JP2007243655A - Vpn management device, program and vpn management method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a VPN management device, a program, and a VPN management method for appropriately managing whether or not VPN connection is permitted between a given terminal and the other terminal on the basis of a connection relation between the terminals. <P>SOLUTION: The VPN management device has: a terminal management information storage means for storing terminal management information on a router to which the terminals are connected; a connection relation storage means for storing connection relation information to which terminal a terminal is VPN-connected; a position relation storage means for storing position relation information on the connection relation between routers; a VPN disconnection request signal receiving means for receiving a VPN disconnection request signal for requiring the disconnection of the VPN connection from the given terminal to the other terminal; and a VPN connection releasing means for releasing the VPN connection between the router to which the other terminal is connected and each router to which the router is connected on the basis of terminal management information, the connection relation information, and the position relation information when the VPN disconnection request signal is received. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a VPN management device, a program, and a VPN management method, and more particularly to a VPN management device, a program, and a VPN management method for performing communication between a plurality of terminals via a network.

  The communication path on the Internet goes through various points, and there is a risk that the contents of communication will be wiretapped by a third party. As a technique for preventing eavesdropping, there is conventionally a VPN (Virtual Private Network) technique for constructing a virtual private network by encrypting a communication path. In order to construct a VPN, complicated device settings are required, and it is generally difficult to easily realize multipoint VPN connection. As a prior art for easily realizing VPN, those described in Patent Document 1 and Non-Patent Document 1 are known.

Patent Document 1 discloses a technique for solving the complexity of VPN construction between multiple points by transferring a received packet by a relay node. Non-Patent Document 1 discloses a technique for solving the complexity of device setting between two points by easily constructing a VPN between any two points.
JP 2004-153366 A An on-demand VPN system using two-tier PKI, Information Processing Society of Japan paper vol. 46, no. 5, May 2005

  However, the techniques described in Patent Document 1 and Non-Patent Document 1 cause problems when an invitation type multi-point VPN connection is configured. Here, the invitation type multi-point VPN connection is to establish a VPN group by opening a VPN, and from the VPN connection source terminal, the VPN connection destination terminal is given authority to connect to the VPN group. By expanding the VPN connection relationship so that connection to the VPN group can be permitted even in the terminal of, it is possible to establish a state where all the base stations can communicate with each other.

  For example, the case where the technique of patent document 1 and nonpatent literature 1 is applied to a medical field is demonstrated. Here, when doctor A needs to ask for a patient's diagnosis from other doctors (Doctor B, Doctor C, Doctor D), these doctors are connected to the VPN he uses. A description will be given of a case where processing is performed based on the following procedures (1) to (6).

(1) Doctor A diagnosed the patient.
(2) Since the patient had symptoms that could not be judged by Dr. A alone, in order to ask Dr. B at another hospital for cooperation, a VPN was established, and the VPN group to which Dr. A and Dr. B belonged was established. Configured.
(3) Dr. A asked Dr. B to view data related to the patient's symptoms through the VPN and talked about the expertise related to the symptoms.
(4) Doctor B's decision was that “Doctor B and Doctor C in another hospital should discuss and diagnose”.
(5) Therefore, Dr. B invites Dr. C to the VPN group for the contents currently being discussed by the VPN, so that Dr. C is connected to the VPN, and doctors A, B, C The three people discussed and diagnosed.
(6) In addition, Dr. C received an indication that “I know Dr. D from a university hospital who has been in charge of surgery for a similar symptom. Therefore, through Dr. C, Dr. D from the university hospital was invited to the VPN group, and Dr. D was connected to the VPN.
As a result, doctors A, B, C, and D belong to the VPN group.

  FIG. 17 shows the VPN connection configuration of doctor A, doctor B, doctor C, and doctor D after the procedures (1) to (6) as described above. Arrows D1 to D3 in FIG. 17 indicate the direction of invitation to the VPN group. That is, Doctor A permits Doctor B to connect to VPN (arrow D1), Doctor B permits VPN connection to Doctor C (arrow D2), and Doctor C provides VPN to Doctor D. Is permitted (arrow D3).

When a VPN connection as shown in FIG. 17 is performed, a charge is made to the original terminal (Doctor A in FIG. 17) according to the time and the number of terminals constituting the VPN group formed thereby. There is a case. In this case, communication between the doctor A and the doctor B, which is the section where the VPN is established, between the doctor B and the doctor C, and between the doctor C and the doctor D is charged.
When the discussion between the doctors A and D is completed and the communication of contents that can only be disclosed to the doctor A to the doctor B is performed, as shown in FIG. 18, the doctor D who is permitted to connect to the VPN from the doctor C and the doctor C Must be separated from the VPN group.
However, even if the VPN connection established between Dr. B and Dr. C is disconnected, the VPN connection remains between Dr. C and Dr. D, and charging for Dr. A continues. There is a problem of becoming. Further, there is a problem that even a terminal that has lost the authority to connect to the VPN continues to be able to connect to the VPN.

