JP4495049B2 - Packet communication service system, packet communication service method, edge side gateway device, and center side gateway device - Google Patents

Description

  The present invention relates to a packet communication technique, and more particularly to a packet communication control technique for providing each client terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal.

As a packet communication service system, there is a system that provides each client terminal with a packet communication service using a communication path corresponding to the IP address of the client terminal.
Conventionally, in such a packet communication service system, as shown in FIG. 15, a system configuration has been adopted in which a plurality of services are provided using an edge-side gateway device that is in one-to-one correspondence with the number of service types. FIG. 15 is a block diagram showing a configuration of a conventional packet communication service system.

In FIG. 15, the client terminal a is connected to the edge-side gateway device α and connected to the public network via the edge-side gateway device α. When the client terminal a receives dynamic IP address assignment using the DHCP procedure, IP address assignment is performed from the edge-side gateway device α.
The client terminal b connects to the edge-side gateway device β, and connects to the network via the center-side gateway device via the VPN (Virtual Private Network). When the client terminal b receives dynamic IP address assignment using a DHCP (Dynamic Host Configuration Protocol) procedure, IP address assignment is performed from the edge-side gateway device β.

  By using such a system configuration, a packet communication service is provided to the client terminal a and the client terminal b at the same base using a communication path according to the service type of these client terminals. It was.

http://www.furukawa.co.jp/fitelnet/f/nat-traversal_ff.html, “Configuration of NAT-Traversal”, Furukawa Electric Co., Ltd. http://www.furukawa.co.jp/fitelnet/f/case1.html, “FITELnet-F40-Case Study / Case 1”, Furukawa Electric Co., Ltd. http://www.furukawa.co.jp/fitelnet/f/case2.html, “FITELnet-F40-Case Study / Case 2”, Furukawa Electric Co., Ltd.

However, such a conventional technique has a problem in that a system cannot be configured efficiently because a unique edge-side gateway device is required for each service type provided to each client terminal.
For example, if the provided service types are different even for client terminals at the same base, it is necessary to prepare a plurality of edge-side gateway devices corresponding to the respective service types, which increases the hardware resources of the system.

In addition, since it is necessary to set the IP address assigned to the client terminal for each edge gateway device, it is necessary to set the IP subnet for each edge gateway device, resulting in wasteful use of IP addresses and effective use of network resources. Not available.
The present invention is intended to solve the above-described problems, and provides packet communication services that can effectively use hardware resources and network resources when providing various packet communication services using communication paths according to service types. It is an object of the present invention to provide a system, a method, an edge gateway device, and a center gateway device.

  In order to achieve such an object, the packet communication service system according to the present invention provides each client terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal. Provided is a packet communication service system including one or more edge-side gateway devices connected to a first IP network, and a center-side gateway device connected to a first IP network and a second IP network. The edge-side gateway device according to the first service type, a terminal connection means for connecting the client terminal, a VPN control means for establishing a VPN between the center-side gateway device via the first IP network, and the first service type The first client terminal having the IP address Between the second client terminal having the IP address corresponding to the second service type and the center-side gateway device, while mutually transferring packets to and from any host device connected to the IP network A packet transfer means for transferring packets to each other via the network, and the center side gateway apparatus constructs a VPN with the edge side gateway apparatus via the first IP network, and a second control means. Packet transfer means for transferring packets transmitted and received at the client terminal to each other via the VPN between the edge-side gateway device and an arbitrary host device connected to the second IP network.

  The packet communication service method according to the present invention includes one or more edge-side gateway devices connected to a first IP network, and a center-side gateway device connected to the first IP network and the second IP network. A packet communication service system comprising: a packet communication service method used for providing each client terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal. The edge-side gateway device includes a terminal connection step for connecting a client terminal, a VPN control step for establishing a VPN with the center-side gateway device via the first IP network, and a first service type. The first with the corresponding IP address A second client terminal and a center-side gateway device having an IP address corresponding to the second service type, while transferring packets between the client terminal and an arbitrary host device connected to the first IP network Packet transfer step of transferring packets to and from each other via the VPN, and the center side gateway device constructs a VPN with the edge side gateway device via the first IP network. And a packet transfer step of transferring packets transmitted and received at the second client terminal to each other via the VPN between the edge-side gateway device and an arbitrary host device connected to the second IP network. is doing.

