JP2014154966A - Communication service provision system, and communication service provision method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication service provision system and a communication service provision method, without the need of implementation of a terminal function and setting work by a user to obtain authentication and connect to a service provider network, at a connection to the service provider network from a terminal through a fixed network.SOLUTION: With the provision of a traffic distribution function unit (200) in a fixed network (103), the traffic distribution function unit (200) performs connection between terminals (101A, 101B, 101C) and the fixed network (103), by a communication scheme available by each terminal, and also performs connection to service provider networks (104A, 104B, 104C) located farther with a connection policy fit to a service request. This enables the various terminals (101A, 101B, 101C) to receive service provision from the service provider networks (104A, 104B, 104C) only by the connection to the fixed network (103). With this, versatile services to be provided in the fixed network (103) become obtainable in future.

Description

  The present invention relates to a communication service provided in a form in which a communication network to which a terminal is connected and a communication network to which a service is provided, and particularly communication that performs automatic connection to a plurality of communication networks and appropriate communication path setting. The present invention relates to a service providing system and method.

  Conventionally, L2TP (Layer 2 Tunneling Protocol, RFC2661) technology is used for tunnel connection with ISP (Internet Services Provider) in fixed networks. L2TP uses LAC (L2TP Access Concentrator) to determine the ISP that is the connection destination from the request source line, user name, password, etc., and relays and transmits this information to the authentication device of the appropriate connection destination ISP for authentication. This is a technology for tunnel connection when authenticated by a device.

  3GPP (Third Generation Partnership Project) defines EPC (Evolved Packet Core) core connection technology using non-3GPP access such as WiFi (Wireless Fidelity) (TS23.402). Here, WiFiAP (Wi-Fi access point) and terminal are authenticated by SIM (Subscriber Identity Module) card, and GTP (GPRS Tunneling Protocol) / IPSec (Security Architecture for Internet Protocol) to the connection gateway of EPC core network To secure communications security.

  In addition, when a corporate user connects to the company network, a tunnel communication path that is secured by security such as IPSec is established and connected. For authentication at this time, an electronic certificate that can be acquired only within the company is used to prevent access from users other than the company user.

  A configuration as a specific example of the above technique will be described with reference to FIG.

  With existing technology, when connecting to an ISP (104A), when a terminal (101A) such as an HGW (Home GateWay) (102A) or a personal computer is connected to the fixed network (103), the fixed network (103) has line information and user ID. The ISP operator (104A) with which the user is contracting is identified, the connection point between the ISP operator (104A) and the fixed network (103) is determined, and the connection signal is transferred. At this time, authentication proceeds in parallel and the user ID and password (111A) are transferred to the ISP operator (104A). When the authentication process is completed, the tunnel communication path by L2TP (105A) is set between HGW (102A) and GW (107A) of ISP operator (104A), and user terminal (101A) and ISP operator (104A) are set to IP ( Connected with Internet Protocl).

  When connecting to the corporate network (104C) via the fixed network (103), use the certificate (111C) stored on the terminal (101C) to access the GW (107C) of the corporate network (104C), Authentication is performed based on the user ID and certificate (111C) information. Upon successful completion of authentication, the terminal (101C) establishes a tunnel channel using IPSec (105C) to the GW (107C) of the corporate network (104C), and the address managed by the corporate network (104C) is set to the terminal (101C ) And the communication between the terminal (101C) and the corporate network (104C) is encrypted by the IPSec (105C) tunnel communication path, so the terminal (101C) is virtually connected to the corporate network (104C ) Network.

  Regarding the connection to the mobile network (104B), as in the corporate system, after the authentication by SIM (111B) is completed between the mobile network (104B) and the terminal (101B), the connection between the ePDG (107B) and the terminal (101B) Then, the tunnel communication path of IPSec / GTP (105B) is established, and the terminal (101B) communicates with the mobile network (104B) using the address paid out by the mobile network (104B).

  In any case, the HGW (102A, 102B, 102C) authenticates with the AAA server (106) in the fixed network (103), and the HGW (102A, 102B, 102C) passes through the fixed network (103). Connectivity to various devices.

http://www.ietf.org/rfc/rfc2661.txt "Layer Two Tunneling Protocol" L2TP "" 3GPP TS23.402 V11.40 (2012-09)

  As shown in FIG. 7, the terminal (101A, 101B, 101C) directly connects to the service provider network such as ISP (104A), corporate network (104C), mobile network (104B), etc. by the AAA server ( 108A, 108B, 108C), authentication and tunnel connection processing are being implemented, so it was necessary to implement the terminal function and set up by the user for authentication and connection with the service provider network. Therefore, not only authentication information for the destination network in the terminal (101A, 101B, 101C) or HGW (102A, 102B, 102C), but also the generation function and termination function of the tunnel communication path necessary for connection through the tunnel communication path It is necessary to have. For this reason, there are problems such as a decrease in application processing due to an increase in terminal processing, an increase in terminal cost due to the need to implement a tunnel generation function and termination function on the terminal, and the necessity of setting work by the user. It was.

  In view of the above problems, the present invention eliminates the need for implementation of terminal functions and setting by the user for authentication and connection with the service provider network when connecting from the terminal to the service provider network via the fixed network. It is to provide a communication service providing system and method thereof.

