JP2016143911A - Communication controller, communication control method and communication control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique which allows for flexible control of P2P communication performed between randomly selected terminals.SOLUTION: A communication controller connected with two terminals, and a relay device for relaying the P2P communication performed between the two terminals has storage means for storing the authority information including the communication method of P2P communication permitted for the two terminals, reception means for receiving the signaling signal transmitted mutually between the two terminals, and control means for controlling the communication method of P2P communication based on the authority information, upon reception of the signaling signal.SELECTED DRAWING: Figure 7

Description

  The present invention relates to a communication control device, a communication control method, and a communication control program.

  A P2P communication technique for performing direct communication between two terminals is known. Here, when communication is performed between terminals using the P2P communication technique, direct communication may not be possible between the terminals depending on the configuration of the network to which the terminals are connected. For example, when two terminals belong to different private networks, packets are discarded depending on the specifications of NAT (Network Address Translation), and direct communication cannot be performed between the terminals. Therefore, there is a technique called ICE (Interactive Connectivity Establishment) as a technique for enabling communication between terminals belonging to a private network (for example, see Non-Patent Document 1). ICE communicates directly between terminals by communicating the address of the terminal itself, the address of the NAT public network side, and the address of the relay device arranged on the public network between the terminals via the signaling server. Is possible. Further, JSEP (Javascript (registered trademark) Session Establishment Protocol) is known as a signaling method using ICE in WebRTC technology (see, for example, Non-Patent Document 2).

  Here, a company or the like may want to prohibit P2P communication between a terminal connected to the internal LAN and a terminal connected to the external network in order to enhance security.

RFC5245: Interactive Connectivity Establishment (ICE) JSEP: draft-ietf-rtcweb-jsep-08

  However, if all access to the external network from a terminal connected to the internal LAN is prohibited, for example, if you want to use another company's service provided in the form of SaaS (Service as a Service) It becomes impossible. Further, depending on the title of the user of the terminal, there may be a case where P2P communication may be permitted with a terminal connected to an external network, and there has been a problem that a flexible response cannot be made.

  The disclosed technique has been made in view of the above, and an object thereof is to provide a technique capable of flexibly controlling P2P communication performed between arbitrary terminals.

  The communication control device of the disclosed technology is a communication control device connected to two terminals and a relay device that relays P2P communication performed between the two terminals, and is permitted to each of the two terminals. Storage means for storing authority information including the communication method of the P2P communication, receiving means for receiving a signaling signal communicated between the two terminals, and receiving the signaling signal, the authority Control means for controlling a communication method of the P2P communication based on the information.

  According to the disclosed technology, P2P communication performed between arbitrary terminals can be flexibly controlled.

It is a figure which shows an example of a structure of the communication system which concerns on embodiment. It is a figure which shows an example of the hardware constitutions of the communication control apparatus which concerns on embodiment. It is a figure which shows an example of the software configuration of the communication control apparatus which concerns on embodiment. It is a figure which shows an example of an authority information table and a communication destination permission information table. It is a figure which shows an example of the software configuration of the relay apparatus which concerns on embodiment. It is a flowchart which shows an example of the process sequence of the communication control apparatus which concerns on embodiment. It is a sequence diagram which shows an example of the process sequence of the communication system which concerns on embodiment. It is a figure which shows an example of a signaling signal.

  Hereinafter, embodiments will be described with reference to the drawings. In the drawings, the same components are denoted by the same reference numerals, and redundant description may be omitted.

  In the following description, P2P communication by WebRTC (Web Real-Time Communication) will be described as an example. Note that the terminal management system according to the embodiment can also be applied to P2P communication using a technique other than WebRTC.

  FIG. 1 is a diagram illustrating an example of a configuration of a communication system according to an embodiment. The communication system according to the embodiment includes a communication control device 10 that controls P2P communication performed between the terminal 30a and the terminal 30b, a relay device 20 that relays P2P communication, a terminal 30a, and a terminal 30b. . In the following description, an arbitrary terminal among the terminals (30a, 30b) is represented as “terminal 30”.

  The communication control device 10, the relay device 20, the terminal 30a, and the terminal 30b are connected so as to be able to communicate with each other via a network.

