JP2001144756A - Network configuration system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To network-configurate an optional IP node connected onto an IP network as a desired IP node. SOLUTION: In this network configuration system of the IP node connected to a network through a public Internet and a gateway GW, the IP node 7 has a means reading authentication information when a card-shaped recording medium on which the authentication information and the address of a home gateway are recorded is inserted, a means (S33) enciphering the read authentication information and transmitting the authentication information to the GW, and means (S44 and S45) network-configurating the IP node when the authentication information transmitted from the GW is decided as proper, and the GW has a means (S41) which collates the transmitted authentication information with information for authentication stored in the GW and decides the identify of the authentication information and means (S42 and S43) transmitting the decision result of the identify of the authentication information to the IP node.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a network configuration system which enables an arbitrary IP node connected on an IP network to be easily configured as a desired IP node.

[0002]

2. Description of the Related Art Conventionally, in order to configure a personal computer (hereinafter, referred to as a PC) or the like as an IP node on a LAN such as a LAN that requires security, a manual operation is performed for each PC. Is required, and
P connected to an external network on the IP network
In order to log in to the LAN from C, it is necessary to install password setting and software for performing an authentication procedure with the remote access server on the LAN on the PC, and to perform an input operation to log in manually. In addition, Mobile IP (Mobile IP)
When connecting to the LAN using the above protocol, the mobile IP implements the above protocol and the L
Home Agent on AN
And other information must be set.

Japanese Patent Application Laid-Open No. H11-252068 discloses a method for setting a data communication environment on another communication device, and accessing the specified communication device safely and optimally even from a remote place. An IC card that records information for establishing data communication and information for authentication is set in the communication device, and a personal identification card is authenticated. The communication relay device identifies the other communication device from the information obtained from the communication device. A technique for decrypting the electronic signature using the public key of the other communication device, authenticating the validity of the communication device to the communication relay device, and enabling communication between the communication device, the communication relay device, and the other communication device. Is disclosed.

[0004]

However, the above-mentioned LAN
In order to log in to a network protected by security, such as from an external network, carry around the PC itself on which software for remote access including authentication and a password or ID for login are set, or In the case of Mobile IP, Mobile IP
, And a mobile IP in which an address for registration with a home agent is set, and it is necessary to set the software each time, which is troublesome.

In the technique disclosed in the above publication, an IC card storing information for establishing data communication and information for authentication is mounted on a communication device, and the communication device establishes and authenticates a data communication environment. In this way, it is intended to enhance the user's convenience for data communication, but there is a lot of information related to authentication in the IC card, and a communication device, a communication relay device, and a partner communication device for the authentication process. There is a problem that processing between the devices is required and the system becomes complicated.

SUMMARY OF THE INVENTION In view of the above-mentioned various problems, it is an object of the present invention to store login information to a network to log in to a storage medium such as a card, thereby enabling the network or any other network on the IP network to be stored. Network that allows the attached IP node to be automatically configured to be used as an IP node on its own network by attaching the storage medium to the IP node of the network.
It is to provide a configuration method.

[0007]

The present invention employs the following means in order to solve the above-mentioned problems.

A first means is a network configuration system of an IP node connected to a public network and a home network interconnected via a home gateway, wherein the IP node transmits authentication information and an address of the home gateway. Means for reading the authentication information when the recorded card-shaped recording medium is mounted, means for encrypting the read authentication information and transmitting it to the home gateway of the read home gateway address, Means for network-configuring the IP node when it is determined that the authentication information is valid, the home gateway encrypts the transmitted authentication information. Decrypt and Means for determining the validity of the authentication information against the authentication information arm gateway is stored,
Means for transmitting a judgment result of the validity of the authentication information to the IP node.

A second means is a network configuration method of an IP node connected to a home network interconnected via the public Internet and a home gateway, wherein the IP node transmits authentication information and an address of the home gateway. Means for reading the authentication information when the recorded card-shaped recording medium is mounted, means for encrypting the read authentication information and transmitting the encrypted authentication information to the home gateway at the read home gateway address, Means for transmitting the password to the home gateway,
When it is determined that the authentication information transmitted from the home gateway is valid, and that the password transmitted from the home gateway is consistent. Means for network-configuring the IP node, wherein the home gateway decrypts the transmitted authentication information and verifies the encrypted authentication information against the authentication information stored in the home gateway. Means for judging the validity of the information, comparing the transmitted password with the stored password stored in the home gateway, and judging the consistency of the password; Means for transmitting the judgment result and the judgment result of the coincidence of the password. The features.