  The present invention has been made in view of the above circumstances, and its purpose is to appropriately determine whether or not to permit VPN connection between a predetermined terminal and another terminal based on the connection relationship between the terminals. An object of the present invention is to provide a VPN management apparatus, a program, and a VPN management method that can be managed.

  The present invention has been made to solve the above problems, and the invention according to claim 1 is a VPN management apparatus for managing VPN connections between a plurality of terminals, wherein the routers are connected to the terminals. Terminal management information storage means for storing terminal management information on the connection, connection relation storage means for storing connection relation information on which terminal the VPN connection is made to, and a position of the connection relation between the routers When receiving the VPN disconnection request signal, the positional relationship storage means for storing the relationship information, the VPN disconnection request signal receiving means for receiving the VPN disconnection request signal for requesting disconnection of the VPN connection from the predetermined terminal to the other terminal, and the VPN disconnection request signal In addition, based on the terminal management information, the connection relation information, and the positional relation information, the router to which the other terminal is connected and the router connected to the router A VPN management apparatus characterized by having a VPN disconnection means for disconnecting the VPN connection with the router.

  The invention according to claim 2 further includes a VPN connection request signal receiving means for receiving a VPN connection request signal for requesting a VPN connection from a predetermined terminal to another terminal, the terminal management information storage means, When the VPN connection request signal receiving means receives a VPN connection request signal, the connection relation storage means and the positional relation storage means turn the terminal management information, the connection relation information, and the positional relation information into information indicating connection. The VPN management device according to claim 1, wherein each of the VPN management devices is updated.

  Further, the invention according to claim 3 further comprises distribution means for distributing the terminal management information, the connection relation information, and the positional relation information to the router. It is a VPN management apparatus of description.

  Further, in the invention according to claim 4, the VPN connection disconnection means connects the router to which the other terminal is connected and the router by applying a Warshall algorithm to the positional relationship information. The VPN management device according to any one of items 1 to 3, further comprising a determination unit that determines whether or not to disconnect the VPN connection with each router.

  The invention according to claim 5 is the first step of storing terminal management information for a router to which a terminal is connected, and connection relation information about which terminal the VPN connection is made to. A second step of storing, a third step of storing positional relationship information about the connection relationship between the routers, and a VPN disconnection request signal for requesting disconnection of a VPN connection from another terminal to another terminal When the fourth step and the VPN disconnection request signal are received, based on the terminal management information, the connection relation information, and the positional relation information, the router to which the other terminal is connected and the router And a fifth step of disconnecting the VPN connection with each connected router.

  The invention described in claim 6 is a VPN management method for managing VPN connection between a plurality of terminals, comprising: a terminal management information storage process for storing terminal management information for a router to which the terminals are connected; A connection relation storing process for storing connection relation information on which terminal the VPN connection is made to, a position relation storing process for storing position relation information on the connection relation between the routers, and a predetermined terminal A VPN disconnection request signal receiving process for receiving a VPN disconnection request signal for requesting disconnection of a VPN connection from another terminal to the other terminal, and when receiving the VPN disconnection request signal, the terminal management information, the connection relation information, and the location Based on the relationship information, the VPN connection disconnection that disconnects the VPN connection between the router to which the other terminal is connected and each router connected to the router. A VPN management method characterized by comprising the steps, a.

In the present invention, the connection relation information about the connection source terminal and the connection destination terminal of the VPN is stored in the connection relation storage means, and the positional relation information about the connection relation between the routers to which each terminal is connected is stored in the positional relation storage means. And determining whether or not a predetermined terminal can establish a VPN connection with another terminal based on the connection relation information and the positional relation information by the first determination means, and by the first determination means When it is determined that connection is possible, a predetermined terminal and another terminal are VPN-connected by the control means.
Thereby, since the state of the VPN connection can be managed based on the connection relation information and the position relation information, the VPN connection between each terminal can be appropriately connected or disconnected, Whether or not to permit VPN connection with the terminal can be appropriately managed based on the connection relationship between the terminals.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
In the VPN management system according to the embodiment of the present invention, the configuration of the VPN connection between multiple points is changed by performing the following processes (1-1) to (1-3).
(1-1) The VPN connection relationship and the router positional relationship are stored in a management server that manages the VPN connection state as a matrix.
(1-2) When there is a change in the VPN connection relationship, the Warshall algorithm is applied and VPN configuration information is generated by the management server.
(1-3) At the time of VPN configuration between multiple points, VPN configuration information is distributed from the management server.

In the VPN management system according to the embodiment of the present invention, the following conditions (2-1) to (2-4) are assumed.
(2-1) A VPN connection is established between routers.
(2-2) A VPN connection cannot be made redundantly to a terminal that has made a VPN connection once.
(2-3) If there is a terminal already connected by VPN under the router, other terminals under the router cannot be VPN-connected.
(2-4) No closed circuit is formed by VPN.

