JP2009213070A - Communication control system, communication control method and communication control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress a load of a terminal with switching of location information. <P>SOLUTION: When a network is configured by communicably connecting a closed-area network and a wide-area network, when a connection request is accepted from a terminal needed to switch location information thereof, in accordance with a position at which the relevant terminal is connected to the closed-area network, closed-area location information is allocated to the relevant terminal, the closed-area position information allocated to the terminal is received from a device (section) that has performed the relevant allocation, and conversion rules are generated for converting the received relevant closed-area location information and wide-area location information. The generated conversion rules are stored in a conversion rule table for storing the relevant conversion rules and when performing a communication between the terminal to which the closed-area location information has been allocated and another terminal connected to the wide-area network, on the basis of the conversion rule table storing the conversion rules thereon, the closed-area location information and the wide-area location information can be converted. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a communication control system, a communication control method, and a communication control program.

  Conventionally, various studies have been conducted on a system that realizes mobility of a terminal under a situation in which position information (for example, IP (Internet Protocol) address) assigned to the terminal is switched as the terminal moves. . Here, mobility means that communication between the terminal and the communication target device of the terminal continues even if the position information assigned to the terminal is switched as the terminal moves from the position connected to the network. This is a characteristic (handover) to be performed.

  For example, Non-Patent Document 1 discloses “Mobile IPv6” technology as a protocol for realizing mobility in layer 3 (IP layer). More specifically, in "Mobile IPv6", a terminal has two addresses, a permanent address called a home address and a care-of address assigned at the destination, and a location management server called a home agent. Register the correspondence between the home address and care-of address. Note that a message in which a terminal registers a correspondence relationship with a home agent is called a location registration update message (Binding Update message). Thus, the home agent grasps the position where the terminal is connected to the network by referring to the care-of address corresponding to the home address. The terminal can also register a correspondence relationship between the home address and the care-of address by transmitting a Binding Update message to the communication target device (corresponding node). In this case, even the correspondent node other than the home agent can grasp the position where the terminal is connected to the network.

  Under such a configuration, when the care-of address assigned to the terminal is switched by moving the position where the terminal is connected to the network, the terminal sends a Binding Update message to both the home agent and the correspondent node. Send and re-register your care-of address. For this reason, even if the care-of address of the terminal is switched as the terminal moves, the home agent and the correspondent node can grasp the position where the terminal is connected to the network and continue communication. it can.

  Further, for example, Non-Patent Document 2 discloses a technique of “HMIPv6”. “HMIPv6” is a technology designed to improve the efficiency of care-of address re-registration in “Mobile IPv6”. As described above, in “Mobile IPv6”, every time a terminal moves to a position where it is connected to the network, the terminal sends a Binding Update message to both the home agent and the correspondent node to re-establish the care-of address. Registration is required. If this is the case, when the terminal moves frequently, the frequency of retransmission of the Binding Update message by the terminal also increases, so that the processing time required for re-registration of the care-of address increases. For this reason, “HMIPv6” divides an area in which the terminal moves into a plurality of areas, and a MAP (Mobile Anchor Point) for managing the location of the terminal is provided in each of the divided areas. At this time, a home agent and a correspondent node are arranged above the MAP, and the home agent and the correspondent node manage a plurality of areas. When a terminal communicates with a terminal connected in another area, the terminal transmits a packet to the MAP arranged in the area to which the communication partner terminal connects. Then, the MAP that knows the care-of address of the terminal in the area retransmits the packet to the communication partner terminal.

  Under such a configuration, when the terminal moves to a location connected to the network within the same area, the terminal realizes mobility only by re-registering location information with respect to the MAP deployed in the area. To do. In other words, the MAP does not need to re-register the location information with the upper home agent or the correspondent node. This is because the location information of the terminal is grasped by the location information of the MAP for the upper home agent and the correspondent node. On the other hand, when the terminal moves across areas, the destination MAP retransmits the Binding Update message sent from the terminal to the upper home agent or correspondent node, and re-registers the terminal location information. To do. Then, the home agent rewrites the location information of the terminal with the location information of the destination MAP. Thus, the packet transmitted to the terminal is once received by the destination MAP, and the destination MAP retransmits the packet to the terminal.

  For example, Non-Patent Document 3 discloses a technique of “SIP (Session Initiation Protocol) mobility”. Here, SIP is a technique for establishing a media channel between terminals that communicate via a SIP server. Specifically, first, the terminal registers the IP address assigned to the terminal with respect to the SIP server. When a terminal identifies another terminal by a telephone number or SIP-URI (Uniform Resource Identifier) and performs communication, the terminal on the calling side receives an incoming request message (INVITE including the IP address assigned to the terminal itself). Message) to the SIP server. Since the SIP server holds the IP address of the terminal on the called side, the SIP server transfers the incoming request message to the terminal assigned with the IP address. In this way, the receiving terminal knows the IP address of the calling terminal. When the receiving terminal accepts the incoming request, the receiving terminal transmits an acceptance message (200 OK message) including the IP address of the receiving terminal to the SIP server. Then, the SIP server transfers the acceptance message to the originating terminal that has transmitted the incoming request message. In this way, the originating terminal that has transmitted the incoming request message and the terminating terminal exchange their IP addresses.

  By the way, “SIP mobility” means that the established media channel is maintained and communication is continued even when the IP address is switched with the movement of the terminal (either the caller or callee). Technology. More specifically, a terminal whose IP address has been switched due to movement transmits an INVITE message including an IP address newly assigned to the terminal itself to the SIP server. Then, the SIP server notifies the terminal on the incoming side of the IP address switching by transferring the IP address to the terminal on the incoming side. Upon receiving the notification, the terminal on the called side switches the transmission destination of the packet constituting the media channel to the notified IP address. Thus, “SIP mobility” continues communication on the media channel even when the IP address is switched without disconnecting the media session once established.

“Mobility Support in IPv6”, RFC3775, [online], [Search February 21, 2008], Internet <http://www.ietf.org/rfc/rfc3775.txt> “Hierarchical Mobile IPv6 Mobility Management (HMIPv6)”, RFC4140, [online], [Search February 21, 2008], Internet <http://www.ietf.org/rfc/rfc4140.txt> E. Wedlund, H. Schulzrinne, “Mobility Support using SIP”, Proceedings of WoWMoM ACM. 1999, Internet <http://www.cs.columbia.edu/~hgs/papers/Wedl9908_Mobility.pdf>

  By the way, in the above-described conventional technology, as described below, there is a problem that it is not possible to reduce the load on the terminal accompanying the switching of position information.

  For example, in the technologies disclosed in Non-Patent Document 1 and Non-Patent Document 3, a server (home agent, SIP server, etc.) holds terminal location information (IP address) when realizing terminal mobility. There is a need. In other words, each time the position information assigned to the terminal is switched, the terminal must re-transmit the position information newly assigned to the terminal to the server and re-register with the server. There is a heavy load on the terminal.

  Also, for example, in the technology disclosed in Non-Patent Document 2, the concept of area is introduced, so if the terminal moves within the same area, both the terminal and the MAP are newly allocated to the own terminal. There is no need to retransmit the given location information to the server. This is because, for the server, the terminal position information remains the MAP position information and does not switch. On the other hand, when moving across areas, the terminal does not need to retransmit the position information newly assigned to the terminal to the server. This is because the MAP deployed in the destination area acts as a proxy for registering location information for the server instead of the terminal. However, in any case, the terminal must transmit the position information newly assigned to the terminal to the MAP, and the load on the terminal accompanying the switching of the position information is still large.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and a communication control system, a communication control method, and a communication control program capable of suppressing a load on a terminal accompanying switching of position information The purpose is to provide.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is configured such that the position information assigned to the terminal as information necessary for the terminal to communicate is the position where the terminal is connected to the network. In a communication control system that controls communication performed by the terminal under the situation of switching with movement, the network is configured by communicably connecting a closed network and a wide area network. When a connection request for requesting connection to the network is received from a terminal that requires information switching, it is necessary for the terminal to communicate in the closed network according to the position at which the terminal connects to the closed network. Allocate the closed location information, which is location information, to the terminal and transmit the assigned closed location information to the terminal. And the closed location information assigned to the terminal by the assigning means, the received closed location information, and the location information required when the terminal communicates in the wide area network. Conversion rule generation means for generating a conversion rule for converting wide-area position information, conversion rule storage means for storing the conversion rule generated by the conversion rule generation means in a conversion rule table for storing the conversion rule, and A conversion rule table in which conversion rules are stored by the conversion rule storage means when communication is performed between a terminal to which the closed position information is assigned by the assigning means and another terminal connected to the wide area network. And a position information converting means for converting the closed position information and the wide area position information.