The third means is a network configuration system of a home network interconnected with the public Internet via a home gateway, and an IP node connected to the network interconnected with the public Internet via a gateway. A means for reading the authentication information when a card-shaped recording medium on which authentication information and an address of a home gateway are recorded is mounted; and an address of the read home gateway by encrypting the read authentication information. Means for transmitting to the home gateway, and means for configuring the network of the IP node when it is determined that the result of determination of the validity of the authentication information transmitted from the home gateway is valid, The home gateway decrypts the encryption of the transmitted authentication information and determines the validity of the authentication information by comparing the encrypted authentication information with the authentication information stored in the home gateway. Means for transmitting a judgment result of the validity of the information.

A fourth means is a network configuration system of a home network interconnected with the public Internet via a home gateway, and an IP node connected to the network interconnected with the public Internet via a gateway. A means for reading the authentication information when a card-shaped recording medium on which authentication information and an address of a home gateway are recorded is mounted; and an address of the read home gateway by encrypting the read authentication information. Means for transmitting the password input from the IP node to the home gateway, and means for determining the validity of the authentication information transmitted from the home gateway. Means for, when it is determined that the passwords transmitted from the home gateway agree with each other, the network configuration of the IP node, wherein the home gateway performs the transmission The encryption of the received authentication information is decrypted, the validity of the authentication information is determined by comparing it with the authentication information stored in the home gateway, and the transmitted password is stored in the home gateway. Means for judging password consistency by comparing with a stored password, and means for transmitting a judgment result of the validity of the authentication information and a judgment result of the password consistency to the IP node. .

[0012]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS A first embodiment of the present invention will be described with reference to FIGS.

First, prior to the network configuration according to the present embodiment, a process of inputting login information to a storage medium will be described with reference to FIGS.

FIG. 1 is a diagram showing a blank network configuration medium which has been purchased and has not yet been written with login information as a card-shaped storage medium, and FIG. 2 is provided in an arbitrary network. Home Gateway HGW (Home Gateway)
FIG. 6 is a diagram showing a network configuration medium in which login information is written by ay).

[0015] In these figures, the home gateway HGW is connected to the public Internet such as the Internet or the like.
It has a function of transferring data between home networks constructed by an AN or the like.
A) and a home agent (Ho) that supports mobile IP communication in the home network A by performing various processes based on autonomous judgment by understanding the intention according to the situation.
and a network management table for writing the log-in information to the network configuration media 0 to 3 together with the network management table. At the time of purchase, each of the network configuration media 0 to 3 has a media ID X
ＩＤID W, but the home address and the authentication key (SPI: Securi) of the home agent HA.
(type parameter Index) is blank.

Network configuration
Writing of login information to media 0 to 3 is performed as shown in FIG.
As shown in (1), this is automatically performed by attaching each of the network configuration media 0 to 3 to the home gateway HGW A having a network management table. First, the home gateway HGWA
, Media IDs X to ID W are input from the respective network configuration media 0 to 3, and the home agents HA are respectively assigned to the respective network configuration media 0 to 3 accordingly.
Home address A, authentication keys (SPI) AK1 to AK
4 is given. Further, network login passwords XX to ZZ may be given as needed. If the network login password is given, it is possible to prevent unauthorized use by others when the network configuration media is lost.

Next, using the network configuration medium in which the login information is written,
The network configuration of the IP node in the home network according to the present embodiment will be described with reference to FIGS.

FIG. 3 is a diagram showing a state where the network configuration medium 0 is mounted on the IP node 0 and the network configuration of the IP node 0 is going to be performed. FIG. FIG. 6 is a diagram showing a state in which configuration has been completed.

In these figures, network A is:
It is connected to the Internet via a home gateway HGW consisting of a router A and a home agent HA having a home address A. IP nodes 1-3
Is a node already connected to the home network A and given IP addresses A1 to A3 (network address A and host addresses 0 to 3) from the DHCP server of the router A of the home gateway HGW.
The node 0 is a node that is connected to the network A, for example, is newly purchased, and performs IP address assignment and network configuration. The network configuration medium 0 has the media ID X, and has already been input with the home address A and the login information of the authentication key (SPI) AK1.

