JP2018129594A - Communication device, controller, communication method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To rapidly identify, out of a plurality of terminals being supported by a communication device and having address-conversion functions, which terminal device is infected by a virus.SOLUTION: A communication device of a second network in a communication system with an edge router operable to connect a first network and the second network comprises: storage means for storing an address conversion table; address conversion means for converting an address of a packet received from a terminal in the second network into an address used in the first network based on the address conversion table, and sending the packet subjected to conversion to the edge router; number-of-terminals-notifying means for receiving a query for the number of terminals supported by the communication device from a controller, and notifying the controller of the terminal number; and conversion means for receiving addresses for the terminal number, given by the edge router based on an instruction from the controller, and converting the address conversion table using the addresses.SELECTED DRAWING: Figure 5

Description

  The present invention relates to a technique for identifying a terminal infected with a virus.

  In recent years, a malicious user may conduct a cyber attack for the purpose of inhibiting services on the WEB. A malicious user infects a plurality of terminals using the WEB service with a virus, and causes a plurality of terminals infected with the virus to execute a cyber attack on a specific WEB server. Such an attack is called a DDoS (Distributed Denial of Service attack) attack. In addition, each terminal infected with a virus performs a SYN flood attack described in Non-Patent Document 1, for example.

  An attack detection device (for example, UTM (Unified Threat Management)) is used to detect the cyber attack as described above.

  FIG. 1 shows a configuration example and an operation example of a system in which the attack detection device 5 is used. The example shown in FIG. 1 is an example in which a company NW 20 that is a subscriber network connected to the carrier network 10 is connected to the carrier network 10. The carrier network 10 includes an edge router 4, an attack detection device 5, and a WEB server 6. The company NW 20 includes a CPE (Customer Premises Equipment) 1 (for example, a router) and a terminal 3. The CPE may be referred to as a communication device.

  Here, as an example, the terminal 3 is infected with a virus and performs a cyber attack on the WEB server 6 (step S1). When detecting the attack, the attack detection device 5 notifies the administrator of the carrier network 10 of the detection information, and the administrator of the carrier network 10 is the administrator of the company NW that is the subscriber (specifically, for example, NW The administrator terminal 2) is notified (step S2). Thereby, the NW administrator grasps that there is a terminal infected with a virus (step S3). Since the subscriber may participate in the attack unintentionally, it is necessary to notify the subscriber in this way.

RFC 4987 TCP SYN Flooding Attacks and Common Mitigations

  In an NW configuration as shown in FIG. 1, a network address port translation (NAPT) technique is often used in a subscriber-side NW environment in order to ensure security. The NAPT function may be referred to as an address conversion function.

  In the configuration of FIG. 1, the CPE 1 is provided with a NAPT function. With the NAPT function, the source IP address (which may be referred to as a local IP address) of a packet transmitted from a plurality of terminals in the corporate NW 20 is the IP address on the carrier network 10 side (the interface on the carrier network 10 side of the CPE 1). The packet is rewritten to an address (which may be called a global IP address), and the packet is transmitted to the carrier network 10.

  A configuration example in the case of using the NAPT function is shown in FIG. In the example of FIG. 2, three terminals in the company NW 20 are shown, and it is shown that the terminal 3 is infected with a virus and a cyber attack is performed from the terminal 3. FIG. 2 also shows a personal NW 30. In FIG. 2, a white circle indicates a global IP address, and a black circle indicates a private IP address. This notation is the same in the following figures.

  For example, the attack detection device 5 detects that there is a cyber attack from the company NW 20 based on the source IP address of the attack packet, and notifies the NW administrator's terminal 2 to that effect.

  However, the NW administrator knows that there is a cyber attack from the company NW 20, but does not know from which terminal in the company NW 20 the cyber attack is being performed. For this reason, for example, the NW administrator must investigate individual terminals in the company NW 20 in order to identify infected terminals.

  In other words, in the prior art, the attack detection notification can be performed only from the carrier network 10 side in units of subscribers of the carrier network. For this reason, subscribers applying NAPT cannot immediately identify which terminal is infected with a virus even when notified of an attack detection, and there is a problem that it takes time to search for an infected terminal. is there.

  The present invention has been made in view of the above points, and it is possible to quickly identify which of a plurality of terminals under the control of a communication device equipped with an address translation function is infected with a virus. The purpose is to provide the technology.

