JP2011119947A - Access point and method of controlling packet relay of access point - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access point of a public wireless LAN with high convenience, which prevents an installer and a manager from being called to account when a user commits a fraudulent act. <P>SOLUTION: A wireless LAN communication means 501 has a function for transmitting/receiving packets to/from a wireless LAN terminal 510, and transmits packets having passed through a packet filtering means 503 to the wireless LAN terminal 510 among the packets received by an Internet communication means 502. The Internet communication means 502 has a function for transmitting/receiving the packets to/from an IPsec server 530 via the Internet 520, and transmits the packets having passed through the packet filtering means 503 to the IPsec server 530 among the packets received by the wireless LAN communication means 501. Then, IPsec packets transmitted by the Internet communication means 502 are decoded by the IPsec server 530 to be transmitted to other device 540. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an access point used for a public wireless LAN and a packet relay control method for the access point.

  An access point for relaying transmission / reception of information via the Internet by a wireless LAN (Local Area Network) terminal is installed in a restaurant or a station.

  There are public wireless LAN access points, which are publicly available wireless LANs, with and without user authentication.

  Patent Document 1 describes a system that can be connected to a VPN (Virtual Private Network) via an access point of a public wireless LAN.

Japanese Patent Laying-Open No. 2005-204086 (paragraphs 0046 to 0074, FIG. 1)

  When a public wireless LAN access point authenticates a user, a user other than a user who has contracted with a specific Internet service provider who installed the access point cannot use the access point. . Therefore, the access point that performs user authentication is less convenient.

  In the system described in Patent Document 1, users other than the user who is authenticated by the connection authentication server cannot transmit / receive information using the public wireless LAN, and convenience is low.

  In addition, when the access point of the public wireless LAN does not authenticate the user, the user who uses the access point cannot be specified. Even if the user performs an illegal act or the like through the access point, It is difficult to track the user.

  Therefore, the present invention is highly convenient, and even when the access point does not authenticate the user, the public wireless LAN that can prevent the user's fraud and can easily track the user who has performed the fraud. It is an object to provide an access point and a packet relay control method for the access point.

  The access point according to the present invention includes a wireless LAN communication unit that transmits and receives packets to and from a wireless LAN terminal, an IPsec server that decrypts received IPsec packets via the Internet, and transmits packets to other devices connected to the Internet. Internet communication means for transmitting and receiving, packet filtering means through which an IKE packet and an IPsec packet can pass among packets received by the wireless LAN communication means and packets received by the Internet communication means. Of the packets received by the communication means, packets that have passed through the packet filtering means are transmitted to the wireless LAN terminal. And transmitting a packet that has passed to the IPsec server.

  The access point packet relay control method according to the present invention includes a wireless LAN communication step for transmitting / receiving a packet to / from a wireless LAN terminal, and decrypts the received IPsec packet via the Internet and transmits it to another device connected to the Internet. An Internet communication step for transmitting and receiving packets to and from an IPsec server, and a packet filtering step for performing a process of passing an IKE packet and an IPsec packet out of the packet received in the wireless LAN communication step and the packet received in the Internet communication step, In the wireless LAN communication step, among the packets received in the internet communication step, the packets passed in the packet filtering step are transmitted to the wireless LAN terminal, and the internet communication step. In, among the packets received by the wireless LAN communication step, and transmits the packet through the processing of packet filtering step to the IPsec server.

  According to the present invention, it is possible to provide a convenient access point that does not perform user authentication.

  In addition, it is possible to prevent a user's fraud without the user authenticating the user or to easily track the user who has performed the fraud.

It is explanatory drawing which shows the example of a connection of 1st Embodiment of the access point by this invention. It is a block diagram which shows the structural example of the access point of the 1st Embodiment of this invention. It is a block diagram which shows the structural example of an IPsec server. It is a flowchart which shows the process of the packet of the uplink in an access point. It is a flowchart which shows operation | movement of the IPsec server which received the IPsec packet of the uplink direction. It is a flowchart which shows operation | movement of the IPsec server which received the IPsec packet of the downlink direction. It is a block diagram which shows the structural example of 2nd Embodiment of the access point by this invention. It is a block diagram which shows the outline | summary of this invention.

Embodiment 1. FIG.
A first embodiment of an access point according to the present invention will be described with reference to the drawings. FIG. 1 is an explanatory diagram showing a connection example of the first embodiment of the access point 103 according to the present invention.

