JP2013030890A - Communication device and communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication device and a communication method allowing communication with a high security level while reducing a processing load, when communicating through a plurality of networks having different security levels.SOLUTION: The communication device includes: first transmission/reception means for communicating through a first network having a high security level; second transmission/reception means for communicating through a second network having a security level lower than the first network; distribution means for distributing a transmission data packet to the first network or the second network; and coding means for outputting the transmission data packet distributed to the first network by the distribution means to the first transmission/reception means and for network-coding the transmission data packet distributed to the second network using the transmission data packet distributed to the first network as a key packet to output it to the second transmission/reception means.

Description

  The present invention relates to a communication apparatus and a communication method for performing communication via a plurality of networks having different security levels.

  FIG. 7 shows a configuration example of a communication system that performs communication via a plurality of networks (Patent Document 1).

  In FIG. 7, communication devices 71 and 72 are oppositely connected via a wireless LAN access network 73 and a mobile phone access network 74. The communication device 71 includes an interface unit that can be connected to the wireless LAN base station AP of the wireless LAN access network 73 and the mobile phone base station BS of the mobile phone access network 74. The communication device 71 may be, for example, a wireless terminal that can be connected to each access network, or a wireless relay device that performs a relay process between a wireless LAN terminal that is locally connected to a wireless LAN and each access network. Also good. The communication device 72 may be a relay node that is connected to the wireless LAN access network 73 and the mobile phone access network 74 and performs a relay process with the upper server 75 via the relay network 75.

  When the communication device 71 can be connected to both the wireless LAN access network 73 and the mobile phone access network 74, the communication device 71 is usually connected to the opposite communication device 72 via the inexpensive and high-speed wireless LAN access network 73, and In the case of outside the area or the like, a switching operation for connecting to the opposing communication device 72 via the mobile phone access network 74 is performed.

JP 2010-021878 A

  By the way, the access networks connecting the communication devices 71 and 72 have different security levels. Specifically, when the wireless LAN access network (public wireless LAN) 73 and the mobile phone access network 74 are compared, the equipment related to the mobile phone network is managed by a communication carrier, but the public wireless LAN is a FON As described above, there is a configuration in which a base station at home is opened, and a physical space such as a public space or a store office where physical security is not ensured.

  Here, the wireless section can use encryption such as AES, but it is unclear whether the wireless LAN access network connected to the wireless LAN base station AP has a high security level. It can be done easily.

  To deal with this problem, it is conceivable to encrypt the traffic itself, that is, in an upper layer, but the load increases when the processing capability of the wireless terminal is low.

  Although it is conceivable to use only a mobile phone access network with a high security level, the wireless LAN is faster and cheaper, so the convenience is impaired. In addition, the wireless resource cannot be effectively used even though the communication apparatus includes a plurality of WAN interface units.

  An object of the present invention is to provide a communication device and a communication method that enable communication with a high security level while reducing processing load when communication is performed via a plurality of networks having different security levels.

  According to a first aspect of the present invention, there is provided a communication device that uses a plurality of networks having different security levels in parallel and communicates with a communication device facing each other via the plurality of networks. First transmission / reception means for communicating via the second network, second transmission / reception means for communication via the second network whose security level is lower than that of the first network, and transmission data packets to the first network or second Distribution means for distributing to the first network, the transmission data packet distributed to the first network by the distribution means to the first transmission / reception means, and the second transmission data packet distributed to the first network as the key packet Send data packets distributed to other networks And a coding means for outputting to the second transceiver means in bridging of.

  In the communication device of the first invention, the allocating means determines the amount of transmission data packets to be allocated to each so that the throughput ratio is the same according to the throughput of the first network and the throughput of the second network. Control.

  In the communication device of the first invention, the allocating means is configured such that an arrival time difference between the data packet received via the first network and the data packet received via the second network is greater than a threshold value. Is larger, the amount of transmission data packets distributed to each network is controlled so that the amount of transmission data packets distributed to the network with the earlier arrival time becomes larger.

  In the communication device of the first invention, the distribution means limits the amount of data packets distributed to the first network based on the upper limit of the transmission rate of the first network so as not to exceed the upper limit, and otherwise Are allotted to the second network.