  Further, the invention according to claim 2 is based on a situation in which the position information allocated to the terminal as information necessary when the terminal performs communication is switched as the terminal moves to a position where the terminal is connected to the network. A communication control method for controlling communication performed by a terminal, wherein when the network is configured by communicably connecting a closed network and a wide area network, the terminal needs to switch the location information, and the network When receiving a connection request for requesting connection to the terminal, according to the position at which the terminal is connected to the closed network, the terminal receives closed position information, which is position information necessary for the terminal to communicate with the closed network. An allocation process for transmitting the allocated location information to the terminal, and the allocation process to the terminal. A conversion rule for converting the received closed area position information from the allocation step and converting the received closed area position information and the wide area position information which is position information necessary when the terminal performs communication in the wide area network; A conversion rule generation step to be generated; a conversion rule storage step for storing the conversion rule generated by the conversion rule generation step in a conversion rule table for storing the conversion rule; and the closed position information can be allocated by the allocation step. When communication is performed between the terminal and another terminal connected to the wide area network, based on the conversion rule table in which the conversion rule is stored in the conversion rule storage step, the closed area position information and the And a position information conversion step for converting wide-area position information.

  Further, the invention according to claim 3 is provided under a situation in which the position information allocated to the terminal as information necessary when the terminal performs communication is switched in accordance with the movement of the position where the terminal is connected to the network. A communication control system for controlling communication performed by a terminal, wherein when the closed network and the wide area network are communicably connected to form the network, the terminal is connected to be communicable with the terminal connected to the closed network. When the network connection control device receives a connection request for requesting connection to the network from a terminal that requires switching of the location information, the terminal connects the closed area according to the position at which the terminal connects to the closed network. Closed location information, which is location information necessary for network communication, is assigned to the terminal and assigned. An allocating means for transmitting the closed area position information to the terminal; and the closed area position information allocated to the terminal by the allocating means is received from the allocating means, and the received closed area position information and the terminal A conversion rule generating means for generating a conversion rule for converting wide area position information which is position information necessary for communication in a wide area network, and the conversion rule generated by the conversion rule generating means, the network connection control device. Conversion rule transmitting means for transmitting to the anchor device communicably connected to the anchor device, and the anchor device stores the conversion rule transmitted by the conversion rule transmitting means in a conversion rule table for storing the conversion rule. A rule storage means, a terminal assigned with the closed location information by the assigning means, and the other connected to the wide area network When communicating with a terminal, based on a conversion rule table in which conversion rules are stored by the conversion rule storage means, position information conversion means for converting the closed position information and the wide area position information; , Provided.

  Further, in the invention according to claim 4, the location information assigned to the terminal as information necessary for the terminal to communicate is changed under the situation where the location is switched as the terminal moves to a location connected to the network. An anchor device in a communication control system that controls communication performed by a terminal, and can communicate with a terminal connected to the closed network when the closed network and the wide area network are communicably connected to form the network. When the network connection control device connected to the terminal receives a connection request for requesting connection to the network from a terminal that requires switching of position information, the terminal is connected according to the position at which the terminal connects to the closed network. Closed location information, which is location information necessary for communication on the closed network, is And generating a conversion rule for converting the closed position information assigned to the terminal and the wide area position information which is position information necessary for the terminal to communicate in the wide area network, and converting the conversion rule to the network A conversion rule storing means for transmitting the conversion rule transmitted by the network connection control device to a conversion rule table for storing the conversion rule, which is transmitted to an anchor device communicably connected to the connection control device; When communication is performed between a terminal assigned the closed location information by the network connection control device and another terminal connected to the wide area network, the conversion rule storing means stores the conversion rule stored therein A position information converting means for converting the closed position information and the wide area position information based on a rule table; And wherein the door.

  According to the first to fourth aspects of the present invention, the position information assigned to the terminal as information necessary when the terminal performs communication switches under a situation where the terminal moves to a position where the terminal is connected to the network. A communication control system for controlling communication performed by the terminal, wherein when the closed network and the wide area network are communicably connected to form the network, the terminal needs to switch position information, and the network When receiving a connection request for requesting connection to the terminal, according to the position at which the terminal is connected to the closed network, the terminal allocates closed position information, which is position information necessary for the terminal to communicate with the closed network. The assigned closed area position information is transmitted to the terminal, and the closed area position information assigned to the terminal is transmitted. And generating a conversion rule for converting the received closed area position information and the wide area position information, which is position information necessary when the terminal performs communication in the wide area network, The conversion rule is stored in the conversion rule table that stores the conversion rule, and communication is performed between the terminal to which the closed location information is assigned and another terminal connected to the wide area network. Since the closed position information and the wide area position information are converted based on the conversion rule table, it is possible to suppress the load on the terminal accompanying the switching of the position information.

  Exemplary embodiments of a communication control system, a communication control method, and a communication control program according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, first, main terms common to each embodiment will be described. Subsequently, a communication control system assuming that the terminal performs SIP communication will be described as a first embodiment, and a communication control system assuming that the terminal performs IPsec tunnel communication will be described as a second embodiment.

[Explanation of terms]
In the communication control system according to the following embodiment, it is assumed that the position information allocated to the terminal as information necessary for the terminal to perform communication changes as the terminal moves to a position where the terminal is connected to the network. is doing. Here, the position information is, for example, an IP address. That is, the situation assumed here is that a terminal such as a notebook PC (Personal Computer) moves to a location where the terminal is connected to the network (for example, a wireless AP (Access Point) or the like) and moves to the terminal. In this situation, the assigned IP address is switched.

  Further, in the communication control system according to the following embodiment, it is assumed that the closed network and the wide area network are communicably connected to form a network. Here, the closed network is a network to which a local address (corresponding to “closed location information” described in the claims) is assigned as an IP address necessary for communication. The wide area network is a network to which a wide area address (corresponding to “wide area location information” described in claims) is assigned as an IP address necessary for communication.

  In the following embodiments, a closed network is provided with an NW connection control device that assigns an IP address to a terminal, and the NW connection control device assigns a local address to a terminal connected to the closed network. Assign. Further, when a terminal to which a local address is assigned communicates with other terminals connected to the wide area network, conversion between the local address and the wide area address is necessary. For this reason, in the following embodiments, an anchor device that performs address conversion is provided in the closed network, and the anchor device performs conversion between a local address and a wide area address. That is, the anchor device converts the address translation rule (corresponding to the “translation rule” described in the claims) between the local address and the wide area address into the address translation table (the “translation rule table” described in the claims). The local address and the wide area address are converted based on the address conversion table.

  By the way, in the following embodiments, it is assumed that the IP address assigned to the terminal is switched. If so, the address device translation table of the anchor device must be updated at each such switch. In this regard, the communication control system according to the following embodiment realizes the high-speed handover by updating the address conversion table while suppressing the load on the terminal.

  Subsequently, the communication control system according to the first embodiment will be described. In the following, the outline and features of the communication control system according to the first embodiment, the configuration of the communication control system according to the first embodiment, the processing procedure by the communication control system according to the first embodiment, and the effects of the first embodiment will be described in order. To do.

[Outline and Features of Communication Control System According to Embodiment 1]
First, the outline and characteristics of the communication control system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the communication control system according to the first embodiment.

  As shown in FIG. 1, in the communication control system according to the first embodiment, a terminal A having a SIP client function connects to a network via a wireless AP, and an IP address is assigned to a CSCF (Call Session Control Function) server (SIP server). ) To receive the SIP service provided by the CSCF server.

  As illustrated in FIG. 1, the communication control system according to the first embodiment further divides the closed network in which the terminal A moves into a plurality of closed networks such as area 1, area 2, and area 3. In the communication control system according to the first embodiment, an NW connection control device and an anchor device are provided in each area.

  Under such a configuration, the NW connection control apparatus according to the first embodiment requests that the terminal A (the terminal A at the initial connection or the terminal A at the time of the initial connection) that needs to switch the IP address to connect to the network. When a connection request is received (see (1) in FIG. 1), a local address is assigned to the terminal A according to the wireless AP to which the terminal A is connected (see (2) in FIG. 1).

  For example, as shown in FIG. 1, it is assumed that the local address assigned to the terminal A is predetermined as “10.11.11.1” or “10.11.12.1” for each wireless AP. At this time, as shown in FIG. 1, when the terminal A moves, the NW connection control device switches the local address assigned to the terminal A from “10.11.12.1” to “10.11.11.1”.

  Subsequently, the NW connection control device generates an address conversion rule for converting the allocated local address and the wide area address (see (3) in FIG. 1).

  For example, as shown in FIG. 1, an area router is provided at the boundary between the closed network area 1 and the wide area network, and “222.11.0.1” is assigned to the area router as a wide area address. Suppose. At this time, when the terminal A communicates with another terminal connected to the wide area network, the terminal A uses the wide area address “222.11.0.1” of the area router as the wide area address of the terminal A (note that The terminals connected to the area 2 and the area 3 are terminals connected to the closed network, but these terminals are connected to the wide area network for the terminal A in the sense that the terminal A cannot be connected unless the wide area network is connected. Is a terminal that connects to). That is, the NW connection control device generates an address conversion rule for converting the local address “10.11.11.1” and the wide area address “222.11.0.1”.

  Then, the NW connection control device stores the generated address translation rule in the address translation table stored in the anchor device (see (4) in FIG. 1).

  For example, the NW connection control device transmits an address conversion rule for converting the local address “10.11.11.1” and the wide area address “222.11.0.1” to the anchor device, so that the anchor device converts the address conversion rule into an address. Store in a table.