  The communication control apparatus 10 has a function of relaying signaling signals transmitted and received between the terminals 30 when a communication channel is established between the terminals 30 in accordance with a connection procedure defined in the WebRTC specification. Moreover, the communication control apparatus 10 controls the communication method when the terminal 30 establishes P2P communication using the said signaling signal. The communication control device 10 is a signaling relay server used in WebRTC, for example.

  The relay device 20 is a device that relays P2P communication performed between the terminals 30. The relay device 20 is, for example, a TURN (Traversal Using Relays around NAT) server used in WebRTC technology. First, when receiving a request from the terminal 30, the relay apparatus 20 assigns an IP address and a port number used for communication relay and transmits the request to the terminal 30. Subsequently, the terminal 30 transmits a packet to be transmitted to the partner terminal 30 to the IP address and port number transmitted from the relay device 20. Subsequently, the relay device 20 transfers the received packet to the communication partner terminal 30. In this way, the relay device 20 relays P2P communication performed between the terminals 30.

  The terminal 30 is a communication device such as a PC (Personal Computer) equipped with a Web browser, a mobile phone, a smartphone, or a tablet terminal. The terminal 30 realizes P2P communication by WebRTC with the partner terminal 30 by operating a client module (for example, an HTML file including JavaScript (registered trademark)) received from the Web server on the Web browser. The terminal 30 may be any communication device that can perform P2P communication.

  Here, the WebRTC technology will be briefly described. The WebRTC technology is a technology for realizing real-time P2P communication between terminals 30 using a Web browser. Generally, the terminal 30 is often connected to a private network in a company or home, and cannot communicate directly between the terminals 30. Therefore, the WebRTC technology enables communication exceeding the NAT by the ICE procedure, thereby enabling direct communication between the terminals 30 even when the terminals 30 are connected to a private network.

  The ICE procedure uses the STUN (Session Traversal Utilities for NAT) server installed on the Internet side to send the IP address and port number converted by NAT (that is, the IP address and port number visible from the Internet side) to the terminal 30. A notification mechanism and a mechanism for relaying P2P communication using a TURN server installed on the Internet side are provided. Accordingly, the WebRTC technology is designed to perform P2P communication over the NAT by using the ICE procedure regardless of what network environment the terminal 30 is connected to.

  WebRTC can use any signaling protocol. For example, WebRTC may use a unique signaling protocol or SIP (Session Initiation Protocol).

  In the ICE procedure, three addresses (ICE Candidate) corresponding to each of the following communication methods 1 to 3 are described in the format of SDP (Session Description Protocol), and between two terminals 30 using an arbitrary signaling protocol. Provides a mechanism to notify each other.

(Communication method and address specified in ICE procedure)
Communication method 1 (local communication not passing through NAT (hereinafter referred to as “internal communication”)): IP address and port number of terminal 30 itself Communication method 2 (communication passing through NAT but not using TURN server (hereinafter referred to as “external communication”) Communication (referred to as “without relay”))): NAT-converted IP address and port number of terminal 30 Communication method 3 (communication using a TURN server (hereinafter referred to as “external communication (with relay)”)): from TURN server Assigned IP address for P2P communication relay (hereinafter referred to as “relay IP address”) and port number The terminal 30 assigns each of the three addresses notified from the partner terminal 30 by the ICE procedure in order of priority. Negotiation is performed by transmitting packets, and P2P communication is established.

  For example, when two terminals 30 are connected to the same local network, P2P communication is established using an address of “internal communication” having a high priority. When the two terminals 30 communicate via NAT, P2P communication is performed using the address of “external communication (without relay)” having a priority or the address of “external communication (with relay)” having a low priority. Established. The NAT specification determines which of the addresses of “external communication (without relay)” that is in priority and the address of “external communication (with relay)” that is low in priority can establish P2P communication. Dependent. Note that it is prescribed in advance in the ICE procedure that “internal communication” is set to high priority, “external communication (without relay)” is set to medium priority, and “external communication (with relay)” is set to low priority. Yes.