  According to a second aspect of the present invention, there is provided a communication method in which a plurality of networks having different security levels are used in parallel and communication is performed with a communication device facing each other via the plurality of networks. First transmission / reception means for performing communication via a second network and second transmission / reception means for performing communication via a second network whose security level is lower than that of the first network, and transmitting data packets to the first network or A distribution step of distributing to the second network, a transmission data packet distributed to the first network by the distribution step being output to the first transmission / reception means, and the transmission data packet distributed to the first network as a key packet Send data packets distributed to the second network And a coding step of outputting the second transceiver means and the workpiece coding of.

  In the communication method of the second invention, the allocating step determines the amount of transmission data packets to be allocated to each so that the throughput ratio is the same according to the throughput of the first network and the throughput of the second network. Control.

  In the communication method of the second invention, the allocating means is configured such that an arrival time difference between the data packet received via the first network and the data packet received via the second network is greater than a threshold value by the receiving communication device. Is larger, the amount of transmission data packets distributed to each network is controlled so that the amount of transmission data packets distributed to the network with the earlier arrival time becomes larger.

  In the communication method of the second invention, the allocating step limits the amount of data packets distributed to the first network based on the upper limit of the transmission rate of the first network so as not to exceed the upper limit, and otherwise Are allotted to the second network.

  The present invention uses a plurality of networks in parallel between communication devices connected via a plurality of networks with different security levels, and uses a data packet transmitted over a network with a high security level as a key packet. Data packets transmitted on a low network are network-coded and transmitted. This makes it difficult to read traffic transmitted using any network.

It is a figure which shows the structural example 1 of the communication system with which the communication apparatus of this invention is used. It is a figure which shows the structural example of the radio | wireless terminal 13 used as a communication apparatus of this invention. 6 is a diagram illustrating an operation example of an encoding function unit 342. FIG. It is a figure which shows the structural example of the relay node 17 used as a communication apparatus of this invention. It is a figure which shows the structural example 2 of the communication system with which the communication apparatus of this invention is used. It is a figure which shows the structural example 3 of the communication system with which the communication apparatus of this invention is used. It is a figure which shows the structural example of the communication system which can utilize a some access network.

  The present invention is characterized in that a plurality of networks are used in parallel between communication devices connected via a plurality of networks having different security levels, and a data packet transmitted on one network is used as a key packet, and the other network is used. The data packet to be transmitted by the network coding is transmitted. At this time, a data packet serving as a key packet is transmitted through a network with a high security level such as a mobile phone access network, and a network-coded data packet is a network with a low security level such as a wireless LAN access network. Is transmitted through. Data packets transmitted by the wireless LAN access network may be intercepted, but the contents cannot be read because they are network coded. Moreover, since the key packet for decoding the network-coded packet is transmitted via a network with high security, it is difficult to acquire. Therefore, it is difficult to read the traffic transmitted using any network.

FIG. 1 shows a configuration example 1 of a communication system in which the communication apparatus of the present invention is used.
In FIG. 1, as a communication device connected via a wireless LAN access network 11 with a low security level and a mobile phone access network 12 with a high security level, there is a wireless terminal 13 on one side and a relay network 16 on the other side. There is a relay node 17. A server 18 is connected to the relay network 16.

  The wireless terminal 13 receives, for example, video content distributed by the server 18 with the server 18. In accordance with a request from the wireless terminal 13, the server 18 sends data packets (A to H) constituting the video content to the wireless terminal 13 and outputs them to the relay network 16. The relay network 16 transfers the data packet to the relay node 17 paired with the wireless terminal 13. The relay node 17 distributes the input data packet to the wireless LAN access network 11 and the mobile phone access network 12. In the wireless LAN access network 11, the data packets (B, C, D, F, G, H) distributed by the relay node 17 are transmitted to the wireless terminal 13 via the wireless LAN base station AP. On the other hand, in the cellular phone access network 12, the data packet (A, E) distributed by the relay node 17 is transmitted to the wireless terminal 13 via the cellular phone base station BS.

