JP2011049689A - Communication system, center side gateway used in communication system, and communication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make a starting device as a center side gateway when EAP (Extensible Authentication Protocol) authentication is applied to an IKEv2 (Internet Key Exchange version 2). <P>SOLUTION: A communication system establishes a pre-connection 81 and a communication tunnel 82 between an end side device 1 and the center side gateway 2. The center side gateway 2 transmits a calling message for starting an establishing procedure of the communication tunnel 82 to the end side device 1. After the end side device 1 executes a key creation procedure of the pre-connection 81 by receiving the calling message, the center side gateway starts the establishing procedure of the communication tunnel 82 using the encryption key of the created pre-connection 81, and establishes the communication tunnel 82 with the authenticated end side device 1. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a communication system, a center-side gateway used in the communication system, and a communication method.

  A communication system that establishes a communication tunnel, which is a logical communication path, between devices and transfers data through the communication tunnel is widely used. As shown below, various methods for establishing a communication tunnel are disclosed as RFC (Request for Comments) by the standardization organization IETF (Internet Engineering Task Force).

  The RFC4306 system described in Non-Patent Document 1 defines a key exchange protocol IKEv2 (Internet Key Exchange version 2) for establishing a communication tunnel for realizing secure data transfer. In IKEv2, a two-stage connection method is adopted, in which IKE_SA is established as a front connection and CHILD_SA is established as a back connection. And each signaling message required for establishment of CHILD_SA can raise the security intensity | strength by performing secure encryption communication using the key of IKE_SA. After CHILD_SA is established, user data is transferred through a secure communication tunnel of CHILD_SA, thereby realizing secure communication.

  The RFC 3261 method referred to in Non-Patent Document 2 defines SIP (Session Initiation Protocol) for establishing a session on a packet switching system. In SIP, an INVITE message from the calling terminal to the called terminal is transmitted as a call request, and the call as a session is established when the called terminal responds to the calling terminal. This INVITE message is relayed from the calling terminal to the called terminal via a proxy device that exists at an intermediate position between the calling terminal and the called terminal.

C. Kaufman, Ed., “Internet Key Exchange (IKEv2) Protocol”, [online], December 2005, IETF, [searched on August 18, 2009], Internet <URL: http://www.ietf.org /rfc/rfc4306.txt> Yasuhiko Tamura, Mayumi Yanagiya, Koichi Bessho, Yasushi Takagi, “A Study on Establishment of IPsec SA Using SIP”, Proceedings of the IEICE General Conference, B-6-151 , Proceedings of the IEICE General Conference 2003_Communications (2) pp.151

  In the communication tunnel establishment procedure, a device that requests establishment of a communication tunnel is called an initiator (Initiator), and a device that responds to the request is called a responder (Responder). Hereinafter, as an example of using EAP (Extensible Authentication Protocol) authentication for authentication of a device that establishes a communication tunnel, an example in which EAP-MD5 defined in RFC2284 is applied to the IKEv2 framework will be described.

FIG. 6 is a flowchart showing a procedure for establishing a two-stage connection (IKE_SA, CHILD_SA) of IKEv2 using the end device 91 as a starter and the center gateway 92 as a response device.
The flowchart shows a Request-Reply type address assignment sequence using EAP-MD5 authentication.
Two messages (IKE_SA_INIT req, IKE_SA_INIT res) are exchanged to generate a key for the previous connection (IKE_SA), a shared key for IKE_SA is generated, and the shared key is used to establish a subsequent connection (CHILD_SA). 6 messages (IKE_AUTH_1st to IKE_AUTH_6th) are exchanged.

  Table 1 is a table showing the message contents exchanged by each message in FIG. 6 and the processing activated on the receiving side of the message. EAP-MD5 is applied to the establishment process of the subsequent connection (CHILD_SA). In this establishment process, the center side gateway 92 exchanges four messages (Access-Request 1st, Access-Challenge, Access-Request 2nd, Access-Accept) with the authentication server 94, so that the end-side device 91 is legitimate. It is authenticating whether it is a device or not. The authentication server 94 is configured as, for example, an AAA (Authentication Authorization Accounting) server.