  As shown in FIG. 1, the access point 103 according to the first embodiment of the present invention is connected to a terminal 104 via a public wireless LAN 106 and connected to an IPsec (Security Architecture for Internet Protocol) server 102 via the Internet 101. Has been. A service providing server 105 that provides a service via the Internet 101 is connected to the Internet 101. The service providing server 105 is, for example, a general HTTP (Hyper Text Transfer Protocol) server or an e-mail server.

  The terminal 104 has a wireless LAN connection function, and is set in advance so as to be able to transmit and receive IPsec packets to and from the IPsec server 102 based on the IPsec standard via the access point 103 and the Internet 101. Note that the fact that the terminal 104 is in a range where wireless LAN connection with the access point 103 is possible is said to be in the public wireless LAN 106.

  FIG. 2 is a block diagram illustrating a configuration example of the access point 103 according to the first embodiment of this invention.

  As shown in FIG. 2, the access point 103 according to the first embodiment of the present invention includes a wireless LAN communication unit 202, filters 203 and 206, an IKE (Internet Key Exchange) packet processing unit 204, an IPsec packet processing unit 205, and a WAN. A (Wide Area Network) side communication unit 207, a DHCP (Dynamic Host Configuration Protocol) server function unit 208, a table management unit 209, and a log storage unit 210 are included.

  The wireless LAN communication unit 202 connects to the terminal 104 via a wireless LAN and transmits and receives packets. The WAN side communication unit 207 transmits / receives a packet to / from the IPsec server 102 via the Internet 101.

  Further, the wireless LAN communication unit 202 inputs the DHCP packet received from the terminal 104 to the DHCP server function unit 208. The DHCP server function unit 208 is connected to the wireless LAN communication unit 202, processes the DHCP packet input by the wireless LAN communication unit 202, and inputs the DHCP packet to the wireless LAN communication unit 202.

  The DHCP server function unit 208 processes the DHCP packet based on the specification of “DHCP server” defined in RFC (Request For Comments) 2131. In the present embodiment, the IP address assigned by this processing is a global address that can be used on the Internet 101.

  The filter 203 is connected to the wireless LAN communication unit 202, analyzes packets received by the wireless LAN communication unit 202 from the terminal 104, and classifies the packets into IKE packets, IPsec packets, and other packets. The filter 203 inputs the IKE packet to the IKE packet processing unit 204, inputs the IPsec packet to the IPsec packet processing unit 205, and discards the other packets.

  The filter 206 is connected to the WAN-side communication unit 207, analyzes packets received by the WAN-side communication unit 207 via the Internet 101, and classifies the packets into IKE packets, IPsec packets, and other packets. The filter 203 inputs the IKE packet to the IKE packet processing unit 204, inputs the IPsec packet to the IPsec packet processing unit 205, and discards the other packets.

  The IKE packet processing unit 204 discards the IKE packet input by the filter 203 (steps S106 and S108) or inputs the IKE packet to the WAN side communication unit 207 via the filter 206, and the IPsec server via the Internet 101. Instruct to transfer to 102. Also, the IKE packet processing unit 204 inputs the IKE packet input by the filter 206 to the wireless LAN communication unit 202 via the filter 203 and instructs transfer to the terminal 104.

  Further, the IKE packet processing unit 204 registers the transmission source IP address and the destination IP address of the IKE packet in a table managed by the table management unit 209 in a process (step S105) described later.

  The IPsec packet processing unit 205 discards the IPsec packet input by the filter 203 (processing in steps S110 and S111), or inputs it to the WAN side communication unit 207 via the filter 206, via the Internet 101. Instructs transfer to the IPsec server 102. In addition, the IPsec packet processing unit 205 inputs the IPsec packet input by the filter 206 to the wireless LAN communication unit 202 via the filter 203 and instructs transfer to the terminal 104.

  The table management unit 209 manages a table in which the transmission source IP address and the destination IP address of the IKE packet are registered by the IKE packet processing unit 204. Specifically, for example, the table management unit 209 is realized by a CPU (Central Processing Unit) of the access point 103, and the table is realized by a cache memory. The source IP address and the destination IP address of the IKE packet are stored in a table format in the cache memory. That is, it is registered in the table. The table management unit 209 deletes the transmission source IP address and the destination IP address of the IKE packet registered in the table at a predetermined timing.

  The log storage unit 210 includes a source IP address and a destination IP address of an IKE packet registered in a table managed by the table management unit 209, a date and time when the IP address was registered in the table, and a date and time when the IP address was deleted from the table. And record. Specifically, for example, it is stored in the storage means.