  At this time, the data packet (A, E) distributed to the mobile phone access network 12 is a key packet, and the data packet (B, C, D, distributed to the wireless LAN access network 11 using the key packet). F, G, H) is network coded. The wireless terminal 13 decrypts the network-coded data packet transmitted via the wireless LAN access network 11 by using the key packet transmitted via the mobile phone access network 12, rearranges and rearranges the video content. Reproduce. Note that for packets transmitted from the wireless terminal 13 to the relay node 17 as well, key packets and network-coded packets are similarly distributed to the access networks.

FIG. 2 shows a configuration example of the wireless terminal 13 used as the wireless device of the present invention.
In FIG. 2, a wireless terminal 13 is connected to a wireless LAN transmitting / receiving unit 31 connected to a wireless LAN base station AP of a high-speed, low-cost wireless LAN access network, and to a mobile phone base station BS of a high-security mobile phone access network. Mobile phone transmission / reception unit 32, quality evaluation unit 33, encoding processing unit 34, decoding processing unit 35, encoding control unit 36, setting management unit 37, and communication termination unit 38.

  The wireless LAN transmission / reception unit 31 and the mobile phone transmission / reception unit 32 are configured by a transmission function unit and a reception function unit, and transmit processing and reception for performing wireless communication with the wireless LAN base station AP and the mobile phone base station BS, respectively. Process.

  The encoding processing unit 34 includes a distribution function unit 341, an encoding function unit 342, a reference data holding function unit 343, and accompanying information addition function units 344 and 345.

  The distribution function unit 341 distributes the data packet input from the communication termination unit 38 to the encoding function unit 342 or the reference data holding function unit 343 in accordance with the data packet distribution ratio set by the encoding control unit 36. The data packet output to the encoding function unit 342 is a data packet transferred via the wireless LAN access network, and the data packet output to the reference data holding function unit 343 is transferred via the mobile phone access network. Data packet.

  The reference data holding function 343 stores the input data packet in its own memory and outputs it to the accompanying information addition function unit 345. The data packet stored in the memory is output to the encoding function unit 342 in response to a request from the encoding function unit 342. When a new data packet is input to the reference data holding function unit 343, the data packet stored in the memory is overwritten by the data packet. A plurality of data packets may be stored in the memory, and one data packet may be selected based on the designation of the encoding function unit 342 and output to the encoding function unit 342. That is, the key packet and the data packet subjected to network coding processing by the key packet do not need to be continuous or have a close sequence number. For example, in FIG. May be used. When the delay of the network transmitting the key packet is large, the time for waiting for the key packet at the partner can be reduced by performing network coding using the key packet already received at the partner.

  The encoding function unit 342 performs an exclusive OR operation on the data packet input from the distribution function unit 341 using the data packet stored in the memory of the reference data holding function unit 343 as a key packet. Perform the coding process. Specifically, when a data packet is input from the distribution function unit 341, the encoding function unit 342 requests the reference data holding function unit 343 for a key packet, and uses the acquired key packet to distribute the data packet. The data packet input from the function unit 341 is network-coded and output to the accompanying information addition function unit 344.

  The accompanying information adding function units 344 and 345 add accompanying information (header information) to the input data packet so that the relay node can perform decoding processing. The data is output to the transmission function unit of the telephone transmission / reception unit 32. The header information includes a sequence number indicating the packet order, a sequence number of the key packet, and the like. In addition, when the network coding process is performed by an arithmetic process other than the exclusive OR operation, information indicating the processing content is given. Also, as will be described later, when there are multiple choices for aligning the length of the packet to be network coded and the key packet, which one was used to perform the network coding processing? Is included. Note that a sequence number is added in the accompanying information addition function unit 345 connected to the reference data holding function unit 343. The sequence number is counted up for each data packet by the distribution function unit 341 and is notified to the accompanying information addition function unit 345 together with each data packet.

  The decryption processing unit 35 includes a synthesis function unit 351, a decryption function unit 352, a reference data holding function unit 353, and accompanying information separation function units 354 and 355.