  Here, an outline of the operation of the communication system according to the embodiment will be briefly described. When receiving the signaling signal from the terminal 30, the communication control apparatus 10 uses the authority information set in advance for the terminal 30 to select which communication from among the “communication method 1” to “communication method 3”. The method confirms whether or not it is permitted to perform P2P communication. For example, when only the procedure of “communication method 1” is permitted, the communication control apparatus 10 deletes the IP addresses corresponding to “communication method 2” and “communication method 3” included in the signaling signal, or The signaling signal including the IP address corresponding to “communication method 2” and “communication method 3” included in the signaling signal is discarded without being relayed. As a result, the terminal 30 cannot establish P2P communication by “communication method 2” and “communication method 3”. Similarly, for example, when only the procedure of “communication method 3” is permitted, the communication control apparatus 10 deletes the IP addresses corresponding to “communication method 1” and “communication method 2” included in the signaling signal. Alternatively, the signaling signal including the IP address corresponding to “communication method 1” and “communication method 2” is discarded without being relayed. As a result, the terminal 30 cannot establish P2P communication by “communication method 1” and “communication method 2”.

  In addition, when the communication control device 10 permits communication by the “communication method 3” between the terminals 30, the communication control device 10 records the P2P communication performed between the terminals 30 to the relay device 20 as necessary. Instruct.

  When the communication control device 10 receives a signaling signal from the terminal 30, the communication control device 10 compares the communication destination permission information held in advance by the communication control device 10 with the received signaling signal, and communication is not permitted for the signaling signal. If the destination address is included, the address is deleted or the signaling signal including the address is discarded without being relayed. As a result, the terminal 30 cannot establish P2P communication with the terminal 30 that is not permitted.

  That is, the communication system according to the present embodiment can variously control the P2P communication performed between the terminals 30 by rewriting or discarding the signaling signal performed by WebRTC by the communication control apparatus 10.

<Hardware configuration>
FIG. 2 is a diagram illustrating an example of a hardware configuration of the communication control apparatus according to the embodiment. The communication control apparatus 10 according to the embodiment includes a CPU 101, a ROM 102, a RAM 103, an HDD 104, an operation unit 105, a display unit 106, a drive device 107, and a NIC (Network Interface card) 108.

  The CPU 101 is a processor that performs overall control of the communication control device 10. The CPU 101 executes programs such as an operating system, applications, and various services stored in the HDD 104 and the like, and realizes various functions of the communication control apparatus 10. The ROM 102 stores various programs and data used by the programs. The RAM 103 is used as a storage area for loading a program, a work area for the loaded program, and the like. Various information and programs are stored in the HDD 104.

  The operation unit 105 is hardware for receiving an input operation from the user, and is, for example, a keyboard or a mouse. The display unit 106 is hardware that performs display for the user.

  The drive device 107 reads the program from the storage medium 109 that stores the program. The program read by the drive device 107 is installed in the HDD 104, for example. The NIC 108 is a communication interface for connecting the communication control apparatus 10 to a network and transmitting / receiving data.

  Note that the storage medium 109 is a non-transitory storage medium. Examples of the storage medium 109 include a magnetic storage medium, an optical disk, a magneto-optical storage medium, and a nonvolatile memory.

  The hardware configuration of the relay device 20 is the same as that shown in FIG.

  Note that, for example, hardware resources provided by a cloud service may be used as hardware resources used for the communication control device 10 and the relay device 20.

<Software configuration>
(Communication control device)
FIG. 3 is a diagram illustrating an example of a software configuration of the communication control apparatus according to the embodiment. The communication control apparatus 10 according to the embodiment includes a storage unit 201, a communication unit 202, a communication method restriction unit 203, a communication destination determination unit 204, and an instruction unit 205.

  The storage unit 201 can be realized by using the RAM 103, the HDD 104, or a storage device connected to the communication control device 10 via a network. The storage unit 201 stores authority information indicating a communication method permitted to the terminal 30 and communication destination permission information indicating an address of a partner permitted to communicate with the terminal 30.

  The communication unit 202 communicates with the relay device 20 or the terminal 30 via the NIC 108.

  When receiving the signaling signal from the terminal 30, the communication method restriction unit 203 permits the terminal 30 to select any communication method among internal communication, external communication (without relay), and external communication (with relay) based on the authority information. Judge whether to do. Further, the communication method restriction unit 203 rewrites the signaling signal based on the determination result and transmits the rewritten signaling signal to the terminal 30 or discards the signaling signal based on the determination result without transmitting it to the terminal 30.

