JP2018038001A - Communication system, selection method, authentication device, and selection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To select an edge for minimizing a user connection time from a plurality of edge routers to shorten a time until communication is available to a user.SOLUTION: An authentication device 10 collects information on an access situation of each edge router 20 and stores the information in a management information storage unit 13a. The authentication device 10, from each edge router 20, receives a connection time actually lapsed until establishment of a session connection after a user terminal's transmission of a connection request and stores the connection time in the management information storage unit 13a. When receiving an authentication request for requesting authentication of user terminals from a plurality of edge routers 20, the authentication device 10 authenticates whether or not the user terminals are authorized users. Subsequently, the authentication device 10, when the authentication determines that they are authorized users, selects, from the respective edge routers 20, an edge router 20 having the shortest connection time of the connection times stored in the management information storage unit 13a; and transmits an authentication response to the edge router 20.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication system, a selection method, an authentication device, and a selection program.

  In recent years, the size of an edge router that terminates an access NW (Network) and accommodates users has increased, and a single edge router can accommodate a large number of users. As the size of the edge router increases, the influence of the failure of the edge router also increases. Therefore, it is important to improve reliability by taking redundancy between devices. As one method of inter-device redundancy, when multiple devices operate in the active state on the same NW and one edge router fails, the users accommodated by the failed edge router are transferred to other edge routers. The N-ACT system to accommodate is known.

  Here, a dynamic setting method will be described as an example of a method for setting user information to the edge router which is a premise of the N-ACT method. For example, when the edge router receives a connection request (PADI (PPPoE Active Discovery Initiation) or the like) from the user, the edge router issues an authentication request to the authentication device. When the authentication system determines that the user is a legitimate user by the authentication process, the authentication system sets user information to the edge router by transmitting an authentication response to the edge router.

  In the N-ACT method, all edge routers that receive a connection request issue an authentication request for the authentication device. Therefore, the authentication device designates an edge router that permits the authentication request in advance in order to reduce the authentication request. For example, the authentication apparatus periodically designates a plurality of edge routers that permit the authentication request, and gives a token.

  In this way, when the authentication device grants a token to a plurality of edge routers, for example, the authentication device is already accommodated in the connection request from the user from the edge router that has given the token. An edge router with few users is selected as a receiving edge router, and an authentication response including subscriber information is transmitted to the selected edge router.

  Here, an example of edge router selection processing by a conventional communication system will be described using the example of FIG. FIG. 13 is a diagram for explaining edge router selection processing by a conventional communication system. As illustrated in FIG. 13, for example, the authentication device grants tokens to the edge router # 1 and the edge router # 3 (see (1) in FIG. 13). When each of the edge routers # 1 to # 3 receives a connection request from the user from the HGW (Home Gateway) (see (2) in FIG. 13), a token is given to each of the edge routers # 1 to # 3. The edge router # 1 and the edge router # 3 transmit an authentication request to the authentication device (see (3) in FIG. 13). Then, the authentication apparatus selects the edge router # 1 whose number of accommodated users is smaller than that of the edge router # 3 as the accommodation destination edge router, and transmits an authentication response to the selected edge router # 1 (FIG. 13 (4)).

Takanori Watanabe et al., “Study on Reduction of Authentication Request Packets in Multiple BRAS Configurations”, IEICE Communication Society Conference, Communication Lecture 2, B-6-23, p. 23, 2015, September

  However, in the conventional technology, there is a problem that the user setting time is not optimal and the time until the user can communicate becomes long. In other words, the user setting time from when a user requests connection until the user can communicate is the number of users already accommodated in the edge router, access from a BackUP server, OPS (Operation System), etc. It changes with the background load due to the connection request processing from the user. For this reason, in the conventional selection method of selecting an edge router with a small number of users as an edge router to be accommodated, there is a problem that the user setting time is not necessarily optimal and the time until the setting is completed becomes long.