FIG. 5 shows that in home network A,
9 is a flowchart illustrating a processing procedure for configuring a network of an IP node using a network configuration medium.

In step 1, the IP node 0 is connected to the home network A, and the network configuration medium 0 in which the login information is written
Is mounted on the IP node 0 to start network configuration. In step 2,
The connection processing at the data link level is performed between the home agent HA A and the IP node 0, and the data link is established. In step 3, the home gateway HGW
The IP address (network address A, host address 0) is assigned to IP node 0 by the DHCP server of router A of A. In step 4, the IP node 0 compares the obtained IP address (network address A, host address 0) with the network address A of the home agent HA to determine that the IP node 0 is inside the home network A. . In step 5, the IP node 0 transmits the authentication parameters to the home agent HAA of the home gateway HGW by encrypting the data. The transmission contents include a flag indicating that the IP node 0 is inside the home network A, the authentication key (SPI) AK1 obtained from the network configuration medium 0, and the media ID X.
It is. In step 6, home agent HAA receives the authentication parameters, and in step 7, determines whether a network login password is required if a network login password has been set. Here, the network login password may be required only when the external flag is set, or may be required regardless of the internal / external flag. If it is determined in step 7 that a network login password is required, in step 8 the IP node 0 is requested to transmit a network login password. When the IP node 0 receives the password request in step 9, the input of the network login password is confirmed in step 10. If the network login password has been input, the network agent is sent to the home agent HAA in step 11. The login password XX is encrypted and transmitted. If the network login password has not been entered, step 18 signals that the network login has failed. In step 12, the home agent HA A receives the network login password XX, and in step 13, sends the transmitted network login password XX and authentication key (SPI) AK1 to:
The matching of the password and the validity of the authentication key are determined by comparing the data stored in the network management table shown in FIG. If no match and validity are found, a network login response (N
G) is transmitted to the IP node 0, and if the match and the validity are recognized, a network login response (OK) is transmitted to the IP node 0. In step 16, IP node 0 receives the network login response, and if it is a network login response (OK), completes the network configuration in IP node 0 in step 17 and returns to network login response. Response (NG)
If so, step 18 signals that the network login has failed. Further, if the match and the validity are recognized in step 13, the IP address on the home network A is further determined in step 19.
At the same time as registering the IP address of node 0 (network address A, host address 0),
Register that the configuration media 0 is on the internal network, and
Complete configuration.

According to the present embodiment, the network configuration medium 0 is transferred to the IP node 0
, The network-configured state is maintained. Here, if the network configuration media 0 is removed from the IP node 0, the network configuration is released.

In this embodiment, a newly purchased IP
The configuration in the case where the node 0 is connected to the home network A has been described.
May be configured by installing the network configuration media 0, in which case the network configuration is performed according to the network configuration media 0, and the network configuration media 0 is installed. When removed, it can be returned to the original configuration state.

As described above, according to the present embodiment, in the home network A, a new or arbitrary IP node is loaded with a network configuration medium to automatically configure the IP node in the network configuration. Can be

Next, a second embodiment of the present invention will be described with reference to FIGS.

Note that the network configuration prior to the network configuration
The process of inputting login information to the media is the same as in the first embodiment.

FIG. 6 is a diagram showing a state in which the network configuration medium 0 is being mounted on the IP node 7 and a network configuration is to be performed. FIG. FIG. 11 is a diagram showing a state in which the network configuration has been completed with media 0 loaded.

Next, the network configuration in the IP node connected to the other network B connected to the public Internet outside the home network A using the network configuration medium 0 in which the login information is written. explain.

In FIG. 6 and FIG. 7, the home network A has the same configuration as that shown in FIG. 3 except that the IP node 0 is not connected, and therefore the description is omitted. The network B is connected to the Internet via a home gateway HGW B including a router B and a home agent HA having a home address B. Here, the IP nodes 4 to 4 including the IP node 7
7 is already connected to the network B and the IP address of the router B of the home gateway HGW B by the DHCP server.
Address (network address B, host address 4
~ Network address B, host address 7). The IP node 7 carries out network configuration by mounting the network configuration medium 0 carried by the operator on the IP node 7. The network configuration medium 0 includes the first embodiment. As in the case of the embodiment, it has the media ID X, and the home address A and the login information of the authentication key (SPI) AK1 have already been written.

