JP3703477B1 - Connection position validity judgment method and apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent unauthorized connection in IP telephone service by 0ABJ number.
When a specific packet for connection processing of a user connection device is received from a broadband access server (BAS), the user connection device is connected under a predetermined BAS based on data about the BAS. And a step of determining whether the user connection device is connected to a predetermined network based on BAS data relating to the user connection device when a positive result is obtained in the determination step. If a positive result is obtained in the second determination step, the step of acquiring the MAC address of the user connection device and determining whether the connection position of the user connection device is a predetermined connection position in a normal state Including. When it is determined that the connection position of the user connection device is a predetermined connection position in the normal state, the connection position of the user connection device is treated as appropriate.
[Selection] Figure 1

Description

  The present invention relates to an unauthorized connection detection technique.

  In order to provide IP telephone services with numbers 0AB to J (sometimes abbreviated as 0ABJ) beginning with 03 or 045, the technical requirements (Article 9 No. 1 of Electronic Communication Number Rules) defined by the Ministry of Internal Affairs and Communications are met. Therefore, it is necessary to take measures to prohibit unauthorized connection (movement of the terminal device) of the users providing numbers 0AB to J. The technical requirement is to take technical measures for preventing the use of a telecommunication number different from the geographical identification area indicated by the telecommunication number (telephone number). For example, a terminal in which a telephone number starting with 03 is registered For example, when a device is installed in a telephone number area starting with 045, communication is disabled.

  In general, as a technical measure described above, a “VLAN method” in which a VLAN (Virtual Local Area Network) -ID is assigned to each user is adopted, and roughly divided into the following two methods. Two methods can be used in combination.

(1) Tag-VLAN method by terminal device and accommodating device VLAN-ID in units of terminal device (for example, VoIP (Voice over Internet Protocol) router) and accommodating port (for example, port of collective MC (Media Converter) which is accommodating device) Is granted. When the user moves the terminal device, a VLAN-ID mismatch is detected in the destination accommodation device, and communication becomes impossible, thus satisfying the above technical requirements.

(2) VLAN authentication method by authentication server (Radius server) A VLAN-ID is assigned for each accommodation port, and an element of VLAN-ID is added to the user authentication packet. The VLAN-ID is also registered in the authentication server in association with the user ID. If the user moves the terminal device (the accommodation port is changed), the VLAN-ID does not match in the authentication server. Therefore, authentication is not permitted and the above technical requirements are satisfied.

  If (1) and (2) are combined, even if the VLAN-ID of the terminal device is rewritten to the VLAN-ID of the destination accommodation port, it does not match the VLAN-ID registered in the authentication server. Not allowed.

In addition, as a technique for excluding “spoofing” that a user makes a call (calling and receiving) falsely with another person's telephone number, for example, Japanese Patent Laid-Open No. 2003-169135 discloses the following technique Has been. That is, in a VoIP communication system provided with a means for mediating telephone communication performed between a plurality of IP (Internet Protocol) telephone terminals via an IP network, an authentication means for the IP telephone terminal is provided. Means for previously storing correspondence information between the user name, password, and telephone number of the IP telephone terminal; correspondence between the user name, password, and telephone number of the IP telephone terminal that is notified when the IP telephone terminal dials up Means for authenticating the legitimacy of the IP telephone terminal by comparing the relation information with correspondence information of the user name, password and telephone number of the IP telephone terminal held in advance in the holding means; Means for notifying the intermediary means of the result, and the IP telephone whose validity has been authenticated by the authentication means The IP address assigned to the last dial-up connection is registered in the mediating means corresponding to the telephone number, and the mediating means is configured to register the IP address and the telephone number in the set IP address. A means for intermediating telephone communication limitedly between telephone terminals, wherein the authenticating means is a request for deleting the registered pair of the IP address and the telephone number when the dial-up connection disconnection of the IP telephone terminal is recognized. The intermediary means includes means for deleting the corresponding pair of the IP address and the telephone number when the deletion request is accepted. However, the spoofing of the connection position, not the phone number, is not considered.
JP 2003-169135 A

  The VLAN method described above is known to have problems in the following points. That is, (1) the influence on the existing network is large, (2) the operation / management work is greatly increased, and (3) restrictions are imposed on the new service. More specifically, (1a) When a Tag-VLAN is already used on the L2 network, it is necessary to newly adopt the VLAN stack system, resulting in a complicated configuration. In addition, (1b) VLAN setting is performed in units of users, and when shifting from a network that does not employ the VLAN method, a large-scale stop is required. Therefore, the impact is great and realization is very difficult. Furthermore, (2a) the accommodation device needs to be set for each user, and when the accommodation is changed due to a failure or the like, the VLAN setting work of the change destination port occurs, and the operation load increases. There is also a risk of service stop due to a setting error. (2b) It is necessary to set a VLAN in each terminal device, which increases management work. (3) When a VLAN is set for each user, it becomes practically impossible to provide a service using multicast or the like. As described above, the above-described method has problems in various points.