  In order to solve the above-described problems and achieve the object, a communication system of the present invention is a communication system having a plurality of edge routers that accommodate user terminals and an authentication device that authenticates user terminals, and each edge When receiving a connection request from the user terminal, the router transmits an authentication request for requesting authentication of the user terminal to the authentication device, and an authentication response from the authentication device to the authentication request as the authentication response. When receiving the subscriber information of the user terminal that has made a connection request, the subscriber information is set, and a setting unit that performs a process of establishing a session connection of the user terminal using the subscriber information, and The authentication device, for each edge router, the number of accommodated user terminals, the access status from the external device, and the processing load due to the connection request of the user terminal Correspondingly, a storage unit that stores a connection time from when a connection request is transmitted from the user terminal to when the session connection is completed, and information on the access status of each edge router are collected and stored in the storage unit A collecting unit for storing, a learning unit for receiving connection time actually taken from the time when the user terminal transmits a connection request to performing the session connection from each edge router, and storing the connection time in the storage unit; Upon receiving the authentication request from the plurality of edge routers, an authentication unit that authenticates whether the user terminal is a regular user terminal, and when the authentication unit is authenticated as a regular user, For each edge router, select the edge router with the shortest connection time among the connection times stored in the storage unit, and for the edge router, A selection unit for transmitting the witness response, characterized in that it comprises a.

  The selection method of the present invention is a selection method executed in a communication system having a plurality of edge routers accommodating user terminals and an authentication device for authenticating user terminals, wherein the authentication device is provided for each edge router. In association with the number of accommodated user terminals already accommodated, the access status from the external device and the processing load due to the connection request of the user terminal, the connection from the user terminal until the session connection is completed A storage unit that stores a connection time; and the authentication device collects information on the access status of each edge router, and stores the information in the storage unit; and the authentication device receives from each edge router, The connection time actually taken from when the user terminal transmits a connection request to when the session connection is made is received, and the storage unit stores the connection time. A learning step for storing, a request step for transmitting an authentication request for requesting authentication of the user terminal to the authentication device when each edge router receives a connection request from the user terminal, and the authentication device, Upon receiving the authentication request from the plurality of edge routers, an authentication process for authenticating whether the user terminal is a legitimate user terminal, and the authentication apparatus is authenticated as a legitimate user by the authentication process. In this case, for each edge router, an edge router having the shortest connection time among the connection times stored in the storage unit is selected, and an authentication response to the authentication request is transmitted to the edge router. And each edge router receives subscriber information of the user terminal that has made the connection request as an authentication response to the authentication request from the authentication device. If that sets the subscriber information, characterized in that it contains a setting step for performing a process for establishing a session connection of the user terminal using the subscriber information.

  Further, the authentication device of the present invention relates to the processing load due to the number of accommodated user terminals already accommodated, the access status from the external device, and the connection request of the user terminal for each edge router that accommodates the user terminal, A storage unit that stores a connection time from when a connection request is transmitted from a user terminal until a session connection is completed, a collection unit that collects information about the access status of each edge router, and stores the information in the storage unit; From each of the edge routers, the connection time actually taken from the time when the user terminal transmits a connection request to the time of performing the session connection is received, and the learning unit that stores the connection time in the storage unit; Upon receiving an authentication request for requesting authentication of a user terminal, an authentication unit that authenticates whether the user terminal is a legitimate user terminal, and When the authentication unit authenticates the user as an authorized user, the edge router having the shortest connection time among the connection times stored in the storage unit is selected for each edge router, and the edge router is selected. And a selection unit that transmits an authentication response to the authentication request.

  According to the present invention, it is possible to select an edge having the shortest user connection time from a plurality of edge routers and shorten the time until the user can communicate.