  Next, the NW connection control apparatus transmits the local address assigned to the terminal A as a connection response to the terminal A (see (5) in FIG. 1). The connection response may be performed in parallel with the processes (3) and (4) in FIG. 1 or may be performed before the process (3).

  Thus, when the terminal A communicates with other terminals connected to the wide area network, the anchor device converts the local address and the wide area address based on the address conversion table (( See 6)). For example, when the terminal A communicates with another terminal connected to the wide area network, the anchor device converts the local address “10.11.11.1” and the wide area address “222.11.0.1”.

  For this reason, the communication control system according to the first embodiment can suppress the load on the terminal accompanying the switching of the IP address.

  Specifically, first, the communication control system according to the first embodiment further divides the closed network in which the terminal moves into a plurality of closed networks such as area 1, area 2, and area 3, and each of the areas includes: An NW connection control device and an anchor device are provided. In other words, the communication control system according to the first embodiment installs an anchor device that represents the area in the area where the terminal moves, and the anchor device performs location information (on behalf of the terminal) on behalf of the terminal with respect to an external server or network. IP address). For this reason, when the position information is presented, the position information of the anchor device is presented, and even if the terminal moves in the area, the change of the IP address is concealed from the outside.

  Therefore, in the first place, if the movement of the terminal stays within the same area, the terminal does not need to re-register the IP address with the CSCF server. As a result, it is possible to reduce the load on the terminal, the load on the network, and the load on the CSCF server.

  In addition to such effects, the communication control system according to the first embodiment realizes update of the address conversion table only by communication between the NW connection control device and the anchor device, so that the movement of the terminal moves within the same area. The terminal does not need to re-register the IP address with respect to the anchor device, and the load on the terminal accompanying the switching of the IP address can be suppressed. At this time, the terminal only needs to have a normal SIP client function, and does not need to have a special location information management function.

  In addition, since the communication control system according to the first embodiment realizes the update of the address conversion table by superimposing (synchronizing) with the IP address assignment process, it is also possible to efficiently update the address conversion table. .

[Configuration of Communication Control System According to Embodiment 1]
Next, the configuration of the communication control system according to the first embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating the overall configuration of the communication control system according to the first embodiment, FIG. 3 is a block diagram illustrating the configuration of the communication control system according to the first embodiment, and FIG. 4 illustrates a terminal local address. FIG. 5 is a diagram for explaining an allocation unit, FIG. 5 is a diagram for explaining a server address storage unit, and FIG. 6 is a diagram for explaining an address conversion table.

[Overall Configuration of Communication Control System According to Embodiment 1]
First, the overall configuration of the communication control system according to the first embodiment will be described. The communication control system according to the first embodiment accommodates a terminal having a SIP client function. Specifically, using FIG. 2, first, the terminal has a wireless communication function and is accommodated in the network via the wireless AP. The edge router is a router that aggregates a plurality (two in the example of FIG. 2) of wireless APs, and transfers IP packets to and from an upper area router. The area router is a router that aggregates a plurality of (two in the example of FIG. 2) edge routers, and transfers IP packets to and from the upper core router.

  Here, as shown in FIG. 2, the area router incorporates an anchor device. The anchor device is a device that realizes a NAT (Network Address Translation) function that is a function of converting a local address and a wide area address, and the area router in the first embodiment incorporates such an anchor device. As shown in FIG. 2, the area router 1100 is assigned a wide area address “222.11.0.1”, and the area router 1200 is assigned a wide area address “222.12.0.1”.

  The core router is a router that aggregates a plurality of (two in the example of FIG. 2) area routers, and transfers IP packets to and from a higher-level CSCF server. Here, the area router functions as a router representing the area, and the areas are connected to each other via the core router. Further, the CSCF server functions as a server that provides the SIP service to the terminal, and is given a wide area address “222.30.0.1” as shown in FIG.

  On the other hand, paying attention to the internal configuration of each area, an NW connection control device is connected to an area router representing the area. In the illustration of FIG. 2, only the area router 1100 is connected to the NW connection control apparatus 100, but the area router 1200 is also connected to the NW connection control apparatus. The NW connection control device is a device that assigns an IP address to a terminal that has transmitted a connection request via a wireless AP in the area.

[Configuration of Each Device of Communication Control System According to Embodiment 1]
Subsequently, the configuration of each device of the communication control system according to the first embodiment will be described. Hereinafter, the terminal 10, the CSCF server 300, the NW connection control device 100, and the anchor device 200 will be described in order. Note that edge routers, area routers, and core routers have the same functions as general-purpose routers, so the explanation is omitted, and wireless APs also have the same functions as general-purpose wireless APs. Because there is, it omits explanation.

[Terminal 10]
As shown in FIG. 3, the terminal 10 includes a secure communication unit 11 that is closely related to the present invention.

  The secure communication unit 11 has a function of connecting to a wireless local area network (LAN) (a function of connecting to a wireless AP) and a function of generating a secure communication path with the CSCF server 300 and performing communication by SIP. is there. Note that the secure communication unit 11 according to the first embodiment generates a secure communication path with the CSCF server 300 using the SIP signal, and then performs SIP communication using the generated secure communication path.

  For example, the secure communication unit 11 transmits a connection request (a connection request for requesting connection to a network) to the NW connection control device 100, or a terminal local address (hereinafter, referred to as a terminal local address assigned by the NW connection control device 100). The local address assigned to the terminal is called a terminal local address). In addition, the secure communication unit 11 transmits a SIP REGISTER request to the CSCF server 300 using the terminal local address received from the NW connection control apparatus 100, and generates a secure communication path with the CSCF server 300. To do.

[CSCF server 300]
As shown in FIG. 3, the CSCF server 300 includes a secure communication unit 301 as closely related to the present invention.

  The secure communication unit 301 has a function of generating a secure communication path with the terminal 10 and providing an SIP service. The secure communication unit 301 according to the first embodiment generates a secure communication path with the terminal 10 using the SIP signal, and then provides the SIP service using the generated secure communication path. For example, the secure communication unit 301 receives a SIP REGISTER request transmitted from the terminal 10.

[NW connection control apparatus 100]
As shown in FIG. 3, the NW connection control apparatus 100 is closely related to the present invention, and includes a connection accepting unit 101, a terminal local address assignment unit 102, a server address storage unit 103, and an address translation rule generation update. Unit 104.

  The connection accepting unit 101 is a function for accepting a connection request transmitted from the terminal 10. Specifically, when receiving the connection request transmitted from the terminal 10, the connection receiving unit 101 acquires the terminal ID (authentication ID) of the terminal 10 included in the connection request, and the MAC ( Media Control Address) address and the wireless AP (connected wireless AP name) to which the terminal 10 is connected are specified. In addition, the connection receiving unit 101 transmits the acquired terminal ID, the specified MAC address, and the connected wireless AP name to the terminal local address assignment unit 102.

  Further, when the terminal local address is transmitted from the terminal local address assignment unit 102, the connection receiving unit 101 reads the server address of the CSCF server 300 from the server address storage unit 103, and transmits the transmitted terminal local address and the read server. The address is transmitted to the terminal 10. Further, the connection receiving unit 101 transmits the transmitted terminal local address to the address translation rule generation / updating unit 104.

  The terminal local address assignment unit 102 is a function for assigning a terminal local address to the terminal 10. Specifically, when the terminal ID, MAC address, and connection wireless AP name are transmitted from the connection reception unit 101, the terminal local address assignment unit 102 first authenticates the validity of the terminal 10 based on the terminal ID. To do. When the validity of the terminal 10 is authenticated, the terminal local address assignment unit 102 next determines a terminal local address (IP address) to be assigned to the terminal 10 based on the connected wireless AP name. Then, the terminal local address assignment unit 102 transmits the determined terminal local address to the connection reception unit 101, and associates the terminal ID, the MAC address, the connected wireless AP name, and the assigned terminal local address with each other. Store in the storage.

  For example, the terminal local address assignment unit 102 in the first embodiment uses the address space “10.11.0.0/16”, selects one IP address from this range, and determines it as a terminal local address to be assigned to the terminal 10. This space “10.11.0.0/16” is a valid local address in the area.

  In addition, as illustrated in FIG. 2 or FIG. 4A, the terminal local address assignment unit 102 according to the first embodiment associates with the wireless AP (connected wireless AP name) to the terminal 10 connected to the wireless AP. The terminal local address to be assigned is determined in advance. Specifically, when the terminal 10 is connected to the wireless AP 1111, the terminal local address assigning unit 102 assigns an IP address “10.11.11.1” to the terminal 10 and the wireless AP 1112 is under the control of the wireless AP 1112. When the terminal 10 is connected to the terminal 10, the IP address “10.11.12.1” is assigned to the terminal 10. When the terminal 10 is connected under the wireless AP 1121, the IP address “10.11.21.1” is assigned to the terminal 10. When the terminal 10 is connected under the assignment and wireless AP 1122, it is determined in advance that the IP address “10.11.22.1” is assigned to the terminal 10.

