JP2009118267A - Communication network system, communication network control method, communication control apparatus, communication control program, service control device and service control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent the occurrence of large wasteful cost of facility investment, while securing safety by preventing misunderstanding on the part of user. <P>SOLUTION: This service control device associatively stores and manages ID-address pairs and an expiration date acquired from a communication control apparatus as ID-address management information. The service control device provides service by permitting processing, based on the content of a service request as succeeding in authentication of the user of a terminal unit which is a transmitter of the service request, when user IDs mutually match, by comparing the user IDs contained in the ID-address pairs of a record with the user ID acquired from the service request; when the record (ID-address pairs) corresponding to an IP address acquired from this service request exists in the ID-address management information; and when the service request is received from the terminal unit. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a communication network system, a communication network control method, a communication control device, a communication control program, a service control device, and a service control program.

  2. Description of the Related Art Conventionally, various technologies for authenticating a user who uses a service when providing IP telephone, electronic commerce, and other various services through a communication network system such as the Internet have been proposed.

  For example, Patent Document 1 discloses a technique for shortening a service use start time by a user and making a special calculation capability for user authentication processing unnecessary.

  This technique will be briefly described below. When the service user terminal device requests connection to the communication network system, the communication network system authenticates the terminal device and obtains an identifier (user ID) of the user. Also, the IP address (user IP address) used by the terminal device as its own address is delivered to the terminal device by IP communication through this communication network system. At this time, the communication network system manages the user ID obtained as a result of authentication and the user IP address assigned to the terminal device in association with each other (hereinafter, the associated user IP and user IP address). Is referred to as an ID-address pair).

  Further, the communication network system notifies the ID-address pair to the service providing system that provides the service. The service providing system stores the ID-address pair notified from the communication network.

  Then, the terminal device connects to the communication system using the user IP address received from the communication network system, and requests a service from the service control device through the communication network system.

  Upon receiving the service request from the terminal device, the service providing system performs simple authentication of the terminal device (authentication using the authentication result of the user of the terminal device by the communication network system). Specifically, in the service providing system, the pair of the user ID included in the service request and the IP address indicating the source of the service request matches the ID-address pair received from the communication network system and stored. Confirm whether or not to do.

  As a result of the simple authentication, when the ID-address pair matches, the service providing system considers that the service request is certainly transmitted from the user terminal device indicated by the user ID, and corresponds to the user ID ( In other words, a service (provided for this user ID) is provided to the terminal device.

JP 2007-2001 A

  However, the above-described conventional technology potentially has a problem of generating a lot of useless capital investment costs.

That is, in the above-described conventional technology, the communication network system notifies the service providing system of the ID-address pair related to the terminal device every time the terminal device is connected. Since there is not necessarily one service providing system that provides services to terminal devices through this communication network, the communication network system notifies all service providing systems that can be used by the terminal device of ID-address pairs. It is necessary to keep.

  On the other hand, when the terminal device connects to the communication network system, the service is not always received from all the service providing systems. As a result, it can be considered that many unnecessary and wasteful items are generated.

  In particular, a communication network system uses a mobile terminal device (a user carries between connection bases) by a wireless access interface (for example, Wi-Fi, WiMAX, etc.) based on IEEE 802.11, IEEE 802.16e, etc. When a network connection is provided to a device to be used, it is easily imagined that the following situation occurs.

  For example, when the connection point (so-called wireless access point, etc.) to the communication network system is dynamically changed due to the movement of the terminal device, the connection / disconnection of the terminal device to / from the communication network system is repeated. The notification of the ID-address pair from the communication network system to the service providing system is repeatedly performed each time.

  In addition, when the radio wave condition is bad due to the presence of a large number of terminal devices near the same connection point, the terminal device is repeatedly connected to and disconnected from the communication network system. The ID-address pair notification to the service providing system is repeatedly performed each time.

  Furthermore, considering the limitations and limitations of the computing capability of portable terminal devices, it is rare that multiple services are used simultaneously and in parallel on the same terminal device, and even if there are available services. Even if there are many, it is considered that only a few of them are selectively used.

  Under the circumstances as described above, since there is a high probability that a large number of ID-address pairs are notified and frequently occur, the ID-address pairs are notified to the service providing system from the communication network system. As a result, a large number of unnecessary and useless items may be generated.

  Thus, in order to cope with the occurrence of many unnecessary and useless ID-address pairs, it is necessary to provide more computer resources than originally required in the communication network system and the service providing system. Potentially has the problem of generating capital investment costs.

  In view of the above problems, a method of improving the above conventional technique as follows is also conceivable. That is, one of the improved methods is to store the ID-address pair in the communication network system, and the service providing system needs the ID-address pair (when authenticating the terminal device that is the source of the service request). This is a method of acquiring from a communication network system. Another improvement method is to temporarily store (cache) the ID-address pair once acquired from the communication network system by the service providing system, and at the stage where the ID-address pair is required, the corresponding ID- This is a method of obtaining from the communication network system when the address pair is stored and retrieved or used, or when the corresponding ID-address cannot be retrieved from the stored one.

  However, in the first improvement method, in the service in which the authentication of the terminal device by the service providing system is repeatedly generated, if the ID-address pair is acquired for each authentication, the speed of service provision is impaired. In addition, there is a problem from the viewpoint of computer resources and it is not realistic.

  The second improvement method can reduce the acquisition frequency of ID-address pairs, but the ID-address pairs cached by the service providing system are effective when the ID-address pairs are required. Therefore, there is a risk of misidentification of the terminal device.

  For example, it is assumed that a terminal device having a user ID “1001” connects to the communication network system and receives a user IP address “DD.CC.BB.AA”. When this terminal device sends a service request to the service providing system, the service providing system obtains a pair of the user ID “1001” and the user IP address “DD.CC.BB.AA” from the communication network system and authenticates it. And the pair of the user ID “1001” and the user IP address “DD.CC.BB.AA” is cached.

  Thereafter, when the terminal device is disconnected from the communication network system and another terminal device having the user ID “1009” is connected to the communication network system, the user IP address “DD.CC. BB.AA "is paid out. In this state, when the other terminal device receives a service request insisting on the user ID “1001” which is not authentic, the service providing system receives the user ID “1001” and the user IP address “DD.CC” which is still cached. .BB.AA "is used to authenticate the other terminal device, and the user of the other terminal device is misidentified as the use of the user ID" 1001 "to provide the service. Therefore, the second improvement method is not realistic as the first improvement method.

  Accordingly, the present invention has been made to solve the above-described problems of the prior art, and when authenticating a user of a terminal device that receives a service via a network, the user is prevented from misidentification and is safe. To provide a communication network system, a communication network control method, a communication control device, a communication control program, a service control device, and a service control program capable of ensuring the reliability and preventing the generation of many unnecessary capital investment costs With the goal.

  In order to solve the above-described problems and achieve the object, the present invention provides a terminal device that transmits a service request to a service control device using an IP address received from the communication control device as a transmission source address, and the terminal device A service control device that provides a service in response to a service request from the terminal, a communication that controls network connection of the terminal device and responds to a user information request from the service control device that requests information on a transmission source of the service request A communication network system including a control device and a transmission system that connects the terminal device, the communication control device, and the service control device through a network in a state where they can communicate with each other, the communication control For each IP address assigned to the terminal device, the device An address information storage unit that stores a withdrawal prohibition period indicating a period during which withdrawal is prohibited, and a terminal identifier for specifying a terminal device that is an IP address delivery destination, and authentication for issuing the IP address Stored in the user information storage means and the user information storage means for storing the terminal identifier of the terminal device that has succeeded in association with the user identifier for specifying the user of the terminal device specified by the terminal identifier. From the IP addresses stored by the address information storage means, on the condition that there is a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device in the user identifier Select one of the remaining IP addresses after excluding those that are within the withdrawal prohibition deadline, and address withdrawal required An address payout unit that pays out to the terminal device that is the source of the payout, and a new setting of the payout prohibition time limit for the IP address that is paid out to the terminal device that is the source of the payout request by the address payout unit, A payout prohibition time limit registering means for associating the newly set payout prohibition time limit with the terminal identifier of the terminal device that is the transmission source of the payout request and registering it in the address information storage means; and the address information storage means. From the stored withdrawal prohibition time limit and the terminal identifier, a withdrawal prohibition time limit and a terminal identifier corresponding to an IP address included in the user information request received from the service control device are acquired, and the user information storage means The user identification corresponding to the acquired terminal identifier among the user identifiers stored by An expiration date of the identifier address pair set within a range that does not exceed the previously obtained payout prohibition time limit and the identifier address pair consisting of the acquired user identifier and the IP address included in the user information request. User information transmission means for transmitting to the service control device as a response to the user information request, the service control device, the identifier address pair acquired from the communication control device, and the identifier address pair An identifier address pair storage unit that associates and stores an expiration date, and an identifier address pair that corresponds to an IP address that indicates a transmission source of the service request when the service request is received by the identifier address pair storage unit It is checked whether it exists in the stored identifier address pair and If it is confirmed that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored by the identifier address pair storage means, the identifier address pair further exists. Confirming means for confirming whether or not the expiration date stored in the identifier address pair storage means in association with the confirmed identifier address pair has been exceeded, and by the confirmation means, the source of the service request When it is confirmed that the identifier address pair corresponding to the IP address indicating is not present in the identifier address pair stored by the identifier address pair storage means, or the IP address indicating the transmission source of the service request Identifier address pair corresponding to the identifier address pair stored in the identifier address pair storage means. A user information request for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control apparatus when it is confirmed that the service pair exists in a state where the expiration date has been exceeded. Transmitting means; user information receiving means for receiving an identifier address pair and an expiration date of the identifier address pair from the communication control apparatus as a response to the user information request transmitted by the user information request transmitting means; and An IP address indicating the source of the service request by the user information registering means for registering the identifier address pair received by the receiving means and the validity period of the identifier address pair in the identifier address pair storage means in association with each other. An identifier address pair corresponding to the address is stored by the identifier address pair storage means. If it is confirmed that it exists in the identifier address pair that has not expired, it is included in the identifier address pair that has been confirmed to exist without exceeding the expiration date. Provide the service to the terminal device that is the source of the service request on condition that the user identifier and the user identifier included in the service request match, and indicate the source of the service request by the confirmation unit When it is confirmed that the identifier address pair corresponding to the IP address does not exist in the identifier address pair stored by the identifier address pair storage means, or corresponds to the IP address indicating the source of the service request The identifier address pair that has been registered is valid within the identifier address pair stored by the identifier address pair storage means. When it is confirmed that the service request exists in an excess state, the user identifier included in the service request and the user identifier included in the identifier address pair received from the communication control device by the user information receiving unit match. And a service providing means for providing a service to the terminal device that is the transmission source of the service request.

  Further, in the present invention, the communication control device performs authentication of the terminal device when receiving an authentication request from the terminal device, and the terminal identifier of the terminal device that has succeeded in authentication, A terminal authentication registration unit that associates a user identifier of a user of a terminal device that has succeeded in authentication and registers in the user information storage unit, and an IP that allows the transmission system to allow transmission of communication from the terminal device Filtering rule registration means for registering a filtering rule consisting of a pair of an address and a terminal identifier, and the user information storage means associates the terminal identifier registered by the terminal authentication registration means with the user identifier. Storing, and the terminal device transmits an authentication request to the communication control device before requesting an IP address. The transmission system includes a filtering rule storage unit that stores the filtering rule that has received registration from the communication control device, and an IP address and a terminal identifier that are stored as the filtering rule by the filtering rule storage unit. Communication permission means for permitting transmission of only communication from the terminal device corresponding to the pair.

  Also, the present invention provides the terminal of the terminal device according to the above invention, wherein the communication control device uses the address issuing unit to issue an IP address to the terminal device that is the transmission source of the address issue request. A user identifier corresponding to an identifier is further obtained from the user identifier stored in the user information storage means and registered in the address information storage means. The address information storage means further comprises: A user identifier registered by the user identifier registration unit is further stored in association with the withdrawal prohibition time limit and the terminal identifier for each IP address included in the IP address group, and the address dispensing unit includes the address dispensing request A user identifier corresponding to the terminal identifier of the terminal device that is the transmission source of the address information Each of the user identifier stored in the storage means and the user identifier stored in the user information storage means, and when the acquired user identifiers match each other, On the condition that the IP address stored in the address information storage means in association with the terminal identifier of the terminal device that is the transmission source is within the payout prohibition time limit, the terminal device that is the transmission source of the address payment request An IP address identical to the IP address stored in the address information storage means in association with the terminal identifier is paid out to the terminal device that is the source of the address payout request.

  Further, the present invention provides the communication disconnection information transmission means for transmitting the communication disconnection device information including the terminal identifier of the terminal device with which the established connection is disconnected to the communication control device in the above invention. Further, the communication control device, when transmitting the identifier address pair and the expiration date to the service control device as a response to the user information request by the user information transmission means, associates the identifier address pair with the expiration date. A service device identifier storage means for storing a service device identifier for specifying the identifier address pair and a service control device that is a transmission destination of an expiration date, and a terminal identifier included in the communication disconnection information received from the transmission system. As keys, the terminal identifier and user stored in the user information storage means Delete the identifier, search for the service device identifier that is the transmission destination of the identifier address pair corresponding to the deleted terminal identifier and user identifier from the service device identifier stored in the service device identifier storage means, Deletion instruction transmission means for transmitting an identifier address pair corresponding to the deleted terminal identifier and user identifier, and an expiration date deletion instruction corresponding to the identifier address pair, using the retrieved service device identifier as a transmission destination. The service control device further includes an identifier address that is a target of the deletion instruction from among the identifier address pairs stored in the identifier address pair storage unit when the deletion instruction is received from the communication control device. It further comprises a deletion means for searching for and deleting pairs and expiration dates. That.