  The edge-side gateway device according to the present invention includes one or more edge-side gateway devices connected to the first IP network, and a center-side gateway device connected to the first IP network and the second IP network. An edge-side gateway device used in a packet communication service system that provides each client terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal, A terminal connection means for connecting the client terminal, a VPN control means for establishing a VPN between the center-side gateway device via the first IP network, and a first having an IP address corresponding to the first service type Connect to client terminal and first IP network The packet communication between the two arbitrary client host devices is realized by mutual packet transfer, and the second client terminal having the IP address corresponding to the second service type and the center side gateway device Packet transfer means for realizing packet communication between the client terminal and an arbitrary host device connected to the second IP network by transferring packets to and from each other via VPN .

  Another edge-side gateway device of the present invention includes one or more edge-side gateway devices connected to a first IP network, and a center side connected to the first IP network and the second IP network. Edge-side gateway device that enables each client terminal to connect to the first IP network or the second IP network by a packet communication service system including the gateway device based on the IP address of the client terminal When the service identifier corresponding to the second IP network is received from the client terminal, an address request for transferring an IP address request for connection to the second IP network to the center side gateway device Transfer means and the client VPN control means for establishing a VPN with the center-side gateway device via the first IP network when the terminal is in communication connection with an arbitrary host device on the second IP network. Yes.

  At this time, the packet transfer means transfers the IP address assignment request from the second client terminal to the center gateway device via the VPN, and sends the IP address assignment response from the center gateway device via the VPN to the client. IP address assignment means for transferring an IP address in response to an IP address assignment request from the first client terminal and an IP address transmitted / received by the second client terminal in cooperation with the center side gateway device Filter processing means for performing an arbitrary filtering process on the packet may be further provided.

  In addition, when the VPN control means becomes capable of packet communication with the first IP network, or when the IP address used for the packet communication is changed, it is used for packet communication with the first IP network. You may make it request | require the VPN construction using a new IP address from the center side gateway apparatus.

  The center side gateway device according to the present invention includes one or more edge side gateway devices connected to the first IP network, and the center side gateway device connected to the first IP network and the second IP network. And a center side gateway device used in a packet communication service system that provides each client terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal, First between the first client terminal having an IP address corresponding to the first service type and an edge gateway device that realizes packet communication between an arbitrary host device connected to the first IP network. To build a VPN over other IP networks VPN between the edge side gateway device and an arbitrary host device connected to the second IP network for packets transmitted and received by the control means and the second client terminal having an IP address corresponding to the second service type Packet transfer means for transferring data to each other via the network.

  At this time, the packet transfer means transfers the IP address assignment request from the second client terminal transferred by the edge gateway device to the IP address assignment device, and also sends the IP address assignment device to the second client terminal. An authentication processing means for transferring the address assignment response to the edge gateway device and authenticating the client terminal, and a filtering process for performing arbitrary filtering processing on packets transmitted and received by the second client terminal according to the authentication result Means and filter control means for controlling the filtering process in the edge-side gateway device according to the authentication result may be further provided.

  Further, the VPN control means constructs a VPN with the edge-side gateway device 1 using a new IP address notified from the edge-side gateway device in response to a VPN construction request from the edge-side gateway device. Also good.

  According to the present invention, for a client terminal connected to the same edge side gateway device, a packet communication service via the first IP network is provided to a client terminal having an IP address corresponding to the first service type. The client terminal having an IP address corresponding to the second service type can provide a packet communication service via the VPN and the second IP network between the edge side gateway device and the center side gateway device.

Therefore, it is possible to provide individual packet communication services to the client terminals having different service types by the edge side gateway device common to these service types, and in comparison with the case where the edge side gateway device is provided for each service type The hardware resources of the entire communication service system can be used effectively.
Also, client terminals at the same site can be accommodated by one edge-side gateway device, and there is no need to set an IP subnet as in the case of using an edge-side gateway device for each service type, and there is no waste in using IP addresses. Network resources can be used effectively.