  The accompanying information separation function units 354 and 355 respectively receive data packets from the reception function unit of the wireless LAN transmission / reception unit 31 and the reception function unit of the mobile phone transmission / reception unit 32, read header information from each data packet, and obtain header information. Extract the deleted data packet. The header information of the network packet-processed data packet input to the accompanying information separation function unit 354 includes a sequence number, a sequence number of the key packet, an identifier of the encoding process, an identifier of the data size adjustment method, and the like. The separation function unit 354 outputs the header information and the data packet from which the header information has been deleted to the decoding function unit 352. The header information of the key packet input to the accompanying information separation function unit 355 includes a sequence number, and the accompanying information separation function unit 355 uses the data packet from which the sequence number and header information have been deleted as a reference data holding function unit. Output to 353.

  The reference data holding function unit 353 associates the input data packet and the sequence number with each other and stores them in a memory provided therein, and outputs the sequence number and the data packet to the synthesis function unit 351. The data packet stored in the memory is output to the decryption function unit 352 in response to the request specifying the sequence number by the decryption function unit 352.

  The decoding function unit 352 identifies the decoding method based on the input identifier of the encoding process and the identifier of the data size adjustment method, and decodes the input network-coded data packet. For example, when the encoding process is performed by exclusive OR operation, decoding is performed by exclusive OR operation using the same key packet. The key packet used for the decryption is obtained as a response by making a request for the key packet together with the sequence number of the key packet to the reference data holding function unit 353. The decrypted data packet is output to the synthesis function unit 351 together with the sequence number.

  The composition function unit 351 rearranges the input data packets in the order of the sequence numbers and outputs them to the communication termination unit 38.

  The communication termination unit 38 delivers the data packet input from the synthesis function unit 351 to the application or the like, or outputs the data packet input from the application or the like to the distribution function unit 341.

  The encoding control unit 36 notifies the distribution function unit 341 of the distribution ratio of the data packets. The distribution ratio of data packets is controlled by the communication status between the wireless LAN access network and the mobile phone access network. That is, the encoding control unit 36 determines that the data packet has the same throughput ratio as the throughput (transmission speed, delay time) of the wireless LAN access network and the mobile phone access network input by the quality evaluation unit 33. Sort out. For example, when the throughput of the wireless LAN access network is 20 Mbps and the throughput of the mobile phone access network is 5 Mbps, the distribution ratio between the wireless LAN access network and the mobile phone access network is 4: 1.

  On the other hand, for example, when evenly distributed to each network, when the data packet arrives at the decryption side faster than the key packet due to the difference in throughput, it cannot be decrypted until the key packet arrives, resulting in processing delay. Problems arise. The present invention solves this problem by setting a distribution ratio according to the throughput.

  In the case of the above distribution ratio, a plurality of data packets are network-coded with the same key packet. Although network coding is performed with the same key packet, the security level is lowered, but the difference in throughput of the access network to which each packet is transferred can be absorbed, so that the effect of suppressing processing delay can be expected.

  Further, when the above-described distribution ratio is reversed, that is, when the throughput of the mobile phone access network with high security is higher than the throughput of the wireless LAN access network, more data packets are transmitted through the mobile phone access network. In that case, in the data packet transmitted through the cellular phone access network, the portion corresponding to the data packet transmitted through the wireless LAN access network becomes a key packet, and the rest is used for network coding, not as a key packet. It is transmitted as a data packet that cannot be transmitted.

  In addition, in the transmission path using radio, the transmission speed fluctuates with the passage of time. By such control, it is possible to continue processing while adapting to the fluctuation. It is also possible to employ a configuration including a setting management unit 37 instead of the quality evaluation unit 33. The setting management unit 37 encodes a distribution ratio based on a preset fixed value without evaluating the communication status. The control unit 36 may be notified.

  The quality evaluation unit 33 includes a quality evaluation function unit 331 and a quality evaluation result reception function unit 332.

  The quality evaluation function unit 331 measures the throughput, delay time, and the like of the data packet input to the communication termination unit 38, and sends the measurement result to the communication device (relay node) of the other party via the transmission function unit of the mobile phone transmission / reception unit 32. 17). Further, the quality evaluation result receiving function 332 acquires the throughput, delay time, and the like measured in the counterpart communication device (relay node 17) via the receiving function unit of the mobile phone transmitting / receiving unit 32. The quality evaluation result reception function unit 332 sets the distribution ratio of the data packets based on these evaluation values. For example, as described above, it can be set to be the same as the throughput ratio.

