JP2006005606A - Communication system, communicating method, address distributing system, address distributing method and communication terminal - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a secure communication means by a function for deleting an temporary allocated IP address explicitly by dinamically assigning a temporary global IP address corresponding, to a communication partner, an application to be used, a communication session, etc., at a terminal. <P>SOLUTION: A communication system includes a structure for distributing the temporary IP address (hereinafter called one time address) to the terminal, that is, one time address distribution system in the network. Consequently, according to the one time address distribution request from the terminal or the notification request of the address to the terminal from other system, the one time address is distributed to the terminal. And, the communication session is started based on the distributed one time address. The distributed one time address is discarded at the terminal side after the communication session is finished. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an Internet communication method in a network based on an Internet protocol (hereinafter abbreviated as IP), an address distribution system, an address distribution method, and a communication terminal capable of improving security during Internet communication.

  There is a method called a global address as an IP address assignment method (address distribution method) in an IP network. According to this method, a terminal can be identified in a globally unique address space.

  A terminal having such a global address can be reached from any terminal connected to the IP network, and can communicate peer-to-peer. However, depending on the application, when a user who uses the device communicates with an unspecified terminal or a terminal with insufficient security measures, the IP address is known to an unauthorized third party, so that the terminal can be used illegally on the Internet. There is a risk of being attacked or misused for unauthorized use.

  In order to solve such a problem, the conventional IP network uses a one-time address to communicate with an unspecified communication partner while minimizing the disclosure of a fixed global address. However, there is a mechanism that enables end-to-end communication using global addresses. In addition, by deleting a global address that has been used from the terminal, it is possible to make direct communication with the terminal impossible when the global address is illegally obtained. As a mechanism for this, there are a dynamic host configuration protocol (DHCP), a temporary address (RFC3041) using an IPv6 address, and the like.

IETF RFC2131 “Dynamic Host Configuration Protocol” IETF RFC3041 “Privacy Extensions for Stateless Address Autoconfiguration in IPv6“

  The former DHCP is a mechanism for distributing an IP address when a terminal is connected to an IP network. However, DHCP distributes an IP address at a timing when the terminal is connected to the network, and the IP address cannot be properly used depending on the application. Further, when the terminal terminates the network connection, the address distributed explicitly is not collected, and the terminal is not requested to delete the address.

  Further, the latter temporary address method assumes only that the terminal is a caller and does not have a function of accepting an incoming call to the terminal itself.

  A conventional IP address is an identifier for uniquely identifying a terminal fixedly connected to an IP network.

  However, recently, since the mobility of a terminal has increased, an IP address is becoming an identifier for identifying an endpoint of an IP network to which the terminal is connected rather than specifying the terminal itself. In particular, when an IP address is automatically generated at the timing when it is connected to the network as in an IPv6 network, the tendency becomes strong. Further, in IPv6 networking, the number of IP addresses that can be handled in a subnetwork is so large that it is considered to be almost unlimited as compared with IPv6 networks, so it is practically possible for one terminal to use a plurality of IP addresses. .

  The present invention has been made in view of the above problems. As one aspect thereof, an IP address (global address) is assigned to a terminal (address distribution) corresponding to a communication partner, an application used, a communication session, etc. in the IP network, and the assigned IP address (distribution address) is deleted. An IP address distribution system for deleting, discarding, or managing IP addresses from terminals is provided.

  That is, according to the present invention, secure communication can be realized by using the temporary IP address corresponding to the communication partner or application by utilizing the above-described feature of the IP address. Specifically, a mechanism for distributing temporary IP addresses (hereinafter referred to as one-time addresses) to terminals, that is, providing a one-time address distribution system in a network, so that one-time address distribution requests from terminals or other The one-time address is distributed to the terminal according to the address notification request to the terminal from the system, and a communication session between the terminals is started based on the distributed one-time address. The one-time address distributed to the terminal is deleted, discarded or managed on the terminal side after the communication session ends.

  According to the present invention, even when the IP address of the terminal remains in the communication partner terminal, it is possible to avoid unnecessary communication using the IP address again after the communication is completed. Thereby, unauthorized communication access by a third party can be prevented.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

<System configuration>
FIG. 1 is a configuration diagram showing the concept of a network system to which the present invention is applied.

As shown in FIG. 1, this system includes a one-time address distribution system 1, an address search system 2, a plurality of terminals (terminals 3a and 3b), a plurality of routers (4a and 4b), and a network 5.
A network 5 connects a one-time address distribution system 1, an address search system 2, and routers 4a and 4b.

The terminals 3a and 3b are connected to the network 5 via routers 4a and 4b, respectively.
Examples of the network 5 include a LAN based on the IPv6 protocol, an IP network using a dedicated line, the Internet (public IP network), a mobile IP network, and a network in which these networks are interconnected.