Further, according to the present invention, the IP address assignment request from the second client terminal is transferred to the center side gateway device via the VPN, and the IP address assignment response from the center side gateway device via the VPN is Since it is transferred to the client terminal, it becomes possible to centrally manage the IP address assignment to the second client terminal at each site on the center side gateway device side.
Further, the center side gateway apparatus includes an authentication processing unit that performs authentication for the second client terminal, and a filter processing unit that performs arbitrary filtering processing on a packet transmitted and received by the second client terminal according to the authentication result. By providing, it becomes possible to centrally manage authentication and access management to the network on the side of the center side gateway device for the second client terminal at each base.
With the central management function on the center side gateway device side, it is possible to provide a public access communication service to the Internet, for example, to client terminals under the edge side gateway device at each base.

  Thereby, it is also possible to extend existing packet communication and provide a separate communication service. For example, an edge side gateway device or a center side gateway device is introduced into a wireless LAN communication system used for store business packet communication, and an existing store business packet communication is used as a first service type to provide a normal Internet access communication service. On the other hand, as a second service type that is separate from this, we provide public wireless Internet access communication services that are common to all bases via VPN on the premise of authentication for general customers who visit the store In addition, it is possible to expect an effect of attracting customers by expanding an existing communication system without introducing a new communication system separately.

Next, embodiments of the present invention will be described with reference to the drawings.
[Packet communication service system]
First, a packet communication service system according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of a packet communication service system according to the present embodiment.

This packet communication service system is a system that provides each client terminal with a packet communication service using a communication path corresponding to the IP address of the client terminal.
This packet communication service system is connected to one or more edge-side gateway devices 1 connected to an IP network (first IP network) 9A, an IP network 9A, and an IP network (second IP network) 9B. A center-side gateway device 9B is provided. Further, an authentication device 7 and an IP address assignment device 8 are connected to the center side gateway device 2.

  In the present embodiment, a VPN is constructed between the edge-side gateway device 1 and the center-side gateway via the IP network 9A, and the edge-side gateway device 1 has a client having an IP address corresponding to the first service type. For the terminal 3A, packets are transferred to and from any host device 4A connected to the IP network 9A, and for the client terminal 3B having an IP address corresponding to the second service type, the center side gateway device 2 Packets are transmitted to each other via VPN, and the center side gateway device 2 transmits / receives packets at the client terminal 3B to any host device connected to the edge side gateway device 1 and the IP network 9B. 4B to and from each other via VPN It is obtained by way.

Next, the configuration of the packet communication service system will be described in detail with reference to FIG.
Hereinafter, a case where wireless LAN client terminals are used as the client terminals 3A and 3B and the wireless LAN function is built in the edge-side gateway device 1 will be described as an example. Further, a case where IPsec (IP Security) is used as a VPN between the edge side gateway device 1 and the center side gateway device 2 will be described as an example. As the IP networks 9A and 9B, any IP network such as the Internet or an intranet can be used.

When wireless LAN client terminals are used as the client terminals 3A and 3B, the service types of the client terminals 3A and 3B in the edge side gateway device 1 are distinguished by SSID (Service Set Identifier) used in the wireless LAN.
In this embodiment, the wireless LAN client terminal a (3A: first service type) for which SSID: α is set communicates with the counterpart host apparatus A (4A) via the edge-side gateway apparatus 1. The wireless LAN client terminal b (3B: second service type) for which SSID: β is set passes through the VPN between the edge side gateway device 1 and the center side gateway device 2 and It is assumed that communication is performed with the counterpart host terminal B (4B).

The edge-side gateway device 1 has a function of connecting to the IP network 9A via ADSL. Although there are a plurality of ADSL connection methods, in this embodiment, the edge-side gateway device 1 connects to a BAS (Broadband Access Server) by PPP (Point To Point Protocol), and the interface on the ADSL connection side of the edge-side gateway device 1 It is assumed that an IP address is assigned from BAS.
As for the IP address assigned by the edge side gateway device 1 from the BAS, when the PPP between the edge side gateway device 1 and the BAS is disconnected, an IP address different from the IP address used before the disconnection may be assigned. There may be.