  In addition, when the arrival time difference between the key packet and the data packet that is network-coded by the key packet is larger than the threshold value, the amount of packets allocated to the access network whose arrival time is earlier than the previous distribution ratio becomes large. In this way, the distribution ratio can be changed by a predetermined value. Further, when the difference in delay time of each network is larger than the threshold value, the same distribution ratio change process may be performed.

  When the data size of the data packet to be network-coded and the key packet are different in the encoding function unit 342, it is necessary to perform network coding after making the data sizes the same. At this time, when the key packet is short, as shown in FIG. 3 (1), a method of aligning the length by repeating the data string constituting the key packet, the amount of the key packet lacking is set to 0 or 1. A method of supplementing with a bit is conceivable. If the key packet is long, as shown in FIG. 3 (2), it can be considered that the key packet is extracted from the head of the key packet up to the same data size as the network coded packet. Either method can be decrypted by notifying the relay node of the sequence number of the key packet and the method used as header information.

FIG. 4 shows a configuration example of the relay node 17 used as the wireless device of the present invention.
In FIG. 4, in the relay node 17, the communication termination unit 38 of the wireless terminal 13 illustrated in FIG. 2 becomes the transmission / reception unit 40 that performs transmission / reception with the relay unit 39 and the relay network. Each of the wireless LAN transmission / reception unit 31 and the mobile phone transmission / reception unit 32 is not a wireless interface but a wired interface, and performs processing according to a protocol of a wired network to which they are connected. It is also possible to use a physical layer interface or the like in common. Other functions are the same as those of the wireless terminal 13 shown in FIG.

  As described above, among the access networks with which the communication devices (wireless terminal 13 and relay node 17) communicate, the data packet transferred by the high security access network is used as the key packet and transferred by the low security wireless LAN access network. By making the data packet into the network coding, the confidentiality of the data packet transferred through the low security access network can be improved. Further, since the network coding process can be realized by an exclusive OR operation, the processing load is smaller than that of the encryption process, and the network coding process can be used in a terminal having a low processing capability such as a mobile phone terminal.

FIG. 5 shows a configuration example 2 of a communication system in which the communication apparatus of the present invention is used.
In FIG. 5, as a communication device connected via the wireless LAN access network 11 and the mobile phone access network 12, there is a wireless relay device 14 to which a wireless LAN terminal 15 is connected, and the other is arranged in the relay network 16. There is a relay node 17. A server 18 is connected to the relay network 16.

  The wireless relay device 14 has a function of performing relay processing between the wireless LAN terminal 15 connected to the local side wireless LAN and each access network on the WAN side. The configuration has the same encoding processing function / decoding processing function as the wireless terminal 13 shown in FIG. 2, but the communication termination unit 38 of the wireless terminal 13 is similar to the relay node 17 shown in FIG. In addition, the transmitter / receiver 40 is connected to the wireless LAN terminal 15. However, the transmission / reception unit 40 serves as a wireless interface for wireless LAN connection with the wireless LAN terminal 15.

FIG. 6 shows a configuration example 3 of a communication system in which the communication apparatus of the present invention is used.
In FIG. 6, there is a relay node 23 to which a terminal 24 is connected on one side as a communication device connected via an IP network 21 with a low security level and a telephone network 22 with a high security level, and is arranged on the relay network 16 on the other side. There is a relay node 17 to be operated. A server 18 is connected to the relay network 16.

  The communication system has a configuration in which the telephone network 22 in which the upper limit of the available transmission rate is set by the fee system and the wired network of the IP network 21 having a low security level but no band limitation are used together.

  The relay node 23 in this configuration example has the same configuration as the relay node 17 shown in FIG. The relay nodes 17 and 23 distribute the data packets to be transmitted to the respective wired networks, select the key packets based on the difference in security level, and perform network coding as in the first embodiment. That is, the data packet transferred using the IP network 21 is network-coded using the data packet transferred using the telephone network 22 having a high security level as a key packet.

