JP2017163186A - End-to-end communication system, end-to-end communication method, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication system for making end-to-end direct communication without a server nor leaving data.SOLUTION: An end-to-end VPN construction method for making VPN communication directly between terminals is conducted by relaying a VPN in a TCP session. Because of direct relay of the VPN, a base station does not store a data packet nor decode the data packet. Thus, safety of VPN communication can be improved when the VPN is relayed. In addition, even if multi-stage relay via a plurality of base stations is performed, an end-to-end VPN can be provided more safely.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an inter-terminal communication system that performs communication between terminals. In particular, the present invention relates to a framework for realizing a communication system capable of performing communication without using a server.

Systems that perform communication using terminals such as smart phones and portable communication terminals are widely used. For example, a system for accessing a predetermined site from a remote location using remote access is known.
The conventional “remote access” technology includes all technologies for realizing access from a terminal to an in-house LAN or an intranet at a predetermined site over the Internet. For example, it includes all technologies for realizing and providing authentication technology for permitting access and VPN (Virtual Private Network) technology (encryption technology, etc.).

  In many cases, this remote access technology is used for an operation in which a terminal that intends to use a service securely connects to a server provided to aggregate the service.

Conventional connection mode 1 (Remote access)
FIG. 5 is an explanatory diagram showing the principle of conventional inter-terminal communication.

  In FIG. 5, a terminal 300 is connected to a predetermined site 304 via the Internet 302. The terminal 300 connects to the site 304 by connecting to a RAS (Remote Access Server) 306 (a base station that functions as). At the time of connection using this RAS, as in FIG. 5 and the like, encryption is performed for communication safety. Similarly, terminal authentication is executed, and only the terminal 300 that has succeeded in authentication can be connected.

The site 304 is a local IP environment and a secure security zone as in FIGS. Similarly, this security zone is composed of LAN / INTRANET. In many cases, the RAS 306 also serves as a base station. Hereinafter, description will be made on the assumption that the base station is RAS 306.
In the site 304, a terminal 308 in the site is located. As shown in FIG. 5, the terminal 300 can be connected to the terminal 308 in the site via the RAS 306.

  In FIG. 5, the RAS 306 mutually converts encryption and plaintext when interconnecting a TCP (Transmission Control Protocol) session between the terminal 300 and the terminal 308. That is, the RAS 306 decrypts the encrypted packet from the terminal 300 and transmits the plain packet to the terminal 308. Conversely, the RAS 306 encrypts a plaintext packet from the terminal 308 and transmits the encrypted packet to the terminal 300 via the Internet 302.

  As described above, in the conventional remote access, the RAS 306 executes encryption / decryption of a packet. In particular, the RAS 306 attempts to ensure security by applying the encryption / terminal authentication 303 to communication with the external terminal 300.

Conventional connection mode 1-2 (secure inter-terminal communication using RAS technology)
FIG. 6 is a diagram for explaining the operation when a secure communication environment between terminals is realized by applying the RAS technique.

  In FIG. 6, a terminal 400 is connected to a site 404 via the Internet 402. Terminal 400 connects to site 404 by connecting to RAS 406 (a base station that functions as). At the time of this connection, as in FIG. 5 and the like, encryption is performed for communication safety. Similarly, terminal authentication is executed, and only the terminal 400 that has succeeded in authentication can connect.

Similarly to FIG. 5, the site 404 is a secure security zone configured by LAN / INTRANET under a local IP environment. The RAS 406 is also a so-called base station, as in FIG. In the site 404, a terminal 410 in the site is located. As shown in FIG. 6, the terminal 400 can be connected to the terminal 410 in the site via the RAS 406.
In FIG. 6, the RAS 406 also performs encrypted communication with the terminal 410 in the site 404 in order to realize secure inter-terminal communication. That is, the RAS 406 performs encryption / terminal authentication for the terminal 410 as well as the terminal 400.

In such encrypted communication, the RAS 406 interconnects TCP sessions between the terminal 400 and the terminal 410. Here, in order to make such mutual connection, the RAS 406 once decrypts the received data and confirms the contents. In other words, the RAS 406 decrypts the encrypted packet from the terminal 400, flattenes it, checks the destination, and transfers the packet to the terminal 410 that is the destination. Conversely, when the RAS 406 receives the encrypted packet from the terminal 410, the RAS 406 decrypts the packet, obtains a plaintext, and confirms the content. Thereafter, the RAS 406 encrypts the plaintext packet again and transmits the encrypted packet to the terminal 400 via the Internet 402.
As described above, when the secure inter-terminal communication is realized by using the conventional RAS technique, an operation of temporarily decoding the packet transferred by the RAS 406 is executed.

Example of Detailed Operation of RAS FIG. 7 is an explanatory diagram showing a more detailed operation in which the portable information terminal accesses a predetermined server using RAS (Remote Access Server). In FIG. 7, portable information terminals 510a, 510b, and 510c access servers 504a and 504b included in the site 500 in order to use a predetermined service. For example, the server 504a is a mail server, and the server 504b is a bulletin board service. A user of the portable information terminal 510 uses the portable information terminal 510 to access the server 504 via the Internet 520 and use a predetermined service.
In this case, access from portable information terminal 510 to site 500 is performed via RAS 502. The RAS 502 is a facility included in the site 500 and is a server that receives a remote access from the outside and executes a service for connecting to a network in the site 500.

  With such a connection, for example, the portable information terminal 510a can write a predetermined message in the server 504b, and the other portable information terminal 510b can access the server 504b and read the written message. . In the conventional communication system, data and messages are always transmitted and received through the server 504a (504b) as described above.

Conventional connection mode 2 (LAN connection)
FIG. 8 shows an example of a communication system having a connection form called so-called LAN connection. As shown in this figure, a LAN 630a and a LAN 630b are connected to each other via the Internet 620. The LAN 630a is connected to the Internet 620 via a router (RT) 640a. The LAN 630b is connected to the Internet 620 via a router (RT) 640b.
A so-called VPN tunnel 642 is formed between the router 640a and the router 640b, and the LAN 630a and the LAN 630b are connected via the VPN tunnel 642, so that they can access each other.

Although not shown in FIG. 8, the LAN 630a and the LAN 630b include various servers as described in FIG. 7 and the like, and access each other's servers in the other LAN 630a (630b). be able to. The Internet 620 includes various servers 644a and 644b of various Internet service providers.
With such a connection, a terminal belonging to either the LAN 630a or the LAN 630b can also access a server included in both LANs 630. As described with reference to FIG. You can send and receive messages.

Prior Patent Literature For example, Patent Literature 1 below discloses an improved technique for remote VPN access from a user terminal to a corporate network. In particular, a mechanism has been disclosed that can reduce the double IPsec processing performed when remote VPN access is performed from a user terminal.
Further, in Patent Document 2 below, when accessing a RAS (Remote Access Service) device from a maintenance personal computer, information on the Internet connection is transmitted / received via an ISDN line, and the maintenance personal computer and the RAS device are used by using such information. Discloses a technology for mutually connecting to the Internet.
Patent Document 3 below discloses a mechanism for performing media transfer between a first LAN and a second LAN. In particular, a technology is disclosed in which a media renderer in a first LAN accesses a media server in a second LAN via a VPN tunnel.

JP 2010-206442 A JP 2010-206657 A Special table 2012-520006 gazette

  However, in the conventional method of exchanging data and sharing data while leaving data on a server on the Internet, it may be difficult to ensure security depending on the operation on the server side. In other words, for applications that use servers that cannot be secured for safety / reliability, it is appropriate from the viewpoint of safety to provide the service only with the remote access mechanism described above. I can not say.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to provide a mechanism for realizing a communication system for performing communication without leaving data without a server.

In order to solve the above problems, the inventors of the present application provide a gateway (Gateway) base station (compatible with multistage relay) for communicating without leaving data without a server, and terminal authentication for applications on a plurality of terminals or lower. The framework technology for VPN, the terminal etc. which implement | achieve the said framework were developed, and it came to make this invention.
In the present invention, there is no limitation on the application provided on the framework and the operation method thereof.