  Here, the VPN configuration information is information about which terminal communicates with the VPN and to which terminal the transmission is made. As VPN configuration information, for example, (3-1) interface (where VPN connection is made), (3-2) connection source terminal, (3-3) connection source router, (3-4) connectable router (3-5) Connectable terminals.

FIG. 1 is a conceptual diagram of a VPN management system according to an embodiment of the present invention. This VPN management system includes routers A, B, C, D, and E, and terminals a1, a2, b1, b2, c1, c2, d1, and e1.
The routers A, B, C, D, and E establish a VPN connection between arbitrary routers and disconnect the VPN connection between routers. Here, VPN connections V1, V2, V3, and V4 are established between routers A and B, between routers B and C, between routers C and D, and between routers B and E.
Terminals a1 and a2, terminals b1 and b2, terminals c1 and c2, terminal d1, and terminal e1 are connected to routers A, B, C, D, and E via physical connections P1 to P8, respectively.
Here, the directions from the VPN connection source to the VPN connection destination are the direction F1 from the terminal a1 to the terminal b1, the direction F2 from the terminal b1 to the terminal c1, the direction F3 from the terminal c1 to the terminal d1, and the direction F3 from the terminal b1 to the terminal e1. The direction is F4.

Next, the point of “(1-1) storing the VPN connection relationship and the router positional relationship as a matrix in the management server that manages the VPN connection state” will be described.
In order to generate the VPN configuration information, two matrices (neighboring router matrix and connection matrix) described below and one table (terminal management table) are required.

FIG. 2A is a diagram showing an example of the adjacent router matrix Y according to the embodiment of the present invention. The adjacent router matrix is a matrix for managing a VPN established between any two routers. For a set of routers in which a VPN is established, the corresponding matrix element is set to 1, and the VPN is For a set of routers that are not established, the corresponding matrix element is 0.
FIG. 2A shows the positional relationship between the routers A, B, C, D, and E in FIG. 1 as an adjacent router matrix. That is, when the matrix element in the i-th row and j-th column is represented as (i, j), (i, j) = (1, 2), (2, 1), (2, 3), (2, 5 ), (3, 2), (3,4), (4, 3), (5, 2) matrix elements are 1 and other matrix elements are 0 elements.

  FIG. 2B is a diagram illustrating an example of the connection matrix X according to the embodiment of the present invention. The connection matrix is a matrix for managing the connection relationship between any two terminals belonging to a VPN-connected group between multiple points. The matrix element corresponding to the connection destination from the connection source of VPN connection is 1. Other matrix elements are set to 0. FIG. 2B represents the connection relationship of the terminals a1, b1, c1, d1, and e1 in FIG. That is, the matrix elements (i, j) = (1,2), (2,3), (2,5), (3,4) are 1 and the other matrix elements are 0. Yes.

  FIG. 2C is a diagram showing an example of the terminal management table Z according to the embodiment of the present invention. The terminal management table is a table for managing the correspondence between a terminal and the VPN router to which it belongs. FIG. 2C shows to which router the terminals constituting the VPN of FIG. 1 belong. That is, the terminals a1, b1, c1, d1, and e1 belong to the routers A, B, C, D, and E, respectively.

Next, a description will be given of “(1-2) When the VPN connection relationship changes, the Warshall algorithm is applied and VPN configuration information is generated by the management server”.
By applying the Warshall algorithm for determining whether or not to reach a vertex from a certain vertex to an adjacent router matrix, it is possible to obtain a router or terminal that can be connected from a certain router, and to generate VPN configuration information. .

Here, the Warshall algorithm refers to the following algorithm.

  Next, “(1-3) VPN configuration information is distributed from the management server at the time of VPN configuration between multiple points” described above is described above. This can be realized by using the technique.

FIG. 3 is a configuration diagram of a VPN management system according to an embodiment of the present invention. Here, a case where the VPN management system includes a management server S, routers A, B, C, and D, terminals a1, b1, c1, and d1 will be described.
The management server S is connected to the network N1 and controls whether or not to make a VPN connection between the terminals a1, b1, c1, and d1 connected to the routers A, B, C, and D, respectively.
Routers A, B, C, and D are all connected to the network N1. Routers A, B, C, and D are connected to networks N2, N3, N4, and N5, respectively. When a router receives a VPN connection request signal or a VPN disconnection request signal from a terminal under its own router, the router establishes a VPN connection between that terminal and a terminal under the control of another router.
Terminals a1, b1, c1, and d1 are devices such as a PC (Personal Computer) used by a user, and are connected to networks N2, N3, N4, and N5, respectively. The terminal transmits a VPN connection request signal for requesting VPN connection with another terminal and a VPN disconnection request signal for requesting disconnection of the VPN connection with another terminal to the router.