FIG. 1 is a diagram illustrating an example of a configuration of a communication system according to the first embodiment. FIG. 2 is a block diagram showing a configuration of the authentication apparatus according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored in the management information storage unit. FIG. 4 is a diagram for explaining information collection processing in the authentication apparatus. FIG. 5 is a diagram for explaining learning processing in the authentication apparatus. FIG. 6 is a diagram for explaining edge router selection processing in the authentication apparatus. FIG. 7 is a diagram for explaining a complementing process in the authentication device. FIG. 8 is a sequence diagram showing a flow of learning processing of the communication system according to the first embodiment. FIG. 9 is a sequence diagram showing a flow of edge router selection processing of the communication system according to the first embodiment. FIG. 10 is a diagram for explaining the problem of the edge router selection processing by the conventional communication system. FIG. 11 is a diagram for explaining the effect of edge router selection processing by the communication system according to the first embodiment. FIG. 12 is a diagram illustrating a computer that executes a selection program. FIG. 13 is a diagram for explaining edge router selection processing by a conventional communication system.

  Hereinafter, embodiments of a communication system, a selection method, an authentication device, and a selection program according to the present application will be described in detail with reference to the drawings. Note that the communication system, the selection method, the authentication device, and the selection program according to the present application are not limited by this embodiment.

[First embodiment]
In the following embodiments, the configuration of the communication system according to the first embodiment, the configuration of the authentication apparatus, and the processing flow of the communication system will be described in order, and finally the effects of the first embodiment will be described.

[Configuration of communication system]
FIG. 1 is a diagram illustrating an example of a configuration of a communication system according to the first embodiment. The communication system 100 according to the first embodiment includes an authentication device 10, a plurality of edge routers 20A and 20B, an HGW 30, a BackUP server 40, and an OPS 50. In addition, the number of each apparatus shown in FIG. 1 is an example to the last, and is not restricted to this. In addition, when the plurality of edge routers 20A and 20B are described without particular distinction, they are appropriately described as edge routers 20.

  The authentication device 10 authenticates a user who has made a connection request, authenticates whether the user is a regular user, and permits a connection if the user is a regular user. Further, the authentication device 10 periodically designates a plurality of edge routers 20 permitting an authentication request and gives a token. When the authentication device 10 receives the authentication request from the edge router 20, the authentication device 10 selects the accommodating edge router 20 from the edge routers 20 to which the tokens are given, and joins the selected edge router 20. An authentication response including the user information is sent. The edge router selection method will be described in detail later.

  The edge routers 20A and 20B are relay devices that relay packets transmitted from the HGW 30. The edge routers 20A and 20B each have a request unit 21 and a setting unit 22. When the request unit 21 receives a connection request from a user terminal (not shown) via the HGW 30, the request unit 21 transmits an authentication request for requesting authentication of the user terminal to the authentication device 10. When receiving the subscriber information of the user terminal that has made the connection request as an authentication response to the authentication request from the authentication device 10, the setting unit 22 sets the subscriber information and uses the subscriber information to set the session of the user terminal. Process to establish connection.

  The HGW 30 is a network device that is deployed in a user's home or the like and bridges the Internet, which is a public network, and a home network. When the HGW 30 receives a connection request to the Internet from a subordinate user terminal, the HGW 30 transmits a connection request to each of the edge routers 20A and 20B. For example, the HGW 30 transmits a packet such as PADI or DHCP (Dynamic Host Configuration Protocol) Discover as a connection request.

  The BackUP server 40 and the OPS 50 are server devices that regularly communicate with the edge router 20. For example, the BackUP server 40 periodically communicates with the edge router 20 to acquire a Backup Config, and stores the Config backup of the edge router 20. Also, for example, the OPS 50 acquires traffic information from the edge router 20 and monitors the traffic status.

[Configuration of authentication device]
Next, the configuration of the authentication device 10 shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram showing a configuration of the authentication apparatus according to the first embodiment. As illustrated in FIG. 2, the authentication device 10 includes a communication processing unit 11, a control unit 12, and a storage unit 13. The processing of each of these units will be described below.