  Here, the distribution of data packets is determined by the transmission rate available in the telephone network 22. That is, the period for transmitting the key packet is determined within the upper limit of the transmission speed of the telephone network 22, and data packets other than the key packet are transferred by the IP network 21 after performing network coding. At this time, the key packet for performing the network coding of the data packet transferred by the IP network 22 is updated at a cycle of transmitting the key packet.

  As described above, the present invention can also be applied to a communication system using both the telephone network 22 and the IP network 21, and the confidentiality of data transferred through a network with a low security level can be improved.

DESCRIPTION OF SYMBOLS 11 Wireless LAN access network 12 Mobile phone access network 13 Wireless terminal 14 Wireless relay apparatus 15 Wireless LAN terminal 16 Relay network 17 Relay node 18 Server 21 IP network 22 Telephone network 23 Relay node 24 Terminal 31 Wireless LAN transmission / reception part 32 Mobile phone transmission / reception part 33 Quality Evaluation Unit 331 Quality Evaluation Function Unit 332 Quality Evaluation Result Reception Function Unit 34 Encoding Processing Unit 341 Distribution Function Unit 342 Encoding Function Unit 343 Reference Data Holding Function Unit 344, 345 Accompanying Information Addition Function Unit 35 Decoding Processing Unit 351 Compositing function unit 352 Decoding function unit 353 Reference data holding function unit 354, 355 Attached information separation function unit 36 Encoding control unit 37 Setting management unit 38 Communication termination unit

Claims (8)

In a communication device that uses a plurality of networks with different security levels in parallel and communicates with a communication device facing each other via the plurality of networks,
First transmission / reception means for performing communication via a first network with a high security level;
Second transmission / reception means for performing communication via a second network having a security level lower than that of the first network;
Distribution means for distributing transmission data packets to the first network or the second network;
The transmission data packet distributed to the first network by the distribution unit is output to the first transmission / reception unit, and the transmission data packet distributed to the first network is distributed to the second network as a key packet. And a coding unit configured to network-code the received transmission data packet and output the packet to the second transmission / reception unit. The communication device according to claim 1,
The allocating means controls the amount of transmission data packets allocated to each of the first network and the second network so that the throughput ratio is the same according to the throughput of the first network and the throughput of the second network. Communication device. The communication device according to claim 1,
The allocating means, when the arrival time difference between the data packet received via the first network and the data packet received via the second network by the communication device on the receiving side is larger than a threshold, A communication apparatus that controls the amount of transmission data packets to be distributed to each network so that the amount of transmission data packets to be distributed to a network with an earlier arrival time becomes larger. The communication device according to claim 1,
The distribution means limits the amount of data packets distributed to the first network based on the upper limit of the transmission rate of the first network so as not to exceed the upper limit, and all other data packets are distributed. 2. A communication apparatus that distributes to the second network. In a communication method that uses a plurality of networks having different security levels in parallel and communicates with a communication device facing each other via the plurality of networks,
First transmission / reception means for performing communication via a first network with a high security level;
Second transmission / reception means for performing communication via a second network whose security level is lower than that of the first network,
A distribution step of distributing transmission data packets to the first network or the second network;
The transmission data packet distributed to the first network in the distribution step is output to the first transmission / reception means, and the transmission data packet distributed to the first network is distributed to the second network as a key packet. And a coding step of performing network coding on the received transmission data packet and outputting it to the second transmitting / receiving means. The communication method according to claim 5, wherein
The allocating step controls the amount of transmission data packets allocated to each of the first network and the second network according to the throughput of the first network and the throughput of the second network so that the throughput ratio becomes the same. Communication method. The communication method according to claim 5, wherein
The allocating means, when the arrival time difference between the data packet received via the first network and the data packet received via the second network by the communication device on the receiving side is larger than a threshold, A communication method characterized by controlling the amount of transmission data packets distributed to each network so that the amount of transmission data packets distributed to the network with the earlier arrival time increases. The communication method according to claim 5, wherein
The allocating step limits the amount of data packets to be distributed to the first network based on the upper limit of the transmission rate of the first network so as not to exceed the upper limit, and all other data packets The communication method is characterized by allocating to the second network.

Images