According to the disclosed technology, the control device, the attack detection device provided in the first network, the communication device provided in the second network, and the edge connecting the first network and the second network A communication device in a communication system comprising a router,
Storage means for storing an address conversion table;
Based on the address conversion table, the address of the packet received from the terminal in the second network is converted into an address used in the first network, and the packet subjected to the conversion is transmitted to the edge router. Address translation means;
A terminal number notifying means for receiving an inquiry about the number of terminals under control of the communication device from the control device and notifying the control device of the number of terminals;
A communication device comprising: conversion means for receiving addresses corresponding to the number of terminals paid out from the edge router based on an instruction from the control device, and converting the address conversion table using the addresses. Is provided.

According to the disclosed technology, the control device, the attack detection device provided in the first network, the communication device provided in the second network, and the first network and the second network are connected. The control device in a communication system comprising an edge router,
Obtaining means for obtaining the number of terminals by inquiring of the number of terminals under control of the communication device to the communication device;
Instructing means for transmitting to the edge router an address payout instruction that instructs the communication device to pay out addresses for the number of terminals,
From the edge router, a payout address that is a payout address based on the address payout instruction and an initial address that is an address used before the payout are received, and the payout address and the initial address are And a notifying means for notifying the attack detecting device.

  According to the disclosed technology, there is provided a technology that can quickly identify which of a plurality of terminals under the control of a communication device provided with an address translation function is infected with a virus.

It is a figure for demonstrating a prior art. It is a figure for demonstrating a subject. It is a figure which shows the outline | summary of embodiment of this invention. It is a system configuration figure in an embodiment of the invention. It is a figure for demonstrating the operation example of the system in embodiment of this invention. It is a figure for demonstrating the operation example of the system in embodiment of this invention. It is a figure for demonstrating the operation example of the system in embodiment of this invention. It is a figure for demonstrating the operation example of the system in embodiment of this invention. It is a figure which shows the state after cancellation | release and before cancellation | release. 2 is a functional configuration diagram of a controller 200. FIG. It is a functional block diagram of CPE100. It is a hardware block diagram of the controller 200 and CPE100.

  Hereinafter, an embodiment (this embodiment) of the present invention will be described with reference to the drawings. The embodiment described below is merely an example, and the embodiment to which the present invention is applied is not limited to the following embodiment.

  In the present embodiment, a description will be given of a configuration in which a corporate network (example of a second network) as a subscriber network is connected to a carrier network (example of a first network). The present invention is not limited to such a configuration. Further, in the present embodiment, the IP address is the conversion target and the notification target, but this is also an example, and the present invention can be applied to an address other than the IP address (for example, a MAC address).

  In this embodiment, NAPT is used as an example of the address conversion function. However, the present invention is also applicable to a communication apparatus having an address conversion function other than NAPT. In the following description, a cyber attack is described as an “attack”.

(Outline of the embodiment)
The outline of the processing operation in this embodiment will be described with reference to FIG. FIG. 3A shows a conventional method for comparison, and FIG. 3B shows a proposed method in the present embodiment.

  As shown in FIG. 3 (a), in the conventional method, as already described, the source IP of packets transmitted from a plurality of terminals in the company NW 20 on the carrier network 10 side by the NAPT function of the CPE 1 in the company NW 20 The address is the same IP address. Since the attack detection device 5 detects an attack based on the IP address, the conventional method cannot detect an attack for each terminal in the company NW 20 although it can detect that an attack is being performed from the company NW 20.

  On the other hand, in the present embodiment shown in FIG. 3B, the edge router 4 in the carrier network 10 is global to the CPE 100 for each terminal under the CPE 100 in the company NW 20 (for each terminal to which address translation is applied). Pay out the IP address. Thereby, the transmission source IP address of the packet transmitted from the CPE 100 is different for each terminal, and the attack detection device 5 on the carrier network 10 side can detect the attack for each terminal in the company NW 20.

(System configuration)
FIG. 4 shows a system configuration in the present embodiment. As shown in FIG. 4, the system in the present embodiment has a configuration in which a carrier network 10 and a company NW 20 that is one of subscriber networks connected to the carrier network 10 are connected. The carrier network 10 includes an edge router 4, an attack detection device 5, a WEB server 6, and a controller 200. The controller 200 can communicate with the attack detection device 5 and the edge router 4 via a network. The company NW 20 has a CPE 100 (for example, a router) having a NAPT function and a plurality of terminals that are under the control of the CPE 100 and communicate with the CPE 100.

