlay tunnel path, and the procedure ends (step S32).
If, on the other hand, the number of connected terminals does not become 0, the determination unit 632 of the connected terminal number management device 600 determines that the number of connected terminals has not been updated from 1 or more to 0 (No in step S31). In that case, the procedure returns to the earlier step and the communication control system 1 continues processing.
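The counting and tunnel lifecycle of steps S20 to S24 and S30 to S32 can be modelled as a reference count keyed by (anchor GW ID in charge, connection destination VPN ID). The following is an added example, not code from the patent: the class and method names, the per-terminal session set used to ignore duplicate notifications, and the table values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the FIG. 17 table held by the transfer information
# management device 700: connection destination VPN ID -> VPN connection address.
# IDs and addresses are made-up sample values (documentation address range).
VPN_CONNECTION_ADDRESSES = {"VPN-1": "192.0.2.10", "VPN-2": "192.0.2.20"}


@dataclass
class ConnectedTerminalCounter:
    """Hypothetical model of the connected terminal number management device 600."""
    counts: dict = field(default_factory=dict)    # (anchor GW ID, VPN ID) -> count
    sessions: set = field(default_factory=set)    # (terminal ID, anchor GW ID, VPN ID)
    tunnels: dict = field(default_factory=dict)   # (anchor GW ID, VPN ID) -> address
    log: list = field(default_factory=list)       # build / release actions taken

    def on_session_established(self, terminal_id, anchor_gw_id, vpn_id):
        """Steps S20-S24: count the terminal, build the tunnel on 0 -> 1 or more."""
        key = (anchor_gw_id, vpn_id)
        session = (terminal_id,) + key
        if session in self.sessions:
            # Assumption: a repeated notification for the same session must not
            # inflate the count, or the tunnel would never be released.
            return self.counts[key]
        if vpn_id not in VPN_CONNECTION_ADDRESSES:
            # Refuse before touching any state so count and tunnels stay consistent.
            raise KeyError(f"no VPN connection address registered for {vpn_id}")
        before = self.counts.get(key, 0)
        self.sessions.add(session)
        self.counts[key] = before + 1                     # S21: count and update
        if before == 0:                                   # S22: 0 -> 1 or more
            address = VPN_CONNECTION_ADDRESSES[vpn_id]    # S23: acquire address
            self.tunnels[key] = address                   # S24: start GW, set address
            self.log.append(("build", anchor_gw_id, vpn_id, address))
        return self.counts[key]

    def on_session_released(self, terminal_id, anchor_gw_id, vpn_id):
        """Steps S30-S32: decrement, release the tunnel on 1 or more -> 0."""
        key = (anchor_gw_id, vpn_id)
        session = (terminal_id,) + key
        if session not in self.sessions:
            # Unknown or repeated release: never let the count go below zero and
            # never tear down a tunnel that other terminals still use.
            return self.counts.get(key, 0)
        self.sessions.remove(session)
        self.counts[key] -= 1                             # S30: decrement
        if self.counts[key] == 0:                         # S31: 1 or more -> 0
            address = self.tunnels.pop(key)               # S32: delete address, stop GW
            self.log.append(("release", anchor_gw_id, vpn_id, address))
        return self.counts[key]


def run_demo():
    """Replay a constructed sequence of session events and return the final state."""
    m = ConnectedTerminalCounter()
    m.on_session_established("UE-1", "GW-A", "VPN-1")   # first terminal: build
    m.on_session_established("UE-2", "GW-A", "VPN-1")   # second terminal: count only
    m.on_session_established("UE-1", "GW-A", "VPN-1")   # duplicate: ignored
    m.on_session_established("UE-3", "GW-B", "VPN-1")   # other anchor GW: own tunnel
    m.on_session_released("UE-1", "GW-A", "VPN-1")      # one terminal remains
    m.on_session_released("UE-1", "GW-A", "VPN-1")      # duplicate: ignored
    m.on_session_released("UE-2", "GW-A", "VPN-1")      # last terminal: release
    return m


if __name__ == "__main__":
    for action in run_demo().log:
        print(action)
```

Because construction and release are driven only by the 0 to 1 and 1 to 0 transitions, the count must be exact; the session set is one way to keep lost or repeated notifications from either leaving a gateway running with no terminals or releasing a path that is still in use.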
[2-3. Effects]
The communication control system 1 according to Embodiment 1 is a communication control system 1 having a connected terminal number management device 600 that constructs and deletes the data-transfer overlay tunnel path that a terminal device 100 belonging to the connection network uses to connect to the dedicated network of each contract organization. The connected terminal number management device 600 uses the contract information (connection destination VPN ID), which identifies the dedicated network of each contract organization, and the anchor GW identification information (anchor GW ID in charge), which identifies the overlay tunnel route transfer device 300 belonging to the area to which the terminal device 100 connects, to count the number of connected terminals, that is, the number of terminal devices 100 accessing the dedicated network of each contract organization. When the number of connected terminals goes from 0 to 1 or more, it starts the VPN gateway 200, configures the VPN gateway 200 and the overlay tunnel route transfer device 300 for connection to the dedicated network of the contract organization, and constructs the data-transfer overlay tunnel path. When the number of connected terminals goes from 1 or more to 0, it deletes the settings of the VPN gateway 200 and the overlay tunnel route transfer device 300, stops the VPN gateway 200, and deletes the data-transfer overlay tunnel path. This embodiment therefore provides the following effects.
In the conventional method, vGWs had to be prepared in every area, and per-area instance information had to be configured in advance. In addition, the vGW had to be kept running in every area, and the operating server had to be fixed for each dedicated network. Furthermore, the general-purpose server that executes the gateway process (hereinafter, the "operating server") keeps the gateway process waiting even while no packet data arrives, so memory remains occupied by the gateway process and power continues to be consumed. Consequently, when there are multiple gateway processes, each providing a gateway function to a different dedicated network, the operating server memory available to the gateway processes that are actually in use decreases, and packet forwarding performance may deteriorate.
In contrast, the communication control system 1 of Embodiment 1 configures the gateway process dynamically as the number of connected terminals increases and decreases; in other words, it dynamically controls the VPN gateway 200 and the overlay tunnel route transfer device 300 that construct the data-transfer overlay tunnel path. This reduces power consumption and avoids unnecessary occupation of resources.
[3. Embodiment 1': Selection of the VPN gateway operating server in consideration of the load on VPN gateway operating servers]
Next, Embodiment 1' will be described as another embodiment. In Embodiment 1', the communication control system 1 selects the operating server on which to run the VPN gateway 200 in consideration of the load on the operating servers. Specifically, the communication control system 1 in Embodiment 1' periodically acquires, as information about the operating status of the VPN gateway 200, the CPU usage rate of each operating server and the number of VPN gateways 200 in operation, and determines an operating server that satisfies predetermined conditions (for example, low CPU usage rate, high power efficiency, or low load).
A specific example will be described using FIG. 20. FIG. 20 shows a situation in which two operating servers for the VPN gateway 200 exist: operating server 20A with a CPU usage rate of 20% and operating server 20B with a CPU usage rate of 80%. First, the monitoring unit 636 of the connected terminal number management device 600 monitors the CPU usage rates of operating server 20A and operating server 20B and acquires information about the CPU usage rate at predetermined time intervals (see (1) in FIG. 20).
The monitoring unit 636 of the connected terminal number management device 600 then selects the operating server on which to run the VPN gateway 200, based on the acquired information about the CPU usage rate. In the case shown in FIG. 20, the CPU usage rate of operating server 20A is lower than that of operating server 20B, so the monitoring unit 636 of the connected terminal number management device 600 determines that operating server 20A is to be used as the operating server.
Although the example in FIG. 20 refers to the CPU usage rate, the monitoring unit 636 of the connected terminal number management device 600 may also use other information, such as the number of VPN gateways in operation, the memory usage rate, or the number of connected terminals, to determine the operating server to be used.
[3-1. Configuration of the communication control system]
The configuration of the communication control system 1 in Embodiment 1' will now be described using FIG. 21. The communication control system 1 in Embodiment 1' comprises a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700. The functional units of each device are described in the following items. The system configuration in Embodiment 1' is the same as in Embodiment 1, so this section describes only the functional unit that differs, the monitoring unit 636 of the connected terminal number management device 600, and omits detailed description of the rest.
(Monitoring unit 636)
The monitoring unit 636 acquires information about the operating status of the operating servers that run the VPN gateway 200 and, based on that information, determines the operating server to be used. For example, the monitoring unit 636 monitors the operating servers of the VPN gateway 200 and acquires information about their operating status (for example, CPU usage rate, memory usage rate, memory usage amount, and the number of VPN gateways in operation). The monitoring unit 636 is not limited to the information described above and may monitor and acquire other information as necessary.
[3-2. Procedure of the communication control method]
Next, the communication control method performed by the communication control system 1 in Embodiment 1' will be described using FIG. 22. First, the monitoring unit 636 of the connected terminal number management device 600 monitors the operating status of the operating servers of the VPN gateway 200 (step S31). The monitoring unit 636 of the connected terminal number management device 600 then acquires information about the operating status of the operating servers (step S32). Finally, the monitoring unit 636 of the connected terminal number management device 600 determines the operating server to be used, based on the information about the operating status (step S33).
[3-3. Effects]
In Embodiment 1', the communication control system 1 provides the following effects.
The conventional technology uses static configuration, in which the gateway process and all overlay settings are configured when use of a dedicated network begins. With this static method, the operating server for the gateway process corresponding to each dedicated network is also fixed at configuration time. The conventional technology therefore offered no way to distribute the load of gateway processes among operating servers according to the operating status of the servers and of the gateway processes. As a result, when a large number of terminals connected to the dedicated network handled by a gateway process running on a particular operating server, traffic could concentrate on that server and packet forwarding performance could deteriorate.
In contrast, the communication control system 1 in Embodiment 1' dynamically selects the operating server that runs the VPN gateway 200 according to the operating status of the operating servers, which distributes the load across the operating servers and suppresses deterioration of packet forwarding performance.
[4. Embodiment 1'': Operation when the overlay tunnel route transfer device changes due to area movement]
Next, Embodiment 1'' will be described as a further different embodiment. Embodiment 1'' is an embodiment in which the terminal device 100 moves between areas and the overlay tunnel route transfer device 300 in charge changes.
An overview of Embodiment 1'' is given below using FIG. 23. FIG. 23 shows the terminal device 100 moving between "area A" and "area B", which are logically different areas. As a premise, the terminal location information management device 400 belonging to each area holds the assigned anchor GW ID of the overlay tunnel route transfer device 300 belonging to that area. Therefore, the terminal location information management device 400 and overlay tunnel route transfer device 300 in charge are determined by the base station to which the terminal device 100 connects when it registers with the mobile network.
Specifically, area A is handled by the terminal location information management device 400A and overlay tunnel route transfer device 300A, and area B by the terminal location information management device 400B and overlay tunnel route transfer device 300B. In other words, when the terminal device 100 moves across areas, the terminal location information management device 400 with which it is registered changes, and as a result the overlay tunnel route transfer device 300 to which it connects changes.
A specific example of Embodiment 1'' is now described, again using FIG. 23. First, the terminal device 100 moves across areas, from area A to area B (see (1) in FIG. 23). Next, the terminal location information management device 400B in the destination area B registers the terminal ID and connection destination VPN ID of the terminal device 100 (see (2) in FIG. 23).
Then, as in the procedure of Embodiment 1, the terminal location information management device 400B establishes a D-plane session within the mobile network (see (3) in FIG. 23). Although not shown in FIG. 23, the counting unit 631 of the connected terminal number management device 600 then increments the number of connected terminals in area B. Next, once the D-plane session has been established in area B, the terminal location information management device 400A terminates the D-plane session in area A (see (4) in FIG. 23). Although not shown in FIG. 23, the counting unit 631 of the connected terminal number management device 600 then decrements the number of connected terminals in area A.
[4-1. Communication control system configuration]
The configuration of the communication control system 1 in Embodiment 1'' is described next. The communication control system 1 in Embodiment 1'' is a device configuration that includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700. Note that the system configuration in Embodiment 1'' is the same as that in Embodiment 1, so a detailed explanation is omitted.
[4-2. Procedures for communication control method]
Next, the communication control method performed by the communication control system 1 in Embodiment 1'' will be described using FIG. 24. First, the terminal device 100 moves from an arbitrary area A to a different area B (step S41). Next, the terminal location information management device 500B of the destination area B registers the terminal ID and connection destination VPN ID of the terminal device 100 that has moved between areas in the terminal location information management device 400B (step S42). Then, as in the procedure of Embodiment 1, the terminal location information management device 400B determines the overlay tunnel route transfer device 300B to connect to and establishes a D-plane session within the mobile network (step S43).
Next, the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals in area B and updates it by adding (step S44). Next, after the D-plane session is established in area B, the terminal location information management device 500A terminates the D-plane session in area A (step S45). Then, the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals in area A and updates it by subtracting (step S46).
[4-3. Effects]
In Embodiment 1'', the communication control system 1 has the following effects.
In the communication control system 1 according to Embodiment 1'', even when the terminal device 100 moves between areas and the overlay tunnel route transfer device 300 in charge changes, the terminal location information management device 400 in the destination area acquires from the terminal device 100 the information needed to count the number of connected terminals, and the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals. The setting unit 634 and deletion unit 635 of the connected terminal number management device 600 then dynamically control the VPN gateway 200 and the overlay tunnel route transfer device 300, which provides the effect of saving operating server resources and increasing the load distribution efficiency of the gateway processes.
[5. Embodiment 2: When the terminal device connects to the VPN via WiFi]
Embodiment 2 will now be described as a further different embodiment. Embodiment 2 describes the case in which the terminal device 100 connects to a VPN from WiFi via the mobile network.
First, an overview of Embodiment 2 is given using FIG. 25. The terminal device 100 that uses a WiFi connection connects to the WiFi router R (see (1) in FIG. 25). Next, the WiFi router R transfers the packet data to the mobile gateway 800 (see (2) in FIG. 25). Then, based on the information it holds in advance about destination addresses (VPN connection addresses) and the corresponding VPNs (connection destination VPN IDs), the mobile gateway 800 determines the VPN connection address and connection destination VPN ID from the destination information (for example, an IP address) sent by the terminal device 100, and establishes a D-plane session on behalf of the terminal device 100. The mobile gateway 800 then transfers the data to the D-plane session corresponding to the destination VPN (see (3) in FIG. 25). The subsequent counting of the number of connected terminals is the same as in Embodiment 1 and is therefore omitted.
The detailed operation flow of the mobile gateway 800 is described next. There are two methods by which the mobile gateway 800 acquires the connection destination VPN ID: "Case 1: the connection destination VPN ID is acquired when the terminal device performs VPN authentication" and "Case 2: the terminal device sends announcement messages for a fixed period when connecting via WiFi". Case 1 is described first, using FIG. 26.
In FIG. 26, the terminal device 100 transmits a VPN authentication request (including a password and user ID) to the mobile gateway 800 when starting a VPN connection (see (1) in FIG. 26). The mobile gateway 800 then forwards the authentication request received from the terminal device 100 to the VPN authentication server 900 (see (2) in FIG. 26). Based on the information included in the received authentication request, the VPN authentication server 900 transmits an authentication response (connection destination VPN ID or VPN terminal address) to the mobile gateway 800 (see (3) in FIG. 26). When the VPN authentication server 900 returns a VPN terminal address, the mobile gateway 800 acquires the corresponding connection destination VPN ID from the contract information management device 500 based on that VPN terminal address (see (4) in FIG. 26).
Next, the mobile gateway 800 transmits the connection destination VPN ID acquired from the VPN authentication server 900 or the contract information management device 500 to the terminal location information management device 400 (see (5) in FIG. 26). The terminal location information management device 400 in turn transmits the connection destination VPN ID to the transfer information management device 700 and acquires the corresponding VPN connection address (see (6) in FIG. 26). The terminal location information management device 400 then transmits the acquired VPN connection address to the mobile gateway 800 (see (7) in FIG. 26). Finally, the mobile gateway 800 maps the acquired VPN connection address to the connection destination VPN ID it holds and sets the mapping.
Case 2 is described next, using FIG. 27. First, when the terminal device 100 detects a WiFi connection, it establishes an encrypted path C with the mobile gateway 800 (see (1) in FIG. 27). If the encrypted path C cannot be established within a predetermined time, the terminal device 100 stops the procedure for establishing it. The mobile gateway 800 then performs VPN authentication in the same manner as in Case 1, acquires the VPN connection address and the connection destination VPN ID, maps them, and sets the mapping in itself. The mobile gateway 800 then transmits a registration completion message to the terminal device 100 via the encrypted path C (see (2) in FIG. 27).
[5-1. Communication control system configuration]
Next, the configuration of the communication control system 1 in Embodiment 2 will be explained using FIG. 28. The communication control system 1 in Embodiment 2 is a device configuration that includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, a transfer information management device 700, and a mobile gateway 800. The following items describe the functional units of each device in detail. Note that the device configuration of Embodiment 2 other than the mobile gateway 800 is the same as that of Embodiment 1; this section describes only the mobile gateway 800, which differs, and omits detailed explanation of the rest.
(Mobile gateway 800)
As shown in FIG. 28, the mobile gateway 800 includes a communication unit 810, a storage unit 820, and a control unit 830. The functions of the communication unit 810 are the same as those described for the communication unit 110 of the terminal device 100, so a description is omitted.
(Storage unit 820)
The storage unit 820 stores the data and programs necessary for the various processes performed by the control unit 830. The storage unit 820 has a VPN search table storage unit 821.
(VPN search table storage unit 821)
The VPN search table storage unit 821 stores the VPN search table, in which the acquired VPN connection address and the connection destination VPN ID are mapped and set. Specifically, the VPN search table storage unit 821 stores the items "VPN connection address" and "connection destination VPN ID" as the VPN search table, as shown in FIG. 29. The information stored in the VPN search table storage unit 821 is not limited to these items, and other items may be stored. The input information for each item shown in FIG. 29 is only an example, and the information is not limited to what is shown.
(Control unit 830)
The explanation now returns to FIG. 28. The control unit 830 includes a distribution unit 831, a transmission unit 832, a setting unit 833, and a session establishment unit 834.
(Distribution unit 831)
The distribution unit 831 determines the VPN connection address and connection destination VPN ID based on the information it holds in advance about destination addresses (VPN connection addresses) and the corresponding VPNs (connection destination VPN IDs), and on the destination information (IP address) transmitted by the terminal device 100, and distributes the communication to the D-plane session corresponding to that destination VPN.
(Transmission unit 832)
The transmission unit 832 transmits the authentication request received from the terminal device 100 (including the user ID, password, and so on) to the VPN authentication server 900. The transmission unit 832 also transmits the connection destination VPN ID acquired from the VPN authentication server 900 to the terminal location information management device 400. In addition, the transmission unit 832 transmits the registration completion message to the terminal device 100.
(Setting unit 833)
The setting unit 833 maps the VPN connection address acquired from the transfer information management device 700 to the connection destination VPN ID held by the mobile gateway 800, and sets the mapping.
(Session establishment unit 834)
Based on the contract information (connection destination VPN ID), the information for connecting to the dedicated network of each contracted organization to which the terminal device 100 connects (VPN connection address), and the destination information included in the packet data transmitted by the terminal device 100, the session establishment unit 834 establishes an overlay tunnel path for data transfer with the terminal location information management device 400 on behalf of the terminal device 100.
Specifically, to establish a D-plane session in response to a D-plane session establishment request from the terminal device 100, the session establishment unit 834 uses the mapped VPN connection address and connection destination VPN ID to determine, from the destination information (IP address) included in the packet data transmitted by the terminal device 100, the destination VPN connection address and connection destination VPN ID. The session establishment unit 834 then establishes the D-plane session corresponding to that destination VPN and transfers the packet data.
[5-2. Procedures for communication control method]
Next, the communication control method performed by the communication control system 1 in Embodiment 2 will be described. As described above, in Embodiment 2 there are two methods by which the mobile gateway 800 acquires the connection destination VPN ID, so the procedure is described separately for each case. First, the procedure for Case 1 is explained using FIG. 30.
First, the terminal device 100 connects to the WiFi router R (step S51). The terminal device 100 then transmits a VPN authentication request (including a password and user ID) to the mobile gateway 800 when starting the VPN connection (step S52). Next, the transmission unit 832 of the mobile gateway 800 transmits the authentication request received from the terminal device 100 to the VPN authentication server 900 (step S53). Based on the information included in the received authentication request, the VPN authentication server 900 transmits an authentication response (connection destination VPN ID or VPN terminal address) to the mobile gateway 800 (step S54).
Next, the transmission unit 832 of the mobile gateway 800 transmits the connection destination VPN ID acquired from the VPN authentication server 900 to the terminal location information management device 400 (step S55). The acquisition unit 435 of the terminal location information management device 400 then acquires the VPN connection address from the transfer information management device 700 (step S56). The transmission unit 434 of the terminal location information management device 400 then transmits the acquired VPN connection address to the mobile gateway 800 (step S57). The setting unit 833 of the mobile gateway 800 maps the acquired VPN connection address to the connection destination VPN ID it holds and sets the mapping (step S58).
Next, the WiFi router R transfers the packet data to the mobile gateway 800 (step S59). The session establishment unit 834 of the mobile gateway 800 then uses the mapped VPN connection address and connection destination VPN ID to determine, from the destination information included in the packet data transmitted by the terminal device 100, the destination VPN connection address and connection destination VPN ID (step S60). The session establishment unit 834 of the mobile gateway 800 then establishes the D-plane session corresponding to that destination VPN and transfers the packet data (step S61).
Next, the procedure for Case 2 is explained using FIG. 31. The terminal device 100 connects to the WiFi router R (step S71). At this time, the terminal device 100 establishes an encrypted path C with the mobile gateway 800 (step S72). The terminal device 100 then transmits a VPN authentication request (including a password and user ID) to the mobile gateway 800 when starting the VPN connection (step S73). Next, the transmission unit 832 of the mobile gateway 800 transmits the authentication request received from the terminal device 100 to the VPN authentication server 900 (step S74). Based on the information included in the received authentication request, the VPN authentication server 900 transmits an authentication response (connection destination VPN ID or VPN terminal address) to the mobile gateway 800 (step S75).
Next, the transmission unit 832 of the mobile gateway 800 transmits the connection destination VPN ID acquired from the VPN authentication server 900 to the terminal location information management device 400 (step S76). The acquisition unit 435 of the terminal location information management device 400 then acquires the VPN connection address from the transfer information management device 700 (step S77). The transmission unit 434 of the terminal location information management device 400 then transmits the acquired VPN connection address to the mobile gateway 800 (step S78). The setting unit 833 of the mobile gateway 800 maps the acquired VPN connection address to the connection destination VPN ID it holds and sets the mapping (step S79). The transmission unit 832 of the mobile gateway 800 then transmits a registration completion message to the terminal device 100 (step S80).
Next, the WiFi router R transfers the packet data to the mobile gateway 800 (step S81). The session establishment unit 834 of the mobile gateway 800 then uses the mapped VPN connection address and connection destination VPN ID to determine, from the destination information included in the packet data transmitted by the terminal device 100, the destination VPN connection address and connection destination VPN ID (step S82). The session establishment unit 834 of the mobile gateway 800 then establishes the D-plane session corresponding to that destination VPN and transfers the packet data (step S83).
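The Case 1 flow above (steps S52 to S61), sketched as an added Python example that is not code from the patent: a toy mobile gateway fills its VPN search table only after successful authentication and then resolves each packet's destination IP to a connection destination VPN ID. Treating a VPN connection address as an IP prefix with longest-prefix matching, the per-terminal authorization check, and all names and sample values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: every ID, credential and address below is made up.
# AUTH_SERVER stands in for VPN authentication server 900,
# TRANSFER_INFO for transfer information management device 700.
AUTH_SERVER = {("alice", "pw-a"): "vpn-A", ("bob", "pw-b"): "vpn-B"}
TRANSFER_INFO = {"vpn-A": "10.1.0.0/16", "vpn-B": "10.1.2.0/24"}


class MobileGateway:
    """Toy model of mobile gateway 800 (hypothetical class, illustration only)."""

    def __init__(self):
        self.vpn_search_table = {}   # VPN connection address (prefix) -> VPN ID
        self.authorized = {}         # terminal ID -> VPN IDs it authenticated for
        self.sessions = {}           # (terminal ID, VPN ID) -> packets forwarded

    def register(self, terminal_id, user, password):
        """Steps S52-S58: authenticate, resolve the address, set the mapping."""
        vpn_id = AUTH_SERVER.get((user, password))
        if vpn_id is None:
            return None              # failed authentication creates no mapping
        network = ipaddress.ip_network(TRANSFER_INFO[vpn_id])
        self.vpn_search_table[network] = vpn_id
        self.authorized.setdefault(terminal_id, set()).add(vpn_id)
        return vpn_id

    def lookup(self, dst_ip):
        """Step S60: map a destination IP to a VPN ID (assumed longest-prefix match)."""
        try:
            addr = ipaddress.ip_address(dst_ip)
        except ValueError:
            return None              # malformed destination never matches
        matches = [net for net in self.vpn_search_table if addr in net]
        if not matches:
            return None
        return self.vpn_search_table[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, terminal_id, dst_ip):
        """Step S61: pick the D-plane session for the packet, or drop it."""
        vpn_id = self.lookup(dst_ip)
        if vpn_id is None:
            return "drop:no-mapping"          # fail closed on unmapped traffic
        # Assumption beyond the page: the table is gateway-wide, so also check
        # that this terminal authenticated for the VPN the address resolves to.
        if vpn_id not in self.authorized.get(terminal_id, set()):
            return "drop:not-authorized"
        key = (terminal_id, vpn_id)
        self.sessions[key] = self.sessions.get(key, 0) + 1
        return "d-plane:" + vpn_id


if __name__ == "__main__":
    gw = MobileGateway()
    gw.register("t1", "alice", "pw-a")
    gw.register("t2", "bob", "pw-b")
    for terminal, dst in [("t1", "10.1.9.9"), ("t1", "10.1.2.5"),
                          ("t2", "10.1.2.5"), ("t1", "192.0.2.1")]:
        print(terminal, dst, gw.forward(terminal, dst))
```
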
[5-3. Effects]
In Embodiment 2, the communication control system 1 has the following effects.
In the conventional technology, when performing WiFi communication, the terminal device 100 holds only the destination IP address of the data packets to be forwarded to the VPN as information for identifying the VPN to be accessed, and the mobile gateway 800 had to attach information identifying the VPN to the session establishment signaling message.
Furthermore, in the conventional technology, the device corresponding to the mobile gateway 800 could not derive information identifying the VPN to be accessed from the destination IP address of an arriving packet, and therefore could not establish the overlay tunnel path for data transfer to the VPN through mobile network signaling at the moment the packet arrived.
However, the communication control system 1 in Embodiment 2 looks up the mapped VPN connection address from the destination information (IP address) of the packet data arriving at the mobile gateway 800, and thus provides the effect of enabling establishment of the overlay tunnel path for data transfer and counting of the number of connected terminals.
[6. Embodiment 2-1: When the terminal device connects to the VPN via an IP network]
Embodiment 2-1 will now be described as a form similar to Embodiment 2. FIG. 32 is used to describe the case in which the terminal device 100 connects to a VPN from WiFi via an IP network.
FIG. 32 shows a case in which the terminal device 100 connects to the fixed network access router SR via the WiFi router R, and a case in which it connects to the fixed network access router SR directly. In FIG. 32, when the terminal device 100 accesses via the IP network, the communication control system 1 cannot count the number of connected terminals based on D-plane session establishment and release. Therefore, after the VPN authentication and the establishment of the overlay tunnel path for data transfer described in Embodiment 2, the communication control system 1 in Embodiment 2-1 counts the number of connected terminals using a terminal liveness check triggered by "heartbeat", "ping", or the like.
As a further premise of Embodiment 2-1, an overlay tunnel route transfer device 300 for the IP network (hereinafter "overlay tunnel route transfer device 300") is installed between the IP network and the data network. As shown in FIG. 33, in order to identify the overlay tunnel route transfer device 300, the communication control system 1 is configured to include a plurality of VPN authentication servers 900 for the IP network (hereinafter "VPN authentication server 900") and a plurality of access points AP (for example, residential WiFi routers).
An overview of the operation of the communication control system 1 in Embodiment 2-1 is now given using FIG. 34. First, the terminal device 100 transmits VPN connection information (user ID, password, and so on) to the VPN authentication server 900 via the WiFi router R and the fixed network access router SR, or via the fixed network access router SR only (see (1) in FIG. 34).
Next, the VPN authentication server 900 notifies the connected terminal number management device 600 of the connection destination VPN ID and the assigned anchor GW ID (see (2) in FIG. 34). The connected terminal number management device 600 then counts, and increments, the number of connected terminals that connect from the corresponding overlay tunnel route transfer device 300 to the target VPN for connecting to the dedicated network. The procedure for constructing the overlay tunnel path for data transfer after the increment is the same as the method described in Embodiment 1.
Next, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 performs a terminal liveness check using "heartbeat", "ping", or the like (see (3) in FIG. 34). If, as a result of the liveness check, the terminal device 100 no longer responds, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 notifies the connected terminal number management device 600 of the connection destination VPN ID and the assigned anchor GW ID (see (4) in FIG. 34). Based on this notification, the connected terminal number management device 600 counts, and decrements, the number of connected terminals that connect to the target VPN for connecting to the dedicated network. The procedure for deleting the overlay tunnel path for data transfer after the decrement is the same as the method described in Embodiment 1.
[6-1. Communication control system configuration]
Next, the configuration of the communication control system 1 in Embodiment 2-1 will be explained. The communication control system 1 in Embodiment 2-1 has a device configuration that includes a terminal device 100, a VPN gateway 200, an overlay tunnel route transfer device 300 for the IP network, a terminal location information management device 400, a contract information management device 500, a connected terminal number management device 600, and a transfer information management device 700.
Note that the system configuration in Embodiment 2-1, other than the overlay tunnel route transfer device 300, is the same as in Embodiment 1. This section therefore explains only the overlay tunnel route transfer device 300, which differs, and omits detailed explanation of the rest. Furthermore, since the overlay tunnel route transfer device 300 in Embodiment 2-1 has the same functions as the overlay tunnel route transfer device 300 in Embodiment 1, only the terminal survival confirmation unit 333, which is the functional unit that differs, is explained, and other explanations are omitted.
(Control unit 330)
The explanation continues with reference to FIG. 35. The control unit 330 includes a packet header analysis unit 331, a transfer processing unit 332, and a terminal survival confirmation unit 333.
(Terminal survival confirmation unit 333)
The terminal survival confirmation unit 333 transmits an identification signal to the terminal device 100 that connects to the dedicated network via the IP network, and confirms whether or not the terminal device 100 is currently connected to the dedicated network.
Specifically, the terminal survival confirmation unit 333 performs terminal survival confirmation using "heartbeat", "ping", or the like, and determines whether or not there is a response from the terminal device 100. Then, based on the determination result of the terminal survival confirmation, the terminal survival confirmation unit 333 notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge. That is, if the terminal device 100 no longer responds as a result of the terminal survival confirmation, the terminal survival confirmation unit 333 notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge.
[6-2. Procedure of the communication control method]
Next, the procedure of the communication control method performed by the communication control system 1 according to Embodiment 2-1 will be explained with reference to FIG. 36. First, the terminal device 100 transmits VPN connection information (user ID, password, etc.) to the VPN authentication server 900 via the WiFi router R and the fixed network access router SR, or via the fixed network access router SR alone (step S91). The VPN authentication server 900 then notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge (step S92).
Based on the connection destination VPN ID and the anchor GW ID in charge notified by the VPN authentication server 900, the connected terminal number management device 600 counts the number of connected terminals that connect to the target VPN via the corresponding overlay tunnel route transfer device 300, and adds to and updates that number (step S93). Subsequently, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 performs terminal survival confirmation using "heartbeat", "ping", or the like (step S94).
Suppose the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 determines that the terminal device 100 no longer responds (Yes in step S95). In that case, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 notifies the connected terminal number management device 600 of the connection destination VPN ID and the anchor GW ID in charge (step S96). Then, based on the connection destination VPN ID and the anchor GW ID in charge notified by the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300, the counting unit 631 of the connected terminal number management device 600 counts the number of connected terminals connected to the target VPN, and subtracts from and updates that number (step S97).
On the other hand, if the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 determines that there is a response from the terminal device 100, the process continues (No in step S95).
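The add and subtract flow of steps S91 to S97, as an added Python example that is not part of the patent text. The class names, the injected `probe` callable, the constructed response table, and the rule of three consecutive missed probes are assumptions (the text only says the terminal "no longer responds"). Because the count decides whether the tunnel path and VPN gateway exist, the example reports each lost terminal once and ignores a subtract notification that arrives when the count is already 0.

```python
from collections import Counter


class ConnectedTerminalManager:
    """Plays the role of the connected terminal number management device 600."""

    def __init__(self):
        self.counts = Counter()    # (vpn_id, anchor_gw_id) -> connected terminals
        self.active_paths = set()  # keys that currently have a tunnel path
        self.log = []              # ordered record of build / delete / ignored

    def add(self, vpn_id, anchor_gw_id):
        """S92/S93: notification from the VPN authentication server 900."""
        key = (vpn_id, anchor_gw_id)
        self.counts[key] += 1
        if self.counts[key] == 1:          # 0 -> 1: start gateway, build path
            self.active_paths.add(key)
            self.log.append(("build", key))
        return self.counts[key]

    def subtract(self, vpn_id, anchor_gw_id):
        """S96/S97: notification from the terminal survival confirmation unit."""
        key = (vpn_id, anchor_gw_id)
        if self.counts[key] == 0:          # stray or repeated notification
            self.log.append(("ignored", key))
            return 0
        self.counts[key] -= 1
        if self.counts[key] == 0:          # 1 -> 0: delete path, stop gateway
            self.active_paths.discard(key)
            self.log.append(("delete", key))
        return self.counts[key]


class TerminalSurvivalChecker:
    """Plays the role of the terminal survival confirmation unit 333."""

    def __init__(self, manager, probe, max_missed=3):
        self.manager = manager
        self.probe = probe            # callable(terminal_id) -> bool (heartbeat/ping)
        self.max_missed = max_missed  # assumption: consecutive misses before "gone"
        self.tracked = {}             # terminal_id -> [vpn_id, anchor_gw_id, missed]

    def track(self, terminal_id, vpn_id, anchor_gw_id):
        self.tracked[terminal_id] = [vpn_id, anchor_gw_id, 0]

    def run_round(self):
        """S94/S95: probe each tracked terminal once; return those declared gone."""
        gone = []
        for terminal_id, state in list(self.tracked.items()):
            if self.probe(terminal_id):
                state[2] = 0                   # any answer resets the miss counter
                continue
            state[2] += 1
            if state[2] >= self.max_missed:
                del self.tracked[terminal_id]  # report each terminal only once
                self.manager.subtract(state[0], state[1])
                gone.append(terminal_id)
        return gone


def simulate():
    """Run seven probe rounds over constructed responses for two terminals."""
    # Constructed data: True means the terminal answered in that round.
    responses = {
        "t1": [True, False, True, True, False, False, False],  # one transient loss
        "t2": [True, False, False, False],                     # leaves for good
    }
    current = [0]

    def probe(terminal_id):
        seq = responses[terminal_id]
        return seq[current[0]] if current[0] < len(seq) else False

    manager = ConnectedTerminalManager()
    checker = TerminalSurvivalChecker(manager, probe)
    for terminal_id in ("t1", "t2"):
        manager.add("vpn-a", "gw-1")
        checker.track(terminal_id, "vpn-a", "gw-1")

    history = []
    for n in range(7):
        current[0] = n
        gone = checker.run_round()
        history.append((n, gone, manager.counts[("vpn-a", "gw-1")]))
    return manager, history


if __name__ == "__main__":
    mgr, rounds = simulate()
    for entry in rounds:
        print(entry)
    print(mgr.log)
```
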
[6-3. Effects]
In Embodiment 2-1, the communication control system 1 has the following effects.
In the communication control system 1, the terminal survival confirmation unit 333 of the overlay tunnel route transfer device 300 performs terminal survival confirmation on the terminal device 100, and the number of connected terminals is subtracted based on the response result from the terminal device 100. As a result, the communication control system 1 can count the number of connected terminals even for connections via an IP network, where the number of connected terminals cannot be counted using the method described in Embodiment 1, and provides the effect of enabling dynamic control of the overlay tunnel path for data transfer and the overlay tunnel route transfer device 300.
[7. Hardware configuration]
Each component of each illustrated device is functional and conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution and integration of each device is not limited to what is illustrated, and all or part of each device can be functionally or physically distributed or integrated in arbitrary units depending on various loads, usage conditions, and the like. Furthermore, all or any part of each processing function performed by each device can be realized by a CPU and a program that is analyzed and executed by the CPU, or can be realized as hardware using wired logic.
Furthermore, among the processes described in this embodiment, all or part of the processes described as being performed automatically can also be performed manually by a known method. In addition, information including the processing procedures, control procedures, specific names, and various data and parameters shown in the drawings can be changed arbitrarily unless otherwise specified.
[Program]
As one embodiment, the various devices constituting the communication control system 1 can be implemented by installing, on a desired computer, a display program that executes the above-described learning as package software or online software. For example, by causing an information processing device to execute the above display program, the information processing device can be made to function as the various devices constituting the communication control system 1. The information processing device referred to here includes desktop and notebook personal computers. In addition, the category of information processing devices includes mobile communication terminals such as smartphones, mobile phones, and PHSs (Personal Handyphone Systems), as well as slate terminals such as PDAs (Personal Digital Assistants).
FIG. 37 is a diagram showing an example of a computer on which the various devices constituting the communication control system 1 are implemented. The computer 1000 includes, for example, a memory 1010 and a CPU 1020. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.
The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the various devices constituting the communication control system 1 is implemented as a program module 1093 in which code executable by a computer is written. The program module 1093 is stored in, for example, the hard disk drive 1090. For example, a program module 1093 for executing processing similar to the functional configuration of the various devices constituting the communication control system 1 is stored in the hard disk drive 1090. Note that the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
Further, the setting data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as necessary, and executes the processing of the embodiment described above.
Note that the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090; they may, for example, be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.). The program module 1093 and the program data 1094 may then be read by the CPU 1020 from the other computer via the network interface 1070.
[8. Others]
Although the present embodiment has been described above, the present embodiment is not limited by the description and drawings that form part of the disclosure. That is, all other embodiments, examples, operational techniques, and the like made by those skilled in the art based on this embodiment are included in the scope of this embodiment.
1 Communication control system
10 Front-end server
10A Front-end server
10B Front-end server
10C Front-end server
20A Operation server
20B Operation server
100 Terminal device
101 Terminal device
102 Terminal device
110 Communication unit
120 Storage unit
130 Control unit
131 Address management unit
132 Communication session management unit
200 VPN gateway
210 Communication unit
220 Storage unit
221 Transfer destination storage unit
230 Control unit
231 Packet header analysis unit
232 Transfer processing unit
300 Overlay tunnel route transfer device
300A Overlay tunnel route transfer device
300B Overlay tunnel route transfer device
310 Communication unit
320 Storage unit
321 Transfer destination storage unit
330 Control unit
331 Packet header analysis unit
332 Transfer processing unit
333 Terminal survival confirmation unit
400 Terminal location information management device
400A Terminal location information management device
400B Terminal location information management device
410 Communication unit
420 Storage unit
421 Terminal device connection destination VPN storage unit
422 Anchor GW storage unit
430 Control unit
431 Reception unit
432 Notification unit
433 Registration unit
434 Transmission unit
435 Acquisition unit
500 Contract information management device
510 Communication unit
520 Storage unit
521 Contract information storage unit
530 Control unit
531 Reception unit
532 Transmission unit
600 Connected terminal number management device
610 Communication unit
620 Storage unit
621 Connected terminal number storage unit
630 Control unit
631 Counting unit
632 Judgment unit
633 Acquisition unit
634 Setting unit
635 Deletion unit
636 Monitoring unit
700 Transfer information management device
710 Communication unit
720 Storage unit
721 Address storage unit
730 Control unit
731 Reception unit
732 Transmission unit
800 Mobile gateway
810 Communication unit
820 Storage unit
821 VPN search table storage unit
830 Control unit
831 Distribution unit
832 Transmission unit
833 Setting unit
834 Session establishment unit
900 VPN authentication server
R WiFi router
SR Fixed network access router
AP Access point
DN Data network
MN Mobile network
1000 Computer
1010 Memory
1011 ROM
1012 RAM
1020 CPU
1030 Hard disk drive interface
1040 Disk drive interface
1050 Serial port interface
1060 Video adapter
1070 Network interface
1080 Bus
1090 Hard disk drive
1091 OS
1092 Application program
1093 Program module
1094 Program data
1100 Disk drive
1110 Mouse
1120 Keyboard

Claims (8)

  1.  A communication control system having a connected terminal number management device that constructs and deletes an overlay tunnel path for data transfer used by a terminal device belonging to a connection network to connect to a dedicated network for each contracted organization, wherein
     the connected terminal number management device includes: a counting unit that counts the number of connected terminals, which is the number of the terminal devices accessing the dedicated network for each contracted organization, using contract information, which is information that identifies the dedicated network for each contracted organization, and anchor GW identification information, which is information that identifies an overlay tunnel route transfer device belonging to the area to which the terminal device connects;
     a setting unit that, when the number of connected terminals changes from 0 to 1 or more, starts a VPN gateway, configures the VPN gateway and the overlay tunnel route transfer device to connect to the dedicated network for each contracted organization, and constructs the overlay tunnel path for data transfer; and
     a deletion unit that, when the number of connected terminals changes from 1 or more to 0, deletes the settings of the VPN gateway and the overlay tunnel route transfer device, stops the VPN gateway, and deletes the overlay tunnel path for data transfer.
  2.  The communication control system according to claim 1, wherein the communication control system further includes a terminal location information management device, and
     the terminal location information management device includes: a reception unit that receives, from the terminal device, terminal device information, which is information that identifies the terminal device, the contract information, and a connection request, which is a request for connection from a mobile network to a data network;
     a registration unit that registers the terminal device information and the contract information; and
     a transmission unit that transmits the contract information and the anchor GW identification information to the connected terminal number management device based on the connection request.
  3.  The communication control system according to claim 1, wherein the communication control system further includes a terminal location information management device and a contract information management device, and
     the terminal location information management device includes: a reception unit that receives, from the terminal device, terminal device information, which is information that identifies the terminal device, a registration request, which is a request to register the terminal device information and the contract information in the terminal location information management device, and a connection request, which is a request for connection from a mobile network to a data network;
     a registration unit that, based on the registration request, registers the terminal device information and the contract information acquired from the contract information management device using the terminal device information; and
     a transmission unit that transmits the contract information and the anchor GW identification information to the connected terminal number management device based on the connection request.
  4.  The communication control system according to claim 1, wherein the connected terminal number management device further includes: an acquisition unit that uses the contract information to acquire, from a transfer information management device, information for connecting to the dedicated network for each contracted organization to which the terminal device is to connect; and
     a monitoring unit that acquires, from an operation server that runs the VPN gateway, information regarding the operating status of the operation server, and determines the operation server to be operated based on the information regarding the operating status.
  5.  The communication control system according to claim 1, wherein the communication control system further includes a mobile gateway, and
     the mobile gateway further includes a session establishment unit that, based on the contract information, information for connecting to the dedicated network for each contracted organization to which the terminal device is to connect, and destination information included in packet data transmitted by the terminal device, establishes an overlay tunnel path for data transfer with the terminal location information management device on behalf of the terminal device.
  6.  The communication control system according to claim 1, wherein the overlay tunnel route transfer device further includes a terminal survival confirmation unit that transmits an identification signal to the terminal device that connects to the dedicated network via an IP network, and confirms whether or not the terminal device is currently connected to the dedicated network.
  7.  A communication control method for a communication control system having a connected terminal number management device that constructs and deletes an overlay tunnel path for data transfer used by a terminal device belonging to a connection network to connect to a dedicated network for each contracted organization, the method comprising:
     a step in which the connected terminal number management device counts the number of connected terminals, which is the number of the terminal devices accessing the dedicated network for each contracted organization, using contract information, which is information that identifies the dedicated network for each contracted organization, and anchor GW identification information, which is information that identifies an overlay tunnel route transfer device belonging to the area to which the terminal device connects;
     a step of, when the number of connected terminals changes from 0 to 1 or more, starting a VPN gateway, configuring the VPN gateway and the overlay tunnel route transfer device to connect to the dedicated network for each contracted organization, and constructing the overlay tunnel path for data transfer; and
     a step of, when the number of connected terminals changes from 1 or more to 0, deleting the settings of the VPN gateway and the overlay tunnel route transfer device, stopping the VPN gateway, and deleting the overlay tunnel path for data transfer.
  8.  A communication control program for a communication control system having a connected terminal number management device that constructs and deletes an overlay tunnel path for data transfer used by a terminal device belonging to a connection network to connect to a dedicated network for each contracted organization, the program comprising:
     a step in which the connected terminal number management device counts the number of connected terminals, which is the number of the terminal devices accessing the dedicated network for each contracted organization, using contract information, which is information that identifies the dedicated network for each contracted organization, and anchor GW identification information, which is information that identifies an overlay tunnel route transfer device belonging to the area to which the terminal device connects;
     a step of, when the number of connected terminals changes from 0 to 1 or more, starting a VPN gateway, configuring the VPN gateway and the overlay tunnel route transfer device to connect to the dedicated network for each contracted organization, and constructing the overlay tunnel path for data transfer; and
     a step of, when the number of connected terminals changes from 1 or more to 0, deleting the settings of the VPN gateway and the overlay tunnel route transfer device, stopping the VPN gateway, and deleting the overlay tunnel path for data transfer.
PCT/JP2022/031449 2022-08-19 2022-08-19 Communication control system, communication control method, and communication control program WO2024038606A1 (en)

Publications (1)

Publication Number Publication Date
WO2024038606A1 (en) 2024-02-22

Family

ID=89941605

Country Status (1)

Country Link
WO (1) WO2024038606A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018037974A (en) * 2016-09-02 2018-03-08 日本電信電話株式会社 Gateway router, communication system, traffic flow control method, and program
US20210185752A1 (en) * 2019-12-17 2021-06-17 Cisco Technology, Inc. Techniques for providing a third generation partnership project (3gpp) fabric anchor for an enterprise fabric

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22955778

Country of ref document: EP

Kind code of ref document: A1