JP2007226620A - Home gateway device and accounting management system for network system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a home gateway device and an accounting management system for a network system, assuring security or managing accounting information same as in a conventional BRAS (Broadband Remote Access Server) without using the BRAS, in a DHCP (Dynamic Host Configuration Protocol)-based system. <P>SOLUTION: This home gateway device connected to the network system having a management server managing a communication amount in each terminal is provided with: a switch means; a measurement means measuring the traffic of the terminal connected to the switch means; and a notification means notifying the management server of the traffic measured by the measurement means. The notification means notifies the management server of the traffic at predetermined time intervals. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to Internet access technology, and more particularly, to an in-home gateway apparatus that performs access control without using BRAS (Broadband Remote Access Server) and an accounting management system for a network system.

2. Description of the Related Art Recently, PPPoE (Point to Point Protocol over Ether) has been widely used as a broadband access method in rapidly developing Internet services, and user authentication has been performed by a BRAS server.
In general, when the BRAS performs authentication, first, a session is established by PPPoE between a terminal such as a router on the user side and the BRAS. In the next PPPoE session stage, a PPP session is started, negotiation by an LCP (Link Control Protocol) packet is performed, and an authentication protocol is requested from the terminal. Once an authentication protocol such as PAP (Password Authentication Protocol) or CHAP (Challengage Handshake Authentication Protocol) is determined, authentication information is sent from the terminal to the BRAS, and the BRAS authenticates whether the terminal requesting the connection is an authorized user. Do. When the authentication is successful, the IP address of the BRAS is notified by an IPCP (IP Control Protocol) packet. The terminal side requests an IP address from the BRAS, and the IP address is issued from the BRAS. In this way, Internet access by IP becomes possible.

Also, in PPPoE, after authentication, keep alive is performed to check whether or not the connection is alive. Once disconnection is detected, re-authentication is required, and an unauthorized user impersonates a legitimate user and connects. To prevent.
Such a conventional network system and accounting method will be described with reference to FIG. In conventional PPPoE authentication, devices such as a personal computer (PC) 607, a broadband (BB) router 608, or a VoIP (Voice over IP) adapter 609 connected to the line terminators 112 to 114 are connected to the concentrator 604 and the aggregation SWs 106 and 602. It has been authenticated by the BRAS 601 connected via. Since the connection to the IP network 100 after authentication also passes through the BRAS 601, all communication of the terminal is concentrated in the BRAS 601.

On the other hand, for accounting management, since all services are used via the BRAS 601, the BRAS 601 uses a PPPoE session for each service (video access service such as Internet access, IP phone, and VOD) used by each terminal. Established and measured and recorded the traffic for each user or service.
As described above, the conventional BRAS not only functions as an original access router but also performs terminal management such as user authentication, accounting management, and IP allocation. Along with the increase, the load of BRAS becomes higher and a system that replaces the expensive centralized management of BRAS is demanded.

  In addition, the RADIUS (Remote Automation Dial-In User Service) server may perform the BRAS without performing user authentication. In this case, after establishing the PPPoE session, the authentication information sent from the terminal by PPPoE is converted into a RADIUS packet by BRAS and sent to the RADIUS server of the service provider used by the user. When the authentication with the RADIUS server is successful, the BRAS issues an IP address, and manages and controls the established session. Such authentication and accounting by the RADIUS server are described in detail in a standard document (Non-patent Documents 1 and 2) defined by the industry organization IETF (Internet Engineering Task Force).

Non-Patent Document 3 proposes distributed management using an edge switch as a method to replace BRAS.
RFC 2865 (RADIUS certification) RFC 2866 (RADIUS accounting) “FUJITSU ACCESS REVIEW Vol.13 No.1” (p45-51)

  However, the conventional technology as described above has an advantage that all communication of the user passes through the BRAS and is easy to manage. However, the processing capability of the BRAS is limited. In the conventional PPPoE connection, each user is authenticated by BRAS, and all user communications are aggregated into BRAS and performed via BRAS. Therefore, even if the capacity of an access relay network below BRAS is increased, the BRAS capacity becomes a bottleneck. . Moreover, in order to increase the line capacity, it is necessary to increase the number of expensive BRAS installed, and there is a problem in terms of cost.