  FIG. 3 is a block diagram illustrating a configuration example of the IPsec server 102. As shown in FIG. 3, the IPsec server 102 includes an IKE processing unit 302, an IPsec processing unit 303, a NAT (Network Address Translation) processing unit 304, and Internet connection units 305 and 306.

  The internet connection unit 305 transmits and receives packets to and from the access point 103 via the internet 101. The Internet connection unit 306 transmits and receives packets to and from the service providing server 105 via the Internet 101.

  The Internet connection unit 305 analyzes packets received via the Internet 101 and classifies them into IKE packets, IPsec packets, and other packets. Then, the IKE packet is input to the IKE processing unit 302, the IPsec packet is input to the IPsec processing unit 303, and other packets are discarded.

  In addition, the Internet connection unit 305 transmits the packet input by the IKE processing unit 302 or the IPsec processing unit 303 to the destination of the packet via the Internet 101.

  The IPsec processing unit 303 decrypts the IPsec packet input by the Internet connection unit 305 and inputs it to the NAT processing unit 304. Also, the IP packet input by the NAT processing unit 304 is encrypted based on the IPsec specification and input to the Internet connection unit 303. Note that IPsec processing, which is packet encryption processing and decryption processing performed by the IPsec processing unit 303, is performed based on the IPsec specifications defined in RFC4301 and RFC2401. In addition, the IPsec processing unit 303 receives key information used for the IPsec processing from the IKE processing unit 303.

  The NAT processing unit 304 rewrites the source IP address of the IP packet input by the IPsec processing unit 303 from the IP address of the terminal 104 to its own IP address, and inputs it to the Internet connection unit 306.

  Further, the NAT processing unit 304 rewrites the destination IP address of the IP packet input by the Internet connection unit 306 from its own IP address to the IP address of the terminal 104 and inputs the IP address to the IPsec processing unit 303. Note that the IP address rewriting process performed by the NAT processing unit 304 is performed based on the specifications of NAPT (Network Address Port Translation) defined in RFC2663.

  The IKE processing unit 302 processes the IKE packet received from the terminal 104 input by the Internet connection unit 305. In addition, the Internet connection unit 305 is instructed to transmit an IKE packet to the terminal 104 via the Internet 101.

  The IKE processing unit 302 passes key information obtained by processing the IKE packet to the IPsec processing unit 303. The IPsec processing unit 303 uses the passed key information for IPsec processing. Note that the IKE packet processing performed by the IKE processing unit 302 is performed based on the IPsec specifications defined in RFC4301 and RFC2401.

  Next, the operation of the public wireless LAN system including the access point 103 according to the first embodiment of this invention will be described. First, an outline of the operation of the public wireless LAN system will be described. Hereinafter, packets transmitted from the terminal 104 to the service providing server 105 via the access point 103, the Internet 101, the IPsec server 102, and the Internet 101 are referred to as uplink packets. A packet transmitted from the service providing server 105 to the terminal 104 via the Internet 101, the IPsec server 102, the Internet 101, and the access point 103 is referred to as a downlink packet.

  Both settings are performed in advance so that IPsec communication in the tunnel mode can be performed between the IPsec server 102 and the terminal 104.

  When the terminal 104 is in the public wireless LAN 106, the terminal 104 establishes wireless LAN communication by transmitting / receiving information to / from the access point 103. Then, the terminal 104 transmits a DHCP request to the access point 103 and receives an IP address assignment from the access point 103. The DHCP request to be transmitted is specifically a DHCP discover message, for example.

  Next, the terminal 104 negotiates IKE with the IPsec server 102 via the access point 103 and the Internet 101, and establishes a communication path by IPsec. IKE negotiations are defined in RFC4301 and RFC2401 described above. The operation of the access point 103 will be described later.

  When the terminal 104 uses a service provided by the service providing server 105 connected to the Internet 101, the terminal 104 transmits / receives an IPsec packet, which is a packet transmitted / received through a communication path established with the IPsec server 102. To do.

  The IPsec server 102 decrypts the IPsec packet transmitted from the terminal 104, rewrites the IP address of the transmission source based on the NAPT specification, and transmits it to the service providing server 105 via the Internet 101.

  The service providing server 105 that has received the packet transmitted by the IPsec server 102 recognizes that the transmission source is not the terminal 104 but the IPsec server 102 based on the transmission source IP address of the packet.

  When the service providing server 105 transmits a packet in response to the terminal 104, the service providing server 105 transmits the packet to the IPsec server 102 that is recognized as the transmission source of the received packet. The IPsec server 102 converts the destination IP address of the packet transmitted by the service providing server 105 based on the NAPT specification, encrypts the packet based on the IPsec specification, and transmits it to the terminal 104 via the Internet 101 and the access point 103. To do.