In particular, the present invention realizes an inter-terminal VPN construction method in a TCP session, as will be described in detail later. As a result, since it is serverless, VPN security can be improved during relay. Further, even when multi-stage relaying is performed, the inter-terminal VPN can be provided more safely.
Specifically, the present invention employs the following means.

  (1) The present invention includes a base station, a first terminal capable of communicating with the base station, and a second terminal capable of communicating with the base station, in order to solve the above-described problem, In the communication system for communicating with the second terminal, the first terminal transmits a VPN connection request to the second terminal as a communication partner to the base station, and the gateway base station Means for receiving the first terminal VPN address for the first terminal and the second terminal VPN address for the second terminal, and the received first terminal VPN address and the second terminal VPN address, Means for performing VPN communication with the second terminal by using a data packet including: when the base station receives the VPN connection request, the VPN connection request is a communication partner. Send to the second terminal And when the VPN connection request is received, the first terminal VPN address for the first terminal and the second terminal for the second terminal are communicated to the first terminal and the second terminal with which the first terminal communicates. 2 terminal VPN addresses are respectively generated, the first terminal VPN address is transmitted and assigned to the first terminal, and the second terminal VPN address is transmitted and assigned to the second terminal. Information on the first VPN communication used by the first terminal to which the first terminal VPN address has been assigned, and the second terminal to which the second terminal to which the second terminal VPN address has been assigned are used for generating and transmitting the address. 2 VPN communication information is described, and with reference to the relay table for relaying the first VPN communication and the second VPN communication, and the relay table, the first terminal 2 The data packet to be transmitted end to, it is a communication system which comprises a relay means for relaying to the second terminal which is the communication partner, the.

  (2) Further, the present invention provides the communication system according to (1), wherein both the first terminal and the second terminal send a TCP connection request for requesting TCP communication to the base station. And the base station, when receiving the TCP connection request, based on the TCP connection request, the VPN communication used by the first terminal or the second terminal that has transmitted the TCP connection request The VPN address generation / transmission means, when receiving the VPN connection request, uses the generated second terminal VPN address for the VPN communication used by the second terminal. In the relay table, and the relay means includes the VPN table information including the VPN communication information corresponding to the second terminal VPN address. Based on the volume, the VPN communication from the first terminal to the second terminal, a communication system, wherein the second terminal is relayed to VPN communications utilizing.

  (3) Further, the present invention provides the communication system according to (1) or (2), wherein the first terminal VPN address and the second terminal VPN address are IP addresses. It is.

  (4) Further, the present invention provides a terminal device operating as the first terminal used in the communication system according to any one of (1) to (3), to the second terminal that is a communication partner. Means for transmitting a VPN connection request to the base station; means for receiving a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal from the gateway base station; And a means for executing VPN communication with the second terminal using the received data packet including the first terminal VPN address and the second terminal VPN address. It is.

  (5) In the base station used in the communication system according to any one of (1) to (3), when the VPN connection request is received, the VPN connection request is transmitted to the communication partner. The first terminal VPN address for the first terminal with respect to the first terminal and the second terminal that is the communication partner of the first terminal when receiving the VPN connection request and the means for transmitting to the second terminal And a second terminal VPN address for the second terminal are generated, the first terminal VPN address is transmitted and assigned to the first terminal, and the second terminal VPN is transmitted to the second terminal. VPN address generation and transmission means for transmitting and assigning an address, information on the first VPN communication used by the first terminal to which the first terminal VPN address is assigned, and the second terminal VPN address are assigned. Information of the second VPN communication used by the second terminal is described, and a relay table for relaying the first VPN communication and the second VPN communication is referred to, and the relay table is referred to And a relay means for relaying the data packet transmitted from the first terminal to the second terminal as it is to the second terminal as a communication partner.

  (6) In order to solve the above-described problem, the present invention includes a base station, a first terminal that can communicate with the base station, and a second terminal that can communicate with the base station, and the first terminal And in a communication method in a communication system that communicates with the second terminal, the first terminal transmits a VPN connection request to the second terminal that is a communication partner to the base station, and A first terminal receiving a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal from the gateway base station; and the first terminal receiving Performing a VPN communication with the second terminal using a data packet including the first terminal VPN address and the second terminal VPN address, and the base station receives the VPN connection request. if you did this, A step of transmitting the VPN connection request to the second terminal as a communication partner, and when the base station receives the VPN connection request, the first terminal and the second terminal as a communication partner thereof Generating a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal, respectively, and transmitting and assigning the first terminal VPN address to the first terminal; VPN address generation and transmission step of transmitting and assigning the second terminal VPN address to the second terminal, and the base station using the first terminal to which the first terminal VPN address is assigned is used. VPN communication information and second VPN communication information used by the second terminal to which the second terminal VPN address is assigned are described, and the first VPN communication and the second VPN communication are described. A relay step of relaying the data packet transmitted from the first terminal to the second terminal as it is to the second terminal that is a communication partner with reference to a relay table for relaying A communication method characterized by the above.

  (7) Further, the present invention provides the communication method according to (6), wherein the first terminal and the second terminal transmit a TCP connection request for requesting communication by the TCP to the base station to the base station. And, when the base station receives the TCP connection request, based on the TCP connection request, information on VPN communication used by the first terminal or the second terminal that has transmitted the TCP connection request In the VPN address generation / transmission step, the base station uses the generated second terminal VPN address by the second terminal when receiving the VPN connection request. It is described in the relay table in correspondence with the information of VPN communication, and in the relay step, the base station corresponds to the VPN address for the second terminal A communication method for relaying VPN communication from the first terminal to the second terminal to VPN communication used by the second terminal based on the contents of the relay table including PN communication information is there.

  (8) Further, the present invention provides a computer program for operating a computer as a first terminal used in the communication system according to any one of (1) to (3), to the second terminal that is a communication partner. Of transmitting a VPN connection request to the base station, and receiving a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal from the gateway base station And a step of executing VPN communication with the second terminal using the received data packet including the first terminal VPN address and the second terminal VPN address. Is a computer program characterized by

  (9) In the computer program for operating a computer as the base station used in the communication system according to any one of (1) to (3), when the VPN connection request is received, A procedure for transmitting the VPN connection request to the second terminal that is a communication partner, and when the VPN connection request is received, the first terminal and the second terminal that is a communication partner of the first terminal A first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal are generated, and the first terminal VPN address is transmitted and assigned to the first terminal. VPN address generation and transmission procedure for transmitting and assigning the second terminal VPN address to the first terminal used by the first terminal to which the first terminal VPN address is assigned N communication information and second VPN communication information used by the second terminal to which the second terminal VPN address is assigned are described, and the first VPN communication, the second VPN communication, A relay procedure for relaying the data packet transmitted from the first terminal to the second terminal as it is to the second terminal that is a communication partner, with reference to a relay table for relaying A computer program that is executed by a computer.

  Thus, according to the present invention, it is possible to realize a communication system capable of performing communication without using a server or the like.

It is explanatory drawing which shows the principle of the communication system which concerns on this embodiment. It is explanatory drawing which shows the structure of the function of the framework of the communication system which concerns on this embodiment. It is a time chart explaining operation | movement in the case of performing communication between the terminals of the communication system of this embodiment. In this embodiment, it is explanatory drawing which shows a mode that relay is performed when a gateway base station becomes multistage. It is explanatory drawing which shows the concept of the conventional communication system using remote access. It is explanatory drawing which shows the structure of the conventional communication system which implement | achieves the secure communication between terminals using remote access. It is explanatory drawing which shows operation | movement of the conventional communication system using remote access. It is explanatory drawing which shows the structure of the conventional communication system which implement | achieves the connection between LAN.

  Hereinafter, a communication system 10 according to a preferred embodiment of the present invention will be described with reference to the drawings.

A. Embodiment 1
First. Outline of Configuration FIG. 1 is an explanatory diagram showing the principle for realizing the inter-terminal communication of the first embodiment.