  In order to achieve the above object, the present invention provides a second communication network in which a terminal connected to the first communication network is to be connected to any one of a plurality of second communication networks via the first communication network. The first communication network includes a traffic distribution function unit including an authentication processing unit, a connection processing unit, and a traffic distribution unit, and the second communication network includes an authentication server, A connection policy management server and a tunnel termination device, wherein the authentication processing unit receives a connection request from the terminal, and transfers the connection request to the authentication server of the second communication network to be connected; A function of transferring an authentication request transmitted from the authentication server of the second communication network to be connected to the terminal; an authentication response from the terminal; and receiving the authentication response from the terminal of the second communication network to be connected Transfer to authentication server When the authentication result is received from the function and the authentication server of the second communication network to be connected, the authentication result is confirmed, the authentication result is notified to the terminal, and the second to be connected to the terminal A function for notifying the connection processing unit of connection information necessary for connection to a communication network; and a terminal for receiving communication identification information and authentication completion when receiving a notification of completion of connection processing from the connection processing unit. And the connection processing unit connects to the connection policy management server of the second communication network to be connected based on the connection information when the connection information is received from the authentication processing unit. When a connection condition is received from the connection policy management server of the second communication network to be connected and a function for inquiring policy information, the traffic is set to connect to the second communication network to be connected according to the connection condition. A function for instructing the setting of a tunnel communication path to the traffic distribution unit, and when the notification of connection processing completion is received from the traffic distribution unit, the identification information to be given to the terminal is determined, and the traffic distribution unit Receiving a distribution condition setting completion notification from the traffic distribution unit and a function for requesting setting of distribution conditions to be transferred to the second communication network to be connected via the tunnel communication path during packet communication based on the identification information A function of notifying the authentication processing unit that the connection processing is completed, and the traffic distribution unit is connected when the connection processing unit is instructed to set a tunnel communication path. Connect to the tunnel termination device of the target second communication network to set the tunnel communication path and complete the connection processing in the connection processing unit A function of notifying that, and when the connection processing unit is requested to set a distribution condition, rewrite of packet header information (destination, transmission source, etc.) according to the specified distribution condition is set, and the connection process A function of transmitting a distribution condition setting completion notification to the authentication unit, and when the authentication server receives a connection request from the authentication processing unit, a function of requesting the authentication processing unit to perform authentication processing; Receiving the authentication response transmitted from the authentication processing unit, confirming the identity of the user of the terminal from the authentication response, and transmitting the authentication result to the authentication processing unit, the connection policy management The server has a function of responding to a connection condition when receiving an inquiry about the connection policy information from the connection processing unit, and the terminal responds to an authentication request received from the authentication processing unit. Suggest a function of transmitting a testimony in response to the authentication processing unit, the communication service providing system characterized in that it has a function of communicating with the identification information notified from the authentication processing unit.

  Furthermore, in order to solve the above-described problem, the present invention allows a terminal connected to the first communication network to be a target to be connected to any one of a plurality of second communication networks via the first communication network. In a communication service providing system for connecting to two communication networks, the first communication network includes a traffic distribution function unit, and the traffic distribution function unit connects the terminal and the second communication network by the traffic distribution function unit, When the traffic distribution function unit receives a connection request from the terminal to the second communication network to be connected, the traffic distribution function unit transfers the connection request to the second communication network to be connected, and When the authentication request for the connection request is received from the second communication network, the authentication request is transferred to the terminal, and when the authentication response for the authentication request is received from the terminal, the authentication request is transferred. When a response is transferred to the second communication network to be connected and an authentication result for the authentication response is received from the second communication network to be connected, the authentication result is confirmed, and the authentication result is sent to the terminal And a tunnel communication path is set between the terminal and the second communication network to be connected based on a connection condition for connection between the terminal and the second communication network to be connected. Determining the identification information to be assigned to the terminal, and setting the distribution condition so as to transfer the communication packet to the second communication network to be connected through the tunnel communication path during the packet communication of the terminal by the identification information, Proposed is a communication service providing method of notifying the terminal of the identification information and authentication completion.

  According to the communication service providing system and the method of the present invention, the terminal and the first communication network are connected by a communication method that can be used by the terminal, and the second communication network beyond that is the second communication network. Since it is possible to connect with a connection policy that meets the service request, various terminals can easily receive service provision of the second communication network simply by connecting to the first communication network. This makes it possible to diversify services provided on the first communication network in the future.

The figure explaining the communication service provision system in one Embodiment of this invention The figure explaining the outline | summary of the flow of the traffic distribution function part (200) in one Embodiment of this invention, and the flow of a connection process The figure explaining the detailed structure of the traffic distribution function part in one Embodiment of this invention The figure explaining the traffic distribution determination in one Embodiment of this invention The figure explaining the communication process which concerns on the traffic distribution process in one Embodiment of this invention The figure explaining the communication process which concerns on the traffic distribution process in one Embodiment of this invention The figure explaining the communication service provision system of a prior art example

  Hereinafter, a communication service providing system according to an embodiment of the present invention will be described with reference to the drawings.

  In FIG. 1, the AAA server (108A) of the ISP (104A), the AAA server (108C) of the corporate network (104C), and the AAA server (108B) of the mobile network (104B) are connected to the terminal (101A, 101B, 101C) by the ISP. (104A), when connecting to the corporate network (104C), mobile network (104B), the user ID between the terminal (101A, 101B, 101C) via the GW (107A, 107C) or ePDG (107B), Exchange authentication information for authentication, authorization, and accounting. In this embodiment, the AAA server (108A) of the ISP (104A), the AAA server (108C) of the corporate network (104C), and the AAA server (108B) of the mobile network (104B) are authentication servers, and mainly authentication. For managing user data and authenticating users based on authentication data.

  The AAA server (106) of the fixed network (103) has a function of communicating with the HGW (102A, 102B, 102C) and authenticating the connection from the fixed line. Further, the AAA server (106) manages the contract status of the line based on the physical information of the line, and determines whether or not the connection from the non-contracted line is possible according to the authentication result.

