JP2002084306A - Packet communication apparatus and network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent an unauthorized user from using a network system, in an unauthorized manner. SOLUTION: A LAN 100 is provided with a packet relay part 101, a plurality of network interfaces 102 to 107, an address learning table 108 and a state change instruction packet processing part 109. In the processing part 109, a state change instruction packet which holds an instruction to change the state of a specific network interface to a 'connective state', a 'nonconnective state' or a 'no state' is received from an authentication server 401 via the part 101, and the state change instruction packet is transmitted to a state control part 203 inside the specific network interface. In the part 203, on the basis of the state change instruction packet, the state of the specific network interface is changed into the 'connective state', the 'nonconnective state' or the 'no state'.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet communication device and a network system, and more particularly, to a packet communication device and a network system for preventing unauthorized use of a network using a LAN switch or a router. .

[0002]

2. Description of the Related Art In recent years, the necessity of an information security technique for restricting the use of networks has been recognized in order to secure trust in information held by various networks. On the other hand, considering the convenience of the network, for example,
EEE (Institute of Electrical and Electronics En
gineers, Inc.) specified CSMA / CD (Car
carrier Sense Multiple Access with Collision Detectio
LAN (L) typified by n) type 802.3 network
ocal Area Network) can be used as long as the terminal is connected to the network.

[0003] IETF (Internet Engineering T)
DHCP (Dynamic Host Co) standardized by ask Force
Using the nfiguration protocol), an address can be automatically assigned to a newly connected terminal. With these networks and portable terminals such as notebook computers, information outlet systems have emerged that allow the users of the terminals to use the networks wherever they are needed. As a technique relating to this information outlet system, for example, there is a technique described in JP-A-11-68765.

[0004]

However, since the use of the network is facilitated, even an unauthorized user (illegal user) who does not have permission to use the network can simply connect a terminal to the network. In such a case, it is assumed that a network can be used. Therefore, resources such as a file server connected to the network
There is a security disadvantage that the user is exposed to unauthorized access from an unauthorized user.

[0005] As a technique used to prevent such unauthorized access by an unauthorized user, "packet filtering" by a packet communication device such as a router is known. However, packet filtering conditions must be set in advance. On the other hand, in a network in which an address dynamically distributed at an arbitrary position is used by a terminal as in the information outlet system described above, it is difficult to determine packet filtering conditions in advance.

[0006] In view of the above, it is an object of the present invention to provide a packet communication device and a network system which prevent an unauthorized user from using a network illegally.

Further, according to the present invention, even if a user connects a user terminal to a network at a free position and using a different address each time, the user accesses only network resources permitted to the user. It is an object of the present invention to provide a packet communication device and a network system that cannot be used.

[0008]

According to the present invention, there is provided a packet communication apparatus in a network system for transmitting and receiving packets between a user terminal, an authentication server, and a file server arranged via a network, comprising a plurality of network interfaces. And an address learning table including information for specifying a network interface to which a packet should be transmitted, and a learning table,
A packet relay unit for selecting a packet relay destination based on the state of the network interface, relaying or discarding a packet between the user terminal, the authentication server and the file server, and connecting or disconnecting a specific network interface state. A state change instruction packet processing unit that receives a state change instruction packet holding an instruction to change to one of a state and a state without a state from an authentication server via a packet relay unit, and a specific network interface. Receiving the state change instruction packet from the state change instruction packet processing unit, and changing the state of the specific network interface to one of the connected state, the disconnected state, and the absence of the state based on the state change instruction packet. Packet with state manager Communication apparatus is provided.

Further, according to the present invention, there is provided a packet communication device in a network system for transmitting and receiving a packet between a user terminal, an authentication server, and a file server arranged via a network, the physical interface for connecting to the network. A packet relay unit for selecting a relay destination of the packet, a filtering table including information for relaying or discarding the packet, and a packet processing unit for discarding or transmitting the packet to the packet relay unit based on the contents of the filtering table. And
A filtering processing unit arranged between the physical interface and the packet relay unit for performing packet filtering; transmitting a filtering change instruction from the authentication server to the filtering processing unit; and discarding all received packets. Information for changing the information in the filtering table initially set in accordance with the instruction from the authentication server, and relaying a packet having the source terminal address of the user terminal authenticated by the authentication server to the file server. And a filtering change instruction processing unit for sequentially adding a packet to a filtering table.

Further, according to the present invention, there is provided a packet communication device in a network system for transmitting / receiving a packet between a user terminal, an authentication server, and a file server arranged via a network, the user terminal, the authentication server, and the file server. A network interface for transmitting / receiving packets from the server, an IP address registration table for registering the addresses of the user terminals authenticated by the authentication server, and a packet having the source address as the address registered in the IP address registration table. There is provided a packet communication device including a packet relay unit that encapsulates a packet having an address that is not registered in the IP address registration table as a source address and then transmits the packet to a specific address.

One of the features of the present invention is that the packet communication device holds a plurality of network interfaces, a packet relay unit, and whether each network interface is in a connected state, a disconnected state, or no state. And a management unit. The state of each network interface affects the selection of a packet relay destination in the packet relay unit.

Another feature of the present invention is that the packet communication device has a state change instruction packet processing unit, and changes the state of the network interface specified by the state change instruction packet to the state specified by the state change instruction packet. It can be changed.

Another feature of the present invention is that each network interface has a line disconnection detecting unit, and when a line disconnection is detected by the line disconnection detecting unit, the packet communication device changes the state of the network interface to a disconnected state. That is what you can do.

In the present invention, the state of each network interface may be initialized to a non-connection state at the time of initialization.

Another feature of the present invention is that the packet communication device can relay a packet received from a non-connected network interface to only a specific network interface.

According to the present invention, the packet communication device comprises:
The packet received from the network interface in the non-connection state may not be relayed to the network interface in the non-connection state or the connection state.

In the present invention, the packet communication device comprises:
The packet received from the connected network interface may not be relayed to the disconnected network interface.

In the present invention, the state of the network interface to which the terminal used by the authenticated user is connected may be changed to the connection state by the packet communication device.

Another feature of the present invention is a plurality of network interfaces, a packet relay unit, a filtering table, a packet filtering unit for performing packet filtering according to the contents of the filtering table, and a filtering unit for changing the contents of the filtering table according to an external instruction. A packet communication device having a change instruction processing unit, in which the contents of the filtering table are set so as to discard all received packets in the initial state, allows the packet communication device to relay a packet having a specific source address. , Can be sequentially added to the filtering table by an external instruction.

In the present invention, the contents to be sequentially added to the filtering table may be information indicating permission to relay a packet having the address of the terminal used by the authenticated user as the source address.

Another feature of the present invention is that a packet communication device has a plurality of network interfaces, a packet relay unit, a filtering table, an address learning table, and a status change instruction packet processing unit, and filters a source address of a received packet. When a status change instruction packet instructing to register a specific address registered in the filtering table in the address learning table is received, the state change instruction packet processing unit registers the specific address registered in the filtering table. This is to register the address in the address learning table.

In the present invention, the packet communication device relays a packet addressed to an address registered in the learning table. For a packet addressed to an address not registered in the learning table and registered in the filtering table, Relaying may be performed only when a specific source address is provided.

In the present invention, the packet communication device can be instructed to register the terminal address used by the authenticated user in the learning table.

In the present invention, the packet communication device includes a plurality of network interfaces, a packet relay unit,
And an address registration table, relaying a packet having an address registered in the address registration table as a source address,
For a packet whose source address is an address not registered in the address registration table, the packet may be encapsulated and then transmitted to a specific address.

In the present invention, when the packet communication device encapsulates and transmits a packet having an address not registered in the address registration table as a source address, the destination address is the address of the device that authenticates the user. There may be.

In the present invention, the packet communication device may register the address of the terminal used by the authenticated user in the address registration table.

In the present invention, it is possible to manage whether or not each network interface of the packet communication device is in the “non-connection state”, and to disconnect the communication when the network interface is in the “non-connection state”.

In the present invention, when a terminal is disconnected from the network, the network interface that has detected the disconnection may automatically switch to the “non-connection state”.

In the present invention, the packet communication device may grasp the address assigned to the user and set the packet filtering based on the grasped address.

[0030]

Embodiments of the present invention will be described below in detail with reference to the drawings.

FIG. 1 is a configuration diagram of a packet communication device according to an embodiment of the present invention.

The LAN switch 100 includes, for example, a packet relay unit 101, a plurality of network interfaces 102 to 107, an address learning table 108, and a status change instruction packet processing unit 109. Names (A to F in the figure) are assigned to the network interfaces 102 to 107 to uniquely identify each of them. Note that the name may be a number or the like as long as it can be uniquely identified.

These network interfaces 1
02 to 107 are respectively connected to different networks and transmit and receive packets. In the present embodiment, it is assumed that a CSMA / CD type 802.3 network specified by IEEE is connected by a twisted pair line as a network.
The present invention is also applicable to other networks (for example, wireless networks).

The packet relay unit 101 is connected to all the network interfaces 102 to 107, and relays a packet in a data link layer of an OSI (Open System Interconnection) reference model. The address learning table 108 stores information necessary for the packet relay unit 101 to determine a network interface to which a packet should be transmitted.

FIG. 3 is a configuration diagram (1) of the address learning table 108.

Each entry of the address learning table 108 includes an address field 301 and a transmission port field 302. The address field 301 stores a physical address (hereinafter, referred to as a MAC address), and the transmission port field 302 stores the name of a network interface. Here, when each packet of the address learning table 108 is relayed, the destination address of the packet is set in the address field 30.
When the number matches 1, the packet is transmitted from the network interface indicated by the transmission port field 302 of the same entry. Note that a plurality of network interfaces can be registered in the transmission port field 302. For example, as a special case, when the MAC address of the LAN switch 100 itself is registered in the address field 301 and the transmission port field 302 is set to “X”, this entry sets the corresponding packet as a packet addressed to the LAN switch 100. Indicates that processing is to be performed.

The state change instruction packet processing unit 109
Via one of the networks connected to the AN switch 100, an external device (for example, an authentication server 40 described later)
1) The status change instruction packet sent to the LAN switch 100 is received via the packet relay unit 101. Further, the state change instruction packet processing unit 109 notifies the contents of the state change instruction packet to the appropriate network interfaces 102 to 107. The state change instruction packet holds an instruction to change the state of a specific network interface to a specific state as information. As a protocol, for example, SNMP (Si
mple Network Management Protocol), but also telnet (telecommunications network protocol)
col) or a protocol such as HTTP (Hyper Text Transfer Protocol). Further, in the present embodiment, the LAN switch 100 is used as a packet communication device, but the present invention can be applied to other packet communication devices such as a router.

FIG. 2 shows the network interface 1
It is a block diagram of 02-107.

Network interface 102-1
Reference numeral 07 denotes, for example, a physical interface 201 for connecting to a network, a line disconnection detection unit 202 for detecting whether the network is usable, and a state management unit 203 for managing the state of the network interface.
The physical interface 201 and the state management unit 20
3 are connected to the packet relay unit 101, respectively.

The line disconnection detection unit 202 electrically determines whether a network line (cable) is connected or whether a terminal connected via the line is in a usable state (power-on state). To be detected. In addition, the line disconnection detection unit 202 reports the detected line disconnection to the state management unit 20.
Notify 3. In the present embodiment, line disconnection detecting section 202
In detecting the line disconnection, when the link down state notified from the physical interface 201 continues for 100 ms or more, it is determined that the line is disconnected. In the case where an optical fiber is used as a line, the presence or absence of an optical signal can be used for detecting disconnection of a line, and the presence or absence of a radio wave can be used for detection of disconnection in the case of wireless.

The state management unit 203 manages whether the state of the network interface is “connected state”, “non-connected state”, or “no state”. The user (switch administrator) can use each network interface 1
It is possible to preset the status management units 203 to 02 to 107 so that the status is always “connected” or “no status”. Each network interface 102-
The state of 107 is "disconnected state" if there is a setting by the user, and if there is no setting. Further, when the line disconnection detection unit 202 notifies the state management unit 203 of the line disconnection, the state of the corresponding network interface becomes “non-connection state” when there is no prior setting by the user. Further, the state change instruction packet processing unit 10
9, the state of the corresponding network interface is changed to one of the three states based on the instruction.