  When receiving a signaling signal from the terminal 30, the communication destination determination unit 204 determines whether the communication partner with which the terminal 30 is to perform P2P communication is a permitted communication partner based on the communication destination permission information. When trying to perform P2P communication with an unauthorized communication partner, the communication destination determination unit 204 transmits the rewritten signaling signal to the terminal 30 or discards the signaling signal without transmitting it to the terminal 30.

  The instruction unit 205 instructs the relay apparatus 20 to record (capture) the P2P communication performed between the designated terminals 30 based on the authority information.

  FIG. 4 is a diagram illustrating an example of the authority information table and the communication destination permission information table. The authority information shown in FIG. 4A includes a terminal identifier, an internal communication flag, an external communication (without relay) flag, and an external communication (with relay) flag.

  The terminal identifier is an identifier for uniquely identifying the terminal 30 by the communication control device 10.

  The internal communication flag is a flag indicating whether or not internal communication is permitted in the ICE procedure, “◯” indicates that P2P communication by internal communication is permitted, and “×” indicates that P2P communication by internal communication is not permitted. .

  The external communication (no relay) flag is a flag indicating whether or not external communication (no relay) is permitted in the ICE procedure, and “◯” permits P2P communication by external communication (no relay), and “×”. Indicates that P2P communication by external communication (without relay) is not permitted.

  The external communication (with relay) flag is a flag indicating whether or not to permit external communication (with relay) in the ICE procedure, and “◯” permits P2P communication by external communication (with relay), and “×”. Indicates that P2P communication by external communication (with relay) is not permitted.

  The communication destination permission information shown in FIG. 4B has an address type and address information. As the address type, the type of communication partner permitted as a communication destination is set. When “communication destination terminal” is set as the address type, it indicates that the address set in the address information is the address of the terminal 30 permitted as the communication destination of the P2P communication. When “relay device” is set as the address type, it indicates that the address set in the address information is the address of the relay device 20 that is permitted to connect. In the example of FIG. 4B, “192.168.1. *” Is set in the record whose address type is “communication destination terminal”. This is because the IP address of the communication partner terminal 30 is 192.168.1. P2P communication is permitted only when the address is * (* represents an arbitrary number), and P2P communication to the terminal 30 having the other IP address is not permitted. Also, “192.0.2.15” is set in the record of the address type “relay device”. This indicates that P2P communication by the communication method of external communication (with relay) is permitted only when the IP address of the relay device 20 used for relay of P2P communication is 192.168.2.15. .

  In the communication destination permission information table, a plurality of IP addresses may be set or a range of IP addresses may be set.

(Relay device)
FIG. 5 is a diagram illustrating an example of a software configuration of the relay apparatus according to the embodiment. The relay device 20 according to the embodiment includes a storage unit 301, a relay unit 302, and a communication recording unit 303.

  The storage unit 301 can be realized using a RAM 103, the HDD 104, or a storage device connected to the relay device 20 via a network. The storage unit 301 stores communication record information that is capture data of P2P communication relayed by the relay device 20.

  The relay unit 302 relays P2P communication performed between the terminals 30.

  In response to an instruction from the communication control device 10, the communication recording unit 303 captures P2P communication performed between the terminals 30 and stores it in the storage unit 301.

<Processing procedure>
(Processing flow of communication control device)
FIG. 6 is a flowchart illustrating an example of a processing procedure of the communication control apparatus according to the embodiment. The communication control apparatus 10 controls a communication method of P2P communication performed between the terminals 30 by rewriting or discarding a signaling signal transmitted / received between the terminals 30 according to the processing procedure of FIG.

  In step S401, when receiving the signaling signal from the terminal 30, the communication method restriction unit 203 extracts the terminal identifier of the source terminal of the signaling signal and the terminal identifier of the destination terminal of the signaling signal included in the signaling signal. Then, various flags (an internal communication flag, an external communication (no relay) flag, an external communication (with relay) flag) included in each extracted terminal identifier record are acquired from the records in the authority information table.

  Subsequently, the communication method restriction unit 203 determines a communication method that should be permitted to each terminal 30 that performs P2P communication, from the extracted various flags. The various flags corresponding to the terminal identifier of the signaling signal transmission source terminal 30 do not always match the various flags corresponding to the terminal identifier of the signaling signal transmission destination terminal 30. For example, there may be a case where all communication methods are permitted for the terminal 30a, whereas only internal communication is permitted for the terminal 30b of the communication partner. In this case, the communication method restriction unit 203 may permit all communication methods for the terminal 30b as in the terminal 30a, and conversely, only the internal communication can be performed for the terminal 30a as in the terminal 30b. It may not be allowed.