  The present invention also provides a terminal device that transmits a service request to a service control device using the IP address received from the communication control device as a transmission source address, and provides a service in response to the service request from the terminal device. A service control device, a communication control device that controls network connection of the terminal device and requests a user information request from the service control device that requests information on a transmission source of the service request, and the terminal device via a network And a communication network system including a transmission system that connects the communication control device and the service control device in a state in which they can communicate with each other, wherein the communication control device is configured to send each IP address to the terminal device. Withdrawal prohibition period indicating the time limit for withdrawal of IP address Address information storage means for storing the terminal identifier for specifying the terminal device that is the IP address payout destination, the terminal identifier of the terminal device that has been successfully authenticated for paying out the IP address, User information storage means for storing a user identifier for specifying a user of the terminal device specified by the terminal identifier in association with the user identifier stored in the user information storage means. From the IP addresses stored in the address information storage means, those that are within the withdrawal prohibition period are excluded on the condition that there is a user identifier corresponding to the terminal identifier included in the address withdrawal request received from Select one of the remaining IP addresses and issue it to the terminal device that is the source of the address issue request Address payout means, and newly setting the payout prohibition deadline for the IP address paid out to the terminal device that is the sender of the payout request by the address payout means, the newly set payout prohibition deadline, and A withdrawal prohibition time limit registration unit that associates a terminal identifier of a terminal device that is a transmission source of a payout request and registers the terminal identifier in the address information storage unit, and the withdrawal prohibition time limit and the terminal identifier stored in the address information storage unit From among the user identifiers stored in the user information storage means, and obtaining a withdrawal prohibition time limit and a terminal identifier corresponding to the IP address included in the user information request received from the service control device A user identifier corresponding to the acquired terminal identifier is acquired, and the acquired user identifier And user information transmission means for transmitting the expiration date of the user identifier set in a range not exceeding the payout prohibition time acquired previously to the service control device as a response to the user information request, and The service control apparatus receives, for each IP address indicating the source of the service request, the address / identifier storage means for storing the user identifier corresponding to the IP address and the expiration date in association with each other, and the service request received The user identifier corresponding to the IP address indicating the transmission source of the service request is present in the user identifier stored in the address / identifier storage means, and the service request A user identifier corresponding to the IP address as the transmission source is sent by the address / identifier storage means. When it is confirmed that the user identifier exists in the stored user identifier, an expiration date stored in the address / identifier storage unit in association with the user identifier confirmed to exist is further stored. Confirmation means for confirming whether or not the user identifier corresponding to the IP address indicating the transmission source of the service request is stored in the address / identifier storage means by the confirmation means. Or the user identifier corresponding to the IP address that is the source of the service request has exceeded the expiration date in the user identifier stored by the address / identifier storage means If it is confirmed that the service request exists, the IP address indicating the source of the service request is included. A user information request transmitting means for transmitting a user information request to the communication control apparatus; and a response to the user information request transmitted by the user information request transmitting means as a response from the communication control apparatus to the user identifier and the validity of the user identifier. User address receiving means for receiving a time limit, the user identifier received by the user information receiving means, the expiration date of the user identifier, and the IP address indicating the source of the service request in association with the address / identifier storage The user information registration means registered in the means and the confirmation means, the user identifier corresponding to the IP address indicating the transmission source of the service request is expired in the user identifier stored in the address / identifier storage means. If it is confirmed that it does not exceed Provide a service to the terminal device that is the transmission source of the service request on the condition that the user identifier that has been confirmed to exist without exceeding the expiration date matches the user identifier included in the service request. When the confirmation unit confirms that the user identifier corresponding to the IP address indicating the transmission source of the service request does not exist in the user identifier stored by the address / identifier storage unit, or When it is confirmed that the user identifier corresponding to the IP address indicating the source of the service request exists in the user identifier stored by the address / identifier storage means in an expired state , The user identifier included in the service request, and the user information receiving means from the communication control device On condition that the signal has been user identifier is consistent, characterized in that and a service providing means for providing a service to the terminal device serving as a transmission source of the service request.

  Also, the present invention provides a service control device that issues an IP address in response to an address issue request received from a terminal device, controls network connection of the terminal device, and provides a service in response to a service request from the terminal device A communication control device that receives and responds to a user information request for requesting information related to a transmission source of a service request, and indicates a time limit for prohibition of IP address assignment for each IP address assigned to the terminal device Address information storage means for storing a terminal prohibition time limit and a terminal identifier for specifying a terminal device that is an IP address payout destination, and a terminal identifier of a terminal device that has succeeded in authentication for paying out the IP address And a user identifier for specifying a user of the terminal device specified by the terminal identifier The user identifier corresponding to the terminal identifier included in the address payout request received from the terminal device is present among the user information storage means for storing the information and the user identifier stored by the user information storage means. On the condition that the IP address stored in the address information storage means is selected from the IP addresses remaining as a result of excluding the IP addresses that are within the withdrawal prohibition period, and the sender of the address withdrawal request An address payout means for paying out to the terminal device, and a new setting for the payout prohibition deadline for the IP address payed out to the terminal device that is the transmission source of the payout request by the address payout means. The add-out prohibition deadline set in association with the terminal identifier of the terminal device that is the sender of the pay-out request The IP address included in the user information request received from the service control device out of the payout prohibition time limit registering means registered in the service information storage means, the payout prohibition time limit stored in the address information storage means, and the terminal identifier. The payout prohibition time limit and the terminal identifier corresponding to the address are acquired, and the user identifier corresponding to the acquired terminal identifier is acquired from the user identifiers stored by the user information storage unit, and the acquired A response to the user information request includes an identifier address pair consisting of a user identifier and an IP address included in the user information request, and an expiration date of the identifier address pair set in a range not exceeding the previously obtained payout prohibition time limit. User information transmission means for transmitting to the service control device as It is characterized by that.

  Also, the present invention provides a service control device that issues an IP address in response to an address issue request received from a terminal device, controls network connection of the terminal device, and provides a service in response to a service request from the terminal device A communication control program for causing a computer to execute a process of receiving and responding to a user information request for requesting information related to a service request transmission source, and for each IP address issued to the terminal device, an IP address is issued. An address information storage procedure for storing in a storage unit an association between a payout prohibition time limit indicating a prohibited time limit and a terminal identifier for specifying a terminal device as a payout destination of the IP address, and for paying out the IP address The terminal identifier of the terminal device that has been successfully authenticated, and the terminal specified by the terminal identifier A user information storage procedure for associating and storing the user identifier for specifying the user of the device in the storage unit, and the user identifier stored in the storage unit by the user information storage procedure, received from the terminal device Remaining as a result of excluding IP addresses stored by the address information storage procedure that are within the withdrawal prohibition period, on condition that a user identifier corresponding to the terminal identifier included in the issued address withdrawal request exists. An address payout procedure for selecting one of the IP addresses to be issued and paying out to the terminal device that is the source of the address payout request, and paying out to the terminal device that is the source of the payout request by the address payout procedure A new withdrawal prohibition period is set for the IP address, the newly set withdrawal prohibition period, and the withdrawal requirement A withdrawal prohibition period registration procedure in which the terminal identifier of the terminal device that is the transmission source is associated and registered in the storage unit, and among the withdrawal prohibition period and the terminal identifier stored in the storage unit by the address information storage procedure From the user prohibition time limit and terminal identifier corresponding to the IP address included in the user information request received from the service control device, and from among the user identifiers stored in the storage unit by the user information storage procedure, A user identifier corresponding to the acquired terminal identifier is acquired, and an identifier address pair consisting of the acquired user identifier and the IP address included in the user information request is within a range not exceeding the previously acquired payout prohibition time limit. The expiration date of the set identifier address pair as a response to the user information request It is characterized by causing a computer to execute a user information transmission procedure to be transmitted to a service control apparatus.

  Further, the present invention is a service control device that receives a service request from a terminal device whose source address is an IP address paid out from a communication control device, and provides a service according to the terminal device, An identifier address pair storage unit that associates and stores the identifier address pair acquired from the communication control device and an expiration date of the identifier address pair, and when the service request is received, a source of the service request It is confirmed whether or not the identifier address pair corresponding to the indicated IP address exists in the identifier address pair stored by the identifier address pair storage means, and corresponds to the IP address indicating the transmission source of the service request The identified identifier address pair exists in the identifier address pair stored by the identifier address pair storage means. If it is confirmed that the expiration date stored in the identifier address pair storage unit is associated with the identifier address pair confirmed to exist, it is further confirmed. The confirmation means and the confirmation means confirm that the identifier address pair corresponding to the IP address indicating the source of the service request does not exist in the identifier address pair stored by the identifier address pair storage means. Or the identifier address pair corresponding to the IP address indicating the transmission source of the service request exists in the identifier address pair stored in the identifier address pair storage means in a state where the expiration date has been exceeded. Is confirmed, a user information request including an IP address indicating the source of the service request is sent. A user information request transmitting means for transmitting to the communication control device, and receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device as a response to the user information request transmitted by the user information request transmitting means. User information receiving means, user information registration means for registering the identifier address pair received by the user information receiving means and the validity period of the identifier address pair in association with the identifier address pair storage means, and the confirmation means Confirm that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the identifier address pair storage means in a state where the expiration date has not been exceeded. In such a case, the expiration date may not exist. Provide a service to the terminal device that is the transmission source of the service request on the condition that the user identifier included in the confirmed identifier address pair matches the user identifier included in the service request; When it is confirmed that the identifier address pair corresponding to the IP address indicating the source of the service request does not exist in the identifier address pair stored by the identifier address pair storage means, or the service request When it is confirmed that the identifier address pair corresponding to the IP address indicating the transmission source of the identifier address pair exists in the identifier address pair stored by the identifier address pair storage means in an expired state, The user identifier included in the service request and the communication control device by the user information receiving means. On condition that the user identifier included in the received identifier address pairs are consistent, characterized in that and a service providing means for providing a service to the terminal device serving as a transmission source of the service request.

  The present invention also provides a service for receiving a service request from a terminal device whose source address is an IP address paid out from a communication control device, and causing a computer to execute a process of providing a service corresponding to the terminal device A control program, the identifier address pair storage procedure for storing the identifier address pair acquired from the communication control device and the expiration date of the identifier address pair in association with each other in the storage unit; and the service request is received And confirming whether or not the identifier address pair corresponding to the IP address indicating the transmission source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage procedure, The identifier address pair corresponding to the IP address indicating the source of the service request is the identifier address pair. When it is confirmed by the storing procedure that the identifier address pair stored in the storage unit is present, the identifier address pair storing procedure is further associated with the identifier address pair confirmed to exist. And a confirmation procedure for confirming whether or not the expiration date stored in the storage unit has been exceeded, and according to the confirmation procedure, an identifier address pair corresponding to an IP address indicating a transmission source of the service request is When it is confirmed by the pair storing procedure that the identifier address pair does not exist in the identifier address pair stored in the storage unit, or the identifier address pair corresponding to the IP address indicating the source of the service request is the identifier address pair It is confirmed that the expiration date has been exceeded in the identifier address pair stored in the storage unit by the storage procedure. If so, a user information request transmission procedure for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device, and the user information transmitted by the user information request transmission procedure. As a response to the request, a user information reception procedure for receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device, an identifier address pair received by the user information reception procedure, and an expiration date of the identifier address pair The identifier information pair corresponding to the IP address indicating the transmission source of the service request is stored in the storage unit by the identifier address pair storage procedure by the user information registration procedure for registering them in the storage unit in association with each other and the confirmation procedure. Exists in the identifier address pair that has not expired If it is confirmed that the user identifier included in the identifier address pair confirmed to exist without exceeding the expiration date matches the user identifier included in the service request. Providing a service to the terminal device that is the transmission source of the service request, and by the confirmation procedure, an identifier address pair corresponding to an IP address indicating the transmission source of the service request is stored in the storage unit by the identifier address pair storage procedure. When it is confirmed that it does not exist in the stored identifier address pair, or the identifier address pair corresponding to the IP address indicating the source of the service request is stored in the storage unit by the identifier address pair storage procedure If it is confirmed that it exists in the identifier address pair that has expired, the previous On the condition that the user identifier included in the service request matches the user identifier included in the identifier address pair received from the communication control device by the user information reception procedure, the terminal device that is the transmission source of the service request And a service providing procedure for providing the service to a computer.

  The present invention also provides a terminal device that transmits a service request to a service control device using the IP address received from the communication control device as a transmission source address, and provides a service in response to the service request from the terminal device. A service control device, a communication control device that controls network connection of the terminal device and requests a user information request from the service control device that requests information on a transmission source of the service request, and the terminal device via a network And a communication network control method applied to a communication network system including a transmission system that connects the communication control device and the service control device in a state in which they can communicate with each other, wherein the communication control device includes: For each IP address assigned to the terminal device, the IP address An address information storage step of storing in a storage unit an association between a withdrawal prohibition period indicating a period during which withdrawal is prohibited and a terminal identifier for specifying a terminal device to which an IP address is to be paid out; A user information storage step of storing a terminal identifier of a terminal device that has been successfully authenticated for authentication and a user identifier for specifying a user of the terminal device specified by the terminal identifier in the storage unit in association with each other; On the condition that the user identifier stored in the storage unit by the information storage step has a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device, the address information storage step IP addresses remaining as a result of removing the IP addresses that are within the withdrawal prohibition period from the stored IP addresses And an IP address issued to the terminal device that is the transmission source of the payout request by the address payout step. A withdrawal prohibition period registration step for newly setting the withdrawal prohibition period and registering the newly set withdrawal prohibition period and the terminal identifier of the terminal device that is the transmission request sender in the storage unit in association with each other And a payout prohibition time limit and a terminal corresponding to an IP address included in the user information request received from the service control device among the payout prohibition time limit and the terminal identifier stored in the storage unit by the address information storing step. User identification stored in the storage unit by the user information storage step while obtaining an identifier A user identifier corresponding to the acquired terminal identifier is acquired from the child, the identifier address pair consisting of the acquired user identifier and the IP address included in the user information request, and the previously obtained withdrawal prohibition period A user information transmission step of transmitting an expiration date of the identifier address pair set within a range not exceeding the user information request to the service control device as a response to the user information request, the service control device including the communication control An identifier address pair storage step for storing the identifier address pair acquired from the device in association with an expiration date of the identifier address pair in a storage unit; and when the service request is received, a source of the service request The identifier address pair corresponding to the indicated IP address is obtained by the identifier address pair storing step. Whether the identifier address pair stored in the storage unit exists or not is confirmed, and the identifier address pair corresponding to the IP address indicating the transmission source of the service request is stored in the storage unit by the identifier address pair storage step. Is stored in the storage unit by the identifier address pair storage step in association with the identifier address pair confirmed to exist. A confirmation step for confirming whether or not a valid expiration date has been exceeded, and an identifier address pair corresponding to an IP address indicating a source of the service request is stored in the identifier address pair storage step by the confirmation step. When it is confirmed that it does not exist in the identifier address pair stored in the section, or It is confirmed that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage step in an expired state. If so, a user information request transmitting step for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device, and the user information transmitted by the user information request transmitting step As a response to the request, a user information receiving step for receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device; an identifier address pair received by the user information receiving step and an expiration date of the identifier address pair Are registered in the storage unit in association with each other. And the confirmation step causes the identifier address pair corresponding to the IP address indicating the transmission source of the service request to exceed the expiration date in the identifier address pair stored in the storage unit by the identifier address pair storage step. A user identifier included in the identifier address pair confirmed to exist in a state that does not exceed the expiration date, and a user identifier included in the service request, Provided that the identifier address pair corresponding to the IP address indicating the transmission source of the service request is provided in the identifier address pair by providing the service to the terminal device that is the transmission source of the service request. The pair storage step confirms that it does not exist in the identifier address pair stored in the storage unit. Or the identifier address pair corresponding to the IP address indicating the source of the service request exceeds the expiration date in the identifier address pair stored in the storage unit by the identifier address pair storage step. If it is confirmed that the user identifier is present, the user identifier included in the service request matches the user identifier included in the identifier address pair received from the communication control device in the user information receiving step. And a service providing step of providing a service to the terminal device that is the transmission source of the service request.

  According to the present invention, it is possible to prevent misidentification of a user who uses a service via a network to ensure safety, and to prevent generation of a lot of unnecessary capital investment costs. In other words, the service control device assigns an expiration date to the information (user identifier, etc.) necessary for authenticating the user and gives it from the communication control device, so that the expired information is service controlled when authenticating the user. It is possible to prevent the apparatus from being used, and it is possible to prevent misidentification of the user and ensure safety. In addition, since information (user identifier, etc.) for authenticating the user is acquired from the communication control device and used as required by the service control device, information that is unnecessary and wasted as a result. It is not necessary to provide computer resources for dealing with (for example, ID-address pairs), and it is possible to prevent the generation of a lot of unnecessary capital investment costs.

  Further, according to the present invention, it is possible to more strictly prevent a user ID from being spoofed by a user of a terminal device.

  Further, according to the present invention, when a certain user uses a predetermined terminal continuously or intermittently with a short interruption, the same IP address can be used continuously. In a service configuration that provides a service depending on the IP address of the terminal device, it is possible to ensure service continuity, for example, by maintaining a session.