  Accordingly, an object of the present invention is to provide a novel technique for preventing unauthorized connection in an IP telephone service using a 0ABJ number.

  According to the present invention, a method for determining the validity of a connection position of a user connection device is performed when a specific packet for connection processing of the user connection device is received from a broadband access server. A first determination step of determining whether the user connection device is connected to a predetermined broadband access server based on the data about the user, and the user connection device to be subordinate to the predetermined broadband access server A second determination step of determining whether or not the user connection device is connected to a predetermined network based on data on the broadband access server according to the user connection device when determined to be connected; The user connection device is connected to a predetermined network. A third determination step of acquiring a MAC (Media Access Control) address of the user connection device and determining whether or not the connection position of the user connection device is a predetermined connection position in a normal state when it is determined that including. When it is determined that the connection position of the user connection device is a predetermined connection position in a normal state, the connection position of the user connection device is handled as appropriate.

  In this way, it is possible to distinguish between unauthorized connection and legitimate connection without adopting the VLAN method.

  In addition, when it is not determined that the connection position of the user connection device is a predetermined connection position in the normal state, a fourth determination step of determining whether the connection position of the user connection device is within an allowable range in the abnormal state. In addition, when it is determined that the connection position of the user connection device is within the allowable range in the abnormal state, the connection position of the user connection device may be handled as appropriate. In this way, even when the connection position of the user connection device is not a normal connection due to the convenience of the operator, the validity of the connection position can be confirmed, and the maintenance cost can be reduced.

  Note that the specific packet described above can also be used as a charging request packet from the broadband access server. In this way, useless processing can be reduced as compared to performing processing in response to an authentication request packet.

  Furthermore, in the first determination step described above, the identifier of the broadband access server (for example, the NAS-IP address in the embodiment, which may be abbreviated as NAS-IP hereinafter) is a predetermined identifier. You may make it judge.

  Further, in the second determination step described above, it may be determined whether a packet related to the user connection device is received via a predetermined port of the broadband access server. The data relating to the port number can be acquired even when using an existing device, and there is no operational problem.

  Further, in the second determination step described above, it is determined whether the user connection device is connected to a predetermined network using an identifier of a predetermined accommodation device under the broadband access server. Also good.

  The third determining step described above includes the step of requesting the MAC address of the user connection device to the broadband access server and a predetermined accommodation device under the broadband access server, and the broadband access server. When the MAC address of the user connection device is received from the server and the accommodation device, a step of determining whether the two MAC addresses match may be included. The MAC address can be easily acquired even with conventional equipment, and by acquiring the MAC address from two devices, it is possible to cope with MAC address spoofing and the like.

  Further, when there is no response from a predetermined accommodation device under the broadband access server and the MAC address of the user connection device cannot be obtained, the method further includes a step of identifying an abnormal state of the accommodation device. good. This is because it cannot be determined whether the user connection device is connected at a predetermined position in the normal state.

  Furthermore, the fourth determination step described above includes a step of acquiring port state data of a predetermined port of a predetermined accommodation device under the broadband access server, and the port state is a specific state. If it is determined, the step of identifying the abnormal state of the port of the accommodation device, and the abnormal state of the accommodation device or the abnormal state of the port of the accommodation device are detected, using the MAC address of the user connection device, Determining whether or not the user connection device is connected via a storage device in a predetermined base. For example, it is possible to cope with a case where a problem occurs in a port of a collective MC connected by a user connection device via a home MC (Media Converter) or the like and the user connection device is connected to another port. The abnormal state of the storage device is a case where there is no response from the storage device as described above, for example.

  In addition, when it is determined that the port state is not a specific state or when the port state data cannot be acquired, the user connection device is connected via the accommodation device in the predetermined base based on the MAC address. You may make it further include the 5th judgment step which judges whether it is. Further, when a positive determination is made in the fifth determination step, data indicating unauthorized connection within the same base is indicated, and when a negative determination is made, it indicates illegal connection from different bases within the same network. Data may be set.

  Furthermore, if a negative determination is made in the first determination step or the second determination step, data indicating unauthorized connection is set, and if a negative determination is made in the fourth determination step, an illegal operation is performed. Data indicating connection may be set.

  It is also possible to create a program for causing a computer to execute the method according to the present invention. The program is, for example, a storage medium or a storage device such as a flexible disk, a CD-ROM, a magneto-optical disk, a semiconductor memory, and a hard disk. Stored in In some cases, digital signals are distributed over a network. Note that data being processed is temporarily stored in a storage device such as a computer memory.

  According to the present invention, it is possible to prevent unauthorized connection in an IP telephone service using a 0ABJ number.

  First, in order to facilitate understanding of an embodiment of the present invention, an outline of an embodiment of the present invention will be described with reference to FIGS. 1 and 2. As shown in FIG. 1, a VoIP router 8 at a user's home includes a network termination device 7 such as a home-type MC, an accommodation device 6 such as a collective MC, a BAS (Broadband Access Server) 5, and a Proxy Radius server. 3 is connected to an Internet Service Provider (ISP) Radius server 4. In the present embodiment, a position determination server 1 and a 0ABJ database (DB) 2 are newly introduced in the position determination system, and functions are added to the Proxy Radius server 3. The position determination notification server 9 receives the unauthorized connection notification data from the position determination server 1 and transmits an unauthorized connection notification mail to the 0ABJ provider (for example, telephone company) server 10.