FIG. 4A is a diagram showing an example of the configuration of the management server S (FIG. 3) according to the embodiment of the present invention. The management server S includes a connection / disconnection request reception unit 10, a VPN configuration information generation unit 11, a VPN configuration information distribution unit 12, a positional relationship DB (Data Base) · 13, a connection relationship DB · 14, and a subordinate terminal DB · 15. .
The connection / disconnection request receiving unit 10 receives a VPN connection request signal and a VPN disconnection request signal from the terminal via the router. The VPN configuration information generation unit 11 generates VPN connection information such as an adjacent router matrix, a connection matrix, and a terminal management table based on a VPN connection request signal or a VPN disconnection request signal transmitted from the terminal via the router. The VPN configuration information distribution unit 12 transmits the VPN configuration information generated by the VPN configuration information generation unit 11 to the router.
The positional relationship DB 13 stores the adjacent router matrix described with reference to FIG. The connection relation DB 14 stores the connection matrix described in FIG. The subordinate terminal DB 15 stores the terminal management table described in FIG.

FIG. 4B is a diagram showing an example of the configuration of the router A (FIG. 1) according to the embodiment of the present invention. The router A includes a VPN configuration information receiving unit 20 and a VPN configuration processing unit 21. Since the configurations of the routers B, C, and D are the same as the configuration of the router A, the description thereof is omitted.
The VPN configuration information receiving unit 20 receives VPN configuration information from the management server S. The VPN configuration processing unit 21 receives VPN configuration information from the management server S, and controls establishment or disconnection of a VPN connection between routers based on the VPN configuration information.

FIG.4 (c) is a figure which shows an example of a structure of the terminal a1 (FIG. 3) by embodiment of this invention. The terminal a1 includes a connection / disconnection request unit 30. Note that the configurations of the terminals b1, c1, and d1 are the same as the configuration of the terminal a1, and thus the description thereof is omitted.
The connection / disconnection request unit 30 transmits a VPN connection request signal or a VPN disconnection request signal to the management server S via the router based on an operation of the user of the terminal a1.

  FIG. 5 is a sequence diagram showing an example of processing of the VPN management system according to the embodiment of the present invention. In FIG. 5, first, VPN connection is performed by transmitting a VPN connection request signal from router A to router B (steps S001 to S005). Next, a VPN connection request signal is transmitted from router B to router C. Is transmitted (steps S006 to S012), and finally the VPN connection between the router A and the router B is disconnected (steps S013 to S021).

First, a VPN connection request signal from the terminal a1 to the terminal b1 is transmitted from the terminal a1 to the management server S via the router A (step S001).
The management server S performs a connection relationship construction process between the router A and the router B (step S002). This connection relationship construction process will be described later with reference to FIG.
The management server S performs VPN configuration information generation processing between the router A and the router B (step S003). The VPN configuration information generation process will be described later with reference to FIG.
The management server S transmits the VPN configuration information generated in step S003 to the router A (step S004).
In addition, the management server S transmits the VPN configuration information generated in step S003 to the router B (step S005).

Next, a VPN connection request signal from the terminal b1 to the terminal c1 is transmitted from the terminal b1 to the management server S via the router B (step S006).
The management server S performs a connection relationship construction process between the router B and the router C (step S007).
The management server S performs VPN configuration information generation processing between the router B and the router C. Further, the management server S, based on the generated VPN configuration information between the router B and the router C, and the VPN configuration information between the router A and the router B generated in step S003, VPN configuration information is generated (step S008).
The management server S transmits the VPN configuration information between the router B and the router C generated in step S008 to the router B (step S009).
Also, the management server S transmits the VPN configuration information between the router B and the router C generated in step S008 to the router C (step S010).
Then, the management server S transmits the VPN configuration information between the router A and the router C generated in step S008 to the router B (step S011).
Also, the management server S transmits the VPN configuration information between the router A and the router C generated in step S008 to the router C (step S012).

Next, a VPN disconnection request signal from the terminal a1 to the terminal b1 is transmitted from the terminal a1 to the management server S via the router A (step S013).
The management server S performs a VPN connection relationship disconnection process between the router A and the router B (step S014). This VPN connection disconnection process will be described later with reference to FIG.
The management server S performs VPN configuration information generation processing between the router A and the router B (step S015).
The management server S transmits the VPN configuration information generated in step S015 to the router A (step S016).
Also, the management server S transmits the VPN configuration information generated in step S015 to the router B (step S017).
The management server S transmits the VPN configuration information between the router B and the router C generated in step S015 to the router B (step S018).
In addition, the management server S transmits the VPN configuration information between the router B and the router C generated in step S015 to the router C (step S019).
Then, the management server S transmits the VPN configuration information between the router A and the router C generated in step S015 to the router B (step S020).
The management server S transmits the VPN configuration information between the router A and the router C generated in step S015 to the router C (step S021).