  In this way, in the EAP authentication, the response device authenticates the validity of the starting device by cooperating with the authentication server 94, and provides the starting device with a key for authenticating the validity of the response device as necessary. Therefore, an operation cost for preparing the authentication infrastructure is generated on the response device side, while an operation cost load is small on the starter side. Furthermore, the responding device needs to pay out an address assigned to the end point of the communication tunnel established with respect to the starter device, and it is necessary to manage the address. On the other hand, in the SIP of Non-Patent Document 2, although establishment and disconnection of a session are defined, the authentication of the originating terminal and the terminating terminal of the session is not described.

  By the way, in FIG. 6, the starting device (IKE_SA_INIT req transmission source device) in the pre-connection key generation process is the end device 91, but there is a need to change this starting device to the center gateway 92. For example, the end side device 91 arranged in each home holds meter reading data such as electricity / gas / water supply in the home, and the center side gateway 92 collects each meter reading data, Consider the case of distributing necessary data. At this time, since the center-side gateway 92 tries to establish a communication tunnel with the end-side device 91 when data distribution or data collection is desired, the pre-connection starter is on the center-side gateway 92 side.

  Here, in the IKEv2 framework, it is necessary to maintain the symmetry of the sequence. The symmetry of the sequence is to maintain the symmetry between the transmission process and the reply process by returning one response message with respect to one request message. Further, in the IKEv2 framework, the start device for the previous connection (the transmission source device for IKE_SA_INIT req) and the start device for the subsequent connection (the transmission source device for IKE_AUTH_1st) are the same device (the end device 91 in FIG. 6). is there.

  That is, when the front connection starter is changed to the center gateway 92 side, the rear connection starter is also on the center gateway 92 side in the IKEv2 framework. In this case, in EAP authentication, an authentication infrastructure is prepared on the side of the response device to be connected later, and thus it is necessary to prepare an authentication infrastructure in the end device 91 in each home. Thus, since it is not realistic to force the operation cost of the authentication infrastructure to each home, it is difficult to change the starter to the center gateway 92 side when applying EAP authentication to IKEv2. .

  Therefore, the main object of the present invention is to solve the above-described problem and to make the starting device a center side gateway when EAP authentication is applied to IKEv2.

  In order to solve the above problems, the present invention provides a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway, wherein the center-side gateway performs a procedure for establishing the communication tunnel. A call message for starting is transmitted to the end-side device, and the center-side gateway starts a key generation procedure for the previous connection to generate an encryption key between the end-side device and the end-side device. After the apparatus performs the key generation procedure of the previous connection by receiving the call message, the apparatus starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key, and the center side gateway By authenticating the end device, the communication tunnel is established with the end device, and the end device and the sensor are established. Side gateway via the established the communication tunnel, characterized in that the data communication.

  The present invention is a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway, wherein the center-side gateway starts the pre-connection key generation procedure, and the end-side An encryption key is generated with the device, and the center side gateway transmits a call message for starting the communication tunnel establishment procedure to the end side device by encrypted communication using the generated encryption key. Then, upon receipt of the call message, the end-side device starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key, and the center-side gateway authenticates the end-side device. Thus, the communication tunnel is established with the end side device, and the end side device and the center side gateway are Via the established the communication tunnel, characterized in that the data communication.

  The present invention relates to the center-side gateway used in a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway, and the center-side gateway starts the communication tunnel establishment procedure. A call message for sending to the end-side device, starting a key generation procedure for the previous connection, generating an encryption key with the end-side device, and sending the call to the end-side device After executing the pre-connection key generation procedure by the message, the communication tunnel establishment procedure is started by encrypted communication using the generated encryption key, and the end device is authenticated by Establishing the communication tunnel with the device, and performing data communication via the communication tunnel established with the end-side device And wherein the door.

  The present invention is the center-side gateway used in the communication system for establishing the pre-connection and communication tunnel between the end-side device and the center-side gateway, and the center-side gateway starts the key generation procedure for the pre-connection Then, an encryption key is generated with the end-side device, and a call message for starting the communication tunnel establishment procedure is transmitted to the end-side device by encrypted communication using the generated encryption key. Then, for the end side device, after performing the key connection procedure of the previous connection by the call message, start the communication tunnel establishment procedure by encrypted communication using the generated encryption key, By authenticating the end side device, the communication tunnel is established with the end side device and established with the end side device. Via the serial communication tunnel, characterized in that the data communication.