  Next, an IKE negotiation performed between the terminal 104 and the IPsec server 102 will be described. IKE negotiations performed between the terminal 104 and the IPsec server 102 are performed by the terminal 104 transmitting an IKE packet to the IPsec server 102 and then transmitting IKE packets to each other until a communication path by IPsec is established. .

  FIG. 4 is a flowchart showing upstream packet processing at the access point 103. Note that the processing in steps S101 to S108 shown in FIG. 4 is performed to establish a communication path between the terminal 104 and the IPsec server 102. 4 is performed after a communication path is established between the terminal 104 and the IPsec server 102. The processes in steps S101, S102, and S109 to S111 illustrated in FIG.

  When the terminal 104 transmits the IKE packet to the IPsec server 102, the wireless LAN communication unit 202 of the access point 103 receives the IKE packet (step S101). The filter 203 analyzes the packet received by the wireless LAN communication unit 202 and determines the packet type (step S102).

  When the filter 203 analyzes the packet received by the wireless LAN communication unit 202 and determines that the packet is a DHCP packet (step S102), the filter 203 inputs the DHCP packet to the DHCP server function unit 208. The DHCP server function unit 208 assigns an IP address to the terminal 104 based on the “DHCP server” specification (step S103), and discards the DHCP packet.

  When the filter 203 determines that the packet received by the wireless LAN communication unit 202 is an IKE packet (step S102), the filter 203 inputs the IKE packet to the IKE packet processing unit 204. The IKE packet processing unit 204 determines whether data matching the transmission source IP address of the input IKE packet is registered in the table managed by the table management unit 209 (step S104).

  If the IKE packet is first transmitted from the terminal 104, data matching the transmission source IP address of the IKE packet is not registered in the table managed by the table management unit 209 (N in step S104). The IKE packet processing unit 204 registers the transmission source IP address and the destination IP address in the table managed by the table management unit 209 (step S105). Note that the source IP address registered in the table in step S105 is the IP address of the terminal 104, and the destination IP address is the IP address of the IPsec server 102.

  Then, the IKE packet processing unit 204 inputs the IKE packet to the WAN side communication unit 207 via the filter 206 and instructs transfer to the IPsec server 102 via the Internet 101. In response to the instruction, the WAN side communication unit 207 transfers the IKE packet to the IPsec server 102 via the Internet 101 (step S106). That is, it transmits.

  Thereafter, when the terminal 104 transmits an IKE packet to the IPsec server 102, processing similar to the processing in steps S101, S102, and S104 described above is performed. Then, since the transmission source IP address and the destination IP address are registered in the table managed by the table management unit 209 in the process of step S104 described above, the IKE packet processing unit 204 executes the IKE packet input by the filter 203. It is determined that data matching the transmission source IP address is registered (Y in step S104).

  Then, the IKE packet processing unit 204 matches the destination IP address corresponding to the transmission source IP address of the IKE packet registered in the table managed by the table management unit 209 and the destination IP address of the input IKE packet. Whether or not (step S107).

  The IKE packet processing unit 204 discards the input IKE packet (step S108) when it is determined in step S107 that they do not match (N in step S107).

  When the IKE packet processing unit 204 determines that they match in the process of step S107 (Y in step S107), the IKE packet processing unit 204 inputs the IKE packet to the WAN side communication unit 207 via the filter 206, and the IPsec server via the Internet 101 Instruct to transfer to 102. In response to the instruction, the WAN side communication unit 207 transfers the IKE packet to the IPsec server 102 via the Internet 101 (step S106). That is, it transmits.

  The access point 103 processes the downstream IKE packet as follows in order to establish a communication path between the terminal 104 and the IPsec server 102. That is, the WAN side communication unit 207 of the access point 103 receives the IKE packet transmitted from the IPsec server 102 and inputs it to the filter 206. The filter 206 inputs the IKE packet to the IKE packet processing unit 204. The IKE packet processing unit 204 inputs the IKE packet to the wireless LAN communication unit 202 via the filter 203 and instructs transfer to the terminal 104. The wireless LAN communication unit 202 transmits the input IKE packet to the terminal 104.

  The IPsec server 102 processes the downstream IKE packet as follows in order to establish a communication path with the terminal 104. That is, the Internet connection unit 305 of the IPsec server 102 receives the downstream IKE packet and inputs it to the IKE processing unit 302. The IKE processing unit 302 processes the IKE packet described above, and instructs the Internet connection unit 305 to transmit the IKE packet to the terminal 104 via the Internet 101. The Internet connection unit 305 transmits an IKE packet to the terminal 104 via the Internet 101 in response to the instruction. In addition, when key information is obtained by processing the IKE packet, the IKE processing unit 302 passes the key information to the IPsec processing unit 303.