  The communication processing unit 11 controls communication related to various information exchanged with each edge router 20 or the like. For example, the communication processing unit 11 receives an authentication request from the edge router 20 and transmits an authentication response to the edge router 20.

  The storage unit 13 stores data and programs necessary for various processes performed by the control unit 12, and particularly includes a management information storage unit 13 a that is closely related to the present invention. For example, the storage unit 13 is a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.

  The management information storage unit 13a relates to each edge router 20 after the connection request is transmitted from the user terminal in association with the capacity of the edge router 20, the access status from the external device, and the processing load due to the connection request of the user terminal. The connection time until the session connection is completed is stored.

  For example, as illustrated in FIG. 3, the management information storage unit 13 a performs processing for acquiring “traffic”, which is a name for identifying the edge router 20, and the OPS 50 communicating with the edge router 20 to obtain traffic information. “Whether or not the traffic information is acquired” indicating whether or not, and whether or not the Backup UP server 40 communicates with the edge router 20 to acquire the Backup Config, and acquires the Backup Config from the Backup UP server 40. “Whether or not a Backup Config is acquired” indicating whether or not, “the number of SOs per unit time” indicating the number of SOs (Service Orders) each edge router 20 has been input in 1 second units, and each edge router 20 From the user terminal, the “number of accommodated edge routers” indicating the number of edges already accommodated In association with the "user connection time" from connection request is transmitted until the PPP connection process is completed.

  The control unit 12 has an internal memory for storing a program that defines various processing procedures and necessary data, and performs various processes using them, and particularly as closely related to the present invention, It has the collection part 12a, the learning part 12b, the authentication part 12c, the complement part 12d, and the selection part 12e.

  The collection unit 12a collects information regarding the access status of each edge router 20 and stores it in the management information storage unit 13a. For example, as illustrated in FIG. 4, the collection unit 12a acquires information (schedule) on the timing at which the BackUP server 40 or OPS 50 accesses the edge router 20, and each edge router 20 acquires the BackUP server 40 or OPS 50 from the information. Whether or not it is communicating with.

  If the collection unit 12a determines that the edge router 20A is communicating with the BackUP server 40, the collection unit 12a stores “Backup” stored in the management information storage unit 13a for the corresponding edge router 20A (edge # 1). “Yes” is stored in the item “Presence / absence of Config acquisition”. On the other hand, if it is determined that the collection unit 12a is not communicating with the BackUP server 40, “None” is set in the item “Presence / absence of acquisition of Backup Config” for the corresponding edge router 20B (Edge # 2). Remember.

  In addition, when the collection unit 12a determines that the edge router 20A is communicating with the OPS 50, the “existence / absence of traffic information acquisition” stored in the management information storage unit 13a is stored for the corresponding edge router 20A. Store “Yes” in the item. On the other hand, if the collection unit 12a determines that communication with the OPS 50 is not being performed, the collection unit 12a stores “None” in the item “Presence / absence of traffic information acquisition” for the corresponding edge router 20B.

  Note that the “number of SOs per unit time” and “accommodated number of each edge router” stored in the management information storage unit 13a are information that the authentication device 10 can grasp. That is, when the authentication device 10 receives an authentication request from each edge router 20 or selects an edge router 20 that is a transmission destination of an authentication response to the authentication request, the number of SOs and the number of accommodations can be obtained from other devices. It is possible to grasp without collecting information.

  The learning unit 12b receives from each edge router 20 the connection time actually taken from the time when the user terminal transmitted the connection request until the session connection is made, and stores it in the management information storage unit 13a. For example, as illustrated in FIG. 5, when the authentication device 10 inputs SO to the edge router 20A, the learning unit 12b performs PPP connection authentication after the HGW 30 transmits a connection request from the edge router 20A. The connection time feedback until completion is received, and the received connection time is stored in the management information storage unit 13a.