  The present invention relates to a communication method by a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway, wherein the center-side gateway starts a communication tunnel establishment procedure. A message is transmitted to the end-side device, and the center-side gateway initiates a key generation procedure for the previous connection to generate an encryption key between the end-side device and the end-side device After performing the pre-connection key generation procedure by receiving a message, the communication gateway establishment procedure is started by encrypted communication using the generated encryption key, and the center side gateway starts the end side device. By authenticating, the communication tunnel is established with the end device, and the end device and the center gateway are established. Lee, via the established the communication tunnel, characterized in that the data communication.

  The present invention is a communication method by a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway, wherein the center-side gateway starts the pre-connection key generation procedure, An encryption key is generated between the end-side device, and the center-side gateway sends a call message for starting the communication tunnel establishment procedure by encrypted communication using the generated encryption key. And the end side device starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key upon reception of the call message, and the center side gateway starts the end side device. Is established, the communication tunnel is established between the end side device and the end side device and the center side. Towei, via the established the communication tunnel, characterized in that the data communication.

  As a result, the start device in the previous connection establishment procedure becomes the center side gateway, and the start device in the communication tunnel establishment procedure using the previous connection becomes the end device called by the call message. Therefore, when applying EAP authentication to IKEv2, the starter can be a center-side gateway.

  In the present invention, when the end-side device receives the call message, it checks whether or not the identification information of the center-side gateway that is the transmission source of the call message is registered in the storage unit of the end-side device However, when it is not registered, the start of the communication tunnel establishment procedure is stopped.

  Thereby, the strength of security is improved by authenticating the source of the call message.

  As a result, the start device in the previous connection establishment procedure becomes the center side gateway, and the start device in the communication tunnel establishment procedure using the previous connection becomes the end device called by the call message. Therefore, the authentication process in the communication tunnel establishment procedure becomes the center-side gateway that is the response device, so that the authentication infrastructure can be concentrated in the center-side gateway that is the starting device of the previous connection establishment procedure.

  When the end device receives the call message, the present invention checks whether the content of the call message is registered in the storage means of the end device. The start of the communication tunnel establishment procedure is stopped.

  Thereby, the strength of security is improved by authenticating the content of the call message.

  The present invention is characterized in that the call message for establishing the communication tunnel is transmitted to the end-side device when the center-side gateway receives an input of an instruction to establish the communication tunnel. .

  Thereby, a desired communication tunnel can be established by transmitting a call message with an appropriate opportunity.

  When the center side gateway performs data communication via the communication tunnel, the communication gateway establishes the communication tunnel when the communication tunnel is not established with a communication partner. The call message is transmitted to the end device.

  Thereby, a desired communication tunnel can be established by transmitting a call message with an appropriate opportunity.

  According to the present invention, when EAP authentication is applied to IKEv2, the starting device can be a center-side gateway.

It is a block diagram which shows the communication system regarding one Embodiment of this invention. It is a block diagram which shows the detail of each apparatus which comprises the communication system of FIG. 1 regarding one Embodiment of this invention. It is a flowchart which shows the 1st example of the establishment procedure of a communication tunnel which the communication system of FIG. 1 regarding one Embodiment of this invention performs. It is a screen figure which shows the registration screen of the data content of the call message regarding one Embodiment of this invention. It is a flowchart which shows the 2nd example of the establishment procedure of a communication tunnel which the communication system of FIG. 1 regarding one Embodiment of this invention performs. It is a flowchart which shows the procedure which establishes the connection (IKE_SA, CHILD_SA) of two steps of IKEv2 by making an end side apparatus into a starting apparatus and a center side gateway as a response apparatus.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a configuration diagram illustrating a communication system. In this communication system, an end side network 7 and a center side network 9 are connected via an IP network 8.
An end-side device 1 is installed in the end-side network 7. A center side gateway 2 and an authentication server 4 are installed in the center side network 9.
The IP network 8 can communicate at the IP level (IPv4, IPv6), has a DNS server 3 installed therein, and is a communication tunnel that is a logical communication path between the end-side device 1 and the center-side gateway 2. 82 is established. The center side gateway 2 establishes a communication tunnel 82 with one or more end side devices 1 (three are exemplified in FIG. 1).