  The edge router 4 is a router that connects the carrier network 10 and the corporate NW 20. The attack detection device 5 is a device that detects an attack based on a packet received from the edge router 4 or the like. The WEB server 6 is an example of an attack target.

  The controller 200 in the carrier network 10 is a device that issues an IP address issue instruction. The CPE 100 is a communication device including a NAPT function as an address conversion function and a NAPT table, and has a plurality of terminals under its control. For example, the CPE 100 refers to the NAPT table, acquires an IP address (global IP address) corresponding to an IP address that matches the transmission source IP address (local IP address) of the packet received from the terminal, and uses the local IP address. The IP address is converted to the global IP address, and the converted packet is sent to the edge router 4.

  Each of the controller 200 and the CPE 100 is a device including the function according to the present invention, and the operation content will be sequentially described below. Further, the controller 200 may be called a control device, and the CPE 100 may be called a communication device.

(System operation example)
With reference to FIGS. 5 to 8, an example of the operation of the system in the present embodiment will be described.

  5, the attack detection apparatus 5 detects an attack from the company NW 20 and notifies the controller 200 of the attacker's IP address (here, the IP address on the carrier network 10 side of the CPE 100). In this embodiment, the processing after step S102 is performed in response to the attack detection as described above. However, the processing may be started from step S102 regardless of whether or not the attack is detected.

  In step S102, the controller 200 inquires of the CPE 100 about the number of terminals to be accommodated using, for example, the IP address related to the notification. The CPE 100 returns the number of terminals to the controller 200 as a response to the inquiry from the controller 200 (step S103). When the number of terminals is 1, the infected terminal in the company NW 20 can be identified as one, and at this point in time, the controller 200 indicates that the attack has been detected by the subscriber (specifically, for example, the company NW 20 It is not necessary to perform the subsequent processing. Hereinafter, a case where there are a plurality of terminals will be described.

  In step S <b> 104, the controller 200 transmits an address payout instruction to the edge router 4 that accommodates the CPE 100 so as to pay out to the CPE 100 the (global) IP addresses for the number of terminals returned in the response of step S <b> 103. In step S <b> 105, the edge router 4 issues IP addresses for the number of terminals to the CPE 100.

  In step S106 of FIG. 6, the CPE 100 allocates the issued IP address to each terminal and converts the NAPT table.

  A conversion example of the NAPT table provided in the CPE 100 will be described with reference to Tables 1 and 2 shown in FIG. Before the conversion of the NAPT table (Table 1), the local IP addresses A, B, and C are assigned to the terminal a, the terminal b, and the terminal c, respectively, and the IP address after the NAPT address conversion (on the carrier network side of the CPE 100) Global IP address) is assigned as one global IP address D. Therefore, the NAPT table shown in Table 1 is obtained.

  Next, after the conversion of the NAPT table (Table 2) will be described. In this example, E, F, and G are issued from the edge router 4 to the CPE 100 as global IP addresses corresponding to the number of terminals (three). The CPE 100 allocates a global IP address E to the terminal a (local IP address A), allocates a global IP address F to the terminal b (local IP address B), and allocates a global IP address G to the terminal c (local IP address C). . The CPE 100 creates the NAPT table shown in Table 2 based on the above allocation.

  Note that the address distribution shown as step S106 in the company NW 20 of FIG. 6 may not be performed when there is no change in the local IP address as in the above NAPT table conversion example.

  Subsequently, in step S107, the edge router 4 notifies the controller 200 of the global IP address issued to the CPE 100 and the global IP address used in the CPE 100 before the payment, and the controller 200 Notify the attack detection device 5. In the example of Table 2, E, F, and G are notified as the global IP addresses that are issued to the CPE 100, and D is notified as the global IP address that was used in the CPE 100 before the payment.

  The attack detection device 5 has a NAPT function (address conversion function). In step S108, the attack detection apparatus 5 creates a NAPT table (conversion table) based on the global IP address information received in step S107. Specifically, a NAPT table for converting a global IP address newly issued to the CPE 100 into a global IP address that was originally used is created.