FIG. 6 is a flowchart showing an example of the VPN connection relationship construction process (steps S002 and S007 in FIG. 5). This VPN connection relation construction process is performed by the VPN configuration information generation unit 11 of the management server S.
First, a connection matrix stored in the connection relation DB 14 is updated by adding a terminal for constructing a VPN to the connection matrix (step S101).
Then, by adding the router to which the added terminal belongs to the adjacent router matrix (step S102), the adjacent router matrix stored in the positional relationship DB 13 is updated.
And the terminal management table memorize | stored in subordinate terminal DB * 15 is updated by adding the terminal which construct | assembles VPN to a terminal management table (step S103).

FIG. 7 is a flowchart showing an example of the VPN configuration information generation process (steps S003, S008, and S015 in FIG. 5). This VPN configuration information generation process is performed by the VPN configuration information generation unit 11 of the management server S.
First, one router that has not generated VPN configuration information is selected (step S201).
Next, one router adjacent to the router selected in step S201 is selected based on the adjacent router matrix stored in the positional relationship DB 13 (step S202).
Then, for the VPN connection established between the router selected in step S201 and the router selected in step S202, a terminal connectable from the router selected in step S201 is obtained based on the Warshall algorithm. (Step S203).
Then, a terminal belonging to the router selected in step S201 is obtained (step S204).
Then, VPN configuration information in the router selected in step S201 is generated for the terminal connectable from the router selected in step S202 (step S205). This VPN configuration information is generated for each router and includes information such as an interface (VPN path), a connection source terminal, a connection source router, a connectable router, and a connectable terminal.
Then, it is determined whether there is any neighboring router remaining in the router in step S201 (step S206). If there is a neighboring router remaining in the router in step S201, it is determined as “N” in step S206, and the process proceeds to step S202. On the other hand, if there is no remaining neighboring router in the router in step S201, “Y” is determined in step S206, and the process proceeds to step S207.
Then, it is determined whether VPN configuration information has been generated for all routers (step S207). If VPN configuration information has not been generated for all routers, it is determined as “N” in step S207, and the process proceeds to step S201. On the other hand, if VPN configuration information has been generated for all routers, “Y” is determined in step S207, and the processing according to the flowchart of FIG. 7 ends.

FIG. 8 is a flowchart showing an example of the VPN connection relationship disconnection process (step S014 in FIG. 5). The VPN connection relationship disconnection process is performed by the VPN configuration information generation unit 11 of the management server S.
First, by disconnecting the VPN, a terminal (remaining connected terminal) that can be connected to the VPN from the original terminal (here, the terminal a1) that is the starting point of the VPN connection is obtained based on the Warshall algorithm (step S301). .
Then, terminals other than the remaining connected terminals are deleted from the terminal management table. At this time, the router having no terminals is also deleted (step S302), and the terminal management table stored in the subordinate terminal DB 15 is updated.
Then, the connection matrix is reconstructed at the remaining connection terminals (step S303), and the connection matrix stored in the connection relation DB 14 is updated.
Then, the adjacent router matrix is reconstructed by the router to which the remaining connected terminal belongs (step S304), and the adjacent router matrix stored in the positional relationship DB 13 is updated.

Next, an example of a specific operation of the VPN management system according to the embodiment of the present invention will be described. Here, as shown in FIG. 9, a case where a router and a terminal are arranged in the same manner as in FIG. 1 will be described. In FIG. 9, the management server S is not shown.
The VPN management system disconnects the VPN connection by performing the following processes (4-1) to (4-5).

(4-1) By establishing the VPN connection V1 between the router A and the router B, the VPN connection from the terminal a1 to the terminal b1 is performed.
(4-2) The VPN connection from the terminal b1 to the terminal c1 is established by establishing the VPN connection V2 between the router B and the router C.
(4-3) By establishing the VPN connection V3 between the router C and the router D, the VPN connection from the terminal c1 to the terminal d1 is performed.
(4-4) By establishing the VPN connection V4 between the router B and the router E, the VPN connection from the terminal b1 to the terminal e1 is performed.
(4-5) By disconnecting the VPN connection V4 between the router B and the router C, the VPN connection from the terminal b1 to the terminal c1 is disconnected.

FIGS. 10A and 10B show the above-mentioned “(4-1) VPN connection from the terminal a1 to the terminal b1 by establishing the VPN connection V1 between the router A and the router B”. It is a figure for demonstrating a process.
As shown in FIGS. 10A and 10B, the terminal a1 that is the VPN connection source sends a VPN connection request signal to the terminal b1 that is the VPN connection destination via the routers A and B. Send. The management server S generates a connection matrix X01, an adjacent router matrix Y01, and a terminal management table Z01 shown in FIG. 10B, and stores them in the connection relation DB 14, the positional relation DB 13, and the subordinate terminal DB 15, respectively. To do.
Here, since the VPN connection request signal is transmitted from the terminal a1 to the terminal b1, the matrix element (i, j) = (1, 2) of the connection matrix X01 is 1.
Further, since the VPN connection V1 is established between the router A under the control of the terminal a1 and the router B under the control of the terminal b1, (i, j) = (1,2,2) in the adjacent router matrix Y01. The matrix element of (2, 1) is 1.
Further, since the terminal a1 is under the router A and the terminal b1 is under the router B, a table such as the terminal management table Z01 is generated.