IPsec is used as a VPN between the edge-side gateway device 1 and the center-side gateway device 2. FIG. 2 is an example of an IPsec packet configuration.
The packet addressed to the destination host terminal B (4B) transmitted from the wireless LAN client terminal b (3B) is converted to IPsec by the edge-side gateway device 1. Here, since this packet (original packet) is a packet transmitted to the center side gateway apparatus 2, the IP address of the center side interface of the edge side gateway apparatus 1 is set as the transmission source IP address, The IP address of the edge side interface of the center side gateway apparatus 2 is the destination IP address, the original IP header is the source IP address of the wireless LAN client terminal b, and the IP address of the destination host terminal B is the destination IP address. And

  On the other hand, the packet addressed to the wireless LAN client terminal b transmitted from the partner host terminal B is converted to IPsec by the center side gateway device 2. Here, since this packet (original packet) is a packet transmitted to the edge-side gateway device 1, the IP address of the edge-side interface of the center-side gateway device 2 is set as the source IP address, The center-side IP address of the edge-side gateway device 1 is the destination IP address, and the original IP header is the IP address of the counterpart host terminal.

  In such a system configuration, the wireless LAN client terminal a (3A) is the client terminal of the first service type, and the packet transmitted from the wireless LAN client terminal a to the destination host terminal A (4A) Packets transmitted from the gateway device 1 to the partner host terminal A via the DSLAM (Digital Subscriber Line Access Multiplexer) 5 and the BAS 6 and the IP network 9A, and transmitted from the partner host terminal A to the wireless LAN client terminal a are In the reverse direction, the IP network 9A transmits the data to the wireless LAN client terminal a via the BAS 6 and the DSLAM 5 and the edge-side gateway device 1.

  On the other hand, the wireless LAN client terminal b (3B) is a client terminal of the second service type, and packets transmitted from the wireless LAN client terminal b to the destination host terminal B (4B) are transmitted to the edge-side gateway device 1 and the center. The data is transmitted from the center side gateway device 2 to the counterpart host terminal B via the IP network 9B via IPsec between the side gateway devices 2. A packet transmitted from the destination host terminal B to the wireless LAN client terminal b passes through the IP network 9B and the center side gateway apparatus 2 and further passes through IPsec between the edge side gateway apparatus 1 and the center side gateway apparatus 2. Then, it is transmitted from the edge side gateway device 1 to the wireless LAN client terminal b.

[Operation of packet communication service system]
Next, the operation of the packet communication service system according to the present embodiment will be described with reference to FIG. 3 and FIG. FIG. 3 is a sequence diagram showing an operation at the start of communication with the Internet host device to which the edge-side gateway device is connected, among the operations of the packet communication service system according to the present embodiment. FIG. 4 is a sequence diagram showing an operation at the time of starting communication with the host device of the network to which the center side gateway device is connected among the operations of the packet communication service system according to the present embodiment.

  3 and 4, the wireless LAN client terminals a and b belong to the built-in wireless LAN of the edge side gateway device 1 and can already transmit packets to the edge side gateway device 1 at the start of operation. It shall be in

First, the operation when the wireless LAN client terminal a (3A) as the first service type starts communication with the counterpart host apparatus A (4A) will be described with reference to FIG.
The wireless LAN client terminal a requests the edge-side gateway device 1 to assign an IP address according to the DHCP procedure (step 300). The edge-side gateway device 1 that has received this request recognizes that the first service type is desired based on the SSID of the wireless LAN client terminal a, and exchanges packets with the wireless LAN client terminal a according to the DHCP procedure. Then, the IP address that can be assigned by the edge side gateway device 1 is assigned to the wireless LAN client terminal a according to the DHCP procedure (steps 301-303).

The wireless LAN client terminal a thus assigned with the IP address starts communication with the counterpart host device A connected to the IP network 9A via the edge gateway device 1 using the IP address. (Step 304).
Note that the DHCP procedure is a known technique, and a detailed description thereof is omitted here.

Next, the operation when the wireless LAN client terminal b (3B), which is the second service type, starts communication with the counterpart host device B (4B) will be described with reference to FIG.
In FIG. 4, as an authentication method in the center side gateway device 2, a wireless LAN client terminal starts a web browser, accesses an authentication screen of the center side gateway device, and inputs an ID and a password on the authentication screen. A method for performing authentication is shown as an example. As an authentication method of this system for the wireless LAN client terminal b, an 802.1X authentication method used for the wireless LAN system or other authentication methods may be used.