  Similar to FIG. 5 and FIG. 6 described in the section of the prior art, the terminal 1 is connected to a predetermined site 5 via the Internet 3. The terminal 1 connects to the site 5 by connecting to the base station 7. At the time of this connection, as in FIG. 5 and the like, encryption is performed for communication safety. Similarly, terminal authentication is executed, and only the terminal 1 that has succeeded in authentication can connect, as in FIG.

In the first embodiment, an example in which the terminal 1 is connected via the Internet 3 is shown, but the terminal 1 may be connected using another communication method.
The site 5 is a local IP environment and a secure security zone as in FIGS. Similarly, this security zone is composed of LAN / INTRANET. This base station 7 may also serve as RAS. Hereinafter, the base station 7 will be described as having the RAS function. In the site 5, a terminal 9 in the site is located. As shown in FIG. 1, the terminal 1 can be connected to the terminal 9 via a base station 7. In the first embodiment, the site 5 shows an example of a local IP environment. However, the site 5 may be configured in another network or other environment.

In FIG. 1, the terminal 1 is depicted as an independent terminal, but the terminal 1 itself may be a terminal 1 in a predetermined local IP environment such as the site 5. In that case, similarly to the terminal 9, the terminal 1 connects to the Internet 3 through a predetermined base station and connects to the base station 7 through the Internet 3. Similarly, although the terminal 9 is depicted as the terminal 9 in the site 5, as with the terminal 1, it may be an independent terminal 9 that does not belong to a predetermined site.
In FIG. 1, a base station 7 interconnects TCP sessions transmitted from two terminals 1 and 9. What is characteristic in the present embodiment is that the base station 7 does not decrypt the cipher of the TCP session in the base station 7 and transfers the ciphertext as it is.

As described above, one of the characteristic features of the first embodiment is that the data (packets) encrypted in the base station 7 at the time of mutual connection are mutually decrypted (without being converted into plaintext). Is sending and receiving. As a result, since it is not converted into plain text, the risk of data being read by a third party can be reduced. Therefore, according to the first embodiment, the security of communication between terminals can be more accurately ensured and the safety can be further improved as compared with various conventional interconnection technologies.
The data (packet) in the first embodiment (2) is a preferred example of the “data packet” in the claims. The “data packet” in the claims may be a set of data forming a unit of communication, and is not only a so-called data or packet, but also a set of data called “frame”, “datagram”, “message”, etc. The body is also included.

  As shown in FIG. 1, in the first embodiment, the encryption / terminal authentication technology 4a is applied to the terminal 1 as in FIG. 5 of the prior art, but in addition to this, for the terminal 9 In addition, the inter-terminal authentication technology 4b is supported.

As a result, in the first embodiment, by combining the inter-terminal authentication technology 4b and the TCP session switching technology provided by the base station 7, an end-end (terminal-terminal) secure communication environment can be constructed. In the first embodiment, the site 5 is a Local IP environment, and a security zone is formed by, for example, LAN / Intranet.
Further, for example, even if the terminal 9 moves and its IP address changes in this security zone of the site 5, the communication environment can be maintained. Details of this operation will be described later.

2nd. Details of Framework FIG. 2 is an explanatory diagram showing a framework of functions of the communication system 10 according to the first embodiment. As shown in FIG. 2, in the communication system 10, the first terminal 12 a and the second terminal 12 b are both connected to the gateway base station 18. As described with reference to FIG. 1, as a connection form, connection by the Internet or connection by LAN can be used, but connection may be made by other various communication means.
In addition, the 1st terminal 12a and the 2nd terminal 12b are corresponded to a suitable example of the terminal device of a claim.

  The 1st terminal 12a and the 2nd terminal 12b are portable information terminals, for example, and are a mobile phone, a smart phone, a tablet terminal, a notebook personal computer, etc. The gateway base station 18 is a base station that accommodates each terminal and connects each terminal to a network (not shown). This base station may be, for example, a base station of a mobile phone network or a Wi-Fi access base station for connecting to the Internet. Any base station may be used as long as terminals such as the first terminal 12a and the second terminal 12b can be connected, and the connection form is not limited.

Although omitted in FIG. 2, the gateway base station 18 can be connected to the Internet or a regional IP network as a (upper) network to be connected. Moreover, you may utilize as a network to which a mobile telephone network etc. connect.
The gateway base station 18 corresponds to a preferred example of the base station in the claims.

  A characteristic feature of the first embodiment is that a framework 24 for terminal authentication VPN is realized for the above purpose. With this framework 24, the first terminal 12a and the second terminal 12b can communicate without going through a server. That is, it is possible to transmit and receive data and messages without accumulating data and messages in the server.

On the other hand, in the conventional communication system, a predetermined server is arranged above the gateway base station 18, and data is transmitted and received through this server. Conventionally, the first terminal 12a and the like access this server, store predetermined data, and another server (for example, the second terminal 12b) accesses the server to acquire the predetermined data. This is a general conventional data transmission / reception flow.
The first embodiment realizes a data communication system that does not use a server (no data is stored in the server) by the gateway base station 18 transferring, for example, TCP (VPN) as it is to a communication partner terminal without using a server. It is something to try. By connecting the VPNs, the terminals can communicate as if they are in the same domain.

(2-1) Functional configuration of terminals (first terminal 12a, second terminal 12b) As shown in FIG. 2, the first terminal 12a implements various applications 14a and a framework 24 for terminal authentication VPN. A terminal-side framework 16a.

  Here, the application 14a means an application program, and a processor (for example, CPU) in the first terminal 12a executes the application program to provide various services to the user.

The terminal-side framework 16a in FIG. 2 is a terminal-side framework for realizing the above-described terminal authentication VPN framework 24. The terminal-side framework program is stored in the processor of the first terminal 12a. (CPU etc.) is executed by executing. That is, the processor of the first terminal 12a executes the terminal-side framework program stored in a predetermined storage unit, thereby configuring a part of the framework 24 for terminal authentication VPN described in FIG. A terminal-side framework 16a is provided.
Therefore, the operations of the first terminal 12a and the second terminal 12b in FIG. 3 and the like to be described later are realized by each terminal processor (CPU or the like) executing this terminal-side framework program.

  The first terminal 12a includes communication means (hardware) for connecting to the gateway base station 18, and can communicate with the gateway base station 18 by the terminal-side framework program. For example, in FIG. 3 and FIG. 4 to be described later, a process of transmitting a predetermined request or response and a process of receiving them are executed by the terminal processor executing the terminal-side framework program and controlling the communication means. Is realized.

  The second terminal 12b has the same configuration as that of the first terminal 12a, and includes an application 14b and a terminal-side framework 16b, similarly to the first terminal 12a. The terminal-side framework 16b provides a program similar to the terminal-side framework program of the first terminal 12a when the processor (CPU or the like) in the second terminal 12b executes.

In other words, the operation of the second terminal 12b in FIG. 3 and the like is realized by the processor of the second terminal 12b executing the terminal-side framework program. Similarly to the first terminal 12a, the second terminal 12b also includes communication means (hardware) for connecting to the gateway base station 18. When the processor of the second terminal 12b executes the terminal-side framework program, processing for transmitting and receiving requests and responses as shown in FIGS. 3 and 4 is realized.
The terminal-side framework program corresponds to a preferred example of the computer program in the claims.

(2-2) Functional Configuration of Gateway Base Station As shown in FIG. 2, the gateway base station 18 includes a security setting management function 20 and an authentication and VPN function 22.
The security setting management function 20 is a function for setting and managing security for the gateway base station 18 for communication, and is realized by a processor (CPU or the like) in the gateway base station 18 executing a predetermined program. It is a function.

  Further, the gateway base station 18 has a function as a gateway for connecting the first terminal 12a and the second terminal 12b to a network such as the Internet as its basic function. The gateway base station 18 includes communication means for connecting to the first terminal 12a and the second terminal 12b.