Next, the operation of the network system using the packet communication device according to the present invention will be described using the network system shown in FIG. 4 as an example.

FIG. 4 shows the LAN 100 in this embodiment.
FIG. 1 is a configuration diagram of a network system that uses a.

This network system is, for example, L
AN switch 100 (MAC address 22: 22: 0)
0: FF: FF: FF) and the authentication server 401 (MAC address 22: 22: 00: 1) connected to the network interface A102 of the LAN switch 100.
1:11:11) and network interface B
A file server 402 (MAC address 22: 22: 00: 22: 22: 22) connected to the network 103 and network interfaces C104 to F107, respectively, so that the user can freely connect the terminal and use the network. An information outlet 409 and a user terminal 403 (MAC address 22: 22: FF: 00: 00: 01) connected to the network interface C104 via the information outlet 409 are provided.

The authentication server 401 determines whether the user is permitted to use the network, and notifies the LAN switch 100 of the result. In the present embodiment, user authentication is performed using a user ID and a password. The settings of the network interfaces C102 to F107 of the LAN switch 100 are such that the network interface B103 is always set to “connected state” and the network interface A102 is set to “no state”.
No particular setting is made for 4-107. Therefore, the network interfaces C104 to F107 are in the “disconnected state” at the time of initialization (at this time, the learning table 108 of the LAN switch 100 is as shown in FIG. 3).

Next, in this network system, the user terminal 403 (MAC address 22: 22: F
F: 00: 00: 01) is connected to the information outlet 409 connected to the network interface C104.

FIG. 5 is a communication sequence diagram when the user connects the user terminal 403 to the information outlet 409.

First, an unauthenticated user terminal 40
3 accesses the file server 402, the user terminal 403 sends the destination address to the file server 40.
2 MAC address (22: 22: 00: 22: 22:
22) and the source address is M of the user terminal 403
AC address (22: 22: FF: 00: 00: 01)
Is transmitted to the file server.
Here, the LAN switch 10 that has received the packet 501
0 relay processing will be described.

FIG. 6 is a flowchart showing a relay process of the LAN switch 100 for packet reception.

The packet relay unit 101 of the LAN switch 100 having received the packet 501 sends the learning table 108
See The source address (MAC address 22: 22: F of the user terminal 403) included in the packet 501
F: 00: 00: 01) is not registered in the learning table 108, the packet relay unit 101
The address is registered in the address field 301 of one entry of the learning table 108. Further, the packet relay unit 101 registers the name C of the network interface that has received the packet 501 in the transmission port field 302.

FIG. 7 is a configuration diagram (2) of the address learning table 108.

In the address field of entry # 4 of learning table 108, the MAC address of user terminal 403 is registered as the source address as described above, and the network interface C is registered in the transmission port field.

Next, since the MAC address (22: 22: 00: 22: 22: 22) of the file server 402, which is the destination address, is already registered in the learning table 108 (step 602). Based on the contents of the transmission port field 302 of the entry where the destination address of the file server 402 is registered in the learning table 108, the information of the network interface B is acquired as the port to which the packet 501 is to be transmitted (process 603). And the packet relay unit 101
Performs the relay processing of the packet 501 (processing 604).

Here, the process 604 will be described.

FIG. 8 is a flowchart of the process 604.

First, the packet relay unit 101 sets the transmission port (in this case, the network interface B103)
Is determined to be the same as the receiving port (in this case, the network interface C104) (Step 80).
1). Here, since the transmission port and the reception port are different ports, the packet relay unit 101 performs packet relay based on a relay table 901 described later (process 802).

FIG. 9 is a configuration diagram of the relay table 901.

The relay table 901 is a table used to determine whether to relay or discard a packet based on the state of the receiving port and the state of the transmitting port. Here, the reception port (network interface C104) of the LAN switch 100 that receives the packet 501 transmitted from the user terminal 403 is in the “unconnected state”, and the transmission port (network interface B10
Since 3) is “connected”, the relay table 901 indicates “discard”. As a result, the packet 501 is discarded by the packet relay unit 101. As a result, access to the file server 402 from the user terminal 403 that has not been authenticated is avoided.

Next, a case where the user terminal 403 transmits the packet 502 addressed to the authentication server to the authentication server 401 will be described.

The user terminal 403 determines that the destination address is the MAC address of the authentication server 401 (22: 22: 00: 1).
1:11:11) and the source address is the MAC address of the user terminal 403 (22: 22: FF: 0).
0:00:01). The packet relay unit 101 of the LAN switch 100 that has received the packet 502 performs the relay processing according to the flowchart shown in FIG.

First, the MAC address (22: 22: FF: 00: 00: 01) of the user terminal 403 has already been registered in the learning table 108 when the previous packet 501 was received. The process passes through a process 601. Next, the authentication server 40 which is the destination address
1 MAC address (22: 22: 00: 11: 11)
Since 11) has already been registered in the learning table 108 (process 602), the authentication server 4 in the learning table 108
01 based on the contents of the transmission port field 302 of the entry in which the destination address of the packet 50 is registered.
The information of the network interface A is acquired as the port to which the packet No. 2 should be transmitted (process 603). Then, the packet relay unit 101 performs a relay process of the packet 502 (process 604).

Here, the processing 604 will be described again with reference to FIGS.

First, since the transmission port (in this case, the network interface A102) is different from the reception port (in this case, the network interface C104) (process 801), the process proceeds to process 802. Here, since the state of the network interface C104 as the receiving port is “disconnected” and the state of the network interface A102 as the transmitting port is “no state”, the relay table 901 indicates “relay”. As a result, the packet 502 is relayed by the packet relay unit 101 from the network interface A 102 to the authentication server 401.

Further, the packet 503 of the response from the authentication server 401 to the user terminal 403 is similarly relayed. In this case, the status of the network interface A102, which is the reception port of the packet 503, is "no status", and the status of the network interface C104, which is the transmission port, is "disconnected", so that the relay table 901 indicates "relay". Therefore, the packet 503
Is relayed from the network interface C104 to the user terminal 403 by the packet relay unit 101. That is, two-way communication is established between the authentication server 401 and the user terminal 403, and user authentication is performed.

In the authentication server 401, for example, when the user ID and the password 504 included in the packet 502 sent from the user terminal 403 match those of the user who is permitted to use the network,
The connection permission is notified to the AN switch 100. In this connection permission notification, the destination address is the LAN switch 1
00 MAC address (22: 22: 00: FF: F
F: FF) is used. The packet 505 includes a “state change to a connected state”
And the MAC address of the user terminal 403 (22: 22: F
F: 00: 00: 01) is included as information.

L that has received state change instruction packet 505
The packet relay unit 101 of the AN switch 100 refers to the learning table 108. In the learning table 108, the transmission port field 302 in the entry in which the MAC address of the LAN switch 100 itself, which is the destination address of the state change instruction packet 505, is registered indicates "X" (process 602). Therefore, the packet 505 is sent to the state change instruction packet processing unit 109 by the packet relay unit 101 (process 605). The state change instruction packet processing unit 109 obtains the MAC address (2
2: 22: FF: 00: 00: 01) and retrieve this MAC address from the address field 301 of the learning table 108. For the network interface (C in this case) indicated in the transmission port field 302 of the entry in which the MAC address of the user terminal 403 obtained by this search is registered, the state change instruction packet processing unit 109 To "Connected state".

In the network interface C104, the status management unit 203 changes the status from the “non-connection status” to the “connection status”. As a result, the user terminal 40
3 transmits the packet 506 addressed to the file server, the network interface C serving as the receiving port
104 becomes the “connected state”. In this case, since the network interface B103 serving as the transmission port is in the “connected state”, the relay table 901 indicates “relay”. Thus, the user terminal 403 can access the file server 402.

Next, the operation of the LAN switch 100 when the user terminal 403 is disconnected from the information outlet 409 will be described.

When the user disconnects the cable (twisted pair line) from the information outlet 409 and disconnects the user terminal 403, the network interface C104
Physical interface 201 becomes disconnected.
If 100 ms elapses in this state, the line disconnection detection unit 20
2 notifies the state management unit 203 of the line disconnection. The state management unit 203, which has been notified of the line disconnection, changes the state of the network interface C104 to the “disconnected state”.
This allows the new user terminal to use the same information outlet 4
Even if the user terminal is connected to 09, the user terminal cannot access the file server 402 until the user terminal is again authenticated.

As described above, by using the LAN switch 100 of the present embodiment, the user terminal 403 before authentication can be used.
From, access to the file server 402 is blocked, access is enabled after authentication, and after the user terminal 403 leaves, access to the file server 402 is prohibited until another user terminal performs authentication again. A blocked network system can be built. Also,
In the present embodiment, the user terminal 403 connects the information outlet 40 to the network interface C104.
9, the operation of the network interfaces C104 to F107 is the same, and the same effect can be obtained even if the user terminal 403 is connected to an arbitrary information outlet 409.

In this embodiment, the state of the network interface is changed to the “non-connection state” due to the line disconnection.
Is reinitialized. However, the user communicates with the authentication server 401 before leaving to notify the user of the withdrawal, and the authentication server 401 that has received the notification includes the information indicating “change to the non-connected state” and the MAC address of the user terminal 403. The packet is sent to the MAC address (22:
22: 00: FF: FF: FF), and the state of the network interface may be changed to the “non-connection state” by the instruction of the state change instruction packet processing unit 109 that has received the packet. According to this configuration,
The user can control whether to use the network without disconnecting the connection between the user terminal 403 and the information outlet 409. FIG. 10 is a diagram illustrating another configuration of the packet communication device.

The router 1000 includes, for example, a plurality of physical interfaces 1002 to 1007,
001, a plurality of filtering processing units 1012 to 101
7 and a filtering change instruction processing unit 1009. The physical interfaces 1002 to 1007 are connected to different networks, respectively, and transmit and receive packets. The packet relay unit 1001 is an IP (Inter
Net Protocol) relays packets based on the protocol. In the present embodiment, an IP protocol (IPv4 (IP version
4)), the present invention uses, for example, IPv6 (IPv4
It can be applied to other network layer protocols such as ersion 6). In this embodiment, the router 1000 is used as a packet communication device.
The present invention is also applicable to other packet communication devices such as N switches.

FIG. 11 shows a filtering processing unit 1012.
FIG.

Filtering units 1012 to 1017
Includes a filtering table 1101 and a packet processing unit 1102. The filtering table 1101 stores information for determining whether to relay or discard a packet. The packet processing unit 1102 discards a packet or transmits the packet to the packet relay unit 1001 based on the information in the filtering table 1101. The packet sent to the packet relay unit 1001 is sent to the physical interfaces 1002 to 1007. Each filtering table 1101 is connected to a filtering change instruction processing unit 1009, and can change the contents of the filtering table 1101 according to an instruction from the filtering change instruction processing unit 1009.

FIG. 12 shows the filtering table 110
1 is a configuration diagram (1).

The filtering table 1101 stores information for determining whether a packet is to be relayed or discarded.
1, a source address condition field 1202 and a relay / discard flag field 1203. In the destination address condition field 1201 and the source address condition field 1202, an IP address or information meaning "any" is registered. Relay / Discard flag field 1
Information 203 indicates whether a received packet whose destination address and source address match the destination address condition and the source address condition, respectively, should be relayed or discarded. If there is a packet that matches the information of a plurality of entries, the entry near the top of the table is applied to that packet. Further, a packet having no matching entry is sent to the packet relay unit 1001 by the filtering processing unit.

The filtering change instruction processing unit 1009
Communicates with an authentication server 1311 described below via a network, and receives a filtering change instruction from the authentication server 1311. In the present embodiment, telnet is assumed as a communication protocol, but HTTP or COPS is used.
A protocol such as (Common Open Policy Service) may be used. The filtering change instruction includes the contents of the target entry and instructions for addition / deletion. The filtering change instruction processing unit 1009 transmits the physical interface 1 connected to the subnet to which the IP address stored in the source address condition field 1202 belongs.
Filtering processing unit 10 corresponding to 002 to 1007
In the filtering tables 1101 of 12 to 1017,
Reflect that instruction.