  In step S402, the communication method restriction unit 203 deletes or permits an IP address corresponding to a communication method that is not permitted from among IP addresses corresponding to each communication method included in the signaling signal received from the terminal 30. The signaling signal including the IP address corresponding to the communication method that has not been performed is discarded without being transmitted to the terminal 30.

  In step S403, the communication destination determination unit 204 is used for the IP address of the terminal 30 used for “internal communication” and “external communication (with relay)” included in the signaling signal received in step S401. It is determined whether the relay IP address of the relay device 20 is included in the record of the communication destination permission information. If at least one of these IP addresses is not included in the record of the communication destination permission information, the communication destination determination unit 204 determines that these IP addresses are not permitted communication destinations. The process proceeds to step S404. If these IP addresses are included in the communication destination permission information record, the communication destination determination unit 204 determines that these IP addresses are permitted communication destinations, and proceeds to the processing procedure of step S405.

  In step S404, when the IP address of the terminal 30 used for “internal communication” is not a permitted communication destination, the communication destination determination unit 204 sets “internal communication” included in the signaling signal received in step S401. IP address of terminal 30 used, IP address of terminal 30 after NAT conversion used for external communication (without relay), and relay IP address of relay device 20 used for “external communication (with relay)” Or the IP address of the terminal 30 used for “internal communication” included in the signaling signal received in step S401, the IP address of the terminal 30 after NAT conversion used for external communication (without relay), And all signaling signals including the relay IP address of the relay device 20 used for “external communication (with relay)” to the terminal 30 Discarded without. All these IP addresses are deleted or all signaling signals are discarded only the IP address of the terminal 30 used for “internal communication” or the IP address of the terminal 30 used for “internal communication”. This is to prevent the P2P communication from being established using the communication method of external communication (without relay) or the communication method of “external communication (with relay)” even if only the signaling signal including the message is discarded.

  The communication destination determination unit 204 is used for “external communication (with relay)” when the relay IP address of the relay device 20 used for “external communication (with relay)” is not a permitted communication destination. The relay IP address of the relay device 20 to be deleted is deleted or the signaling signal including the relay IP address of the relay device 20 used for “external communication (with relay)” is discarded without being transmitted to the terminal 30.

  In step S405, if the communication method “external communication (with relay)” is permitted in step S401, the instruction unit 205 determines that communication recording is necessary, and proceeds to the processing procedure of step S406. If “external communication (with relay)” is not permitted, the process ends.

  In step S406, the instruction unit 205 instructs the relay apparatus 20 to record (capture) the P2P communication performed between the terminals 30 to the relay apparatus 20.

  Note that the communication control apparatus 10 may omit a part of the processing procedures of S401 to S406 as necessary as long as there is no contradiction in the processing procedures. For example, the communication control apparatus 10 may perform only the processing procedure of step S401 and step S402, or may perform only the processing procedure of step S401, step S402, step S405, and step S406. Further, the communication control apparatus 10 may perform only the processing procedure of step S403 and step S404, or may perform only the processing procedure of step S405 and step S406. Further, the communication control apparatus 10 may determine whether or not to omit a part of the processing procedure of S401 to S406 based on the terminal identifier of the terminal 30 that transmits and receives the signaling signal. By variously combining the processing procedures of FIG. 6, the communication control apparatus 10 according to the present embodiment can control the communication method performed between the terminals 30 by various methods.

(Whole communication system processing sequence)
FIG. 7 is a sequence diagram illustrating an example of a processing procedure of the communication system according to the embodiment. FIG. 7 shows a processing procedure when the terminal 30a requests the terminal 30b to start P2P communication.