  The processing outline of the system shown in FIG. 1 will be described with reference to FIG. First, the VoIP router 8 causes the ISP Radius server 4 to start authentication (step (1)). At this time, when receiving the accounting request packet for the VoIP router 8 from the BAS 5, the Proxy Radius server 3 notifies the location determination server 1 of the connected user information (step (2)). The position determination server 1 reads user information corresponding to the connected user from 0ABJDB2 (step (3)). Then, the location determination server 1 compares the NAS-IP and NAS-Port of the BAS 5 included in the connected user information with the NAS-IP and NAS-Port included in the user information acquired from the 0ABJDB 2 (step (4)). ). If they do not match, the VoIP router 8 is obviously connected via a route other than a predetermined route, so the location determination server 1 determines the location of information on the unauthorized connection user. It transmits to the notification server 9 (step (7)). The position determination notification server 9 transmits information about the unauthorized connection user to the 0ABJ provider server 10 or the like (step (8)). In response to this notification, the 0ABJ provider performs measures such as disconnecting the connection with the VoIP router 8.

  On the other hand, if the NAS-IP and the NAS-Port match in step (4), the location determination server 1 acquires the MAC address of the VoIP router 8 from the BAS 5 and the accommodating device 6 (step (5)). The presence / absence of unauthorized connection, such as comparing the MAC addresses, is determined (step (6)). If the acquired MAC addresses do not match, the VoIP router 8 is connected via a route that is not a predetermined route. In addition, when the storage device itself has been replaced due to an abnormality, or when the storage device is connected to a different port due to a storage device port error, this is not a normal state but unavoidable for service provision If any other state is detected, it is determined that the connection is illegal. If it is determined that there is an unauthorized connection, the process proceeds to step (7). On the other hand, if it is determined that the connection is not unauthorized, the VoIP router 8 can continue communication as usual.

  In this way, it is possible to detect unauthorized connections using only the data that can be collected with the current network configuration simply by introducing the position determination system as shown in FIG. 1. Compared with the VLAN method described in the prior art. Thus, there is an advantage that the configuration of the existing network equipment can be hardly changed. Further, since the Proxy Radius server 3 that cooperates with the position determination server 1 has a normally redundant configuration, a system can be constructed without stopping the user service. In addition, since the determination of the connection position based on the MAC address is performed, the versatility is high, and the MAC address table should be held for devices that will appear in the future. It is done. In addition, it is assumed that there is no need for individual user settings for the VoIP router 8 and the like, and there is almost no increase in operation / management work. Further, as will be described in detail below, even if a failure of the entire storage device 6 or a port of the storage device 6 occurs and the normal action is taken against it, the influence on the user can be minimized. There is no decline in service level. Further, unlike the VLAN method, the VLAN can be configured flexibly, so there is no restriction on new services such as multicast.

  Next, the processing for unauthorized connection in the system shown in FIGS. 1 and 2 will be specifically described with reference to FIGS. 3 to 7 to help understanding of the embodiment of the present invention. First, referring to FIG. 3, a VoIP router having a user ID (UserID) of UserA, a MAC address of abc, and a telephone number of 03-xxxx-xxx, with the same BAS number and BAS port, but with a collective type A case will be described in which a connection is made not to MC # 1 but to a different collective MC # 2. As shown in FIG. 3, BAB number (No.), BAS port number (Port), MC number (No.) and MC port number (Port) are registered in 0ABJDB2 in correspondence with the user ID. The VoIP router of User A is registered with a BAS number of 1, a BAS port number of 1, an MC number of 1, and an MC port number of 1.

  On the other hand, after moving the VoIP router, the BAS table provided in BAS # 1 shows the IP address x. x. x. x and MAC address abc are registered. Further, the Port1 MAC table provided in the collective MC # 1 to which the UserA VoIP router should be connected is not registered (Null), and the collective MC # to which the UserA VoIP router is currently connected is connected. Abc is registered in the Port 2 MAC table provided in the port 2. In such a situation, in step (2) of FIG. 2, when the location determination server 1 acquires the NAS-IP and NAS-Port related to UserA from the Proxy Radius server 3, in step (3), from 0ABJDB2 to UserA Are registered, and in step (4), both are compared. At this time, BAS # 1 and BASport1 are positions where UserA should be connected in advance, and are not determined to be unauthorized connections here.

  Then, when the MAC address is acquired from BAS # 1 and aggregate type MC # 1 according to the registration data acquired from 0ABJDB2 in step (5), the MAC address abc is acquired from BAS # 1, as shown in FIG. The MAC address “Null” is acquired from the type MC # 1. These MAC addresses do not match, and it is possible to detect movement of the VoIP router of User A, that is, unauthorized connection. Since the accommodation device can acquire the MAC address for each port, unauthorized connection can be detected even when moving to another port in the same accommodation device.

