JP2013017028A - Communication management device and communication management method - Google Patents

Publication number
JP2013017028A
Authority
JP
Japan
Legal status
Pending
Application number
JP2011148309A
Other languages
Japanese (ja)
Inventor
Hiroyuki Sato
啓之 佐藤
Hironari Minami
裕也 南
Haruno Kataoka
春乃 片岡
Daichi Namikawa
大地 並河
Original Assignee
Nippon Telegraph and Telephone Corporation (NTT)
日本電信電話株式会社

Abstract

PROBLEM TO BE SOLVED: To provide a secure communication method based on agreement between users in a PS network, without using a gateway device, an additional device related to overlay, or the like.

SOLUTION: A communication management device 1 includes: a session management unit 12 that establishes sessions between a plurality of user terminals according to a CS network identifier and, when there is a communication request from the plurality of user terminals related to the sessions, acquires, based on a PS network identifier related to the plurality of user terminals, communication permission/rejection information in the PS network between the plurality of user terminals related to the PS network identifier; and a policy distribution unit 13 that distributes, based on the permission/rejection information, a communication policy related to access control between the plurality of user terminals to network equipment in the PS network to which the plurality of user terminals related to the PS network identifier are subordinate.

Description

  The present invention relates to a communication management apparatus and a communication management method.
  Conventionally, when a user terminal is connected to a public network such as the Internet via a data communication network (PS network: Packet Switching network), the user terminal communicates directly with other user terminals, transmitting and receiving data and the like. However, the user terminal also receives communications from other user terminals connected to the PS network. In particular, if communication from a malicious user terminal is received, there is an increased possibility of abnormal termination of the user terminal, infection with a computer virus, outflow of information, and the like.
  Therefore, as methods by which only specific user terminals communicate with each other, there are a method of controlling communication by combining the network and the user terminals, such as by using session management information and a gateway device (Patent Document 1), and a method using an overlay network or the like (Patent Document 2).
  Further, there are methods of physically or logically dividing the network, such as a method using a dedicated line service, a method of controlling communication using an access list, and a method using a virtual LAN (VLAN) (Non-Patent Document 1). There are also methods using functions on the user terminal side, such as a virtual private network (VPN) (Non-Patent Document 2) or a personal firewall.
Patent Document 1: JP 2011-10123 A
Patent Document 2: JP 2010-199972 A
Non-Patent Document 1: "Virtual Local Area Network", Wikipedia, [online], [searched May 27, 2011], Internet <http://en.wikipedia.org/wiki/Virtual_Local_Area_Network>
Non-Patent Document 2: "Virtual Private Network", Wikipedia, [online], [searched May 27, 2011], Internet <http://en.wikipedia.org/wiki/Virtual_Private_Network>
  However, since the method of Patent Document 1 requires a gateway device or the like, it cannot be used when the user terminal connects to the PS network of a mobile communication network, because the user terminal is then directly connected to the PS network.
  In addition, the method using the overlay network of Patent Document 2 needs to separately add dedicated software and dedicated hardware for using the overlay network.
  In addition, the method of controlling communication using a VLAN or the like of Non-Patent Document 1 is based on the idea that a user terminal belongs to only one group, so it is not suitable for a connection method in which a terminal belongs to multiple groups.
  Further, although the method of Non-Patent Document 2 is secure because communication between the user terminals is limited by using encryption such as IPsec, the user terminal itself is connected to the public network and therefore still receives connections from other terminals connected to the public network. It is also necessary to know each other's PS network identifiers in advance. A method using a personal firewall has a similar problem.
  In addition, the method using the leased line service is for connecting a fixed base for a relatively long period of time, and is not suitable for a short period of connection as necessary.
  There is also a method of controlling communication with an access list or the like in a network device such as a router in the PS network, but an IP address, which is the identification number in the PS network, is often assigned dynamically, and these addresses need to be registered and managed in a control server.
  As described above, according to the conventional technique, access control in the PS network cannot be performed without using a gateway device or an additional device related to overlay.
  Accordingly, an object of the present invention, made in view of the above-described problems, is to provide a communication management apparatus and a communication management method that enable secure communication based on an agreement between users without using a gateway device or an additional device related to overlay in a PS network.
In order to solve the above problems, a communication management apparatus according to the present invention is characterized by having: an address management unit that associates a CS network identifier and a PS network identifier assigned to each user terminal; a session management unit that, when a session is established between a plurality of user terminals based on the CS network identifier and there is a communication request from the plurality of user terminals related to the session, acquires, based on the PS network identifier related to the plurality of user terminals, permission / denial information of communication in a PS network between the plurality of user terminals related to the PS network identifier; and a policy distribution unit that distributes, based on the permission / denial information, a communication policy related to access control between the plurality of user terminals to the network devices of the PS network to which the plurality of user terminals related to the PS network identifier belong.
The communication management method according to the present invention is characterized by including: an address management step of associating a CS network identifier and a PS network identifier assigned to each user terminal; a session management step of, when a session is established between a plurality of user terminals based on the CS network identifier and there is a communication request from the plurality of user terminals related to the session, acquiring, based on the PS network identifier related to the plurality of user terminals, permission / denial information of communication in a PS network between the plurality of user terminals related to the PS network identifier; and a policy distribution step of distributing, based on the permission / denial information, a communication policy relating to access control between the plurality of user terminals to the network devices of the PS network to which the plurality of user terminals related to the PS network identifier belong.
  According to the communication management device and the communication management method of the present invention, access control in a PS network that enables secure communication based on an agreement between users can be performed without using a gateway device or an additional device related to overlay.
  FIG. 1 is a conceptual diagram of the communication management system of one embodiment according to the present invention.
  FIG. 2 is a block diagram showing the structure of the communication management system of one embodiment according to the present invention.
  FIG. 3 is a flowchart showing the operation of the communication management system of one embodiment according to the present invention.
  FIG. 4 is an example of the address management table in the communication management system of one embodiment according to the present invention.
  FIG. 5 is an example of the client-side session management table in the communication management system of one embodiment according to the present invention.
  FIG. 6 is an example of the server-side session management table in the communication management system of one embodiment according to the present invention.
  FIG. 7 is an example of the router management table in the communication management system of one embodiment according to the present invention.
  FIG. 8 is an example of the communication permission list in the communication management system of one embodiment according to the present invention.
  FIG. 9 is an example of the communication destination management table in the communication management system of one embodiment according to the present invention.
  FIG. 10 is a conceptual diagram of the communication management system of a modification according to the present invention.
  Embodiments of the present invention will be described below.
(Embodiment)
  FIG. 1 is a conceptual diagram of a communication management system according to an embodiment of the present invention. FIG. 1 shows a communication management device 1, a user terminal A2, a user terminal B3, a user terminal C4, a CS network (Circuit Switching network) 5 which is a real-time communication network, a PS network 6 which is a data communication network, and routers 61 to 63. In general, the present invention first performs communication by SIP (Session Initiation Protocol) in the CS network 5, which is a real-time communication network, and performs session management there in advance; the user terminals are then identified based on that session management information before identification and communication control between the user terminals of the PS network are performed. Based on this information, the access control of the PS network is changed to allow communication between the user terminals.
  For example, the communication management apparatus 1 changes the settings of the router 61 and the router 62, to which the user terminal A2 and the user terminal B3 are respectively connected, so that communication between the user terminal A2 and the user terminal B3 in the PS network 6 becomes possible after the user terminal A2 and the user terminal B3 have previously communicated via the CS network 5. In this case, if the setting for enabling communication between the user terminal A2 and the user terminal C4 has not been made, communication between the user terminal A2 and the user terminal C4 in the PS network is not possible.
  FIG. 2 is a block diagram showing a configuration of a communication management system according to an embodiment of the present invention. The communication management system according to an embodiment of the present invention includes a communication management device 1, a user terminal A2, a user terminal B3, a CS network 5, a PS network 6, and routers 61 to 63.
  The communication management device 1 includes an address management unit 11, a session management unit 12, and a policy distribution unit 13.
  The address management unit 11 receives the CS network identifier and the PS network identifier received from the user terminal A2 and the user terminal B3, and stores a record (a combination of the CS identifier and the PS identifier) in an address management table described later. At this time, if the record has already been registered, the update time of the record is changed. If the record has not been registered, a record including the received CS identifier, PS identifier, and registration time is stored as a new record.
  The CS network identifier is designated by a communication carrier when a user performs a procedure for receiving a communication service in the CS network 5 and is notified to the user, and is given to each user terminal. Preferably, the CS network identifier is configured by a URI (Uniform Resource Identifier) in SIP. The PS network identifier is notified from the PS network 6 using, for example, DHCP or the like when a user terminal of a user who has a right to receive a communication service connects to the PS network 6. Preferably, the PS network identifier is configured by an IP address (Internet Protocol address).
  Further, when the address management unit 11 receives a request to delete a registered record from the user terminal A2 or the user terminal B3, the address management unit 11 deletes the corresponding record. Further, the address management unit 11 automatically deletes records older than a predetermined period.
  The session management unit 12 manages a SIP session. The following description will be given on the assumption that SIP is preferably used as the protocol, but the protocol is not limited to this, and other similar protocols may be used.
  Specifically, the session management unit 12 updates information in a server-side session management table, which will be described later, based on information received from the SIP client unit 22 of the user terminal A2 or the SIP client unit 32 of the user terminal B3. In addition, the session management unit 12 controls a three-way call session among the user terminal related to the source CS network identifier in the server-side session management table, the user terminal related to the destination CS network identifier, and the communication management device 1.
  In addition, when the three-party call starts, the session management unit 12 plays voice guidance such as “Press 1 to start secure communication based on this call (session); otherwise press 0”, and receives a DTMF (Dual Tone Multi Frequency) signal from the user terminal A2 and the user terminal B3 within a predetermined reception period. The session management unit 12 then transmits a communication start request to the policy distribution unit 13 based on the DTMF signals received from the user terminal A2 and the user terminal B3. That is, the DTMF signal serves as the permission / denial information for secure communication. Specifically, a DTMF signal of “1” is permission / denial information indicating that secure communication is permitted, and a DTMF signal of “0” is permission / denial information indicating that secure communication is refused. As described above, the session management unit 12 acquires the permission / denial information of secure communication between the user terminal A2 and the user terminal B3 from the user terminal A2 and the user terminal B3 by means of the DTMF signals. Furthermore, the session management unit 12 transmits a communication start notification to the application unit 23 of the user terminal A2 and the application unit 33 of the user terminal B3.
  When the session management unit 12 receives a use termination request from the SIP client unit 22 of the user terminal A2 or the SIP client unit 32 of the user terminal B3, the session management unit 12 searches the session management table using the received session ID as a key, and if there is a record of the session ID to be deleted, deletes the information relating to the record. In addition, the session management unit 12 acquires each PS network identifier corresponding to the source CS network identifier and the destination CS network identifier from the address management table. Then, the session management unit 12 transmits a communication end request to the policy distribution unit 13. With the communication end request, the session management unit 12 transmits each PS network identifier corresponding to the source CS network identifier and the destination CS network identifier together. Furthermore, the session management unit 12 transmits a use end notification to the application unit 23 of the user terminal A2 or the application unit 33 of the user terminal B3.
  When the policy distribution unit 13 receives the communication start request from the session management unit 12, the policy distribution unit 13 distributes, based on the PS network identifiers received together with the communication start request, a communication policy for enabling communication between the user terminals related to the PS network identifiers to the router to which each user terminal related to the PS network identifiers belongs. As described above, the policy distribution unit 13 distributes the communication policy to the network device that performs access control, based on the secure communication permission / denial information acquired by the session management unit 12.
  The policy distribution unit 13 recognizes which router is associated with a predetermined PS network identifier based on the routing information exchanged by the routers, and stores the routing information in a router management table described later. The policy distribution unit 13 stores information related to the communication policy transmitted to each router as a communication permission list.
  When the policy distribution unit 13 receives a communication end request from the session management unit 12, the policy distribution unit 13 transmits, to the router to which the user terminal related to the received PS network identifier belongs, a communication policy that disables communication between the user terminals related to the PS network identifiers.
  The user terminal A2 includes an address registration unit 21, a SIP client unit 22, and an application unit 23.
  The address registration unit 21 makes a registration request to the address management unit 11 of the communication management device 1 in accordance with an instruction from the user. At the time of registration request, the address registration unit 21 transmits a CS network identifier and a PS network identifier to be registered.
  In addition, when the use of the user terminal A2 and the user terminal B3 ends, the address registration unit 21 requests the address management unit 11 of the communication management device 1 to delete the registered address, and transmits the CS network identifier and the PS network identifier to be deleted.
  The SIP client unit 22 requests the session management unit 12 of the communication management device 1 to start using this system in accordance with an instruction from the user. In the use start request, the SIP client unit 22 transmits the source CS network identifier, the destination CS network identifier, and the session ID of the use start request generated by the call start notification (SIP INVITE). Then, the SIP client unit 22 stores the transmitted session ID, source CS network identifier, and registration time in a client-side session management table described later.
  When receiving the communication start notification from the session management unit 12 of the communication management device 1, the application unit 23 stores the received information, that is, the source CS network identifier, the PS network identifier corresponding to the source CS network identifier, the destination CS network identifier, and the PS network identifier corresponding to the destination CS network identifier, in a communication destination management table to be described later.
  Further, the application unit 23 notifies the user that communication has started. An example of the notification is “Secure communication has been established between <CS network identifier 1>, <PS network identifier 1> and <CS network identifier 2>, <PS network identifier 2>. Application starts”. Then the application unit 23 starts communication between the user terminals related to the PS network identifiers, that is, the user terminal A2 and the user terminal B3.
  During communication, the application unit 23 activates an external application that uses the data communication network, with a CS network identifier or a PS network identifier other than the PS network identifier of its own user terminal as a parameter, or transitions to the processing of the application that the user actually uses.
  The user terminal B3 includes an address registration unit 31, a SIP client unit 32, and an application unit 33. The address registration unit 31, the SIP client unit 32, and the application unit 33 correspond to the address registration unit 21, the SIP client unit 22, and the application unit 23 of the user terminal A2, and have the same functions.
  The CS network 5 is a communication network between the session management unit 12 of the communication management device 1, the SIP client unit 22 of the user terminal A2, and the SIP client unit 32 of the user terminal B3, and complies with the SIP protocol.
  The PS network 6 is a communication network between the address management unit 11 and the policy distribution unit 13 of the communication management device 1, the address registration unit 21 and the application unit 23 of the user terminal A2, the address registration unit 31 and the application unit 33 of the user terminal B3, and the routers 61 to 63, and complies with the IP protocol.
  The router 61 performs access control and routing of the network to which the user terminal A2 belongs. The router 62 performs access control and routing of the network to which the user terminal B3 belongs. The router 63 performs access control and routing of the network to which the user terminal C4 belongs. For example, in order to perform secure communication between the user terminal A2 and the user terminal B3, both the router 61 and the router 62, which are the routers to which each user terminal belongs, need to perform access control and permit the communication. The routers 61 to 63 are not limited to this, and may be any network device as long as it is a device that performs access control.
  Next, the operation of the communication management system according to the embodiment of the present invention will be described with reference to the flowchart shown in FIG. In the following description, it is assumed that the user terminal A2 communicates with the user terminal B3 via the CS network 5, and then the user terminal A2 and the user terminal B3 communicate via the PS network 6.
  First, the address registration unit 21 of the user terminal A2 makes a registration request to the address management unit 11 of the communication management device 1 according to an instruction from the user (step S1). At the time of registration request, the address registration unit 21 transmits a CS network identifier and a PS network identifier to be registered. Here, the CS network identifier assigned to the user terminal A2 and the PS network identifier are transmitted.
  Next, the address registration unit 31 of the user terminal B3 makes a registration request to the address management unit 11 of the communication management device 1 (step S2). In the registration request, the address registration unit 31 transmits a CS network identifier and a PS network identifier to be registered. Here, the CS network identifier assigned to the user terminal B3 and the PS network identifier are transmitted.
  The address management unit 11 receives the CS network identifier and the PS network identifier transmitted from the user terminal A2 and the user terminal B3, and stores the record (combination of CS identifier and PS identifier) in the address management table. At this time, if the record has already been registered, the address management unit 11 changes the update time of the record. If the record has not been registered, the address management unit 11 stores a record including the received CS identifier, PS identifier, and registration time as a new record.
  FIG. 4 shows the address management table stored in this way. In the address management table shown in FIG. 4, records relating to the user terminal A2 and the user terminal B3 are stored in the first and second lines, respectively. Specifically, the first line stores the SIP URI “sip:4849@ntt.co.jp” as the CS network identifier, the IP address “192.168.2.1” as the PS network identifier, and “2011/02/28 16:34” as the time at which the record was stored or updated. Similarly, the second line stores the SIP URI “sip:3033@ntt.co.jp” as the CS network identifier, the IP address “192.168.3.4” as the PS network identifier, and “2011/03/01 20:23” as the time at which the record was stored or updated.
  Subsequently, the SIP client unit 22 of the user terminal A2 makes a use start request to the session management unit 12 of the communication management device 1 in accordance with an instruction from the user (step S3). In the use start request, the SIP client unit 22 transmits the source CS network identifier, the destination CS network identifier, and the session ID of the use start request generated by the call start notification (SIP INVITE). In addition, the SIP client unit 22 stores the transmitted session ID, source CS network identifier, and registration time in the client-side session management table.
  FIG. 5 shows the client-side session management table stored in this way. The client side session management table shown in FIG. 5 stores information related to the session of the user terminal A2. For example, in the first line, “10000001” is stored as the session ID, “sip: 4849@ntt.co.jp” is stored as the transmission source CS network identifier, and “2011/03/01 16:34” is stored as the registration time.
  When receiving the source CS network identifier, the destination CS network identifier, and the session ID from the SIP client unit 22 of the user terminal A2, the session management unit 12 of the communication management device 1 updates the information in the server-side session management table based on the received information. Specifically, the session management unit 12 checks for the presence or absence of a record using the received session ID, source CS network identifier, and destination CS network identifier as keys. When the record does not exist, the session management unit 12 adds a record based on the session ID, the source CS network identifier, and the destination CS network identifier. Then, the phase relating to the session ID is updated to “waiting for user terminal B3”.
  FIG. 6 shows the server-side session management table stored in this way. The server-side session management table shown in FIG. 6 stores information on sessions managed by the communication management device 1. For example, in the first line, “10000001” as the session ID, “sip: 4849@ntt.co.jp” as the source CS network identifier, “sip: 3033@ntt.co.jp” as the destination CS network identifier, “Waiting for user terminal B3” is stored as the phase.
  The phase represents the current status of the session, and transitions according to the session status. Specifically, when a predetermined record is first registered in the server-side session management table, the phase becomes “waiting state of user terminal related to destination CS network identifier”. Subsequently, when there is a response from the user terminal related to the destination CS network identifier, the phase shifts to “waiting state of the user terminal related to the source CS network identifier”. Subsequently, when there is a response from the user terminal related to the source CS network identifier, the phase shifts to “busy”.
  Subsequently, the session management unit 12 issues a usage start instruction to the SIP client unit 32 of the user terminal B3 related to the destination CS network identifier using an instant message (SIP Message Method, etc.) (step S4). At this time, the session management unit 12 transmits a source CS network identifier. Furthermore, the session management unit 12 transmits a call start notification (SIP INVITE) to the user terminal B3 related to the destination CS network identifier (step S5). At this time, the session management unit 12 transmits the source CS network identifier and the session ID.
  Upon reception of the use start instruction, the SIP client unit 32 of the user terminal B3 displays on a display unit or the like (not shown) that there is a request for secure communication from the user terminal A2 corresponding to the source CS network identifier, and notifies the user. An example of the display is “<source CS network identifier> requests secure communication”. A specific SIP URI is inserted in the <source CS network identifier> portion.
  When the SIP client unit 32 receives a call start notification, a source CS network identifier, and a session ID from the session management unit 12 of the communication management device 1, and the received session ID matches a session ID in the client-side session management table, it displays the contents on a display unit (not shown) and notifies the user. A display example is “<source CS network identifier> requests to start a call for confirmation”. A specific SIP URI is inserted in the <source CS network identifier> portion.
  Subsequently, the SIP client unit 32 sends an acknowledgment (SIP ACK) with respect to the call start request of the source CS network identifier to the session management unit 12 of the communication management device 1 in accordance with an instruction from the user (step S6). ). At this time, the SIP client unit 32 also transmits the CS network identifier, the source CS network identifier, and the session ID of the user terminal.
  When the confirmation response and the session ID are received from the SIP client unit 32 of the user terminal (in this case, the user terminal B3) indicated by the destination CS network identifier, the session management unit 12 of the communication management device 1 performs server-side session management. If the session ID phase in the table is waiting for user terminal B3, the session ID phase in the server-side session management table is changed to "waiting for user terminal A2". Furthermore, the session management unit 12 transmits a call start notification to the SIP client unit 22 of the user terminal (in this case, the user terminal A2) indicated by the transmission source CS network identifier (step S7). At this time, the session management unit 12 transmits the source CS network identifier and the destination CS network identifier.
  Subsequently, when the SIP client unit 22 of the user terminal A2 receives the call start notification, the transmission source CS network identifier, and the session ID from the session management unit 12 of the communication management device 1, the communication management device according to an instruction from the user. An acknowledgment (SIP ACK) is sent to the session management unit 12 for the call origination request of the source CS network identifier (step S8). At this time, the SIP client unit 22 also transmits a session ID.
  When the confirmation response is received, the session management unit 12 of the communication management device 1 determines that the session ID in the server side session management table is “waiting for user terminal A2” in the server side session management table. Change the phase of the session ID to “busy”. Further, the session management unit 12 is a three-way communication between the three of the user terminal related to the source CS network identifier of the server-side session management table, the user terminal related to the destination CS network identifier, and the communication management device 1. Start a call.
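  The session-ID binding and phase transitions of steps S6 to S8, as an added illustration in Python. This is not code from the patent; the table layout, the class and method names, and the phase strings of the form "waiting for <terminal>" are assumptions. The point it makes explicit is that an acknowledgment only advances a session when it carries a known session ID and comes from the terminal the current phase is waiting on.

```python
"""Session-ID binding and phase transitions of steps S6 to S8.

Added illustration; not the patent's code. Table layout, class names and
the phase strings are assumptions.
"""


class SessionManagementUnit:
    """Server-side session management table of the communication management
    device 1 and its handling of the SIP ACKs of steps S6 and S8."""

    BUSY = "busy"

    def __init__(self):
        self.table = {}   # session ID -> {"src", "dst", "phase"}
        self.sent = []    # (recipient CS network identifier, message) log

    def open_session(self, session_id, src_cs, dst_cs):
        """Called once the source's call request has been accepted: the device
        notifies the destination and waits for its acknowledgment."""
        self.table[session_id] = {"src": src_cs, "dst": dst_cs,
                                  "phase": f"waiting for {dst_cs}"}
        self.sent.append((dst_cs, ("call start notification", src_cs, session_id)))

    def on_ack(self, session_id, from_cs):
        """Handle a SIP ACK. Only the terminal the current phase is waiting on
        may advance the session; any other ACK is ignored, so a stale or
        foreign session ID cannot move a session toward "busy"."""
        rec = self.table.get(session_id)
        if rec is None:
            return "ignored: unknown session ID"
        if rec["phase"] == f"waiting for {rec['dst']}" and from_cs == rec["dst"]:
            rec["phase"] = f"waiting for {rec['src']}"            # S6 -> S7
            self.sent.append((rec["src"], ("call start notification",
                                           rec["src"], rec["dst"], session_id)))
            return rec["phase"]
        if rec["phase"] == f"waiting for {rec['src']}" and from_cs == rec["src"]:
            rec["phase"] = self.BUSY                                # S8: three-party call
            return rec["phase"]
        return f"ignored: ACK from {from_cs} in phase '{rec['phase']}'"


class SipClientUnit:
    """Client-side check of the call start notification: it is shown to the
    user only if the session ID matches the client-side session management table."""

    def __init__(self, own_cs, session_id):
        self.own_cs, self.session_id = own_cs, session_id

    def on_call_start(self, src_cs, session_id):
        if session_id != self.session_id:
            return None   # not our session: nothing is displayed
        return f"{src_cs} requests to start a call for confirmation"


if __name__ == "__main__":
    smu = SessionManagementUnit()
    smu.open_session("s1", "sip:4849@ntt.co.jp", "sip:3033@ntt.co.jp")
    print(smu.on_ack("s1", "sip:4849@ntt.co.jp"))   # ignored: A2 is not yet expected
    print(smu.on_ack("s1", "sip:3033@ntt.co.jp"))   # waiting for sip:4849@ntt.co.jp
    print(smu.on_ack("s1", "sip:4849@ntt.co.jp"))   # busy
```

  The ordering check matters because the "busy" phase is what later gates the three-party call and the DTMF consent step; an ACK from the source terminal arriving before the destination has acknowledged is left without effect rather than short-circuiting the handshake.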
  Once the three-party call has started, the session management unit 12 plays voice guidance to the user terminal related to the source CS network identifier (here, the user terminal A2) and the user terminal related to the destination CS network identifier (here, the user terminal B3), prompting each user to send a DTMF signal: "1" to start secure communication based on this call (session), "0" not to start it (step S9). In this way, the session management unit 12 acquires from each user terminal, via the DTMF signal, the permission/denial information for secure communication between the user terminal A2 and the user terminal B3.
  Next, the SIP client unit 22 of the user terminal A2, having received the voice guidance from the session management unit 12 of the communication management device 1, plays it through a speaker (not shown) so that the user can hear it. The SIP client unit 22 also transmits what the user says to the session management unit 12. In addition, in accordance with the user's instruction, the SIP client unit 22 transmits a DTMF signal to the session management unit 12 within the predetermined reception period (step S10).
  Similarly, the SIP client unit 32 of the user terminal B3, having received the voice guidance from the session management unit 12 of the communication management device 1, plays it through a speaker (not shown) so that the user can hear it. The SIP client unit 32 also transmits what the user says to the session management unit 12. In addition, in accordance with the user's instruction, the SIP client unit 32 transmits a DTMF signal to the session management unit 12 within the predetermined reception period (step S11).
  The session management unit 12 of the communication management device 1 receives the DTMF signal "1" or "0" from each of the user terminal A2 and the user terminal B3. When "1" is received from both the user terminal A2 and the user terminal B3, the session management unit 12 obtains, from the address management table shown in the figure referred to above, the PS network identifier corresponding to each of the source CS network identifier and the destination CS network identifier. Specifically, here it obtains the PS network identifier "192.168.2.1" corresponding to the source CS network identifier "sip:4849@ntt.co.jp" and the PS network identifier "192.168.3.4" corresponding to the destination CS network identifier "sip:3033@ntt.co.jp". The session management unit 12 then transmits a communication start request to the policy distribution unit 13 (step S12), passing the acquired PS network identifiers with it.
  When the policy distribution unit 13 receives the communication start request, it distributes, based on the received PS network identifiers, a communication policy enabling communication between the user terminals related to those PS network identifiers to the network devices, namely the routers to which those PS network identifiers belong (step S13). In this way, the policy distribution unit 13 distributes a communication policy that governs access control to the network devices performing access control, based on the secure communication permission/denial information acquired by the session management unit 12.
  Specifically, the policy distribution unit 13 distributes to the router 61, to which the PS network identifier "192.168.2.1" belongs, a communication policy permitting communication with the PS network identifier "192.168.3.4". It likewise distributes to the router 62, to which the PS network identifier "192.168.3.4" belongs, a communication policy permitting communication with the PS network identifier "192.168.2.1".
  The policy distribution unit 13 knows which router is responsible for "192.168.2.1" or "192.168.3.4" from the routing information exchanged between the routers, which is stored in the router management table.
  FIG. 7 shows an example of the router management table in which the routing information is stored. The first row stores the router identifier "Ra" of the router 61 and the PS network identifiers "192.168.2.1" and "192.168.2.2" that belong to the router 61. Similarly, the second row stores the router identifier "Rb" of the router 62 and the PS network identifiers "192.168.3.3" and "192.168.3.4" that belong to the router 62.
  When the router 61 receives the communication policy transmitted from the policy distribution unit 13, it performs communication control in the PS network 6 based on that policy, permitting or denying communication between the user terminals related to the PS network identifiers.
  Similarly, when the router 62 receives the communication policy transmitted from the policy distribution unit 13, it performs communication control in the PS network 6 based on that policy, permitting or denying communication between the user terminals related to the PS network identifiers.
  The policy distribution unit 13 also stores information on the communication policies transmitted to each router as a communication permission list. FIG. 8 shows an example of the communication permission list. The first row stores the router identifier "Ra" of the router 61, the source PS network identifier "192.168.2.1", the destination PS network identifier "192.168.3.4", and the indication "permission" meaning that communication is permitted. The second row stores the router identifier "Rb" of the router 62, the source PS network identifier "192.168.3.4", the destination PS network identifier "192.168.2.1", and the indication "permission" meaning that communication is permitted.
  Subsequently, the session management unit 12 of the communication management device 1 transmits a communication start notification to the application unit 23 of the user terminal A2 related to the PS network identifier "192.168.2.1" (step S14), sending with it the source CS network identifier, the PS network identifier corresponding to it, the destination CS network identifier, and the PS network identifier corresponding to that. Similarly, the session management unit 12 transmits a communication start notification, accompanied by the same four identifiers, to the application unit 33 of the user terminal B3 related to the PS network identifier "192.168.3.4" (step S15).
  When the application unit 23 of the user terminal A2 receives the communication start notification from the session management unit 12, it stores the received information, namely the source CS network identifier, the PS network identifier corresponding to it, the destination CS network identifier, and the PS network identifier corresponding to that, in its communication destination management table. FIG. 9 shows the communication destination management table stored in this way: the first row holds the source CS network identifier "sip:4849@ntt.co.jp" and the corresponding PS network identifier "192.168.2.1"; the second row holds the destination CS network identifier "sip:3033@ntt.co.jp" and the corresponding PS network identifier "192.168.3.4". Similarly, when the application unit 33 of the user terminal B3 receives the communication start notification, it stores the same received information in its communication destination management table.
  The application unit 23 of the user terminal A2 and the application unit 33 of the user terminal B3 then notify the user that communication has started. An example notification is "Secure communication has been established between <CS network identifier 1>, <PS network identifier 1> and <CS network identifier 2>, <PS network identifier 2>. Starting the application." Communication between the user terminals related to the PS network identifiers, that is, between the user terminal A2 and the user terminal B3 in the PS network 6, then starts (step S16).
  During communication, the application unit 23 of the user terminal A2 and the application unit 33 of the user terminal B3 take the CS network identifier and PS network identifier other than their own (that is, the peer's identifiers) as parameters and either launch an external application that uses the data communication network or hand over to the processing of the application the user actually uses.
  Next, the operation at the end of communication is described. Communication ends when either the user terminal A2 or the user terminal B3 makes a use-end request. The case where the user terminal A2 makes the request is described below as steps S17a to S20a, and the case where the user terminal B3 makes it as steps S17b to S20b.
  First, in accordance with an instruction from the user, the SIP client unit 22 of the user terminal A2 transmits a use-end request to the session management unit 12 of the communication management device 1 (step S17a). In the use-end request, the SIP client unit 22 transmits the source CS network identifier, the destination CS network identifier, and the session ID in use. It also deletes the related record from the client-side session management table, using the session ID as the key.
  When the use-end request is received from the SIP client unit 22 of the user terminal A2, the session management unit 12 of the communication management device 1 searches the session management table using the received session ID as the key and, if a record for that session ID exists, deletes the information related to that record. It also acquires from the address management table the PS network identifiers corresponding to the source CS network identifier and the destination CS network identifier. The session management unit 12 then transmits a communication end request to the policy distribution unit 13 (step S18a), sending with it the PS network identifiers corresponding to the source and destination CS network identifiers.
  When the communication end request is received from the session management unit 12, the policy distribution unit 13 transmits to the router to which each received PS network identifier belongs a communication policy that disables communication between the user terminals related to those PS network identifiers (step S19a). A router that receives this communication policy disables communication between the user terminals related to the PS network identifiers.
  Subsequently, the session management unit 12 notifies the user terminal B3 related to the destination CS network identifier of the end of use (step S20a). When the application unit 33 of the user terminal B3 receives the use-end notification and holds a pair of PS network identifier and CS network identifier other than its own (that is, when communication with another user terminal has been started), it ends that communication according to the procedure described above for the session management unit 12 of the communication management device 1. The application unit 33 also notifies the user that communication has ended; an example notification is "The application will be terminated". It further terminates the external application using the data communication network, or the application the user was actually using. Finally, the application unit 33 deletes the CS network identifier and PS network identifier that are not its own from the communication destination management table, which completes the communication end process.
  Next, the case where the user terminal B3 makes the use-end request is described. First, in accordance with an instruction from the user, the SIP client unit 32 of the user terminal B3 transmits a use-end request to the session management unit 12 of the communication management device 1 (step S17b). In the use-end request, the SIP client unit 32 transmits the source CS network identifier, the destination CS network identifier, and the session ID in use. It also deletes the related record from the client-side session management table, using the session ID as the key.
  When the use-end request is received from the SIP client unit 32 of the user terminal B3, the session management unit 12 of the communication management device 1 searches the session management table using the received session ID as the key and, if a record for that session ID exists, deletes the information related to that record. It also acquires from the address management table the PS network identifiers corresponding to the source CS network identifier and the destination CS network identifier. The session management unit 12 then transmits a communication end request to the policy distribution unit 13 (step S18b), sending with it the PS network identifiers corresponding to the source and destination CS network identifiers.
  When the communication end request is received from the session management unit 12, the policy distribution unit 13 transmits to the router to which each received PS network identifier belongs a communication policy that disables communication between the user terminals related to those PS network identifiers (step S19b). A router that receives this communication policy disables communication between the user terminals related to the PS network identifiers.
  Subsequently, the session management unit 12 notifies the other party in the session, the user terminal A2, of the end of use (step S20b). When the application unit 23 of the user terminal A2 receives the use-end notification and holds a pair of PS network identifier and CS network identifier other than its own (that is, when communication with another user terminal has been started), it ends that communication according to the procedure described above for the session management unit 12 of the communication management device 1. The application unit 23 also notifies the user that communication has ended; an example notification is "The application will be terminated". It further terminates the external application using the data communication network, or the application the user was actually using. Finally, the application unit 23 deletes the CS network identifier and PS network identifier that are not its own from the communication destination management table, which completes the communication end process.
  As described above, according to the present invention, the session management unit 12 uses a session in the CS network 5 to perform access control in the PS network 6, so access control in the PS network 6 that enables secure communication based on agreement between users can be performed without a gateway device or an additional device related to an overlay.
  Furthermore, the user can identify the communication partner solely by the CS network identifier, which is easy for the user to understand, without being aware of the PS network identifier, and can therefore communicate more safely.
  Further, when either user terminal refuses secure communication, no communication takes place in the PS network 6. Unintended communication in the PS network 6 is therefore eliminated, and it becomes harder for a security attack targeting a security hole to succeed.
  Note that the order of step S1 and step S2 is not limited to the one described; the user terminal B3 may register first and the user terminal A2 afterward.
  If the DTMF signal "0" is received in step S10 or step S11, the process does not proceed to step S12. In this case, permission/denial information refusing secure communication has been acquired from the user terminal A2 or the user terminal B3. The session management unit 12 then deletes the record for that session ID from the session management table. It further acquires from the address management table the PS network identifiers corresponding to the source CS network identifier and the destination CS network identifier and transmits a communication end request to the policy distribution unit 13, sending with it the PS network identifier corresponding to each of the source and destination CS network identifiers. The session management unit 12 also transmits a communication end notification to the application unit 23 and the application unit 33 of the user terminals related to those PS network identifiers (here, the user terminal A2 and the user terminal B3), sending with it the source CS network identifier, the PS network identifier corresponding to it, the destination CS network identifier, and the PS network identifier corresponding to that.
  In step S10 or step S11, if the user terminal A2 or the user terminal B3 does not transmit a DTMF signal within the predetermined period, the system may be configured to treat this as receipt of secure communication refusal information from the terminal that did not transmit. That is, in this case the session management unit 12 performs the same processing as when the DTMF signal "0" is received.
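  The consent-gated policy distribution of steps S9 to S13, the policy teardown of steps S18 and S19, and the DTMF "0" and timeout handling described just above, combined into one added Python illustration. This is not the patent's code: the two address-table entries and the FIG. 7 router table are taken from the description, but the default-deny router simulation, the way the permission list is keyed, and all class and function names are assumptions.

```python
"""Consent-gated policy distribution (S9 to S13), teardown (S18, S19) and the
DTMF '0' / timeout rule. Added illustration; not the patent's code."""
from dataclasses import dataclass, field

PERMIT, DENY = "permission", "deny"

# Address management table: CS network identifier -> PS network identifier.
# Only the two entries the description names; constructed sample data.
ADDRESS_TABLE = {
    "sip:4849@ntt.co.jp": "192.168.2.1",
    "sip:3033@ntt.co.jp": "192.168.3.4",
}

# Router management table of FIG. 7: router identifier -> PS identifiers behind it.
ROUTER_TABLE = {
    "Ra": {"192.168.2.1", "192.168.2.2"},
    "Rb": {"192.168.3.3", "192.168.3.4"},
}


def router_for(ps_id):
    """Which router a PS network identifier belongs to (learned from routing info)."""
    for router, members in ROUTER_TABLE.items():
        if ps_id in members:
            return router
    raise KeyError(f"no router holds {ps_id}")


class Router:
    """Simulated PS network device (assumption): default deny, forwarding only
    the source/destination pairs the policy distribution unit has permitted."""

    def __init__(self, name):
        self.name = name
        self.allowed = set()

    def apply(self, src, dst, action):
        if action == PERMIT:
            self.allowed.add((src, dst))
        else:
            self.allowed.discard((src, dst))

    def forwards(self, src, dst):
        return (src, dst) in self.allowed


@dataclass
class PolicyDistributionUnit:
    routers: dict
    # Communication permission list of FIG. 8: (router, src, dst) -> action
    permission_list: dict = field(default_factory=dict)

    def distribute(self, src_ps, dst_ps, action):
        # One policy per direction, each delivered to the router owning its source.
        for a, b in ((src_ps, dst_ps), (dst_ps, src_ps)):
            r = router_for(a)
            self.routers[r].apply(a, b, action)
            self.permission_list[(r, a, b)] = action


def consent_given(dtmf, terminals):
    """S9 to S11: secure communication starts only if every terminal sent "1"
    within the reception period; "0" or no signal at all (timeout) is a refusal."""
    return all(dtmf.get(t) == "1" for t in terminals)


def start_request(pdu, src_cs, dst_cs, dtmf):
    """S12/S13, or the refusal path: returns (started, src_ps, dst_ps)."""
    src_ps, dst_ps = ADDRESS_TABLE[src_cs], ADDRESS_TABLE[dst_cs]
    started = consent_given(dtmf, (src_cs, dst_cs))
    pdu.distribute(src_ps, dst_ps, PERMIT if started else DENY)
    return started, src_ps, dst_ps


def end_request(pdu, src_cs, dst_cs):
    """S18/S19: a use-end request from either side tears the policy down."""
    pdu.distribute(ADDRESS_TABLE[src_cs], ADDRESS_TABLE[dst_cs], DENY)


def run_scenario(dtmf):
    """Full lifecycle for A2 (sip:4849) and B3 (sip:3033); returns what the routers did."""
    pdu = PolicyDistributionUnit({r: Router(r) for r in ROUTER_TABLE})
    a, b = "sip:4849@ntt.co.jp", "sip:3033@ntt.co.jp"
    started, a_ps, b_ps = start_request(pdu, a, b, dtmf)
    ra, rb = pdu.routers["Ra"], pdu.routers["Rb"]
    during = ra.forwards(a_ps, b_ps) and rb.forwards(b_ps, a_ps)
    bystander = ra.forwards("192.168.2.2", b_ps)   # other host behind Ra stays blocked
    end_request(pdu, a, b)
    after = ra.forwards(a_ps, b_ps) or rb.forwards(b_ps, a_ps)
    return {"started": started, "during": during, "bystander": bystander,
            "after": after, "permission_list": dict(pdu.permission_list)}


if __name__ == "__main__":
    print(run_scenario({"sip:4849@ntt.co.jp": "1", "sip:3033@ntt.co.jp": "1"}))
    print(run_scenario({"sip:4849@ntt.co.jp": "1"}))   # B3 sent nothing: timeout
```

  Two properties are worth checking against such a model: the policy is per source/destination pair, so another host behind the same router gains nothing from A2's consent, and the refusal and timeout paths push the same disabling policy as a normal teardown, so the routers are never left in the permitting state when only one side agreed.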
(Modification)
A modification of the present invention is described below. FIG. 10 shows a schematic diagram of the modification. In the communication management system according to the modification, the user terminal D7 related to the CS network identifier and the user terminal E8 related to the PS network identifier are different user terminals used by the same user. That is, the user terminal D7 related to the CS network identifier communicates over the CS network 5, and secure communication of the user terminal E8 related to the PS network identifier in the PS network 6 is controlled based on the secure communication permission information from the user terminal D7.
  In this case, the address management unit 11 of the communication management device 1 associates the CS network identifier with a PS network identifier assigned to a user terminal different from the user terminal related to the CS network identifier.
  Note that the user terminal D7 and the user terminal E8 communicate with each other and share the CS network identifier and the PS network identifier assigned to each.
  In the configuration of the modification, the address registration unit provided in the user terminal may be provided in either the user terminal D7 or the user terminal E8, and the SIP client unit need only be provided in the user terminal D7. The registration request to the address management unit 11 of the communication management device 1 is executed once when whichever of the user terminal D7 and the user terminal E8 has the address registration unit is activated, and again whenever these identifiers change.
  As described above, according to the communication management system, communication management device, and communication management method of this modification, the user terminal related to the PS network identifier differs from the user terminal related to the CS network identifier, the address registration unit may be provided in either user terminal, and the SIP client unit need only be provided in the user terminal related to the CS network identifier, which allows a more flexible system design.
  Although the present invention has been described with reference to the drawings and embodiments, those skilled in the art can easily make various modifications and corrections based on this disclosure, and such variations and modifications are included within the scope of the present invention. For example, the functions of each member, means, step, and so on may be rearranged so long as no logical contradiction results, and a plurality of means, steps, and so on may be combined into one or divided.
DESCRIPTION OF SYMBOLS
1 Communication management device
2 User terminal A
3 User terminal B
4 User terminal C
5 CS network
6 PS network
7 User terminal D
8 User terminal E
11 Address management unit
12 Session management unit
13 Policy distribution unit
21, 31 Address registration unit
22, 32 SIP client unit
23, 33 Application unit
61, 62, 63 Router

Claims (6)

  1. A communication management device comprising:
    an address management unit that associates a CS network identifier and a PS network identifier assigned to each user terminal;
    a session management unit that, when a session has been established between a plurality of user terminals based on the CS network identifier and there is a communication request from the plurality of user terminals related to the session, acquires, based on the PS network identifiers related to the plurality of user terminals, permission/denial information for communication in a PS network between the plurality of user terminals related to the PS network identifiers; and
    a policy distribution unit that distributes, based on the permission/denial information, a communication policy relating to access control between the plurality of user terminals to the network devices of the PS network to which the plurality of user terminals related to the PS network identifiers belong.
  2. The communication management device according to claim 1, wherein, when the session management unit acquires permission/denial information refusing the communication from at least one of the plurality of user terminals related to the session, the policy distribution unit distributes, based on that refusal information, a communication policy that denies communication between the plurality of user terminals to the network devices of the PS network to which the plurality of user terminals related to the PS network identifiers belong.
  3. The communication management device according to claim 1, wherein the address management unit associates a CS network identifier with a PS network identifier assigned to a user terminal different from the user terminal related to the CS network identifier.
  4. A communication management method comprising:
    an address management step of associating a CS network identifier and a PS network identifier assigned to each user terminal;
    a session management step of, when a session has been established between a plurality of user terminals based on the CS network identifier and there is a communication request from the plurality of user terminals related to the session, acquiring, based on the PS network identifiers related to the plurality of user terminals, permission/denial information for communication in a PS network between the plurality of user terminals related to the PS network identifiers; and
    a policy distribution step of distributing, based on the permission/denial information, a communication policy relating to access control between the plurality of user terminals to the network devices of the PS network to which the plurality of user terminals related to the PS network identifiers belong.
  5. The communication management method according to claim 4, wherein, when the session management step acquires permission/denial information refusing the communication from at least one of the plurality of user terminals related to the session, the policy distribution step distributes, based on that refusal information, a communication policy that denies communication between the plurality of user terminals to the network devices of the PS network to which the plurality of user terminals related to the PS network identifiers belong.
  6. The communication management method according to claim 4 or 5, wherein the address management step associates a CS network identifier with a PS network identifier assigned to a user terminal different from the user terminal related to the CS network identifier.
JP2011148309A 2011-07-04 2011-07-04 Communication management device and communication management method Pending JP2013017028A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2011148309A JP2013017028A (en) 2011-07-04 2011-07-04 Communication management device and communication management method

Publications (1)

Publication Number Publication Date
JP2013017028A true JP2013017028A (en) 2013-01-24

Family

ID=47689265

Country Status (1)

Country Link
JP (1) JP2013017028A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004048340A (en) * 2002-07-11 2004-02-12 Ntt Me Corp System for controlling access / connection quality to wide area computer communication network
JP2007312345A (en) * 2006-04-20 2007-11-29 Fujitsu Ltd System for connecting information processing devices associated with ip telephones
JP2009182660A (en) * 2008-01-30 2009-08-13 Nippon Telegr & Teleph Corp <Ntt> Connection control system, method, and program

Legal Events

Date Code Title Description
2013-08-26 A621 Written request for application examination (JAPANESE INTERMEDIATE CODE: A621)
2014-04-24 A977 Report on retrieval (JAPANESE INTERMEDIATE CODE: A971007)
2014-05-07 A131 Notification of reasons for refusal (JAPANESE INTERMEDIATE CODE: A131)
2014-06-12 A521 Written amendment (JAPANESE INTERMEDIATE CODE: A523)
2014-12-02 A02 Decision of refusal (JAPANESE INTERMEDIATE CODE: A02)