  In step S501, the terminal 30a collects address candidates according to the ICE rules. Address candidates include the IP address and port number of the terminal 30a itself used for internal communication, the IP address and port number of the NAT-converted terminal 30a used for external communication (without relay), and external communication (relay) Yes, the relay IP address and port number of the relay device 20 used. The terminal 30a collects the IP address and port number of the terminal 30a itself after NAT conversion by inquiring the STUN server. Further, the terminal 30a collects the relay device 20 by inquiring the relay IP address and the port number of the relay device 20 used for external communication (with relay). Note that the STUN server inquired by the terminal 30a and the destination of the relay device 20 are set in advance in a client module that operates on the Web browser.

  In step S502, the terminal 30a transmits a communication request that is a signaling signal to the communication control apparatus 10.

  FIG. 8 is a diagram illustrating an example of a signaling signal. FIG. 8A is an example of a signaling signal transmitted from the terminal 30a to the terminal 30b in step S502. As shown in FIG. 8A, the communication request includes a terminal identifier (A) of the terminal 30a that is the source of the signaling signal, a terminal identifier (B) of the terminal 30b that is the destination of the signaling signal, SDP offer with the IP address and port number collected in S501 included.

  In step S503, the communication method restriction unit 203 of the communication control apparatus 10 performs processing according to the processing procedure of steps S401 to S402 in FIG. 7 and deletes the IP address included in the SDP offer if there is a communication method that is not permitted. . Further, when there is an IP address that is not included in the connection destination restriction information, the communication destination determination unit 204 of the communication control device 10 deletes the address included in the SDP offer according to the processing procedure of Step S403 to Step S404 in FIG. To do.

  In step S504, the communication unit 202 of the communication control apparatus 10 transmits a communication request including the SDP offer whose address has been deleted to the terminal 30b.

  In step S505, the terminal 30b collects address candidates in accordance with the ICE rules. Address candidates include the IP address and port number of the terminal 30b itself used for internal communication, the IP address and port number of the NAT-converted terminal 30b used for external communication (without relay), and external communication (relay) Yes, the relay IP address and port number of the relay device 20 used. The terminal 30b collects the IP address and port number of the terminal 30b itself after NAT conversion by inquiring of the STUN server. Further, the terminal 30b collects the relay IP address and port number of the relay device 20 used for external communication (with relay) by inquiring the relay device 20. Note that the STUN server inquired by the terminal 30b and the destination of the relay device 20 are set in advance in a client module that operates on the Web browser.

  In step S506, the terminal 30b transmits a signaling signal that is a communication request response to the communication control apparatus 10. Here, FIG. 8B is an example of a signaling signal transmitted from the terminal 30a to the terminal 30b. As shown in FIG. 8B, the communication request includes a terminal identifier (B) of the terminal 30b that is the source of the signaling signal, a terminal identifier (A) of the terminal 30a that is the destination of the signaling signal, SDP answer including the IP address and port number collected in S505 is included.

  In step S507, the communication method restriction unit 203 of the communication control apparatus 10 performs processing according to the processing procedure of steps S401 to S402 in FIG. 7, and deletes an address included in the SDP answer if there is a communication method that is not permitted. In addition, when there is an IP address that is not included in the connection destination restriction information, the communication destination determination unit 204 of the communication control device 10 determines the IP address included in the SDP answer according to the processing procedure of Step S403 to Step S404 in FIG. delete. Note that the communication method restriction unit 203 of the communication control apparatus 10 deletes the IP address corresponding to the same communication method as the communication method determined not to be permitted in step S503.

  In step S508, the instruction unit 205 of the communication control apparatus 10 performs the processing of steps S405 and S406 in FIG. 6 when the communication method of external communication (with relay) is permitted in the processing procedure of steps S503 and S507. A communication record instruction is transmitted to the relay device 20 according to the procedure. The communication record instruction includes the relay IP address and port number of the relay device 20 included in the SDP offer received in step S502 and the SDP answer received in step S506. This is because the instruction unit 205 tells the relay device 20 which terminal 30 the P2P communication performed between is to be recorded.

  Note that the instruction unit 205 may perform the processing procedure of step S508 when only the communication method of external communication (with relay) is permitted in the processing procedures of step S503 and step S507. Whether the P2P communication is established by the communication method of external communication (with relay) or the P2P communication is established by another communication method is determined between the terminal 30a and the terminal 30b. This is because it may be wasted.

  In step S509, the communication unit 202 of the communication control apparatus 10 transmits a communication request response including the SDP answer with the address deleted to the terminal 30a.