  Next, a case where the VoIP router of UserA is connected to the collective MC # 3 connected to the same BAS but connected to a different BAS port will be described with reference to FIG. In such a case, the same contents as FIG. 3 are registered in the BAS table provided in BAS # 1, and the MAC address abc of the VoIP router is stored in the Port3 MAC table provided in the collective MC # 3. Is registered. Under such circumstances, in step (2) of FIG. 2, the location determination server 1 acquires the NAS-IP and NAS-Port related to UserA from the Proxy Radius server 3. In step (3), registration data on UserA is acquired from 0ABJDB2. Thereafter, when both are compared in step (4), NAS-IP matches because BAS # 1 is the same. However, since the BAS port is Port2 instead of Port1, as shown in FIG. 4, BASport (NAS-Port ) Is 2, and BASport (NAS-Port) in 0ABJDB2 is 1 and does not match. Since NAS-Port does not match in this way, unauthorized connection can be detected.

  A case where the VoIP router of UserA is connected to the collective MC # 4 connected to a different BAS # 2 will be described with reference to FIG. In such a case, the same contents as FIG. 3 are registered in the BAS table provided in BAS # 2, and the MAC address abc of the VoIP router is stored in the Port4 MAC table provided in the collective MC # 4. Is registered. Under such circumstances, in step (2) of FIG. 2, the location determination server 1 acquires the NAS-IP and NAS-Port related to UserA from the Proxy Radius server 3. In step (3), registration data on UserA is acquired from 0ABJDB2. After that, when both are compared in step (4), as shown in FIG. 5, since the received BAS number (that is, NAS-IP) is different from the BAS number in 0ABJDB2, the unauthorized connection of the VoIP router of UserA is detected. Can do.

  Further, the case where the MAC address is spoofed will be described with reference to FIG. UserA has a user ID (UserID) of UserA, a MAC address of abc and a telephone number of 03-xxxx-xxxx, and VoIP router # 1 to which UserB is to connect its own VoIP router # 2. 2 and connected to BAS # 1 via collective MC # 2. At this time, the MAC address abc of the VoIP router # 1 of UserA is spoofed as the MAC address xyz of the VoIP router # 2 of UserB. In addition, 0ABJDB2 registers BAS number 1, BAS port number 1, MC number 1, MC port number 1 corresponding to UserA. Corresponding to UserB, the BAS number is 1, the BAS port number is 1, the MC number is 2, and the MC port number is 2. Further, the BAS table provided in BAS # 1 includes the IP address x. x. x. x and MAC address xyz are registered. In addition, the Port1 MAC table provided in the collective MC # 1 is not registered (Null), and xyz is registered in the Port2 MAC table provided in the collective MC # 2.

  In such a situation, in step (2) of FIG. 2, when the location determination server 1 acquires the NAS-IP and NAS-Port related to UserA from the Proxy Radius server 3, in step (3), from 0ABJDB2 to UserA Are registered, and in step (4), both are compared. At this time, BAS # 1 and BASport1 are positions where UserA should be connected in advance, and are not determined to be unauthorized connections here.

  Then, when the MAC address is acquired from BAS # 1 and aggregate type MC # 1 according to the registration data acquired from 0ABJDB2 in step (5), the MAC address xyz is acquired from BAS # 1, as shown in FIG. The MAC address “Null” is acquired from the type MC # 1. These MAC addresses do not match, and movement of User A's VoIP router # 1, that is, unauthorized connection can be detected. In this way, even if the MAC address is spoofed, unauthorized connection can be detected.

  Next, with reference to FIG. 7, a case will be described in which MAC address is spoofed and UserA's VoIP router # 1 and UserB's VoIP router # 2 are interchanged. That is, the VoIP router # 1 with the user ID UserA, the MAC address abc, and the telephone number 03-xxxx-xxxx is connected to the in-home MC # 2 to which the VoIP router # 2 of the UserB is connected. Connect to BAS # 1 via type MC # 2. At this time, it is assumed that the MAC address abc of the VoIP router # 1 is spoofed as the MAC address xyz of the VoIP router # 2, and the MAC address of the VoIP router # 2 is spoofed as the MAC address abc of the VoIP router # 1. It shall be. Then, in the BAS table provided in BAS # 1, the IP address x. x. x. x and MAC address xyz are registered, and for the session with UserB, the IP address y. y. y. y and MAC address abc are registered. Also, abc is registered in the Port1 MAC table provided in the collective MC # 1, and xyz is registered in the Port2 MAC table provided in the collective MC # 2.

  In such a situation, in step (2) of FIG. 2, when the location determination server 1 acquires the NAS-IP and NAS-Port related to UserA from the Proxy Radius server 3, in step (3), from 0ABJDB2 to UserA Are registered, and in step (4), both are compared. At this time, BAS # 1 and BASport1 are positions where UserA should be connected in advance, and are not determined to be unauthorized connections here.