  Note that the terminal local address assignment unit 102 stores, for example, a correspondence between the terminal ID, the MAC address, the connected wireless AP name, and the assigned terminal local address, as illustrated in FIG. To store.

  The server address storage unit 103 stores an address of the CSCF server 300 (hereinafter referred to as a server address). For example, as shown in FIG. 5, the server address storage unit 103 stores a wide area address “222.30.0.1” as a server address.

  The address translation rule generation / update unit 104 has a function of generating an address translation rule and transmitting the address translation rule to the anchor device 200. Specifically, when the terminal local address (assigned by the terminal local address assignment unit 102) is transmitted from the connection receiving unit 101, the address conversion rule generation / updating unit 104 generates an address conversion rule. At this time, the address conversion rule generation / updating unit 104 can also read the server address of the CSCF server 300 from the server address storage unit 103 as necessary, and use it to generate an address conversion rule. In addition, the address translation rule generation / update unit 104 transmits the generated address translation rule to the anchor device 200.

  Here, the address translation rule defines conditions (direction, destination address before translation, source address before translation) for applying the address translation rule to the IP packet input to the anchor device 200, and It defines how to rewrite the destination address and source address for an IP packet that satisfies the conditions.

  For example, as shown in FIG. 2, the terminal local address assignment unit 102 assigns a local address “10.11.11.1” to the terminal 10, and the wide area address of the area router 1100 (the wide area address of the anchor device 200) is “222.11”. .0.1 ”. Then, the address conversion rule generation / updating unit 104 generates an address conversion rule as shown in FIG. 6, for example.

The address conversion rule on the first line in FIG. 6 will be described.
An IP packet sent from a terminal to a wide area network.
Source address is 10.11.11.1 (terminal local address)
For an IP packet that satisfies the condition that the destination address is an area outside the jurisdiction of the area router 1100,
Source address is 222.11.0.1 (area router wide area address)
The destination address is an area outside the jurisdiction of the area router 1100 (no rewriting)
To rewrite
That's it.

The address conversion rule on the second line in FIG. 6 will be described.
An IP packet sent from a wide area network to a terminal,
Source address is outside the area router 1100 jurisdiction destination address is 222.11.0.1 (area router wide area address)
For an IP packet that satisfies the condition
An area outside the jurisdiction of the area router 1100 (no rewriting)
The destination address is 10.11.11.1 (terminal local address)
To rewrite
That's it.

[Anchor device 200]
As shown in FIG. 3, the anchor device 200 includes an address conversion table 201, a NAT management unit 202, and a NAT transfer unit 203, which are closely related to the present invention.

  The address conversion table 201 stores address conversion rules. Specifically, the address conversion table 201 stores the address conversion rule stored by the NAT management unit 202. That is, the address conversion table 201 stores the address conversion rule generated by the address conversion rule generation / updating unit 104 of the NW connection control device 100. For example, the address conversion table 201 stores an address conversion rule as shown in FIG.

  The NAT management unit 202 has a function of storing address conversion rules in the address conversion table 201. Specifically, when receiving the address translation rule transmitted by the NW connection control device 100, the NAT management unit 202 stores the address translation rule in the address translation table 201.

  The NAT transfer unit 203 has a function of converting a terminal local address and a wide area address. Specifically, the NAT transfer unit 203 is communication that passes over the area router 1100, communication that is performed from the inside of the area (closed network) to the core router 1000 (wide area network), and the outside of the area (wide area network). ) To the inside of the area (closed network), the IP address written in the IP packet is converted.

  In other words, the NAT transfer unit 203 converts the terminal local address and the wide area address based on the address conversion table 201 when communication is performed between the terminal 10 and another terminal 10 connected to the wide area network. Forward IP packets. When the NAT transfer unit 203 receives an IP packet from the terminal 10 or the CSCF server 300, the NAT transfer unit 203 checks whether or not the IP packet satisfies the condition stored in the address conversion table 201. Address translation is performed according to the rules.

For example, using the first line in FIG.
The IP packet transmitted from the terminal 10 to the CSCF server 300 is:
Direction Terminal → Wide area network Source address 10.11.11.1 (terminal local address)
Destination address 222.30.0.1 (server address)
Therefore, the condition of the first line of the address conversion rule stored in the address conversion table 201 is satisfied. Therefore, the NAT transfer unit 203 performs address conversion according to the address conversion rule,
Source address 222.11.0.1 (area router wide area address)
Destination address 222.30.0.1 (server address)
And rewrite.

  Here, when the CSCF server 300 tries to return a received message to the IP packet transmitted from the terminal 10, the CSCF server 300 sets the IP address of the terminal 10 to 222.11.0.1 (area router wide area address). I recognize that there is. This is because the source address of the IP packet transmitted from the terminal 10 is rewritten by the NAT transfer unit 203. Therefore, the CSCF server 300 transmits an IP packet to 222.11.0.1 (area router wide area address), thereby returning a received message to the terminal 10.

Then, for example, using the second line in FIG.
The IP packet transmitted from the CSCF server 300 to the terminal 10 is:
Direction Wide area network → terminal Source address 222.30.0.1 (server address)
Destination address 222.11.0.1 (area router wide area address)
Therefore, the condition of the second line of the address conversion rule stored in the address conversion table 201 is satisfied. Therefore, the NAT transfer unit 203 performs address conversion according to the address conversion rule,
Source address 222.30.0.1 (server address)
Destination address 10.11.11.1 (terminal local address)
And rewrite. Then, the NAT transfer unit 203 transfers the IP packet to the terminal 10.

[Procedure of processing by communication control system according to embodiment 1]
Next, a processing procedure by the communication control system according to the first embodiment will be described with reference to FIGS. 7 and 8. FIG. 7 is a sequence diagram illustrating a processing procedure (at the time of initial connection) by the communication control system according to the first embodiment, and FIG. 8 illustrates a processing procedure (at the time of movement) by the communication control system according to the first embodiment. It is a sequence diagram.

[Initial connection (Fig. 7)]
First, when connected to the wireless AP 1111, the terminal 10 (secure communication unit 11) transmits a connection request for the wireless AP 1111 to the wireless AP 1111. Then, the wireless AP 1111 transfers the connection request to the NW connection control apparatus 100 (connection reception unit 101) (step S101).

  Then, the NW connection control apparatus 100 (terminal local address assignment unit 102) first authenticates the validity of the terminal 10 based on the terminal ID acquired from the connection request, and establishes a connection from the terminal 10 to the wireless AP 1111. . For example, EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) authentication is performed between the terminal 10 (secure communication unit 11) and the NW connection control device 100 (terminal local address assignment unit 102), and the NW connection control device 100 (Terminal local address assignment unit 102) establishes a connection from terminal 10 to wireless AP 1111 (step S102). In addition, the method of authentication performed between the terminal 10 and the NW connection control apparatus 100 is not limited to EAP-TLS authentication, and other methods may be used.

  Then, the NW connection control apparatus 100 (terminal local address assignment unit 102) assigns a terminal local address to the terminal 10 according to the wireless AP to which the terminal 10 (secure communication unit 11) is connected (step S103). For example, when the terminal 10 is connected to the connected wireless AP 1111, the NW connection control apparatus 100 (terminal local address assignment unit 102) assigns the IP address “10.11.11.1” to the terminal 10.

  Subsequently, when the NW connection control apparatus 100 (terminal local address assignment unit 102) transmits the terminal local address to the connection reception unit 101, the connection reception unit 101 acquires the server address of the CSCF server 300 from the server address storage unit 103. (Step S104).

  The NW connection control apparatus 100 (address conversion rule generation / update unit 104) receives the terminal local address assigned to the terminal 10 by the terminal local address assignment unit 102 from the terminal local address assignment unit 102 (connection accepting unit). An address conversion rule for converting the received terminal local address and the wide area address is generated (step S105).

  Then, the NW connection control device 100 (address conversion rule generation / update unit 104) transmits the generated address conversion rule to the anchor device 200 (NAT management unit 202) (step S106).

  Then, the anchor device 200 (NAT management unit 202) stores the address conversion rule transmitted by the NW connection control device 100 (address conversion rule generation / update unit 104) in the address conversion table 201 (step S107). The anchor device 200 (NAT management unit 202) transmits an address translation rule reception response to the NW connection control device 100 (address translation rule generation / update unit 104) (step S108).

  Here, the address conversion rule stored in the address conversion table 201 is illustrated again. In the following description, the port number is also specifically exemplified in consideration of the fact that the first embodiment is a communication control system that assumes that the terminal performs SIP communication.

The address conversion rule stored in the address conversion table 201 is, for example,
An IP packet sent from a terminal to a wide area network.
Source address is 10.11.11.1 (terminal local address)
Source port number is 5060
For an IP packet that satisfies the condition that the destination address is an area outside the jurisdiction of the area router 1100,
Source address 222.11.0.1 (area router wide area address)
Source port number 5060 (no rewrite)
Destination address Area outside area router 1100 jurisdiction (no rewriting)
Rewrite,
That's it.