  Further, according to the present invention, the transmission system transmits the terminal identifier of the terminal device whose established connection has been disconnected to the communication control device as communication disconnection device information, and the communication control device provides a service as a response to the user information request. When transmitting a user identifier and an expiration date to the control device, store the user identifier and a service device identifier for identifying the service control device that is the destination of the expiration date in association with the user identifier and the expiration date, and transmit Using the terminal identifier received as communication disconnection information from the system as a key, the terminal identifier and user identifier stored in the user connection information management unit are deleted, and the service device identifier that is the transmission destination of the deleted user identifier is stored. Search from among the service device identifiers, and using the searched service device identifier as a transmission destination, When the service control apparatus receives the deletion instruction from the communication control apparatus, the service control apparatus transmits a deletion instruction for the deleted user identifier and IP address. Since the user identifier and the IP address that are the target of the deletion instruction are deleted, a terminal device that has been disconnected due to radio wave conditions or the like, or a terminal device that has failed to re-authenticate and cannot communicate When it occurs, it is possible to delete useless information that is effectively unnecessary in the service control apparatus.

  Further, according to the present invention, it is possible to obtain a communication control device and a communication control program that can prevent misperception of a user who uses a service via a network and can ensure safety. In other words, the communication control device and the communication control program give the expiration date to the information (user identifier, etc.) necessary for authenticating the user in the service control device, thereby giving the expired information to the user. Can be prevented from being used by the service control apparatus during authentication.

  Further, according to the present invention, it is possible to obtain a service control apparatus and a service control program that can prevent the generation of a lot of unnecessary capital investment costs. That is, the service control apparatus can acquire and use information (user identifier or the like) for authenticating the user as needed from the communication control apparatus, and as a result, useless information (for example, It is not necessary to provide computer resources for dealing with ID-address pairs.

  Exemplary embodiments of a communication network system, a communication network control method, a communication control apparatus, a communication control program, a service control apparatus, and a service control program according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, after describing the communication network system according to Example 1 as one embodiment for carrying out the present invention, another embodiment for carrying out the present invention will be described in another embodiment.

  In the following first embodiment, the outline and features of the communication network system according to the first embodiment, the configuration and processing of the communication network system will be described in order, and finally the effects of the first embodiment will be described.

[Outline and Features of Communication Network System (Example 1)]
First, the outline and features of the communication network system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the communication network system according to the first embodiment.

  The communication network system according to the first embodiment outlines, for example, authenticating a user who uses a service when providing various services via an IP phone, electronic commerce, and other networks. The main feature is to prevent misidentification of the product and to ensure safety, and to prevent the generation of many unnecessary capital investment costs.

  This main feature will be specifically described below. For example, as shown in FIG. 1, the communication network system according to the first embodiment uses a terminal device that transmits a service request to a service control device using an IP address received from the communication control device as a transmission source address. A service control device that provides a service in response to a service request from a terminal device, controls network connection of the terminal device, and responds to a user information request from the service control device that requests information about a transmission source of the service request And a transmission system that connects the terminal device, the communication control device, and the service control device through a network in a state where they can communicate with each other.

  The communication control device pays out the IP address payout period for each IP address (each IP address that is within the control range of the communication control device and can be paid out to the terminal device). The terminal identifier of the terminal device that has been successfully authenticated when the IP address is paid out and is associated with the prohibition time limit and the terminal identifier for specifying the terminal device that is the payout destination of the IP address. And a user ID for specifying the user of the terminal device specified by the terminal device is stored and managed as user connection information in association with each other.

  The service control apparatus acquires from the communication control apparatus an IP address indicating a transmission source of the service request, an ID-address pair including a user ID corresponding to the IP address, and an expiration date of the ID-address pair. -Address pairs and expiration dates are associated with each other and stored and managed as ID-address management information.

  Here, the term of validity refers to an ID-address pair (user ID and IP address) corresponding to an IP address indicating the service request transmission source when information about the transmission source of the service request is requested from the communication control apparatus. When the ID-address pair is used in the authentication of the user of the terminal device that is the transmission source of the service request, the validity period of the correspondence between the user ID and the IP address is valid. (Time limit for guaranteeing the contents of the ID-address pair). Note that the expiration date is arbitrarily set in the communication control apparatus with the payout exclusion time limit as an upper limit.

  Then, the terminal device transmits a service request including the IP address and the user ID to the service control device using the IP address received from the communication control device as a transmission source address (see (1) in FIG. 1). The service control device receives the service request from the terminal device (see (2) in FIG. 1), authenticates the user of the terminal device that is the source of the service request (see (3) in FIG. 1), and authenticates. If successful, the service is provided to the user of the terminal device that is the source of the service request (see (4) in FIG. 1).

  More specifically, the service control apparatus checks whether or not a record (ID-address pair) corresponding to the IP address acquired from the service request exists in the ID-address management information.

  If the record (ID-address pair) corresponding to the IP address acquired from the service request exists in the ID-address management information as a result of the confirmation, the user ID included in the ID-address pair of the record, If the user IDs are compared with each other when compared with the user ID acquired from the service request, it is determined that the user of the terminal device that is the source of the service request has been successfully authenticated, and processing based on the content of the service request Allow and provide services.

  On the other hand, as a result of confirmation, even if a record (ID-address pair) corresponding to the IP address acquired from the service request exists in the ID-address management information, the expiration date of the corresponding record has passed, or If the record corresponding to the IP address acquired from the service request does not exist in the ID-address management information, the ID-address pair corresponding to this IP address is requested to the communication control device, and the ID-address When a user ID included in an ID-address pair acquired from a communication control device is compared with a user ID acquired from a service request by acquiring a pair and an expiration date from the communication control device. Includes processing based on the content of the service request, assuming that the user of the terminal device that is the source of the service request has been successfully authenticated. To provide a service permit.

  Also, the service control device requests the communication control device for an ID-address pair corresponding to the IP address that is the source of the service request, and associates the ID-address pair acquired from the communication control device with the expiration date. And registered as ID-address management information. This is intended to prepare for authentication at the next service request from the same user.

  As described above, the service control device requests the communication control device for an ID-address pair corresponding to the IP address that is the source of the service request, and performs communication control on the ID-address pair and the expiration date. The user ID acquired from the device and included in the ID-address pair acquired from the communication control device is compared with the user ID acquired from the service request. If the user IDs match each other, the service request is transmitted. The case of authenticating the user of the original terminal device has been described.

  However, the service control device is not limited to such a method, and requests the communication control device for a user ID corresponding to the IP address that is the source of the service request, and sets the user ID and expiration date to the communication control device. The user ID acquired from the communication control device is compared with the user ID acquired from the service request. When the user IDs match each other, the user of the terminal device that is the source of the service request You may make it authenticate. In this case, the service control device requests the communication control device for a user ID corresponding to the IP address that is the source of the service request, and obtains the user ID and expiration date acquired from the communication control device, the service request Is registered as ID-address management information in association with the IP address that is the transmission source of.

  For this reason, the communication network system according to the first embodiment prevents misidentification of the user when authenticating the user of the terminal device receiving the service via the network, as in the main feature described above. The main feature is to ensure safety and prevent the generation of many unnecessary capital investment costs.

  In other words, the service control device provides the service control device with information related to the transmission source of the service request with an expiration date guaranteed that the IP address has not been issued to another terminal. Thus, as long as the information acquired from the communication control device within the validity period is used to authenticate the user of the terminal device that is the transmission source of the service request, misidentification of the user is prevented.

  In addition, when there is information for authenticating the user of the terminal device that is the transmission source of the service request in the ID-address management information managed by the service control device, the service control device renews information Therefore, a lot of useless capital investment cost for storing information for authenticating the user in advance is not required.

[Configuration of Communication Network System (Example 1)]
Next, the configuration of the communication network system according to the first embodiment will be described with reference to FIGS. 2 and 3. FIG. 2 is a diagram illustrating the configuration of the communication network system according to the first embodiment. FIG. 3 is a diagram illustrating the configuration of each device in the communication network system according to the first embodiment.

  As illustrated in FIG. 2, the communication network system according to the first embodiment uses a terminal device 20 that transmits a service request to the service control device 30 using the IP address received from the communication control device 10 as a transmission source address. A service control device 30 that provides a service in response to a service request from the terminal device 20, a network connection of the terminal device 20, and a service control device 30 that requests information about a transmission source of the service request. A communication control device that responds to a user information request, and a transmission system that connects the terminal device 20, the communication control device 10, and the service control device 30 via an IP network 41 in a state where they can communicate with each other. Consists of.

  The transmission system 40 is a system for performing IP communication among the terminal device 20, the communication control device 10, and the service control device 30. Composed. The transmission system 40 corresponds to the “transmission system” recited in the claims.

  The IP network 41 includes a communication path such as an IP router and an optical fiber for transferring IP communication performed between the terminal device 20, the communication control device 10, and the service control device 30. Between the terminal device 20 and the IP network 41, a wireless access point 42, which is a connection point of the terminal device 20, and a filter device 43 for blocking unauthorized IP communication from the terminal device 20 are connected. The

  The wireless access point 42 is a terminal connection device by wireless communication conforming to IEEE 802.11i, and after establishment of a wireless link, authentication from the terminal device 20 successfully authenticated by EAP-TLS (Extensible Authentication Protocol-Transport Layer Security). Only communication is transmitted to the IP network 41.

  The wireless access point 42 uses the communication control device 10 (network connection authentication unit 14), which will be described later, as a back-end authentication server when the terminal device 20 is authenticated. That is, it is the communication control device 10 that actually authenticates the terminal device 20, and the wireless access point 42 relays an EAP-TLS message exchanged between them. The EAP-TLS message is transmitted between the terminal device 20 and the wireless access point 42 in a format (EAP over LAN) defined in IEEE 802.1X based on IEEE 802.11i. Further, the EAP-TLS message is encapsulated and transmitted as a message on the RADIUS (Remote Authentication Dial In User Service) protocol between the wireless access point 42 and the communication control apparatus 10.

  Furthermore, the wireless access point 42 stores a MAC (Media Access Control) address used in the terminal device 20 at the time of establishing a wireless link and at the time of network connection authentication. When communication is attempted using a different MAC address, a function is provided for blocking and discarding communication.

  The wireless access point 42 requests the terminal device 20 that has succeeded in the connection authentication to re-authenticate after a predetermined period of time after the network connection authentication of the terminal device 20 has succeeded, and the re-authentication has failed. In this case, a function of disconnecting the link with the terminal device 20 may be further provided.

  For the IP communication from the terminal device 20, the filter device 43 analyzes the terminal identifier of the terminal device 20, the IP address (source address) indicating the transmission source, and the protocol used, and registers the communication from the communication control device 10. The IP packet transmission apparatus determines whether or not the IP communication from the terminal apparatus 20 may be transmitted to the IP network 41 based on the filtering rule received and stored, and discards the IP communication as necessary. The filter device 43 corresponds to “filtering rule storage unit” and “communication permission unit” recited in the claims.

  In the initial state, the filter device 43 is other than communication related to a procedure necessary for the terminal device 20 to perform IP communication through the IP network (for example, communication for IP address issue performed by DHCP (Dynamic Host Configuration Protocol)). Discard all communications. Then, the filter device 43 transmits the IP communication that is not the target of discarding to the IP network 41 based on the filtering rule received and stored from the communication control device 10. Here, the filtering rule indicates that the IP network 41 is transmitted only for the IP communication of the terminal device 20 having the IP address issued from the communication control device 10 as the calling address after the authentication in the communication control device 10 is successful. to approve.

  Subsequently, the terminal device 20 is an information device (information processing device) having a wireless communication function and an IP communication function. As illustrated in FIG. 3, the authenticated unit 21, the wireless communication unit 22, and the IP communication unit 23 and a service using unit 24.

  The authenticated unit 21 holds a public key certificate necessary for authenticating a user of the terminal device 20 in EAP-TLS and a secret key corresponding to the public key certificate.

  The wireless communication unit 22 conforms to the IEEE 802.11i specification and supports EAP-TLS as an authentication method at the time of wireless connection. The IP communication unit 23 includes a DHCP client unit that automatically acquires an IP address necessary for performing IP communication with the service control device 30 after establishing a wireless connection.

  The service using unit 24 makes a service request to the service control device 30 using the IP address acquired by the IP communication unit 23 and uses the service in accordance with the service provided from the service control device 30. Software (for example, SIP (Session Initiation Protocol) terminal software).

  The terminal device 20 is not limited to a general-purpose information device such as a personal computer or a workstation. For example, when the service provided to the terminal device 20 is a connection control service based on a SIP session, the terminal device 20 Such a SIP dedicated terminal may be used. Further, data such as a private key and a public certificate held in the authenticated unit 21 and a cryptographic operation function using the private key and the public certificate are held in another terminal connected to the terminal device 20. May be.

  The communication control device 10 is a general-purpose information processing device having an IP communication function, and as shown in FIG. Unit 14, filter control unit 15, and user information providing unit 16.

  The address management unit 11 corresponds to the “address information storage unit” described in the claims, and the user connection information management unit 12 corresponds to the “user information storage unit” described in the claims. The address payout unit 13 corresponds to the “address payout unit” and “payout prohibition time registration unit” described in the claims, and the filter control unit 15 includes the “filtering rule registration” described in the claims. Corresponding to “means”, the user information providing unit 16 also corresponds to “user information transmitting means” described in the claims.

  The address management unit 11 indicates a time limit for which IP address payout is prohibited for each IP address (each IP address that is within the control range of the communication control device and can be paid to the terminal device). The payout prohibition time limit and a terminal identifier for specifying the terminal device that is the payout destination of the IP address are associated with each other and stored as address management information, and managed by, for example, an RDBMS (Relational Database Management System). In addition, as long as it is the structure which can specify a payment exclusion deadline, such as using the MAC address of each terminal device 20 as a terminal identifier, and a payment exclusion deadline being represented by the combination of a payment date and a payment exclusion period, etc. You may manage.

  The user connection information management unit 12 is specified by the terminal identifier of the terminal device 20 that has been successfully authenticated by the network connection authentication unit 14 to be described later (terminal identifier that will later indicate the payout destination of the IP address) and the terminal device. A user identifier for specifying the user of the terminal device is associated with the user identifier and stored as user connection information and managed by the RDBMS.

  The address management unit 11 and the user connection information management unit 12 dynamically manage records (user IDs, IP addresses, terminal identifiers) about the users of the terminal devices 20 that have been successfully authenticated by the network connection authentication unit 14. Alternatively, the records of all potential users that can be connected may be managed statically. When performing static management, a column indicating whether or not there is a record of the user of the terminal device 20 that has been successfully authenticated is added (for example, either “connected” or “not connected” state). Whether it is or not).

  The address payout unit 13 removes IP addresses managed by the address management unit 11 from those IP addresses that are within the payout prohibition time limit (they are not subject to payout, and the payout prohibition time limit is set). (Including IP addresses that are not recorded in association with each other) and pays out to the terminal device 20 that is the transmission source of the address payout request. Specifically, the address issuing unit 13 supports DHCP as a protocol for executing an address issuing procedure with the terminal device 20, and provides IP to the terminal device 20 that has been successfully authenticated by the network connection authentication unit 14 described later. Give out an address.

  The address payout unit 13 newly determines a payout exclusion deadline for the IP address paid out to the terminal device that is the payout request transmission source, and determines the newly determined payout exclusion deadline and the payout request transmission source. A terminal identifier of a certain terminal device is associated and registered in the address management unit.