  On the other hand, when the MAC address is acquired from BAS # 1 and the collective MC # 1 according to the registration data acquired from 0ABJDB2 in step (5), the MAC address xyz is acquired from BAS # 1 as shown in FIG. The MAC address “abc” is acquired from the type MC # 1. Also for UserB, the MAC address abc is acquired from BAS # 1, and the MAC address “xyz” is acquired from the collective MC # 2. Thus, these MAC addresses do not match, and movement of the VoIP router # 1 of User A and VoIP router # 2 of User B, that is, unauthorized connection can be detected. In this way, even if the VoIP router is replaced after spoofing the MAC address, unauthorized connection can be detected.

  In FIG. 7, when VoIP router # 2 tries to connect with MAC address xyz without spoofing the MAC address, xyz is registered in the MAC table provided in collective MC # 1, The data about User A collected in the determination server 1 is the same MAC address. However, since MAC addresses overlap on the same BAS port, communication is impossible (no reachability). Therefore, unauthorized connection is impossible.

  As described above, by introducing the position determination system as in the present embodiment, it is possible to determine the unauthorized connection without greatly changing the existing equipment.

  Next, a detailed example of the system outline shown in FIG. 1 and the processing flow shown in FIG. 2 will be described with reference to FIGS. FIG. 8 shows a configuration diagram of the entire network. In addition, the same reference number is attached | subjected about the same component as FIG. The VoIP router 8 is connected to a network termination device 7 such as an in-home MC, and the accommodating device 6 such as a collective MC, the base aggregation switch 17, the BAS 5, the Proxy Radius server 3, and the network 14 that is, for example, the Internet. To the ISP Radius server 4. An ISP server 20 for general business of an ISP, a position determination notification server 9 and a 0ABJ provider server 10 are also connected to the network 14. The Proxy Radius server 3 is connected to the position determination server 1. The position determination server 1 manages the 0ABJDB 2 and the accommodation apparatus DB 21 and is connected to the position determination notification server 9 via the network 13. A customer DB management server 12 is also connected to the network 13. The customer DB management server 12 manages the customer DB 11. The types of accommodation devices 6 include, for example, accommodation devices used in, for example, PON (Passive Optical Network) or VDSL (Very High-bit-rate Digital Subscriber Line) in addition to the collective MC. The MC management system 19 is connected to the Proxy Radius server 3 via the network 18.

  Next, FIG. 9 shows an example of data stored in 0ABJDB2. In the example shown in FIG. 9, for each user ID, a BAS number (NAS-IP), a BAS port number (NAS-Port (included as part of the identifier of the accommodation device in this embodiment)), accommodation device Number (for example, MC-IP address) and accommodation device port number are registered.

  Processing of such a network system will be described with reference to FIGS. The VoIP router 8 transmits an authentication request at the start of communication (step S1). The authentication request is transmitted to the Proxy Radius server 3 via the network termination device 7, the accommodation device 6, the site aggregation switch 17, and the BAS 5. When the Proxy Radius server 3 receives the authentication request, the Proxy Radius server 3 transfers the request to the ISP Radius server 4 (step S3). The ISP Radius server 4 receives the authentication request transferred from the Proxy Radius server 3 and performs an authentication process (step S5). Then, an authentication result (for example, authentication permission / denial permission) is transmitted to the VoIP router 8 (step S7). The Proxy Radius server 3 receives the authentication result notification from the ISP Radius server 4 and forwards it to the VoIP router 8 (step S9). The VoIP router 8 receives the authentication result notification via the BAS 5, the site aggregation switch 17, the accommodating device 6, and the network terminating device 7 (step S11). If authentication is not permitted, the process returns to step S1. On the other hand, when the authentication is permitted, the BAS 5 transmits a charging request to the Proxy Radius server 3. The Proxy Radius server 3 receives the billing request from the BAS 5 and transfers it to the ISP Radius server 4 (step S14). The ISP Radius server 4 receives the billing request transferred from the Proxy Radius server 3 and performs billing start processing (step S15). Then, a billing response is returned (step S19). The Proxy Radius server 3 receives the billing response from the ISP Radius server 4 and transfers it to the BAS 5 (step S21).

  In the present embodiment, when the Proxy Radius server 3 receives the charging request in Step S14, the Proxy Radius server 3 receives the user information (user ID, NAS-IP, NAS-Port, session ID, IP) included in the charging request. Address) is transmitted to the position determination server 1 (step S17). The position determination server 1 receives user information from the Proxy Radius server 3 and stores it in a storage device such as a main memory (step S25). If the position determination server 1 starts processing in response to the billing request in this way, the processing will not be started in vain in the case of authentication failure or the like.

  Then, the location determination server 1 searches for 0ABJDB2 using the user ID as a key, and stores stored user information (user ID, BAS number (NAS-IP), BAS port number (NAS-Port), accommodation device number (for example, MC-IP), accommodation device port number) is read (step S27). And it is confirmed whether data is registered into 0ABJDB2 about the received user ID (step S29). This is because the connection position does not matter unless the user receives the 0ABJ service. If the user with the received user ID is not a registered user, that is, if the user information is not registered in 0ABJDB2 (step S29: No route), the process is terminated (step S31). On the other hand, if the user information is registered in 0ABJDB2 (step S29: Yes route), the process proceeds to the process in FIG.