For example,
An IP packet sent from a wide area network to a terminal,
Source address is outside the area router 1100 jurisdiction destination address is 222.11.0.1 (area router wide area address)
Destination port number is 5060
For an IP packet that satisfies the condition
Source address Area outside area router 1100 jurisdiction (no rewriting)
Destination address 10.11.11.1 (terminal local address)
Destination port number 5060 (no rewrite)
Rewrite,
That's it.

  Returning to FIG. 7, the NW connection control apparatus 100 (connection accepting unit 101) then transmits the terminal local address transmitted from the terminal local address assignment unit 102 in step S <b> 104 and the CSCF server 300 acquired from the server address storage unit 103. The server address is transmitted to the terminal 10 as a connection response (step S109). For example, the NW connection control apparatus 100 (connection reception unit 101) transmits the terminal local address “10.11.11.1” and the server address “222.30.0.1” to the terminal 10 as a connection response. By completing the processing up to step S109, the terminal 10 establishes IP connectivity to the network.

  Then, the terminal 10 uses the terminal local address transmitted from the NW connection control device 100 (connection accepting unit 101) to the server address of the CSCF server 300 transmitted from the NW connection control device 100 (connection accepting unit 101). On the other hand, a “SIP REGISTER request” is transmitted (step S110). Since the terminal 10 in the first embodiment generates a secure communication path with the CSCF server 300 using the SIP signal, the SA (Security Association) parameter for the selection of the terminal 10 is added to the “SIP REGISTER request”. To the CSCF server 300.

At this time, the anchor device 200 (NAT transfer unit 203)
An IP packet transmitted from the terminal 10 is
Source address is 10.11.11.1 (terminal local address)
Source port number is 5060
The destination address is 222.30.0.1 (server address)
So
Source address 222.11.0.1 (area router wide area address)
Source port number 5060 (no rewrite)
Destination address 222.30.0.1 (no rewrite)
And retransmit (transfer) to the CSCF server 300.

  That is, the anchor device 200 (NAT transfer unit 203) rewrites the transmission source address from 10.11.11.1 (terminal local address) to 222.11.0.1 (area router wide area address). Then, the CSCF server 300 that has received the IP packet whose source address has been rewritten is observed as if the IP packet transmitted by the area router 1100 has been received. Therefore, the CSCF server 300 recognizes that the IP address of the terminal 10 is 222.11.0.1 (area router wide area address), and stores the corresponding relationship.

  When the CSCF server 300 (secure communication unit 301) receives the “SIP REGISTER request” retransmitted from the anchor device 200 (NAT transfer unit 203), the CSCF server 300 (secure communication unit 301) sends “401 Unauthorized” to the terminal 10 in response thereto. Is transmitted (step S111). Since the CSCF server 300 according to the first embodiment generates a secure communication path with the terminal 10 using the SIP signal, the CSCF server 300 sets “401 Unauthorized” to the SA parameter for the CSCF server 300 selection. And AKA (Authentication and Key Agreement) authentication parameters are transmitted to the terminal 10.

At this time, the anchor device 200 (NAT transfer unit 203)
An IP packet transmitted from the CSCF server 300 is
Source address is 222.30.0.1 (server address)
The destination address is 222.11.0.1 (area router wide area address)
Destination port number is 5060
So
Source address 222.30.0.1 (no rewrite)
Destination address 10.11.11.1 (terminal local address)
Destination port number 5060 (no rewrite)
And retransmit (transfer) to the terminal 10.

  That is, as described above, the CSCF server 300 recognizes that the IP address of the terminal 10 is 222.11.0.1 (area router wide area address). Therefore, the response to the terminal 10 is also transmitted with 222.11.0.1 (area router wide area address) as the transmission destination. However, since the anchor device 200 (NAT transfer unit 203) rewrites the transmission destination address from 222.11.0.1 (area router wide area address) to 10.11.11.1 (terminal local address), the CSCF server 300 executes 222.11.0.1 (area router). The IP packet transmitted with the wide area address as the transmission destination is eventually retransmitted to the terminal 10 and reaches the terminal 10.

  Thereafter, in the first embodiment, a secure communication path (UDP (User Datagram Protocol) encapsulated ESP (Encapsulating Security Payload) is established between the terminal 10 and the CSCF server 300 based on the parameters exchanged in Steps S110 and S111. ) Tunnel) is generated, and the terminal 10 and the CSCF server 300 perform SIP communication using the secure communication path (step S112).

[When moving (Fig. 8)]
By the way, while communication by SIP using a secure communication path is performed between the terminal 10 and the CSCF server 300 (step S201), the terminal 10 releases the connection with the wireless AP 1111 and newly wirelessly communicates. When connected under the control of the AP 1121, the NW connection control apparatus 100 (terminal local address assignment unit 102) assigns a new terminal local address “10.11.21.1” to the terminal 10 as in the initial connection (steps S202 to S204). See).

  Similarly to the initial connection, the NW connection control device 100 (address conversion rule generation / update unit 104) generates an address conversion rule so as to synchronize with the allocation of the terminal local address, and the generated address conversion rule is displayed in the area router 1100. It transmits with respect to the upper anchor apparatus 200 (refer step S205-S208).

At this time, the address conversion rule stored in the address conversion table 201 is, for example,
An IP packet sent from a terminal to a wide area network.
Source address is 10.11.21.1 (terminal local address)
Source port number is 5060
For an IP packet that satisfies the condition that the destination address is an area outside the jurisdiction of the area router 1100,
Source address 222.11.0.1 (area router wide area address)
Source port number 5060 (no rewrite)
Destination address Area outside area router 1100 jurisdiction (no rewriting)
Rewrite,
That's it.

For example,
An IP packet sent from a wide area network to a terminal,
Source address is outside the area router 1100 jurisdiction destination address is 222.11.0.1 (area router wide area address)
Destination port number is 5060
For an IP packet that satisfies the condition
Source address Area outside area router 1100 jurisdiction (no rewriting)
Destination address 10.11.21.1 (terminal local address)
Destination port number 5060 (no rewrite)
Rewrite,
That's it.

  Here, considering the relationship with the IP address of the terminal 10 held by the CSCF server 300, the terminal 10 after movement (the terminal 10 after the terminal local address has been switched to 10.11.21.1) is already generated. When an IP packet is transmitted to CSCF server 300 using a simple communication path, anchor device 200 (NAT transfer unit 203) changes the source address from 10.11.21.1 (terminal local address) to 222.11.0.1 (area router wide area Address). In other words, as long as the terminal 10 moves under the area router 1100, the IP address of the terminal 10 recognized by the CSCF server 300 is 222.11.0.1 (area router wide area address) and is unchanged. Accordingly, the moved terminal 10 can continuously perform SIP communication using the secure communication path shown in step S201.

[Effect of Example 1]
As described above, in the communication control system according to the first embodiment, when the connection reception unit 101 of the NW connection control apparatus 100 receives a connection request from the terminal 10 that requires switching of the IP address, the terminal local address assignment unit 102 However, according to the wireless AP connected to the closed network, the terminal 10 assigns a terminal local address to the terminal 10 and transmits the assigned terminal local address to the terminal 10. Further, the address translation rule generation / update unit 104 receives the terminal local address from the terminal local address assignment unit 102, generates an address translation rule for converting the received terminal local address and the wide area address of the area router 1100, and generates The address conversion rule thus stored is stored in the address conversion table of the anchor device 200. Then, when the NAT transfer unit 203 of the anchor device 200 performs communication between the terminal 10 assigned the terminal local address and another terminal connected to the wide area network, based on the address conversion table, Since the terminal local address and the wide area address of the area router 1100 are converted, the load on the terminal 10 due to the switching of the IP address can be suppressed.

  In other words, according to the first embodiment, the closed network in which the terminal 10 moves is further divided into a plurality of closed networks such as area 1, area 2, and area 3, and the NW connection control device 100 and An anchor device 200 is provided. Therefore, if the movement of the terminal 10 remains within the same area, the terminal 10 does not need to re-register the IP address (re-transmit the location registration signal) with the CSCF server 300. As a result, it is possible to reduce the load on the terminal, the load on the network (the amount of traffic flowing through the network), and the load on the CSCF server.

  In other words, in the first embodiment, the control is performed so that the wide area address of the area router 1100 can always be seen when the terminal 10 is viewed from the CSCF server 300. For example, when the CSCF server 300 intends to transmit a message to the terminal 10, the CSCF server 300 generates a packet with a transmission destination address of 222.11.0.1 and sends it to the network. Then, the area router 1100 once receives the message, and the anchor device 200 rewrites the transmission destination address of the message as 10.11.21.1 according to the address conversion rule, and retransmits the message to the terminal 10 in the area.

  As described above, according to the first embodiment, the CSCF server 300 exposes the wide area address of the area router 1100 as a representative instead of the IP address of the terminal 10, and conceals the local address in the area. If the movement of 10 remains within the same area, re-registration of the IP address from the terminal 10 to the CSCF server 300 can be suppressed. In this case, the anchor device 200 of the area router 1100 plays a role as a location management device that manages the true location of the terminal 10.