The HGW (102A, 102B, 102C) has a network function for bridging the public line network and the home network in the communication service using the fixed line of the fixed network (103). In addition to general broadband router functions such as connection to ISP (Internet service provider), assignment of IP address to personal computer in home, wireless LAN access point, etc. for HGW (102A, 102B, 102C) , Function of line termination equipment (ONU and cable modem) is integrated
The GWs (107A, 107C) have a firewall function for converting protocols and ensuring security used in gateways installed at the boundary between the ISP (104A) and the corporate network (104C) and other networks. Further, the GW (107A, 107C) authenticates the connected user when connecting from a user of the company, and permits communication only to the authenticated user.

The ePDG (107B) is used in the mobile network (104B) to accommodate untrusted non-3GPP wireless access (Untrusted Non-3GPP IP Access) such as public wireless LAN in the mobile operator's core network (104B). It has a gateway function installed at the boundary with other networks. Further, the ePDG (107B) sets an encrypted tunnel communication path (105B) such as IPSec or GTP between the terminal (101B) in order for the mobile operator to independently secure security. Further, the ePDG (107B) connects to the AAA server (108B) and relays the authentication signal in order to receive the authentication signal and the like. (3GPP TS 23.402)
The HSS (109) has a subscriber database function in the mobile network (104B), and the HSS (109) stores subscriber related information (profile). Based on this information, the HSS (109) Perform authentication and authorization, and manage subscriber location information and IP information.

  The traffic distribution function unit (200) receives a connection request to each service such as ISP (104A), corporate network (104C) or mobile network (104B) from the terminal (101A, 101B, 101C), and selects an appropriate destination. The problem is solved and the connection signal is relayed to the appropriate GW (107A, 107C) or ePDG (107B).

  In the present embodiment, connections from various terminals (101A, 101B, 101C) are aggregated in the fixed network (103), and the terminals (101A, 101B, 101C) and ISP (104A), corporate network (104C), or mobile network ( 104B) and other services such as a traffic distribution function that performs connection processing using the tunnel communication path required for various services, not on the terminal (101A, 101B, 101C). ).

  The traffic distribution function unit (200) relays an authentication signal of the terminal (101A, 101B, 101C) to various services and mediates an authentication process between the terminal (101A, 101B, 101C) and the various services. This authentication method supports various authentication technologies such as ID / Pass, certificates, and SIM cards. In addition, depending on the contract contents of the users who use the service during the authentication process and the service provider's service provision policy (security, quality, billing), multiple tunnel communication paths such as L2TP, IPSec, GTP, etc. (104A, 104B, 104C). Furthermore, it has a traffic distribution function unit (200) that relays communication between the terminals (101A, 101B, 101C) and the service and accommodates the communication of the terminals (101A, 101B, 101C) in an appropriate tunnel communication path.

  In this embodiment, the traffic distribution function unit (200) accommodates users at the IP layer in the fixed network (103) in order to identify and distribute communication from each line / user, and performs individual control for each user. It is provided in the edge router that performs. However, an authentication processing unit and a connection processing unit, which will be described later, in the traffic distribution function unit (200) may be provided in the edge router, or may be provided in another device (control server device or the like) connected to the edge router. .

  Next, an overview of the traffic distribution function unit (200) and an overview of the flow of connection processing in this embodiment will be described with reference to FIG.

  First, the flow of connection processing will be described below.

  When each terminal (101A, 101B, 101C) connects to a service provider network such as ISP (104A), corporate network (104C), or mobile network (104B) with which a contract is made, the traffic distribution function unit (200) A connection request to the carrier network is received from the terminal (101A, 101B, 101C), the appropriate destination is resolved, and the connection signal is relayed to the appropriate GW (107A, 107C) or ePDG (107B). At this time, the terminals (101A, 101B, 101C) need only transmit signals to the traffic distribution function unit (200).

  The GW (107A, 107C) or ePDG (107B) of each service provider network (104A, 104B, 104C) that has received the connection signal receives the connection request sent to the AAA server (108A, 108B, 108C). The AAA server (108A, 108B, 108C) transmits an authentication request to the traffic distribution function unit (200) via the GW (107A, 107C) or the ePDG (107B).

  The traffic distribution function unit (200) transmits the received authentication request to the connection request source terminals (101A, 101B, 101C), and starts the authentication process.

  The traffic distribution function unit (200) relays all the processing such as authentication and connection from each terminal (101A, 101B, 101C), and the traffic distribution function unit (200) side has an ISP (104A) and a corporate network (104C). ) Or processing necessary for connection with various services such as the mobile network (104B) (processing such as tunnel control and bandwidth control). Further, the traffic distribution function unit (200) accommodates communication traffic between the terminal (101A, 101B, 101C) and the service provider network (104A, 104B, 104C), and the terminal (101A, 101B, 101C) and service Various services without performing special tunnel control processing on the terminal (101A, 101B, 101C) side by performing appropriate protocol conversion to enable connection with the carrier network (104A, 104B, 104C) Communication to use the.

  Next, an outline of the traffic distribution function unit (200) will be described.

  As shown in the figure, the traffic distribution function unit (200) includes an authentication processing unit (210), a connection processing unit (220), and a traffic distribution unit (230). The authentication processing unit (210) receives a connection signal from the terminal (101A, 101B, 101C) when connecting the terminal (101A, 101B, 101C) and various service provider networks (104A, 104B, 104C). And a function of relaying the user name or the like to an appropriate service provider network (104A, 104B, 104C). The connection processing unit (220) manages and controls packet communication between the terminals (101A, 101B, 101C) and the traffic distribution unit (230), and connects to the appropriate service provider network (104A, 104B, 104C). It has a function of canceling establishment of tunnel communication paths and setting distribution to each tunnel communication path.