  Further, the authentication and VPN function 22 provided in the gateway base station 18 is a function for realizing the above-described framework 24 for terminal authentication VPN. The gateway base station 18 has a predetermined authentication and VPN program stored therein. It is realized by executing. The authentication and VPN program is stored in a predetermined storage means in the gateway base station 18, and a processor (CPU or the like) of the gateway base station 18 executes the authentication and VPN program, whereby the authentication and VPN function 22 is executed. And a part of the framework 24 for terminal authentication VPN described in FIG. 3 and the like can be configured.

  The authentication and VPN function 22 of the gateway base station 18 authenticates the first terminal 12a and the second terminal 12b, and constructs a VPN line between the first terminal 12a and the second terminal 12b. A function to relay VPN communication between them is realized. That is, various operations of the gateway base station 18 in FIG. 3 and FIG. 4 to be described later, relaying of requests and processing / responses, construction of a relay table, and description of contents of the relay table are performed by the processor (CPU and the like) of the gateway base station 18. ) Is realized by executing the authentication and VPN program. Similarly, the generation of a VPN address and the providing operation (transmission operation) are realized by executing the authentication and VPN program by the processor (CPU or the like). Transmission / reception processing such as relay operation is also executed by the authentication and VPN program controlling the communication means that the gateway base station 18 uses.

Further, the terminal authentication VPN framework 24 performs authentication with the gateway base station 18 without depending on the above-described applications 14a, 14b, etc. from the side of the first terminal 12a and the second terminal 12b, and establishes the VPN line. It is a function to build. Further, the terminal authentication VPN framework 24 is a function including a network function for performing authentication with a partner terminal (the first terminal 12a and the second terminal 12b).
The authentication and VPN program corresponds to a preferred example of the computer program in the claims.

Characteristics of Framework 24 for Terminal Authentication VPN In the first embodiment, any communication path between the first terminal 12a and the gateway base station 18 may be used. The network may be the Internet, a predetermined LAN connection, a Wi-fi connection, or a communication line such as a mobile phone. The framework 24 for terminal authentication VPN proposed in the first embodiment does not depend on the type of physical network. Further, the framework 24 for terminal authentication VPN proposed in the first embodiment does not depend on the types of applications 14a and 14b. If it is an application using VPN, the framework 24 for terminal authentication VPN in this Embodiment 1 can be utilized. Note that the characteristics of the framework 24 for terminal authentication VPN are the same in the second embodiment to be described later.

3rd. Detailed view 3 VPN work together in the framework of the present embodiment (relay operation), state of the communication between the first terminal 12a of the configuration described in FIG. 2, a second terminal 12b, and the gateway base station 18 It is a time chart figure which shows. A specific communication operation will be described with reference to FIG.

The transmission / reception and processing of the first terminal 12a and the second terminal 12b described in (3-1) to (3-4) below are performed by the above-described processor of the first terminal 12a and the second terminal 12b. This is realized by executing a work program. In particular, transmission and reception of packets and messages are realized by the terminal-side framework program controlling the communication means provided in the first terminal 12a and the second terminal 12b by executing the program.
Similarly, the transmission / reception and processing executed by the gateway base station 18 in (3-1) to (3-4) are realized by executing the authentication and VPN program by the processor of the gateway base station 18 described above. ing. In particular, transmission and reception of packets and messages are realized by an authentication and VPN program controlling communication means provided in the gateway base station 18 by executing the authentication and VPN program.

(3-1) Terminal authentication sequence (processing between terminal and gateway base station)
After the gateway base station 18 receives the authentication request access from the terminal side (first terminal 12a, second terminal 12b), the gateway base station 18 is configured by combining the sample code (connection time, CPU-ID, etc.) Value) is generated, and the sample code encrypted with the public key on the terminal side is transmitted to the terminal side.

The terminal side decrypts the sample code with the terminal's private key, obtains the original sample code, and hashes the obtained sample code. The terminal side transmits the hashed data to the gateway base station 18. The gateway base station 18 compares the data of the sample code hashed by the gateway base station 18 with the hashed data transmitted from the terminal side, and if they are the same, the gateway base station 18 determines that the authentication for the terminal is successful.
In the following, the detailed processing flow of the terminal authentication sequence will be described with reference to FIG.

(3-1a). Authentication sequence on the first terminal side First, a predetermined application 14a that requests communication with the second terminal 12b is running on the first terminal 12a. The application 14a outputs an application connection command 30 to the first terminal 12a. Then, the first terminal 12 a transmits a terminal authentication request 32 to the gateway base station 18 via a network such as the Internet 3. The first terminal 12a has a terminal ID and transmits a terminal authentication request 32 including this terminal ID.

  When receiving the terminal authentication request 32, the gateway base station 18 executes a terminal authentication process 34, and executes transmission / reception of a predetermined message and data with the first terminal 12a. The gateway base station 18 executes the terminal authentication process 34, and executes the VPN TCP information generation process 36 based on the result.

After the VPN TCP information generation process 36 is completed, the gateway base station 18 transmits a terminal authentication response 38 to the first terminal 12a. The terminal authentication response 38 includes various types of information (VPN TCP information) generated by the VPN TCP information generation process 36.
Upon receiving the terminal authentication response 28, the first terminal 12a acquires the VPN TCP information 40 included therein.
On the other hand, the gateway base station 18 transmits a terminal authentication request 42 to the second terminal 12b with which the first terminal 12a wants to communicate based on the terminal authentication request 32 from the first terminal 12a. This transmission may be performed through the Internet 3 or may be a LAN / Intranet within a predetermined site 5.

(3-1b). Authentication sequence on the second terminal side Next, on the second terminal 12b, for example, a predetermined application 14b that requests communication with the first terminal 12a is running, and like the first terminal 12a, Output application connection command. Then, the second terminal 12b transmits a terminal authentication request 42 to the gateway base station 18 via a network such as a wired LAN or a wireless LAN. The second terminal 12b also has a terminal ID, and transmits a terminal authentication request 42 including this terminal ID.

When receiving the terminal authentication request 42, the gateway base station 18 executes a terminal authentication process 44, and executes transmission / reception of a predetermined message and data with the second terminal 12a. The gateway base station 18 executes the terminal authentication process 44, and executes the VPN TCP information generation process 46 based on the result.
After the VPN TCP information generation process 46 is completed, the gateway base station 18 transmits a terminal authentication response 48 to the second terminal 12b. The terminal authentication response 48 includes various types of information (VPN TCP information) generated by the VPN TCP information generation process 46.

  When the second terminal 12b receives the terminal authentication response 48, the second terminal 12b acquires the VPN TCP information 50 included therein.

As a result of the above processing, authentication is completed for both the first terminal 12a and the second terminal 12b, and VPN TCP information can be acquired.
Note that both the first terminal 12a and the second terminal 12b have terminal IDs, but this terminal ID may be any ID that the gateway base station 18 can identify. For example, a telephone number may be used, and when using SIP (Session Initiation Protocol), a SIP URI (Uniform Resource Identifier) may be used. Any device that can uniquely identify a terminal can be used. In other words, any information may be used as long as the gateway base station 18 can identify each terminal.

(3-2) Inter-terminal authentication sequence (processing between the first terminal 12a and the second terminal 12b)
After the authentication request access from the source terminal (for example, the first terminal 12a) is received by the destination terminal (for example, the second terminal 12b), the destination terminal generates a combination of sample codes (connection time, CPU-ID, etc.) Value) is generated, and the encrypted sample code encrypted with the public key of the source terminal is transmitted to the source terminal.

The source terminal decrypts the transmitted encrypted sample code with the secret key of the source terminal to obtain original sample data. The transmission source terminal transmits data obtained by hashing the original sample data to the destination terminal. The destination terminal compares the hashed sample code data with the hashed data transmitted from the source terminal. If the destination terminal is the same, the destination terminal certifies that the source terminal has been successfully authenticated.