The wireless LAN client terminal b requests the edge-side gateway device 1 for IP address assignment according to the DHCP procedure (step 310). The edge-side gateway device that has received this request recognizes that the second service type is desired based on the SSID of the wireless LAN client terminal b, and relays (Relays) the packet to the center-side gateway device.
The center-side gateway device 2 that has received the packet relayed and transferred from the edge-side gateway device 1 has information on the edge-side gateway device that relayed and forwarded the packet, and the uniqueness of the wireless LAN client terminal b that made the request from the packet The identification information (MAC address) is acquired, and the packet is relay-transferred to the IP address assignment device 8.

The IP address assignment device 8 that has received the packet relayed and transferred from the center-side gateway device 2 exchanges the packet with the wireless LAN client terminal b according to the DHCP procedure, thereby assigning an IP address that can be assigned by the IP address assignment device 8. Is assigned to the wireless LAN client terminal b, and an assignment response packet is transmitted to the center side gateway apparatus 2 (steps 311 to 313).
Upon receiving the IP address assignment response from the IP address assignment device 8, the center side gateway device 2 acquires the IP address information and the MAC address information assigned to the wireless LAN client terminal b from the packet, and relays and transfers them to the edge side gateway device 1. To do.
The edge-side gateway device 1 that has received the relay-transferred packet from the center-side gateway device 2 transmits the IP address assignment response to the wireless LAN client terminal b.

  Further, when the center-side gateway device 2 transmits an IP address assignment response to the edge-side gateway device 1, the IP address assigned to the wireless LAN client terminal b is the edge-side gateway device in which the wireless LAN client terminal b exists. The routing information of the center-side gateway device 2 is updated based on the information that it exists in Step 1 (Step 320: routing control).

  Similarly, when the center side gateway device 2 transmits an IP address assignment response to the edge side gateway device 1, the IP address assigned to the wireless LAN client terminal b is the edge side gateway device in which the wireless LAN client terminal b exists. The IPsec information of the center side gateway apparatus 2 is updated based on the information that it exists in Step 1 (Step 321: IPsec control).

  Similarly, when the center side gateway device 2 receives an authentication request from the IP address assigned to the wireless LAN client terminal b when the IP address assignment response is transmitted to the edge side gateway device 1, the authentication request is sent to the center side gateway device 2. The filter information is updated so as not to be discarded by the filter of the side gateway device 2 (step 322: filter control).

  At this time, when the center-side gateway device 2 updates the filter information of the center-side gateway device 2 itself, the center-side gateway device 2 transmits a command to the edge-side gateway device 1 in which the wireless LAN client terminal b exists, and the wireless LAN client terminal b When the edge-side gateway device 1 receives an authentication request from the IP address assigned to, the filter information is updated so that the edge-side gateway device 1 transfers the authentication request to the center-side gateway device 2 (step 325: filter control).

  On the other hand, when the edge-side gateway device 1 transmits an IP address assignment response to the wireless LAN client terminal b, information indicating that the IP address assigned to the wireless LAN client terminal b exists in the edge-side gateway device 1 The routing information of the edge side gateway device is updated (step 323: routing control).

  Similarly, when the edge side gateway device 1 transmits an IP address assignment response to the wireless LAN client terminal b, the IP address assigned to the wireless LAN client terminal b is the edge side gateway device in which the wireless LAN client terminal b exists. The IPsec information of the edge-side gateway device is updated with the information that it exists in step 1 (step 324: IPsec control).

The wireless LAN client terminal b that has completed the assignment of the IP address in this way requests an authentication screen from the center side gateway device 2 via the edge side gateway device 1 using the IP address (step 330). An authentication screen is acquired from the gateway device 2 (step 331). Next, the wireless LAN client terminal b makes an authentication request by entering the ID and password on this authentication screen (step 332).
This authentication request is transferred to the authentication device 7 via the center side gateway device 2, and the wireless LAN client terminal b receives the authentication result response from the authentication device 7 via the center side gateway device 2 (step 333). .