FIG. 13 is a configuration diagram of a network system using the router 1000.

This network system includes, for example, the physical interfaces 1002 to 1002 of the router 1000.
07 connected to subnets A1302-
F1307, the authentication server 1311 connected to the subnet A1302, the file server 1322 connected to the subnet B1303, and the subnet C13.
A plurality of information outlets 409 connected to the terminals 04 to F1307, respectively, to which the user can freely connect terminals, and a user terminal 1333 connected to the subnet C1304 via the information outlet 401 are included.

The filtering processing unit A of the router 1000
Nothing is registered in each of the filtering tables 1101 in 1012 and B1013 in the initial state.
The same contents as those shown in FIG. 12 are set in the respective filtering tables 1101 in the filtering processing units C1014 to F1017.

Next, a case where the user terminal 1333 is connected to the information outlet 409 connected to the subnet C 1304 in this network system will be described.

FIG. 14 shows that the user terminal 13
FIG. 14 is a communication sequence diagram when the connection is made to an information outlet 409.

User terminal 1333 that has not been authenticated
Has access to the file server 1322, the IP address of the file server 1322 (192.168.
2.2) A packet 1401 addressed to the file server addressed to is transmitted. In this case, the packet 1401
Is sent to the filtering processing unit C1014 via the physical interface C1004. As shown in FIG. 12, in the filtering table 1101 of the filtering processing unit C1014, the entry whose contents of the destination address condition field 1201 correspond to the destination address included in the packet 1401 is the entry of # 2. The filtering processing unit C1014 refers to the entry of # 2 in the filtering table 1101, and checks the contents of the source address condition field 1202 and the relay / exhaust flag field 1203. The contents of the relay / exhaust flag field 1203 in the entry of # 2 in the filtering table 1101 indicate "discard". Therefore, the filtering processing unit C1014 determines the packet 1401 according to the contents of the filtering table 1101.
Discard. Therefore, the user terminal 1 that has not been authenticated
The packet 1401 transmitted by 333 does not reach the file server 1322.

Next, the operation when the user terminal 1333 is authenticated and accesses the file server 1322 will be described.

The user terminal 1333 receives the IP address (192.16) of the authentication server 1311 in order to be authenticated.
8.1.1). The packet 1402 is received by the physical interface C1004 of the router 1000, and is received by the filtering processing unit C101.
4 The filtering processing unit C1014 sends the filtering table 11
01 is searched. In this case, the contents of the destination address condition field 1201 of both entries # 1 and # 2 of the entries of the filtering table 1101 correspond to the destination address included in the packet 1401. Therefore, the entry of # 1 registered at the top of the table is applied to the packet 1402. The contents of the relay / exhaust flag field 1203 in the entry of # 1 in the filtering table 1101 indicate "relay". Therefore, the filtering processing unit C 1014 that refers to the entry # 1 in the filtering table 1101 sends the packet 1402 to the packet relay unit 1001 according to the contents of the relay / exhaust flag field 1203. The packet 1402 is relayed by the packet relay unit 1001 from the physical interface A 1002 to the authentication server 1311. Thereby, communication from the user terminal 1333 to the authentication server 1311 is established.

The authentication server 1311 sends the user terminal 133
3 is received by the physical interface A1002 and sent to the filtering processing unit A1012. Filtering processing unit A1
Nothing is registered in the filtering table 1101 of 012. Therefore, the packet 1403 is sent from the filtering processing unit A 1012 to the packet relay unit 1001. The packet relay unit 1001 transmits the packet 1403 from the physical interface C 1004 to the user terminal 13.
33. Thereby, two-way communication between the user terminal 1333 and the authentication server 1311 is established, and the user terminal 1333 can be authenticated by the authentication server 1311.

The packet 1403 is transmitted to the user terminal 1433
Requesting transmission of a user ID and a password.
Therefore, the user terminal 133 that has received the packet 1403
The user inputs a user ID and a password with respect to 3. A packet 1404 including the input user ID and password is transmitted from the user terminal 1333 to the authentication server 131.
Sent to 1. The packet 1404 is relayed by the router 1000 as described above and received by the authentication server 1311. The authentication server 1311 includes the user terminal 133
When the user ID and the password included in the packet 1404 sent from the router 3 match those of the user who is permitted to connect to the network, the router communicates with the filtering change instruction processing unit 1009 of the router 1000, and The content of the destination address condition field 1201 is “arbitrary”, the content of the source address condition field 1202 is “192.168.3.3” which is the IP address of the user terminal 1333, and the content of the relay / discard flag field 1203 is “ An instruction 1405 is added to add an entry “relay”.

FIG. 15 shows the filtering table 110.
1 is a configuration diagram (2) of FIG.

Filtering change instruction processing unit 1009
Indicates that the subnet (subnet C1304) to which the source address condition “192.168.3.3” specified by the authentication server 1311 belongs is the physical interface C1.
004, the filtering unit C1
The designated entry is added to the filtering table 1101 of 014. As a result, as shown in FIG. 15, the filtering table 1101 of the filtering processing unit C1014 has a new entry # 1.
, And the entries # 1 to # 3 are registered in the filtering table 1101.

After that, when the user terminal 1333 transmits a packet 1406 addressed to the file server 1322, the source address included in the packet 1406 matches the filtering table 110 of the filtering processing unit C1014.
1 corresponds to the source address condition of the entry of # 1. Therefore, the packet 1406 is sent from the filtering processing unit C1014 to the packet relay unit 1001,
The file is relayed to the file server 1322. As a result, the user terminal 1333 can access the file server 1322.

As described above, by using the router 1000, access to the file server 1322 from the user terminal 1333 that has not been authenticated by the authentication server 1311 is prevented, and after the user terminal 1333 has been authenticated, A network system in which access from 1333 to the file server 1322 is permitted can be constructed. Each of the physical interfaces 1002 to 1007 of the router 1000 can handle a plurality of information outlets 409. Further, by providing an individual filtering processing unit for each physical interface, the load of the filtering processing in the router 1000 can be distributed.

FIG. 16 is a diagram showing another configuration of the packet communication device.

The LAN switch 1600 includes, for example, a packet relay unit 1601, a plurality of network interfaces 1602 to 1605, an address learning table 160
6, a filtering table 1607 and a status change instruction packet processing unit 1608. Names (A to D in the figure) are assigned to the network interfaces 1602 to 1605 to uniquely identify each of them. Note that the name may be a number or the like as long as it can be uniquely identified.

These network interfaces 1
Reference numerals 602 to 1605 are connected to different networks and transmit and receive packets. The network is an IEEE 802.3 network.
In the following description, the network interface A1602 is referred to as “uplink”, and the network interfaces B1603 to D1605 are referred to as “downlink”.

The packet relay unit 1601 relays packets between networks based on information held in the address learning table 1606 and the filtering table 1607. The state change instruction packet processing unit 1608 includes:
Upon receiving a state change instruction packet from the authentication server 1901 described later, the contents of the filtering table 1607 and the learning table 1606 are changed. The status change instruction packet includes an IP address and information indicating “permission / prohibition”.

FIG. 17 shows the filtering table 160
7 is a configuration diagram of FIG.

[0097] In the filtering table 1607, information for identifying packets for which relaying is not permitted is registered. Each entry of the filtering table 1607 includes a MAC address field 1701,
Address field 1702, connection port field 1
703. In the MAC address field 1701, the MAC address to be filtered is
In the address field 1702, the IP address corresponding to the MAC address is stored in the connection port field 17.
In 03, the names of the network interfaces 1602 to 1605 connected to the network to which the user terminal having the MAC address belongs are registered.

FIG. 18 is a configuration diagram (1) of the learning table 1606.

In the learning table 1606, information on a packet relay destination network interface is registered. Each entry of the learning table 1606 is M
An AC address field 1801 and a connection port field 1802 are included. MAC address field 180
1 indicates the MAC address to be relayed, and the connection port field 1802 indicates the destination MA included in the packet.
The names of the network interfaces 1602-1605 to which a packet whose C address matches the content of the MAC address field are to be relayed are registered. In addition, an entry that has not been used for a predetermined time is set to be automatically deleted from the learning table 1606.

Next, the operation of the network system using the LAN switch 1600 will be described using the network shown in FIG. 19 as an example.

FIG. 19 is a configuration diagram of a network system using the LAN switch 1600.

This network system is, for example, L
A user connected to each of the downlink network interfaces B1603 to D1605 via the AN switch 1600, the networks A to D connected to each of the network interfaces 1602 to 1605 of the LAN switch 1600, and the networks B to D, respectively. Multiple information outlets 40 to which terminals can be freely connected
9, a user terminal 1905 connected to the network B via the information outlet 409, a router 1904 connected to the uplink network interface A via the network A, and a file connected to the router 1904 via the network. Server 1902, D
An HCP server 1903 and an authentication server 1901 are included.

The router 1904 has a BOOTP relay agent function and relays packets based on the IP protocol. DHCP server 1903 uses DHCP
The IP address is distributed to the user terminal based on the protocol. The authentication server 1901 notifies the LAN switch 1600 of the result of the user authentication as a status change instruction packet. In this network system, devices connected to each network are provided with I
A P address is assigned (an address indicated as an IP address in the figure). The interface of each device connected to each network has a physical address (hereinafter referred to as MAC
Address) is set. The MAC address required in the following description is described as “MAC address” in the figure.

Next, a case where the user terminal 1905 is connected to the information outlet 409 of the network B will be described.

FIG. 20 is a communication sequence diagram when the user terminal 1905 is connected to the information outlet 409 of the network B.

In the initial state, nothing is registered in the filtering table 1607 of the LAN switch 1600. The learning table 1606 stores one MAC address (22: 22: 00: 44: 44: 44) of the router 1904 in the MAC address field 1801 and the name of the network interface A 1602 in the connection port field 1802. Have an entry.

First, when the user terminal 1905 is connected to the information outlet 409, an address request packet 2 for requesting an IP address by the DHCP protocol is used.
001 is transmitted. In this case, the user terminal 1905 transmits the destination address of the packet 2001 as a broadcast address. The packet 2001 is transmitted to the network interface B1603 of the LAN switch 1600.
And transmitted to the packet relay unit 1601.

The relay processing of the LAN switch 1600 that has received the packet 2001 will be described.

FIG. 21 is a flowchart showing a relay process of the packet relay unit 1601 of the LAN switch 1600 for receiving a packet.

Upon receiving the packet 2001, the packet relay unit 1601 searches whether the destination address of the packet 2001 is registered in the learning table 1606 (processing 2101). Since the destination address is not registered in the learning table 1606, it is determined whether the destination address is a broadcast address (process 2102). Since the destination address is a broadcast address, it is determined whether the receiving port is an uplink (process 2103). Since the receiving port is the network interface B 1603 and is not an uplink, it searches whether the source address of the packet 2001 is registered in the learning table 1606 (processing 2104). User terminal 190 that is the source address
5 MAC address (22: 22: FF: 00: 00:
01) is not registered in the learning table 1606. Since this source address is not registered in the filtering table 1607, the packet relay unit 1601
Is the MAC address of the user terminal 1905 (22:22:
FF: 00: 00: 01) to filtering table 1
MAC address field 1 of one entry 607
701 (step 2105).

In this case, as shown in FIG. 17, information indicating “unregistered” is stored in the IP address field 1702 of the entry of the filtering table 1607, and the name “B” of the network interface B 1603 is stored in the connection port field 1703, respectively. be registered.

Then, the packet relay section 1601 relays the packet 2001 only to the uplink, and
4 (processing 2105).

Since the packet 2001 is an address request packet, it is relayed to the DHCP server 1903 by the BOOTP relay agent function of the router 1904.

In FIG. 20, a DHCP server 1903
The address distribution packet 2002 transmitted from the router 1904 is transmitted to the MAC address (22: 2) of the user terminal 1905 by the BOOTP relay agent function of the router 1904.
2: FF: 00: 00: 01).