Hereinafter, a specific processing flow of the inter-terminal authentication sequence will be described with reference to FIG. This sequence is a series of processes from the inter-terminal authentication request 52 to the inter-terminal authentication responses 66 and 64 in FIG.
First, the first terminal 12a performs authentication as a communication partner with the second terminal 12b. For this purpose, the first terminal 12 a transmits the authentication terminal-to-terminal authentication request 52 to the second terminal 12 b via the gateway base station 18.

The gateway base station 18 transmits the received inter-terminal authentication request 52 to the second terminal 12b. For convenience, this transmitted inter-terminal authentication request is referred to as an inter-terminal authentication request 54.
Next, the second terminal 12b receives the transmitted inter-terminal authentication request 54. The second terminal 12b executes an inter-terminal authentication process 58 based on the received inter-terminal authentication request 54.

Note that the first terminal 12a also executes the inter-terminal authentication process 56 in the same manner as the inter-terminal authentication process 58 on the second terminal 12b side.
As described above, the inter-terminal authentication processes 56 and 58 include a process in which the second terminal 12b generates a sample code and transmits the code encrypted with the public key of the first terminal 12a to the first terminal 12a. This includes a process in which one terminal 12a decrypts a sample code encrypted using its own private key to obtain original sample data.

  The inter-terminal authentication processes 56 and 58 include a process of hashing the original sample data obtained by the first terminal 12a and transmitting it to the second terminal 12b, the data received by the second terminal 12b, and the original data itself. It includes a process of comparing sample data with hashed data. Further, the inter-terminal authentication processing 56, 58 compares the hashed data received by the second terminal 12b with the data hashed by the second terminal itself, and if both are the same, the other party is regarded as a legitimate terminal. Accredited and certified as successful. When such processing is performed mutually and the other party is authenticated as a legitimate terminal, authentication information that is information related to the authentication is acquired from each other.

The first terminal 12a acquires authentication information 60 as a result of the inter-terminal authentication process 56, and the second terminal 1bj acquires authentication information 62 as a result of the inter-terminal authentication process 58. The authentication information 60 and 62 includes an authentication code used when performing VPN connection.
Further, the second terminal 12b executes an inter-terminal authentication response 66 as a response to the inter-terminal authentication request 54. The gateway base station 18 relays this inter-terminal authentication response 66 and transmits it to the first terminal 12a. For convenience, this transmitted packet is referred to as an inter-terminal authentication response 64, but is substantially the same as the inter-terminal authentication response 66.

(3-3) TCP connection establishment sequence (processing between terminals 12a and 12b and gateway base station 18)
Next, the gateway base station 18 waits for a TCP connection request access (68, 70) to be transmitted from the terminal side (first terminal 12a, second terminal 1b) that has completed authentication. After receiving the TCP connection request access, the gateway base station 18 connects the information between the terminals (between the first terminal 12a and the second terminal 12b) and transfers the proxy information in the gateway base station 18. On the relay table. Specifically, new entries related to the request are added to the relay table.

The first terminal 12a (second terminal 12b) transmits a message (packet) including information on TCP communication that the first terminal 12a (second terminal 12b) wants to execute to the gateway base station 18. This message transmission is called TCP connection request access 68 (70).
Note that this relay table may be newly constructed for each TCP connection every time each TCP connection request access is received.

  This relay table is a table that the gateway base station 18 refers to when connecting TCP (TCP relay, TCP transfer) between terminals (between the first terminal 12a and the second terminal 12b). In this TCP connection establishment sequence, information on TCP to be relayed is added (registered) to the relay table. In other words, entries in the table are added. This relay table is a table for realizing proxy transfer by connecting TCP between terminals (between the first terminal 12a and the second terminal 12b).

  As described in the VPN connection sequence (4) described later, when a VPN address is determined, information on which TCP (TCP used as a VPN) and which TCP is relayed together with the VPN address. Are described in the relay table together with the VPN address.

This relay table can be stored in a predetermined storage means in the gateway base station 18. For example, it is preferable to use various semiconductor storage means, and a hard disk or various optical disks may be used.
The gateway base station 18 can determine the end of the TCP connection based on the elapsed time or the response change of the connection maintenance response after the relay table is constructed. For example, with respect to TCP that does not transmit / receive data for a predetermined time, it is possible to block and terminate the inter-terminal TCP connection by deleting the relay table (entry).
The relay table may be created for each TCP, but in this case, when the end of TCP connection is determined based on the elapsed time or the like, the relay table is deleted for each table corresponding to the TCP.

In the present embodiment, a case where the relay table mainly includes information on a plurality of TCPs will be described. In this case, it is determined that the TCP connection in the table is ended due to an elapsed time or a response change of the connection maintenance response. It is preferable to delete only the entry corresponding to the TCP in the relay table.
Specific processing of the TCP connection establishment sequence will be described with reference to FIG. This sequence corresponds to the processing from the TCP connection request access 68 to the VPN TCP relay connection completion 72 in FIG.

After the first terminal 12a receives the above-described inter-terminal authentication response 64 from the second terminal 12b,
A TCP connection request access 68 can be sent. The first terminal transmits this TCP connection request access 68 using the VPN TCP information 40 described above.
Upon receiving the TCP connection request access 68, the gateway base station 18 creates the entry in the relay table for VPN TCP relay connection using the VPN TCP information 40, and uses the VPN TCP information 40. Describes information about TCP.

As described above, the VPN TCP information 40 is TCP information generated by executing the VPN TCP information generation process 36 for the first terminal 12a.
By creating such a relay table, the gateway base station 18 can relay the TCP directed to the first terminal 12a to the TCP of the first terminal 12a.

On the other hand, the second terminal 12b can also transmit the TCP connection request access 70 after transmitting the above-described inter-terminal authentication response 66 (or at the same time). The second terminal 12b transmits the TCP connection request access 70 using the VPN TCP information 50 described above.
Similarly, when the gateway base station 18 receives the TCP connection request access 70, the gateway base station 18 creates an entry in the relay table for VPN TCP relay connection using the VPN TCP information 50, and stores the VPN TCP information 50. Describe in the entry. As described above, the VPN TCP information 50 is information generated by the gateway base station 18 executing the VPN TCP information generation process 46 for the second terminal 12b.

In this way, by constructing the relay table, the gateway base station 18 can relay TCP destined for the second terminal 12b to the second terminal 12a. This state is represented as VPN TCP relay connection completion 72 in FIG.
As a result of the TCP connection establishment sequence process as described above, a TCP connection can be established between the first terminal 12a and the second terminal 12b, and the encrypted data is decrypted and converted into plain text on the way. Without connecting, it is possible to connect directly with one TCP (VPN). The gateway base station 18 only performs relaying, does not store data therein, and does not decrypt encrypted data.

  As described above, in the first embodiment, as a result of connecting the TCP (connecting the VPN), the encrypted data is not decrypted and the data is not accumulated in the server or the like. It is possible to realize communication with improved safety. Next, a process for performing communication with VPN connection using the relay table in the gateway base station 18 created in the “TCP connection establishment sequence” will be described.

(3-4) VPN connection sequence (processing between the first terminal 12a and the second terminal 12b)
Next, after a relay table for TCP (VPN) relay is created, TCP connection is possible between terminals. Therefore, VPN cooperation using such TCP is possible. In this VPN connection sequence, if a VPN address is generated or the like, it is possible to perform VPN cooperation between the first terminal 12a and the second terminal 12b.

First, in the above-described terminal authentication sequence, when the authentication is successful, the destination terminal (second terminal 12b) side generates an authentication code (included in the authentication information 62) for establishing a VPN session. This authentication code is authenticated by executing encryption / decryption / hashing in the same manner as the above-described inter-terminal authentication sequence.
Specifically, the flow is as follows.

The second terminal 12b encrypts the authentication code (included in the authentication information 62) with the public key of the first terminal 12a and transmits it to the first terminal 12a.
The first terminal 12a decrypts the encrypted data with its own secret key and hashes it, and transmits it to the second terminal 12b.
The second terminal 12b compares the transmitted hashed data with the authentication code hashed by itself, and determines that the authentication is successful if they are the same.