As an example of the address search system 2, a name resolution system based on a session initiation protocol (SIP) or a domain name system (DNS) protocol can be considered. Since these are well known, a detailed description thereof will be omitted.
<Configuration of one-time address distribution system 1>
FIG. 2 is a functional block diagram showing the configuration of the one-time address distribution system 1. 3, 4, and 5 show tables stored in the functional blocks 102, 104, and 1072 of the one-time address distribution system 1.

  The one-time address distribution system 1 includes a user information management unit 101, a user information storage unit (memory) 102, an address distribution policy management unit 103, an address distribution policy storage unit (memory) 104, an address generation unit 105, and address generation history information storage. A unit (memory) 106, an address search unit 107, and a communication control unit 108. The one-time address distribution system includes a signaling processing unit 109. This signaling processing unit 109 is not necessarily required and may be omitted depending on circumstances.

The user information storage unit 102 stores a user information table 1021 shown in FIG. In the table, a user name, a user ID, a fixed IP address, a Prefix, and the like are entered. The address policy information storage unit 104 stores the address distribution policy 1041 shown in FIG. In the table, a user ID, a transmission source address, an address distribution policy, and the like are entered. The address search unit 107 includes an address correspondence information storage unit 1071 and an address correspondence information management unit 1072. The address correspondence information storage unit 1071 stores a fixed address search table 10711 shown in FIG. In the table, a user ID, a fixed IP address, a user URI, and the like are entered. Further, the address correspondence information management unit 1072 of the address search unit 107 includes the domain aaa. aaa. It manages JP.
<Configuration of terminal 3>
FIG. 6 shows the configuration of the terminal 3a. The terminal 3a includes a network interface (NIF) 31, an OS 32, and a plurality of applications 35a and 35b. The OS 32 includes a communication control unit 33.

The communication control unit 33 includes an address management unit 331, a packet processing unit 332, and a session management unit 333. The address management unit 331 includes a memory for storing an address holding table 3311 and a source address correspondence table 3312 as shown in FIGS. An IP address, an address type, and the like are entered in the table 3311. In the table 3312, a destination address, a port number, a used address, and the like are entered. The packet processing unit 332 includes a memory that stores a source address assignment table 3321 as shown in FIG. In this table, a destination address, a port number, a source address, and the like are entered. The communication partner terminal 3b is configured similarly.
<Example 1>
FIG. 10 is a sequence diagram in the first embodiment of the present invention. The first embodiment is an example in which DNS is used as the address search system 2. Further, the first embodiment is an example in which the terminal 3a accepts an incoming call from the terminal 3b by a dynamically generated one-time address. That is, this is an example in which the terminal 3a is the receiving source (incoming side) and the terminal 3b is the transmitting source (outgoing side).

First, in step S101, the terminal 3a is connected to the network 5 via the router 4a and set to a state where IP communication is possible. That is, registration of a fixed address (X :: 1) to the terminal 3a and setting of a routing table to the router 4a are performed between the terminal 3a and the router 4a. As an address registration mechanism, an IP address is automatically generated with a router, an IP address is directly set from the router 4a to the terminal 3a, and a stateless address automatic setting (RFC2462) method, and an address is automatically generated by a DHCP server. A distribution (RFC1541) method can be considered. With either method, the terminal 3a acquires a fixed address from the router 4a, and the router 4a creates a routing table corresponding to the address of the terminal 3a.
Next, in step S102, the terminal 3a transmits a user registration request, user information (see FIG. 3), and address distribution policy information (see FIG. 4) to the one-time address distribution system 1 using the acquired fixed address. To do. The user information includes the user name of the user or terminal (terminal A), user ID (A), fixed IP address (X :: 1), Prefix value (X :: / 64) for creating an address, and address distribution policy. Information (list of IP addresses that may be notified of fixed addresses) is included. Note that the fixed IP address and the Prefix value can be substituted by the source address information included in the IP packet transmitted by the terminal 3a.

In step S103, when the one-time address distribution system 1 receives the user registration request and user information transmitted from the terminal 3a, it performs user registration.
User registration and address distribution policy registration will be described with reference to FIG. 11a.

  First, the user registration request and user information transmitted from the terminal 3a are supplied to the user information management unit 101 via the communication control unit 108 of the one-time address distribution system 1 in step S102, and the user information management unit Received. In step S103, the user information management unit 1011 follows the user registration request and enters the corresponding entry (user ID, fixed IP) in the user registration table 1021 in the user information storage unit 102 based on the received user information (see FIG. 3). Address, Prefix value). Note that the fixed IP address and Prefix value can also be collected and generated from the source header of the IP packet received from the terminal 3a.

  Next, the user information management unit 101 transmits the user ID and fixed IP address of the terminal 3 a to the address correspondence information management unit 1071 in the address search unit 107. The address correspondence information management unit 1071 generates a URI (A@aaa.aaa.jp) of the terminal 3 a from the received user identifier (user ID, fixed IP address), and an address search table 10721 in the address correspondence information storage unit 1072. Add an entry corresponding to.