  In order to solve this problem, Non-Patent Document 3 proposes a method of performing IEEE 802.1x authentication using EAPoL (Extensible Authentication Protocol over LAN) on the edge side instead of performing PPPoE authentication with BRAS. However, in this case, a device that performs processing other than authentication, such as IP address assignment and accounting management, performed in BRAS, instead of BRAS is required. For example, even when an IP address is assigned by a DHCP (Dynamic Host Configuration Protocol) server, a mechanism for performing accounting management and security assurance is required.

  In accounting management, when an expensive BRAS is not used, it is necessary to measure a data communication amount per unit time of a user at any location in the system. Some concentrators can measure the amount of traffic for each user, but in order to measure the amount of traffic for each service, the contents of the data that passes through the concentrator must be analyzed and the performance of the concentrator. And cost.

  On the other hand, in the case of a system that performs IEEE 802.1x authentication, IEEE 802.1x authentication has a re-authentication function, but the RADIUS server authenticates a device to be authenticated (such as a home gateway) under the control of many concentrators. There is a problem that the traffic of re-authentication for the RADIUS server and the processing load become high, and this time, the performance of the RADIUS server becomes a bottleneck.

In terms of security, in the case of a system using IEEE802.1x authentication, a mechanism for preventing connection to an unauthorized device after being authenticated once is required, as in conventional PPPoE.
In view of the above problems, an object of the present invention is to provide an in-home gateway device that enables management of accounting information and security ensuring equivalent to those performed in a conventional BRAS without using a BRAS in a DHCP-based system, and It is to provide a network system accounting management method.

The invention according to claim 1 is an in-home gateway device connected to a network system including a management server that manages a communication amount for each terminal, and a measuring unit that measures the communication amount of a terminal connected to the switching unit. And a notification means for notifying the management server of the communication volume measured by the measurement means.
According to a second aspect of the present invention, in the residential gateway device according to the first aspect, the notifying unit notifies the management server of the communication amount at a predetermined time interval.

The invention according to claim 3 is characterized in that, in the in-home gateway device according to claim 1 or 2, authentication request means for performing IEEE 802.1x authentication by a supplicant is provided.
According to a fourth aspect of the present invention, there is provided an accounting management method for a network system that includes the residential gateway device according to any one of the first to third aspects and includes a management server that manages a communication amount for each terminal. It is characterized by comprising a concentrator having keep-alive means for periodically sending out and confirming the state of the session.

According to a fifth aspect of the present invention, in the accounting management method for the network system according to the fourth aspect, the concentrator is provided with a cutting means for disconnecting a session with the in-home gateway device, and the concentrator is periodically transmitted. When there is no response to the EAPoL, the disconnection unit disconnects the session.
The invention according to claim 6 is the network system accounting management method according to claim 5, wherein re-authentication request means for requesting re-authentication to the in-home gateway device is provided, and the concentrator is in session with the in-home gateway device. In the case where the home gateway device is disconnected, the re-authentication request means requests the re-authentication to the concentrator.

  In the present invention, even in a network system that does not use BRAS, the communication volume for each user and the communication volume for each service can be measured without imposing a load on the management server. In addition, accounting management can be performed when the home gateway device notifies the management server of the measured information or the management server requests the home gateway device. In particular, since the traffic volume is measured by the home gateway device closest to the user side, the load on these devices can be reduced compared to the case where the traffic volume is measured by an aggregation switch, a concentrator, etc., and the conventional BRAS is used. It is possible to collect information equivalent to the existing accounting management.