  Also, in this VPN connection sequence, exchange of specifications such as association with a common key used for VPN and a terminal ID is performed, and a VPN IP address is generated. The processor (CPU or the like) of the gateway base station 18 performs this generation processing by executing the authentication and VPN program described above. That is, the program and the processor correspond to a suitable example of the VPN address generation / transmission means in the claims. The VPN IP addresses generated in this way are sent to the other terminal in order to exchange each other. The VPN IP address can be described in the relay table. Thereafter, communication can be performed using this VPN IP address. Thereby, the gateway base station 18 can know the associated VPN (TCP) from the VPN IP address based on the relay table, and can find the destination VPN address. In this manner, a serverless VPN (not stored in the server) can be established between the first terminal 12a and the second terminal 12b.

Hereinafter, a specific processing flow of the VPN connection sequence will be described with reference to FIG.
First, the first terminal 12a transmits a VPN connection request 74.
The gateway base station 18 transfers this VPN connection request 74 to the second terminal 12b. Although it is a request having the same content, in FIG. 3 for convenience, this is called a VPN connection request 76. When receiving the VPN connection request 76, the second terminal 12b performs authentication using the authentication code (included in the authentication information 62) as described above. And after authenticating, the 2nd terminal 12b performs the VPN item exchange process 80 which is a process which performs the exchange of the item regarding VPN.

  In accordance with this, the first terminal 12a also performs the VPN specification exchange process 78 for exchanging the specifications relating to the VPN after performing authentication using the authentication code (included in the authentication information 60). In the specification exchange process, as described above, the specification exchange such as the association with the common key used for the VPN and the terminal ID is performed.

In the specification exchange process (78, 80), the gateway base station 18 generates a VPN IP address for each terminal based on the specifications. The gateway base station 18 provides (transmits) the generated VPN IP address to the first terminal 12a and the second terminal 12b in the processing of the VPN specification exchanges 78 and 80. The gateway base station 18 can describe the generated VPN IP address together with the VPN corresponding to the relay table described above. The processor (CPU or the like) of the gateway base station 18 performs this generation process by executing the authentication and VPN program already described. That is, the authentication and VPN program, the CPU that executes the program, and the communication interface (communication means) between the first terminal 12a and the second terminal 12b correspond to a preferred example of the VPN address generation / transmission means in the claims. .
The VPN IP addresses are shown as a first terminal VPN address 94 and second terminal VPN addresses 86 and 92 in FIG. In the first embodiment, the first terminal 12a and the second terminal 12b can perform communication using the IP addresses (the first terminal VPN address 94 and the second terminal VPN address 92).

As described above, the terminal ID is an ID unique to the first terminal 12a and the second terminal 12b, and the gateway base station 18 recognizes each terminal using this terminal ID. The gateway base station 18 gives a VPN address (IP address) to each terminal each time there is a VPN connection request, and each terminal can perform VPN communication using the VPN address.
For example, the second terminal 12a transmits a VPN connection response 84 to the first terminal 12a in order to start VPN communication when the VPN can be constructed after performing the specification exchange. In particular, the second terminal 12 b transmits a VPN connection response 84 including the second terminal VPN address to the gateway base station 18. As a result, the second terminal 12b can return the VPN connection response and simultaneously transmit the second terminal VPN address 86 to the first terminal 12a via the gateway base station 18.

The gateway base station 18 transfers the received VPN connection response 84 to the first terminal 12a. For convenience, the transferred VPN connection response is referred to as a VPN connection response 82.
The first terminal 12a receives the VPN connection response 82 and receives various specifications, parameters, and data. In particular, the first terminal 12a obtains the second terminal VPN address 86, and thereafter uses the second terminal VPN address 86 to execute communication using the VPN to the second terminal 12b. it can.

  Communication using VPN is so-called serverless communication, and communication between terminals is possible without being accumulated in a server or the like. Based on the relay table, the gateway base station 18 can know that the VPN corresponding to the first terminal VPN address 94 and the VPN corresponding to the second terminal VPN address 86 are linked. Based on the address, the encrypted packet 90 can be transferred (relayed) between VPNs. A processor (CPU or the like) of the gateway base station 18 can perform such VPN relay using the relay cable by executing the authentication and the VPN program. Therefore, the communication interface (communication means) between the processor (CPU or the like) of the gateway base station 18, the authentication and VPN program, and the first terminal 12 a and the second terminal 12 b is suitable for the relay means in the claims. It corresponds to an example.

A schematic state of the encrypted packet 90 used in the VPN communication is described in the lower part of FIG. The encrypted packet 90 shown in FIG. 3 is a packet transmitted / received by the application program, and includes a second terminal VPN address 92 (same as the second VPN address 86) as a source address. In addition, a first terminal VPN address 94 is also included as a destination address.
The encrypted packet 90 includes data used by the application (hereinafter simply referred to as application data 98), and the application can transmit and receive data between the first terminal 12a and the second terminal 12b. Is possible. As a protocol for transmitting and receiving the application data, for example, TCP, UDP (User Datagram Protocol) or the like can be used. In the first embodiment, an example in which TCP and UDP can be used will be described. In the first embodiment, these TCP and UDP are included in the encrypted packet 90 as TCP / UDP 95 for application data.

  Through the processing as described above, the first terminal 12a and the second terminal 12b can generate the first terminal VPN address 94 and the second terminal VPN address 92 for constructing the VPN. And can communicate with each other. As a result, in each terminal (first terminal 12a, second terminal 12b), the application program can transmit and receive data using, for example, TCP / IP100. As a result, each application program can operate as transmitting / receiving data via the Proxy 102 (which does not accumulate data).

4th. Comparison with the prior art As described above, in the prior art, when a VPN is constructed between mobile terminals using a TCP session, the VPN is generally managed by a “server” called a relay server. Yes. This relay server once decrypts the encrypted packet when transferring data (packet). Therefore, a security vulnerability occurs at that time.

In the first embodiment, the packet is never decoded even if the gateway base station 18 is relayed in multiple stages without using such a “server”. Therefore, the packet in the conventional relay server is once decoded. In principle, there are no vulnerabilities. A characteristic matter in this embodiment is that packets are transmitted and received between terminals without being decoded in this way.
Furthermore, the characteristic matter in the first embodiment is that mutual authentication is performed between the gateway base station 18 to which the terminals 12a and 12b are connected and the terminals 12a and 12b, and a VPN on the TCP session is constructed. It is a point. As a result, it is not necessary to decode a packet even when it passes through a plurality of gateway base stations 18 (when it is relayed in multiple stages). Next, the operation when this multistage relay is performed will be described.

B. Embodiment 2
First. Overview In the first embodiment, an example in which there is one gateway base station, and both the first terminal 12a and the second terminal 1b that transmit and receive data are connected to the same gateway base station (see FIG. 1, see FIG.
However, in the present invention, when the first terminal 12a that transmits and receives data and the second terminal 12 and b are separated, the first terminal 12a and the second terminal 12b are connected via a plurality of gateway base stations. It is also preferable to configure so that and are connected by VPN.
FIG. 5 is an explanatory diagram illustrating an example in which the first terminal 12a and the second terminal 12b are connected via two gateway base stations. As shown in FIG. 5, the configuration and operation of the first terminal 12a and the second terminal 12b are the same as those in the first embodiment.

2nd. Processing / Operation
(2-1) Terminal Authentication Sequence First, the first terminal 12a performs terminal authentication 200a with the first gateway base station 18a. The process of this terminal authentication 200a is the same process as the operation described as (1) terminal authentication sequence in the first embodiment.
Similarly, the second terminal 12b also performs terminal authentication 200b with the second gateway base station 18b. The process of the terminal authentication 200b is also the same as the (1) terminal authentication sequence described in the first embodiment.