  Further, the user information management unit 1071 transmits the address distribution policy information (see FIG. 4) of the terminal 3a to the address distribution policy management unit 103. Based on the received address distribution policy information, the address distribution policy management unit 103 creates an address distribution policy table 1041 of the terminal 3a in the address distribution policy storage unit 103 as shown in FIG.

  Next, the address correspondence information management unit 1071 transmits the completion of registration of the address correspondence information and the URI (A@aaa.aaa.jp) of the terminal 3a to the user information management unit 101.

  Next, when registration completion communication is received from the address correspondence information management unit 1071 in step S104, the user management unit 101 transmits URI information and a user registration completion notification to the terminal 3a.

  Thus, user registration and address distribution policy registration are executed.

  Next, in step S105, the terminal 3b of the terminal 3a acquires the URI (A@aaa.aaa.jp) of the terminal 3a in advance with respect to the address search system 2 in step S105. The IP address corresponding to is inquired. The terminal 3b acquires the URI (A@aaa.aaa.jp) of the terminal 3a in advance.

In the case of the present embodiment, since DNS is adopted as the address search system (address disclosure system) 2, the address search unit 107 in the one-time address distribution system 1 operates as a DNS server to which the terminal 3a belongs. By domain inquiry and reply with a single or plural DNS servers in the address disclosure system 2, the terminal 3b finally sends the URI of the terminal 3a to the one-time address distribution system 1 (A@aaa.aaa. inquires about the IP address corresponding to jp).
Hereinafter, the inquiry about the IP address of the terminal 3a from the terminal 3b will be described with reference to FIG.

The address information management unit 1071 that has received the address inquiry from the terminal 3 b transmits the user ID (A) of the terminal 3 a and the IP address (Z :: 1) of the terminal 3 b to the address distribution policy management unit 103. In step S107, the address distribution policy management unit 103 searches the address distribution policy table 1041 (see FIG. 4) of the terminal 3a stored in the address distribution policy storage unit 104 for a policy entry corresponding to the terminal 3b.
In the case of this embodiment, the IP address for the terminal 3b relating to the user ID (A) is a one-time address (X :: 1234: 1234: 1234: 1234 in FIG. 9). The address distribution policy management unit 103 transmits a policy search result to the address correspondence information management unit 1071. Upon receiving the policy search result, the address correspondence information management unit 1071 transmits a one-time address generation request and the user ID (A) of the terminal 3a to the address generation unit 105.

  In step 108, the address generation unit 105 that has received the one-time address generation request and the user ID of the terminal 3a generates a one-time address and transmits a one-time address registration request to the terminal 3a.

  One-time address generation will be described with reference to FIG. 11c.

  Upon receiving the one-time address generation request and the user ID (A) of the terminal 3a, the address generation unit 105 sends the Prefix value inquiry request of the terminal 3a and the user ID (A) of the terminal 3a to the user information management unit 101. Send. The user information management unit 101 that has received the inquiry request from the address generation unit 105 searches the user registration table 1021 in the user information storage unit 102 for a Prefix value corresponding to the user ID (A), and this Prefix value (X: : / 64) is transmitted to the address generator 105. The address generation unit 105 that has received the Prefix value generates a one-time address to be used by the terminal 3a by combining the value of the lower 64 bits of the IP address generated using a random number and the Prefix value. In step S108, the address generation unit 105 confirms that an entry in the address generation history table (not shown) stored in the address generation history information storage unit 106 does not have the same one-time address as generated. An entry corresponding to the one-time address is added to the address generation history table. At this time, if the generated address is currently used or has already been used, the one-time address may be regenerated.

  Next, after generating the one-time address, the address generation unit 105 transmits the one-time address registration request and the generated one-time address information to the terminal 3a in step S109.

  Upon receiving the one-time address registration request and the generated one-time address information in step S110, the address management unit 331 of the terminal 3a adds a new entry to the IP address holding table 3311 stored in the address management unit 331. .

  Next, in step S111, when the registration of the one-time address is completed, the address management unit 331 transmits a one-time address registration completion notification to the one-time address distribution system 1.

  In addition, when the one-time address registration completion notification is received from the terminal 3a, the address generation unit 105 notifies the address information management unit 1071 that the one-time address generation and registration has been completed.

  Thereafter, in step S112, the address information management unit 1071 returns the generated one-time address to the terminal 3b as an address corresponding to the URI (A@aaa.aaa.jp) of the terminal 3a.

  The one-touch address generation, one-touch address registration to the terminal 3a, and address notification to the terminal 3b are thus completed.

  After acquiring the one-time address of the terminal 3a, the terminal 3b establishes a communication session with the terminal 3a using the acquired one-time address in steps S113 to S115. That is, the terminal 3b makes a communication session request SYN with a one-touch address with the terminal 3a in step S113, receives a communication session response SYNACK from the terminal 3a in step 114, and starts a communication session ACK in step 115. .