  The location determination server 1 compares the NAS-IP included in the user information received from the Proxy Radius server 3 with the NAS-IP included in the user information read from the 0ABJDB 2 (step S33). If the two NAS-IPs do not match (step S35: No route), it is connected to a different BAS, so the code 21 is set as an unauthorized connection (step S37). The process proceeds to step S107 in FIG. If both NAS-IPs match (step S35: Yes route), the NAS-Port included in the user information received from the Proxy Radius server 3 and the NAS-Port included in the user information read from the 0ABJDB2 are set. Compare (step S39). If the two NAS-Ports do not match (step S41: No route), it is connected to a different port of the same BAS, so the code 11 is set as an unauthorized connection (step S43). The process proceeds to step S107 in FIG.

  On the other hand, if both NAS-Ports match (step S41: Yes route), the position determination server 1 transmits a request for the MAC address related to the received session ID to the BAS 5 specified by the NAS-IP. (Step S45). Request, for example, using Telnet. The BAS 5 receives the MAC address request from the location determination server 1 (Step S47), reads the MAC address corresponding to the session ID registered in the BAS table, and transmits the MAC address to the location determination server 1 (Step S47). S49). The position determination server 1 receives the MAC address from the BAS 5 and stores it in the storage device (step S51). In addition, a survival confirmation packet is transmitted to the accommodation device 6 identified by the accommodation device number registered in 0ABJDB2 (step S53). The accommodation device 6 receives the survival confirmation packet from the position determination server 1 (step S55), generates a response packet, and returns it (step S57). The position determination server 1 receives the response packet from the accommodating device 6 and stores it in a storage device such as a main memory (step S59).

  Here, the position determination server 1 confirms whether the response from the accommodation apparatus 6 has been received (step S61). If the response cannot be received (step S61: No route), it is temporarily determined that the storage device 6 is connected to another storage device because some abnormality (failure) has occurred, and the code 01 is set. (Step S63), the process proceeds to Step S95 in FIG. On the other hand, when a response is received (step S61: Yes route), the processing shifts to the processing in FIG.

  Next, based on the response from the accommodation device 6, the location determination server 1 transmits to the accommodation device 6 a MAC address request specifying the accommodation device port number of the port to which the VoIP router 8 in the accommodation device 6 is connected ( Step S65). For example, transmission is performed using Telnet. The accommodating device 6 receives the MAC address request specifying the accommodating device port number (step S67), reads the MAC address from the MAC table corresponding to the port of the accommodating device, and transmits the MAC address to the position determination server 1. (Step S69). The position determination server 1 receives the MAC address from the accommodation device 6 and stores it in a storage device such as a main memory (step S71). Then, the MAC address received in step S51 is compared with the MAC address received in step S71 (step S73). If both MAC addresses match (step S75: Yes route), the code 00 is set because the connection is from a normal connection position, and the process is terminated (step S77). On the other hand, if the MAC addresses do not match (step S75: No route), it is determined whether the port state can be acquired from the accommodation device 6 with reference to the accommodation device DB 21 (step S79). An example of data stored in the accommodation apparatus DB 21 is shown in FIG. In the example illustrated in FIG. 15, the type of the accommodation device and the availability of the port status of the accommodation device are registered for each accommodation device number (for example, MC-IP address). Further, the accommodation device DB 21 can be omitted by previously classifying whether or not the port state can be acquired by the accommodation device number plan.

  If the port status can be acquired from the accommodating device 6 (step S79: Yes route), an MC port status request specifying the accommodating device 6 and the accommodating device port number is transmitted to the MC management system 19 (step S81). In addition, when the MC management system 19 does not exist, you may make it transmit directly to the accommodating apparatus 6 (for example, collective MC). The MC management system 19 receives the MC port status request from the location determination server 1 (step S83), acquires the MC port status of the designated accommodation device 6, and transmits the MC port status data to the location determination server 1. (Step S85). Note that the MC management system 19 receives a signal such as power-off of the network termination device (home-type MC), optical link disconnection, etc., and holds state data based on the signal. The position determination server 1 receives the MC port state data from the MC management system 19 and stores it in a storage device such as a main memory (step S87). Then, it is determined whether the received MC port state data represents, for example, an optical link disconnection (step S89). If it indicates that the optical link is broken (step S89: Yes route), it is temporarily determined that an abnormality (failure) has occurred in the designated port of the accommodation device 6 and that it is connected to another port. Code 02 is set (step S91). Then, the processing shifts to the processing in FIG.

  On the other hand, when the MC port state is not an optical link disconnection, for example, an optical link UP or an in-home MC power supply disconnection (step S89: No route), the user intends to connect from another connection position. Since it can be determined, a code 03 representing unauthorized connection within the same site is set (step S93). Then, the processing shifts to the processing in FIG.

  If the port state cannot be acquired from the accommodation device 6 in step S79 (step S79: No route), a code 03 representing unauthorized connection in the same site is set (step S93). Then, the processing shifts to the processing in FIG.