  In step S510, the terminal 30a and the terminal 30b negotiate each other by transmitting packets in order of priority to addresses corresponding to the communication methods exchanged by the signaling signal, thereby establishing P2P communication. Since no packet is transmitted to the deleted address, the terminal 30a and the terminal 30b fail to negotiate. On the other hand, when a packet is transmitted to an address that has not been deleted, since the packet reaches the partner terminal 30 unless the packet is discarded by the NAT process, the terminal 30a and the terminal 30b succeed in the negotiation. . That is, the terminal 30a and the terminal 30b can establish P2P communication only with the communication method or the communication partner whose address has not been deleted.

  Although the overall processing sequence of the communication system has been described above, the communication system according to the embodiment is configured to perform internal communication, external communication (no relay), and external communication between the terminal 30a and the terminal 30b by a communication method called “Triple ICE”. You may make it exchange the address corresponding to the communication method of communication (with relay) mutually.

  When the communication method of Triple ICE is used, first, the terminal 30a transmits an SDP offer that does not include an address to the terminal 30b via the communication control apparatus 10, and at the same time, internal communication and external communication (no relay) And collecting addresses corresponding to the communication method of external communication (with relay). Similarly, the terminal 30b transmits an SDP answer not including an address to the terminal 30a via the communication control device 10, and concurrently performs communication of internal communication, external communication (without relay), and external communication (with relay). Collect addresses corresponding to the method.

  Subsequently, when the terminal 30a collects one of the addresses corresponding to the communication methods of internal communication, external communication (without relay), and external communication (with relay), a signaling signal including the collected address is received. Each time, the data is transmitted to the terminal 30b via the communication control device 10. Similarly, when the terminal 30b collects one of the addresses corresponding to the communication methods of internal communication, external communication (without relay), and external communication (with relay), a signaling signal including the collected address is received. Each time, the data is transmitted to the terminal 30a via the communication control device 10.

  When the address is exchanged between the terminal 30a and the terminal 30b each time according to the communication method of the Triple ICE, the communication method restriction unit 203 or the communication destination determination unit 204 of the communication control apparatus 10 is connected between the terminal 30a and the terminal 30b. When an IP address that is not included in the communication method or connection destination restriction information that is not permitted is included in the signaling signal transmitted / received in (1), the signaling signal is discarded.

  Thereby, since the signaling signal including the IP address that is not included in the communication method that is not permitted or the connection destination restriction information is discarded by the communication control device 10, the terminal 30a and the terminal 30b can receive the signaling signal. P2P communication can be established only with the method or the communication partner.

<Effect>
As described above, the communication control apparatus 10 according to the embodiment deletes the address included in the signaling signal transmitted / received between the terminals 30 or discards the signaling signal based on the authority information associated with each terminal 30. Thus, the communication method of the P2P communication performed between the terminals 30 is controlled. Thereby, the communication control apparatus 10 according to the embodiment can flexibly control the P2P communication performed between the terminals 30.

  Further, the communication control apparatus 10 according to the embodiment can control the communication destination for each terminal 30 by storing the authority information for each terminal identifier. As a result, a flexible operation such as changing the permitted communication method depending on the job title of the user of the terminal becomes possible.

  Further, the communication control apparatus 10 according to the embodiment instructs the relay apparatus 20 to record the P2P communication as necessary. Accordingly, for example, it is possible to perform an operation in which all the contents of the P2P communication performed by the terminal 30 in the company are recorded.

  In addition, the communication control apparatus 10 according to the embodiment deletes the address included in the signaling signal transmitted / received between the terminals 30 or discards the signaling signal based on the communication destination permission information, so that the terminal 30 performs P2P Added the ability to limit the number of people trying to communicate. As a result, an operation of prohibiting P2P communication with the terminal 30 outside the company can be performed, and security can be enhanced. In addition, it is possible to operate such that P2P communication is permitted only through the trusted relay device 20, and it is possible to reduce the security risk that communication contents are intercepted by the malicious relay device 20.

<Supplement of embodiment>
In the present embodiment, the terminal identifier may be a user ID of a user who uses the terminal 30, for example.