FIG. 11A and FIG. 11B show the above-mentioned “(4-2) VPN connection from the terminal b1 to the terminal c1 by establishing the VPN connection V2 between the router B and the router C”. It is a figure for demonstrating a process.
As shown in FIG. 11A and FIG. 11B, the terminal b1 that is the VPN connection source sends a VPN connection request signal to the terminal c1 that is the VPN connection destination via the routers B and C. Send. The management server S generates a connection matrix X02, an adjacent router matrix Y02, and a terminal management table Z02 shown in FIG. 11B and stores them in the connection relation DB 14, the position relation DB 13, and the subordinate terminal DB 15, respectively. To do.
Here, since the VPN connection request signal is transmitted from the terminal b1 to the terminal c1, the connection matrix of (4-1) in which the matrix component of (i, j) = (1,2) is 1. In addition to X01, the matrix element of (i, j) = (2,3) of the connection matrix X02 is 1.
Since the VPN connection V2 is established between the router B under the control of the terminal b1 and the router C under the control of the terminal c1, (i, j) = (1,2), (2,1) In addition to the (4-1) adjacent router matrix Y01 whose matrix component is 1, the matrix elements (i, j) = (2, 3) and (3, 2) of the adjacent router matrix Y02 are 1. It has become.
Since the terminal c1 is under the control of the router C, a table like the terminal management table Z02 is generated for the terminal management table Z01.

12 (a) and 12 (b) show the above-mentioned "(4-3) VPN connection from the terminal c1 to the terminal d1 by establishing the VPN connection V3 between the router C and the router D". It is a figure for demonstrating a process.
As shown in FIGS. 12A and 12B, the terminal c1 as the VPN connection source sends a VPN connection request signal to the terminal d1 as the VPN connection destination via the routers C and D. Send. The management server S generates the connection matrix X03, the adjacent router matrix Y03, and the terminal management table Z03 shown in FIG. 12B, and stores them in the connection relation DB 14, the positional relation DB 13, and the subordinate terminal DB 15, respectively. To do.
Here, since the VPN connection request signal is transmitted from the terminal c1 to the terminal d1, the matrix components of (i, j) = (1,2), (2,3) are 1 (4 In addition to the connection matrix X02 of -2), the matrix element of (i, j) = (3,4) of the connection matrix X03 is 1.
Since the VPN connection V3 is established between the router C under the control of the terminal c1 and the router D under the control of the terminal d1, (i, j) = (1,2), (2,1) , (2, 3), (3, 2) in addition to the adjacent router matrix Y02 of (4-2) in which the matrix component is 1, (i, j) = (3,4) of the adjacent router matrix Y03 , (4, 3) matrix element is 1.
Since the terminal d1 is under the control of the router D, a table like the terminal management table Z03 is generated for the terminal management table Z02.

FIGS. 13A and 13B show the above-mentioned “(4-4) VPN connection from the terminal b1 to the terminal e1 by establishing the VPN connection V4 between the router B and the router E”. It is a figure for demonstrating a process.
As shown in FIGS. 13A and 13B, the terminal b1 as the VPN connection source sends a VPN connection request signal to the terminal e1 as the VPN connection destination via the routers B and E. Send. The management server S generates a connection matrix X04, an adjacent router matrix Y04, and a terminal management table Z04 shown in FIG. 13B and stores them in the connection relation DB 14, the positional relation DB 13, and the subordinate terminal DB 15, respectively. To do.
Here, since the VPN connection request signal is transmitted from the terminal b1 to the terminal e1, the matrix components of (i, j) = (1,2), (2,3), (3,4) are In addition to the connection matrix X03 of (4-3) that is 1, the matrix element of (i, j) = (2, 5) of the connection matrix X04 is 1.
Further, since the VPN connection V4 is established between the router B under the control of the terminal b1 and the router E under the control of the terminal e1, (i, j) = (1,2), (2,1) , (2, 3), (3, 2), (3, 4), (4, 3) in addition to the adjacent router matrix Y03 of (4-3) in which the matrix component is 1, The matrix elements of (i, j) = (2,5), (5,2) are 1.
Further, since the terminal e1 is under the router E, a table like the terminal management table Z04 is generated for the terminal management table Z03.

  By performing the above-described processes (4-1) to (4-4), a VPN connection as shown in FIG. 14 is established. That is, VPN connections V1, V2, V3, and V4 are established between router A and router B, between router B and router C, between router C and router D, and between router B and router E, respectively.

  When the management server S receives a VPN disconnection request signal between the terminal b1 and the terminal c1 from the terminal b1 via the router B, it means that a VPN connection is established from the terminal b1 to the terminal c1. , 1 of the matrix component (i, j) = (2, 3) of the connection matrix X04 is set to 0. As a result, the following connection matrix X05 is obtained.

  The Warshall algorithm described above is applied to this connection matrix X05. As a result, the following connection matrix X06 is obtained.