  When the user of the terminal device 20 is authenticated at the wireless access point 42, the network connection authentication unit 14 performs back-end authentication using the EAP-TLS procedure on RADIUS, and the user connection information management unit 12 Create and update authentication result records. Specifically, the network connection authentication unit 14 supports RADIUS and EAP-TLS encapsulated in RADIUS as a protocol for executing an authentication procedure.

  The filter control unit 15 registers, in the filter device 43, a filtering rule including a pair of an IP address and a terminal identifier that allows transmission of communication from the terminal device. Specifically, the filter control unit 15 performs a filter link rule addition / deletion instruction execution procedure for the filter device 43 by message transmission using socket communication on TCP (Transmission Control Protocol). The message includes a filtering rule addition / deletion and a pair of terminal identifier and IP address. Note that the ITU-T recommendation H.248 control protocol may be used.

  The user information providing unit 16 receives a user information request from the service control device 30 and returns an ID-address pair corresponding to the request to the service control device 30 as user information. That is, the payout exclusion deadline and the terminal identifier corresponding to the IP address included in the user information request received from the service control device 30 are acquired from the payout exclusion deadline and the terminal identifier managed by the address management unit 11, and An ID-address comprising the user ID corresponding to the previously acquired terminal identifier from the user IDs managed by the user connection information management unit 12 and consisting of this user ID and the IP address included in the user information request Service of the pair and the expiration date of the ID-address pair set within a range not exceeding the previously obtained payout exclusion expiration date (the expiration date when the correspondence between the user ID and the IP address is valid) as a response to the user information request Send to control device. Specifically, the user information providing unit 16 uses a socket communication on TCP for a procedure for returning an ID-address pair (a pair of a user ID and an IP address) executed in response to a request from the service control device 30. This is done by sending and receiving messages.

  The user information providing unit 16 cannot acquire the user ID corresponding to the IP address included in the user information request from the user IDs managed by the user connection information management unit 12 (when it does not exist). May include the data indicating the fact (for example, “no corresponding entry”) in the message and return it to the service control device 30 or may return a message with an expiration date blank. . In addition, as a method for transmitting the expiration date of the ID-address pair, the expiration date itself indicating the absolute date may be included, or the period from the response occurrence date to the expiration date, that is, the number of seconds or the number of days. A value indicating the length of time may be included as the expiration date of the ID-address pair.

  The service control device 30 is a general-purpose information processing device having an IP communication function. For example, as shown in FIG. 3, an ID-address pair management unit 31, a service request authentication unit 32, a service providing unit 33, and the like. Is provided.

  The ID-address pair management unit 31 corresponds to the “identifier address pair storage unit” described in the claims, and the service request authentication unit 32 includes the “confirmation unit”, “ Corresponding to “user information request transmitting means”, “user information receiving means” and “user information registering means”, the service providing unit 33 corresponds to “service providing means” described in the claims.

  The ID-address pair management unit 31 stores, as an ID-address management information, a user ID corresponding to the IP address and an expiration date associated with each IP address indicating the source of the service request, and manages it by the RDBMS. .

  Here, the term of validity refers to an ID-address pair (user ID and IP address) corresponding to an IP address indicating the service request transmission source when information about the transmission source of the service request is requested from the communication control apparatus. When the ID-address pair is used in the authentication of the user of the terminal device that is the transmission source of the service request, the validity period of the correspondence between the user ID and the IP address is valid. (Time limit for guaranteeing the contents of the ID-address pair). Note that the expiration date is arbitrarily set in the communication control apparatus with the payout exclusion time limit as an upper limit.

  If the ID-address pair management unit 31 receives a period from the date / time when a response is received from the communication control device (response occurrence date / time) until the expiration date is reached instead of the expiration date, the communication control device The date and time when the response is received from and the valid period included in the response (for example, a value indicating the length of time such as the number of seconds or the number of days) may be managed in association with each other.

  The service request authentication unit 32 receives the service request from the terminal device 20 and authenticates the user of the terminal device 20 that is the transmission source of the service request.

  That is, when the service request authentication unit 32 receives a service request from the terminal device 20, a record (for example, ID-address pair) corresponding to the IP address acquired from the service request is received by the ID-address pair management unit 31. It is confirmed whether or not it exists in the managed ID-address management information.

  As a result of the confirmation, when the record (ID-address pair) corresponding to the IP address acquired from the service request exists in the ID-address management information, the service request authenticating device 32 determines the ID-address pair of the corresponding record. And the user ID acquired from the service request, if the user IDs match each other, it is assumed that the user of the terminal device 20 that is the source of the service request has been successfully authenticated, Allows processing based on the contents of the service request.

  On the contrary, as a result of confirmation, even if a record (ID-address pair) corresponding to the IP address acquired from the service request exists in the ID-address management information, the expiration date of the corresponding record has passed. If the record corresponding to the IP address acquired from the service request does not exist in the ID-address management information, the service request authenticating unit 32 controls communication of the ID-address pair corresponding to the IP address. In order to make a request to the device 10, a user information request including an IP address indicating the transmission source of the service request is transmitted to the communication control device 10.

  When the service request authenticating unit 32 receives the ID-address pair and the expiration date from the communication control device 10 as a response to the user information request, the service request authentication unit 32 includes the user ID included in the ID-address pair acquired from the communication control device 10 and If the user IDs are compared with each other when compared with the user ID acquired from the service request, it is assumed that the user of the terminal device that is the source of the service request has been successfully authenticated, and processing based on the content of the service request Allow.

  In addition, the service request authentication unit 32 registers the ID-address pair acquired from the communication control device 10 and the expiration date in the ID-address pair management unit 31 in association with each other.

  If the service authentication requesting unit 32 succeeds in authenticating the user of the terminal device 20 that is the transmission source of the service request, and the processing based on the content of the service request is permitted, the service providing unit 33 The service is provided to the user of the terminal device 20 that is the transmission source of the service request.

  When the service provided from the service control device 30 to the terminal device 20 is a session connection service based on SIP, the service request from the terminal device 20 is “REGISTER”, “INVITE”, “BYE”, or the like. The service providing unit 33 is a SIP signal, and provides, as a service, registration of the terminal device 20 and establishment or disconnection of a session with another terminal device 20 according to the content of the SIP signal received from the terminal device 20.

  Further, when the service provided from the service control device 30 to the terminal device 20 is based on another protocol or method (for example, a WEB service based on HTTP (Hypertext Transfer Protocol), etc.), the various processes described above are performed. Functions can be applied as well.

  The communication control device 10 and the service control device 30 can be realized by mounting the above-described various processing functions on an information processing device such as a known personal computer or workstation.

[Communication Network System Processing (Example 1)]
Subsequently, processing of the communication network system according to the first embodiment will be described with reference to FIGS. In the following, the flow of processing when the service provided from the service control device 30 to the terminal device 20 is a session connection service based on SIP will be described.

[Connection Phase]
First, the flow of the connection phase of the communication network system according to the first embodiment will be described with reference to FIGS. FIG. 4 is a sequence diagram illustrating the flow of the connection phase of the communication network system according to the first embodiment. FIG. 5 is a diagram illustrating the contents of the address management information and user connection information at the start of the connection phase according to the first embodiment. FIG. 6 is a diagram illustrating the contents of the address management information and the user connection information at the end of the connection phase according to the first embodiment.

  In the following, the flow of the connection phase until the terminal device 20 (for example, the terminal device 20-C) connects to the transmission system 40 and acquires an IP address necessary for the subsequent IP communication with the service control device 30. Will be explained. As a precondition, the terminal identifier of the terminal device 20-C that appears later as the terminal device 20 is “CC: CC: CC: 22: 22: 02”, the user ID of the user is “0333”, and this user It is assumed that the public key certificate that illuminates the ID and its private key are stored in the terminal device 20-C itself.

  The state of the address management information and the user connection information at the start of the connection phase is as illustrated in FIG. At the start of the connection phase, two terminal devices (terminal device 20-A and terminal device 20-B) are connected to the transmission system 40.

  As shown in FIG. 4, the terminal device 20 (20-C) transmits a wireless connection request to the wireless access point 42 (step S401), and using this as a trigger, a wireless link establishment procedure is performed between the two to establish a wireless link. Is established (step S402). The establishment of the wireless link is realized by transmitting and receiving “Probe Request / Response”, “Open System Authentication Request / Response”, and “Association Request / Response” messages according to a procedure defined in IEEE 802.11i.

  Next, the wireless access point 42 requests user authentication from the terminal device 20 (20-C) (step S403). Using this as a trigger, the wireless access point 42 serves as a relay point and is a communication that is a back-end authentication device. Authentication based on the terminal authentication procedure is performed between the control device 10 and the terminal device 20 (20-C) (see step S404 and step S405). The authentication performed between the communication control device 10 and the terminal device 20 (20-C) is performed according to the procedure defined in IEEE 802.1X adopted as the authentication method by IEEE 802.11i as “EAP Request / Response. "It is realized by sending and receiving messages.

  When the wireless access point 42 transfers the “EAP Response” message from the terminal device 20 (20-C) to the communication control device 10, this message is encapsulated in an “ACCESS REQUEST” message on the RADIUS protocol. The terminal device 20 (20-C) adds an attribute (AVP: Attribute Value Pair) whose value is the MAC address used for wireless communication with the wireless access point 42 to the “ACCESS REQUEST” message. Thereby, the communication control apparatus 10 can acquire the correct MAC address (terminal identifier) of the terminal device 20 (20-C) to be authenticated.

  Further, in this connection phase, since EAP-TLS is used as a specific authentication procedure on the EAP framework, the terminal device 20 (20-C) discloses public information corresponding to the user ID “0333” stored therein. The user ID is proved by using the key certificate and the private key as credentials.

  If the communication control device 10 succeeds in the authentication of the terminal device 20 (20-C), for example, as shown in FIG. 6, the user ID (“0333”) of the terminal device 20 (20-C) determined as a result of the authentication. And the terminal identifier (“CC: CC: CC: 22: 22: 02”) of the terminal device 20 (20-C) that the wireless access point 42 has transmitted in addition to the “ACCESS REQUEST” message. The added record is added to the user connection information (step S406).

  Subsequently, the communication control device 10 successfully transmits the “ACCESS ACCEPT” message of the RADIUS protocol including the encapsulated “EAP Success” message, and successfully authenticates the terminal device 20 to the wireless access point 42. It is notified (step S407).

  The wireless access point 42 that has received the notification of successful authentication transmits an “EAP Success” message on the EAP over LAN, and notifies the terminal device 20 (20-C) of the authentication success (step S408). ).

  Subsequently, the wireless access point 42 is silent with the terminal device 20 (20-C) that has been successfully authenticated by transmitting and receiving the “EAP over LAN Key” message defined in IEEE 802.1X adopted in IEEE 802.11i. A procedure for sharing a session key necessary for protecting communication with the terminal device 20 is executed (step S409).

  The wireless access point 42 that has successfully shared the key transfers the communication from the terminal device 20 (20-C) to the filter device 43 located upstream of the communication path and the IP network 41 located beyond the filter device 43. The communication port for the terminal device 20 (20-C) is opened.

  The terminal device 20 (20-C) that has completed the procedure of authentication and key sharing with the wireless access point 42 issues parameters necessary for performing IP communication through the IP network 41, in particular, an IP address used by itself. In order to receive, a search message (DHCP DISCOVER) based on the DHCP procedure is broadcast (step S410). The broadcast search message passes through the filter device 43 and reaches the communication control device 10.

  Note that the IP network 41 does not directly transmit the broadcast search message to the communication control device, but temporarily receives it by the router function in the IP network 41 and relays it to the communication control device 10. . In this case, the value of the terminal identifier (MAC address) of the terminal device 20 is configured to be transmitted to the communication control device 10 as a DHCP option.

  The communication control device 10 that has received the search message (DHCP DISCOVER) based on the DHCP procedure uses the terminal device 20 (20-C) that is the transmission source as the terminal identifier of the terminal device 20 (20-C) that is the transmission source of this message. ) And whether or not a record having the acquired MAC address as the value of the terminal identifier exists in the user connection information (step S411). In this connection phase, since the MAC address of the terminal device 20 (20-C) is added to the record in step S406, it is confirmed that it exists in the user connection information. On the other hand, if it is not confirmed that it exists in the user connection information, a rejection response is returned to the terminal device 20 (20-C) by transmitting a predetermined message (DHCP NACK), and the process is terminated. .

  Subsequently, the communication control device 10 refers to the address management information and determines an IP address to be paid out to the terminal device 20 (20-C) (step S412). Specifically, it is determined from a subset of IP addresses excluding IP address groups managed in the address management information except those within the payout exclusion period. Arbitrary logic can be used for determining the IP address to be paid out. For example, the IP address next to the IP address issued in accordance with the address payout request received immediately before is determined as the IP address to be paid out. Logic can be adopted. In this connection phase, for example, as shown in FIG. 5, among the IP address groups (managed objects: “192.168.1.0/24”) managed in the address management information, “192.168.1.100” and “ The payout exclusion period is set to “192.168.1.102”, but if both are within the payout exclusion period in the processing step of step S412, IP addresses other than these, for example, “192.168.1.103” are paid out. Determine as an address.

  Further, the communication control apparatus 10 determines a payout exclusion period for the IP address that has been determined to be paid out (step S413). An arbitrary method can be adopted as a method for determining the withdrawal exclusion period. For example, the withdrawal exclusion period is determined by adding a preset withdrawal exclusion period (for example, a length of time such as 6 hours) to the current year and date. The method to do can be adopted. In this connection phase, for example, as shown in FIG. 6, “2007-09-15: 10: 10” is determined as the payout exclusion period.

  Then, for example, as illustrated in FIG. 6, the communication control device 10 includes a payout IP address (for example, “192.168.1.103”), a payout exclusion period (for example, “2007-09-15: 10: 10”), And a record in which the MAC address (for example, “CC: CC: CC: 22: 22: 02”) of the terminal device 20 (20-C) acquired from the search message (DHCP DISCOVER) is associated with the address management information is added. (Step S414).

  Thereafter, the communication control device 10 transmits a predetermined message (DHCP OFFER), and presents the payout IP address (for example, “192.168.1.103”) and the lending period to the terminal device 20 (20-C) (step). S415). This lending period (corresponding to the “expiration date” described above) is determined so as not to exceed the payout exclusion period. For example, the value may be the same as the period until the payout exclusion period, or a value corresponding to 50% or 80% of the time from the current time to the payout exclusion period may be set. In this connection phase, the same value as the payout exclusion period (for example, “2007-09-15: 10: 10”) is set as the lending period.

  The terminal device 20 (20-C) confirms the IP address presented by the communication control device 10 and the lending period, transmits a predetermined message (DHCP REQUEST), and applies for use of the IP address (step S416). . This message includes a MAC address (for example, “CC: CC: CC: 22: 22: 02”) that is a terminal identifier of the terminal device 20 (20-C) indicating the transmission source, and a use application IP address (for example, "192.168.1.103").

  When receiving the message (DHCP REQUEST), the communication control device 10 receives the MAC address that is the terminal identifier of the terminal device 20 (20-C) indicating the transmission source of the message (for example, “CC: CC: CC: 22: 22: 02 ”) and the use application IP address (for example,“ 192.168.1.103 ”) included in this message, and whether or not the pair of the obtained MAC address and use application IP address exists in the address management information. (Step S417). In this connection phase, for example, as shown in FIG. 6, it is confirmed that there is a pair of MAC address and use application IP address, but when there is no pair of MAC address and use application IP address, By sending a predetermined message (DHCP NACK), a rejection response is returned to the terminal device 20 (20-C), and the process is terminated.