  That is, the authentication processing unit (210) determines an authentication request from the terminal (101A, 101B, 101C), specifies an authentication method and an authentication destination, and communicates with an appropriate authentication destination authentication server (AAA server). When the authentication signal is relayed and the authentication is OK, the connection processing unit (220) is requested to perform connection processing between the service network (104A, 104B, 104C) and the terminal (101A, 101B, 101C).

  The connection processing unit (220) acquires connection policy information required for the connection processing from each service provider network (104A, 104B, 104C) from the authentication user and service information requested by the authentication processing unit (210). This is based on information such as tunnel type (L2TP / IPSec / GTP / IP native), required bandwidth, security requirements, charging policy, etc., traffic distribution unit (230) and various service networks (104A, 104B, 104C) A tunnel communication path is set between Also, the correspondence between the tunnel communication path and the terminal identifier (IP address etc.) is set in the traffic distribution unit (230).

  The traffic distribution unit (230) performs communication distribution processing in accordance with the distribution conditions set by the connection processing unit (220).

  Next, a detailed configuration of the traffic distribution function unit (200) in the present embodiment will be described with reference to FIG.

  As shown in the figure, the authentication function unit (210) includes an authentication signal receiving unit (211), an authentication signal transmitting unit (212), an authentication signal analyzing unit (213), an authentication signal transmitting unit (214), and an authentication signal receiving unit. (215), which uses the authentication information such as SIM card, electronic certificate, ID / password in the terminal to send the user name and authentication information to the service provider's authentication system. It has a function to prove

  The authentication signal receiving unit (211) has a function of receiving an authentication signal transmitted from the authentication function unit (121) of the terminal (101 (101A, 101B, 101C)).

  The authentication signal transmission unit (212) has a function of transmitting an authentication signal to the authentication function unit (121) of the terminal (101 (101A, 101B, 101C)).

  The authentication signal analysis unit (213) includes an authentication method analysis unit (213a), an authentication information / result analysis unit (213b), and an identification information management unit (213c), and includes terminals (101 (101A, 101B, 101C). )) And the service provider network (104 (104A, 104B, 104C)) authentication server (AAA server (108 (108A, 108B, 108C))) analysis of the content of the authentication signal to monitor the authentication status It has the function to do. The authentication signal analysis unit (213) has a function of notifying the connection processing unit (220) that the first authentication of the connection process is completed when the authentication is completed.

  The authentication method analysis unit (213a) has a function of specifying the authentication protocol and the like from the protocol, the ID and the expression format of the authentication information, etc. at the time of starting the authentication signal analysis.

  The authentication information / result analysis unit (213b) has a function of extracting the user ID and the contents of the authentication request / authentication response in accordance with the protocol specified by the authentication method analysis unit (213a).

  The identification information management unit (213c) manages which terminal (101 (101A, 101B, 101C)) and which service provider network (104 (104A, 104B, 104C)) is being processed during authentication analysis. It has a function. Further, the identification information management unit (213c) is connected to each terminal (101 (101A, 101B, 101C)) and service network (104 (104A, 104B, 104C) such as authentication start / authentication request transmitted / authentication response received / authenticated). )) To manage the progress of the authentication process.

  The authentication connection destination information DB (240) obtains the service provider network (104 (104A) from the user ID and the service provider network (104 (104A, 104B, 104C)) extracted by the authentication signal analysis unit (213). , 104B, 104C)) and the database used to hold the information required for connecting to the connection destination GW (107A, 107C) or ePDG (107B) or AAA server (108A, 108B, 108C) .

  The connection processing unit (220) includes a connection processing request reception unit (221), a connection processing determination unit (222), a policy information acquisition unit (223), a connection state management DB (224), an IPSec connection control unit (225), It consists of a GTP connection control unit (226), an L2TP connection control unit (227), and an IP native connection control unit (228).

  The connection processing request receiving unit (221) has a function of receiving a connection request of a user who has been authenticated by the authentication processing unit (210).

  The connection processing decision unit (222) needs to comprehensively determine information such as the user's contract details and the service provider network (104 (104A, 104B, 104C)) connection policy for the connection requesting user. A function for determining connection control contents such as connection processing by a simple tunnel communication path, bandwidth control, and access control. Further, the connection processing determination unit (222) assigns identification information necessary for communication to the authenticated terminal (101 (101A, 101B, 101C)), and adds the information to the traffic distribution unit (230). Instruct terminal identification based on.

  The policy information acquisition unit (223) has a function of inquiring of connection policy information to the service provider network (104 (104A, 104B, 104C)) using a user name during connection processing.

  The connection state management DB (224) stores the connection state between the terminal (101 (101A, 101B, 101C)) and the service provider network (104 (104A, 104B, 104C)), that is, the terminal (101 (101A, 101B, 101C)). ) And the service provider network (104 (104A, 104B, 104C)) is a database for managing connection states of a plurality of tunnel communication paths.

  The IPSec / GTP / L2TP / IP native connection control unit (225, 226, 227, 228) has a function of controlling setting and release of a tunnel communication path required by the traffic distribution unit (230) according to an instruction from the connection processing determination unit (222).

  The traffic distribution unit (230) includes a terminal identification unit (231) and a distribution destination determination unit (232).

  The terminal identification unit (231) has a function of identifying a terminal (101 (101A, 101B, 101C)) based on the terminal identifier designated by the connection processing unit (220).