  When receiving the authentication request from the plurality of edge routers 20, the authenticating unit 12c authenticates whether the user terminal is a regular user terminal. For example, when the authentication unit 12c receives authentication requests from the plurality of edge routers 20, the authentication unit 12c determines whether the user terminal is a legitimate user terminal from the user information included in the authentication request.

  When the number of accommodated user terminals or the processing load changes, the complementing unit 12d supplements the connection time after the change by using information stored in the management information storage unit 13a. For example, when the number of SOs per unit time stored in the management information storage unit 13a and the number of accommodated edge routers (hereinafter collectively referred to as variables) change, the user connection time also changes. It is difficult to obtain the user connection time in advance. For this reason, you may make it guess by acquiring a certain amount of pattern and complementing connection time from the acquired pattern.

  When the selecting unit 12e is authenticated by the authentication unit 12c as a legitimate user, the edge router 20 having the shortest connection time among the connection times stored in the management information storage unit 13a for each edge router 20 is selected. And an authentication response is transmitted to the edge router 20. Here, the process of selecting the edge router 20 will be described using the example of FIG. FIG. 6 is a diagram for explaining edge router selection processing in the authentication apparatus. Note that the value of the connection time “E” is greater than the value of the connection time “F”.

  As illustrated in FIG. 6, when the selection unit 12 e is authenticated as a legitimate user as a result of the authentication process described above, the user connection time “E” corresponding to the edge router 20 </ b> A that transmitted the authentication request. And the user connection time “F” corresponding to the edge router 20B is acquired from the management information storage unit 13a. Then, the selection unit 12e compares the user connection time “E” with the user connection time “F”, and the connection time “F” is smaller in value than the user connection time “E”. The edge router 20B corresponding to "is selected, and an authentication response is transmitted to the edge router 20B.

  Further, the selection unit 12e selects the edge router 20 having the shortest connection time for each edge router 20 using the connection time stored in the management information storage unit 13a or the connection time supplemented by the complement unit 12d. An authentication response may be transmitted to the edge router 20. Here, the complementary process in the authentication device 10 will be described with reference to FIG. FIG. 7 is a diagram for explaining a complementing process in the authentication device. As shown in FIG. 7, when the authentication device 10 receives an authentication request from the edge router 20 (step S1), the user connection when each variable (the number of SOs per unit time or the number of accommodated edge routers) changes. Time (SO reflection time) is learned (step S2).

  And the authentication apparatus 10 determines whether each variable and user connection time (delay) were fully acquired (step S3). As a result, if the authentication apparatus 10 determines that each variable and the user connection time (delay) are not sufficiently acquired (No at Step S3), the authentication apparatus 10 returns to Step S2 and repeats the learning process.

  If the authentication device 10 determines that each variable and the user connection time (delay) have been sufficiently acquired (Yes in step S3), the authentication apparatus 10 is based on the collection result of each variable and the user connection time (SO reflection time). The data is complemented (step S4). For example, the authentication device 10 complements between data by the least square method which is an existing technique. And the authentication apparatus 10 selects the edge router 20 which becomes the minimum based on the complemented result (step S5).

  That is, for example, the authentication device 10 performs a learning process on the edge router 20A of edge # 1 so that the user connection when the number of SOs per unit time is “A” and the capacity of each edge router is “C”. Although the time “E” is stored, when the selection processing of the edge router 20 is performed, if the number of SOs per unit time is changed to “G” and the number of accommodations of each edge router is “H”, the user connection time is known. Absent. Therefore, the authentication device 10 complements the data based on the already stored information so that the SO number per unit time “G” and the accommodation number “H” of each edge router are obtained. The edge router 20 can be selected based on the complemented result.

[Processing flow of communication system]
Next, a processing flow of the communication system 100 according to the first embodiment will be described with reference to FIGS. 8 and 9. FIG. 8 is a sequence diagram showing a flow of learning processing of the communication system according to the first embodiment. FIG. 9 is a sequence diagram showing a flow of edge router selection processing of the communication system according to the first embodiment.