Then, in the connection matrix X06, a connectable terminal is obtained from the terminal (here, the terminal a1) that is the starting point of the VPN connection. That is, in the connection matrix X06, the matrix component in the i = 1st row indicating the terminal a1 that is the starting point of the VPN connection is 1 (i, j) = (1,2), (1,5 ) These (i, j) = (1, 2) and (1, 5) indicate the terminals b1 and e1.
The remaining connection terminal T is obtained by adding the terminal a1 which is the starting point of the connection to the terminals b1 and e1. The remaining connection terminal T is as follows.

  And the terminal which does not belong to said remaining connection terminal T is deleted from the terminal management table Z04. Here, the terminals c1 and d1 that do not belong to the remaining connected terminal T are deleted from the terminal management table Z04, and the following terminal management table Z05 is generated.

  Based on the terminal management table Z05, a router under which a terminal belonging to the remaining connection terminal T is subordinate is obtained. Thereby, the router set R to which the remaining connected terminals belong is obtained. The router set R to which the remaining connected terminal belongs is expressed as follows.

  Based on the router set R, the neighboring router matrix is regenerated. Specifically, rows and columns corresponding to routers not belonging to the router set R are deleted from the adjacent router matrix Y04 (see FIG. 13B). As a result, the following adjacent router matrix Y05 is generated.

The Warshall algorithm is repeatedly applied to the above adjacent router matrix Y05 to obtain a set of terminals that can be connected from each interface of each router. Specifically, the following processing is executed.
For example, in order to obtain a set of terminals that can be connected from the interface between the terminal b1 and the terminal a1, the router B in which the terminal b1 is subordinate to the router A in which the terminal b1 is subordinate to the subordinate router matrix Y05 described above. And (i, j) = (1,2), (2,1) matrix components indicating whether or not are VPN-connected. As a result, the following adjacent router matrix Y06 is generated from the adjacent router matrix Y05.

  Then, the Warshall algorithm is applied to the adjacent router matrix Y06. As a result, the following adjacent router matrix Y07 is generated.

In the adjacent router matrix Y07, the router (here, router A) corresponding to the column (here, the first column) which is 0 among the matrix components in the second row indicating the router B is It becomes a connectable router. That is, it can be seen that the router that can be connected from the interface from the router B to the router A is the router A. Furthermore, based on the terminal management table Z05, it can be seen that the terminals under the routers B and A are the terminals b1 and a1, respectively.
Therefore, the following VPN configuration information may be generated for the interface (B → A) from the router B to the router A.

  At this time, a router that can be connected by an interface (A → B) from the router A to the router B in the router A can also be obtained. That is, when the neighboring router matrix Y08 before the application of the Warshall algorithm is expressed as follows,

  The neighboring router matrix Y09 after application of the Warshall algorithm can be obtained as follows.

In the above adjacent router matrix Y09, in the first row meaning the terminal A, the row corresponding to the column whose matrix element is 0 is a router connectable from the router A. That is, it can be seen that the routers that can be connected from the interface of the terminal a1 to the terminal b1 are the routers B and E.
As described above, by repeatedly applying the Warshall algorithm, the VPN configuration information between the routers B and C is deleted, and the VPN configuration information between the routers C and D is deleted.

FIG. 15A and FIG. 15B show “(4-5) disconnecting the VPN connection from the terminal b1 to the terminal c1 by disconnecting the VPN connection V2 between the router B and the router C”. It is a figure for demonstrating a process.
As shown in FIGS. 15A and 15B, the terminal b1 as the VPN connection source sends a VPN disconnection request signal to the terminal c1 as the VPN connection destination via the routers B and C. Send. The management server S generates a connection matrix X10, an adjacent router matrix Y05, and a terminal management table Z05 shown in FIG. 15B and stores them in the connection relation DB 14, the positional relation DB 13, and the subordinate terminal DB 15, respectively. To do.
Here, since the VPN disconnection request signal is transmitted from the terminal b1 to the terminal c1, the matrix elements (i, j) = (1, 2), (2, 3) are set to 1, and the others The matrix element of is set to 0.
By performing the above-described processes (4-1) to (4-5), a VPN connection as shown in FIG. 16 is established. That is, VPN connections V1 and V4 are established between the router A and the router B and between the router B and the router E, respectively.

  In the conventional technology, in a VPN connection at a multipoint, simply deleting the VPN configuration information about the VPN connection between two points belonging to the VPN group, between the terminals in which the connection relationship in the VPN group is deleted However, there is a possibility that the state in which VPN connection is possible may be maintained, but if the VPN management system according to the embodiment of the present invention is used, a router or a terminal that has a VPN connection relationship remains. By regenerating the VPN configuration information, it is possible to disconnect from the VPN connection except for routers and terminals that maintain the VPN connection.