  The distribution destination determination unit (232) stores the distribution conditions specified by the connection processing unit (220), and performs communication from the terminal (101 (101A, 101B, 101C)) according to the conditions, in the service provider network (104 (104A, 104B, 104C)) and a function of allocating to the tunnel communication path connected.

  Further, the connection function unit (122) of the terminal (101 (101A, 101B, 101C)), when the user uses the service in the terminal (101 (101A, 101B, 101C)), the service provider network (104 ( 104A, 104B, 104C)) has a function of performing connection processing necessary for communication. The connection function unit (122) transmits / receives a control signal to / from the connection processing unit (220) and transmits / receives an actual data packet to / from the traffic distribution unit (230).

  Service provider networks (104 (104A, 104B, 104C)) such as ISP (104A), corporate network (104C), and mobile network (104B) are connected to AAA servers (108 (108A, 108B, 108C)) A policy management server (131) and a tunnel termination device (132) are provided.

  The connection policy management server (131) provides information on how and in what quality (bandwidth, delay, loss rate) the service provider is connected with respect to the connection of its users, and is accessible / impossible. It is a server that manages connection destination information handled as

  The tunnel termination device (132) terminates the tunnel communication path (105A, 105B, 105C) of the traffic distribution unit (230) and converts it into a protocol within the service provider network (104 (104A, 104B, 104C)). It has a function.

  In the traffic distribution function unit (200) having the above configuration, the authentication processing unit (210) relays an authentication signal from the terminal (101 (101A, 101B, 101C)), and uses an appropriate service provider network ( 104 (104A, 104B, 104C)) is provided. For this reason, the authentication signal is analyzed internally, identification information necessary for relay is added, and an authentication request is issued to the service provider network (104 (104A, 104B, 104C)) that has the authentication data specified as a result of the analysis. Relay the signal. When receiving an authentication response signal from the service provider network (104 (104A, 104B, 104C)), the internal identification information is confirmed, and the authentication response signal is transferred to the requesting terminal.

  The connection processing unit (220) works in conjunction with the authentication processing unit (210) to perform connection processing necessary for communication with each service provider network (104 (104A, 104B, 104C)) when authentication is successful. . To accommodate the various requirements of each service provider network (104 (104A, 104B, 104C)), it has multiple tunnel communication path connection control units (IPSec, GTP, L2TP, IP native, etc.) (225,226,227,228) The policy information determined for each service provider network (104 (104A, 104B, 104C)) and users is obtained from the service provider network (104 (104A, 104B, 104C)) and appropriate connection processing is determined. Depending on the decision, necessary tunnel communication path connection control and connection state management are performed.

  The traffic distribution unit (230) relays communication between the terminal (101 (101A, 101B, 101C)) and the service provider network (104 (104A, 104B, 104C)), and the service provider network (104 (104A, 104B, 104C)) to convert / replace communication with the terminal (101 (101A, 101B, 101C)) to the tunnel communication path (105A, 105B, 105C) necessary for communication with the terminal. For this reason, the connection information (terminal identifier, connection method, connection destination network) of the terminal (101 (101A, 101B, 101C)) is held, and based on the information, the terminal identification during communication, the service provider network (104 ( 104A, 104B, 104C)) and communication method (tunnel communication path, encryption) are identified, and conversion / replacement processing is performed.

  In the present embodiment, as shown in FIG. 4, for the terminal 1 (101A), the connection network is ISP, the connection method is L2TP, the tunnel ID is L2TP, the terminal identifier is IP # A, and the terminal 2 (101B) is connected. The network is a mobile network, the connection method is IPSec / GTP, the tunnel ID is IPSec / GTP, the terminal identifier is IP # B, and for terminal 3 (101C), the connection network is the corporate network, the connection method is IPSec, the tunnel ID is IPSec2, The details of the communication processing will be described below with the terminal identifier as IP # C with reference to FIGS.

  A terminal 1 (101A) such as a personal computer or an HGW is an ISP connection terminal, and is connected to the ISP provider network (104A) via the fixed network (103). Upon receiving the connection request (501) from the terminal 1 (101A), the authentication processing unit (210) identifies the ISP provider that issued the request from the ID information, and the AAA server (authentication server) of the ISP provider network (104A) The connection request (502) from the user is transferred to (108A). At this time, ID information for managing which user's authentication information is relayed in the authentication processing unit (210) is added to the connection request signal.

  The AAA server (authentication server) (108A) of the ISP carrier network (104A) uses an authentication protocol such as RADIUS in response to the connection request and requests an authentication process from the authentication processing unit (210) (503). The authentication processing unit (210) relays this authentication request and transfers it to the terminal 1 (101A) (504).

  In response to the authentication request (504) received from the authentication processing unit (210), the terminal 1 (101A) sends ID information and authentication information (password or the like) that proves that the user is a valid user to the authentication response (505). To the authentication processing unit (210).

  Upon receiving the authentication response (505) from the terminal 1 (101A), the authentication processing unit (210) transfers it to the AAA server (08A) of the ISP carrier network (104A) (506). The AAA server (108A) of the ISP network (104A) confirms the identity of the user from the received authentication response (506), and transmits the authentication result (507) to the authentication processing unit (210).

  The authentication processing unit (210) confirms the authentication result (507) received from the AAA server (108A), notifies the authentication result to the terminal 1 (101A) (508), and also connects the terminal 1 (101A) to the ISP network ( Information necessary for connection with 104A) (such as the user ID of the L2TP tunnel communication path) is notified to the connection processing unit (220) (509).

  The connection processing unit (220) inquires of the connection policy information to the connection policy management server (131A) of the ISP network (104A) based on the connection user ID of the terminal 1 (101A) (510).