  In the example of the addresses shown in Tables 1 and 2, the NAPT table for converting the global IP addresses E, F, and G into the global IP address D is shown in Table 3. For example, when receiving a packet addressed to the WEB server 6 having the global IP address G as the transmission source IP address, the attack detection device 5 converts the transmission source IP address into the global IP address D and sends the packet to the WEB server. 6 to send. As a result, the WEB server 6 seems to communicate with the global IP address D as before.

  In step S109 of FIG. 7, the attack detection device 5 detects that an attack is being performed by a packet having the global IP address G as a transmission source IP address, for example.

  In step S110, the attack detection device 5 notifies the controller 200 of the IP address of the attack source. Here, it is assumed that the global IP address G is notified.

  In step S111, the controller 200 notifies the subscriber (company NW 20) of the global IP address G based on the global IP address G. The notified global IP address G is notified to, for example, the terminal of the NW administrator in the company NW 20, and the NW administrator has a one-to-one correspondence between the local IP address and the global IP address in the NAPT table (Table 2 in FIG. 6). Based on the correspondence, the local IP address C of the terminal corresponding to the global IP address G can be specified. That is, the terminal c can be specified as a terminal suspected of being infected. The CPE 100 acquires the local IP address C of the terminal c based on the global IP address G received in step S111 and the NAPT table, and notifies the NW administrator's terminal of the local IP address C of the terminal c. Also good.

  Next, a procedure for canceling the setting of the issued IP address will be described with reference to FIG.

  In step S <b> 201, the controller 200 transmits a release instruction to the CPE 100 and the attack detection device 5. In step S202, the release processing is executed in each of the attack detection device 5 and the CPE 100.

  In step S202, the attack detection device 5 turns off the NAPT function itself. As a result, the address conversion according to the table shown in Table 3 of FIG. 6 is not performed. Also, the CPE 100 returns the NAPT table shown in Table 4 to the previous NAPT table as shown in Table 5.

  FIG. 9 is a diagram comparing and comparing (a) before release and (b) after release. As shown in FIG. 9, before the release (a), the terminals a, b, and c can be identified on the carrier network 100 side, but after the release (b), they cannot be identified.

(Device configuration)
Next, examples of functional configurations of the controller 200 and the CPE 100 that perform the above-described operation will be described.

<Controller 200>
FIG. 10 shows a functional configuration diagram of the controller 200. As illustrated in FIG. 10, the controller 200 includes a recording unit 210, a control unit 220, a transmission unit 230, and a reception unit 240.

  The recording unit 210 is a storage unit that stores various data (for example, a database system). As shown in FIG. 10, for example, the recording unit 210 includes information on the NW form of the subscriber (e.g., whether or not NAPT is used), information on the IP address detected by the attack detection device 5, originally used by the subscriber. The information on the global IP address and the newly issued global IP address is stored for each subscriber in the form of a table, for example.

  The transmission unit 230 transmits information to the outside based on an instruction from the control unit 220. The receiving unit 240 receives information from the outside, and passes the received information to the control unit 220.

  The controller 220 controls the operation of the controller 200 described with reference to FIGS. That is, the operation of the controller 200 described with reference to FIGS. 5 to 8 is executed under the control of the control unit 220.

  For example, the control unit 220 issues an IP address payout instruction (S105 in FIG. 5), a request for the number of terminals, an IP address notification of an unauthorized (infected) terminal (S102 in FIG. 5, S111 in FIG. 7), and an attack detection device 5 Control for causing the controller 200 to execute an IP address notification (S107 in FIG. 6) and a release instruction (S201 in FIG. 8) is performed. Specifically, for example, information necessary for the operation is read from the recording unit 210 and the transmission unit 230 is instructed to transmit. Further, for example, the information received from the receiving unit 240 is received, and the received information is analyzed and stored.

<CPE100>
FIG. 11 shows a functional configuration diagram of the CPE 100. As illustrated in FIG. 11, the CPE 100 includes a recording unit 110, a control unit 120, a transmission unit 130, and a reception unit 140.

  The recording unit 110 is a storage unit that stores various data (for example, a database system). As shown in FIG. 11, for example, the recording unit 110 stores a NAPT table (eg, Table 1 and Table 2 in FIG. 6).

  The transmission unit 130 transmits information to the outside based on an instruction from the control unit 120. The receiving unit 140 receives information from the outside and passes the received information to the control unit 120.