  In addition to such effects, according to the first embodiment, the address translation table 201 is updated only by communication between the NW connection control device 100 and the anchor device 200, so that the movement of the terminal 10 is within the same area. In the case of staying moving, the terminal 10 does not need to re-register the IP address with respect to the anchor device 200, and the load on the terminal 10 due to the switching of the IP address can be suppressed. At this time, the terminal 10 only needs to have a normal SIP client function, and does not need to have a special location information management function.

  In addition, according to the first embodiment, the address conversion table 201 is updated by superimposing (synchronizing) with the IP address assignment process, so that the address conversion table 201 can be updated efficiently.

  The communication control system that assumes that the terminal performs SIP communication has been described as the first embodiment so far, but the present invention is not limited to this. Therefore, in the following, a communication control system that assumes that a terminal performs IPsec tunnel communication will be described as a second embodiment. In the following, the point that the communication control system according to the second embodiment is configured in the same manner as the communication control system according to the first embodiment will be briefly described.

[Outline and Features of Communication Control System According to Second Embodiment]
First, the outline and features of the communication control system according to the second embodiment will be described. In the communication control system according to the second embodiment, a terminal B having an IPsec tunnel communication function is connected to a network via a wireless AP, and a key exchange for establishing an IPsec tunnel is performed by IKE (Internet Key Exchange). The outline is that an encrypted communication path using an IPsec tunnel is established with the tunnel terminating device 300 by performing communication with the tunnel terminating device 300 to communicate with the provider IP network. Originally, in such a communication control system, the terminal B must perform re-registration of the IP address and re-exchange of the key with the tunnel terminating device 300 every time the IP address is switched with movement.

  Here, the configuration method of the IPsec tunnel generated between the terminal B and the tunnel terminating device 300 is, for example, “Negotiation of NAT-Traversal in the IKE” (RFC3947, http://www.ietf.org/rfc). /rfc3947.txt), “UDP Encapsulation of IPsec ESP Packets” (RFC3948, http://www.ietf.org/rfc/rfc3948.txt). These technologies carry an IPsec packet encapsulated in a UDP packet. Even if the IP address of the transmission destination and the transmission source is rewritten in the middle of the delivery path for the IP header containing the UDP packet part carrying the IPsec packet (NAT), the IPsec packet included in the payload part is not affected. These techniques establish communication by allowing IPsec packets to pass through address translation (NAT).

  Note that the communication control system according to the second embodiment further divides the closed network in which the terminal B moves into a plurality of closed networks such as area 1, area 2, and area 3 as in the first embodiment. Further, in the communication control system according to the second embodiment, similarly to the first embodiment, an NW connection control device and an anchor device are provided in each area.

  Under such a configuration, the NW connection control apparatus according to the second embodiment is connected to the network from the terminal B (terminal B at the initial connection or the terminal B at the time of movement) that requires switching of the IP address, as in the first embodiment. When a connection request for requesting connection is received, a terminal local address is assigned to the terminal B according to the wireless AP to which the terminal B is connected.

  Subsequently, as in the first embodiment, the NW connection control device generates an address conversion rule for converting the allocated terminal local address and wide area address. The NW connection control device stores the generated address conversion rule in the address conversion table stored in the anchor device, as in the first embodiment. Next, as in the first embodiment, the NW connection control apparatus transmits the terminal local address assigned to the terminal B as a connection response to the terminal B.

  Thus, when the terminal B communicates with other terminals connected to the wide area network, the anchor device converts the terminal local address and the wide area address based on the address conversion table.

  Thus, in the communication control system according to the second embodiment, first, the closed network in which the terminal B moves is further divided into a plurality of closed networks such as area 1, area 2, and area 3, and each of the areas has NW. A connection control device and an anchor device are provided. Therefore, if the movement of the terminal B stays within the same area in the first place, the terminal does not need to re-register the IP address or re-exchange the key with the tunnel terminating device. As a result, it is possible to reduce the load on the terminal, the load on the network, and the load on the tunnel termination device.

  In addition to such effects, the communication control system according to the second embodiment realizes updating of the address conversion table only by communication between the NW connection control device and the anchor device, so that the movement of the terminal moves within the same area. The terminal does not need to re-register the IP address with respect to the anchor device, and the load on the terminal accompanying the switching of the IP address can be suppressed. At this time, the terminal only needs to have a normal IPsec tunnel communication function, and does not need to have a special location information management function.

  In addition, since the communication control system according to the second embodiment realizes the update of the address conversion table by superimposing (synchronizing) with the IP address assignment process, it is also possible to efficiently update the address conversion table. .

[Overall Configuration of Communication Control System According to Second Embodiment]
Next, the overall configuration of the communication control system according to the second embodiment will be described with reference to FIG. FIG. 9 is a block diagram illustrating the overall configuration of the communication control system according to the second embodiment.

  As shown in FIG. 9, the communication control system according to the second embodiment accommodates a terminal having an IPsec tunnel communication function. Specifically, using FIG. 9, first, the terminal has a wireless communication function and is accommodated in the network via the wireless AP. Similarly to the first embodiment, the edge router is a router that aggregates a plurality (two in the illustration of FIG. 9) of wireless APs, and transfers IP packets to and from an upper area router. Similarly to the first embodiment, the area router is a router that aggregates a plurality of (two in the illustration of FIG. 9) edge routers, and transfers IP packets to and from the upper core router.

  Here, the area router has a built-in anchor device as shown in FIG. As in the first embodiment, the anchor device is a device that realizes a NAT function that is a conversion function between a local address and a wide area address, and the area router in the second embodiment incorporates such an anchor device. As in the first embodiment, as shown in FIG. 9, the area router 1100 is assigned a wide area address “222.11.0.1”, and the area router 1200 is assigned a wide area address “222.12.0.1”. ing.

  The core router is a router that aggregates a plurality of (two in the example of FIG. 9) area routers, and transfers IP packets to and from a higher-level tunnel termination device. Here, the area router functions as a router representing an area, as in the first embodiment, and the areas are connected to each other via the core router. Further, instead of the CSCF server in the first embodiment, the tunnel termination device is connected to the upper level of the core router in the second embodiment, but the tunnel termination device is a device that provides an IPsec tunnel communication function to the terminal. As shown in FIG. 9, the wide area address “222.30.0.1” is given.

  On the other hand, focusing on the internal configuration of each area, an NW connection control device is connected to an area router representing the area, as in the first embodiment. In the illustration of FIG. 9, only the area router 1100 is connected to the NW connection control apparatus 100, but it is assumed that the area router 1200 is also connected to the NW connection control apparatus. As in the first embodiment, the NW connection control device is a device that assigns an IP address to a terminal connected to a wireless AP in the area.

[Procedure for Processing by Communication Control System According to Second Embodiment]
Next, a processing procedure by the communication control system according to the second embodiment will be described. FIG. 10 is a sequence diagram illustrating a processing procedure (at the time of initial connection) by the communication control system according to the second embodiment.

[Initial connection (Fig. 10)]
First, as in the first embodiment, the terminal 10 (secure communication unit 11) transmits a connection request to the wireless AP 1111. The wireless AP 1111 sends the connection request to the NW connection control device 100 (connection reception unit 101). Transfer (step S301).

  Then, as in the first embodiment, the NW connection control apparatus 100 (terminal local address assignment unit 102) first authenticates the validity of the terminal 10 based on the terminal ID acquired from the connection request, and then the wireless AP 1111 from the terminal 10 A connection to is established (step S302).

  Then, as in the first embodiment, the NW connection control apparatus 100 (terminal local address assignment unit 102) assigns a terminal local address to the terminal 10 according to the wireless AP to which the terminal 10 (secure communication unit 11) is connected (step S303). ).

  Subsequently, when the NW connection control apparatus 100 (terminal local address assignment unit 102) transmits the terminal local address to the connection reception unit 101 as in the first embodiment, the connection reception unit 101 transmits a tunnel termination from the server address storage unit 103. The server address of the device 300 is acquired (step S304).

  Also, the NW connection control apparatus 100 (address translation rule generation / updating unit 104) receives the terminal local address assigned to the terminal 10 by the terminal local address assigning unit 102 from the terminal local address assigning unit 102, as in the first embodiment. Received (transmitted via the connection accepting unit 101), and generates an address conversion rule for converting the received terminal local address and wide area address (step S305).

  Then, the NW connection control device 100 (address conversion rule generation / update unit 104) transmits the generated address conversion rule to the anchor device 200 (NAT management unit 202) as in the first embodiment (step S306).

  Then, the anchor device 200 (NAT management unit 202) stores the address conversion rule transmitted by the NW connection control device 100 (address conversion rule generation / updating unit 104) in the address conversion table 201 as in the first embodiment ( Step S307). The anchor device 200 (NAT management unit 202) transmits an address translation rule reception response to the NW connection control device 100 (address translation rule generation / updating unit 104) as in the first embodiment (step S308).

  Here, the address conversion rule stored in the address conversion table 201 is illustrated again. In the following description, the port number is also specifically exemplified in consideration of the fact that the second embodiment is a communication control system that assumes that the terminal performs IPsec tunnel communication.