  Through the processing in steps S101 to S108 described above and the downstream IKE packet processing in the access point 103 and the IPsec server 102, the terminal 104 and the IPsec server 102 complete the negotiation by IKE, and the communication path by IPsec is established. .

  A process of the access point 103 after establishing a communication path between the terminal 104 and the IPsec server 102 will be described.

  When the terminal 104 and the IPsec server 102 complete the negotiation by IKE and establish the communication path by IPsec, the terminal 104 starts using the service provided by the service providing server 105 connected to the Internet 101.

  In order to transmit a packet to the service providing server 105 using the communication path established with the IPsec server 102, the terminal 104 encrypts the packet, and sends the encrypted IPsec packet to the IPsec server 102. Transmit to the access point 103.

  The wireless LAN communication unit 202 of the access point 103 receives the IPsec packet transmitted from the terminal 104 (step S101). The filter 203 analyzes the packet received by the wireless LAN communication unit 202 and determines the packet type (step S102).

  When the filter 203 determines that the packet received by the wireless LAN communication unit 202 is an IPsec packet, the filter 203 inputs the IPsec packet to the IPsec packet processing unit 205. The IPsec packet processing unit 205 determines whether data matching the transmission source IP address and destination IP address of the input IPsec packet is registered in the table managed by the table management unit 209 (step S109).

  In this example, as described above, the IKE negotiation has already been performed, and the source IP address and the destination IP address are registered in the table managed by the table management unit 209 in the process of step S105 (step S105). In step S109, the IPsec packet processing unit 205 inputs the IPsec packet to the WAN side communication unit 207 via the filter 206, and instructs transfer to the IPsec server 102 via the Internet 101. In response to the instruction, the WAN-side communication unit 207 transfers the IPsec packet to the IPsec server 102 via the Internet 101 (step S110). That is, it transmits.

  In addition, when the transmission source IP address is not registered in the table managed by the table management unit 209, or the transmission source IP address registered in the table and the transmission source IP of the IPsec packet input to the IPsec packet processing unit 205 If the address does not match (N in Step S109), the IPsec packet processing unit 205 discards the IPsec packet (Step S111).

  In the process of step S102, when the filter 203 analyzes the packet received by the wireless LAN communication unit 202 and determines that the packet is not an IKE packet, an IPsec packet, or a DHCP packet, Discard (step S112).

  The access point 103 processes the downstream IPsec packet after establishing a communication path between the terminal 104 and the IPsec server 102 as follows. That is, the WAN side communication unit 207 receives the IPsec packet transmitted from the IPsec server 102 and inputs it to the filter 206. The filter 206 inputs the IPsec packet to the IPsec packet processing unit 205. The IPsec packet processing unit 205 inputs the IPsec packet to the wireless LAN communication unit 202 via the filter 203 and instructs transfer to the terminal 104. The wireless LAN communication unit 202 transmits the input IPsec packet to the terminal 104.

  Further, the access point 103 performs the following processing after the communication between the terminal 104 and the IPsec server 102 is completed. That is, when the terminal 104 ends communication with the IPsec server 102, the IPsec packet transmitted from the terminal 104 to the IPsec server 102 is not transmitted to the access point 103. Then, the table management unit 209 deletes the data registered in the table after a predetermined period has elapsed since the IPsec packet transmitted from the terminal 104 to the IPsec server 102 is not transmitted to the access point 103. Note that the data registered in the table is the source IP address and the destination IP address of the IKE packet. The “predetermined period” is set in advance so that the registered data amount does not exceed the storage capacity of the cache memory.

  Next, the operation of the IPsec server 102 will be described. FIG. 5 is a flowchart showing the operation of the IPsec server 102 that has received an IPsec packet in the upstream direction.

  The Internet connection unit 305 of the IPsec server 102 receives the IPsec packet transmitted from the terminal 104 via the access point 103 and the Internet 101 (step S201), and inputs it to the IPsec processing unit 303.

  The IPsec processing unit 303 decrypts the IPsec packet received by the Internet connection unit 305 (step S202) and inputs it to the NAT processing unit 304. The NAT processing unit 304 rewrites the source IP address of the input IP packet from the IP address of the terminal 104 to its own IP address (step S203), and inputs it to the Internet connection unit 306.

  The internet connection unit 306 transmits the input IP packet to the service providing server 105 via the internet 101 (step S204).