  Furthermore, by performing a keep-alive operation between the line concentrator and the home gateway apparatus, the line concentrator can detect disconnection, and the load on the accounting management server can be reduced. Further, since EAPoL is used for the keep alive operation, it is possible to prevent an access in which a keep alive frame is camouflaged, and to ensure the same security as the conventional one.

(First embodiment)
FIG. 1 shows a network system of “accounting management method for home gateway apparatus and network system” according to the present invention, and mainly depicts an L3SW (layer 3 switch) 101 connected to an IP network (Internet network) 100. The L3SW 101 includes a DHCP server 102, a monitoring server 103 using SNMP (Simple Network Management Protocol), a RADIUS server 104 that performs accounting management, an automatic setting server 105 that automatically performs terminal firmware version upgrades, VoIP adapter settings, and the like. Is connected. In this embodiment, accounting management of the network system is realized by installing a home gateway device having an accounting function in the user home.

  Under the L3SW 101, layer 2 switches, aggregation SWs 106 to 108 for performing VLAN control, QoS control, and the like are connected. Below the aggregation SWs 106 to 108, in the case of an optical fiber network, an OLT (Optical Line) shown in the line concentrator 109 is provided. When the term (Terminal) is ADSL (Asymmetric Digital Subscriber Line), a DSLAM (Digital Subscriber Line Access Multiplexer) shown in the line concentrator 111, or a concentrator 110 of a CATV or other communication network is connected. Under the line concentrator (OLT) 109, line terminating units (ONU: Optical Network Units) 112 to 114 on the subscriber's home side are connected. Further, below the line concentrator (DSLAM) 111, a line terminating device (ADSL modem) 116 at the subscriber's house is connected. Alternatively, an in-house line termination device 115 corresponding to the line concentrator 110 is connected to another line concentrator 110 such as CATV.

  In-line gateway devices 117 to 119 according to the present invention are connected to each line terminating device on the subscriber's home side. The in-home gateway devices 117 to 119 have a broadband router function for connecting a plurality of personal computers, a VoIP adapter function for connecting IP telephones, and PCs 120 and 122 used in the subscriber premises and IP telephones 121 and 123. All communications such as are performed through the home gateway devices 117 to 119. In addition, the in-home gateway devices 117 to 119 manage the home LAN side with a private address, and the outside WAN side acquires a global address from a DHCP server and connects to it. Further, the in-home gateway devices 117 to 119 are equipped with a supplicant function for IEEE 802.1x authentication.

  Here, the home gateway device 117 will be described. The home gateway devices 118 and 119 have the same structure as the home gateway device 117. FIG. 2 is a block diagram of the in-home gateway device 117. The switch unit 201, the communication amount measuring unit 202, the notification unit 203, the authentication request unit 204, the network side connection port 205, the terminal side connection ports 206 and 207, and the VoIP adapter 208 are illustrated. And 209 and keep alive response means 210. The PC 120 or 122 is connected to the connection ports 206 and 207 on the terminal side, and the IP telephone 121 or 123 is connected to the VoIP adapters 208 and 209, respectively. The switch unit 201 routes packet data transmitted and received by the PCs 120 and 122 or the IP telephones 121 and 123 according to the destination.

  The communication amount measuring unit 202 measures the communication amount for each terminal of packet data passing through the switch unit 201 or for each service used by the terminal. For example, the Internet traffic access to the network side by the PC 120 was started at 10:00 and was connected for 50 minutes, or the communication volume such as a call from the IP telephone 121 was performed for 30 minutes from 12:10 was measured. Is done. The communication amount data measured by the communication amount measuring unit 202 is sent by the notification unit 203 via the switch unit 201 to the RADIUS server 104 that is an accounting management server.

Further, the notification unit 203 transmits the traffic data to the RADIUS server 104 even when the traffic data is requested from the RADIUS server 104.
On the other hand, the authentication request unit 204 sends an authentication request to the line concentrator (OLT) 109 when starting a session with the line concentrator (OLT) 109 or when the session is disconnected, and obtains authentication for session establishment.