The packet 2002 is sent to the LAN switch 160
0 is received by the network interface A 1602 and sent to the packet relay unit 1601. The packet relay unit 1601 relays the packet 2002 according to the flowchart shown in FIG. The packet relay unit 1601 stores the MAC address of the user terminal 1905, which is the destination address of the packet 2002, in the learning table 1
A search is made as to whether or not it is registered in 606 (process 2101).
Since the destination address is not registered in the learning table 1606, it is determined whether the destination address is a broadcast address (process 2102). Since the destination address is not a broadcast address, it is searched whether the destination address is registered in the filtering table 1607 (processing 2).
106). Since the MAC address of the user terminal 1905 is registered in the filtering table 1607, it is determined whether the receiving port is an uplink (process 2107). The receiving port of the packet 2002 is the network interface A 1602, and the packet 2002 is the uplink. It is determined whether the communication protocol is an IP protocol (processing 2108). Since the communication protocol is the IP protocol, it is determined whether the source IP address included in the packet 2002 is the IP address of the relay agent (router 1904) or the authentication server (process 210).
9). Since the source IP address is the IP address of the relay agent (router 1904), the packet relay unit 1601 relays the packet 2002. In this case, the packet relay unit 1601 refers to entry # 1 of the filtering table 1607 in which the destination address of the packet 2002 matches the contents of the MAC address field 1701. Connection port field 1703 of entry # 1
Since the name of the network interface B1603 is registered in the packet interface 1601, the packet relay unit 1601 transmits the packet 2002 to the network interface B1603.
To be transmitted from the network interface B 1603 (process 2110). As a result, the address distribution packet 2002 is sent to the user terminal 1905. Here, the DHCP server 1 is connected to the user terminal 1905.
The IP address distributed from 903 is “192.16.
8.5.1. "

Next, a case where the user terminal 1905 attempts to access the file server 1902 without being authenticated by the authentication server will be described. However, IP is used as a protocol for access.

In the network system shown in FIG. 19, the file server 1902 (IP address 19
2.168.1.2) and the user terminal 1905 (IP address 192.168.5.1) have different subnets to which they are connected. Therefore, the user terminal 1905
Transmitted to access the file server 1902, the IP address of the file server 1902 (192.168.
1.2), and the router 19 as the destination MAC address.
04 MAC address (22: 22: 00: 44: 4)
4:44). The packet 2003 has the user terminal 19
05, and received by the network interface B 1603 of the LAN switch 1600. The network interface B receives the packet 2003
To the packet relay unit 1601.

The processing of the packet relay unit 1601 of the LAN switch 1600 that has received the packet 2003 will be described with reference to the flowchart shown in FIG.

Upon receiving the packet 2003, the packet relay unit 1601 searches whether the destination MAC address of the packet 2003 is registered in the learning table 1606 (processing 2101). Router 1 which is the destination MAC address
The MAC address 904 is registered in the learning table 1606. Therefore, the packet relay unit 1601 checks whether the communication protocol of the packet 2003 is the IP protocol and whether the source MAC address included in the packet 2003 is registered in the filtering table 1607 (processing 2111). Packet 2003
Is the IP protocol, and the MAC address of the user terminal 1905, which is the source MAC address, is registered in the filtering table 1607. Therefore, the packet relay unit 1601 determines the M of the user terminal 1905 in the filtering table 1607.
The source IP address included in the packet 2003 is registered in the IP address field 1702 of the entry in which the AC address is registered (step 2111).
In this case, as shown in FIG. 17, information indicating “unregistered” is originally registered in the IP address field 1702 of the entry in the filtering table 1607 in which the MAC address of the user terminal 1905 is registered. , The information is changed to the source IP address included in the packet 2003. The source IP address included in the packet 2003 is DH
The IP address (192.168.5.1) distributed from the CP server 1903 to the user terminal 1905.

Thereafter, the packet relay unit 1601 relays the packet 2003 to the uplink according to the contents of the connection port field 1802 in the entry where the destination MAC address is registered in the learning table 1606. The packet 2003 is transmitted from the uplink to the router 19
04. The packet 2003 is relayed to the file server 1902 by the router 1904 based on the specification of the IP protocol.

The file server 1902 stores the packet 20
When receiving “03”, a packet 2004 including the data requested by the user terminal 1905 is transmitted as a response packet. The packet 2004 is received by the router 1904, relayed, and sent to the LAN switch 1600. The network interface A 1602 of the LAN switch 1600 receives the packet 2004 and sends it to the packet relay unit 1601.

Next, the LAN that has received the packet 2004
The processing of the packet relay unit 1601 of the switch 1600 will be described with reference to the flowchart shown in FIG.

First, the packet 2004 has the MAC address (2) of the user terminal 1905 as the destination MAC address.
2: 22: FF: 00: 00: 01), and the IP address of the user terminal 1905 (192.
168.5.1), the IP address of the file server 1902 (192.168.1.
2).

[0124] The packet relay unit 1601
A search is performed to determine whether the MAC address of the user terminal 1905, which is the destination MAC address of the user terminal 04, is registered in the learning table 1606 (processing 2101). Since the destination MAC address is not registered in the learning table 1606, the destination MA
It is determined whether the C address is a broadcast address (processing 2102). Since the destination MAC address is not a broadcast address, it is searched whether the destination MAC address is registered in the filtering table 1607 (processing 2106). Since the MAC address of the user terminal 1905 is registered in the filtering table 1607, it is determined whether the receiving port is an uplink (step 210).
7) Since the receiving port of the packet 2004 is the network interface A1602 and is the uplink, it is determined whether the communication protocol of the packet 2004 is the IP protocol (processing 2108). Communication protocol is IP
Since the protocol is a protocol, the source IP address included in the packet 2004 is the relay agent (router 190
4) Or it is determined whether it is the IP address of the authentication server (processing 2109). The source IP address is the file server 19
Since the IP address is 02, the packet 2004 is discarded (processing 2109). That is, the packet 2004 is LA
It is not transmitted from the N switch 1600 to the user terminal 1905. Therefore, access from the user terminal 1905 to the file server 1902 is not established.

Next, the user terminal 1905 is connected to the authentication server 1
A case where authentication is received from 901 will be described.

The user inputs a user ID and a password to the user terminal 1905 in order to be authenticated by the authentication server 1901. The user terminal 1905 transmits a packet 2005 including the input user ID and password to the authentication server 1901. In this case, the authentication server (IP address 192.168.1.1) and the user terminal 1905 (IP address 192.168.5.
The subnet to which each of 1) belongs is different. For that reason,
The packet 2005 has the IP address of the authentication server 1901 (192.168.1.1) as the destination IP address.
And the M of the router 1904 as the destination MAC address.
AC address (22: 22: 00: 44: 44: 44)
including. The packet 2005 is transmitted from the user terminal 1905 and received by the network interface B 1603 of the LAN switch 1600. The network interface B sends the received packet 2005 to the packet relay unit 1601.

The processing of the packet relay unit 1601 of the LAN switch 1600 that has received the packet 2005 will be described with reference to the flowchart shown in FIG.

Upon receiving the packet 2005, the packet relay unit 1601 searches whether the destination MAC address of the packet 2005 is registered in the learning table 1606 (processing 2101). Router 1 which is the destination MAC address
The MAC address 904 is registered in the learning table 1606. Therefore, the packet relay unit 1601 checks whether the communication protocol of the packet 2005 is the IP protocol and whether the source MAC address included in the packet 2005 is registered in the filtering table 1607 (processing 2111). Packet 2005
Is the IP protocol, and the MAC address of the user terminal 1905, which is the source MAC address, is registered in the filtering table 1607. Further, the source IP address included in the packet 2005 is also registered in the filtering table 1607. Therefore, the packet relay unit 1601 relays the packet 2005 to the uplink according to the contents of the connection port field 1802 in the entry where the destination MAC address is registered in the learning table 1606.
The packet 2005 is sent from the uplink to the router 1904. The packet 2005 is relayed to the authentication server 1901 by the router 1904 based on the specification of the IP protocol.

The authentication server 1901 is connected to the user terminal 190
User ID included in packet 2005 sent from 5
If the password and the password belong to a user who is permitted to use the network, the status change instruction notification packet 20
06 to the status change instruction notification packet processing unit 1608 of the LAN switch 1600. This status change instruction notification packet 2006 includes the IP address (192.168.5.1) of the user terminal 1905 and information indicating “permission”. The status change instruction notification packet 2006 is relayed by the router 1904 to the LAN switch 1600. The network interface A 1602 of the LAN switch 1600 sends a status change instruction notification packet 2006
And sends it to the state change instruction notification packet processing unit 1608 via the packet relay unit 1601. Upon receiving the status change instruction notification packet 2006, the status change instruction notification packet processing unit 1608 receives the status change instruction notification packet 200.
IP address included in No. 6 (192.168.5.1)
From the filtering table 1607. The status change instruction notification packet processing unit 1608 determines the IP address (192.16) from the filtering table 1607.
8.5.1) is found, and from the MAC address field 1701 and connection port field 1703 of the entry, the MAC address (22:
22: FF: 00: 00: 01) and the name (B) of the connection port. State change instruction notification packet processing unit 1
A learning table 1606 stores a new entry in which the read MAC address and the name of the connection port are registered.
Add to

FIG. 22 is a configuration diagram (2) of the learning table 1606. As shown in FIG. 22, the learning table 22 stores the MAC address (22:
22: FF: 00: 00: 01) and the name of the connection port (B).

After the authentication of the authentication server 1901, when the user terminal 1905 transmits a packet 2007 to access the file server 1902 again, the packet 2007 is relayed by the LAN switch 1602 and the router 1904 and transmitted to the file server as described above. It is sent to 1902.

The file server 1902 stores the packet 20
07, the packet 2008 including the data requested by the user terminal 1905 is transmitted as a response packet. The packet 2008 is received by the router 1904, relayed, and sent to the LAN switch 1600. The network interface A 1602 of the LAN switch 1600 receives the packet 2008 and sends it to the packet relay unit 1601. The packet relay unit 1601 that has received the packet 2008 performs the following processing according to the flowchart shown in FIG.

The packet 2008 has the MAC address (22: 2) of the user terminal 1905 as the destination MAC address.
2: FF: 00: 00: 01), the IP address (192.16) of the user terminal 1905 as the destination IP address
8.5.1), the IP address of the file server 1902 (192.168.1.2) as the source IP address
including.

The packet relay section 1601 stores the packet 20
A search is performed to determine whether the MAC address of the user terminal 1905, which is the destination MAC address 08, is registered in the learning table 1606 (processing 2101). The destination MAC address is the MAC address of the user terminal 1905 (22; 22: F
F: 00: 00: 01), it is registered in the learning table 1606 as shown in FIG. Therefore, the packet relay unit 1601 checks whether the communication protocol of the packet 2008 is the IP protocol and whether the source MAC address included in the packet 2008 is registered in the filtering table 1607 (step 2111). Since the communication protocol of the packet 2008 is the IP protocol, and the MAC address of the router 1904, which is the source MAC address, is not registered in the filtering table 1607, nothing is registered in the filtering table 1607. Then, the packet relay unit 1601 relays the packet 2008 to the network interface B 1603 according to the contents of the connection port field 1802 in the entry where the destination MAC address is registered in the learning table 1606. The packet 2008 is sent from the network interface B 1603 to the user terminal 1905.
As a result, the user terminal 1905 sends the file server 1
Access to 902 is established.

After the authentication, if the user terminal 1905 has not communicated with the file server for a certain period of time, the entry (entry # 2) in the learning table 1606 is automatically deleted. Therefore, until the user terminal 1905 is again authenticated by the authentication server, the file server 1902
Will no longer have access to Also, DHCP server 1
In the address distribution according to 903, the expiration date of the distributed address is usually set. For this reason, DH
The CP server 1903 sends a timeout notification 2009 to the authentication server 1901 when a predetermined time has elapsed since the address distribution to the user terminal 1905 and the expiration date of the address has passed. Upon receiving the timeout notification 2009, the authentication server sets the IP address whose expiration date has passed (in this case, 192.168.5.1) and “prohibited”
Is transmitted to the status change instruction notification packet processing unit 1608 of the LAN switch 1600. The status change instruction notification packet 2010 is transmitted from the router 1904 to the LAN switch 1.
It is relayed to 600. The network interface A 1602 of the LAN switch 1600 receives the status change instruction notification packet 2010 and sends it to the status change instruction notification packet processing unit 1608 via the packet relay unit 1601. Upon receiving the state change instruction notification packet 2010, the state change instruction notification packet processing unit 1608 receives the IP address (19) included in the state change instruction notification packet 2010.
2.168.5.1) to the filtering table 160
Search from 7. Status change instruction notification packet processing unit 16
08 finds an entry in which the IP address (192.168.5.1) is registered from the filtering table 1607, and finds the MAC address (22: 22: FF:
00:00:01). The status change instruction notification packet processing unit 1608 further searches the learning table 1606 for the read MAC address, and finds an entry in which the MAC address is registered. The status change instruction notification packet processing unit 1608 deletes the found entries from both the filtering table 1607 and the learning table 1606. As a result, the user terminal 1905 cannot access the file server 1902 unless it is again authenticated.