  The control unit 120 controls the operation of the CPE 100 described with reference to FIGS. That is, under the control of the control unit 120, the operation of the CPE 100 described with reference to FIGS.

  For example, the control unit 120 controls the CPE 100 to execute an IP address issue instruction, search and transmission of the number of terminals (S102 and S103 in FIG. 5), and rewrite of the NAPT table (S106 in FIG. 6 and S202 in FIG. 8). I do. Specifically, for example, information necessary for the operation is read from the recording unit 110 and the transmission unit 130 is instructed to transmit. Further, for example, the information received from the receiving unit 140 is received, and the received information is analyzed and stored.

  The control unit 120 also includes a NAPT function. For example, when the source IP address of a packet received from the company NW 20 side via the reception unit 140 is checked against the NAPT table and matches the IP address before conversion, The transmission source IP address is converted into an IP address after conversion, and the packet after the transmission source IP address conversion is transmitted to the carrier network side (edge router side) via the transmission unit 130.

<Hardware configuration example>
Both the controller 200 and the CPE 100 in the present embodiment can be realized in terms of hardware by the configuration of a computer (a router or the like is also a kind of computer). Further, both the controller 200 and the CPE 100 can realize their functions by executing a program on a computer. However, realizing the controller 200 or the CPE 100 by the configuration of the computer is an example, and a hardware configuration other than the computer may be adopted.

  FIG. 12 is a diagram illustrating a hardware configuration example applicable to both the controller 200 and the CPE 100 (hereinafter referred to as the controller 200 / CPE 100) in the present embodiment. As shown in FIG. 12, the controller 200 / CPE 100 includes a drive device 150, an auxiliary storage device 152, a memory device 153, a CPU 154, an interface device 155, a display device 156, and an input device 157 that are connected to each other via a bus B. Etc.

  A program that realizes processing in the controller 200 / CPE 100 is provided by a recording medium 151 such as a CD-ROM or a memory card, for example. When the recording medium 151 storing the program is set in the drive device 150, the program is installed from the recording medium 151 into the auxiliary storage device 152 via the drive device 150. However, the program does not necessarily have to be installed from the recording medium 151, and may be downloaded from another computer via a network. The auxiliary storage device 152 stores the installed program and also stores necessary files and data.

  The memory device 153 reads and stores the program from the auxiliary storage device 152 when there is an instruction to start the program. The CPU 154 realizes functions related to the controller 200 / CPE 100 in accordance with a program stored in the memory device 153. The interface device 155 is used as an interface for connecting to a network. The display device 156 displays a GUI (Graphical User Interface) or the like by a program. The input device 157 includes a keyboard and mouse, buttons, a touch panel, and the like, and is used to input various operation instructions. Note that the controller 200 / CPE 100 according to the present embodiment may not include the display device 156 and the input device 157.

(Effects of embodiment, summary)
Because the technology according to the present embodiment temporarily pays out the IP addresses for the number of terminals to the subscriber using NAPT, the communication is inspected for each IP address (for each terminal). Thus, it is possible to specify the IP address (terminal) that is performing suspicious communication. That is, by using the present technology, it is possible to quickly identify a terminal infected with a virus, and to reduce the operation until the terminal is identified.

  In addition, with the technology according to the present embodiment, appropriate information can be notified for each subscriber, and the infected terminal can be identified. As variations of notification, for example, (1) the terminal address is notified to a subscriber who uses NAPT, and (2) the user who does not use NAPT is notified on a subscriber basis. There are two.

  In addition to the technique according to the present invention, for example, a method of transmitting the MAC address information of each terminal to the upper level is conceivable, but the processing load is considered to increase. On the other hand, the technology according to the present invention is considered to be effective against a large-scale DDoS attack.

  As described above, according to the present embodiment, the control device, the attack detection device provided in the first network, the communication device provided in the second network, the first network, and the first network A communication device in a communication system comprising an edge router for connecting to a second network, the storage device storing an address conversion table, and received from a terminal in the second network based on the address conversion table The address of the packet is converted to an address used in the first network, and the converted packet is transmitted to the edge router, and the number of terminals under the control of the communication device is transmitted from the control device. Terminal number notifying means for receiving the inquiry of the terminal and notifying the control device of the number of terminals, and the edge router paid out based on an instruction from the control device Receives the address of the end of minutes, the communication device characterized by comprising a conversion means for converting the address translation table by using the address is provided.