The address conversion rule stored in the address conversion table 201 is, for example,
An IP packet sent from a terminal to a wide area network.
Source address is 10.11.11.1 (terminal local address)
Source port number is 500 or 4500
For an IP packet that satisfies the condition that the destination address is an area outside the jurisdiction of the area router 1100,
Source address 222.11.0.1 (area router wide area address)
Source port number 500 or 4500 (no rewrite)
Destination address Area outside area router 1100 jurisdiction (no rewriting)
Rewrite,
That's it.

For example,
An IP packet sent from a wide area network to a terminal,
Source address is outside the area router 1100 jurisdiction destination address is 222.11.0.1 (area router wide area address)
Destination port number is 500 or 4500
For an IP packet that satisfies the condition
Source address Area outside area router 1100 jurisdiction (no rewriting)
Destination address 10.11.11.1 (terminal local address)
Destination port number 500 or 4500 (no rewrite)
Rewrite,
That's it.

  Returning to FIG. 10, the NW connection control apparatus 100 (connection reception unit 101), similarly to the first embodiment, the terminal local address transmitted from the terminal local address assignment unit 102 in step S <b> 304 and the server address storage unit 103. The server address of the tunnel termination device 300 obtained from the above is transmitted as a connection response to the terminal 10 (step S309).

  Then, the terminal 10 uses the terminal local address transmitted from the NW connection control device 100 (connection reception unit 101), and the server address of the tunnel termination device 300 transmitted from the NW connection control device 100 (connection reception unit 101). In response to this, a tunnel establishment request “IKEv2 request” is transmitted (step S310). Note that the terminal 10 according to the second embodiment generates a secure communication path with the tunnel termination device 300 according to IKEv2.

At this time, the anchor device 200 (NAT transfer unit 203)
An IP packet transmitted from the terminal 10 is
Source address is 10.11.11.1 (terminal local address)
Source port number is 500 or 4500
The destination address is 222.30.0.1 (server address)
So
Source address 222.11.0.1 (area router wide area address)
Source port number 500 or 4500 (no rewrite)
Destination address 222.30.0.1 (no rewrite)
And retransmit (transfer) to the tunnel termination device 300.

  That is, the anchor device 200 (NAT transfer unit 203) rewrites the transmission source address from 10.11.11.1 (terminal local address) to 222.11.0.1 (area router wide area address). Then, in tunnel terminating device 300 that has received the IP packet whose source address has been rewritten, it is observed as if the IP packet transmitted by area router 1100 has been received. For this reason, the tunnel terminating device 300 recognizes that the IP address of the terminal 10 is 222.11.0.1 (area router wide area address), and stores the corresponding relationship.

  When tunnel termination apparatus 300 (secure communication unit 301) receives the “IKEv2 request” retransmitted from anchor apparatus 200 (NAT transfer unit 203), in response to this, to terminal 10, “IKEv2 response” is sent. Is transmitted (step S311). Note that the tunnel termination device 300 according to the second embodiment generates a secure communication path with the terminal 10 using IKEv2.

At this time, the anchor device 200 (NAT transfer unit 203)
An IP packet transmitted from the tunnel terminating device 300 is
Source address is 222.30.0.1 (server address)
The destination address is 222.11.0.1 (area router wide area address)
Destination port number is 500 or 4500
So
Source address 222.30.0.1 (no rewrite)
Destination address 10.11.11.1 (terminal local address)
Destination port number 500 or 4500 (no rewrite)
And retransmit (transfer) to the terminal 10.

  That is, as described above, the tunnel terminating device 300 has recognized that the IP address of the terminal 10 is 222.11.0.1 (area router wide area address). Therefore, the response to the terminal 10 is also transmitted with 222.11.0.1 (area router wide area address) as the transmission destination. However, since the anchor device 200 (NAT transfer unit 203) rewrites the transmission destination address from 222.11.0.1 (area router wide area address) to 10.11.11.1 (terminal local address), the tunnel termination device 300 is 222.11.0.1 (area The IP packet transmitted with the router wide area address) as the transmission destination is eventually retransmitted to the terminal 10 and reaches the terminal 10.

  Thereafter, in the second embodiment, a secure communication path (UDP encapsulated ESP tunnel) is generated between the terminal 10 and the tunnel terminating device 300 based on the parameters exchanged in steps S310 to S313. And the tunnel termination device 300 performs communication using the secure communication path (step S314).

[When moving]
By the way, while the communication using the secure communication path is performed between the terminal 10 and the tunnel terminating device 300, the terminal 10 releases the connection with the wireless AP 1111 and newly connects to the wireless AP 1121. Then, the NW connection control apparatus 100 (terminal local address assignment unit 102) newly assigns a terminal local address “10.11.21.1” to the terminal 10 as in the initial connection.

  Similarly to the initial connection, the NW connection control device 100 (address conversion rule generation / update unit 104) generates an address conversion rule so as to synchronize with the allocation of the terminal local address, and the generated address conversion rule is displayed in the area router 1100. It transmits with respect to the upper anchor apparatus 200. FIG.

At this time, the address conversion rule stored in the address conversion table 201 is, for example,
An IP packet sent from a terminal to a wide area network.
Source address is 10.11.21.1 (terminal local address)
Source port number is 500 or 4500
For an IP packet that satisfies the condition that the destination address is an area outside the jurisdiction of the area router 1100,
Source address 222.11.0.1 (area router wide area address)
Source port number 500 or 4500 (no rewrite)
Destination address Area outside area router 1100 jurisdiction (no rewriting)
Rewrite,
That's it.

For example,
An IP packet sent from a wide area network to a terminal,
Source address is outside the area router 1100 jurisdiction destination address is 222.11.0.1 (area router wide area address)
Destination port number is 500 or 4500
For an IP packet that satisfies the condition
Source address Area outside area router 1100 jurisdiction (no rewriting)
Destination address 10.11.21.1 (terminal local address)
Destination port number 500 or 4500 (no rewrite)
Rewrite,
That's it.

  Here, considering the relationship with the IP address of the terminal 10 held by the tunnel terminating device 300, the terminal 10 after movement (the terminal 10 after the terminal local address is switched to 10.11.21.1) has already been generated. When an IP packet is transmitted to the tunnel termination device 300 using a secure communication path, the anchor device 200 (NAT transfer unit 203) changes the transmission source address from 10.11.21.1 (terminal local address) to 222.11.0.1 (area Router wide area address). In other words, as long as the terminal 10 moves under the area router 1100, the IP address of the terminal 10 recognized by the tunnel terminating device 300 is 222.11.0.1 (area router wide area address) and is unchanged. Therefore, the terminal 10 after moving can continuously communicate using the secure communication path that has already been generated.

[Effect of Example 2]
As described above, in the communication control system according to the second embodiment, when the connection reception unit 101 of the NW connection control apparatus 100 receives a connection request from the terminal 10 that requires switching of the IP address, the terminal local address allocation unit 102 is connected. However, according to the wireless AP connected to the closed network, the terminal 10 assigns a terminal local address to the terminal 10 and transmits the assigned terminal local address to the terminal 10. Further, the address translation rule generation / update unit 104 receives the terminal local address from the terminal local address assignment unit 102, generates an address translation rule for converting the received terminal local address and the wide area address of the area router 1100, and generates The address conversion rule thus stored is stored in the address conversion table of the anchor device 200. Then, when the NAT transfer unit 203 of the anchor device 200 performs communication between the terminal 10 assigned the terminal local address and another terminal connected to the wide area network, based on the address conversion table, Since the terminal local address and the wide area address of the area router 1100 are converted, the load on the terminal 10 due to the switching of the IP address can be suppressed.

  That is, in the first place, according to the second embodiment, the closed network in which the terminal 10 moves is further divided into a plurality of closed networks such as area 1, area 2, and area 3, and the NW connection control apparatus 100 and An anchor device 200 is provided. Therefore, if the movement of the terminal 10 stays within the same area, the terminal 10 does not need to re-register an IP address or exchange a key with the tunnel terminating device 300. As a result, it is possible to reduce the load on the terminal 10, the load on the network (the amount of traffic flowing through the network), and the load on the tunnel termination device 300.

  In other words, in the second embodiment, control is performed so that the wide area address of the area router 1100 can always be seen when the terminal 10 is viewed from the tunnel terminating device 300. For example, when the tunnel termination device 300 tries to transmit a message to the terminal 10, the tunnel termination device 300 generates a packet with a transmission destination address of 222.11.0.1 and sends it to the network. Then, the area router 1100 once receives the message, and the anchor device 200 rewrites the transmission destination address of the message as 10.11.21.1 according to the address conversion rule, and retransmits the message to the terminal 10 in the area.

  Thus, according to the second embodiment, by exposing the wide area address of the area router 1100 as a representative instead of the IP address of the terminal 10 to the tunnel terminating device 300 and concealing the local address in the area, If the movement of the terminal 10 stays within the same area, re-registration of the IP address from the terminal 10 to the tunnel termination device 300 and key re-exchange can be suppressed. In this case, the anchor device 200 of the area router 1100 plays a role as a position management device that manages the true position of the terminal 10.