  In the embodiment described above, the connection / disconnection request reception unit 10, the VPN configuration information generation unit 11, the VPN configuration information distribution unit 12, the VPN configuration information reception unit 20 in FIGS. 4 (a) to 4 (c), The function of the VPN configuration processing unit 21 and the connection / disconnection request unit 30 or a program for realizing a part of these functions is recorded on a computer-readable recording medium, and the program recorded on the recording medium is stored in a computer system. The VPN management system may be controlled by being read and executed. The “computer system” here includes an OS and hardware such as peripheral devices.

  The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” dynamically holds a program for a short time, like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, it is also assumed that a server that holds a program for a certain time, such as a volatile memory inside a computer system that serves as a server or client. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes designs and the like that do not depart from the gist of the present invention.

It is a conceptual diagram of the VPN management system by embodiment of this invention. It is a figure which shows an example of the adjacent router matrix by embodiment of this invention. It is a block diagram of the VPN management system by embodiment of this invention. It is a figure which shows an example of a structure of management server S (FIG. 3) by embodiment of this invention. It is a sequence diagram which shows an example of a process of the VPN management system by embodiment of this invention. It is a flowchart which shows an example of a connection relationship construction process (step S002 of FIG. 5, S007). 6 is a flowchart illustrating an example of VPN configuration information generation processing (steps S003, S008, and S015 in FIG. 5). It is a flowchart which shows an example of a VPN connection relation cutting | disconnection process (step S014 of FIG. 5). It is a figure for demonstrating an example of the specific operation | movement of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement (4-1) of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement (4-2) of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement (4-3) of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement (4-4) of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement (4-5) of the VPN management system by embodiment of this invention. It is a figure for demonstrating an example of the specific operation | movement of the VPN management system by embodiment of this invention. It is a figure for demonstrating the VPN connection by a prior art. It is a figure for demonstrating the VPN connection by a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Connection / disconnection request reception part, 11 ... VPN structure information generation part, 12 ... VPN structure information delivery part, 13 ... Position relation DB, 14 ... Connection relation DB, 15 ... Subordinate terminal DB, 20 ... VPN configuration information receiving unit, 21 ... VPN configuration processing unit, 30 ... Connection / disconnection request unit, A, B, C, D, E ... Router, a1, a2, b1, b2, c1, c2, d1, e1... terminal, S.

Claims (6)

A VPN management device that manages VPN connections between a plurality of terminals,
Terminal management information storage means for storing terminal management information about the router to which the terminal is connected;
Connection relation storage means for storing connection relation information as to which terminal is VPN-connected to;
Positional relationship storage means for storing positional relationship information about the connection relationship between the routers;
A VPN disconnection request signal receiving means for receiving a VPN disconnection request signal for requesting disconnection of a VPN connection from another terminal to another terminal;
When receiving the VPN disconnection request signal, based on the terminal management information, the connection relation information, and the positional relation information, a router to which the other terminal is connected and each router connected to the router VPN connection cutting means for cutting the VPN connection of
A VPN management device characterized by comprising: A VPN connection request signal receiving means for receiving a VPN connection request signal for requesting a VPN connection from a predetermined terminal to another terminal;
The terminal management information storage means, the connection relation storage means, and the positional relation storage means, when the VPN connection request signal receiving means receives a VPN connection request signal, the terminal management information, the connection relation information, the position The VPN management apparatus according to claim 1, wherein the relation information is updated to information indicating connection.   The VPN management apparatus according to claim 1, further comprising a distribution unit that distributes the terminal management information, the connection relation information, and the location relation information to the router.   The VPN connection disconnection unit disconnects a VPN connection between a router connected to the other terminal and each router connected to the router by applying a Warshall algorithm to the positional relationship information. The VPN management device according to any one of items 1 to 3, further comprising: a determination unit that determines whether or not. A first step of storing terminal management information for a router to which the terminal is connected;
A second step of storing connection relation information as to which terminal is VPN-connected to the terminal;
A third step of storing positional relationship information regarding connection relationships between the routers;
A fourth step of receiving a VPN disconnection request signal for requesting disconnection of a VPN connection from another terminal to another terminal;
When receiving the VPN disconnection request signal, based on the terminal management information, the connection relation information, and the positional relation information, a router to which the other terminal is connected and each router connected to the router A fifth step of disconnecting the VPN connection of
A program for running. A VPN management method for managing VPN connections between a plurality of terminals,
A terminal management information storage process for storing terminal management information about a router to which the terminal is connected;
A connection relation storage process for storing connection relation information as to which terminal is VPN-connected to;
A positional relationship storage process for storing positional relationship information about the connection relationship between the routers;
A VPN disconnection request signal receiving process for receiving a VPN disconnection request signal for requesting disconnection of a VPN connection from a predetermined terminal to another terminal;
When receiving the VPN disconnection request signal, based on the terminal management information, the connection relation information, and the positional relation information, a router to which the other terminal is connected and each router connected to the router VPN connection disconnection process for disconnecting the VPN connection of
A VPN management method characterized by comprising:

Images