  When the center side gateway device 2 receives an authentication result response indicating successful authentication to the edge side gateway device 1 and receives a packet from the IP address assigned to the wireless LAN client terminal b, the center side gateway device 2 The filter information is updated so as not to be discarded by the filter of the gateway device 2 (step 335: filter control).

  Further, when the center side gateway device 2 updates the filter information of the center side gateway device 2 itself, the center side gateway device 2 transmits a command to the edge side gateway device 1 in which the wireless LAN client terminal b exists, and sends the command to the wireless LAN client terminal b. When the edge-side gateway device 1 receives a packet from the assigned IP address, the filter information is updated so that the edge-side gateway device 1 transfers the packet to the center-side gateway device 2 (step 336: filter control). .

  As a result, the wireless LAN client terminal b that has been assigned an IP address uses the IP address to connect the counterpart host device connected to the IP network 9B via the edge gateway device 1 and the center gateway device 2. Communication with B is started (step 337).

[Edge-side gateway device]
Next, with reference to FIG. 5, the edge side gateway apparatus 1 used in the packet communication service system according to the present embodiment will be described in detail. FIG. 5 is a functional block diagram showing the configuration of the edge-side gateway device used in the packet communication service system according to the present embodiment.

  The edge-side gateway device 1 includes, as main functional units, a filter control unit 100, a routing control unit 101, an IPsec control unit 102, a PPP connection monitoring unit 103, a PPP connection processing unit 104, a connection information storage unit 105, an IP address allocation. Processing unit 106, DHCP processing unit 107, routing processing unit 108, center side gateway cooperation processing unit 109, wireless LAN side interface (hereinafter referred to as wireless LAN side I / F) 110, packet reception unit 111, filter processing unit 112, wireless LAN control unit 113, packet transmission unit 114, IPsec processing unit 115, packet transmission unit 116, center side interface (hereinafter referred to as center side I / F) 120, packet reception unit 121, IPsec processing unit 122, filter processing unit 123, Wireless LAN control unit 124 It is provided.

  These functional units are each configured by a dedicated circuit unit, an arithmetic processing unit, or a storage device. In particular, the arithmetic processing unit has a microprocessor such as a CPU and its peripheral circuits, and reads the program from a memory in the hardware or an external storage device and executes the program to cooperate the hardware and the program. To realize each functional unit.

  The filter control unit (filter processing means) 100 controls the filter policy of the filter processing units 112 and 123 according to a predetermined filter policy, and performs filter processing according to the filter policy received from the center-side gateway device 2. A function of dynamically controlling the filter policies of the units 112 and 123, and a function of dynamically controlling the filter policies of the filter processing units 112 and 123 according to the notification from the IPsec control unit 102.

  In addition, the filter control unit 100 controls the filter processing units 112 and 123, so that the wireless LAN client terminal a (3A), the wireless LAN client terminal b (3B), the counterpart host device A (4A), and the counterpart host A device B (4B), a function of permitting communication via the edge-side gateway device 1 of a packet whose source is the center-side gateway device, or a packet whose destination is each of the devices described above, The edge-side gateway device 1 has a function of changing or processing information on a packet in accordance with a predetermined policy, and a function of discarding a packet by disallowing communication via the edge-side gateway device 1. .

  The routing control unit (packet transfer unit) 101 has a function of controlling a routing policy for the routing processing unit 108, a function of controlling the routing processing unit 108 according to a predetermined policy, and a wireless LAN. A function for performing dynamic control for newly changing a routing policy when a client terminal receives a new IP address assignment, and a routing policy for changing the IP address of a wireless LAN client terminal A function for performing dynamic control, a function for performing dynamic control for changing a routing policy when the wireless LAN client terminal releases an IP address and cannot connect to the edge gateway device 1, and IPsec Routing policy upon receiving notification from the control unit 102 And a function to perform a dynamic control to change.

  The IPsec control unit (VPN control means) 102 acquires the IPsec policy information of the edge gateway device 1 from the connection information storage unit 105, and the IPsec processing units 115 and 122 perform the encapsulation processing and decapsulation processing by IPsec according to the IPsec policy. It has the function to control to perform. As a result, a VPN is established with the center-side gateway device 2.