  In addition to such an effect, according to the second embodiment, since the address conversion table 201 is updated only by communication between the NW connection control device 100 and the anchor device 200, the movement of the terminal 10 is within the same area. In the case of staying moving, the terminal 10 does not need to re-register the IP address with respect to the anchor device 200, and the load on the terminal 10 due to the switching of the IP address can be suppressed. At this time, the terminal 10 only needs to have a normal IPsec tunnel communication function, and does not need to have a special location information management function.

  Further, according to the second embodiment, the address conversion table 201 is updated by superimposing (synchronizing) with the IP address assignment process, so that the address conversion table 201 can be updated efficiently.

[Other embodiments]
Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the above-described embodiments.

[Address translation rule]
In the address translation rule in the first and second embodiments, the situation is that only one terminal for SIP communication is connected under the area router (the situation in which the anchor device can identify the terminal connected by the port number 5060). In addition, a situation is assumed in which only one terminal that performs IPsec tunnel communication is connected under the area router (a situation in which the anchor device can identify a terminal connected by port number 500 or 4500). For this reason, for example, when the anchor device receives an IP packet of port number 5060 destined for the wide area address of the area router, the anchor device can identify the terminal to which the IP packet is to be transferred. It was possible to convert the terminal local address of the terminal.

  However, the present invention is not limited to this. For example, assume that the anchor device is provided with a NAPT (Network Address Port Translation) function instead of the NAT function. Then, in general, in the NAPT function, a difference in IP address in a closed network can be mapped to a difference in port number. Therefore, the address translation rule can be generated by a method of specifying a terminal by a combination of an IP address and a port number. In this case, even in a situation where a plurality of SIP communication terminals are connected under the area router or a situation where a plurality of IPsec tunnel communication terminals are connected under the area router, the anchor device Can identify the terminal to which the IP packet is to be transferred from the combination of the IP address and the port number, and can convert the terminal into the terminal local address and port number of the terminal.

[System configuration, etc.]
In the first embodiment and the second embodiment, the NW connection control apparatus performs the generation up to the address translation rule. That is, the anchor device only has to store the address translation rule transmitted from the NW connection control device in the address translation table. However, the system configuration of the present invention is not limited to this. For example, the NW connection control device may only assign a terminal local address. That is, when the NW connection control device assigns a terminal local address and transmits the terminal local address to the anchor device, the anchor device generates an address translation rule and stores it in the address translation table.

  In the first and second embodiments, the example in which the closed network is further divided into a plurality of closed networks such as area 1, area 2, and area 3 has been described. However, the present invention is not limited to this. The present invention can be similarly applied to an example in which a closed network is configured by one area without being divided into a plurality of closed networks.

  In addition, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures (such as FIG. 7), control procedures, specific names, and information including various data and parameters shown in the drawings and drawings may be arbitrarily changed unless otherwise specified. it can.

  Each component of each illustrated device is functionally conceptual, and does not necessarily need to be physically configured as illustrated (such as FIG. 2). In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. The NW connection control device and the anchor device may be configured by the same physical device, for example. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The communication control method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, in the communication control system, the communication control method, and the communication control program according to the present invention, the position information assigned to the terminal as information necessary for the terminal to communicate is the position where the terminal is connected to the network. This is useful for controlling communication performed by the terminal under the situation of switching as the user moves, and is particularly suitable for suppressing the load on the terminal associated with the switching of position information.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and features of a communication control system according to a first embodiment. 1 is a block diagram illustrating an overall configuration of a communication control system according to a first embodiment. 1 is a block diagram illustrating a configuration of a communication control system according to a first embodiment. It is a figure for demonstrating a terminal local address allocation part. It is a figure for demonstrating a server address memory | storage part. It is a figure for demonstrating an address conversion table. It is a sequence diagram which shows the procedure (at the time of initial connection) by the communication control system which concerns on Example 1. FIG. It is a sequence diagram which shows the procedure (at the time of a movement) of the process by the communication control system which concerns on Example 1. FIG. It is a block diagram which shows the whole structure of the communication control system which concerns on Example 2. FIG. FIG. 10 is a sequence diagram illustrating a processing procedure (at the time of initial connection) by the communication control system according to the second embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Terminal 11 Secure communication part 100 NW connection control apparatus 101 Connection reception part 102 Terminal local address allocation part 103 Server address memory | storage part 104 Address conversion rule production | generation update part 200 Anchor apparatus 201 Address conversion table 202 NAT management part 203 NAT transfer part 300 Service Device 301 Secure communication unit 1000 Core router 1100 Area router 1110 Edge router 1111 Wireless AP
1112 Wireless AP
1121 Wireless AP
1122 Wireless AP

Claims (4)

A communication control system that controls communication performed by a terminal under a situation in which position information assigned to the terminal as information necessary when the terminal performs communication switches as the terminal moves to a position connected to the network. Because
When the network is configured by communicably connecting a closed network and a wide area network, when receiving a connection request for requesting connection to the network from the terminal that requires switching of the location information, According to the position at which the terminal is connected to the closed network, closed position information, which is position information necessary when the terminal communicates with the closed network, is assigned to the terminal, and the assigned closed position information is assigned to the terminal. Assigning means to transmit;
The closed position information assigned to the terminal by the assigning means is received from the assigning means, and the received closed position information and the wide area position information that is position information necessary when the terminal communicates with the wide area network. A conversion rule generating means for generating a conversion rule for converting
Conversion rule storage means for storing the conversion rule generated by the conversion rule generation means in a conversion rule table for storing the conversion rule;
When communication is performed between a terminal to which the closed location information is assigned by the assigning unit and another terminal connected to the wide area network, the conversion rule is stored by the conversion rule storing unit. A position information conversion means for converting the closed position information and the wide area position information based on a table;
A communication control system comprising: A communication control method for controlling communication performed by a terminal under a situation in which position information assigned to the terminal as information necessary when the terminal performs communication switches as the terminal moves to a position connected to the network. Because
When the network is configured by communicably connecting a closed network and a wide area network, when receiving a connection request for requesting connection to the network from the terminal that requires switching of the location information, According to the position at which the terminal is connected to the closed network, closed position information, which is position information necessary when the terminal communicates with the closed network, is assigned to the terminal, and the assigned closed position information is assigned to the terminal. An assignment process to send, and
The closed location information assigned to the terminal by the assigning step is received from the assigning step, the received closed location information, and the wide location information that is location information necessary when the terminal communicates with the wide area network. A conversion rule generating step for generating a conversion rule for converting
A conversion rule storage step of storing the conversion rule generated by the conversion rule generation step in a conversion rule table storing the conversion rule;
When communication is performed between the terminal to which the closed location information is assigned in the assignment step and another terminal connected to the wide area network, the conversion rule in which the conversion rule is stored in the conversion rule storage step A position information conversion step for converting the closed position information and the wide area position information based on a table;
The communication control method characterized by including. A communication control system that controls communication performed by a terminal under a situation in which position information assigned to the terminal as information necessary when the terminal performs communication switches as the terminal moves to a position connected to the network. Because
When the closed network and the wide area network are communicably connected to form the network, the network connection control device connected to be communicable with a terminal connected to the closed network is:
When receiving a connection request for requesting connection to the network from a terminal that requires switching of the location information, when the terminal performs communication in the closed network according to the position at which the terminal connects to the closed network Allocation means for allocating the closed position information, which is necessary position information, to the terminal, and transmitting the allocated closed position information to the terminal;
The closed position information assigned to the terminal by the assigning means is received from the assigning means, and the received closed position information and the wide area position information that is position information necessary when the terminal communicates with the wide area network. A conversion rule generating means for generating a conversion rule for converting
Conversion rule transmission means for transmitting the conversion rule generated by the conversion rule generation means to an anchor device communicably connected to the network connection control device,
The anchor device is
Conversion rule storage means for storing the conversion rule transmitted by the conversion rule transmission means in a conversion rule table for storing the conversion rule;
When communication is performed between a terminal to which the closed location information is assigned by the assigning unit and another terminal connected to the wide area network, the conversion rule is stored by the conversion rule storing unit. A position information conversion means for converting the closed position information and the wide area position information based on a table;
A communication control system comprising: A communication control system that controls communication performed by a terminal under a situation in which position information assigned to the terminal as information necessary when the terminal performs communication switches as the terminal moves to a position connected to the network. An anchor device in which
When the closed network and the wide area network are communicably connected to form the network, the network connection control device connected to be communicable with the terminal connected to the closed network needs to switch the position information. When a connection request for requesting connection to the network is received from a terminal, a closed position that is position information necessary for the terminal to communicate in the closed network according to the position at which the terminal connects to the closed network Assigning information to the terminal, generating a conversion rule for converting the closed position information assigned to the terminal and the wide area position information which is position information necessary when the terminal communicates in the wide area network, and the conversion rule Is transmitted to an anchor device that is communicably connected to the network connection control device. ,
Conversion rule storage means for storing a conversion rule transmitted by the network connection control device in a conversion rule table for storing a conversion rule;
When communication is performed between the terminal assigned the closed location information by the network connection control device and another terminal connected to the wide area network, the conversion rule is stored by the conversion rule storage means. Position information conversion means for converting the closed position information and the wide area position information based on a conversion rule table;
An anchor device comprising:

Images