  The CPE 100 described in the embodiment is an example of a communication device. That is, the CPE 100 includes storage means, address conversion means, terminal number notification means, and conversion means.

  The conversion unit is configured to associate the address of the second network assigned to a terminal under the communication device with an address issued from the edge router in a one-to-one correspondence. The conversion may be performed.

  Further, according to the present embodiment, the control device, the attack detection device provided in the first network, the communication device provided in the second network, and the first network and the second network are connected. In the control device in a communication system including an edge router, an acquisition unit that acquires the number of terminals by inquiring of the number of terminals under the communication device to the communication device, and an address for the number of terminals An address issuing instruction for instructing the communication device to pay out to the edge router, a payout address that is an address issued from the edge router based on the address payout instruction, and the payout The initial address that is the address used before the first address is received, and the payout address and the initial address are passed to the attack detection device. Control device is provided, characterized in that it comprises a notifying means for.

  The controller 200 described in the embodiment is an example of a control device. That is, the controller 200 includes an acquisition unit, an instruction unit, and a notification unit.

  The control device may further include detection address notification means for receiving an address related to attack detection from the attack detection device and notifying the communication device of the address.

  Although the present embodiment has been described above, the present invention is not limited to the specific embodiment, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. Is possible.

10 Carrier network 20 Company NW
1,100 CPE
4 Edge router 5 Attack detection device 6 WEB server 200 Controller 110, 210 Recording unit 120, 220 Control unit 130, 230 Transmission unit 140, 240 Reception unit 150 Drive device 151 Recording medium 152 Auxiliary storage device 153 Memory device 154 CPU
155 Interface device 156 Display device 157 Input device

Claims (8)

In a communication system comprising: a control device; an attack detection device provided in a first network; a communication device provided in a second network; and an edge router that connects the first network and the second network. A communication device comprising:
Storage means for storing an address conversion table;
Based on the address conversion table, the address of the packet received from the terminal in the second network is converted into an address used in the first network, and the packet subjected to the conversion is transmitted to the edge router. Address translation means;
A terminal number notifying means for receiving an inquiry about the number of terminals under control of the communication device from the control device and notifying the control device of the number of terminals;
A communication device comprising: conversion means for receiving addresses corresponding to the number of terminals paid out from the edge router based on an instruction from the control device, and converting the address conversion table using the addresses. . The converting means includes
The address conversion table is converted so that the second network address assigned to the terminal under the communication device and the address issued from the edge router are associated one-to-one. The communication apparatus according to claim 1. In a communication system comprising: a control device; an attack detection device provided in a first network; a communication device provided in a second network; and an edge router that connects the first network and the second network. The control device comprising:
Obtaining means for obtaining the number of terminals by inquiring of the number of terminals under control of the communication device to the communication device;
Instructing means for transmitting to the edge router an address payout instruction that instructs the communication device to pay out addresses for the number of terminals,
From the edge router, a payout address that is a payout address based on the address payout instruction and an initial address that is an address used before the payout are received, and the payout address and the initial address are And a notifying means for notifying the attack detecting device. The control device according to claim 3, further comprising: a detection address notification unit that receives an address related to attack detection from the attack detection device and notifies the communication device of the address. In a communication system comprising: a control device; an attack detection device provided in a first network; a communication device provided in a second network; and an edge router connecting the first network and the second network. A communication method to be executed,
The control device obtains the number of terminals by inquiring of the number of terminals under control of the communication device to the communication device;
The control device transmits to the edge router an address payout instruction that instructs the communication device to pay out addresses for the number of terminals;
The communication device receives addresses for the number of terminals paid out from the edge router based on an instruction from the control device, and converts the address conversion table using the addresses;
The control device receives, from the edge router, a payout address that is a payout address based on the address payout instruction, and an initial address that is an address used before the payout, and the payout address And a step of notifying the attack detection device of the initial address. In the converting step,
The address conversion table is converted so that the second network address assigned to the terminal under the communication device and the address issued from the edge router are associated one-to-one. The communication method according to claim 5.   The program for functioning a computer as each means in the communication apparatus of Claim 1 or 2.   The program for functioning a computer as each means in the control apparatus of Claim 3 or 4.