  Furthermore, the keep alive response means 210 returns a response to the keep alive message by the EAPoL packet periodically sent from the line concentrator (OLT) 109. As a result, the line concentrator (OLT) 109 confirms that the in-home gateway device 117 is in session operation. If there is no response of the EAPoL packet from the home gateway device 117, the session with the home gateway device 117 is disconnected. When disconnected, the authentication request unit 204 requests re-authentication to the line concentrator (OLT) 109 in the same procedure as the authentication request as the re-authentication request unit. In this embodiment, for the sake of easy understanding, the keep-alive response unit 210 is provided as an independent block. However, the authentication request unit 204 using EAPoL may be performed.

As described above, the home gateway device according to the present embodiment has a function for measuring the amount of transmitted / received data passing through the WAN-side port, and the measured information is periodically notified to the accounting management server, or information is sent from the accounting management server. By collecting, it is possible to accumulate and manage the traffic for each user or service.
Next, the line concentrator (OLT) 109 will be described. The line concentrator 110 and the line concentrator (DSLAM) 111 have the same structure as the line concentrator (OLT) 109 except that the communication medium is different. FIG. 3 is a block diagram of the line concentrator (OLT) 109. 301 is a switch means, 302 is a disconnect means, 303 is a keep alive means, 304 is a network side connection I / F, 305 to 308 are terminal side connection I / Fs. F and 309 respectively indicate authentication means. The line concentrator (OLT) 109 here is an OLT for concentrating optical fiber lines, and line terminators (ONUs) 112 to 114 are connected to each connection I / F on the terminal side. Lines terminated at line termination units (ONUs) 112 to 113 are connected to in-home gateway devices 117 to 119, respectively, and terminals such as PCs and IP telephones are connected.

  The authentication unit 309 of the line concentrator (OLT) 109 inquires the RADIUS server 104 about the information included in the EAPoL start message sent from the in-home gateway device 117 and determines whether or not it is a registered regular user (terminal). Authenticate When authenticated by the authentication unit 309, the in-home gateway device 117 can communicate with the uplink side via the switch unit 301 of the concentrator (OLT) 109 and receives an IP address from the DHCP server 102.

  The keep alive means 303 of the line concentrator (OLT) 109 periodically sends an EAPoL packet to the in-home gateway device 117 via the line terminator 112 connected to the connection I / F 305, and the EAPoL packet from the in-home gateway device 117. Make sure you come back. If there is no response of the EAPoL packet from the home gateway device 117, the session with the home gateway device 117 is disconnected.

  Next, an operation sequence of the network system will be described. FIG. 4 is a diagram showing an authentication and accounting sequence of the home gateway apparatus 117. 1 denote the same components as those in FIG. First, the in-home gateway device 117 sends an EAPoL start message (401) to the concentrator (OLT) 109. The concentrator (OLT) 109 converts the EAPoL packet into a RADIUS packet (402) and includes a start message. The RADIUS server 104 is inquired whether the information is information registered in advance. In the case of registered regular users and devices, the RADIUS server 104 performs authentication, and returns an authentication message (403) as a RADIUS packet to the line concentrator (OLT) 109. The line concentrator (OLT) 109 converts the received authentication message (403) into an authentication message (404) of an EAPoL packet and returns it to the in-home gateway device 117.

  When authenticated by the RADIUS server 104, the in-home gateway device 117 can access the uplink side, requests the DHCP server 102 to issue an IP address via the L3SW 101, and issues an IP address from the DHCP server 102 ( 405). Thereafter, the home gateway device 117 accesses the automatic setting server 105 to acquire server information (406), and sets the VoIP adapters 208 and 209.