  First, the flow of the learning process of the communication system 100 according to the first embodiment will be described with reference to FIG. As shown in FIG. 8, the authentication device 10 requests a schedule for communicating with the edge router 20 from the server group of the BackUP server 40 and the OPS 50 (step S101). Then, when receiving the request, the BackUP server 40 and the OPS 50 send a schedule for communicating with the edge router 20 to the authentication device 10 (step S102). Upon receiving the schedule, the authentication device 10 stores information on the access status of each edge router 20 in the management information storage unit 13a.

  Further, the authentication device 10 grants tokens to the edge router 20A (router # 1) and the edge router 20B (router # 2) (step S103). Thereafter, when a connection request (for example, PADI or the like) is transmitted from the HGW 30 to each of the edge routers 20A to 20C (step S104), the edge routers 20A and 20B to which the tokens are assigned are authenticated among the edge routers 20A to 20C. An authentication request is transmitted to the apparatus 10 (steps S105 and S106).

  Upon receiving the authentication request, the authentication device 10 selects the edge router 20A that has the smallest accommodation number (step S107). Here, a method of selecting the edge router 20A that minimizes the number of accommodations will be described as an example. However, the method is not limited to this, and the edge may be selected using another method.

  Subsequently, the authentication device 10 transmits an authentication response to the selected edge router 20A (step S108), and reflects SO (subscriber information) (step S109). Thereafter, PPP connection processing is performed between the HGW 30 and the LNS (L2TP Network Server) 60 via the edge router 20A (step S110).

  Thereafter, the authentication device 10 requests the result of the user connection time from the edge router 20A (step S111). When receiving the request, the edge router 20A feeds back the result of the user connection time to the authentication device 10 (step S112). When the authentication device 10 receives the feedback of the user connection time from the edge router 20A, the authentication device 10 stores it in the management information storage unit 13a. Further, in the above processing, the edge router 20A is selected and learning is performed by receiving feedback from the edge router 20A. However, by performing the same processing on the edge router 20B and the edge router 20C, the edge router 20B is processed. Also, it is possible to obtain feedback of the user connection time for the edge router 20C.

  Next, the flow of edge router selection processing of the communication system 100 according to the first embodiment will be described with reference to FIG. As shown in FIG. 9, the authentication device 10 grants tokens to the edge router 20A (router # 1) and the edge router 20B (router # 2) (step S201). Thereafter, when a connection request (for example, PADI or the like) is transmitted from the HGW 30 to each of the edge routers 20A to 20C (step S202), the edge routers 20A and 20B to which the tokens are assigned are authenticated among the edge routers 20A to 20C. An authentication request is transmitted to the apparatus 10 (steps S203 and 204).

  Upon receiving the authentication request, the authentication device 10 selects the edge router 20A that minimizes the user connection time from the learned result (step S205). Subsequently, the authentication device 10 transmits an authentication response to the selected edge router 20A (step S206), and reflects SO (subscriber information) (step S207). Thereafter, PPP connection processing is performed between the HGW 30 and an LNS (L2TP Network Server) 60 via the edge router 20A (step S208).

[Effect of the first embodiment]
As described above, the authentication device 10 according to the first embodiment collects information about the access status of each edge router 20 and stores it in the management information storage unit 13a. Further, the authentication device 10 receives from each edge router 20 the connection time actually taken from the time when the user terminal transmitted the connection request until the session connection is made, and stores it in the management information storage unit 13a. And the authentication apparatus 10 will authenticate whether a user terminal is a regular user terminal, if the authentication request | requirement which requests | requires the authentication of a user terminal from the some edge router 20 is received. Subsequently, when the authentication device 10 is authenticated as a legitimate user, the edge router 20 having the shortest connection time among the connection times stored in the management information storage unit 13a for each edge router 20 is selected. An authentication response is transmitted to the edge router 20. Thereby, it is possible to select the edge router 20 having the shortest user connection time from the plurality of edge routers 20 and shorten the time until the user can communicate.