  When the communication is completed, the terminal 3b and the terminal 3a perform session termination processing in steps S116 to S119. That is, when the session management unit 333 message FIN, ACK of the terminal 3a is received, that is, when the session end is identified, the one-time address information used in the ended session is transmitted to the address management unit 331. In step S120, the address management unit 331 that has received the one-time address information deletes, discards, or manages the corresponding entry from the IP address holding table 3311 (see FIG. 7) of the management unit.

  In the first embodiment, the one-time address distribution history system 106 is controlled by the one-time address distribution system 1. For example, simultaneously with the deletion of the one-time address in the terminal 3a, the terminal 3a notifies the address distribution system 1 that the one-time address has been used, and the address generation history information storage unit 106 in the one-time address distribution system 1 has already used the one-time address. Moved to entry.

  As another embodiment, the one-time address distribution system 1 may be configured such that the one-time address distributed after a lapse of a certain time is transferred to a used entry in the address generation history information storage unit 106. In that case, the time (aging time) to be transferred to the used entry may be determined based on designation from the terminal or setting as a system parameter.

  As another embodiment, an embodiment in which only the address generation history is managed for the one-time address generated and given by the address generation history information storage unit 106 may be used.

  FIG. 12 is a sequence diagram in the second embodiment of the present invention. In the second embodiment, SIP is used as the address search system 2. Further, similarly to the first embodiment, the terminal 3a is an example in which an incoming call from the terminal 3b is received by a dynamically generated one-time address.

  The fixed address registration (S201) in step 201, the user registration request and user information transmission in step S202, the user registration in step S203, and the user registration completion notification in step S204 are performed in steps S101, S102, and S103 of the first embodiment. The same as step S104. Therefore, the description is omitted.

  Hereinafter, session establishment between the terminal 3b and the terminal 3a will be described.

  In step S205, the terminal 3b that has acquired the URI (A@aaa.aaa.jp) of the terminal 3a in advance includes the URI of the terminal 3a (A@aaa.aaa.jp) in step S205. An establishment request message INVITE is transmitted to establish a communication session.

  In the present embodiment, since SIP is adopted as the address search system (address disclosure system) 2, the signaling processing unit 109 (see FIG. 2) in the one-time address distribution system 1 is the SIP proxy to which the terminal 3a belongs. Acts as a server. The address search unit 107 operates as a location server for the signaling processing unit 109. In step S206, the communication session establishment request message is finally received by the signaling processing 109 in the one-time address distribution system 1 through a relay between one or more SIP servers in the address disclosure system 2. . The signaling processing unit 109 inquires of the address correspondence information management unit 1071 about the IP address corresponding to the URI (A@aaa.aaa.jp) of the terminal 3a and transmits the IP address of the terminal 3b. The address information management unit 1071 that has received the address inquiry from the terminal 3 b transmits the user ID (A) of the terminal 3 a and the IP address of the terminal 3 b to the address distribution policy management unit 103.

  Policy search in step S209, one-time address creation in step S210, one-time address registration request in step S211, one-time address registration in step S212, one-time address registration completion notification in step S213, etc. This is the same as Step S107, Step S108, Step S109, Step S110, and Step S111. Therefore, the detailed description is abbreviate | omitted.

  Hereinafter, the sequence after the one-time address completion notification in step S213 will be described.

  When the address generation unit 105 of the one-time address distribution system 1 receives the one-time address registration completion notification from the terminal 3a in step S213, the generation and registration of the one-time address is completed with respect to the address information management unit 1071. Notify that. The address information management unit 1071 returns the generated one-time address to the signaling processing unit 109 as an address corresponding to the URI (A@aaa.aaa.jp). In step S214, the signaling processing unit 109 transmits a session request message to the terminal 3a using the one-time address.

  Next, in step S215, the terminal 3a transmits a session request acceptance message including the one-time address information to the one-time address distribution system 1.

  Upon receiving the session request acceptance message, the signaling processing unit 109 transfers the session request acceptance message of the terminal 3a to the address search system 2 in step S216.

  In step S217, the address search system 2 transmits a session request acceptance message to the terminal 3b via a single server or a plurality of servers.

  In step S218, the terminal 3b transmits to the address search system 2 a message that it has received a session request acceptance message.

  Then, the message that the session request acceptance message has been received is transmitted to the terminal 3a via the address search system 2 and the signaling processing unit 109 in the one-time address distribution system 1 in steps S219 and S220. .

  With the above steps, communication session preparation between the terminal 3b and the terminal 3a can be started.

  Next, in step S221, by making a call from the terminal 3b to the terminal 3a, a communication session that arrives at the terminal 3a is established, and communication is performed.