  Next, the home gateway device 117 notifies the RADIUS server 104, which is an accounting management server, of the start of communication (407), and enables Internet access (408, 410). Thereafter, the home gateway device 117 periodically notifies the RADIUS server 104 of the transmission / reception amount (407, 409, 411). Alternatively, the RADIUS server 104 may periodically request information from the home gateway device 117.

  In this embodiment, the accounting management server is the RADIUS server 104 and the in-home gateway device 117 is operated as a RADIUS client. However, in the in-home gateway device 117, the measurement information of the traffic is expanded MIB (Management Information Base) information. It is also possible to collect MIB information periodically from the SNMP manager of the monitoring server 103.

  In this way, by accounting on the home gateway device side for accounting for the traffic volume, even in a network that does not use BRAS, the traffic volume for each user and the traffic volume for each service can be reduced without imposing a load on the accounting management server. Measurement is possible. The measured information can be managed by the home gateway device notifying the accounting management server or the management server requesting the home gateway device.

In addition, by measuring the communication volume with the gateway device closest to the user side, it can be realized more easily than when measuring the communication volume with an aggregation switch, line concentrator, etc., and the load on these devices is also increased. This makes it possible to collect information equivalent to the accounting management using the conventional BRAS.
Concentrators such as OLT and DSLAM are equipped with a client function for IEEE 802.1x authentication, can perform IEEE 802.1x authentication for the downlink line, and connect only the authenticated terminal apparatus to the uplink line. .

  In particular, the residential gateway device according to the present embodiment has a VoIP adapter function for connecting an IP telephone and a broadband router function for connecting a plurality of personal computers. There is no need to prepare a new. Therefore, since a home gateway apparatus can be installed instead of such a conventional apparatus, a new physical space is not required, and the user's resistance to installation can be reduced.

(Second Embodiment)
Next, a second embodiment of the “home gateway device and network system and accounting management method” according to the present invention will be described. Since the configuration of the network system is the same as that of FIG. 1 of the first embodiment, the operation of the network system will be described here. FIG. 5 is a diagram showing the authentication and accounting sequence of the home gateway apparatus. The sequence of accounting start notification (407), data communication (408) and accounting information notification (409) is the same as that in the first embodiment.

  Even after the accounting start notification (407) is sent to the RADIUS server 104, the accounting information is periodically notified to the RADIUS server 104 (409), but the time interval is coarser than in the first embodiment. Instead, the in-home gateway device 117 performs a keep-alive operation with the concentrator (OLT) 109 at a preset short cycle. In the keep alive operation, the EAPoL packet (501) is sent from the keep alive means 303 of the concentrator (OLT) 109 to the in-home gateway apparatus 117, and the keep alive response means 210 of the in-home gateway apparatus 117 that receives the EAPoL packet (502) ) To the line concentrator (OLT) 109. Similarly, in response to the EAPoL packet (503) of the line concentrator (OLT) 109, the home gateway apparatus 117 returns the EAPoL packet (504) to the line concentrator (OLT) 109, and the EAPoL packet (506) of the line concentrator (OLT) 109 The home gateway device 117 returns an EAPoL packet (507) to the line concentrator (OLT) 109.

  Here, the EAPoL packet (505) may be periodically returned from the residential gateway device 117 to the line concentrator (OLT) 109. If the EAPoL packet is not returned from the home gateway device 117 within a predetermined time with respect to the EAPoL packet (508) of the line concentrator (OLT) 109, the keep alive means 303 of the line concentrator (OLT) 109 It is determined that the gateway device 117 is not operating. Ping may be used instead of EAPoL, but it is desirable to use encrypted EAPoL for security.

When the keep alive means 303 of the line concentrator (OLT) 109 detects a non-operating terminal, the disconnecting means 302 closes the communication path with the in-home gateway device 117 and puts it into an unauthenticated state. When the home gateway device 117 performs communication again, the authentication request unit 204 of the home gateway device 117 makes a re-authentication request.
When the accounting information is periodically notified from the home gateway device 117 to the RADIUS server 104, the method of acquiring the IP address of the RADIUS server 104 is, for example, immediately after the home gateway device 117 acquires the IP address from the DHCP server 102. In addition, there is a method of accessing an IP address designated in advance (embedded in the home gateway device 117 in advance) and notifying the IP address of the RADIUS server 104.