  What is characteristic in the second embodiment is that the gateway base station 18a (18b) transmits the information of the terminal authenticated by itself to the other gateway base station 18b (18a), and executes the information sharing 200c. is there. As a result, the positions of the terminals can be grasped from each other, and even when an authentication request is issued from one of the terminals to, for example, a predetermined partner terminal, the authentication request is sent to the partner terminal. Is possible. In the second embodiment, an example of two gateway base stations 18a and 18b has been described. However, the same applies to a network in which a plurality of gateway base stations 18 are generally arranged.

(2-2) Inter-terminal authentication sequence Next, an inter-terminal authentication sequence is executed between the first terminal 12a and the second terminal 12b. This sequence is the process described as the “inter-terminal authentication sequence” in the first embodiment, and substantially the same process is executed in the second embodiment.

The operations of the first terminal 12a and the second terminal 12b in this sequence are the same as those of the first embodiment, and the first terminal 12a and the second terminal 12b are gateway base stations between each other and the other terminal. There is no need to be directly aware of how many 18 are located. For example, the first terminal 12a performs inter-terminal authentication 202a with the first gateway base station 18a. Specifically, the first terminal 12a transmits the inter-terminal authentication request 52, and the subsequent process corresponds to this process. In response to the inter-terminal authentication 202a, the second terminal 12b executes the inter-terminal authentication 202c.
In these processes, for example, the first terminal 12a generates a sample code and transmits the sample code encrypted with the public key of the second terminal 12b to the second terminal 12b. Then, the second terminal 12b decrypts the sample code encrypted using its own secret key to obtain original sample data. Further, the second terminal 12b hashes the original sample data obtained in this way and transmits it to the first terminal 12a. The first terminal 12a compares the received data (hashed data) with the data obtained by hashing the original sample data generated by itself. The first terminal 12a recognizes that the authentication has succeeded when the two match.

  When such processing is performed mutually and the other party is authenticated as a legitimate terminal, authentication information (authentication information 60 and 62 in FIG. 3), which is information related to the authentication, is acquired from each other. Further, the second terminal 12b transmits an inter-terminal authentication response 66 (64) to the first terminal 12b as a response to the inter-terminal authentication request 54 (52). These processes are the inter-terminal authentications 202a and 202c.

  In the second embodiment, in the series of “inter-terminal authentication sequence”, the first gateway base station 18a and the second gateway base station 18b relay and forward packets such as authentication requests. A certain inter-terminal authentication 202b is executed. As described above, since the position of the terminal is shared between the gateway base stations 18a and 18b by the information sharing 200c, each gateway base station can relay a packet such as an authentication request.

(2-3) TCP Connection Establishment Sequence Next, a TCP connection establishment sequence is executed. The processing of this sequence is the same as the “TCP connection establishment sequence” described in the first embodiment, and is processing that is completed in the VPN connection completion 72 from the TCP connection request access 68 in FIG. In this process, the gateway base stations 18a, 18b, as described above, establish a relay table (entry) for proxy transfer by connecting TCP between terminals (first terminal 12a, body 2 terminal 12b). Creating (adding) is as described above.

In particular, in the second embodiment, the relay table is shared between the gateway base stations 18a and 18b. That is, the gateway base station 18a transmits the entry in the created relay table to the other gateway base station 18b and shares it. In addition, the gateway base station 18b transmits the relay table (entry) created by the gateway base station 18b to the other gateway base station 18a and shares it. Thus, since the relay table created by one of the gateway base stations 18a (18b) transmits the information to the other gateway base station 18b (18a), the created relay table (entry thereof) Each gateway base station 18 can share it. This is represented as information sharing 204 between gateway base stations in FIG. As described above, in the second embodiment, the terminal ID and the connection TCP port are shared.
Thus, in this Embodiment 2, since each relay base station 18 shares the relay table for connecting and proxy-transferring TCP between terminals, each gateway base station 18 includes the relay table in the relay table. Based on this, TCP transfer can be performed.

  As described in the first embodiment, when the TCP connection becomes unnecessary based on the elapsed time or the response change of the connection maintenance response, the entry of the relay table is deleted. , Communicated to each gateway and shared. That is, when any gateway base station 18a (18b) determines that a predetermined entry in the table is no longer necessary and is deleted under a predetermined condition, this deletion processing is performed by the other gateway base station 18b ( 18a) and the corresponding entry is deleted in the same manner. Similarly, for example, when the disconnection of one of the terminals (the first terminal 12a or the second terminal 12b) is detected, the detected content is also shared between the gateway base stations 18. As described above, according to the second embodiment, not only the entry creation process (addition process) of the relay table but also the entry deletion process and the connection status of each terminal (first terminal 12a, second terminal 12b). Are also shared.

The movement of the terminal, for example, the second terminal 12b may move and the connected gateway base station 18b may be changed. In this case, the entry of the relay table related to the second base station 12b is deleted in the gateway base station 18b that has been disconnected, and this is transmitted to the other gateway base station 18a. When the second terminal 12b is newly connected to another gateway base station 18 at the destination, the connection of the second terminal 12b is detected at the new gateway base station 18, and based on that, the above-mentioned description has been made. The relay table is newly created by the method. In this way, it is possible to cope with the movement of the terminal by deleting or updating the entry in the relay table.

(2-4) VPN connection sequence Next, a VPN connection sequence is executed. The processing of this sequence is the same as the “VPN connection sequence” described in the first embodiment, and is processing from the VPN connection request 74 in FIG. 4 to the VPN connection responses 82 and 84. As a result of this processing, the first terminal VPN address and the second terminal VPN address 86 are exchanged with each other. And VPN communication can be performed using these VPN addresses. It becomes possible to transmit / receive the encrypted packet 90 as shown in the lower part of FIG.

  Specifically, the VPN connection 206a corresponding to the VPN connection request 74, the VPN specification exchange 78, the VPN connection response 82, etc. between the first terminal 12a and the first gateway 18a is executed. Similarly, a VPN connection 206c corresponding to the VPN connection request 76, VPN specification exchange 80, VPN connection response 84, etc. between the second terminal 12b and the second gateway 18b is executed.

In particular, in the second embodiment, in the VPN connection sequence, the gateway base stations 18a and 18b transfer the VPN connection request 74 as the VPN connection request 76 using the relay table created in (3) TCP connection establishment sequence. can do. Similarly, the gateway base stations 18a, 18b can forward VPN specification exchanges 78, 80 and VPN connection responses 82, 84. This is possible because each gateway base station 18a, 18b holds the relay table. In FIG. 4, such a transfer process of the gateway is represented as a VPN connection 206b.
As a result of such processing, after acquiring VPN addresses from each other, the encrypted packet 90 shown in the lower part of FIG. 3 can be transmitted and received using them.

  Such communication by the encrypted packet 90 corresponds to the VPN encryption data 208 as shown in the lower part of FIG. What is characteristic in this embodiment is that the encrypted packet 90 is transferred without using a so-called server. The gateway base stations 18a and 18b transfer the encrypted packet 90 without accumulating it inside. Further, the gateway base stations 18a and 18b do not execute the decryption of the encrypted packet 90. Therefore, since it is not decoded and is not accumulated in the middle of communication, it is possible to easily maintain the safety of communication higher than in the past.

  Such communication using the VPN encryption data 208 is, for example, communication using the TCP / IP 210a for the first terminal 12a (see FIG. 4), and communication using the TCP / IP 210c, for example, for the second terminal 12a. Yes (see FIG. 4). In the second embodiment, TCP / IP communication or UDP / IP communication can be performed between the gateway base station 18a and the gateway base station 18b (210b in FIG. 4).

C. Modifications In the first and second embodiments described so far, the case where there are mainly two terminals has been described. Of course, the same technique can be applied even when there are three or more terminals. The embodiment described above is an example as means for realizing the present invention, and should be appropriately modified or changed according to the configuration of the apparatus to which the present invention is applied and various conditions. The present invention is not limited to this embodiment. However, the present invention is not limited to the first and second embodiments.