  When it is confirmed that the pair of the MAC address acquired from the received message (DHCP REQUEST) and the use application IP address exists in the address management information, the communication control device 10 determines that the terminal device 20 (20 Filter device 43 so that the use of the IP address of -C) is confirmed, and the terminal device 20 (20-C) becomes the transmission source, and the IP communication having the payout IP address as the originating address can be transferred by the IP network 41. An instruction to add a filtering rule is transmitted to (step S418). The addition instruction includes a MAC address (for example, “CC: CC: CC: 22: 22: 02”) that is a terminal identifier of the terminal device 20 (20-C) and a payout IP address (for example, “192.168.1.103”). ]).

  Based on the pair of the MAC address and the IP address included in the filtering rule addition instruction received from the communication control device 10, the filter device 43 starts from the terminal device 20 (20-C) having the MAC address included in this pair. Then, a filtering rule for permitting IP communication using the IP address included in the pair as an originating address is stored (step S419), and when the preparation of a state where IP communication from the terminal device 20 (20-C) can be transmitted is completed, The completion is returned to the communication control apparatus 10 (step S420).

  Upon receiving from the filter device 43 a maintenance completion response that allows transmission of IP communication from the terminal device 20 (20-C), the communication control device 10 sends a predetermined message (DHCP ACK) to the terminal device 20 (20-C). ) (Step S421), and the connection phase is normally completed.

  When the connection phase described above is normally completed, the terminal device 20 (20-C) executes IP communication with the service control device 30 with “192.168.1.103” as the source IP address. Is possible.

  Further, due to the function of the wireless access point 42, the terminal device 20 (20-C) wirelessly accesses IP communication in which a value other than “CC: CC: CC: 22: 22: 02” is spoofed as its own MAC address. As long as “CC: CC: CC: 22: 22: 02” is used by the function of the filter device 43, a value other than “192.168.1.103” is set as the source IP address. The spoofed IP communication cannot be sent upstream of the filter device 43. Therefore, IP communication from the terminal device 20 (20-C) that reaches the service control device 30 always uses “192.168.1.103” as the originating IP address, and is stored in the address management information of the communication control device 10. The user ID “0333” corresponding to the originating IP address can be identified without error based on the existing ID-address pair (for example, the pair of the user ID “0333” and the IP address “192.168.1.103”).

[Service usage phase]
Next, the flow of the service use phase of the communication network system according to the first embodiment will be described with reference to FIGS. FIG. 7 is a sequence diagram illustrating the flow of the service use phase of the communication network system according to the first embodiment. FIG. 8 is a flowchart illustrating a process flow of the service control apparatus in the service use phase according to the first embodiment. FIG. 9 is a diagram illustrating the contents of the ID-address management information at the start of the service use phase according to the first embodiment. FIG. 10 is a diagram illustrating the contents of the ID-address management information after service request authentication according to the first embodiment.

  In the following, after the terminal device 20 (for example, the terminal device 20-C) connects to the transmission system 40 and acquires the IP address necessary for the subsequent IP communication with the service control device 30, the service control device 30 The flow of the service use phase from when receiving a session control service based on SIP to SIP will be described.

  The contents of the ID-address management information at the start of the service use phase are as illustrated in FIG. At the start of the service use phase, two terminal devices (terminal device 20-A and terminal device 20-B) are connected to the transmission system 40.

  As shown in FIG. 7, the terminal device 20 (20-C) transmits a “SIP REGISTER” message (service request) to the service control device 30 in order to request registration of its own IP address (location). (Step S701). Upon receiving the “SIP REGISTER” message, the service control device 30 performs authentication processing of the user who transmitted the message (steps S702 and S703, and the hatching portion in FIG. 7). This authentication process will be described with reference to FIG.

  As shown in FIG. 8, the service control apparatus 30 acquires the IP address of the transmission source and the user ID for using the SIP service from the received “SIP REGISTER” message (step S801). In this usage phase, it is assumed that the IP address “192.168.1.103” and the user ID “0333” have been acquired.

  Although the user ID storage location in the “SIP REGISTER” message (SIP signal) depends on the service design by the service provider, the username part in the SIP URI of the From header of the SIP signal is used as the user ID storage location. Alternatively, the username part of the Authorization header of the SIP signal may be used, or a dedicated header may be added to the SIP signal separately. In this usage phase, for example, the username part of the Authorization header is used as the storage location of the user ID for all SIP signals.

  In this usage phase, the user ID for using the SIP service is the same as the user ID used when connecting to the transmission system 40. That is, the user of the terminal device 20 (20-C) assigned the user ID “0333” for connection to the transmission system 40 is assigned the user ID “0333” for SIP service use. However, the two need not always match, and the correspondence relationship is defined between the two, so that the service control device 30 can refer to the correspondence relationship and convert them to each other. Both can be assigned different values and systems.

  The service control device 30 searches the ID-address management information for a record (ID-address pair) corresponding to the IP address of the transmission source of the service request (step S802).

  Subsequently, the service control device 30 confirms whether there is a record corresponding to the IP address of the transmission source of the service request based on the search result (step S803). For example, as shown in FIG. 9, since there is no record (No in step S803), an ID-address pair corresponding to the IP address of the transmission source of the service request is requested to the communication control apparatus 10 (step in FIG. 7). S702 and step S804 of FIG. 8).

  Then, the service control device 30 confirms the request result to the communication control device 10 (step S805), and when the acquisition of the ID-address pair and the expiration date can be confirmed (Yes in step S805), for example, FIG. As shown in FIG. 4, a record including the acquired user ID, IP address, and expiration date is added to the ID-address management information (step S806).

  In this usage phase, the address management information and the user connection information managed in the communication control device 10 are as shown in FIG. 6, so that the communication control device 10 responds to a request from the service control device 30. , The ID-address pair consisting of the user ID “0333” and the IP address “192.168.1.103” and the expiration date determined within a range not exceeding the payout exclusion period of this IP address are returned together (FIG. 7). Step S703).

  Next, the service control device 30 is included in the user ID (the value of the user ID part) included in the ID-address pair acquired from the communication control device 10 and the service request received from the terminal device 20 (20-C). It is compared whether or not the user ID matches (step S807).

  Then, the service control apparatus 30 confirms the comparison result (step S808), and in this usage phase, since the comparison result indicates that they match each other (Yes in step S808), the service requester user is authenticated. As a success, processing for the service request from the user ID “0333” that is the request source of the service request is permitted (step S809).

  On the contrary, if the service control device 30 results in the comparison result that they do not match each other (No in step S808), it is assumed that the user who requested the service request has failed in authentication, and the service control device 30 Processing for the service request from the user ID “0333” as the request source is not permitted (step S810).

  Here, returning to the description of step S805, if the service control apparatus 30 cannot confirm the acquisition of the ID-address pair and the expiration date (No at step S805), the service request is the same as at step S810 described above. Processing for a service request from the user ID “0333”, which is the request source, is not permitted.

  If the process for the service request is not permitted as in step S810, the service control apparatus 30 ends the service request authentication process and sends a code indicating the authentication failure to the terminal apparatus 20 (20-C). )

  Returning to the description of FIG. 7 again, when the service control apparatus 30 permits the process for the service request, the process for the service request (SIP REGISTER message) from the terminal apparatus 20 (20-C), that is, the terminal The location (IP address) of the device 20 (20-C) is registered, and “200 OK” is returned to the terminal device 20 (20-C) (step S704).

  After receiving the location registration completion message, the terminal device 20 (20-C) transmits an “INVITE” message with the other terminal device 20 as a session establishment partner to the service control device 30 as a new service request (step S20). S705).

  The service control device 30 that has received the “INVITE” message from the terminal device 20 performs an authentication process for the user who sent this message, as in the case of receiving the SIP REGISTER message described above. The authentication process will be described with reference to FIG. 8 again.

  The service control apparatus 30 acquires the IP address “192.168.1.103” of the transmission source and the user ID “0333” for using the SIP service from the received “INVITE” message (see step S801 above).

  The service control device 30 searches the ID-address management information for a record (ID-address pair) corresponding to the IP address of the transmission source of the service request (see step S802 above).

  Subsequently, the service control device 30 confirms whether there is a record corresponding to the IP address of the transmission source of the service request based on the search result (see step S803 above). In this usage phase, for example, As shown in FIG. 10, since the record exists (refer to the above step S803 affirmative), it is confirmed whether or not the expiration date of this record has passed (step S811).

  As a result of the confirmation, if the validity period of the record has passed (No in step S811), the service control device 30 gives an ID-address pair corresponding to the IP address of the transmission source of the service request to the communication control device 10. A request is made (see step S804 above). On the other hand, in this usage phase, for example, as shown in FIG. 10, since the expiration date of the record has not passed (Yes in step S811), the service control device 30 sets the ID-address pair retrieved from the ID-address management information. It is compared whether the included user ID (value of the user ID portion) matches the user ID included in the service request received from the terminal device 20 (20-C) (see step S807 above).

  Then, the service control apparatus 30 confirms the comparison result (see step S808 above), and in this usage phase, since the comparison result indicates that they match each other (see step S808 above), the request source of the service request As a result of the authentication, the service request from the user ID “0333” that is the request source of the service request is permitted (see step S809 above).

  Returning to FIG. 7 again, when the service control apparatus 30 permits the process for the service request, the process for the service request (INVITE message) from the terminal apparatus 20 (20-C), that is, session establishment. The “INVITE” message is transferred to the other terminal device 20 designated as the partner (step S706).

  The other terminal device 20 that has received the “INVITE” message returns “200 OK” to the service control device in response to the establishment of the session (step S707).

  The service control apparatus 30 transfers “200 OK” received from the other terminal apparatus 20 to the terminal apparatus 20 (20-C) (step S708). Thereby, a session based on the SIP signal is established between both terminal apparatuses, and communication (for example, voice call) using this session can be performed.

  The service control device 30 performs communication control unless the date and time when the service request is received from the terminal device 20 (20-C) exceeds the expiration date of the ID-address pair managed in the ID-address management information. Since the service request authentication process can be completed and executed within itself without requesting the ID-address pair from the apparatus 10, the service request authentication process can be efficiently executed. is there.

  Further, the communication control device 10 executes the IP address payout to the terminal device 20 in consideration of the payout exclusion period, and the expiration date managed in the ID-address management information in the service control device 30 is the payout exclusion. Since the period is set so as not to exceed the period, the authentication due to the deviation of the correspondence between the IP address and the terminal device without requesting the ID-address pair to the communication control device 10 whenever necessary. An error (spoofing of a user ID using the same IP address) can be prevented.

[Effects of Example 1]
As described above, according to the first embodiment, it is possible to prevent misidentification of a user who uses a service via a network to ensure safety and to prevent generation of a lot of unnecessary capital investment costs. Is possible. In other words, the information required for authenticating the user in the service control device 30 (ID-address pair, etc.) is given an expiration date and given from the communication control device 10, whereby the expired information is authenticated by the user. At this time, the service control device can be prevented from being used, and the user can be prevented from being misidentified to ensure safety. In addition, since the service control device 30 acquires information (ID-address pair, etc.) for authenticating the user from the communication control device 10 as necessary, it is unnecessary and wasted as a result. Therefore, it is not necessary to provide computer resources for dealing with information (for example, ID-address pairs), and it is possible to prevent the generation of a lot of unnecessary capital investment costs.

  Further, according to the first embodiment, the communication control device 10 authenticates the terminal device 20 when receiving an authentication request from the terminal device 20 and pays an IP address when the authentication of the terminal device 20 is successful. In addition, the terminal identifier of the terminal device 20 that has been successfully authenticated and the user ID of the user of the terminal device 20 that has been successfully authenticated are registered in association with each other, and transmission of communication from the terminal device to the transmission system 40 is allowed. A filtering rule including a pair of an IP address to be permitted and a terminal identifier is registered and stored. The terminal device 20 transmits an authentication request to the communication control device 10 before requesting the IP address, and the transmission system 40 , Storing the filtering rule accepted from the communication control device 10, and the IP address and terminal identifier stored as the filtering rule Since Allow transmission of only the communication from the terminal device 20 corresponding to, it is possible to more strictly prevent the theft of the user ID by the user of the terminal device.

  In the first embodiment, when the terminal device 20 requests the IP address payout again by DHCP before reaching the expiration date of the lending time limit of the IP address that has been paid out from the communication control device 10, the same condition is applied. The address may be paid out from the communication control device 10 again. Therefore, in the following second embodiment, the configuration and processing of the communication network system according to the second embodiment will be described.

[Configuration of communication network system (second embodiment)]
The configuration of the communication network system according to the second embodiment is different from the configuration of the communication network system described in the first embodiment described below.

  That is, the address issuing unit 13 of the communication control device 10 records information related to the IP address determined to be paid out to the terminal device 20 (20-C) (see step S414 in FIG. 4), and the payout destination terminal device. The user ID of each user is recorded together. The DB table for storing and managing the address management information is expanded so that records composed of IP addresses, terminal identifiers, expiration dates, and user IDs are recorded in association with each other.

  When the configuration as described above is adopted, when the terminal device 20 (20-C) connects to the transmission system 40 in the same procedure as the connection phase described in the first embodiment, the address management information in the communication control device 10 is For example, the state is as shown in FIG. FIG. 13 is a diagram illustrating the contents of the address management information and user connection information at the end of the connection phase according to the second embodiment.

[Address reassignment phase (Example 2)]
The flow of the address reassignment phase according to the second embodiment will be described with reference to FIG. The communication control device 10 is different from the connection phase described in the first embodiment in the points described below. FIG. 15 is a sequence diagram illustrating the flow of the address reassignment phase according to the second embodiment.

  That is, the communication control device 10 searches the address management information, and obtains a record (corresponding record) including the terminal identifier of the address requesting terminal device 20 (20-C) (step S1502). The result of the search is confirmed (step S1503), and if there is a corresponding record (Yes at step S1503), the payout exclusion period of the record is referred to and the payout exclusion period has not passed at this time (within the payout exclusion deadline) It is confirmed that the user ID of the corresponding record of the user connection information matches the user ID of the corresponding record of the address management information (step S1504).

  If both of the above confirmation items are true (Yes at Step S1504), the same IP address (registered in the address management information) “192.168.1.103” as the previous IP address to be issued to the terminal device 20 (20-C). Is selected and determined (step S1505).

  Thereafter, the communication control apparatus 10 determines a payout exclusion period (step S1508). When determining the payout exclusion deadline by adding a predetermined period to the current date and time, for example, as shown in FIG. A new payout exclusion deadline (for example, “2007-09-15: 50: 00”) different from the payout exclusion deadline recorded in the address management information is determined and recorded. FIG. 14 is a diagram illustrating the contents of address management information and user connection information after the end of address reassignment according to the second embodiment.

  Returning to the description of step S1503, if there is no corresponding record (No in step S1503), the IP address to be paid out is newly determined in the same manner as in the first embodiment (see step S412 in FIG. 4). And paying out (step S1507).

  Returning to the description of step S1504, if at least one of the above confirmation items is false (No at step S1504), after deleting the corresponding record from the address management information (step S1506), Similarly (see step S412 in FIG. 4), a new IP address to be paid out is determined and paid out (step S1507).

  Other steps shown in FIG. 15 are the same as those in the connection phase (see FIG. 4) described in the first embodiment. However, in steps S1513 to S1515, the filtering rules are already registered in the filter device 43. Therefore, it may be omitted.