As described above, by using the LAN switch 1600, the user terminal 1905 which has not been authenticated can be used.
Thus, a network system in which access to the file server 1902 from the file server 1902 is prevented and access from the authenticated user terminal 1905 to the file server 1902 is permitted can be constructed. In addition, when the user terminal connected to the information outlet has not communicated for a certain period of time or when the expiration date of the address distributed to the user terminal has passed,
Automatically change the table in the AN switch 1600,
File server 1 until the user terminal is again authenticated
Access to 902 can also be prevented.

FIG. 23 is a configuration diagram of a network system using a router 2300 as a packet communication device.

The router 2300 includes, for example, a plurality of network interfaces A2302 to D2305, a packet relay unit 2301, and an IP address registration table 2306.

The packet relay unit 2301 relays a packet based on the IP protocol. The packet relay unit 2301 performs encapsulation processing on a packet from a user terminal having an IP address not registered in the IP address registration table 2306. The network interfaces A2302 to D2305 are connected to different networks, respectively, and transmit and receive packets. IP
The IP address of the authenticated user terminal is registered in the address registration table 2306.

The network system includes, for example, a router 2300 and an authentication server 2310 and a file server 2 connected to the network interface A 2302 of the router 2300 via the network A.
311 and network interface B 2303-
D2305 includes a plurality of information outlets 409 which are connected via networks BD to D, respectively, to which a user can freely connect a terminal, and a user terminal 2312 which is connected to network B2313 via information outlet 409. The authentication server 2310 performs user authentication, notifies the router 2300 of the result, and transmits and receives an encapsulated packet described later.

Next, a case where the user terminal 2312 is connected to the information outlet 409 connected to the network B 2313 in this network system will be described.

FIG. 27 is a configuration diagram of the IP address registration table 2306 in the initial state. FIG. 24 is a communication sequence diagram when the user connects the user terminal 2312 to the information outlet 409.

When the user terminal 2312 is connected to the authentication server 2310
A case will be described in which an attempt is made to access the file server 2311 without being authenticated by.

Unauthenticated user terminal 2312
Accesses the file server 2311, the IP address of the file server 2311 (192.168.
10.2). In this case, the packet 2400 is received by the network interface B 2303 of the router 2300 and sent to the packet relay unit 2301. The packet relay unit 2301
Receiving the packet 2400 from the user terminal 2312,
Perform relay processing.

FIG. 25 is a flowchart showing a relay process of the packet relay device 2301 of the router 2300.

Upon receiving packet 2400, packet relay section 2301 determines whether the destination address of packet 2400 is an encapsulation address of router 2300 (step 2501). The destination address of the packet 2400 is the IP address of the file server 2311 and is not a router encapsulation address. Therefore, packet 24
It is searched whether the source address of 00 is registered in the IP address registration table 2306 (step 2502). The IP address of the user terminal 2312 that is the source address is IP
Since the packet is not registered in the address registration table 2306, the packet relay unit 2301 encapsulates the packet 2400 (Step 2503).

Here, “encapsulation” means that the entire packet 2400 including the IP header is regarded as one data,
For this data, the authentication server 2
310 encapsulation addresses (192.168.10
0.100) and the encapsulation address of the router 2300 (192.168.100.10) as the source address.
A new packet (encapsulated packet) is created by adding an IP header including 1). Therefore, the encapsulated packet is transmitted to the authentication server 2310 regardless of the original destination address (for example, the IP address of the file server 2311) (process 2504).

Here, the process of the authentication server 2310 that has received the encapsulated packet will be described.

FIG. 26 is a flowchart showing the processing of the authentication server 2310 which has received a packet.

Upon receiving the encapsulated packet, authentication server 2310 determines whether the destination address of the packet is the address for encapsulation of the authentication server (step 260).
1). Since the destination address of the encapsulated packet is the encapsulation address of the authentication server, it is determined whether the source address of the packet is the encapsulation address of the router 2300 (process 2602). Since the source address is the address for encapsulation of the router, the encapsulation of the received packet is released, and the original packet 2400 is restored (processing 2603). To unencapsulate,
Remove the IP header from the encapsulated packet,
This is to extract the unencapsulated packet 2400 included as data in the encapsulated packet.

Next, authentication server 2310 determines whether or not the destination address of decapsulated packet 2400 is the IP address of the authentication server (step 2604).
The destination address of the packet 2400 is the file server 23
11 of the authentication server 2310
Not a P address. Therefore, the authentication server 2310 discards the packet 2400.

As a result, the user terminal 2312 that has not been authenticated cannot access the file server 2311.

Next, the user terminal 2312 is connected to the authentication server 2
24 and 25 regarding the case of receiving authentication from the user 310
This will be described with reference to FIG.

The user inputs a user ID and a password to the user terminal 2312 in order to be authenticated by the authentication server 2310. The user terminal 2312 transmits a packet 2401 including the input user ID and password to the authentication server 2310. The packet 2401 is transmitted to the network interface B 2303 of the router 2300.
Is received. Network interface B230
3 transmits the received packet 2401 to the packet relay unit 230
Send to 1.

Router 230 receiving packet 2401
The process of the packet relay unit 2301 of 0 will be described with reference to the flowchart shown in FIG.

Upon receiving the packet 2401, the packet relay unit 2301 determines whether the destination address of the packet 2401 is an encapsulation address of the router 2300 (process 2501). The destination address of the packet 2401 is the IP address of the authentication server 2310, not the encapsulation address of the router. Therefore, the packet 2401
A search is made as to whether the source address of the is registered in the IP address registration form 2306 (step 2502). Since the IP address of the user terminal 2312, which is the source address, is not registered in the IP address registration table 2306, the packet relay unit 2301 encapsulates the packet 2401 (process 2503). Then, the packet relay unit 2301
The encapsulated packet is transmitted to the authentication server 2310 (process 2504).

As shown in FIG. 26, the authentication server 23
Upon receiving the encapsulated packet, the 10 determines whether the destination address of the packet is the encapsulation address of the authentication server (step 2601). Since the destination address of the encapsulated packet is the encapsulation address of the authentication server, the source address of the packet is
It is determined whether the address is an encapsulation address of 0 (step 26).
02). Since the source address is the encapsulation address of the router, decapsulate the received packet,
The original packet 2401 is taken out (process 2603).
Next, the authentication server 2310 determines whether the destination address of the decapsulated packet 2401 is the IP address of the authentication server (Step 2604). Packet 24
Since the destination address of 01 is the IP address of the authentication server 2310, authentication is performed (step 2605). In the authentication process, the authentication server 2310 compares whether the user ID and the password included in the packet 2401 match those of the user who has been given permission to use the network, and if they match, the authentication of the user terminal 2312 is successful. Is generated, and the packet 2402 is further encapsulated and transmitted (process 2606).
The packet 2402 has the user terminal 23 as the destination address.
It has an IP header containing 12 IP addresses. The encapsulation by the authentication server 2310 is performed by encapsulating an address (192.16) of the router 2300 as a destination address.
8.100.101), the encapsulation address of the authentication server 2310 (192.168.
100.100) in the packet 240
2 to create a new packet (encapsulated packet). Therefore, the encapsulated packet is transmitted to the router 2300.

The encapsulated packet is received by the network interface A 2302 and sent to the packet relay section 2301. According to the flowchart shown in FIG. 25, the packet relay unit 2301 determines whether the destination address of the received packet is the router encapsulation address (process 2501). Since the destination address is the encapsulation address of the router 2300, it is determined whether the source address is the encapsulation address of the authentication server 2310 (step 2505). Since the source address is the encapsulation address of the authentication server 2310, the packet relay unit 2301 releases the encapsulation of the received packet and extracts the original packet 2402 (Process 2).
506). Then, the packet relay unit 2301 relays the packet 2402 (processing 2507), and the user terminal 23
12 is transmitted.

If the authentication of the user terminal 2312 succeeds, the authentication server 2310 sends the IP address (192.16) of the user terminal 2312 to the router 2300.
8.3.3) is transmitted to the IP address registration table 2306.

The packet 2403 is received by the network interface A 2302,
It is sent to 301. Upon receiving the packet 2403, the packet relay unit 2301 stores the user terminal 2 in the IP address registration table 2306 according to the instruction of the packet 2403.
The IP address 312 (192.168.3.3) is registered.

Then, the case where the user terminal 2312 accesses the file server 2311 will be described.

The user terminal 2312 is connected to the file server 2
In order to access 311, a packet 2404 addressed to the IP address (192.168.10.2) of the file server 2311 is transmitted. The packet 2404 is sent to the router 2
The packet is received by the network interface B 2303 and is sent to the packet relay unit 2301.

As shown in FIG.
Upon receiving the packet No. 4, the packet relay unit 2301 determines whether the destination address of the packet 2404 is the encapsulation address of the router 2300 (step 2501). Packet 24
04 is the IP address of the file server 2311.
Address, not the encapsulation address of the router. Therefore, the source address of the packet 2404 is IP
It is searched whether it is registered in the address registration table 2306 (process 2502). User terminal 2 that is the source address
Since the IP address 312 is registered in the IP address registration table 2306, the router relay unit 2301
Then, the packet 2404 is transmitted to the file server 2311 (step 2508).

The file server 2311 stores the packet 24
When receiving the packet 04, the packet 2405 including the data requested by the user terminal 2312 is transmitted as a response packet. The packet 2405 is received by the network interface A 2302 and sent to the packet relay unit 2301. The packet relay unit 2301 determines whether the destination address of the packet 2405 is an encapsulation address of the router 2300 (process 2501). The destination address of the packet 2405 is the IP address of the user terminal 2312.
Address, not the encapsulation address of the router. Therefore, the source address of the packet 2405 is IP
It is searched whether it is registered in the address registration table 2306 (process 2502). The address (192.168.10.2) of the file server 2311 as the transmission source address is registered in the IP address registration table 2306. Therefore, the router relay unit 2301 relays the packet 2405 (processing 2508), and transfers the packet 2405 to the user terminal 23.
12 is transmitted. Thus, after the user terminal 2312 has been authenticated by the authentication server 2310, the user terminal 2312 can access the file server 2311.

The authentication server 2310 is connected to the user terminal 231
After the successful authentication of ICMP2, ICMP (Internet Control Message Protocol) is periodically sent to the user terminal 2312.
An ICMP echo request 2406 according to l) is transmitted, and it is confirmed that an ICMP echo reply 2407 as response data to the ICMP echo request 2406 is returned from the user terminal 2312.

Within a certain period of time after transmitting the ICMP echo request 2406, the ICM
If the P echo reply 2407 has not been sent, the authentication server 2310 sends a packet instructing the router 2300 to delete the IP address (192.168.3.3) of the user terminal 2312 from the IP address registration table. The packet is sent to network interface A
The packet is received by the packet 2302 and sent to the packet relay unit 2301. Upon receiving the packet, the packet relay unit 2301 deletes the IP address (192.168.3.3) of the user terminal 2312 from the IP address registration table 2306 according to the instruction given by the packet. As a result, the user terminal 2312 cannot access the file server 2311 until the user terminal 2312 is again authenticated.

As described above, by using the router 2300, access from the unauthenticated user terminal 2312 to the file server 2311 is prevented, and access from the authenticated user terminal 2312 to the file server 2311 is permitted. Network system can be constructed. Also, the authentication server 2310 periodically transmits the ICMP echo reply 24 from the user terminal 2311.
07, the user terminal 2311
When the user leaves the network or stops using the network, the IP address of the user terminal
It can be automatically deleted from the P address registration table 2306 to prevent the user terminal 2311 from accessing the file server 2311.