  In addition, the IPsec control unit 102 has a function of dynamically controlling the IPsec processing units 115 and 122 in cooperation with the PPP connection monitoring unit 103, receiving information on the connection state from the PPP connection monitoring unit 103 to the ADSL. Yes. In particular, when a notification is received from the PPP connection monitoring unit 103 that the edge-side gateway device 1 has become communicable with the center-side gateway device 2, or the lP of the center-side I / F 120 of the edge-side gateway device 1 When the notification that the address information is changed is received, the IPsec processing units 115 and 122 are controlled according to the information. Thereby, the VPN between the center side gateway apparatus 2 is reconstructed.

  In the embodiment of the present invention, it is assumed that users of two different service types, wireless LAN client terminal a and wireless LAN client terminal b, connect using different SSIDs of SSID: α and SSID: β, respectively.

The wireless LAN setting applied to the wireless LAN client terminal a (3A) using the SSID: α is the initial value preset in the edge side gateway device 1, or the wireless LAN client terminal a and the wireless LAN client terminal a. A value controlled by a client terminal of the same service type is set.
The wireless LAN control unit 113 sets an initial value preset in the edge-side gateway device 1 or a value controlled by a wireless LAN client terminal a and a client terminal of the same service type as the wireless LAN client terminal a. / F110 is set.

  On the other hand, the setting of the wireless LAN applied to the wireless LAN client terminal b (3B) using the SSID: β is the initial value preset in the edge-side gateway device 1 or the center when the initial value is changed. A value controlled from the side gateway device 2 is set. The wireless LAN control unit 124 sets an initial value preset in the edge side gateway device 1 or a value controlled by the center side gateway device in the wireless LAN side I / F 110.

  FIG. 6 is an example of information stored in the connection information storage unit 105 of the edge-side gateway device 1. Here, a case where a pre-shared secret key is used as an IPsec method and XAUTH authentication is performed is shown as an example.

[Operation of edge gateway device]
Next, with reference to FIG. 7, an operation when the packet is received by the wireless LAN side I / F 110 among the operations of the edge side gateway device 1 will be described. FIG. 7 is a processing flow showing an operation when a packet is received by the wireless LAN side I / F as an operation of the edge side gateway device.

The packet receiving unit 111 receives packets transmitted from the client terminals a and b of different service types via the wireless LAN side I / F (terminal connection unit) 110 and passes them to the filter processing unit 112.
Based on the packet received from the packet receiving unit 111, the filter processing unit 112 determines whether the transmission source client terminal is the client terminal that received the SSID: α or SSID: β.

Here, when the packet is transmitted from the client terminal a with SSID: α (first service type), when the packet is a packet requesting IP address allocation, the packet is subjected to IP address allocation processing. When the packet is destined for the destination host device A, the packet is delivered to the routing processing unit 108.
Alternatively, when the packet is transmitted from the client terminal a with the SSID: α (first service type), and when the packet is a packet for controlling the setting of the wireless LAN with the SSID: α, the wireless LAN control is performed. Delivered to the unit 113.

  On the other hand, when the packet is transmitted from the client terminal b with SSID: β (second service type), when the packet is a DHCP packet, the packet is transferred to the DHCP processing unit 107, and is a packet other than the DHCP packet. Is searched for a filter condition that matches the condition of the client terminal b, and if transmission of a packet with the client terminal b as a transmission source is permitted, the packet is passed to the routing processing unit 108 and the client terminal b is transmitted. If transmission of the original packet is not permitted, the packet is discarded.

  When the IP address allocation processing unit (IP address allocation unit) 106 receives an IP address allocation request from the filter processing unit 112 and the IP address to the client terminal a is not allocated, the IP address allocation processing unit 106 A process for assigning an assignable IP address to the client terminal a is performed, and an IP address assignment response to the client terminal a is delivered to the routing processing unit 108.

  When receiving the DHCP packet from the filter processing unit 112, the DHCP processing unit 107 changes the destination to the IP address of the center side gateway device 2 when the destination of the DHCP packet is not the center side gateway device 2, and the edge side gateway Information indicating that relaying has been performed by the device 1 is inserted into the packet, and then delivered to the routing processing unit 108. Further, when the DHCP processing unit 107 receives the DHCP packet from the filter processing unit 112, when the destination of the DHCP packet is the center side gateway device 2, the DHCP processing unit 107 delivers it to the routing processing unit 108.