Note that each device (end-side device 1, center-side gateway 2, DNS server 3, authentication server 4, and tunnel management device 5) constituting the communication system of FIG. 1 includes a CPU as a control device and a storage unit. The computer is configured with a memory and a network interface. Details of each device will be described later with reference to FIG.
Further, the addresses (“10.0.1.1”, “10.0.1.101 to 103”) in the balloons described in the end-side device 1 and the center-side gateway 2 in FIG. 1 are IP addresses used for communication of the communication tunnel 82 itself. Indicates. These IP addresses are assigned in advance.
Also, the address ("192.168.1.101 to 103") in the balloon written at the end of the communication tunnel 82 in FIG. 1 on the end side device side is the IP address on the end side device side used for communication in the communication tunnel 82 (Inner address). These IP addresses are issued from the center-side gateway 2 in the procedure for establishing the communication tunnel 82.

FIG. 2 is a block diagram showing details of each device constituting the communication system of FIG.
The end-side device 1 includes a call handling unit 10, a pre-connection establishment unit 14, a post-connection establishment unit 15, and a communication control unit 16. The call handling unit 10 includes a call partner authentication unit 11, a connection destination It has a list 12 and a call content authentication unit 13.
The center-side gateway 2 includes a call request unit 20, a pre-connection establishment unit 24, a post-connection establishment unit 25, and a communication control unit 26.

First, processing units (pre-connection establishment units 14 and 24, post-connection establishment units 15 and 25, and communication control units 16 and 26) relating to IKEv2 processing will be described. In the present embodiment, EAP-MD5 is used as an example of EAP authentication as in the description of FIG. However, since the processing unit related to the IKEv2 processing has not been changed from the standard specification, it may be replaced with EAP authentication other than EAP-MD5. The following is an example of a replaceable EAP authentication method.
・ EAP-MD5 (RFC2284)
・ LEAP (EAP-Cisco)
・ EAP-TTLS
・ EAP-PEAP
・ EAP-TLS (RFC2716)

  The pre-connection establishment unit 14 and the pre-connection establishment unit 24 use IKEv2 as the IPsec key exchange protocol and establish IKE_SA as the pre-connection 81. The starting device (source of IKE_SA_INIT req) in the IKE_SA key generation procedure is the center side gateway 2 to which the previous connection establishment unit 24 belongs.

The post-connection establishing unit 15 and the post-connection establishing unit 25 use IKEv2 as the IPsec key exchange protocol and establish CHILD_SA as the post-connection communication tunnel 82. The signaling messages exchanged in the CHILD_SA establishment procedure are protected from snooping and tampering by encrypted communication using the key of the previous connection 81. The starting device (the source of IKE_AUTH_1st) in the CHILD_SA establishment procedure is the end device 1 to which the post-connection establishing unit 15 belongs.
In this CHILD_SA establishment procedure, whether or not the end-side device 1 to which the post-connection establishing unit 15 belongs is valid, and whether or not each device of the center-side gateway 2 to which the post-connection establishing unit 25 belongs is valid. In order to authenticate each of these, the post-connection establishing unit 25 executes EAP authentication in cooperation with the authentication server 4.
The authentication server 4 authenticates the connection-destination end device 1 using an ID / password or the like in the communication tunnel 82 establishment procedure (EAP authentication). The authentication server 4 is, for example, an AAA server.

  The communication control unit 16 and the communication control unit 26 realize secure data transfer using the established communication tunnel 82.

  Next, the call handling unit 10 and the call request unit 20 will be described.

  The call request unit 20 transmits a “call message” for starting the post-connection establishment unit 15 to the call handling unit 10. Hereinafter, the “call message” packet is an IP packet (IPv4 or IPv6 packet) as an example, but is not limited to an IP packet as long as the constituent elements are satisfied.