In step S222, when the communication session is terminated, for example, in this embodiment, when the session is terminated from the terminal 3a, the terminal 3a sends a session termination request message BYE to the signaling unit 109 of the one-time address distribution system 1. Send.
In step S223, the signaling unit 109 transfers the received session end request message BYE to the address search system 2.

  In step S224, the address search system 2 transfers the received session end request message BYE to the terminal 3b.

In step S225, the terminal 3b transmits a session end request acceptance message OK to the address search system 2. The session end request acceptance message is transmitted to the terminal 3a via the address search system 2 and the signaling unit 109 in steps S226 and S227. Thus, the communication session ends.
The one-time address deletion / discard of step S228 is the same as step S120 of the first embodiment. Therefore, the description is omitted.

  In this embodiment, the IP address is changed for each IP address of the session / communication partner at the time of outgoing call.

  FIG. 13 is a sequence diagram according to the third embodiment of the present invention, and FIG. 14 is a detailed sequence of the communication session start request and filtering. The third embodiment is an example in which the terminal 3a is a transmission source (originating side) and the communication to the terminal 3b is performed using a one-time address dynamically generated based on an address distribution policy. .

  13 and 14, the fixed address registration in step S301, the user registration request and user information transmission in step S302, the user registration in step S303, the user registration completion notification in step S304, the steps S101 and S102 in the first embodiment. , Step S103 and step S104. Therefore, the description is omitted.

  In this embodiment, the address distribution policy 1 is registered in the address management unit 331 in the terminal 3a as a source address assignment policy, so that the one-time address distribution policy is not registered in the one-time address distribution system 1. Good.

  Next, in step S306, the terminal 3a transmits to the OS 32 of the terminal 3a. Here, the terminal 3a captures the IP address of the terminal 3b in advance in the application 34a in the terminal 3a (in this embodiment, the HTTP protocol is used).

Thereby, the application 34a transmits the IP address of the terminal 3b, the destination port number (80), and the datagram to the address management unit 331 and the communication control unit 33 of the OS 32 in order to start a communication session with the terminal 3b. .
In step S307, the address management unit 331 in the communication control unit 33 searches the source address correspondence table 3312 (see FIG. 8) for an entry corresponding to the received pair of the IP address and destination port number of the terminal 3b. In the case of the present embodiment, the policy corresponds to “address any, port number 80, one-time address”.

  The address management unit 331 transmits a one-time address creation request and a user ID (A) to the one-time address distribution system 1 based on the corresponding policy.

  Next, the user information management unit 101 in the one-time address distribution system 1 retrieves the Prefix value corresponding to the user ID (A) from the user registration table 1021 (see FIG. 3) in the user information storage unit 102, and the address The data is transmitted to the generation unit 105.

  In step S309, the address generation unit 105 that has received the Prefix value generates a one-time address used by the terminal 3a by combining the value of the lower 64 bits of the IP address generated using a random number and the Prefix value. The address generation unit 105 confirms that the entry in the address generation history table stored in the address generation history information storage unit 106 is not the same as the generated one-time address, and adds an entry corresponding to the generated one-time address. To do. At this time, if the generated address is currently used or has already been used, the one-time address may be regenerated.

  In step S310, the address generation unit 105 transmits a one-time address registration request and the generated one-time address information to the terminal 3a.

  Upon receiving the generated one-time address information in step S311, the address management unit 331 of the terminal 3a adds a new entry to the IP address holding table 3311 (see FIG. 7) stored in the address management unit 331, and The IP address, port number (80), and one-time address (X :: 1234: 1234: 1234: 1234) of the user terminal 3b are transmitted to the packet processing unit 332. The packet processing unit adds an entry to the source address assignment table 3321 (see FIG. 9) based on the received information.

When the one-time address registration is completed in step S312, the address management unit 331 may transmit a one-time address registration completion notification to the one-time address distribution system 1.
The IP packet processing unit 332 during the communication session searches the source address assignment table 3321 (see FIG. 9) based on the combination of the destination address and the destination port number transmitted from the address management unit 331, A source address is selected based on the corresponding entry, and an IP header is generated. The datagram is encapsulated by the generated IP header and transmitted to the network interface 31 1.

  Here, establishment of the communication session in steps S313 to S315 and termination of the communication session in steps S316 to S319 are the same as steps S113 to 119 of the first embodiment, respectively. Therefore, the description is omitted.

When the session management unit 333 of the terminal 3 a receives the communication session end message FIN in step S 318, the one-time address information used in the ended session is transmitted to the address management unit 331 and the IP packet processing unit 332. To do. The address management unit 331 that has received the one-time address information deletes the corresponding entry from the IP address holding table 3311. The IP packet processing unit 332 deletes the corresponding entry from the source address assignment table 3321 in step S320.
In the above three embodiments, the case where a one-time address is used has been described. However, by registering a communication partner with a fixed address in the address distribution policy, communication using a fixed address is possible. It is also possible to simultaneously perform communication using a one-time address and communication using a fixed address.