FIG. 28 shows a plurality of packet communication devices A to C.
FIG. 1 is a configuration diagram of a network system in which a plurality of networks are connected by 2801 and a router 2820.

This network system includes, for example, packet communication devices A to C 2801, a router 2820 connected to each of the packet communication devices A to C 2801, and a router 2820 via a network (IP subnet).
20, servers A to C 2803, a filtering state management device 2802, a DHCP server 2807,
An information outlet system 2830 including one or more networks (IP subnets) connected to each of the packet communication devices A to C2801, and an information outlet system 28
30 and one or more user terminals 2806 connected to any of the networks. Each packet communication device A
C2801 includes an address learning table 2811, a non-target address table 2812, and an authentication address table 2813.
Relaying or filtering (discarding) of a packet sent from the user terminal 2806 connected to “0”.
Each of the packet communication devices A to C2801 is a LAN switch that relays a packet in the data link layer of the OSI reference model. Each of the packet communication devices A to C2801 is a DH
Each connected IP with CP relay agent function
It is assumed that it has an IP address corresponding to the subnet.

Each of the servers A to C 2803 includes a user authentication unit 2804 and an authentication state detection unit 2805.
The user authentication unit 2804 includes a user account 2840 for storing information for identifying a user. The authentication status detection unit 2805 includes a subnet table 2814.
The user authentication unit 2804 is realized as software executed by each of the servers A to C 2803 (personal computer). As the user authentication unit 2804,
The login function of the OS (Operating System) is used, but another authentication method, for example, a WWW (World Wide Web) page that allows the user to input a password may be used. When a plurality of user authentication units 2804 exist in the network system, all of them may perform the same type of user authentication, or each may perform a different type of user authentication. Authentication state detector 28
05 is also realized as software executed by each of the servers A to C2803. User authentication unit 2804
When authentication (login) is performed, the user authentication unit 2804 notifies the authentication state detection unit 2805 operating in the same server 2803 of the IP address of the user terminal that has successfully authenticated (login).

The filtering state management device 2802 has a subnet table 2814. The filtering state management device 2802 communicates with the authentication state detection unit 2805 and the packet communication device 2801 of each of the servers A to C 2803 via a network.

In this network system, a user can freely connect a user terminal (notebook computer or the like) to one or more networks (IP subnets 147.3.1.0 to 147.
5.3.0), and a network system can be used.

In this network system, all communications are performed according to the IP protocol (IPv4).
Note that a network system using another communication protocol (for example, IPv6) may be used. Each network (IP subnet) is assigned an IP subnet number. All subnet masks are 2
It is assumed that the length is 4 bits. A device connected to each network is assigned an IP address belonging to that network. In FIG. 28, it is described as IP. All networks are C defined by IEEE
It is an SMA / CD type 802.3 network. still,
Each network may be another network. A physical address (hereinafter, referred to as a MAC address) is set for an interface of each device connected to each network. M required for the following description
The AC address is described as MAC in FIG.

The setting of each device in the initial state where no user terminal 2806 is connected to the information outlet system 2830 will be described.

The user authentication section 2804 registers the user ID and password of a user who is permitted to use the network. Since the user authentication (login) function of the OS is used as the user authentication unit 2804, the user account 2840 in the OS corresponds to the registration information. A subnet table 2814 is set in the authentication status detection unit 2805 and the filtering status management device 2802.

FIG. 29 is a configuration diagram of the subnet table 2814.

Each entry of the subnet table 2814 includes a subnet address field 2901, a subnet mask field 2902, an IP address field 2903 of the filtering state management device, and an IP address field 2904 of the packet communication device. In the IP address field 2904 of the packet communication device,
The packet communication device 2 to which an IP subnet having an address obtained by ANDing the subnet address and the subnet mask registered in the subnet address field 2901 and the subnet mask field 2902 is connected.
The IP address 801 is registered. The IP address of the filtering status management device 2802 that issues an instruction to the packet communication device 2801 having the IP address registered in the IP address field 2904 is registered in the IP address field 2903 of the filtering status management device. Since there is only one filtering state management device 2802 in the network system, the subnet table 2
814 of the filtering state management device of all entries
The same IP address is registered in the P address field 2903. A plurality of filtering status management devices 2802 are provided in the network system, and different IP addresses are registered for each entry of the subnet table 2814, and the filtering status management devices 2802 are registered.
Can be distributed. When detecting the login by the user, the authentication state detection unit 2805 searches the subnet table 2814 for the IP subnet to which the IP address of the user terminal 2806 used by the user belongs, and performs filtering to notify the login of the user from the contents of the corresponding entry. The state management device 2802 is determined. Similarly, the filtering state management device 2802 uses the packet communication device 2 to notify the IP address of the logged-in user terminal from the contents of the subnet table 2814.
801 is determined.

The address learning table 2811 included in each of the packet communication devices A to C 2801 has 1 in the initial state.
Neither entry is registered. The contents of the address learning table 2811 will be described later.

FIG. 30 shows an authentication address table 2813.
FIG.

The authentication address table 2813 includes the IP address of the server 2803 provided with the user authentication unit 2804 and the IP addresses of devices that provide other functions required for user authentication (for example, DNS (Domain Name System)).
The address is registered. The authentication address table 2813 shown in FIG.
The P address is registered. Further, the authentication address table 2813 may be used to register the IP address of a server having information that may be disclosed to a user who has not been authenticated.

FIG. 31 is a configuration diagram of the non-target address table 2812 of the packet communication device A 2801.

In the non-target address table 2812, the MAC address of an information device that the user can access without being authenticated is registered. Information devices to be registered in the non-target address table 2812 include a packet communication device such as a router, and a device such as a printer that cannot voluntarily perform user authentication (login). MA of these devices
The C address is registered in the non-target address table 2812 of the packet communication device 2801 connected to the same network as the device. In the non-target address table 2812 shown in FIG. 31, the MAC address of the network interface connected to the packet communication device A 2801 among the network interfaces provided in the router 2820 is registered.

In the initial state described above, when the user terminal 2806 is connected to the information outlet system 2830,
The user terminal 2806 performs communication with the DHCP server 2807 and ARP (Address Resol
ution Protocol) communication and communication with the user authentication unit 2804 are permitted. Other communications are filtered by the packet communication device A2801. Filtering is to discard packets for unauthorized communication.

In the network system shown in FIG. 28, the user terminal 2806 is connected to the network (IP subnet 147.3.1.3.0) in the information outlet system 2830 by the user, and user authentication (login) is performed by the user terminal 2806. FIG. 33 shows a communication sequence diagram in the case where the communication is performed.

It is assumed that the server 2803 with which the user terminal 2806 communicates to perform authentication (log-in) is the server A, and the IP address 137.1.1.1 of the server A is known to the user 2806 or the user of the user terminal 2806. It is assumed that

When the user terminal 2806 is connected to the network (IP subnet 1473.3.3.0) of the information outlet system 2830, no IP address is assigned to the user terminal 2806 at that time.
Thus, in the network system shown in FIG. 28, an IP address is assigned to the user terminal 2806 using DHCP. Note that an IP address may be assigned to the user terminal 2806 by a method other than DHCP. For example, the user terminal 2
An IP address may be set in 806. DHC
If a method other than P is used, the packet communication device 28
01 DHCP relay agent function is unnecessary.

First, the user terminal 2806 connects to the network (IP subnet 1) of the information outlet system 2830.
47.3.3.0), the user terminal 280
6 transmits an address request packet for requesting an IP address according to the DHCP protocol. In this case, the user terminal 2806 performs broadcast transmission using the destination address of the packet as the broadcast address.
The address request packet is received by the packet communication device A2801.

FIG. 32 is a flowchart showing a relay process of each of the packet communication devices A to C 2801 that has received a packet.

Upon receiving the address request packet from the user terminal 2806, the packet communication device A 2801 receives the source MAC address (22:22:
00: 11: 11: 11) in the address learning table 28
11 (processing 3201). Since no entry is registered in the address learning table 2811 in the initial state, the source MAC address of the packet is searched from the non-target address table 2812 (process 320).
2). However, as shown in FIG. 31, only the MAC address of the router 2820 is registered in the non-target address table 2812. That is, the user terminal 2806
Are not registered in any of the tables. Therefore, the packet communication device A 2801 registers the source MAC address in one entry of the address learning table 2811.

Thereafter, the packet communication device A 2801
Attempt to retrieve the destination IP address of the address request packet from the authentication address table 2813 (Process 3
204). However, since the destination address of the address request packet is a broadcast address, it is not registered in the authentication address table 2813. Therefore, the packet communication device A2801 determines that the received packet is DH
It is determined whether the packet is an address request packet by the CP (process 3205). Since the received packet is an address request packet, the packet communication device A 2801
The relay agent function relays the address request packet to the DHCP server 2807 via the router 2820 (process 3208).

In FIG. 33, a DHCP server 2807
Receives the address request packet and sends the user terminal 2806
Is assigned an IP address. DHCP server 2
807 is an IP belonging to a network (IP subnet 147.3.3.0) connected to the user terminal 2806.
The address (1473.3.3.1) is assigned to the user terminal 2806.
Assign to Then, an address distribution packet is transmitted to notify the user terminal 2806 of the IP address. At this time, the router 282 is used as the address of the default gateway in the network (IP subnet 147.3.3.0) to which the user terminal 2806 is connected.
The IP address 147.3.3.251 of 0 is also included in the address distribution packet and notified to the user terminal 2806. The IP address 147.3.3.251 of the router 2820 may be notified to the user terminal 2806 using a packet different from the address distribution packet. In addition,
The default gateway address to the user terminal 280
As a method of setting to 6, another method (for example, input by a user) may be used. The address distribution packet is sent to the packet communication device A 2801 by the router 2820.
Will be relayed to. The packet communication device A2801 processes the received packet in the same manner as described above, and transmits the address distribution packet to the MAC address (22: 22: 00: 11: 11: 1) of the user terminal by the DHCP relay agent function.
1) Send to This allows the user terminal 2806 to receive an IP
Address (1473.3.3.1) is assigned.

Next, the user terminal 2806 is connected to the server A 28
Authentication (login) to the user authentication unit 2804 of 03
Will be described.

When the IP address is assigned, the user terminal 2806 attempts authentication (login) to the user authentication unit of the server A2803. Since the user terminal 2806 and the server A belong to different networks (IP subnets), they communicate with each other via the router 2820.

In FIG. 33, the user terminal 2806
MA corresponding to the default gateway IP address 147.3.3.251 notified from the DHCP server
In order to obtain the C address, an ARP Request packet 3301 including a broadcast address as a destination address is broadcast transmitted. ARP Re
The quest packet 3301 includes the MAC address and the IP address of the user terminal 2806 as the source MAC address and the source IP address, respectively.

ARP Request packet 3301
Is received by the packet communication device A2801. A
Upon receiving the RP Request packet 3301,
The packet communication device A2801 first sets the ARP Request
ARP packet learning processing is performed on the ERP packet 3301, and then the ARP Request packet 330
1 is performed.

FIG. 34 shows each of the packet communication devices A to C28.
11 is a flowchart showing ARP packet learning processing by No. 01.

In the ARP packet learning process, the packet communication device A 2801 first sets the ARP Request
The source MAC address included in the packet 3301 is searched from the non-target address table 2812 (processing 34).
01). As shown in FIG. 31, since only the MAC address of the router 2820 is registered in the non-target address table 2812, the entry in which the source MAC address is registered is not included in the non-target address table 2812.
Not in Therefore, the packet communication device A 2801 stores the source MAC address in the address learning table 281.
The search is started from 1 (process 3402). In the initial state, nothing is registered in the learning table 2811 of the packet communication device A2801. Therefore, there is no entry in the learning table 2811 in which the source MAC address is registered. Next, the packet communication device A2801
Source IP included in Request packet 3301
The address is retrieved from the address learning table 2811 (process 3403). Similarly, since nothing is registered in the learning table 2811, there is no entry in the learning table 2811 in which the source IP address is registered. Therefore, the packet communication device A 2801 ends the ARP packet learning process.