  FIG. 6 is a flowchart showing the operation of the IPsec server 102 that has received a downstream IPsec packet.

  The Internet connection unit 306 of the IPsec server 102 receives the IP packet transmitted from the service providing server 105 via the Internet 101 (step S301), and inputs it to the NAT processing unit 304.

  The NAT processing unit 304 rewrites the destination IP address of the IP packet input by the Internet connection unit 306 from its own IP address to the IP address of the terminal 104 (step S302), and inputs it to the IPsec processing unit 303. The IPsec processing unit 303 encrypts the input IP packet (step S303). Then, the IPsec processing unit 303 inputs the encrypted IP packet (IPsec packet) to the Internet connection unit 303. The Internet connection unit 303 transmits the IPsec packet to the terminal 104 via the Internet 101 and the access point 103 (step S304).

  According to this embodiment, the access point 103 cannot be used by a user other than a trusted user who is permitted to install the IPsec server 102 by any Internet service provider.

  Specifically, the access point 103 is configured not to pass packets other than the IPsec packet except for the IKE packet for establishing the communication path by IPsec in the processes of steps S102 and S112. Therefore, the user of the terminal 104 needs to prepare an IPsec server 102 connected to the Internet 101 in advance in order to use the access point 103.

  And it is difficult for the installer or administrator of the access point 103 to know who the user of the access point 103 is before use, during use, or immediately after use. Since the installation of the server 102 is permitted, the user can be expected to be reliable to some extent. That is, the access point 103 cannot be used by users other than such users. And unauthorized use can be prevented in advance.

  Further, according to the present embodiment, when the service providing server 105 connected to the Internet 101 tries to track the identity of the user, the burden on the installer or administrator of the access point 103 can be reduced.

  The access point 103 is configured not to pass packets other than IPsec packets even for packets transmitted via the Internet 101. Here, the IKE packet for establishing the communication path by IPsec is excluded.

  Therefore, in order for the terminal 104 to communicate with the service providing server 105 connected to the Internet 101, the IPsec server 102 performs NAPT processing in order to encrypt the packet transmitted by the service providing server 105 with IPsec. It is necessary to make the service providing server 105 recognize the communication performed by the terminal 104 as if the IPsec server 102 itself is performing.

  If the IPsec server 102 did not convert the IP address by NAPT, the IP address assigned by the access point 103 to the terminal 104 by DHCP is transmitted to the service providing server 105 connected to the Internet 101. It will be recognized as the IP address of the transmission source. Then, the response IP packet transmitted from the service providing server 105 connected to the Internet 101 is transmitted to the terminal 104 without passing through the IPsec server 102.

  However, since the transmitted IP packet is a normal IP packet that has not been encapsulated into an IPsec packet (IPsec process) by the IPsec server 102, it is discarded by the access point 103 and is not received by the terminal 104.

  That is, in order for the terminal 104 to receive a packet transmitted by the service providing server 105, it is necessary to pass through the IPsec server 102, and the service providing server 105 needs to recognize the IP address of the IPsec server 102.

  Therefore, when an illegal act is performed on the service providing server 105 by the terminal 104, the administrator of the service providing server 105 is not the installer or administrator of the access point 103 but the IPsec server 102 used by the terminal 104. It is thought that the responsibility is asked to the manager of. Note that the fraudulent act performed by the terminal 104 with respect to the service providing server 105 is specifically an fraudulent act performed by the user of the terminal 104 using the terminal 104.

  Therefore, it is possible to reduce the possibility that the installer or administrator of the access point 103 will be held accountable.

  Further, according to the present embodiment, the installer or administrator of the access point 103 can investigate the identity of the user of the terminal 104.

  If the terminal 104 only unilaterally transmits an IP packet to the service providing server 105, the IPsec server 102 can omit the NAPT process. However, the above-described case is also possible when the IPsec server 102 omits the NAPT process. Thus, the IPsec server 102 still needs to relay IP packets.

  Accordingly, the installer or administrator of the access point 103 presumes that the user of the terminal 104 is a person who can receive authentication of the installation of the IPsec server 102 from the Internet service provider, and the log storage unit 210 records it. Based on the IP address of the terminal 104 and the IP address of the IPsec server 102, the identity of the user of the terminal 104 can be investigated.

  As described above, even when the access point 103 releases the use without authenticating the user, the unauthorized use can be prevented and the unauthorized user can be traced. The installer can install the access point 103 without an authentication by the Internet service provider and can improve the convenience of the public wireless LAN.