  The connection policy management server (131A) responds with a connection condition with the ISP network (104A) (511). This connection condition includes a tunnel type (IPSec), a connection band allocated to the user, a security condition (access restriction list), and a charging condition.

  The connection processing unit (220) that has received the connection condition instructs the traffic distribution unit (230) to set the tunnel communication path so as to connect according to the specified connection condition (512). The traffic distribution unit (230) is connected to the tunnel termination device (132A) of the ISP network (104A) using the user ID of the terminal 1 (101A), authentication information, and an encryption key, and is tunneled for the user. A communication channel is set (513). When the setting of the tunnel communication path is completed, the traffic distribution unit (230) notifies the connection processing unit (220) that the connection processing is completed (514).

  The connection processing unit (220) that has received the notification of the completion of the connection processing from the traffic distribution unit (230) identifies the identification information to be given to the terminal 1 (101A), that is, the packet from the terminal 1 (101A) in the traffic distribution unit (230). Information (IP address, etc.) for identifying that the network is for the ISP network (104A) is determined and set for the traffic distribution unit (230) in the previous step when packet communication is performed using the identification information. A request is made to set a distribution condition so as to transfer to the ISP network (104A) via the tunnel communication path (515).

  The traffic distribution unit (230) requested to set the distribution condition sets rewrite of the header information (destination, transmission source, etc.) of the packet according to the specified distribution condition, and distributes the distribution condition to the connection processing unit (220). A setting completion notice (516) is transmitted. Upon receiving this, the connection processing unit (220) notifies the authentication processing unit (210) that the connection processing has been completed (517).

  Finally, the authentication processing unit (210) notifies the terminal 1 (110A) of the completion of authentication together with the communication identification information (IP address, etc.) (518). Thereafter, actual communication is performed between the terminal 1 (101A) and the ISP network (104A) (519, 520).

  A terminal 2 (101B) such as a smartphone is a connection terminal to the mobile network (104B), and is connected to the fixed network (103) using the ID of the mobile operator network (104B) using WiFi. Upon receiving the connection request (601) from the terminal 2 (101B), the authentication processing unit (210) identifies the mobile operator network (104B) that is the issuing source from the ID information, and the mobile operator network (the AAA server (104B of 104B) 108B), the connection request from the user is transferred (602), and at this time, ID information for managing which user's authentication information is relayed in the authentication processing unit (210) is added to the connection request signal. To do.

  The AAA server (108B) of the mobile operator network (104B) uses an authentication protocol such as EAP-SIM / AKA in response to the connection request and requests the authentication processing unit (210) for a prior authentication process ( 603). The authentication processing unit (210) relays this authentication request and transfers it to the terminal 2 (101B) (604).

  When the terminal 2 (101B) receives the authentication request from the authentication processing unit (210), the terminal 2 (101B) sends the ID information and authentication information (password, key information, etc.) proving that the user is a valid user to the authentication processing unit (210). In response to this, an authentication response is transmitted (605). Upon receiving the authentication response from the terminal 2 (101B), the authentication processing unit (210) transfers it to the AAA server (108B) of the mobile operator network (104B) (606).

  The AAA server (108B) of the mobile network (104B) confirms the identity of the user from the received authentication response, and transmits the authentication result to the authentication processing unit (210) (607). The authentication processing unit (210) confirms the authentication result, notifies the authentication result to the terminal 2 (101B) (608), and information necessary for connection between the terminal 2 (101B) and the mobile network (104B) ( ID, encryption key, etc.) are notified to the connection processing unit (220) (609).

  Upon receiving this information, the connection processing unit (220) inquires of the connection policy management server (131B) of the mobile network (104B) about the connection policy information based on the connection user ID of the terminal 2 (101B) (610).

  The connection policy management server (131B) having received the inquiry about the connection policy information returns a connection condition with the mobile network (104B) to the connection processing unit (220) (611). This connection condition includes a tunnel type (IPSec, GTP, etc.), a connection band assigned to the user, a security condition (access restriction list), and a charging condition.

  Upon receiving the response from the connection policy management server (131B), the connection processing unit (220) instructs the traffic distribution unit (230) to set the tunnel communication path so as to connect according to the specified connection condition (612 ).

  The traffic distribution unit (230) instructed to set the tunnel communication path is connected to the terminal unit (132B) of the mobile network (104B) using the user ID of terminal 2 (101B), authentication information, and encryption key. (613), a tunneled communication path for the user is set. When the setting of the tunnel communication path is completed, the traffic distribution unit (230) notifies the connection processing unit (220) that the connection processing is completed (614).

  The connection processing unit (220) that has received the notification of the completion of the connection processing from the traffic distribution unit (230) receives the identification information given to the terminal 2 (101B), that is, the packet from the terminal 2 (101B) in the traffic distribution unit (230). Determines the information (IP address, etc.) for identifying that the network is for the mobile network (104B), and sets it in the previous step when packet communication occurs according to the identification information for the traffic distribution unit (230) The distribution condition is requested to be transferred to the mobile network via the tunnel communication path (615).

  The traffic distribution unit (230) requested to set the distribution condition sets rewrite of the header information (destination, transmission source, etc.) of the packet according to the specified distribution condition, and distributes the distribution condition to the connection processing unit (220). A setting completion notification is sent (616). Upon receiving this, the connection processing unit (220) notifies the authentication processing unit (210) that the connection processing has been completed (617). Finally, the authentication processing unit (210) notifies the terminal 2 (101B) of authentication completion together with communication identification information (IP address, etc.) (618). Thereafter, actual communication is performed between the terminal 2 (101B) and the mobile network (104B) (619, 620).