The embodiment of the present invention has been described only when the one-time address is distributed to one terminal involved in the communication session. However, the method of the present invention can also be applied to the use of a one-time address for both terminals involved in a communication session, and can also be applied to n (plural) to m communication and one to m (multiple) communication other than one-to-one communication. Obviously it is possible.
In some embodiments, the method of the present invention is applied only in communication with a specific terminal. In this case, it is possible to set up a database for identifying terminals and use one-time addresses for address search requests or address notification requests from specific terminals. This embodiment has an effect that a communication session using a one-time address is possible only for a specific terminal.

Further, as another embodiment of the present invention, when a specific communication application is executed in the originating terminal, there is a configuration in which a one-time address is requested and used as an address used for a communication session for executing the application. In this embodiment, there is an effect that it is possible to use one-time addresses properly according to applications.
As described above, when the IP address of the terminal remains in the communication partner's terminal by dynamically generating and using a one-time IP address for a communication session that meets a specific condition However, it is possible to avoid unnecessary communication using the IP address again after the communication is completed. In addition, even if the IP address used after the communication ends is illegally obtained from a communication partner terminal by a third party and the third party uses the IP address to attempt a DOS attack, the terminal is not damaged. It is also possible to prevent the terminal from being used as a platform.

1 is an overall configuration diagram of a system according to an embodiment of the present invention. It is a block diagram of a one-time address distribution system. It is a figure which shows an example of the user registration table which the one-time address distribution system hold | maintains. It is a figure which shows an example of the address delivery policy table of the user A which a one-time address delivery system hold | maintains. It is a figure which shows an example of a fixed address table. It is a figure which shows the structure of a terminal. It is a figure which shows an example of the address holding table which a terminal hold | maintains. It is a figure which shows an example of the source address correspondence table which a terminal hold | maintains. It is a figure which shows an example of the source address provision table which a terminal hold | maintains. It is a sequence diagram for demonstrating distribution and deletion of the one-time address in a 1st Example. It is a user registration sequence. It is an address distribution policy registration sequence. It is a one-time address generation sequence diagram. It is a sequence diagram for demonstrating delivery and deletion of the one-time address in a 2nd Example. It is a sequence diagram for demonstrating the distribution and deletion of the one-time address in a 3rd Example. FIG. 14 is a sequence diagram of a communication session start request and filtering in FIG. 13.

Explanation of symbols

1: One-time distribution system 2: Address search system 3a, 3b: Terminal 4a, 4b: Router 5: Network 101: User information management unit 102: User information storage unit 103: Address distribution policy management unit 104: Address distribution policy storage unit 105: Address generation unit 106: Address generation history information storage unit 107: Address search unit 1071: Address correspondence information management unit 1072: Address correspondence information storage unit 108: Communication control unit 109: Signaling processing unit 1021: User registration table 1041: User A's address distribution policy table 31: NIF
32: OS
33: Communication control unit 331: Address management unit 332: Packet processing unit 333: Session management unit 34a, 34b: Application 3311: Address holding table 3312: Source address correspondence table 3321: Source address assignment table

Claims (24)