In a general network system, in order to save the user's trouble, a method of accessing the automatic setting server 105 in which firmware version upgrade or VoIP adapter setting is determined in advance is employed. If such an automatic setting server 105 is accessed to notify the address, the above method does not require additional equipment.
Thus, in IEEE802.1x re-authentication, the load distribution to the edge side can be achieved by using the keep-alive function by EAPoL, so that the load on the RADIUS server 104 as an accounting server can be greatly reduced. Can do. In particular, since the re-authentication interval of heavy IEEE 802.1x is coarsened and the keep alive operation is performed with the line concentrator (OLT) 109 at a fixed period, the re-authentication of IEEE 802.1x is frequently performed. Equivalent security can be ensured.

  In addition, since EAPoL is used instead of simple Ping for the keep alive operation, access in which a keep alive frame is camouflaged can be prevented, and security is improved.

It is a block diagram of the network system which implement | achieves the accounting management system based on this invention. It is a block diagram of the residential gateway apparatus which concerns on this invention. It is a block diagram of a concentrator concerning the present invention. It is an operation | movement sequence of the 1st Embodiment of this invention. It is an operation | movement sequence of the 2nd Embodiment of this invention. This is a conventional system configuration for performing PPPoE authentication with BRAS.

Explanation of symbols

101 ... L3SW
102: DHCP server 103: Monitoring server (SNMP manager)
104 ... RADIUS server 105 ... automatic setting server 106,107,108 ... aggregation switch (aggregation SW)
109 ... Concentrator (OLT)
110 ... Telephone (for IP phone)
111 ... Concentrator (DSLAM)
112, 113, 114, 115, 116 ... line termination devices 117, 118, 119 ... home gateway monitoring devices 120, 122, 607 ... PC
201, 301 ... switch means 202 ... communication amount measuring means 203 ... notification means 204 ... authentication request means 205 ... connection port (network side)
206, 207, 208, 209... Connection port (terminal side)
210 ... keep alive response means 302 ... cutting means 303 ... keep alive means 601 ... BRAS
608 ... Broadband router 609 ... VoIP adapter

Claims (6)

In a home gateway device connected to a network system having a management server for managing the communication amount for each terminal,
Switch means;
Measuring means for measuring a communication amount of a terminal connected to the switch means;
An in-home gateway device, comprising: notification means for notifying the management server of a communication amount measured by the measurement means. In the in-home gateway device according to claim 1,
The in-home gateway device characterized in that the notifying means notifies the management server of the communication amount at a predetermined time interval. In the residential gateway device according to claim 1 or 2,
An in-home gateway device comprising authentication request means for performing IEEE 802.1x authentication by a supplicant. In the accounting management method of a network system comprising the residential gateway device according to any one of claims 1 to 3 and comprising a management server that manages a communication amount for each terminal,
Network system accounting characterized by comprising a line concentrator having keep alive means for periodically checking EAPoL (Extended Authentication Protocol over LAN) and confirming the session state, and IEEE 802.1x authentication authentication means Management method. In the accounting management system of the network system according to claim 4,
A disconnecting means for disconnecting a session with the in-home gateway device is provided in the line concentrator,
An accounting management method for a network system, wherein the concentrator disconnects a session by the disconnecting means when there is no response to the EAPoL that is periodically transmitted. In the accounting management system of the network system according to claim 5,
Providing re-authentication request means for requesting re-authentication to the home gateway device;
An accounting management method for a network system, wherein when the concentrator disconnects a session with the in-home gateway device, the in-home gateway device requests re-authentication to the concentrator by the re-authentication request means.

Images