  A terminal 3 (101C) such as a personal computer is a connection terminal for the corporate network (104C), and is connected to the corporate network (104C) via the fixed network (103). At this time, when the authentication processing unit (210) receives the connection request from the terminal 3 (101C) (701), it identifies the issuing company network (104C) from the ID information, and the AAA server of the company network (104C) The connection request from the user is transferred to (108C) (702). At this time, ID information for managing which user's authentication information is relayed in the authentication processing unit (210) is added to the connection request signal.

  The AAA server (108C) of the corporate network (104C) uses an authentication protocol such as RADIUS / EAP-TLS in response to the connection request, and requests an authentication process from the authentication processing unit (210) (703). The authentication processing unit (210) relays this authentication request and transfers it to the terminal 3 (101C) (704).

  In response to the authentication request from the authentication processing unit (210), the terminal 3 (101C) sends, to the authentication processing unit (210), ID information and authentication information (password, etc.) that proves that the user is a valid user as an authentication response. Send (705). Upon receiving the authentication response from the terminal 3 (101C), the authentication processing unit (210) transfers it to the AAA server (108C) of the corporate network (104C) (706).

  The AAA server (108C) of the corporate network (104C) confirms the identity of the user from the received authentication response, and transmits the authentication result to the authentication processing unit (210) (707). The authentication processing unit (210) confirms the authentication result, notifies the authentication result to the terminal 3 (101C) (708), and information necessary for connection between the terminal 3 (101C) and the corporate network (104C) ( The user ID of the IPSec tunnel is notified to the connection processing unit 220 (709).

  The connection processing unit (220) that has received the notification from the authentication processing unit (210) inquires of the connection policy information to the connection policy management server (131C) of the corporate network (104C) by the connection user ID of the terminal 3 (101C) ( 710).

  The connection policy management server (131C) having received the inquiry from the connection processing unit (220) responds to the connection processing unit (220) with a connection condition with the corporate network (104C) (711). This includes the tunnel type (IPSec), the connection bandwidth allocated to the user, security conditions (access restriction list), and accounting conditions.

  The connection processing unit (220) that has received the connection condition instructs the traffic distribution unit (230) to set a tunnel communication path so as to connect according to the specified connection condition (712).

  The traffic distribution unit (230) instructed to set the tunnel communication path is connected to the tunnel terminating device (132C) of the corporate network (104C) by the user ID of terminal 3 (101C), authentication information, and encryption key. Then, a tunneled communication path for the user is set (713). When the setting of the tunnel communication path is completed, the traffic distribution unit (230) notifies the connection processing unit (220) that the connection processing is completed (714).

  The connection processing unit (220) that has received the notification of the completion of the connection processing from the traffic distribution unit (230) receives the identification information given to the terminal 3 (101C), that is, the packet from the terminal 3 (101C) in the traffic distribution unit (230). Determines the information (IP address, etc.) for identifying that the network is for the corporate network (104C), and when packet communication based on the identification information is issued to the traffic distribution unit (230) The distribution condition is requested to be transferred to the corporate network (104C) via the tunnel communication path set in the step (715).

  The traffic distribution unit (230) sets rewriting of the header information (destination, transmission source, etc.) of the packet according to the specified distribution condition, and transmits a distribution condition setting completion notification to the connection processing unit (220) (716) ).

  Upon receiving this, the connection processing unit (220) notifies the authentication processing unit (210) that the connection processing has been completed (717). Finally, the authentication processing unit (210) notifies the terminal 3 (101C) of the completion of authentication together with the communication identification information (IP address, etc.) (718). Thereafter, actual communication is performed between the terminal 3 (101C) and the corporate network (104C) (719, 720).

  As described above, according to the communication service providing system of the present embodiment, the terminal (101A, 101B, 101C) and the fixed network (103) are connected by a communication method that can be used by the terminal, and beyond Since it is possible to connect to the service provider network (104A, 104B, 104C) with a connection policy that meets the request for the service, various terminals (101A, 101B, 101C) are connected to the fixed network (103). It becomes possible to receive service provision simply by connecting only. In this way, it is possible to diversify services provided on the fixed network (103) in the future.

  In the present invention, the terminal and the first communication network are connected by a communication method that can be used by the terminal, and the second communication network is connected by a connection policy that meets the service request of the second communication network. Therefore, various terminals can easily receive service provision of the second communication network simply by connecting to the first communication network. This makes it possible to diversify services provided on the first communication network in the future.

  101, 101A, 101B, 101C ... terminal, 102A, 102B, 102C ... HGW, 103 ... fixed network (first communication network), 104 ... service provider network (second communication network), 104A ... ISP (second communication network) , 104B ... Mobile network (second communication network), 104C ... Corporate network (second communication network), 105A ... L2TP (tunnel communication path), 105B ... IPSec / GTP (tunnel communication path), 105C ... IPSec (tunnel communication path) ), 106 ... AAA server, 107A ... GW, 107B ... ePDG, 107C ... GW, 108,108A, 108B, 108C ... AAA server (authentication server), 109 ... HSS, 111A ... ID / Pass, 111B ... SIM, 111C ... certification , 121 ... Authentication function unit, 122 ... Connection function unit, 131,131A, 131B, 131C ... Connection policy management server, 132,132A, 132B, 132C ... Tunnel termination device, 200 ... Traffic distribution function unit, 210 ... Authentication processing unit, 211: Authentication signal receiving unit, 212 ... Authentication signal transmitting unit, 213 ... Authentication signal analyzing unit, 213a ... Authentication method analyzing unit, 213b ... Authentication information / result analyzing unit, 213c ... Identification information tube Management unit, 214 ... Authentication signal transmission unit, 215 ... Authentication signal reception unit, 220 ... Connection processing unit, 221 ... Connection processing request reception unit, 222 ... Connection processing determination unit, 223 ... Policy information acquisition unit, 224 ... Connection state management DB, 225 ... IPSec connection control unit, 226 ... GTP connection control unit, 227 ... L2TP connection control unit, 228 ... IP native connection control unit, 230 ... traffic distribution unit, 231 ... terminal identification unit, 232 ... distribution destination determination unit.