In a communication system that enables communication between terminals, such as a network that connects a plurality of terminals and the plurality of terminals or the Internet that interconnects a plurality of networks,
In the network or the Internet, an address that enables a communication session between the terminals in the network or the Internet is generated in response to a request from the terminal when communicating between the plurality of terminals. An address distribution system for distributing the generated address to the requesting terminal based on the address distribution request from the terminal or the address notification request from the second terminal is provided, and the first terminal on the address distribution request side In response to the request for registration of the distribution address and the registration of the first terminal on the address distribution request side based on the end of the communication session between the first and second terminals based on the distribution address. A communication system, wherein a distribution address is discarded or managed as used. The communication system according to claim 1, wherein registered address management in the terminal is performed based on address generation history information in the address distribution system. In a system comprising a plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, a communication session between the terminals is enabled in the network or the Internet in response to a request from the terminals A step of generating an address, and a step of distributing the generated address to the requesting terminal based on a request for distributing the generated address from the first terminal of the terminal or a notification request for the generated address from a second terminal. And registering with the first terminal on the distribution address distribution request side, and the second terminal of the terminal based on the distribution address registration completion notification from the first terminal receiving the distribution address. A step of notifying the distribution address of one terminal, and a communication security between the first and second terminals. The distribution address registered in the first terminal on the side receiving the distribution address based on the end of the communication session is discarded or managed when the communication session ends. Communication method. 4. The communication method according to claim 3, wherein the registered address management at the terminal is performed based on address generation history information at the distribution address. In a system consisting of a plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, the network or an address used in the Internet corresponds to the start of a communication session between the plurality of terminals. A one-time address distribution system having an address management unit that distributes to any of the plurality of terminals and discards or manages the distribution address as used in response to the end of the communication session. A communication method using a one-time address, wherein the management unit of the distribution system recognizes the start of the communication session based on an address search request for the terminal from the address search system. In a system consisting of a plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, the network or an address used in the Internet corresponds to the start of a communication session between the plurality of terminals. A one-time address management system that distributes to any of the plurality of terminals and discards or manages the distribution address as used in response to the end of the communication session. A communication method using a one-time address, which recognizes the start of the communication session based on an address distribution request by any of the terminals. The communication method according to claim 5, wherein the address search system is a domain name system. 6. The communication method according to claim 5, wherein the address search system is a system based on a session initiation protocol. In a system comprising a plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, a one-time address used in the network or the Internet is used for a communication session between the plurality of terminals. Distribute to one of the plurality of terminals in response to the start, discard or manage the distribution address as used in response to the end of the communication session, and manage the distribution address in the one-time address distribution system. A communication method using a one-time address, which is based on address generation history information. 10. The one-time address communication method according to claim 9, wherein the address generation history information is managed by identifying a used state of the distribution address or a used state of the distribution address. 10. The one-time address communication method according to claim 9, wherein the address generation history information is managed as a used address based on a lapse of a predetermined time after the distribution address is distributed. In a system comprising a plurality of terminals and a network that connects the plurality of terminals or the Internet that interconnects the plurality of networks, communication of a specific communication application between the plurality of terminals by using an address used in the network or the Internet A communication method using a one-time address, which is distributed to any of the plurality of terminals in response to the start of a session, and is discarded or managed as the used address corresponding to the end of the communication session. In a system comprising a plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, an address used in the network or the Internet is communicated with a specific terminal among the plurality of terminals In this case, it is distributed to any of the terminals involved in the communication session in response to the start of the communication session with the specific terminal, and the distribution address is discarded as used in response to the end of the communication session. Alternatively, a communication method using a one-time address characterized by managing. In the method for identifying the specific terminal, an address used in the network or the Internet is distributed to any of the plurality of terminals in response to the start of a communication session between the plurality of terminals, and the communication session 14. The database search for identifying the specific terminal provided in the one-time address management system that discards or manages the distribution address as used in response to the termination of the one-way address, Communication method by time address. 14. The one-time address according to claim 13, wherein the method for identifying the specific terminal is a database search for identifying the specific terminal included in the originating terminal among the plurality of terminals. Communication method. In a system consisting of a plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, the network or an address used in the Internet corresponds to the start of a communication session between the plurality of terminals. One-time address management that distributes to any one of the plurality of terminals, some of the plurality of terminals, or all terminals, and discards or manages the distribution address as used in response to the end of the communication session A communication method using a one-time address characterized by having a system. A one-time address distribution system provided in a network connecting a plurality of terminals and the plurality of terminals or in the Internet interconnecting a plurality of networks,
A one-time address generation unit that generates a one-time address that enables a communication session between the terminals in the network or the Internet in response to a request from a calling terminal in communication between the plurality of terminals; A one-time address distribution unit that distributes a time address to the called or calling terminal of the terminal, and a registration request for the distribution address to the called or calling terminal on the side to which the one-time address is distributed And a one-time notification for notifying the calling side or called side terminal of the one-time address based on a registration completion notification of the one-time address at the called side terminal or the calling side terminal And a registered one-time address of the callee or caller terminal based on the end of the communication session between the caller and the callee terminal One-time distribution system, characterized by comprising a discard unit or management unit discards or managed as spent. The one-time distribution system includes a user information management unit, a user information storage unit, an address search unit, an address distribution policy management unit, an address distribution policy storage unit, and an address generation unit.
The user information management unit stores user information from the terminal in a user information storage unit based on a user registration request of the called or calling terminal, and stores the user ID and fixed IP address of the user information in the address Which is sent to the search department,