Thereafter, the packet communication apparatus A 2801 follows the flowchart shown in FIG.
The relay processing of the quest packet 3301 is performed. That is,
The packet communication device A2801 uses the ARP Request
The source MAC address included in the t packet 3301 is searched from the address learning table 2811 (processing 32).
01). As described above, the address learning table 2811
Is not registered in the packet communication device A2.
801 searches the source MAC address from the non-target address table 2812 (process 3202). FIG.
As shown in FIG. 1, only the MAC address of the router 2820 is registered in the non-target address table 2812, and the source MAC address is not registered in any entry. Therefore, the packet communication device A2801
Registers the source MAC address in the address learning table 2811 (processing 3203).

FIGS. 35, 36 and 37 are diagrams showing the structure of the address learning table 2811.

Each entry of the address learning table 2811 has a MAC address field, an IP address field, a status field, and a valid period field.
The MAC address field of each entry includes the M of the user terminal 2806 connected to the packet communication device 2801.
The AC address is registered. The IP address assigned to the user terminal 2806 having the MAC address registered in the same entry is registered in the IP address field. If the IP address of the user terminal 2806 is unknown or has not been assigned, “0.0.0.0” is registered. In the status field, information indicating that a packet including a source MAC address matching the MAC address registered in the same entry is discarded (filtering ON) or information indicating relaying (filtering OFF) is registered. . In the Validity Period field, the remaining time (valid time) for which the entry is valid
As described above, the packet communication device A 2801 stores the ARP Request packet 3
M of the user terminal 2806 which is the transmission source address of 301
AC address (22: 22: 00: 11: 11: 11)
Is registered in the MAC address field of the address learning table 2811, and “0.0.
0.0 ”, information indicating discarding“ filtering ON ”in the status field, and“ 3600 ”in the validity field.
Second ". FIG. 35 shows a configuration diagram of the address learning table in this state.

The time “3600 seconds” means that the entry is deleted from the address learning table 2811 when the user terminal 2806 connected to the network has not been assigned an IP address and has not performed authentication (login). Time. Note that, as long as the time is longer than the time required for IP address assignment and authentication (login) processing, any time different from the validity period of the entry “3600 seconds” may be used. If the validity period of the entry is shorter than the validity period of the information in the ARP cache provided in the device connected to the same network as the packet communication device 2801, the packet communication device 28
01 and the device may be inconsistent. Therefore, the validity period of the entry is longer than the validity period of the information in the ARP cache.

Next, the packet communication device A 2801
The destination IP address included in the RP Request packet 3301 is searched from the authentication address table 2813 (processing 3204). However, ARP Request
Since the st packet 3301 is not an IP packet,
It is determined whether the P Request packet 3301 is a DHCP packet (process 3205). ARP Req
Since the east packet 3301 is not a DHCP packet, it is determined whether the destination MAC address included in the ARP Request packet 3301 is a broadcast address (process 3206). Since the destination MAC address is a broadcast address, the packet communication device A28
01 relays the ARP Request packet 3301 only to the router 2820 (processing 3209).

The router 2820 checks the ARP Request
The t packet 3301 is received, and the ARP Reply packet 3302 is transmitted. The ARP Reply packet 3302 includes the MAC address (22: 22: 00: 00: 00: 03) and the IP address (147.3.3.251) of the router 2820 as the source MAC address and the source IP address, respectively. .

The packet communication device A 2801 has an ARP R
After receiving the apply packet 3302, the ARP packet learning process and the relay process are performed as follows.

In the ARP packet learning process, the packet communication device A 2801 first searches the non-target address table 2812 for the source MAC address contained in the ARP Reply packet 3302 (process 340).
1). As shown in FIG. 31, the MAC address of the router 2820 is registered in the non-target address table 2812. Therefore, the packet communication device A2801
Is the MA of the router 2820 which is the source MAC address.
The entry in which the C address is registered is found from the non-target address table 2812, and the ARP packet learning process ends.

Next, the packet communication apparatus A 2801 performs ARP Re according to the flowchart shown in FIG.
The source MAC address included in the ply packet 3302 is searched from the address learning table 2811 (process 3201). Since the MAC address of the router 2820 is not registered in the address learning table 2811, the packet communication device A 2801 searches for the source MAC address from the non-target address table 2812 (process 3202). Since the MAC address of the router 2820, which is the source MAC address, is registered in the non-target address table 2812, the packet communication device A 2801
Relays the ARP Reply packet 3302 (step 3211) and sends it to the user terminal 2806. The user terminal 2806 receives the ARP Reply packet 3302 and recognizes the MAC address of the router 2820.

The user terminal 2806 performs authentication (login).
User authentication unit 2804 of server A 2803
, A login request packet 3303 is transmitted. The login request packet 3303 includes the IP address of the server A 2803 as the destination IP address, the MAC address of the router 2820 as the destination MAC address, and the source MA.
The C address and the source IP address include the MAC address and the IP address of the user terminal 2806, respectively. The packet communication device A 2801 receives the login request packet 3303 and, according to the flowchart shown in FIG. 32, stores the source MAC address included in the login request packet 3303 in the address learning table 2811.
(Step 3201). The MAC address of the user terminal 2806 is already registered in the address learning table 2811. Therefore, the packet communication device A280
1 refers to the status field of the entry in which the source MAC address is registered. As shown in FIG.
Since the status field indicates “Filtering ON”, the destination I included in the login request packet 3303 is
The P address is retrieved from the authentication address table 2813 (process 3204). Authentication address table 281
Since the IP address of the server A 2803 is registered in No. 3, the packet communication device A 2801 checks whether the source IP address included in the login request packet 3303 is registered in the address learning table 2811. As shown in FIG. 35, the IP address field in the entry where the MAC address of the user terminal 2806 is registered in the address learning table 2811 is “0.0.
0.0 ”is registered and the IP address of the user terminal 2806 is registered.
The address has not been registered. Accordingly, the packet communication apparatus A2801 registers the IP address (147.3.1.3.1) of the user terminal 2806, which is the source IP address, in the IP address field (process 321).
0). In this case, the packet communication device A2801 does not change the time value held in the validity period field.

FIG. 36 shows the configuration of the address learning table in this state.

Then, the packet communication device A 2801 relays the login request packet 3303 (processing 321).
1) Send to router 2820. Login request packet 3
303 is relayed to the server A 2803 by the router 2820.

When server A 2803 receives login request packet 3303, user authentication section 2804 of server A 2803 transmits password request packet 3304 to user terminal 2806 requesting input of a password. The router 2820 sends the password request packet 33
04 to the packet communication device A2801. At this time, the router 2820 sends the password request packet 33
04 to the router 2820
And send it. Packet communication device A
2801 receives the password request packet 3304. The packet communication device A 2801 uses the address learning table 2811 and the non-target address table 2812 to store the source address contained in the password request packet 3304 in the same manner as the relay process of the ARP Reply packet 3302 according to the flowchart shown in FIG.
(Steps 3201 and 3202). Since the MAC address of the router 2820, which is the transmission source MAC address, is registered in the non-target address table 2812, the packet communication device A2801 relays the password request packet 3304 (process 3211) and transmits it to the user terminal 2806. When the user terminal 2806 receives the password request packet 3304, the user terminal 280
At 6, the user is prompted to enter a password. The user enters a password on the user terminal 2806. The user terminal 2806 transmits a packet 3305 including the input password. Packet communication device A
2801 receives the packet 3305 and executes the packet 3305 in the same manner as the relay process of the login request packet 3303.
The source MAC address included in 305 is searched from the address learning table 2811 (process 3201).
The destination IP address included in the packet 3305 is searched from the authentication address table 2813 (process 320).
4). The IP address of the server A 2803 which is the destination IP address is registered in the authentication address table 2813, and the IP address of the user terminal 2806 which is the source IP address is also registered in the address learning table 281.
1 (process 3210), the packet communication device A 2801 relays the packet 3305, and
20. The packet 3305 is relayed by the router 2820 to the server A 2803. Server A2803
Receives the packet 3305, the user authentication unit 280
No. 4 compares the password included in the packet 3305 with the regular password held as the user account 2840 to determine whether the password is correct. If the user authentication unit 2804 determines that the password included in the packet 3305 is correct, the user terminal 2806
Is permitted by the user authentication unit 2804.
The user authentication unit 2804 notifies the user terminal 2806 of the completion of the login by using a login completion packet 3306.
And notifies the authentication state detection unit 2805 in the server A 2803 of the IP address (147.3.1.3.1) of the user terminal 2806 and the completion of the login.

The authentication status detection unit 2805 holds, in the subnet address field 2901, an address obtained by logically ANDing the subnet mask held in the subnet mask field 2902 and the IP address of the user terminal 2806 in each entry of the subnet table 2814. Search for an entry that matches the entered subnet address. Upon finding the corresponding entry, the authentication state detection unit 2805 finds the IP address registered in the IP address field 2903 of the filtering state management device for that entry.
A connection notification packet 3307 including the IP address of the user terminal 2806 is transmitted to the address. For example, FIG.
In the subnet table shown in FIG. 9, the entry of # 3 includes the subnet address of the network (IP subnet) connected to the user terminal 2806, and corresponds to the above-described entry. Therefore, from the entry of # 3,
The IP address of the filtering status management device 2802 to which the connection notification packet 3307 should be sent is “137.2.
2.100 ".

The connection notification packet 3307 is sent to the router 282
0 is relayed to the filtering state management device 2802. Upon receiving the connection notification packet 3307, the filtering status management device 2802 sets the logical product of the subnet mask held in the subnet mask field 2902 and the notified IP address of the user terminal 2806 in the entries of the subnet table 2814. , An entry that matches the subnet address held in the subnet address field 2901 is searched. When the corresponding entry is found, the IP address field 290 of the packet communication device of the entry is found.
4 is recognized. In the subnet table shown in FIG. 29, since the entry of # 3 corresponds to the above-described entry, the IP address of the packet communication device is set to “147.3.1.2” from the entry of # 3.
20 "(IP address of packet communication device A2801)
It can be seen that it is. Filtering state management device 28
02 is a connection permission packet 330 including the IP address (147.3.1.3.1) of the user terminal 2806 addressed to the packet communication device A 2801 having the recognized IP address.
8 is transmitted.

The packet communication apparatus A 2801 notified of the connection permission packet 3308 sends the user terminal 2
806. The IP address (1477.3.3.1) of 806 is searched from the address learning table 2811. As shown in FIG. 36, the IP address of the user terminal 2806 is registered in one entry of the address learning table 2811. Therefore, the packet communication device A 2806 changes the information registered in the status field of the entry from “filtering ON” to “filtering OFF”, and newly sets “300 seconds” in the validity period field.
Set the time.

FIG. 37 shows the configuration of the address learning table in this state.

Then, the MAC address of the user terminal 2806 (22:22:00:
When the packet communication device 2801 receives the packet including the packet data 11:11:11), the packet communication device 2801 searches the address learning table 2811 for the source MAC address according to the flowchart shown in FIG. 32 (process 3201). In this case, the source MAC address is registered in one of the entries of the address learning table 2811, and the status field of the entry indicates “filtering OFF”. Therefore, the packet communication device A2801 always relays the received packet (process 3211). As a result, since the packet transmitted from the user terminal 2806 is not discarded by the packet communication device 2801, the user terminal 2801 can communicate freely.

Next, a description will be given of a detection method and processing in the packet communication apparatus A2801 when the user terminal 2806 leaves the network.

The packet communication device A 2801 starts the process of updating the validity period field in each entry of the address learning table 2811 at regular intervals. For example, the packet communication apparatus A2801 starts updating the validity period field every 30 seconds. The activation cycle depends on how accurate the validity period of the entry is guaranteed.

The process of updating the validity period field in the address learning table will be described with reference to FIG.

FIG. 38 shows each of the packet communication devices A to C28.
31 is a flowchart showing an update process of the address learning table 2811 by 01.