Examples of the contents of the “call message” include the following information.
Information that can uniquely identify the caller (for example, the IP address of the center side gateway 2)
Authentication information necessary for establishing the communication tunnel 82 from the end-side device 1 to the center-side gateway 2 (id used for user authentication when establishing the communication tunnel 82, IP for uniquely identifying the center-side gateway 2 as a connection destination Address or FQDN (Fully Qualified Domain Name), or a combination thereof: (Example) id @ FQDN)

Examples of the transmission trigger of the “call message” include the following trigger (1) or trigger (2). Details of these opportunities will be described later.
Trigger (1): When the establishment of the communication tunnel 82 is explicitly instructed from the outside such as a user Trigger (2): The communication control units 16 and 26 receive the packet to be transferred, and the transfer destination device When the communication tunnel 82 is not established during

  The call handling unit 10 responds to the call message from the call request unit 20, and in accordance with the instruction of the call message, the key generation processing of the front connection 81 by the front connection establishment unit 14 and the communication tunnel by the back connection establishment unit 15 The establishment process 82 is started. That is, since the end-side device 1 to which the connection establishing unit 15 to be started belongs becomes a start-up device in the CHILD_SA establishment procedure, authentication processing with the authentication server 4 is performed by the opposite center-side gateway 2.

When the call partner authentication unit 11 receives a call message, the call partner authentication unit 11 authenticates whether or not the center-side gateway 2 (call request unit 20) that is the call partner is a valid device. Specifically, the call partner authentication unit 11 reads the list of the center side gateway 2 from the connection destination list 12, and inquires the DNS server 3 using the domain name described in the list as a search key, thereby making the center side gateway A list of IP addresses of 2 is acquired. Then, when the IP address of the call message transmission source does not exist in the acquired list of the center side gateway 2, the call partner is regarded as illegal and the call message is discarded. Thereby, the spoofing of the call message can be prevented, and the security strength can be increased.
In the connection destination list 12 of the call handling unit 10, a list of the center side gateway 2 to which the communication tunnel 82 is connected is stored in the IP address or domain name of the center side gateway 2.
The DNS server 3 provides a DNS service for indexing an IP address from a domain name to the call partner authentication unit 11 and the like.

When the call content authentication unit 13 receives a call message, the call content authentication unit 13 authenticates whether the content of the message is valid. Specifically, the call content authentication unit 13 registers authentication information necessary for establishing the communication tunnel 82 to be included in the call message in advance in the storage unit in the end-side device 1 before receiving the call message. Keep it. This registration process is performed when the user of the end-side device 1 inputs parameters on a registration screen (see FIG. 4 described later) displayed on the browser.
When the content of the received call message is not already registered in the storage unit in the end device 1, the end device 1 regards the call content as invalid and discards the call message. Thereby, falsification of the call message can be prevented and the security strength can be increased.

The tunnel list 50 in the tunnel management device 5 shown in Table 2 manages information related to the communication tunnel 82 for each communication tunnel 82. The tunnel list 50 may be arranged in the center side gateway 2. This tunnel list 50 is edited by a user (such as an administrator) via a user interface 51 (input means such as a keyboard) or a telegram interface 52 (reception means for receiving a mail message from another system).
The tunnel ID is an identifier of the communication tunnel 82.
The user authentication information (user ID) is information for authenticating the user of the end device 1 and is information necessary for establishing the communication tunnel 82. On the other hand, the password used at the time of user authentication is not managed by the tunnel list 50 for security, but the password set on the end side apparatus 1 side is used.
The IP address of the end-side device 1 is the IP address of the end-side device 1 used for transmission / reception of a call message transmitted by the center-side gateway 2 and a message for establishing the communication tunnel 82.
The center-side gateway FQDN is information for uniquely identifying the center-side gateway 2 and is the FQDN of the center-side gateway 2 in transmission / reception of a message for establishing the communication tunnel 82. Note that the FQDN of the center side gateway may be the IP address of the center side gateway 2 (for example, “10.0.1.1”).
The tunnel establishment state indicates whether or not the communication tunnel 82 has been established.
The IP address (inner address) of the end-side device 1 is an IP address used in communication within the tunnel, and is an IP address assigned to the end-side device 1 when the communication tunnel 82 is established.
Among the information described above, information that may be included in the call message is user authentication information (user ID), the IP address of the center side gateway 2, and the FQDN of the center side gateway 2.