  Here, with reference to FIG. 10 and FIG. 11, the effect of the first embodiment will be described by comparing the conventional selection method with the selection method by the authentication device 10 according to the first embodiment. FIG. 10 is a diagram for explaining the problem of the edge router selection processing by the conventional communication system. FIG. 11 is a diagram for explaining the effect of edge router selection processing by the communication system according to the first embodiment. As shown in FIG. 10, in the conventional communication system, when the authentication device receives the authentication request from the edge router # 1 and the edge router # 3 to which the token is given, the already accommodated user is sent from the edge router # 3. The edge router # 1 with the smallest number is selected as the edge router to be accommodated, and an authentication response is transmitted to the selected edge router # 1. However, although the edge router # 1 has a small capacity, it takes time to connect the user depending on the user processing status such as communication with the BackUP server and OPS and PPP connection with other users.

  Therefore, in the communication system 100 according to the first embodiment, as shown in FIG. 11, the connection process is fast and the user connection is fast in consideration of communication from the outside to the edge router and the processing state of the edge. Edge router # 3 is selected as the edge router for SO input. As described above, it is possible to select the edge router 20 having the shortest user connection time from the plurality of edge routers 20 and shorten the time until the user can communicate.

  Further, when the number of accommodated user terminals or the processing load of the edge router 20 changes, the authentication device 10 according to the first embodiment uses the information stored in the management information storage unit 13a to change The connection time is complemented, and for each edge router 20, the edge router 20 having the shortest connection time is selected using the connection time stored in the management information storage unit 13 a or the supplemented connection information. In response, an authentication response is transmitted. For this reason, even when the number of accommodated user terminals or the processing load of the edge router 20 changes, the edge router 20 having the shortest user connection time is selected from the plurality of edge routers 20 by complementing the connection time, It is possible to shorten the time until the user can communicate.

[System configuration, etc.]
Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  In addition, among the processes described in this embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed All or a part of the above can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
FIG. 12 is a diagram illustrating a computer that executes a selection program. The computer 1000 includes, for example, a memory 1010 and a CPU (Central Processing Unit) 1020. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1051 and a keyboard 1052, for example. The video adapter 1060 is connected to the display 1061, for example.

  The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the authentication device 10 is implemented as a program module 1093 in which a code executable by a computer is described. The program module 1093 is stored in the hard disk drive 1090, for example. For example, a program module 1093 for executing processing similar to the functional configuration in the apparatus is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

  The setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.

  The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

DESCRIPTION OF SYMBOLS 10 Authentication apparatus 11 Communication processing part 12 Control part 12a Collection part 12b Learning part 12c Authentication part 12d Complement part 12e Selection part 13 Storage part 13a Management information storage part 20, 20A-20C Edge router 30 HGW
40 BackUP server 50 OPS
60 LNS
100 communication system

Claims (6)