  When the currently connected terminal device 20 requests to issue an IP address again, a “DHCP REQUEST” message including an IP address issued earlier as an argument is used instead of a “DHCP DISCOVER” message. You may make it transmit. In that case, the communication control apparatus 10 may reassign addresses by executing steps S1610 to S1614 after executing steps S1602 to S1609 shown in FIG. FIG. 16 is a sequence diagram illustrating a flow of another method of the address reassignment phase according to the second embodiment.

  Further, if the terminal device 20 (20-C) continues to use the service of the service control device 30 after completion of the address reassignment phase, the occurrence date and time of the service request is stored in the previously stored ID- Unless the expiration date of the ID-address pair (for example, “2007-09-15: 10: 10”, see FIG. 13) regarding the terminal device 20 (20-C) in the address management information has passed, the communication control device 10 The authentication completed within the service control device 30 can be executed without inquiring the ID-address pair.

  When a service request is generated at the timing when the expiration date (for example, “2007-09-15: 10: 10”, see FIG. 13) is passed and authentication is performed, the service described in the first embodiment is used. In the use phase (see step S811 in FIG. 8), it is determined that the expiration date has expired, and an ID-address pair is requested from the communication control apparatus 10 (see step S804 in FIG. 8).

  Upon receiving this request, the communication control device 10 sets a new payout exclusion period (for example, “2007-09-15: 50: 00”, see FIG. 14) in the record relating to the terminal device 20 (20-C) to the expiration date. As a response to the service control device 30. In response to this response, the service control device 30 updates the expiration date in the ID-address management information (for example, “2007-09-15: 50: 00”, see step S806 in FIG. 8). The state of this address management information is shown in FIG. FIG. 11 is a diagram illustrating the contents of ID-address pair management information after service request authentication that occurs after the expiration date according to the second embodiment.

  Thereafter, the authentication of the terminal device 20 (20-C) is completed in the same processing flow as that in the service use phase described in the first embodiment (see steps S807 to S809 in FIG. 8). As long as the date and time when the service request occurs does not exceed the expiration date in the ID-address management information (for example, “2007-09-15: 50: 00”), the authentication completed inside the service control device 30 is executed. Will be able to.

[Effects of Example 2]
As described above, according to the second embodiment, when the terminal identifier of the terminal device 20 that is the transmission source of the address payout request exists in the terminal identifier stored in the address management unit 11, The user ID of the terminal device 20 that is the sender of the address payout request and the sender of the address payout request do not exceed the payout prohibition period stored in the address management unit 11 in association with the terminal identifier. Corresponding to the terminal identifier of the terminal device 20 that is the transmission source of the address payout request, on condition that the user ID stored in the user connection information management unit 12 is associated with the terminal identifier of a certain terminal device 20 Thus, the same IP address as the IP address stored in the address management unit 11 is paid out to the terminal device 20 that is the transmission source of the address payout request. The user can use the same IP address continuously, depending on the IP address of the terminal device, when the specified terminal device is used continuously or with a short interruption. In such a service form that provides a service, it is possible to ensure continuity of the service, for example, by maintaining a session.

  In the above embodiment, there may be a case where the link between the terminal device 20 and the wireless access point 42 is broken due to the movement of the terminal device 20 or the radio wave condition. Further, in the wireless access point 42, the terminal device 20 that has succeeded in the connection authentication of the terminal device 20 and has obtained the connectivity with the transmission system 40 is authenticated again for the terminal device 20 after a predetermined period. In the case of having the function of commanding as described above, if this re-authentication fails, the link between the terminal device 20 and the wireless access point 42 may be broken.

  Even in the case described above, the IP address assigned to the terminal device 20 by the communication control device 10 by the connection phase described in the first embodiment (see step S411 in FIG. 4) is another terminal. Since it is prevented from being used by the device 20, a situation in which a user ID is erroneously recognized in the service request authentication in the service control device 30 is avoided, but the service control device 30 is ineffective ineffective. ID-address management information continues to be stored, and computer resources are wasted.

  Therefore, in order to prevent such waste of computer resources, in the following third embodiment, after describing the configuration and processing of the communication network system according to the third embodiment, the effects of the third embodiment will be described.

[Configuration of Communication Network System (Example 3)]
The configuration of the communication network system according to the third embodiment is different from the configuration of the communication network system described in the above embodiment in the following points.

  That is, the wireless access point 42 further has a function of notifying the communication control device 10 of disconnection of the connectivity with the terminal device 20 when the established link with the terminal device 20 is disconnected. This function corresponds to “communication disconnection information transmission means” described in the claims.

  When transmitting the ID-address pair and the expiration date to the service control device, the user information providing unit 16 of the communication control device 10 transmits the ID-address pair and the expiration date in association with the ID-address pair and the expiration date. It further has a function of storing a service device ID for specifying the service control device 30 that is the destination. This function corresponds to “service device identifier storage unit” recited in the claims.

  Further, when the communication control device 10 receives a link disconnection notification from the wireless access point 42, the communication control device 10 deletes the record related to the terminal device 20 (corresponding terminal device 20) in which the established link with the wireless access point is disconnected from the user connection information. In addition, the service control device 30 that has acquired the ID-address pair related to the terminal device 20 further has a function of notifying the invalidation of the ID-address pair. This function corresponds to the “deletion instruction transmission unit” recited in the claims.

  In addition, the filter control unit 15 of the communication control device 10 and the record related to the corresponding terminal device 20 are deleted from the user connection information, and at the same time, the filtering rule deletion instruction related to the terminal device 20 corresponding to this record is transmitted to the filter device 43. You may make it have a function.

  Upon receiving notification of invalidation of the ID-address pair from the communication control device 10, the service control device 30 further has a function of deleting a record relating to this ID-address pair from the ID-address management information. This function corresponds to “deleting means” described in the claims.

[Communication Network System Processing (Example 3)]
The processing of the communication network system according to the third embodiment differs from the processing of the communication network system described in the above embodiment in the following points. In the following, after the address reassignment phase described in the second embodiment is completed, the wireless communication between the terminal device 20 (20-C) and the wireless access point 42 is caused by the movement of the terminal device 20 (20-C) or the deterioration of radio wave conditions. A process assuming a case where the link is broken will be described. It is assumed that the communication control device 10 has already stored the service device ID of the service control device 30 that has acquired the ID-address information related to the terminal device 20 (20-C).

  The wireless access point 42 transmits a link disconnection notification including the terminal identifier (for example, “CC: CC: CC: 22: 22: 02”) of the terminal device 20 (20 -C) to the communication control device 10.

  Upon receiving the link disconnection notification from the wireless access point 42, the communication control device 10 uses the terminal identifier included in the link disconnection notification as a key, and records corresponding to the user connection information (user ID “0333” and terminal identifier “CC: CC: CC: 22: 22: 02 "), the user ID included in the retrieved record is stored, and the corresponding record is deleted.

  Subsequently, the communication control apparatus 10 uses the terminal identifier included in the link disconnection notification as a key, and records corresponding to the address management information (IP address “192.168.1.103”, terminal identifier “CC: CC: CC: 22: 22: 02 ”and the withdrawal exemption deadline“ 2007-09-15: 10: 10 ”), and an ID-address pair in which the IP address included in the searched record and the user ID stored in advance are combined. (User ID “0333”, IP address “192.168.1.103”) is generated.

  Then, the communication control device 10 acquires the service device ID corresponding to the ID-address pair generated earlier from the service device ID stored when paying the ID-address pair to the service control device 30. Then, invalidation of the ID-address pair generated earlier is transmitted with this service device ID as the transmission destination.

  When the service control device 30 receives a notification of invalidation of the ID-address pair from the communication control device 10, the corresponding record from the ID-address management information using the ID-address pair included in the notification of invalidation as a key. And the searched record (user ID “0333”, IP address “192.168.1.103”, payout exclusion deadline “2007-09-15: 50: 10”) is deleted. FIG. 12 shows the state of ID-address management information after record deletion in the service control apparatus 30. FIG. 12 is a diagram illustrating the contents of the ID-address management information after the ID-address invalidation process according to the third embodiment.

[Effects of Example 3]
As described above, according to the third embodiment, the transmission system 40 transmits the terminal identifier of the terminal device 20 in which the established link is disconnected to the communication control device 10, and the communication control device 10 transmits the user information request. When the ID-address pair and the expiration date are transmitted to the service control device 30 as a response to the service control device 30, the service control device 30 that is the transmission destination of the ID-address pair and the expiration date is associated with the ID-address pair and the expiration date. The service device ID for specifying is stored, the record stored in the user connection information management unit 12 is deleted using the terminal identifier received from the transmission system 40 as a key, and the ID-address pair corresponding to the deleted record The service device ID that is the transmission destination of the received device is searched, and the deleted service record ID is used as the transmission destination for the deleted record. When the service control apparatus 30 receives the invalidation notification from the communication control apparatus 10, the service control apparatus 30 transmits the ID-address pair invalidation notification to be recorded from the records stored in the ID-address management unit 31. Since the record corresponding to the ID-address to be invalidated is deleted, a terminal device that is disconnected due to radio wave conditions or the like, or a terminal device that is unable to communicate due to re-authentication failure When this occurs, it is possible to delete useless information that is effectively unnecessary in the service control apparatus.

  Although the first to third embodiments have been described as one embodiment of the present invention, the present invention may be implemented in various different forms other than the above-described embodiments. In the following, other embodiments included in the present invention will be described.

(1) ID-address pair request / response procedure In the above embodiment, the ID-address pair request / response procedure exchanged between the communication control apparatus 10 and the service control apparatus 30 is performed by socket communication on TCP. Although the case where the message is transmitted and received is described, the present invention is not limited to this, and can be realized using a protocol used in DNS (Domain Name System).

  The processing flow in this case will be described below with reference to FIG. FIG. 17 is a diagram illustrating an ID-address pair request / response procedure according to the fourth embodiment. As shown in the figure, the ID-address pair request transmitted from the service control device is a so-called “reverse lookup” DNS having a Query portion including the IP address of the terminal device to be requested in the Name portion. It is implemented as a standard query (see (1) in FIG. 17).

  The response transmitted from the communication control device 10 includes the IP address of the terminal device that is the request target in the Name portion, the Domain Name portion is the user ID, and the TTL (Time To Live) portion is the ID-address. It is implemented as a DNS standard response (Standard Query Response) having an Answer part that is the valid period of the pair (see (2) in FIG. 17).

  As the validity period set in the TTL part, the time and the number of days from when the response is made until the validity period of the ID-address pair is reached are used.

  Note that a request / response of an ID-address pair using a protocol used in DNS (Domain Name System) may be transmitted / received as a UDP (User Datagram Protocol) datagram or transmitted / received over a TCP connection. Good.

(2) User ID Request / Response In the above embodiment, the service control device 30 requests the communication control device 10 for an ID-address pair corresponding to the IP address that is the source of the service request. The ID-address pair and the expiration date are acquired from the communication control device 10, the user ID included in the ID-address pair acquired from the communication control device 10 is compared with the user ID acquired from the service request, and the user In the case where the IDs match each other, the case where the user of the terminal device 20 that is the transmission source of the service request is authenticated has been described.

  However, the present invention is not limited to this, and the service control device 30 requests the communication control device 10 for a user ID corresponding to the IP address that is the source of the service request, and the user ID and valid The time limit is acquired from the communication control apparatus 10, and the user ID acquired from the communication control apparatus 10 is compared with the user ID acquired from the service request. You may make it authenticate the user of the terminal device 20 which is. In this case, the service control device 30 requests the communication control device 10 for a user ID corresponding to the IP address that is the source of the service request, and obtains the user ID and the expiration date acquired from the communication control device 10. The IP address that is the source of the service request is registered as ID-address management information in association with the IP address.

(3) System Configuration, etc. Also, the configuration of the communication network system shown in FIG. 2 and each component constituting the communication network system shown in FIG. 3 are functionally conceptual and are not necessarily physically illustrated. It doesn't need to be configured.

  That is, the specific form of distribution / integration of the components shown in FIGS. 2 and 3 is not limited to that shown in the figure. For example, the wireless access point 42 of the transmission system 40 shown in FIG. Distributing to the discard function, integrating the address management unit 11 and the address issuing unit 13 of the communication control device 10, integrating the user connection information management unit 12 and the network connection authentication unit 14, and All or part of the service request authentication unit 32 and the service providing unit 33 are integrated and functionally or physically distributed and integrated in arbitrary units according to various loads and usage conditions. can do.

(4) Communication Network Control Method The following communication network control method is realized by the communication network system described in the above embodiment. That is, the communication control device, for each IP address paid out to the terminal device, a payout prohibition time limit indicating a time limit for paying out an IP address, and a terminal for specifying a terminal device that is a payout destination of the IP address An address information storage step of storing the identifier in association with the storage unit (see step S414 in FIG. 4), the terminal identifier of the terminal device that has been successfully authenticated when the IP address is issued, and the terminal identifier A user information storage step (see step S406 in FIG. 4) that associates and stores the user identifier for specifying the user of the terminal device to be stored in the storage unit, and the user stored in the storage unit by the user information storage step Among the identifiers, a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device On the condition that it exists, the address information storing step selects one of the IP addresses stored in the storage unit after the withdrawal prohibition deadline, and sends it to the terminal device that is the transmission source of the address withdrawal request Address payout step for paying out (refer to steps S411 to S413 in FIG. 4), and newly setting the payout prohibition deadline for the IP address paid out to the terminal device that is the sending source of the payout request by the address payout step A payout prohibition time limit registration step of registering the newly set payout prohibition time limit and the terminal identifier of the terminal device that is the transmission source of the payout request in association with each other in the storage unit (step S414 in FIG. 4); From the withdrawal prohibition time limit and the terminal identifier stored in the storage unit by the address information storage step, The payout prohibition time limit and the terminal identifier corresponding to the IP address included in the user information request received from the service control device are acquired, and the user identifier stored from the user identifier stored in the storage unit by the user information storage step is acquired. The user identifier corresponding to the received terminal identifier is acquired, and the identifier address pair consisting of the acquired user identifier and the IP address included in the user information request is set within a range not exceeding the previously acquired withdrawal prohibition time limit. A user information transmission step of transmitting the expiration date of the identifier address pair to the service control device as a response to the user information request (see step S703 in FIG. 7), and the service control device includes the communication control The identifier address pair acquired from the device and the identifier address pair An identifier address pair storing step in which the expiration date is stored in the storage unit (see step S806 in FIG. 8), and when the service request is received, corresponds to the IP address indicating the source of the service request And confirming whether the identifier address pair exists in the identifier address pair stored in the storage unit by the identifier address pair storage step, and an identifier corresponding to the IP address indicating the source of the service request When it is confirmed that the address pair exists in the identifier address pair stored in the storage unit by the identifier address pair storing step, the address pair further corresponds to the identifier address pair confirmed to exist. In addition, whether or not the expiration date stored in the storage unit by the identifier address pair storage step has been exceeded (See steps S801 to S803 and S811 in FIG. 8), the identifier address pair corresponding to the IP address indicating the source of the service request is changed to the identifier address pair storage step by the confirmation step. When it is confirmed that the identifier address pair does not exist in the identifier address pair stored in the storage unit, or the identifier address pair corresponding to the IP address indicating the transmission source of the service request is determined by the identifier address pair storage step. When it is confirmed that the identifier address pair stored in the storage unit exists in an expired state, the user information request including the IP address indicating the source of the service request is transmitted to the communication A user information request transmission step to be transmitted to the control device (step S7 in FIG. 7); 2, step S803 and step S804 in FIG. 8 and step S811), as a response to the user information request transmitted by the user information request transmission step, an identifier address pair and an expiration date of the identifier address pair from the communication control device User information receiving step (see step S805 in FIG. 8) and the user information registration for registering the identifier address pair received in the user information receiving step and the validity period of the identifier address pair in the storage unit in association with each other (See step S806 in FIG. 8), the identifier address pair corresponding to the IP address indicating the source of the service request is stored in the storage unit by the identifier address pair storage step by the confirmation step. Over expiration date in pair A user identifier included in the identifier address pair confirmed to exist in a state that does not exceed the validity period and a user identifier included in the service request. And the identifier address pair corresponding to the IP address indicating the transmission source of the service request is determined by the confirmation step to provide a service to the terminal device that is the transmission source of the service request. When it is confirmed by the address pair storage step that it does not exist in the identifier address pair stored in the storage unit, or the identifier address pair corresponding to the IP address indicating the source of the service request is the identifier address The expiration date has been exceeded in the identifier address pair stored in the storage unit by the pair storage step If it is confirmed that the user identifier is present, the user identifier included in the service request matches the user identifier included in the identifier address pair received from the communication control device in the user information receiving step. In addition, a communication network control method including a service providing step of providing a service to a terminal device that is a transmission source of the service request (steps S807 to S809 in FIG. 8) is realized.