  FIG. 3 is a flowchart showing a first example of a procedure for establishing the communication tunnel 82 executed by the communication system of FIG. The establishment procedure of FIG. 3 is obtained by adding the procedures of S11 to S13 to the establishment procedure of FIG. Therefore, S11 to S13 will be described below.

The end-side device 1 and the center-side gateway 2 execute processing (S11 to S13) related to the call message before the pre-connection key generation processing. Among these, the processes of S12 and S13 can be omitted.
In S <b> 11, the call request unit 20 transmits a call message to the call handling unit 10. Upon receiving this call message, the call handling unit 10 instructs the previous connection establishing unit 14 to start the key generation processing for the previous connection, and when the previous connection establishing unit 14 is notified of the establishment of the previous connection 81. The post-connection establishment unit 15 is instructed to start (call) the communication tunnel 82 establishment process.
In S12, the call partner authentication unit 11 authenticates whether or not the transmission source (center side gateway 2) of the call message in S11 is valid. When it is not valid, the call to the post-connection establishment unit 15 is interrupted.
In S13, the call content authentication unit 13 authenticates whether the data content of the call message in S11 is valid. When it is not valid, the call to the post-connection establishment unit 15 is interrupted.

FIG. 4 is a screen diagram showing a registration screen for the data content of the call message displayed by the end-side device 1. In this registration screen, for each communication tunnel 82 identified by the connection ID, the authentication information (ID / password), connection control (whether connection is permitted), and connection request response (whether to respond to the call message) Or not) and the status of the communication tunnel 82 is displayed.
For example, when a call message including authentication information “user1@FQDN1.jp” is received, it is the same as “user1@FQDN1.jp” set as “connection 1”, so the communication tunnel 82 of “connection 1”. Since the connection request response is checked, a response notification to the call message (see S14 in FIG. 5 described later) is transmitted. Then, after the communication tunnel 82 of “connection 1” is established, the status is changed from “not connected” to “connected” and displayed.

Returning to FIG. 3, after the process (S11 to S13) regarding the call message, in response to the call message, the previous connection establishment unit 14 establishes the previous connection 81 with respect to the previous connection establishment unit 24 as a starter. To implement. By the process of establishing the previous connection 81, a key for the previous connection 81 (IKE_SA) is generated.
Then, the post-connection establishing unit 15 establishes the pre-connection 81 and the post-connection (communication tunnel 82) to the post-connection establishment unit 25 as a starter in response to the call of the call message. The EAP authentication at the time of establishing the subsequent connection is performed between the center side gateway 2 which is a response device for the subsequent connection and the authentication server 4.

FIG. 5 is a flowchart showing a second example of the procedure for establishing the communication tunnel 82 executed by the communication system of FIG. Hereinafter, the description will be given focusing on differences from the first example of FIG.
In the pre-connection key generation process, the transmission / reception directions of “IKE_SA_INIT req” and “IKE_SA_INIT res” are reversed. This is because, since the call message (S11) has not arrived at the end-side device 1 at the time of the pre-connection key generation processing, the center-side gateway 2 becomes the starting device.
S11 (call message transmission processing) is executed before generating the key for the previous connection in FIG. 3, but is executed after generating the key for the previous connection in FIG. Then, the call message is transmitted via the encrypted communication using the generated key of the previous connection 81, so that S12 (authentication process of the call partner) in FIG.
In FIG. 5, S <b> 14 is added after the previous connection 81 and the communication tunnel 82 are established. In S14, a response notification to the call message is transmitted in a direction opposite to the transmission direction of the call message, thereby ensuring the symmetry of the sequence in IKEv2. In the response notification to the call message, the purpose is only to transmit a packet, and therefore the data content included in the response notification is arbitrary (no data may be present).

  The call request unit 20 may transmit a call message to the call handling unit 10 in response to a user instruction that is a management command input from an administrator or the like. Hereinafter, a mode triggered by a user instruction will be described in detail. First, as an interface for accepting user instructions, the tunnel management device 5 is a message that enables cooperation with a user interface 51 corresponding to a user operation to the tunnel management device 5 and other systems (such as an automatic data collection system). A telegram interface 52 is provided.