  Next, the process of FIG. 13 will be described. The position determination server 1 transmits a port number confirmation request corresponding to the MAC address received from the BAS 5 to the site aggregation switch 17 (step S95). For example, Telnet is used. The site aggregation switch 17 receives the port number confirmation request corresponding to the MAC address from the position determination server 1 (step S97), acquires the port number in which the MAC address is registered, and transmits it to the position determination server 1 ( Step S99). The position determination server 1 receives the port number from the site aggregation switch 17 and stores it in a storage device such as a main memory (step S101). For example, a correspondence table of port numbers and site numbers is held, and whether the VoIP router 8 is connected to a port that should originally exist according to the association rules between site numbers and user IDs, that is, in the same site It is determined whether or not (step S103). If it is determined that they do not exist in the same base (step S103: No route), it means that they have moved out of the base, so that there is an abnormality in the storage device 6 or the port of the storage device 6 It will not be abnormal. Accordingly, the code 04 representing unauthorized connection from different locations in the same network is set (step S105).

  On the other hand, when it is determined that they are in the same base (step S103: Yes route), the code numbers set so far are held. In the case of passing through step S103, any one of the code 01, code 02, and code 03 has already been set, and is retained as it is.

  If the code is equal to or greater than 03, it is an unauthorized connection, and the location determination server 1 transmits an unauthorized user notification including the user ID, code number, time, IP address, and the like to the location determination notification server 9 (step S107). The position determination notification server 9 receives the unauthorized user notification and stores it in the storage device (step S109). Then, the position determination notification server 9 further transmits an unauthorized user notification mail to the ISP server 20 and the 0ABJ provider server 10 (step S111). Note that the unauthorized user notification from the position determination notification server 9 may be an event only, and the ISP or 0ABJ provider may access the position determination notification server 9 to transmit specific unauthorized user information.

  By executing such processing, an unauthorized connection user can be specified without using a method such as Tag-VLAN. In addition, it is possible to cope with a failure of the accommodation device 6 and, when a predetermined condition is met, the unauthorized connection is not handled even if the accommodation device is changed or the accommodation port is changed in the same site. Therefore, further inconvenience does not occur for the user after returning from the failure.

  Although not shown in the figure, the content of the customer DB 11 managed by the customer DB management server 12 is changed based on a setting change due to a change in the user's address or the like. For example, it is registered in 0ABJDB2 at a frequency of about once a day. Only the data to be transmitted is transmitted from the customer DB management server 12 to the position determination server 1, and the contents of 0ABJDB2 are also updated.

  Although one embodiment of the present invention has been described above, the present invention is not limited to this. For example, the storage device may be a storage device used in PON, VDSL, or the like, but even this case can be handled. In addition, although a device (not shown) is connected to the network, this does not cause a problem. Note that the network described above may be a VLAN.

  Also, the configuration of the network 18 and the network 13, the MC management system 19, the location determination notification server 9, the customer DB management server 12, and the connection relationship of the 0ABJ provider server 10 are not limited to those shown in FIG. Any configuration may be used as long as the above-described processing can be performed.

  The various servers described above may be configured by a single computer, or may be implemented by a plurality of servers.

  Furthermore, in the embodiment described above, an example of a VoIP router has been shown. However, the present invention is not necessarily limited to a VoIP router, and the present invention can be applied to a case where an unauthorized connection is detected for a device whose connection position is limited. .

  Further, the various servers described above are computer devices. In the computer device, a memory 2501 (storage unit), a CPU 2503 (processing unit), and a hard disk drive (HDD) 2505 are displayed as shown in FIG. A display control unit 2507 connected to the device 2509, a drive device 2513 for the removable disk 2511, an input device 2515, and a communication control unit 2517 for connecting to a network are connected by a bus 2519. Application programs including an operating system (OS) and a Web browser are stored in the HDD 2505, and are read from the HDD 2505 to the memory 2501 when executed by the CPU 2503. If necessary, the CPU 2503 controls the display control unit 2507, the communication control unit 2517, and the drive device 2513 to perform necessary operations. Further, data in the middle of processing is stored in the memory 2501 and stored in the HDD 2505 if necessary. Such a computer realizes various functions as described above by organically cooperating hardware such as the CPU 2503 and the memory 2501 described above with the OS and necessary application programs.

It is a network block diagram in one embodiment of this invention. It is the outline | summary of the processing flow which concerns on one embodiment of this invention. It is a figure which shows the 1st example for demonstrating the countermeasure to an unauthorized connection. It is a figure which shows the 2nd example for demonstrating the countermeasure to an unauthorized connection. It is a figure which shows the 3rd example for demonstrating the countermeasure to an unauthorized connection. It is a figure which shows the 4th example for demonstrating the countermeasure to an unauthorized connection. It is a figure which shows the 5th example for demonstrating the countermeasure to an unauthorized connection. It is a detailed view of a network configuration in an embodiment of the present invention. It is a figure which shows an example of the data stored in 0ABJDB. It is a figure which shows the processing flow (1st part) in one embodiment of this invention. It is a figure which shows the processing flow (2nd part) in one embodiment of this invention. It is a figure which shows the processing flow (3rd part) in one embodiment of this invention. It is a figure which shows the processing flow (4th part) in one embodiment of this invention. It is a functional block diagram of a computer. It is a figure which shows an example of the data stored in accommodation apparatus DB.