FIG. 8 shows a processing procedure for network-configuring an IP node 7 connected to a network B other than the home network A connected to the public network by using the network configuration medium 0. It is a flowchart which shows.

In this embodiment, since the IP node 7 is already connected to the network B, the IP address (network address B, host address 7) is assigned from the home agent HAB of the network B.

In step 31, the network configuration is started by mounting the network configuration medium 0 on which the login information is written to the IP node 7 of the network B. In step 32, the IP node 7 compares the assigned IP address (network address B, host address 7) with the network address A of the home agent HA A of the network configuration media 0, and Is located outside the home network A. In step 33, the IP node 7 transmits the authentication parameter to the home agent HA A by encrypting the data. The transmission contents include a flag indicating that the IP node 7 is outside the network A, and an authentication key (SPI) AK obtained from the network configuration medium 0.
1. Media ID X. In step 34, the home agent HAA receives the authentication parameters, and in step 35, determines whether it is necessary to enter a network login password if one has been set. Here, the network login password may require a password only when the external flag is set, or may require a password regardless of the internal / external flag. , Or may not be required at all. If the entry of the network login password is required, in step 36, the IP node 7 is requested to transmit the network login password. When the IP node 7 receives the password request in step 37,
In step 38, the input of the network login password is confirmed. If the network login password has been input, the network login password XX is encrypted and transmitted to the home agent HAA in step 39. Network login
If a password has not been entered, step 46 indicates that the network login has failed. In step 40, the home agent HA A receives the network login password XX, and in step 41, sends the transmitted network login password XX and authentication key (SPI) AK1 to:
The matching of the password and the validity of the authentication key are determined by comparing the data stored in the network management table shown in FIG. If no match and validity are found, a network login response (N
G) is transmitted to the IP node 7, and if agreement and validity are recognized, a network login response (OK) is transmitted to the IP node 7. If the IP node 7 receives the network login response (OK) in step 44 as a result of receiving the network login response, the network configuration in the IP node 7 is completed in step 45 and the network login is completed. In the case of a response (NG), in step 46, inform that the network login has failed. In addition, when the coincidence and the validity are recognized in step 41, further, in step 47, the external network B
The IP address (network address B, host address 7) of the above IP node 7 is registered as a tunneling destination, and at the same time, it is registered that the network configuration medium 0 is an external network. Complete. Here, the IP address (network address B, host address 7) is the IP address of step 33.
When the authentication parameter is transmitted to the home agent HA of the address 7, it can be obtained as the sender IP address. Thus, data addressed to the IP node 7 from the communication partner on the public Internet is tunneled via the home agent HA, and
Transferred to P node 7.

As described above, according to the present embodiment, the IP node 7 on the home network A is mounted by mounting the network configuration medium 0 on the IP node 7 of the network B other than the home network A. It can be automatically configured to be used like an IP node. Further, by attaching the network configuration medium 0 to the IP node 7, the network configuration state is secured. Thus, the IP node 7 connected to the network B
Can be used as if it is connected to the network A, and can freely access the home network A. Here, when the network configuration media 0 is removed from the IP node 7, the previous network configuration is released.

[0034]

According to the first to fourth aspects of the present invention, the card-shaped storage medium can be configured to be small and lightweight, so that the user can carry the card-shaped storage medium with him, and the user can use the IP network. By mounting the card-shaped storage medium on any of the above IP nodes, the IP node connected to the home network or a network other than the home network can be automatically configured.

Further, since it is only necessary to carry at least a storage medium storing authentication information, it is necessary to set software for remote access including authentication and a password or ID for login as in the prior art. A PC
There is no need to carry it.

Further, according to the second and fourth aspects of the present invention, by adding a password as a requirement of the network configuration, it is possible to prevent unauthorized use such as when the card-shaped storage medium is lost. .

[Brief description of the drawings]

FIG. 1 shows a blank network configuration media that has been purchased and has not yet been written with login information;

FIG. 2 is a diagram showing a network configuration medium on which login information is written by a home gateway HGW A.

FIG. 3 is a diagram illustrating a state in which a network configuration medium 0 is mounted on an IP node 0 according to the first embodiment and a network configuration is going to be performed.

FIG. 4 is a diagram illustrating a state where a network configuration has been completed in an IP node 0 according to the first embodiment.