1, 9 Terminal 3 Internet 4a Encryption / terminal authentication 4b Inter-terminal authentication 5 Site 7 Base station 10 Communication system 12a First terminal 12b Second terminal 14a, 14b Application 16a, 16b Terminal side framework 18 Gateway base station 18a First Gateway base station 18b Second gateway base station 20 Security setting management function 22 Authentication and VPN function 30 Application connection command 32, 42 Terminal authentication request 34, 44 Terminal authentication processing 36, 46 VPN TCP information generation 38, 48 Terminal authentication response 40 , 50 VPN TCP information 52, 54 Inter-terminal authentication request 56, 58 Inter-terminal authentication processing
60, 62 Authentication information 64, 66 Inter-terminal authentication response 68, 70 TCP connection request access 72 VPN TCP relay connection completion 74, 76 VPN connection request 78, 80 VPN specification exchange 82, 84 VPN connection response 86, 92 2nd Terminal VPN address 90 Encrypted packet 94 First terminal VPN address 96 TCP / UDP for application data
98 Application data 100 TCP / IP
200a, 200b Terminal authentication 200c Information sharing 202a, 202b, 202c Terminal-to-terminal authentication 204 Gateway base station information sharing 206a, 206b, 206c VPN connection 208 VPN encryption data 210a, 210c TCP / IP
210b TCP / IP or UDP / IP
300, 308, 400, 410 Terminal 302, 402, 520, 620 Internet 303, 403 Encryption / terminal authentication 304, 404, 500 Site 306, 406, 502 RAS
504a, 504b, 644a, 644b Server 510a, 510b, 510c Portable information terminal 630a, 630b LAN
640a, 640b router 642 tunnel

Claims (9)

A base station,
A first terminal capable of communicating with the base station;
A second terminal capable of communicating with the base station;
In a communication system for performing communication between the first terminal and the second terminal,
The first terminal is
Means for transmitting a VPN connection request to the second terminal as a communication partner to the base station;
Means for receiving from the gateway base station a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal;
Means for performing VPN communication with the second terminal using the received data packet including the first terminal VPN address and the second terminal VPN address;
Including
The base station
Means for transmitting the VPN connection request to the second terminal as a communication partner when the VPN connection request is received;
When the VPN connection request is received, the first terminal VPN address for the first terminal and the second terminal VPN address for the second terminal are sent to the first terminal and the second terminal with which the first terminal is communicating. VPN address generation and transmission means for transmitting and assigning the first terminal VPN address to the first terminal and transmitting and assigning the second terminal VPN address to the second terminal When,
Information on the first VPN communication used by the first terminal to which the first terminal VPN address is assigned and information on the second VPN communication used by the second terminal to which the second terminal VPN address is assigned. And a relay table for relaying the first VPN communication and the second VPN communication;
Referring to the relay table, the relay means for relaying the data packet transmitted from the first terminal to the second terminal as it is to the second terminal that is a communication partner;
A communication system comprising: The communication system according to claim 1, wherein
Both the first terminal and the second terminal are
Means for transmitting a TCP connection request for requesting communication by TCP to the base station to the base station;
Including
The base station
Means for describing, in the relay table, information of VPN communication used by the first terminal or the second terminal that has transmitted the TCP connection request based on the TCP connection request when the TCP connection request is received;
Including
The VPN address generation / transmission means, when receiving the VPN connection request, describes the generated second terminal VPN address in the relay table in association with information of VPN communication used by the second terminal,
The relay means performs VPN communication from the first terminal to the second terminal based on the contents of the relay table including information of VPN communication corresponding to the VPN address for the second terminal. A communication system characterized by relaying to VPN communication to be used. The communication system according to claim 1 or 2,
The communication system characterized in that the first terminal VPN address and the second terminal VPN address are IP addresses. In the terminal device which operate | moves as said 1st terminal used for the communication system of any one of Claim 1 to 3,
Means for transmitting a VPN connection request to the second terminal as a communication partner to the base station;
Means for receiving from the gateway base station a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal;
Means for performing VPN communication with the second terminal using the received data packet including the first terminal VPN address and the second terminal VPN address;
The terminal device characterized by including. In the base station used in the communication system according to any one of claims 1 to 3,
Means for transmitting the VPN connection request to the second terminal as a communication partner when the VPN connection request is received;
When the VPN connection request is received, the first terminal VPN address for the first terminal and the second terminal VPN address for the second terminal are sent to the first terminal and the second terminal with which the first terminal is communicating. VPN address generation and transmission means for transmitting and assigning the first terminal VPN address to the first terminal and transmitting and assigning the second terminal VPN address to the second terminal When,
Information on the first VPN communication used by the first terminal to which the first terminal VPN address is assigned and information on the second VPN communication used by the second terminal to which the second terminal VPN address is assigned. And a relay table for relaying the first VPN communication and the second VPN communication;
Referring to the relay table, the relay means for relaying the data packet transmitted from the first terminal to the second terminal as it is to the second terminal that is a communication partner;
A base station comprising: A base station,
A first terminal capable of communicating with the base station;
A second terminal capable of communicating with the base station;
In a communication method in a communication system that performs communication between the first terminal and the second terminal,
The first terminal transmitting a VPN connection request to the second terminal as a communication partner to the base station;
The first terminal receiving a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal from the gateway base station;
The first terminal performs VPN communication with the second terminal using the received data packet including the first terminal VPN address and the second terminal VPN address;
Including,
When the base station receives the VPN connection request, transmitting the VPN connection request to the second terminal as a communication partner;
When the base station receives the VPN connection request, the first terminal and the second terminal that is a communication partner of the first terminal, the first terminal VPN address for the first terminal and the second terminal A second terminal VPN address is generated, the first terminal VPN address is transmitted and assigned to the first terminal, and the second terminal VPN address is sent and assigned to the second terminal. VPN address generation and transmission step;
The base station uses the second terminal to which the second terminal VPN address is used and the information of the first VPN communication used by the first terminal to which the first terminal VPN address is assigned and the second terminal VPN address. The data packet that is described by the VPN communication and is transmitted from the first terminal to the second terminal with reference to a relay table for relaying the first VPN communication and the second VPN communication. Relaying step as it is to the second terminal that is the communication partner;
A communication method comprising: The communication method according to claim 5, wherein
The first terminal and the second terminal transmitting to the base station a TCP connection request for requesting TCP communication to the base station;
When the base station receives the TCP connection request, VPN communication information used by the first terminal or the second terminal that has transmitted the TCP connection request is described in the relay table based on the TCP connection request. And steps to
Including
In the VPN address generation / transmission step, when the base station receives the VPN connection request, the base station associates the generated second terminal VPN address with the information of the VPN communication used by the second terminal. Described in
In the relay step, the base station performs VPN communication from the first terminal to the second terminal based on the contents of the relay table including information of VPN communication corresponding to the VPN address for the second terminal. Relaying to VPN communication used by the second terminal. In the computer program which operates a computer as a 1st terminal used for the communication system of any one of Claim 1 to 3,
A procedure for transmitting a VPN connection request to the second terminal as a communication partner to the base station;
Receiving a first terminal VPN address for the first terminal and a second terminal VPN address for the second terminal from the gateway base station;
Using the received data packet including the first terminal VPN address and the second terminal VPN address to execute VPN communication with the second terminal;
Is executed by the computer. A computer program for operating a computer as the base station used in the communication system according to any one of claims 1 to 3,
A procedure for transmitting the VPN connection request to the second terminal as a communication partner when the VPN connection request is received;
When the VPN connection request is received, the first terminal VPN address for the first terminal and the second terminal VPN address for the second terminal are sent to the first terminal and the second terminal with which the first terminal is communicating. VPN address generation and transmission procedure for transmitting and assigning the first terminal VPN address to the first terminal and transmitting and assigning the second terminal VPN address to the second terminal When,
Information on the first VPN communication used by the first terminal to which the first terminal VPN address is assigned and information on the second VPN communication used by the second terminal to which the second terminal VPN address is assigned. And referring to a relay table for relaying the first VPN communication and the second VPN communication, the data packet transmitted from the first terminal to the second terminal is used as it is. A relay procedure for relaying to the second terminal that is the communication partner;
Is executed by the computer.