Explanation of symbols

1 position determination server 2 0ABJDB
3 Proxy Radius Server 4 ISP Radius Server 5 BAS 6 Accommodating Device 7 Network Terminating Device 8 VoIP Router 9 Location Determination Notification Server 10 0ABJ Provider Server 11 Customer DB 12 Customer DB Management Server 17 Site Aggregation Switch 19 MC Management System 20 ISP Server 21 Accommodating Device DB

Claims (13)

A method for determining the validity of a connection position of a user connection device,
When a specific packet for connection processing of the user connection device is received from a broadband access server, the user access device is determined in advance based on data about the broadband access server. A first determination step of determining whether the connection is under the control of
When it is determined that the user connection device is connected to a predetermined broadband access server, the user connection device is based on data about the broadband access server according to the user connection device. A second determination step of determining whether is connected to a predetermined network;
When it is determined that the user connection device is connected to a predetermined network, the first MAC (Media Access) of the user connection device specified by the broadband access server in the connection process of the user connection device is determined. Control) address to determine whether the second MAC address of the user connection device under the broadband access server and the user connection device to which the user connection device should be connected is currently known . 3 judgment steps;
Including
A connection position validity determination method, characterized in that when it is determined that the first MAC address and the second MAC address match , the connection position of the user connection device is treated as valid. A fourth determination step of determining whether or not the connection position of the user connection device is within an allowable range in an abnormal state when it is not determined that the first MAC address and the second MAC address match ; In addition,
The connection position validity determination method according to claim 1, wherein when the connection position of the user connection device is determined to be within an allowable range in an abnormal state, the connection position of the user connection device is treated as valid. .   3. The connection position validity determining method according to claim 1, wherein the specific packet is a packet of a billing request from the broadband access server. In the first determining step,
The connection location validity determination method according to claim 1 or 2, wherein it is determined whether the identifier of the broadband access server is a predetermined identifier. In the second determination step,
The connection position validity determination method according to claim 1, wherein it is determined whether a packet related to the user connection device is received via a predetermined port of the broadband access server. In the second determination step,
The connection position validity determination method according to claim 1, wherein it is determined whether the user connection device is connected to a predetermined network using the identifier of the accommodating device . The third determining step includes
Requesting the broadband access server for the MAC address of the user connection device;
The method according to claim 1, further comprising: transmitting a response request to the accommodating device and requesting the MAC address of the user connection device from the accommodating device when there is a response to the response request . Connection location validity judgment method. The connection position validity determination method according to claim 7, further comprising: when there is no response to the response request from the accommodation device , specifying an abnormal state of the accommodation device. The fourth determining step includes
Obtaining port state data for a predetermined port of the accommodation device ;
If it is determined that the port state is a specific state, the step of identifying an abnormal state of the port of the accommodation device;
When an abnormal state of the accommodation device or an abnormal state of the port of the accommodation device is detected, the user connection device uses a MAC address of the user connection device via the accommodation device in a predetermined base. Determining whether it is connected;
The connection position validity determination method according to claim 2, comprising: When it is determined that the port state is not a specific state or when the port state data cannot be acquired, the user connection device is connected via a storage device in a predetermined base based on the MAC address. A fifth determination step for determining whether the connection is established;
Data indicating unauthorized connection within the same site when affirmative determination is made in the fifth determination step, and data indicating unauthorized connection from a different site within the same network when a negative determination is made. The connection position validity determination method according to claim 9, wherein:   A program for causing a computer to execute the connection position validity determining method according to any one of claims 1 to 10. A device for determining the validity of the connection position of the user connection device,
When a specific packet for connection processing of the user connection device is received from a broadband access server, the user access device is determined in advance based on data about the broadband access server. First determination means for determining whether or not it is connected to
When it is determined that the user connection device is connected to a predetermined broadband access server, the user connection device is based on data about the broadband access server according to the user connection device. Second determination means for determining whether or not is connected to a predetermined network;
When it is determined that the user connection device is connected to a predetermined network, the first MAC address of the user connection device specified by the broadband access server in the connection process of the user connection device is: Third determination means for determining whether the accommodation device to which the user connection device is originally connected is currently known with the second MAC address of the user connection device under the broadband access server ;
Have
A connection position validity determination apparatus characterized in that when it is determined that the first MAC address and the second MAC address match , the connection position of the user connection apparatus is treated as valid. Fourth determination means for determining whether or not the connection position of the user connection device is within an allowable range in an abnormal state when it is not determined that the first MAC address and the second MAC address match ; In addition,
The connection position validity determination device according to claim 12, wherein when it is determined that the connection position of the user connection device is within an allowable range in an abnormal state, the connection position of the user connection device is treated as valid. .

Images