FIG. 5 is a flowchart showing a processing procedure for performing a network configuration of the IP node 0 using the network configuration medium 0 in the home network A according to the first embodiment.

FIG. 6 is a diagram illustrating a state in which a network configuration medium 0 is mounted on an IP node 7 according to the second embodiment and a network configuration is going to be performed.

FIG. 7 is a diagram illustrating a state in which a network configuration has been completed in an IP node 7 according to the second embodiment.

FIG. 8 is a flowchart showing a processing procedure for performing network configuration of an IP node 7 of a network other than the home network using the network configuration medium 0 according to the second embodiment.

[Explanation of symbols]

 HGW Home Gateway HA Home Agent

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04L 12/56 F-term (Reference) 5J104 AA07 KA01 NA05 NA33 NA38 NA41 PA07 5K030 GA10 GA15 GA17 HA08 HC01 HD03 JA10 JT03 KA01 KA06 LA08 LB02 LD19 5K033 AA09 CB01 CB08 CB14 CC01 DA01 DA06 DB20 EA03

Claims (4)

[Claims] 1. A network configuration method of an IP node connected to a public network and a home network interconnected via a home gateway, wherein the IP node has a card-like form in which authentication information and an address of the home gateway are recorded. Means for reading the authentication information when the recording medium is mounted, means for encrypting the read authentication information and transmitting the encrypted authentication information to the home gateway at the address of the read home gateway, and the authentication information transmitted from the home gateway If it is determined that the I is valid, the I
Means for network-configuring a P-node, wherein the home gateway decrypts the encryption of the transmitted authentication information and checks the authentication information against the authentication information stored in the home gateway. A network configuration method comprising: means for judging validity; and means for transmitting a result of judging the validity of the authentication information to the IP node. 2. A network configuration method of an IP node connected to a home network interconnected via the public Internet and a home gateway, wherein the IP node is a card-shaped card storing authentication information and an address of the home gateway. Means for reading the authentication information when the recording medium is mounted, means for encrypting the read authentication information and transmitting the encrypted authentication information to the home gateway at the address of the read home gateway;
Means for transmitting a password input from a node to the home gateway, the password transmitted from the home gateway being determined to be valid based on the result of determining the validity of the authentication information transmitted from the home gateway, Means for network configuration of the IP node when it is determined that they match with respect to the determination result of the matching, the home gateway decrypts the encryption of the transmitted authentication information, In addition to determining the validity of the authentication information by comparing it with the authentication information stored in the home gateway, the transmitted password is compared with the stored password stored in the home gateway to determine the consistency of the password. Means for determining, and the validity of the authentication information to the IP node Sectional results and network configuration method characterized by having a means for transmitting the consistency determination result of the password. 3. A network configuration system comprising: a home network interconnected with the public Internet via a home gateway; and an IP node connected to a network interconnected with the public Internet via a gateway. A node for reading the authentication information when the card-shaped recording medium on which the authentication information and the address of the home gateway are recorded is mounted; and encrypting the read authentication information to the home gateway of the address of the read home gateway. Means for transmitting, and when it is determined that the authentication information transmitted from the home gateway is valid,
Means for network-configuring a P-node, wherein the home gateway decrypts the encryption of the transmitted authentication information and checks the authentication information against the authentication information stored in the home gateway. A network configuration method comprising: means for judging validity; and means for transmitting a result of judging the validity of the authentication information to the IP node. 4. A network configuration system comprising: a home network interconnected with the public Internet via a home gateway; and an IP node connected to a network interconnected with the public Internet via a gateway. A node for reading the authentication information when the card-shaped recording medium on which the authentication information and the address of the home gateway are recorded is mounted; and encrypting the read authentication information to the home gateway of the address of the read home gateway. Transmitting means and the IP
Means for transmitting a password input from a node to the home gateway, the password transmitted from the home gateway being determined to be valid based on the result of determining the validity of the authentication information transmitted from the home gateway, Means for network configuration of the IP node when it is determined that they match with respect to the determination result of the matching, the home gateway decrypts the encryption of the transmitted authentication information, In addition to determining the validity of the authentication information by comparing it with the authentication information stored in the home gateway, the transmitted password is compared with the stored password stored in the home gateway to determine the consistency of the password. Means for determining, and the validity of the authentication information to the IP node Sectional results and network configuration method characterized by having a means for transmitting the consistency determination result of the password.