  Upon receiving an input of “user ID” for establishing the communication tunnel 82 via these interfaces, the tunnel management device 5 responds by searching the tunnel list 50 using the “user ID” as a search key. Information necessary for establishing the communication tunnel 82 is acquired and notified to the call request unit 20. The call request unit 20 transmits a call message including the notified necessary information to the call handling unit 10.

Here, the telegram interface 52 instructs establishment or disconnection of the communication tunnel 82 of the user ID “user1” as illustrated in the following text.
・ Instruction to establish communication tunnel 82: “user1 @ FQDN1, connect”
-Communication tunnel 82 disconnection instruction: “user1 @ FQDN1, disconnect”. Upon receiving this disconnection instruction, the center side gateway 2 transmits an “IKE_SA delete” message to the end side device 1 to disconnect the communication tunnel 82.

The tunnel management device 5 can manage the established state of the communication tunnel 82 and the IP address assigned to the end-side device 1 in the tunnel list 50 in cooperation with the authentication server 4.
By managing the established state of the communication tunnel 82 in the tunnel list 50 of the tunnel management device 5, the call operation can be performed only when the communication tunnel 82 to be called is not established.
By managing the IP address (inner address) issued to the end-side device 1 in the tunnel list 50 of the tunnel management device 5, the communication tunnel 82 can be established with a packet addressed to the IP address as a trigger.

The call request unit 20 sends a call message to the call corresponding unit 10 when the communication control units 16 and 26 receive the packet and the communication tunnel 82 is not established with the transfer destination device of the packet. You may send it.
First, the “IP address of the end-side device 1” in the tunnel list 50 is fixedly assigned to each end-side device 1.
Next, when receiving the packet to be transferred, the communication control units 16 and 26 confirm the presence or absence of the communication tunnel 82 to the communication control unit 16 and 26 that is the transfer destination of the packet. The presence / absence of the communication tunnel 82 is confirmed by referring to the tunnel list 50, for example.
When the transfer destination communication tunnel 82 does not exist, the communication control units 16 and 26 notify the call request unit 20 that the communication tunnel 82 to the transfer destination does not exist together with the transfer destination IP address.
Further, the call request unit 20 retrieves the IP address of the transfer destination from the “IP address of the end-side device” in the tunnel list 50, acquires information necessary for establishing the communication tunnel 82 in the retrieved record, The call message including the acquired necessary information is transmitted to the call corresponding unit 10.

  According to the present embodiment described above, the center side gateway 2 takes charge of the starting device in IKEv2, and the data distribution and data collection led by the center side gateway 2 (according to the schedule of the center side gateway 2) are performed. It becomes possible. That is, since the user of the end side network 7 does not need to explicitly instruct the end side device 91 to become a starter, data distribution and data collection can be performed after the store is closed without an administrator of the end side network 7. become.

  Note that the disconnection control means for the communication tunnel 82 from the center-side gateway 2 performs disconnection of the communication tunnel 82 that is no longer necessary after data distribution and data collection. This disconnection control means is defined in Non-Patent Document 1. ing. That is, since the communication tunnel 82 is established only in a time zone in which data distribution and data collection are required by an instruction from the center side gateway 2, the lifetime of the communication tunnel 82 is shortened, and an illegal packet is transmitted to the communication tunnel. It is possible to suppress the flow in 82. Further, since the lifetime of each communication tunnel 82 is shortened, the number of communication tunnels 82 that can be connected at the same time can be suppressed. By increasing the number of end-side devices 1 as described above, the utilization efficiency of computer resources can be increased.

  Then, when EAP authentication is used for the procedure for establishing the subsequent connection (CHILD_SA) in IKEv2, the end device 91 takes charge of the starting device of the establishment procedure by a call message. Thereby, since the center side gateway 2 which is the response device of the subsequent connection performs the authentication process with the authentication server 4, it is not necessary to bear the operation cost on the end side device 91 side (each household side).