In the packet communication device A 2801, when the update processing of the address learning table 2811 is started, first, the update processing is performed from the remaining time (valid time) held in the valid period field of each entry of the address learning table 2811. "30"
Is subtracted, and the effective time is updated (process 380).
1). As a result of the subtraction, when the remaining time (updated valid time) held in the validity period field is a value greater than 60 seconds (twice the activation interval), the packet communication device A 2801 determines that the entry has no further value. The update process is temporarily ended without performing the process. If there is an entry whose updated valid time is greater than 0 seconds and less than or equal to 60 seconds, the packet communication device A 2801 changes the MAC address of the user terminal 2806 assigned to the IP address registered in the entry. To reconfirm, an ARP Request packet is transmitted to the IP subnet to which the user terminal 2806 is connected (process 3803). If there is an entry whose updated valid time is 0 second or less, the packet communication device A280
1 deletes the entry (step 3804). As a result, the address learning table 2811 indicates that the user terminal 2 having the MAC address registered in the entry is
806 returns to the state before it was connected to the network.

By executing the above update processing, packet communication apparatus A 2801 transmits an ARP Request packet periodically (about every four minutes in the above-described update processing) and confirms the presence of user terminal 2806.
If the user terminal 2806 is connected to the network, the ARPR is sent in response to the ARP Request packet.
The eply packet is transmitted from the user terminal 2806. Therefore, if there is no response to the ARP Request packet, the packet communication device A2801 interprets that the user terminal 2806 has left the network, and deletes the entry when the updated valid time becomes 0 second or less.

The activation interval of the update processing in the packet communication device A 2801 is 30 seconds, and the packet communication device A 2801
The condition for the 801 to transmit the ARP Request packet is that the updated valid time is 60 seconds or less (twice the activation interval).
Therefore, the ARP Request packet is transmitted twice before one entry is deleted. By setting various conditions under which the ARP Request packet is transmitted, the user terminal 2 can be set until the packet communication device A2801 deletes the entry.
It is possible to adjust the number of times that the existence of 806 is confirmed.

Further, packet communication apparatus A 2801 transmits the ARP Request sent from user terminal 2806.
The validity period held in the validity period field of the address learning table 2811 is updated by the st packet or the ARP Reply packet. Packet communication device A28
01 is the ARPR sent from the user terminal 2806.
The process of updating the validity time of the validity period field of the address learning table 2811 with the request packet or the ARP Reply packet will be described with reference to FIG.

First, since authentication (login) is performed by the user terminal 2806, one entry of the address learning table 2811 contains the MAC address, IP address, and relay of the user terminal 2806 as shown in FIG. It is assumed that the indicated information and the valid time have been registered, and that 120 seconds have elapsed since the valid time (300 seconds) was registered in the entry. Therefore, the valid time of the entry in the address learning table 2811 is 180 seconds.

Upon receiving the ARP Request packet or ARP Reply packet sent from user terminal 2806, packet communication apparatus A2801 executes ARP packet learning processing according to the flowchart shown in FIG. First, the source MAC address included in the ARP Request packet or the ARP Reply packet is stored in the non-target address table 2812.
(Step 3401). As shown in FIG. 31, the MAC address of the user terminal 2806 is not registered in the non-target address table 2812. Therefore, the packet communication device A2801 sends the source MAC
The address is retrieved from the address learning table 2811 (process 3402). The source MAC address is the MAC address of the user terminal 2806, and the entry in which the MAC address is registered is the address learning table 2811.
Exists. Therefore, the packet communication device A2801
ARP Request packet or ARP Rep
ly packet and the IP address registered in the entry of the address learning table 2811.
Address (147.3.3. 1) (processing 3
405). Normally, since the IP address assigned to the user terminal 2806 during communication does not need to be changed, the IP address registered in the address learning table 2811 matches the source IP address. As a result, if the valid time held in the entry is less than 300 seconds, the packet communication device A 2801 updates the valid time to 300 seconds (process 3406), and ends the ARP packet learning process. In this case, since the valid time is 180 seconds, the valid time is updated to 300 seconds.

ARP sent from user terminal 2806
The packet communication device A2801 actually uses the Request packet or the ARP Reply packet for updating the valid time of the entry of the address learning table 2811 by using the packet communication device A2801.
The interval at which the P Request packet is transmitted to the user terminal 2806 is longer than the above-mentioned regular interval (about 4 minutes). Therefore, the load on the network to which the user terminal 2806 is connected is reduced. User terminal 28
In the state where the communication is performed, the ARP Request packet or the ARP Reply packet is transmitted from the user terminal 2806 regularly or irregularly. Therefore, the transmission of the ARP Request packet to the user terminal 2806 by the packet communication device A2801 may have a possibility that the user terminal 2806 has left the network after a certain period of time has elapsed without performing communication. Only in the high state.

As described above, in the network system having the information outlet system in which the user can freely connect the user terminal, the packet of the user terminal 2806 which has not been authenticated (logged in) is discarded by using the packet communication device 2801. This prevents unauthorized users from using the network.

[0228]

According to the present invention, even if a user connects a user terminal to an information outlet at an arbitrary time and an arbitrary place, only an authenticated user can use resources such as a file server in a network system. In addition, the use of the resources of the network system by an unauthorized user who has not been authenticated is prevented.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a packet communication device according to an embodiment.

FIG. 2 shows network interfaces 102 to 107
FIG.

FIG. 3 is a configuration diagram of an address learning table 108;

FIG. 4 is a configuration diagram of a network system using the LAN 100.

FIG. 5 is a communication sequence diagram when the user terminal 403 is connected to the information outlet 409.

FIG. 6 is a flowchart showing a relay process of the LAN switch 100.

FIG. 7 is a configuration diagram of an address learning table.

FIG. 8 is a flowchart of a process 604 shown in FIG.

FIG. 9 is a configuration diagram of a relay table 901.

FIG. 10 is another configuration diagram of the packet communication device.

FIG. 11 is a configuration diagram of filtering processing units 1012 to 1017.

FIG. 12 is a configuration diagram of a filtering table 1101.

FIG. 13 is a configuration diagram of a network system using a router 1000.

FIG. 14 shows a case where a user terminal 1333 is connected to an information outlet 409.
Communication sequence diagram when connected to.

FIG. 15 is a configuration diagram of a filtering table 1101.

FIG. 16 is another configuration diagram of the packet communication device.

FIG. 17 is a configuration diagram of a filtering table 1607.

FIG. 18 is a configuration diagram of a learning table 1606.

FIG. 19 is a configuration diagram of a network system using a LAN switch 1600.

FIG. 20 is a communication sequence diagram when the user terminal 1905 is connected to the information outlet 409 of the network B.

FIG. 21 is a flowchart showing a relay process of the LAN switch 1600.

FIG. 22 is a configuration diagram of a learning table 1606.

FIG. 23 is a configuration diagram of a network system using a router 2300.

FIG. 24 shows a case where the user terminal 2312 is connected to a network B 231.
FIG. 6 is a communication sequence diagram when the information outlet is connected to the information outlet 3;

FIG. 25 is a flowchart showing a relay process of the router 2300.

FIG. 26 is a flowchart showing processing of the authentication server 2310 that has received a packet.

FIG. 27 is a configuration diagram of an IP address registration table 2306 in an initial state.

28 is a configuration diagram of a network system in which a plurality of networks are connected by a plurality of packet communication devices A to C2801 and a router 2820. FIG.

FIG. 29 is a configuration diagram of a subnet table 2814.

FIG. 30 is a configuration diagram of an authentication address table 2813.

FIG. 31 is a configuration diagram of a non-target address table 2812.

FIG. 32 is a flowchart showing a relay process of the packet communication device 2801.

FIG. 33 is a communication sequence diagram when the user terminal 2806 is connected to a network in the information outlet system 2830.

FIG. 34 is a flowchart showing ARP packet learning processing by the packet communication device 2801.

FIG. 35 is a configuration diagram of an address learning table 2811.

FIG. 36 is a configuration diagram of an address learning table 2811.

FIG. 37 is a configuration diagram of an address learning table 2811.

FIG. 38 is a flowchart showing an update process of the address learning table 2811 by the packet communication device 2801.

[Explanation of symbols]

 Reference Signs List 100 LAN switch 109 state change instruction packet processing unit 203 state management unit 401 authentication server 402 file server 403 user terminal 409 information outlet

──────────────────────────────────────────────────の Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04L 12/56 H04L 12/56 B 100 100Z (72) Inventor Shinji Nozaki 1 Horiyamashita, Hadano-shi, Kanagawa Stock (72) Inventor Yoshiyuki Tatsumi 1-6-27 Shinsuna, Koto-ku, Tokyo F-term in Hitachi Public Works Division (reference) 5K030 GA15 HA08 HB18 HC14 HD03 HD07 HD10 KA05 KA13 KX24 LB05 LC13 LD20 5K033 AA08 CB01 CB08 CC01 DA01 DA05 DB12 DB19 EA07 EC01 EC04

Claims (6)

[Claims] 1. A packet communication device in a network system for transmitting and receiving packets between a user terminal, an authentication server, and a file server arranged via a network, comprising: a plurality of network interfaces; An address learning table including information for identifying the packet; and selecting the relay destination of the packet based on the state of the network interface with reference to the learning table, and a packet between the user terminal, the authentication server, and the file server. A packet relay unit that relays or discards a status change instruction packet holding an instruction to change the state of a specific network interface to one of a connected state, a disconnected state, and no state through the packet relay unit. Acknowledgment State change instruction packet processing unit received from the certificate server, provided in a specific network interface, respectively, receives a state change instruction packet from the state change instruction packet processing unit, based on the state change instruction packet, A packet communication device comprising: a state management unit that changes a state of a specific network interface to one of a connection state, a non-connection state, and no state. 2. The network system according to claim 1, further comprising an address assignment server for dynamically distributing an address to a user terminal arranged via a network and a router, further comprising a filtering table for registering a source address of the received packet. The state change instruction packet processing unit, when receiving a state change instruction packet instructing to register a specific address registered in the filtering table in the address learning table, performs address learning on the specific address. If the destination address of the packet is registered in the address learning table, the packet is relayed, and the destination address of the packet is not registered in the address learning table and registered in the filtering table, Packet source address Less it is, if a router or authentication server, the packet communication apparatus according to claim 1 which is adapted to relay the packet. 3. The network interface further includes a line disconnection detecting unit for detecting whether a network is available, and the state management unit is configured to detect a line disconnection by the line disconnection detecting unit. Changing the state of the network interface in which disconnection is detected to a disconnected state, and when the user terminal is authenticated by the authentication server,
Changing the state of the network interface connected to the user terminal to a connected state, the packet relay unit, when receiving a packet from the non-connected network interface, the packet to the non-connected or connected network interface 2. The method according to claim 1, wherein the packet is not relayed, but is relayed only to a specific network interface, and when a packet is received from a connected network interface, the packet is not relayed to a non-connected network interface.
Or the packet communication device according to 2. 4. A packet communication device in a network system for transmitting and receiving packets between a user terminal, an authentication server, and a file server distributed via a network, comprising: a physical interface for connecting to the network; A packet relay unit for selecting a packet, a filtering table including information for relaying or discarding the packet, and a packet processing unit for discarding the packet or transmitting the packet to the packet relay unit based on the contents of the filtering table. A filtering processing unit arranged between the physical interface and the packet relay unit for performing packet filtering; transmitting a filtering change instruction from the authentication server to the filtering processing unit; Discard all The information in the filtering table initialized as described above is changed based on an instruction from the authentication server, and a packet having a source terminal address of a user terminal authenticated by the authentication server is transmitted to the file server. A packet change instruction processing unit for sequentially adding information for relaying to the filtering table to the filtering table. 5. A packet communication device in a network system for transmitting and receiving packets between a user terminal, an authentication server, and a file server arranged via a network, wherein the packet communication device transmits and receives packets from the user terminal, the authentication server, and the file server. A network interface, an IP address registration table for registering the address of the user terminal authenticated by the authentication server, and a packet having the source address as the address registered in the IP address registration table. A packet communication device comprising: a packet relay unit that encapsulates a packet having an unregistered address as a source address and then transmits the packet to a specific address. 6. The packet communication device according to claim 1, a user terminal connected to the packet communication device via a network, a file server, and the file for the user terminal. A network system comprising: an authentication server that performs authentication for permitting access to the server.