  In the present embodiment, the communication control apparatus may store the communication destination permission information and the terminal identifier (or user ID) in association with each other. Further, the communication destination determination unit 204 deletes the IP address included in the signaling signal based on the communication source permission information corresponding to the terminal identifier of the signal transmission source and the terminal identifier of the signal transmission destination included in the signaling signal, or signaling The signal may be discarded. This makes it possible to control the communication destination for each terminal 30 and perform flexible operations such as changing the permitted communication method depending on the post of the user of the terminal.

  In this embodiment, the address permitted as the communication destination of the terminal 30 is stored in the communication destination permission information (white list method), but the address not permitted as the communication destination of the terminal 30 is stored. May be stored (black list method). In the case of the blacklist method, in step S403 of FIG. 6, the communication destination determination unit 204 includes the IP address of the terminal 30 used for “internal communication” included in the signaling signal received in step S401, and “external It operates to determine whether the relay IP address of the relay device 20 used for “communication (with relay)” is included in the record of the communication destination permission information. In addition, when at least one of these IP addresses is included in the record of the communication destination permission information, the communication destination determination unit 204 determines that these IP addresses are not permitted communication destinations. It operates so as to make a decision and proceed to the processing procedure of step S404. If these IP addresses are not included in the communication destination permission information record, the communication destination determination unit 204 determines that these IP addresses are permitted communication destinations, and goes to the processing procedure of step S405. Try to go forward.

  As described above, the present invention is not limited to the embodiments, and various modifications and improvements can be made within the scope of the present invention.

  As described above, the sequences and flowcharts described in the above embodiments may be switched in order as long as there is no contradiction.

  As described above, all or part of the above embodiments can be implemented by a program. This program can be stored in a storage medium.

  The communication unit 202 is an example of a receiving unit. The communication method limiting unit 203 is an example of a control unit. The internal communication, the external communication (no relay) flag, and the external communication (with relay) are examples of communication methods for P2P communication. The IP address and port number are an example of address information.

DESCRIPTION OF SYMBOLS 10 Communication control apparatus 20 Relay apparatus 30 Terminal 201, 301 Storage means 202 Communication means 203 Communication method restriction means 204 Communication destination determination means 205 Instruction means 302 Relay means 303 Communication recording means

Claims (7)

A communication control device connected to two terminals and a relay device that relays P2P communication performed between the two terminals,
Storage means for storing authority information including a communication method of the P2P communication permitted to each of the two terminals;
Receiving means for receiving signaling signals communicated between the two terminals;
Control means for controlling a communication method of the P2P communication based on the authority information when the signaling signal is received;
A communication control device.   The communication control apparatus according to claim 1, wherein the control unit controls the communication method of the P2P communication by deleting address information included in the received signaling signal or discarding the signaling signal.   The communication control apparatus according to claim 1, further comprising an instruction unit that instructs the relay apparatus to record the P2P communication based on the authority information when the signaling signal is received. The signaling signal is a signal used for establishing P2P communication by a communication means of WebRTC,
The communication control apparatus according to any one of claims 1 to 3, wherein the communication method of the P2P communication is three communication methods defined in an ICE processing procedure. A communication system having two terminals, a relay device that relays P2P communication performed between the two terminals, and a communication control device that controls the P2P communication,
The communication control device includes:
Storage means for storing authority information including a communication method of the P2P communication permitted to each of the two terminals;
Receiving means for receiving signaling signals communicated between the two terminals;
Control means for controlling a communication method of the P2P communication based on the authority information when the signaling signal is received;
An instruction means for instructing the relay apparatus to record the P2P communication based on the authority information when the signaling signal is received;
The relay device is
A communication recording means for recording the P2P communication when receiving the instruction;
A communication system. A communication control method in a communication control device connected to two terminals and a relay device that relays P2P communication performed between the two terminals,
A storage step of storing authority information including a communication method of the P2P communication permitted to each of the two terminals in a storage unit;
Receiving a signaling signal communicated between the two terminals; and
A control step of controlling a communication method of the P2P communication when the signaling signal is received;
A communication control method. A communication control program in a communication control device connected to two terminals and a relay device that relays P2P communication performed between the two terminals,
In the communication control device,
A storage step of storing authority information including a communication method of the P2P communication permitted to each of the two terminals in a storage unit;
Receiving a signaling signal communicated between the two terminals; and
A control step of controlling a communication method of the P2P communication based on the authority information when the signaling signal is received;
Communication control program to execute.

Images