Embodiment 2. FIG.
A second embodiment of the access point according to the present invention will be described with reference to the drawings. The access point 701 according to the second embodiment of the present invention has a NAPT function in addition to the functions of the access point 103 according to the first embodiment. FIG. 7 is a block diagram showing a configuration example of the second embodiment of the access point 701 according to the present invention.

  As illustrated in FIG. 7, the access point 701 according to the second embodiment of this invention includes a NAPT function unit 711 between the WAN side communication unit 207 and the filter 206. Other configurations are the same as the configuration of the access point 103 of the public wireless LAN system according to the first embodiment shown in FIG. 2, and therefore, the same reference numerals as those in FIG.

  Note that the filter 203 does not send an IPsec packet to the IPsec processing unit 205, for example, a UDP packet whose destination port number is 4500, which is obtained by encapsulating the IPsec packet by the wireless LAN communication unit 202 based on UDP (User Data Protocol). Has the function of inputting.

  Further, the filter 206 has a function of inputting, to the IPsec processing unit 205, not an IPsec packet, but, for example, a UDP packet whose source port number is 4500 encapsulated by the NAPT function unit 711 based on UDP. Have.

  The NAPT function unit 711 has a NAPT function, and converts the source IP address and source UDP port number of the upstream packet. The NAPT function unit 711 converts the destination IP address and destination UDP port number of the downstream packet.

  The DHCP server function unit 208 does not need to assign a global address that can be used on the Internet 101 to the terminal 104, and may assign a local address that can be used only within the public wireless LAN 106.

  In the IPsec server 102, the IKE processing unit 302 has a function of understanding the NAT traversal negotiation defined in RFC3947, and the IPsec processing unit 303 has a function of terminating the NAT traversal.

  According to the present embodiment, the DHCP server function unit 208 can allocate a local address that can be used only within the public wireless LAN 106 to the terminal 104 and operate the public wireless LAN 106 with the local address.

  Next, the outline of the present invention will be described. FIG. 8 is a block diagram showing an outline of the present invention. As shown in FIG. 8, the access point 500 according to the present invention includes wireless LAN communication means (corresponding to the wireless LAN communication unit 202 shown in FIG. 2) 501, Internet communication means (WAN side communication unit shown in FIG. 2). And a packet filtering means (corresponding to the filters 203 and 206 shown in FIG. 2) 503.

  The wireless LAN communication unit 501 has a function of transmitting and receiving packets to and from the wireless LAN terminal 510, and transmits packets that have passed through the packet filtering unit 503 among the packets received by the Internet communication unit 502 to the wireless LAN terminal 510.

  The Internet communication unit 502 has a function of transmitting and receiving packets to and from the IPsec server 530 via the Internet 520, and transmits packets that have passed through the packet filtering unit 503 among packets received by the wireless LAN communication unit 501 to the IPsec server 530. To do.

  Then, the IPsec packet transmitted by the Internet communication unit 502 is decoded by the IPsec server 530 and transmitted to the other device 540.

  With such a configuration, the access point 500 relays packet transmission / reception between the wireless LAN terminal 510 and another device 540 connected to the Internet 520 without performing user authentication. It is possible to provide a highly convenient access point that can be used by users who have not contracted.

  In addition, since the access point 500 transmits / receives a packet that has passed through the packet filtering unit 503 to / from another device 540 via the IPsec server 530, a reliable user who is permitted to install the IPsec server 530 by any Internet service provider. Use by other users can be made impossible.

  In addition, the access point 500 is configured to transmit and receive packets to and from another device 540 via the IPsec server 530, and allows the other device 540 to recognize that the other party of the packet is the IPsec server 530. When an unauthorized act is performed using the wireless LAN terminal 510, it is considered that the administrator of the other device 540 asks the administrator of the IPsec server 530 for the responsibility. It is possible to reduce the possibility that the administrator will be held accountable.

  In each of the above embodiments, the following access point is also disclosed.

  Includes address management means (corresponding to the table management unit 209 and log storage unit 210 shown in FIG. 2) for storing in the storage means the source IP address and destination IP address of the IKE packet that has passed through the packet filtering means 503 access point. According to such a configuration, the installer or administrator of the access point 500 can investigate the identity of the user of the wireless LAN terminal 510.

  Access including a packet discarding unit (corresponding to the IPsec packet processing unit 205 shown in FIG. 2) for discarding an IPsec packet having a source IP address not stored in the storage unit among the IPsec packets that have passed through the packet filtering unit 503 Point and a packet discarding unit (corresponding to the IPsec packet processing unit 205 shown in FIG. 2) for discarding an IPsec packet whose destination IP address is not stored in the storage unit among the IPsec packets that have passed through the packet filtering unit 503 Including access points.