A communication system having a plurality of edge routers that accommodate user terminals and an authentication device that authenticates user terminals,
Each edge router
A request unit that transmits an authentication request for requesting authentication of the user terminal to the authentication device when receiving a connection request from the user terminal;
When subscriber information of a user terminal that has made the connection request is received as an authentication response to the authentication request from the authentication device, the subscriber information is set, and the session connection of the user terminal is established using the subscriber information. A setting unit that performs processing to establish;
With
The authentication device
For each edge router, the session connection after the connection request is transmitted from the user terminal in association with the number of accommodated user terminals already accommodated, the access status from the external device, and the processing load due to the connection request of the user terminal A storage unit for storing the connection time until the completion of
A collection unit that collects information about the access status of each edge router and stores the information in the storage unit;
From each of the edge routers, a learning unit that receives a connection time actually taken from the time when the user terminal transmits a connection request until the session connection is performed, and stores the connection time in the storage unit;
Upon receiving the authentication request from the plurality of edge routers, an authentication unit that authenticates whether the user terminal is a regular user terminal;
When the authentication unit authenticates the user as an authorized user, the edge router having the shortest connection time among the connection times stored in the storage unit is selected for each edge router, and the edge router is selected. In contrast, a selection unit that transmits the authentication response;
A communication system comprising: The authentication device further includes a complementing unit that complements the changed connection time using the information stored in the storage unit when the number of accommodated user terminals or the processing load changes,
The selection unit selects, for each edge router, an edge router having the shortest connection time using the connection time stored in the storage unit or the connection information supplemented by the complement unit, and The communication system according to claim 1, wherein the authentication response is transmitted. There is a selection method executed in a communication system having a plurality of edge routers accommodating user terminals and an authentication device for authenticating user terminals,
For each edge router, a connection request is transmitted from the user terminal in association with the number of accommodated user terminals already accommodated, the access status from the external device, and the processing load due to the connection request of the user terminal. A storage unit that stores the connection time from session to completion of session connection,
A collecting step in which the authentication device collects information about the access status of each edge router and stores the information in the storage unit;
A learning step in which the authentication device receives connection time actually taken from the edge router to the session connection after the user terminal transmits a connection request from each edge router, and stores the connection time in the storage unit;
When each edge router receives a connection request from the user terminal, a request step of transmitting an authentication request for requesting authentication of the user terminal to the authentication device;
When the authentication device receives the authentication request from the plurality of edge routers, an authentication step of authenticating whether the user terminal is a regular user terminal;
When the authentication device is authenticated as a legitimate user by the authentication step, an edge router having the shortest connection time among the connection times stored in the storage unit is selected for each edge router. A selection step of transmitting an authentication response to the authentication request to the edge router;
When each edge router receives subscriber information of a user terminal that has made the connection request as an authentication response to the authentication request from the authentication device, the subscriber router sets the subscriber information and uses the subscriber information to A setting step for performing a process of establishing a session connection of the user terminal;
The selection method characterized by including. For each edge router that accommodates user terminals, a connection request is transmitted from the user terminal in association with the number of accommodated user terminals already accommodated, the access status from the external device, and the processing load due to the connection request of the user terminal. A storage unit for storing the connection time until the session connection is completed from
A collection unit that collects information about the access status of each edge router and stores the information in the storage unit;
From each of the edge routers, a learning unit that receives a connection time actually taken from the time when the user terminal transmits a connection request until the session connection is performed, and stores the connection time in the storage unit;
Upon receiving an authentication request for requesting authentication of the user terminal from a plurality of edge routers, an authentication unit that authenticates whether the user terminal is a regular user terminal;
When the authentication unit authenticates the user as an authorized user, the edge router having the shortest connection time among the connection times stored in the storage unit is selected for each edge router, and the edge router is selected. In contrast, a selection unit that transmits an authentication response to the authentication request;
An authentication device comprising: There is a selection method executed by the authentication device,
For each edge router that accommodates the user terminal, the authentication device connects from the user terminal in association with the number of accommodated user terminals already accommodated, the access status from the external device, and the processing load due to the connection request of the user terminal. A storage unit for storing a connection time from when the request is transmitted until the session connection is completed;
Collecting information on the access status of each edge router, and storing the information in the storage unit;
From each of the edge routers, a learning step of receiving a connection time actually taken from when the user terminal transmits a connection request until performing the session connection, and storing in the storage unit;
Upon receiving an authentication request for requesting authentication of the user terminal from a plurality of edge routers, an authentication step of authenticating whether the user terminal is a regular user terminal;
When it is authenticated by the authentication step that the user is a legitimate user, an edge router having the shortest connection time among the connection times stored in the storage unit is selected for each edge router, and the edge router is selected. In contrast, a selection step of transmitting an authentication response to the authentication request;
The selection method characterized by including.   A selection program for causing a computer to function as the authentication device according to claim 4.

Images