  For this reason, when authenticating a user of a terminal device that receives a service via a network, the user is prevented from being misidentified to ensure safety, and a lot of unnecessary capital investment costs are prevented. It is possible to provide a communication network control method that can be performed.

(5) Communication Control Program and Service Control Program By the way, various processes of the communication control device 10 and the service control device 30 described in the above embodiment (see FIGS. 4, 7, 8, 15 to 17, etc.) Can be realized by executing a prepared program on a computer system such as a personal computer or a workstation. In the following, an example of a computer that executes a communication control program having the same function as that of the above embodiment and an example of a computer that executes a service control program will be described with reference to FIGS. FIG. 18 is a diagram illustrating a computer that executes a communication control program. FIG. 19 is a diagram illustrating a computer that executes a service control program.

  First, an example of a computer that executes a communication control program will be described with reference to FIG. As shown in the figure, the computer 50 as the communication control device 10 is configured by connecting an input unit 51, an output unit 52, a communication control I / F unit 53, an HDD 54, a RAM 55, and a CPU 56 via a bus 60.

  Here, the input unit 51 receives input of various data from the user. The output unit 52 displays various information. The communication control I / F unit 53 controls the exchange of various information. The HDD 54 stores information necessary for executing various processes by the CPU 56. The RAM 55 temporarily stores various information. The CPU 56 executes various arithmetic processes.

  As shown in FIG. 18, the HDD 54 stores in advance a communication control program 54a that exhibits the same function as each processing unit of the communication control apparatus 10 shown in the above embodiment, and communication control data 54b. Has been. Note that the communication control program 54a may be appropriately distributed and stored in a storage unit of another computer that is communicably connected via a network.

  Then, the CPU 56 reads out the communication control program 54a from the HDD 54 and develops it in the RAM 55, so that the communication control program 54a functions as a communication control process 55a as shown in FIG. Then, the communication control process 55a reads the communication control data 54b and the like from the HDD 54, expands them in the area allocated to itself in the RAM 55, and executes various processes based on the expanded data and the like. Note that the communication control process 55a corresponds to the processes executed in the address issuing unit 13, the network connection authentication unit 14, the filter control unit 15, and the user information providing unit 16 of the communication control apparatus 10 shown in FIG.

  The communication control program 54a is not necessarily stored in the HDD 54 from the beginning. For example, a flexible disk (FD), a CD-ROM, a DVD disk, a magneto-optical disk, and an IC inserted into the computer 50 are used. Each program is stored in a “portable physical medium” such as a card, and “another computer (or server)” connected to the computer 50 via a public line, the Internet, a LAN, a WAN, or the like. The computer 50 may read out and execute each program from these.

  Next, an example of a computer that executes a service control program will be described with reference to FIG. As shown in the figure, the computer 70 as the service control device 30 is configured by connecting an input unit 71, an output unit 72, a communication control I / F unit 73, an HDD 74, a RAM 75, and a CPU 76 via a bus 80.

  Here, the input unit 71 receives input of various data from the user. The output unit 72 displays various information. The communication control I / F unit 73 controls the exchange of various information. The HDD 74 stores information necessary for the CPU 76 to execute various processes. The RAM 75 temporarily stores various information. The CPU 76 executes various arithmetic processes.

  As shown in FIG. 19, the HDD 74 stores in advance a service control program 74a that exhibits the same function as each processing unit of the service control apparatus 30 shown in the above embodiment, and service control data 74b. Has been. The service control program 74a may be distributed as appropriate and stored in a storage unit of another computer that is communicably connected via a network.

  Then, the CPU 76 reads out the service control program 74a from the HDD 74 and develops it in the RAM 75, whereby the service control program 74a functions as a service control process 75a as shown in FIG. Then, the service control process 75a reads the service control data 74b and the like from the HDD 74, expands them in an area allocated to itself in the RAM 75, and executes various processes based on the expanded data and the like. The service control process 75a corresponds to the processing executed in the service request authentication unit 32 and the service providing unit 33 of the service control device 30 shown in FIG.

  The service control program 74a described above does not necessarily need to be stored in the HDD 74 from the beginning. For example, a flexible disk (FD), a CD-ROM, a DVD disk, a magneto-optical disk, an IC inserted into the computer 70 can be used. Each program is stored in a “portable physical medium” such as a card, or “another computer (or server)” connected to the computer 70 via a public line, the Internet, a LAN, a WAN, or the like. The computer 70 may read and execute each program from these.

  As described above, the communication network system, the communication network control method, the communication control apparatus, the communication control program, the service control apparatus, and the service control program according to the present invention provide various services via IP telephones, electronic commerce, and other networks. This is useful for authenticating users who use the service, especially to prevent misidentification of users to ensure safety and to prevent the generation of many unnecessary capital investment costs. Suitable for.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and characteristics of a communication network system according to a first embodiment. 1 is a diagram illustrating a configuration of a communication network system according to a first embodiment. 1 is a diagram illustrating a configuration of each device in a communication network system according to Embodiment 1. FIG. It is a sequence diagram which shows the flow of the connection phase of the communication network system which concerns on Example 1. FIG. It is a figure which shows the content of the address management information at the time of the connection phase start based on Example 1, and user connection information. It is a figure which shows the content of the address management information at the time of the completion | finish of the connection phase based on Example 1, and user connection information. It is a sequence diagram which shows the flow of the service utilization phase of the communication network system which concerns on Example 1. FIG. 6 is a flowchart showing a flow of processing of a service control device during a service use phase according to Embodiment 1. It is a figure which shows the content of ID-address management information at the time of the service utilization phase which concerns on Example 1. FIG. It is a figure which shows the content of ID-address management information after the service request authentication which concerns on Example 1. FIG. It is a figure which shows the content of ID-address pair management information after the service request authentication which generate | occur | produced after the expiration date based on Example 2. FIG. It is a figure which shows the content of the ID-address management information after the ID-address invalidation process which concerns on Example 3. FIG. It is a figure which shows the content of the address management information at the time of the completion | finish of the connection phase which concerns on Example 2, and user connection information. It is a figure which shows the content of the address management information after completion | finish of address reassignment based on Example 2, and user connection information. FIG. 10 is a sequence diagram illustrating a flow of an address reassignment phase according to the second embodiment. It is a sequence diagram which shows the flow of another system of the address reallocation phase which concerns on Example 2. FIG. It is a figure which shows the request | requirement / response procedure of ID-address pair which concerns on Example 4. FIG. It is a figure which shows the computer which executes a communication control program. It is a figure which shows the computer which executes a service control program.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Communication control apparatus 11 Address management part 12 User connection information management part 13 Address issuing part 14 Network connection authentication part 15 Filter control part 16 User information provision part 20 Terminal device 21 Authentication part 22 Address acquisition part 23 Service utilization part 30 Service control Device 31 ID-address pair management unit 32 Service request authentication unit 33 Service provision unit 40 Transmission system 41 IP network 42 Wireless access point 43 Filter device 50 Computer (communication control device)
51 Input Unit 52 Output Unit 53 Communication Control I / F Unit 54 HDD (Hard Disk Drive)
54a Communication control program 54b Communication control data 55 RAM (Random Access Memory)
55a Communication control process 56 CPU (Central Processing Unit)
60 bus 70 computer (service control device)
71 Input unit 72 Output unit 73 Communication control I / F unit 74 HDD (Hard Disk Drive)
74a Service control program 74b Service control data 75 RAM (Random Access Memory)
75a Service control process 76 CPU (Central Processing Unit)
80 bus

Claims (10)