  According to such a configuration, the IPsec packet of the source IP address or the destination IP address that is not stored in the storage unit can be discarded, and unauthorized use by the user of the wireless LAN terminal 510 can be prevented.

  An access point 500 that relays packet transmission / reception between another device 540 and the wireless LAN terminal 510 via the IPsec server 530 having a function of terminating NAT traversal, and assigns a local address to the wireless LAN terminal 510 And an IP address conversion unit having a NAPT function.

  According to such a configuration, the public wireless LAN by the access point 500 can be operated with a local address.

  As described above, according to the present invention, the access point 500 relays packet transmission / reception between the wireless LAN terminal 510 and another device 540 connected to the Internet 520 without performing user authentication. It is possible to provide a convenient access point that can be used by a user who has not contracted with an Internet service provider.

  In addition, since the access point 500 transmits and receives packets to and from other devices 540 via the IPsec server 530, the access point 500 cannot be used by a user other than a trusted user who is permitted to install the IPsec server 530 by any Internet service provider. Can be possible.

  Further, the access point 500 is configured to transmit / receive a packet to / from another device 540 via the IPsec server 530, and causes the other device 540 to recognize that the packet transmission / reception partner is the IPsec server 530. When an illegal act is performed using the wireless LAN terminal 510, the administrator of the other device 540 is considered to be responsible for the administrator of the IPsec server 530. It is unlikely that the person will be held accountable.

  The present invention can be applied to an access point used for a public wireless LAN.

101,520 Internet 102,530 IPsec server 103,500,701 Access point 104,510 Terminal 105 Service providing server 106 Public wireless LAN
202 wireless LAN communication unit 203, 206 filter 204 IKE packet processing unit 205 IPsec packet processing unit 207 WAN side communication unit 208 DHCP server function unit 209 table management unit 210 log storage unit 302 IKE processing unit 303 IPsec processing unit 304 NAT processing unit 305 , 306 Internet connection unit 501 Wireless LAN communication unit 502 Internet communication unit 503 Packet filtering unit 540 Other device 711 NAPT function unit

Claims (7)

Wireless LAN communication means for transmitting and receiving packets to and from the wireless LAN terminal;
Internet communication means for transmitting and receiving packets to and from an IPsec server that decrypts received IPsec packets and transmits them to other devices connected to the Internet via the Internet;
Of the packet received by the wireless LAN communication means and the packet received by the Internet communication means, a packet filtering means capable of passing an IKE packet and an IPsec packet,
The wireless LAN communication means transmits a packet that has passed through the packet filtering means among the packets received by the Internet communication means to the wireless LAN terminal,
The access point, wherein the Internet communication unit transmits a packet that has passed through the packet filtering unit among packets received by the wireless LAN communication unit to the IPsec server. The access point according to claim 1, further comprising address management means for storing in the storage means the source IP address and the destination IP address of the IKE packet that has passed through the packet filtering means. The access point according to claim 2, further comprising: a packet discarding unit that discards an IPsec packet having a source IP address that is not stored in the storage unit among the IPsec packets that have passed through the packet filtering unit. The access point according to claim 2, further comprising: a packet discarding unit that discards an IPsec packet having a destination IP address that is not stored in the storage unit among the IPsec packets that have passed through the packet filtering unit. An access point that relays packet transmission / reception between another device and a wireless LAN terminal via an IPsec server having a function of terminating NAT traversal,
Address assignment means for assigning a local address to the wireless LAN terminal;
The access point according to claim 1, further comprising an IP address conversion unit having a NAPT function. A wireless LAN communication step for transmitting and receiving packets to and from the wireless LAN terminal;
An Internet communication step of transmitting and receiving packets to and from an IPsec server that decodes received IPsec packets and transmits them to other devices connected to the Internet via the Internet;
A packet filtering step for performing a process of passing an IKE packet and an IPsec packet out of the packet received in the wireless LAN communication step and the packet received in the Internet communication step;
In the wireless LAN communication step, out of the packets received in the Internet communication step, the packet passed in the packet filtering step is transmitted to the wireless LAN terminal,
The packet relay control method for an access point, wherein, in the Internet communication step, a packet that has passed through the packet filtering step among the packets received in the wireless LAN communication step is transmitted to the IPsec server. The access point packet relay control method according to claim 6, further comprising an address management step of storing in a storage means a source IP address and a destination IP address of an IKE packet that has passed through the filtering step.

Images