Claims (8)

A communication service providing system for connecting a terminal connected to a first communication network to a second communication network to be connected among any of a plurality of second communication networks via the first communication network,
The first communication network includes a traffic distribution function unit including an authentication processing unit, a connection processing unit, and a traffic distribution unit,
The second communication network includes an authentication server, a connection policy management server, and a tunnel termination device,
The authentication processing unit
A function of receiving a connection request from the terminal and transferring the connection request to the authentication server of the second communication network to be connected;
A function of transferring an authentication request transmitted from the authentication server of the second communication network to be connected to the terminal;
A function of receiving an authentication response from the terminal and transferring the authentication response to the authentication server of the second communication network to be connected;
When the authentication result is received from the authentication server of the second communication network to be connected, the authentication result is confirmed, the authentication result is notified to the terminal, and the second communication network to be connected to the terminal A function of notifying the connection processing unit of connection information necessary for the connection of
A function of notifying the terminal of communication identification information and authentication completion when receiving a notification of completion of connection processing from the connection processing unit;
The connection processing unit
A function of inquiring connection policy information from a connection policy management server of a second communication network to be connected based on the connection information when the connection information is received from the authentication processing unit;
When a connection condition is received from the connection policy management server of the second communication network to be connected, a tunnel communication path is set to the traffic distribution unit so as to connect to the second communication network to be connected according to the connection condition. A function to instruct settings,
When the notification of connection processing completion is received from the traffic distribution unit, the identification information to be given to the terminal is determined, and when the packet communication is performed with the identification information to the traffic distribution unit via the tunnel communication path A function for requesting setting of a distribution condition to be transferred to the second communication network,
When receiving a distribution condition setting completion notification from the traffic distribution unit, having a function of notifying the authentication processing unit that the connection processing is completed,
The traffic distribution unit
When the connection processing unit is instructed to set the tunnel communication path, the connection processing unit is connected to the tunnel terminating device of the second communication network to be connected and the tunnel communication path is set, and the connection processing is completed in the connection processing unit. A function to notify
A function of setting rewriting of header information of a packet according to a specified distribution condition when a setting of distribution conditions is requested from the connection processing unit, and transmitting a distribution condition setting completion notification to the connection processing unit; Have
The authentication server is
A function of requesting an authentication process to the authentication processing unit when a connection request is received from the authentication processing unit;
Receiving an authentication response transmitted from the authentication processing unit, confirming the identity of the user of the terminal from the authentication response, and having a function of transmitting the authentication result to the authentication processing unit;
The connection policy management server
When receiving an inquiry about the connection policy information from the connection processing unit, it has a function of responding to a connection condition;
The terminal
A function of transmitting an authentication response to the authentication request received from the authentication processing unit to the authentication processing unit;
A communication service providing system comprising a function of performing communication using the identification information notified from the authentication processing unit. The authentication processing unit has a function of identifying a second communication network to be connected based on ID information included in a connection request received from the terminal;
The communication service providing system according to claim 1, wherein the authentication response transmitted by the terminal includes the ID information and authentication information that proves that the user is a valid user. The communication service providing system according to claim 1, wherein the connection processing unit has a function of managing connection states of a plurality of the tunnel communication paths. 4. The communication according to claim 1, wherein the connection condition transmitted by the connection policy management server includes a type of a tunnel communication path, a connection band allocated to a user, a security condition, and a charging condition. Service provision system. In the communication service providing system for connecting a terminal connected to the first communication network to the second communication network to be connected among any of the plurality of second communication networks via the first communication network, the first A communication service providing method for providing a traffic distribution function unit in a communication network, and connecting the terminal and the second communication network by the traffic distribution function unit,
The traffic distribution function unit
Upon receiving a connection request from the terminal to the second communication network to be connected, the connection request is transferred to the second communication network to be connected;
When an authentication request for the connection request is received from the second communication network to be connected, the authentication request is transferred to the terminal,
When an authentication response to the authentication request is received from the terminal, the authentication response is transferred to the second communication network to be connected;
When an authentication result for the authentication response is received from the second communication network to be connected, the authentication result is confirmed, the authentication result is notified to the terminal, and the terminal and the second connection target Setting a tunnel communication path with the second communication network to be connected based on connection conditions for connection with the communication network;
The identification information to be given to the terminal is determined, and the distribution condition is set so that the communication packet is transferred to the second communication network to be connected through the tunnel communication path during the packet communication of the terminal based on the identification information. Done
The communication service providing method of notifying the identification information and authentication completion to the terminal. The traffic distribution function unit identifies a second communication network to be connected based on ID information included in a connection request received from the terminal,
The communication service providing method according to claim 5, wherein the authentication response transmitted by the terminal includes ID information and authentication information that proves that the user is a valid user. The communication service providing method according to claim 5 or 6, wherein the traffic distribution function unit manages connection states of the plurality of tunnel communication paths. The connection condition transmitted by the second communication network to be connected includes a type of a tunnel communication path, a connection band allocated to a user, a security condition, and a charging condition. The communication service providing method according to 1.

Images