A terminal device that transmits a service request to a service control device using the IP address received from the communication control device as a transmission source address, a service control device that provides a service in response to a service request from the terminal device, and the terminal A communication control device for controlling a network connection of the device and responding to a user information request from the service control device for requesting information on a transmission source of the service request; and the terminal device and the communication control device via a network; A communication network system including a transmission system that connects the service control devices in a mutually communicable state,
The communication control device includes:
For each IP address to be paid out to the terminal device, an address for storing the payout prohibition time limit indicating the time limit for paying out the IP address and the terminal identifier for specifying the terminal device to which the IP address is payed out in association with each other Information storage means;
User information storage means for storing a terminal identifier of a terminal device that has been successfully authenticated for paying out the IP address and a user identifier for specifying a user of the terminal device specified by the terminal identifier, in association with each other;
Stored by the address information storage means on condition that a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device exists among the user identifiers stored by the user information storage means. Address payout means for selecting one of the IP addresses remaining as a result of removing the IP addresses that are within the payout prohibition deadline from each IP address that has been sent, and paying out to the terminal device that is the source of the address payout request When,
The IP address issued to the terminal device that is the sender of the payout request is newly set with respect to the IP address that has been sent out, and the newly set payout prohibition deadline and the sender of the payout request are set. A withdrawal prohibition time limit registration means for registering in the address information storage means in association with the terminal identifier of the terminal device,
Obtaining a payout prohibition time limit and a terminal identifier corresponding to an IP address included in a user information request received from the service control device from the payout prohibition time limit and the terminal identifier stored by the address information storage means. A user identifier corresponding to the acquired terminal identifier is acquired from the user identifiers stored by the user information storage means, and consists of the acquired user identifier and the IP address included in the user information request. User information transmission means for transmitting the identifier address pair and the expiration date of the identifier address pair set in a range not exceeding the payout prohibition time acquired previously to the service control device as a response to the user information request; With
The service control device includes:
An identifier address pair storage means for storing the identifier address pair acquired from the communication control device and the expiration date of the identifier address pair in association with each other;
Whether or not an identifier address pair corresponding to an IP address indicating a transmission source of the service request exists in the identifier address pair stored by the identifier address pair storage unit when the service request is received. And confirming that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored by the identifier address pair storage means, A confirmation unit for confirming whether or not an expiration date stored in the identifier address pair storage unit in association with the identifier address pair confirmed to exist is exceeded;
When the confirmation means confirms that the identifier address pair corresponding to the IP address indicating the source of the service request does not exist in the identifier address pair stored by the identifier address pair storage means, or It was confirmed that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored by the identifier address pair storage means in a state where the expiration date has been exceeded. In this case, user information request transmitting means for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device;
User information receiving means for receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device as a response to the user information request transmitted by the user information request transmitting means;
User information registration means for registering the identifier address pair received by the user information receiving means and the validity period of the identifier address pair in association with the identifier address pair storage means;
An identifier address pair corresponding to an IP address indicating the transmission source of the service request exists by the confirmation unit in a state where the expiration date has not been exceeded in the identifier address pair stored by the identifier address pair storage unit. If it is confirmed that the user identifier included in the identifier address pair that has been verified to exist without exceeding the expiration date matches the user identifier included in the service request. In addition, an identifier address pair corresponding to an IP address indicating the transmission source of the service request is stored in the identifier address pair storage unit by the confirmation unit. Or the service request When it is confirmed that the identifier address pair corresponding to the IP address indicating the source exists in the identifier address pair stored by the identifier address pair storage means in a state where the expiration date has been exceeded, On the condition that the user identifier included in the service request matches the user identifier included in the identifier address pair received from the communication control device by the user information receiving means, the terminal device that is the transmission source of the service request Service providing means for providing services to
A communication network system comprising: The communication control device includes:
When the authentication request is received from the terminal device, the terminal device is authenticated, and the terminal identifier of the terminal device that has succeeded in the authentication is associated with the user identifier of the user of the terminal device that has succeeded in the authentication, Terminal authentication registration means for registering in the user information storage means;
Filtering rule registration means for registering a filtering rule consisting of a pair of an IP address and a terminal identifier that allows transmission from the terminal device to the transmission system, further comprising:
The user information storage means stores the terminal identifier registered by the terminal authentication registration means in association with the user identifier;
The terminal device includes an authentication request transmission unit that transmits an authentication request to the communication control device before requesting an IP address;
The transmission system includes:
Filtering rule storage means for storing the filtering rule received from the communication control device;
The communication rule means for permitting the transmission of only the communication from the terminal device corresponding to the pair of the IP address and the terminal identifier stored as the filtering rule by the filtering rule storage means. Item 4. The communication network system according to Item 1. The communication control device stores a user identifier corresponding to a terminal identifier of the terminal device when the IP address is paid out to the terminal device that is a transmission source of the address payout request by the address payout unit. A user identifier registration means for obtaining from the user identifier stored by the means and registering in the address information storage means;
The address information storage means further stores the user identifier registered by the user identifier registration means in association with the withdrawal prohibition time limit and the terminal identifier for each IP address included in the IP address group,
The address issuing unit stores a user identifier corresponding to a terminal identifier of a terminal device that is a transmission source of the address issue request, the user identifier stored in the address information storage unit, and the user information storage unit. When the acquired user identifiers are respectively acquired from the user identifiers and match each other, they are stored in the address information storage means in association with the terminal identifier of the terminal device that is the transmission source of the address payout request. The same IP address as that stored in the address information storage means in association with the terminal identifier of the terminal device that is the transmission source of the address payout request, on the condition that the IP address being within the payout prohibition time limit A request characterized by paying out an IP address to a terminal device that is the source of the address payout request. Communication network system according to claim 1 or 2. The transmission system further comprises communication disconnection information transmission means for transmitting communication disconnection apparatus information including a terminal identifier of a terminal apparatus whose established connection has been disconnected to the communication control apparatus,
The communication control device includes:
When transmitting the identifier address pair and the expiration date to the service control device as a response to the user information request by the user information transmission means, the identifier address pair and the expiration date are associated with the identifier address pair and the expiration date. Service device identifier storage means for storing a service device identifier for specifying a service control device as a transmission destination;
Using the terminal identifier included in the communication disconnection information received from the transmission system as a key, the terminal identifier and the user identifier stored in the user information storage unit are deleted, and the deleted terminal identifier and the user identifier are associated. A service device identifier that is a transmission destination of an identifier address pair is searched from service device identifiers stored in the service device identifier storage unit, and the deleted terminal identifier is set using the searched service device identifier as a transmission destination. And an identifier address pair corresponding to the user identifier, and a deletion instruction transmitting means for transmitting an expiration date deletion instruction corresponding to the identifier address pair,
The service control device, when receiving the deletion instruction from the communication control device, out of the identifier address pair stored in the identifier address pair storage means, the identifier address pair that is the object of the deletion instruction and the valid The communication network system according to any one of claims 1 to 3, further comprising deletion means for searching for and deleting a time limit. A terminal device that transmits a service request to a service control device using the IP address received from the communication control device as a transmission source address, a service control device that provides a service in response to a service request from the terminal device, and the terminal A communication control device for controlling a network connection of the device and responding to a user information request from the service control device for requesting information on a transmission source of the service request; and the terminal device and the communication control device via a network; A communication network system including a transmission system that connects the service control devices in a mutually communicable state,
The communication control device includes:
For each IP address to be paid out to the terminal device, a payout prohibition time limit indicating a time limit for paying out the IP address and a terminal identifier for specifying the terminal device to which the IP address is payable are stored in association with each other. Address information storage means;
User information storage means for storing a terminal identifier of a terminal device that has been successfully authenticated for paying out the IP address and a user identifier for specifying a user of the terminal device specified by the terminal identifier, in association with each other;
Stored by the address information storage means on condition that a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device exists among the user identifiers stored by the user information storage means. Address payout means for selecting one of the IP addresses remaining as a result of removing the IP addresses that are within the payout prohibition deadline from each IP address that has been sent, and paying out to the terminal device that is the source of the address payout request When,
The IP address issued to the terminal device that is the sender of the payout request is newly set with respect to the IP address that has been sent out, and the newly set payout prohibition deadline and the sender of the payout request are set. A withdrawal prohibition time limit registration means for registering in the address information storage means in association with the terminal identifier of the terminal device,
Obtaining a payout prohibition time limit and a terminal identifier corresponding to an IP address included in a user information request received from the service control device from the payout prohibition time limit and the terminal identifier stored by the address information storage means. The user identifier corresponding to the acquired terminal identifier is acquired from the user identifiers stored by the user information storage means, and the acquired user identifier and the previously obtained withdrawal prohibition time limit are not exceeded. User information transmission means for transmitting the expiration date of the user identifier set in a range to the service control device as a response to the user information request,
The service control device includes:
Address / identifier storage means for storing the user identifier corresponding to the IP address and the expiration date in association with each IP address indicating the source of the service request;
When the service request is received, it is confirmed whether or not a user identifier corresponding to an IP address indicating a transmission source of the service request exists in the user identifier stored by the address / identifier storage unit. In addition, when it is confirmed that the user identifier corresponding to the IP address that is the transmission source of the service request exists in the user identifier stored by the address / identifier storage means, Confirmation means for confirming whether or not the expiration date stored by the address / identifier storage means in association with the user identifier confirmed to be performed is exceeded;
When the confirmation means confirms that the user identifier corresponding to the IP address indicating the transmission source of the service request does not exist in the user identifier stored by the address / identifier storage means, or When it is confirmed that the user identifier corresponding to the IP address that is the source of the service request exists in the user identifier stored by the address / identifier storage means in a state where the expiration date has been exceeded, User information request transmitting means for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device;
User information receiving means for receiving a user identifier and an expiration date of the user identifier from the communication control device as a response to the user information request transmitted by the user information request transmitting means;
User information registration means for registering the user identifier received by the user information receiving means and the expiration date of the user identifier in association with the IP address indicating the source of the service request in the address / identifier storage means;
The user identifier corresponding to the IP address indicating the transmission source of the service request is present in the user identifier stored by the address / identifier storage unit in a state where the expiration date has not been exceeded by the confirmation unit. If the service request is confirmed, the source of the service request is provided on the condition that the user identifier that has been confirmed to exist without exceeding the expiration date matches the user identifier included in the service request. The user identifier corresponding to the IP address indicating the transmission source of the service request is not present in the user identifier stored in the address / identifier storage unit by the confirmation unit. The user ID corresponding to the IP address indicating the transmission source of the service request. When it is confirmed that the child exists in the user identifier stored by the address / identifier storage means in a state where the expiration date has been exceeded, the user identifier included in the service request and the user information Service providing means for providing a service to the terminal device that is the transmission source of the service request on the condition that the user identifier received from the communication control device by the receiving means matches,
A communication network system comprising: An IP address is issued in response to the address issue request received from the terminal device, the network connection of the terminal device is controlled, and a service request is transmitted from a service control device that provides a service in response to the service request from the terminal device A communication control device that receives and responds to a user information request for requesting information about the source,
For each IP address to be paid out to the terminal device, an address for storing the payout prohibition time limit indicating the time limit for paying out the IP address and the terminal identifier for specifying the terminal device to which the IP address is payed out in association with each other Information storage means;
User information storage means for storing a terminal identifier of a terminal device that has been successfully authenticated for paying out the IP address and a user identifier for specifying a user of the terminal device specified by the terminal identifier, in association with each other;
Stored by the address information storage means on condition that a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device exists among the user identifiers stored by the user information storage means. Address payout means for selecting one of the IP addresses remaining as a result of removing the IP addresses that are within the payout prohibition deadline from each IP address that has been sent, and paying out to the terminal device that is the source of the address payout request When,
The IP address issued to the terminal device that is the sender of the payout request is newly set with respect to the IP address that has been sent out, and the newly set payout prohibition deadline and the sender of the payout request are set. A withdrawal prohibition time limit registration means for registering in the address information storage means in association with the terminal identifier of the terminal device,
Obtaining a payout prohibition time limit and a terminal identifier corresponding to an IP address included in a user information request received from the service control device from the payout prohibition time limit and the terminal identifier stored by the address information storage means. A user identifier corresponding to the acquired terminal identifier is acquired from the user identifiers stored by the user information storage means, and consists of the acquired user identifier and the IP address included in the user information request. User information transmission means for transmitting the identifier address pair and the expiration date of the identifier address pair set in a range not exceeding the payout prohibition time acquired previously to the service control device as a response to the user information request;
A communication control apparatus comprising: An IP address is issued in response to the address issue request received from the terminal device, the network connection of the terminal device is controlled, and a service request is transmitted from a service control device that provides a service in response to the service request from the terminal device A communication control program for causing a computer to execute a process of receiving and responding to a user information request for requesting information about an original,
For each IP address to be paid out to the terminal device, a storage prohibiting time limit indicating a time limit for paying out the IP address and a terminal identifier for specifying the terminal device to which the IP address is payed out are associated with each other and stored Address information storage procedure to be stored in,
User information storage that stores the terminal identifier of the terminal device that has been successfully authenticated for paying out the IP address and the user identifier for specifying the user of the terminal device specified by the terminal identifier in the storage unit in association with each other Procedure and
The address information storage on condition that the user identifier stored in the storage unit by the user information storage procedure includes a user identifier corresponding to the terminal identifier included in the address payout request received from the terminal device. From the IP addresses stored in the procedure, select one of the IP addresses remaining as a result of excluding those within the withdrawal prohibition period, and pay out to the terminal device that is the transmission source of the address withdrawal request Address issuing procedure;
The IP address issued to the terminal device that is the sender of the payout request by the address payout procedure is newly set with the payout prohibition deadline, the newly set payout prohibition deadline, and the sender of the payout request A withdrawal prohibition time limit registration procedure for registering in the storage unit in association with the terminal identifier of the terminal device,
Of the withdrawal prohibition time limit and the terminal identifier stored in the storage unit by the address information storage procedure, a withdrawal prohibition time limit and a terminal identifier corresponding to the IP address included in the user information request received from the service control device are And acquiring a user identifier corresponding to the acquired terminal identifier from the user identifiers stored in the storage unit by the user information storage procedure, and in response to the acquired user identifier and the user information request The identifier address pair composed of the included IP address and the expiration date of the identifier address pair set in a range not exceeding the payout prohibition time period acquired earlier are transmitted to the service control apparatus as a response to the user information request. User information transmission procedure;
A communication control program for causing a computer to execute. A service control device that receives a service request from a terminal device having an IP address paid out from a communication control device as a transmission source address and provides a service corresponding to the terminal device;
An identifier address pair storage means for storing the identifier address pair acquired from the communication control device and the expiration date of the identifier address pair in association with each other;
Whether or not an identifier address pair corresponding to an IP address indicating a transmission source of the service request exists in the identifier address pair stored by the identifier address pair storage unit when the service request is received. And confirming that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored by the identifier address pair storage means, A confirmation unit for confirming whether or not an expiration date stored in the identifier address pair storage unit in association with the identifier address pair confirmed to exist is exceeded;
When the confirmation means confirms that the identifier address pair corresponding to the IP address indicating the source of the service request does not exist in the identifier address pair stored by the identifier address pair storage means, or It was confirmed that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored by the identifier address pair storage means in a state where the expiration date has been exceeded. In this case, user information request transmitting means for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device;
User information receiving means for receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device as a response to the user information request transmitted by the user information request transmitting means;
User information registration means for registering the identifier address pair received by the user information receiving means and the validity period of the identifier address pair in association with the identifier address pair storage means;
An identifier address pair corresponding to an IP address indicating the transmission source of the service request exists by the confirmation unit in a state where the expiration date has not been exceeded in the identifier address pair stored by the identifier address pair storage unit. If it is confirmed that the user identifier included in the identifier address pair that has been verified to exist without exceeding the expiration date matches the user identifier included in the service request. In addition, an identifier address pair corresponding to an IP address indicating the transmission source of the service request is stored in the identifier address pair storage unit by the confirmation unit. Or the service request When it is confirmed that the identifier address pair corresponding to the IP address indicating the source exists in the identifier address pair stored by the identifier address pair storage means in a state where the expiration date has been exceeded, On the condition that the user identifier included in the service request matches the user identifier included in the identifier address pair received from the communication control device by the user information receiving means, the terminal device that is the transmission source of the service request Service providing means for providing services to
A service control device comprising: A service control program for receiving a service request from a terminal device whose source address is an IP address paid out from a communication control device, and causing a computer to execute a process of providing a service according to the terminal device,
An identifier address pair storage procedure for storing the identifier address pair acquired from the communication control device and the expiration date of the identifier address pair in a storage unit in association with each other;
Whether the identifier address pair corresponding to the IP address indicating the transmission source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storing procedure when the service request is received Confirming that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage procedure. If it is, a confirmation for confirming whether or not the expiration date stored in the storage unit by the identifier address pair storage procedure has been exceeded in association with the identifier address pair that has been confirmed to exist Procedure and
The confirmation procedure confirms that the identifier address pair corresponding to the IP address indicating the transmission source of the service request does not exist in the identifier address pair stored in the storage unit by the identifier address pair storage procedure. Or the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage procedure in an expired state A user information request transmission procedure for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device;
As a response to the user information request transmitted by the user information request transmission procedure, a user information receiving procedure for receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device;
A user information registration procedure for registering the identifier address pair received by the user information reception procedure and the expiration date of the identifier address pair in the storage unit in association with each other;
According to the confirmation procedure, the identifier address pair corresponding to the IP address indicating the source of the service request does not exceed the expiration date in the identifier address pair stored in the storage unit by the identifier address pair storage procedure. If it is confirmed that it exists in the state, the user identifier included in the identifier address pair confirmed not to exceed the validity period matches the user identifier included in the service request. The identifier address pair corresponding to the IP address indicating the transmission source of the service request is stored in the identifier address pair storing procedure according to the confirmation procedure. Confirms that it does not exist in the identifier address pair stored in the storage unit or It is confirmed that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage procedure in a state where the expiration date has been exceeded. If the user request included in the service request matches the user identifier included in the identifier address pair received from the communication control device by the user information reception procedure, the service request A service providing procedure for providing a service to a terminal device as a transmission source;
A service control program for causing a computer to execute A terminal device that transmits a service request to a service control device using the IP address received from the communication control device as a transmission source address, a service control device that provides a service in response to a service request from the terminal device, and the terminal A communication control device for controlling a network connection of the device and responding to a user information request from the service control device for requesting information on a transmission source of the service request; and the terminal device and the communication control device via a network; A communication network control method applied to a communication network system configured to include a transmission system that connects the service control devices in a state where they can communicate with each other,
The communication control device includes:
For each IP address to be paid out to the terminal device, a storage prohibiting time limit indicating a time limit for paying out the IP address and a terminal identifier for specifying the terminal device to which the IP address is payed out are associated with each other and stored Address information storage step for storing
User information storage that stores the terminal identifier of the terminal device that has been successfully authenticated for paying out the IP address and the user identifier for specifying the user of the terminal device specified by the terminal identifier in the storage unit in association with each other Steps,
The address information storage on the condition that the user identifier stored in the storage unit by the user information storage step includes a user identifier corresponding to the terminal identifier included in the address issue request received from the terminal device. From each IP address stored in the step, select one of the IP addresses remaining as a result of excluding those within the withdrawal prohibition period, and pay out to the terminal device that is the transmission source of the address withdrawal request An address issuing step;
The IP address issued to the terminal device that is the sender of the payout request by the address payout step is newly set with respect to the payout prohibition deadline, the newly set payout prohibition deadline, and the sender of the payout request A withdrawal prohibition period registration step of registering in the storage unit in association with the terminal identifier of the terminal device,
Of the withdrawal prohibition time limit and the terminal identifier stored in the storage unit by the address information storage step, a withdrawal prohibition time limit and a terminal identifier corresponding to the IP address included in the user information request received from the service control device are And acquiring a user identifier corresponding to the acquired terminal identifier from the user identifiers stored in the storage unit by the user information storage step, and in response to the acquired user identifier and the user information request The identifier address pair composed of the included IP address and the expiration date of the identifier address pair set in a range not exceeding the payout prohibition time period acquired earlier are transmitted to the service control apparatus as a response to the user information request. A user information transmission step,
The service control device includes:
An identifier address pair storage step of storing the identifier address pair acquired from the communication control device and the expiration date of the identifier address pair in a storage unit in association with each other;
If the service request is received, does the identifier address pair corresponding to the IP address indicating the source of the service request exist in the identifier address pair stored in the storage unit by the identifier address pair storage step? And confirming that the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage step. If it is, a confirmation for confirming whether or not the expiration date stored in the storage unit by the identifier address pair storage step has been exceeded in association with the identifier address pair that has been confirmed to exist Steps,
The confirmation step confirms that the identifier address pair corresponding to the IP address indicating the transmission source of the service request does not exist in the identifier address pair stored in the storage unit by the identifier address pair storage step. Or the identifier address pair corresponding to the IP address indicating the transmission source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage step in an expired state. A user information request transmitting step for transmitting a user information request including an IP address indicating a transmission source of the service request to the communication control device;
As a response to the user information request transmitted by the user information request transmitting step, a user information receiving step of receiving an identifier address pair and an expiration date of the identifier address pair from the communication control device;
A user information registration step of registering the identifier address pair received in the user information receiving step and the expiration date of the identifier address pair in a storage unit in association with each other;
By the confirmation step, the identifier address pair corresponding to the IP address indicating the transmission source of the service request does not exceed the expiration date in the identifier address pair stored in the storage unit by the identifier address pair storage step. If it is confirmed that it exists in the state, the user identifier included in the identifier address pair confirmed not to exceed the validity period matches the user identifier included in the service request. And providing the service to the terminal device that is the transmission source of the service request, and in the confirmation step, the identifier address pair corresponding to the IP address indicating the transmission source of the service request is the identifier address pair storage step. Is confirmed not to exist in the identifier address pair stored in the storage unit. Alternatively, the identifier address pair corresponding to the IP address indicating the source of the service request exists in the identifier address pair stored in the storage unit by the identifier address pair storage step in a state where the expiration date has been exceeded. If it is confirmed that the user identifier included in the service request and the user identifier included in the identifier address pair received from the communication control device by the user information receiving step, A service providing step of providing a service to a terminal device that is a transmission source of the service request;
A communication network control method comprising:

Images