DESCRIPTION OF SYMBOLS 1 End side apparatus 2 Center side gateway 3 DNS server 4 Authentication server 5 Tunnel management apparatus 7 End side network 8 IP network 9 Center side network 10 Call corresponding part 11 Calling party authentication part 12 Connection destination list 13 Call content authentication part 14 Pre-connection Establishing unit 15 Post-connection establishing unit 16 Communication control unit 20 Call request unit 24 Pre-connection establishing unit 25 Post-connection establishing unit 26 Communication control unit 50 Tunnel list 51 User interface 52 Telegram interface 81 Pre-connection 82 Communication tunnel

Claims (10)

A communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway,
The center-side gateway sends a call message to start the communication tunnel establishment procedure to the end-side device,
The center side gateway starts the key generation procedure of the previous connection, generates an encryption key with the end side device,
The end-side device performs the pre-connection key generation procedure by receiving the call message, and then starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key. The side gateway authenticates the end side device to establish the communication tunnel with the end side device,
The end-side device and the center-side gateway perform data communication through the established communication tunnel. When the end device receives the call message, the end device verifies whether or not the identification information of the center side gateway that is the transmission source of the call message is registered in the storage unit of the end device. 2. The communication system according to claim 1, wherein the communication tunnel establishment procedure is stopped when the communication tunnel is not established. A communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway,
The center side gateway starts the key generation procedure of the previous connection, generates an encryption key with the end side device,
The center-side gateway transmits a call message for starting the communication tunnel establishment procedure to the end-side device by encrypted communication using the generated encryption key,
The end-side device starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key upon receipt of the call message, and the center-side gateway authenticates the end-side device by Establish the communication tunnel with the end device,
The end-side device and the center-side gateway perform data communication through the established communication tunnel. When the end-side device receives the call message, the end-side device checks whether the content of the call message is registered in the storage unit of the end-side device. When the end-side device is not registered, the end-side device establishes the communication tunnel. The communication system according to any one of claims 1 to 3, wherein the start of the procedure is stopped. The center-side gateway transmits the call message for establishing the communication tunnel to the end-side device when receiving an input of an instruction to establish the communication tunnel. The communication system according to claim 4. When the center-side gateway performs data communication via the communication tunnel, the call message for establishing the communication tunnel is triggered when the communication tunnel is not established with a communication partner. The communication system according to any one of claims 1 to 4, wherein the communication is transmitted to the end-side device. The center side gateway used in a communication system for establishing a pre-connection and a communication tunnel between an end side device and a center side gateway,
The center side gateway is
Send a call message to the end device to initiate the communication tunnel establishment procedure;
Initiating the key generation procedure of the previous connection, generating an encryption key with the end-side device,
For the end side device, after executing the pre-connection key generation procedure by the call message, start the communication tunnel establishment procedure by encrypted communication using the generated encryption key, and By authenticating the device, the communication tunnel is established with the end device,
A center-side gateway that performs data communication via the communication tunnel established with the end-side device. The center-side gateway used in a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway,
The center side gateway is
Initiating the key generation procedure of the previous connection, generating an encryption key with the end-side device,
A call message for starting the establishment procedure of the communication tunnel is transmitted to the end-side device by encrypted communication using the generated encryption key,
For the end side device, after executing the pre-connection key generation procedure by the call message, start the communication tunnel establishment procedure by encrypted communication using the generated encryption key, and By authenticating the device, the communication tunnel is established with the end device,
A center-side gateway that performs data communication via the communication tunnel established with the end-side device. A communication method by a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway,
The center-side gateway sends a call message to start the communication tunnel establishment procedure to the end-side device,
The center side gateway starts the key generation procedure of the previous connection, generates an encryption key with the end side device,
The end-side device performs the pre-connection key generation procedure by receiving the call message, and then starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key. The side gateway authenticates the end side device to establish the communication tunnel with the end side device,
The communication method, wherein the end side device and the center side gateway perform data communication through the established communication tunnel. A communication method by a communication system for establishing a pre-connection and a communication tunnel between an end-side device and a center-side gateway,
The center side gateway starts the key generation procedure of the previous connection, generates an encryption key with the end side device,
The center-side gateway transmits a call message for starting the communication tunnel establishment procedure to the end-side device by encrypted communication using the generated encryption key,
The end-side device starts the communication tunnel establishment procedure by encrypted communication using the generated encryption key upon receipt of the call message, and the center-side gateway authenticates the end-side device by Establish the communication tunnel with the end device,
The communication method, wherein the end side device and the center side gateway perform data communication through the established communication tunnel.

Images