The address search unit includes an address correspondence information management unit and an address correspondence information storage unit, and the URI of the callee or caller terminal based on the user ID and fixed IP address of the callee or caller terminal. And storing the URI in the address correspondence information storage unit, sending the address distribution policy information to the address policy distribution management unit,
Further, based on the inquiry of the IP address corresponding to the URI of the called or calling terminal from the calling or called terminal, the user ID of the called or called terminal, the called party Alternatively, the IP address of the calling terminal is transmitted to the address distribution policy management unit, a policy search result by the address distribution policy management unit is received, and the address generation unit is requested to generate a one-time address,
Further, based on the one-time address generation and registration completion notification from the address generator, the one-time address is answered as an address corresponding to the URI to the called or calling terminal.
The address distribution policy management unit creates an address distribution policy table for the called or calling terminal based on the address distribution policy information of the called or calling terminal, and stores the address distribution policy table in the address distribution policy storage unit. ,
Further, the address distribution policy storage unit is searched based on the user ID of the called or calling terminal and the IP address of the called terminal, and the search result is transmitted to the address searching unit,
The address generation unit may query the user information management unit for a Prefix value of the called or calling terminal based on the one-time address generation request and the user ID of the called or calling terminal. The user ID user is transmitted, a one-time address is generated based on the search Prefix value at this time, the generated address is distributed to the called side or calling side terminal, and the registration request is made. One-time address generation and registration completion notification to the address search unit with a one-time address registration completion notification
The one-time address distribution system according to claim 17. A plurality of terminals and a network connecting the plurality of terminals or the Internet interconnecting the plurality of networks, and a one-time address provided in the network or the Internet and distributing a one-time address based on a request from the terminal In a terminal used for a communication system comprising a distribution system,
The interface unit for connecting to the network, a communication control unit, and an application unit, the communication control unit comprises an address management unit, a session management unit,
The session control unit of the communication control transmits user information and address distribution policy information to the one-time address distribution system and executes a user registration request. The terminal URI information and one-time address generated by the one-time address distribution system A communication terminal configured to receive information, register the one-time address information in the address management unit, and delete or manage the registered one-touch address based on the end of a communication session between the terminals . In a system comprising a plurality of terminals connected and a network that enables communication between the terminals or the Internet that connects a plurality of networks to each other,
Provide a one-time address distribution system in the network or the Internet,
The one-time distribution address creates a one-time address used in the network or the internetwork based on an inquiry from a second terminal on the address inquiry side of the terminal, and the one-time address is used as the inquiry. Making a one-time address registration request to the first terminal to communicate with the second terminal on the side, notifying the second terminal of the one-time address based on the one-time address registration completion notification of the first terminal, Based on a communication session request from the second terminal, the communication session between the first and second terminals can be started using the one-time address, and the communication session between the first and second terminals can be ended. The one-time address registered in the first terminal is deleted and discarded or managed based on the one-time address. Communication system according to claim. The one-time address distribution system includes a user information management unit that manages and stores user information from the first terminal, a user information storage unit, and an address distribution policy that manages and stores address distribution policy information from the first terminal. A management unit, an address distribution policy storage unit, and an address for searching for the address distribution policy information and creating the one-time address when an inquiry about the address of the first terminal is made from the second terminal via an address search system A search unit, an address generation unit, and a communication control unit for executing communication between the first terminal or the second terminal,
The first terminal includes an interface unit for connecting to the network, a communication control unit, and an application unit. The communication control unit includes an address management unit and a session management unit.
The session control unit of the communication control transmits user information and address distribution policy information to the one-time address distribution system and executes a user registration request. The terminal URI information and one-time address generated by the one-time address distribution system 21. The communication according to claim 20, configured to receive information, register the one-time address information in the address management unit, and delete or manage the registered one-touch address based on termination of a communication session between terminals. system. In a system comprising a plurality of terminals connected and a network that enables communication between the terminals or the Internet that connects a plurality of networks to each other,
Provide a one-time address distribution system in the network or the Internet,
The one-time distribution address creates a one-time address used in the network or the internetwork based on a one-time address creation request from the first terminal, and sends the one-time address to the first terminal. A first-time address registration completion notification of the first terminal 3a, and a communication session between the first and second terminals using the one-time address based on a communication session request from the first terminal. The one-time address registered in the first terminal is deleted and discarded or managed based on the end of the communication session between the first and second terminals. Communications system. A one-time address distribution system is provided in a network in which a plurality of terminals are connected and enables communication between the terminals or in the Internet connecting a plurality of networks to each other, and the one-time address is transmitted from the one-time address distribution system to the terminal Is a method of distributing
Creating a one-time address to be used in the network or the internetwork based on an inquiry from a second terminal on the address inquiry side of the terminal;
Making a one-time address registration request to the first terminal to communicate with the second terminal on the inquiry side,
Notifying the second terminal of the one-time address based on the one-time address registration completion notification of the first terminal;
Starting a communication session between the first and second terminals using the one-time address based on a communication session request from the second terminal;
A one-time address distribution method, wherein the one-time address registered in the first terminal is deleted and discarded or managed based on termination of a communication session between the first and second terminals. A one-time address distribution system is provided in a network in which a plurality of terminals are connected and enables communication between the terminals or in the Internet connecting a plurality of networks to each other, and the one-time address is transmitted from the one-time address distribution system to the terminal Is a method of distributing
The one-time distribution address creates a one-time address used in the network or the internetwork based on a one-time address creation request from the first terminal 3a,
Notifying the first terminal of the one-time address;
Upon receiving a one-time address registration completion notification of the first terminal, a communication session between the first and second terminals using the one-time address based on a communication session request from the first terminal 3 and the like,
A one-time address distribution method, wherein the one-time address registered in the first terminal is deleted and discarded or managed based on termination of a communication session between the first and second terminals.

Images