  When receiving a packet from the filter processing unit 112, the IP address allocation processing unit 106, or the DHCP processing unit 107, the routing processing unit (packet transfer unit) 108 receives the packet of the wireless LAN side I / F 110 according to the destination of the packet. The data is delivered to the transmission unit 114 or the IPsec processing unit 115 of the center side I / F 120.

  When receiving a packet from the routing processing unit 108, the IPsec processing unit (packet transfer means) 115 is configured so that the destination IP address of the packet is the center side gateway device 2, or the transmission source IP address of the packet is a wireless LAN client terminal In the case of b, the packet is determined to be a packet that needs to be encapsulated by IPsec, and the packet is encapsulated as shown in FIG. When the transmission source IP address of the packet is the wireless LAN client terminal a, the packet is delivered to the packet transmission unit 116 without being processed.

  The packet transmission unit 116 performs transmission processing on the packet received from the IPsec processing unit 115, and transmits the packet from the center side I / F 120 to the IP network 9A.

  Next, of the operations of the edge side gateway apparatus 1, the operation when the center side I / F 120 receives a packet will be described with reference to FIG. FIG. 8 is a processing flow showing the operation when the center side I / F 120 receives a packet as the operation of the edge side gateway device.

The packet receiving unit 121 delivers the packet received via the center side I / F 120 to the IPsec processing unit 122.
When receiving a packet from the packet receiving unit 122, the IPsec processing unit 122 determines whether the packet is encapsulated as shown in FIG. 2 or is not encapsulated. Here, in the case of an encapsulated packet, the encapsulated packet as illustrated in FIG. 2 is decapsulated and delivered to the filter processing unit 123. Further, in the case of a non-encapsulated packet, it is handed over to the filter processor 123 as it is.

The filter processing unit (filter processing means) 123 determines the packet received from the IPsec processing unit 122.
Here, when the transmission source IP address of the packet is the center-side gateway device 2, the packet is transferred to the center-side gateway cooperation processing unit 109, and the packet is assigned an IP address to the wireless LAN client terminal b. If it is a DHCP packet, it is delivered to the DHCP processing unit 107.
Further, when the destination IP address of the packet is a packet of the wireless LAN client terminal b, routing is performed when the wireless LAN client terminal b has already been authenticated and communication of the packet destined for the wireless LAN client terminal b is permitted. Delivered to the processing unit 108. Packets that do not meet any of the above conditions are discarded.

  The center-side gateway cooperation processing unit 109 acquires command information from the center-side gateway device 2 to the edge-side gateway device 1 from the received packet. Based on the acquired command information, control information is sent to the filter control unit 100 or the wireless LAN control unit 124.

  The DHCP processing unit 107 converts the DHCP packet transferred from the center side gateway device 2 to the edge side gateway device 1 into a packet in a format to be assigned to the wireless LAN client terminal b, and delivers it to the routing processing unit 108.

The routing processing unit 108 receives a packet from the filter processing unit 123 or the DHCP processing unit 107 and delivers it to the packet transmission unit 114 according to the destination of the packet.
The packet transmission unit 114 performs transmission processing on the packet received from the routing processing unit 108, and transmits the packet from the wireless LAN side I / F 110 to the wireless LAN client terminals a and b.

[Center gateway device]
Next, with reference to FIG. 9, the center side gateway apparatus 2 used in the packet communication service system according to the present embodiment will be described in detail. FIG. 9 is a functional block diagram showing the configuration of the center-side gateway device used in the packet communication service system according to the present embodiment.

  The center-side gateway device 2 includes, as main functional units, a filter control unit 200, a routing control unit 201, an IPsec control unit 202, a client information storage unit 204, a connection information storage unit 205, an authentication processing unit 206, and a DHCP processing unit 207. , Routing processing unit 208, edge side interface (hereinafter referred to as edge side I / F) 210, packet receiving unit 211, IPsec processing unit 212, filter processing unit 213, IPsec processing unit 214, packet transmission units 215 to 217, network side Interface (hereinafter referred to as network side I / F) 220, packet receiving unit 221, filter processing unit 222, DHCP / authentication server side interface (hereinafter referred to as DHCP / authentication server side I / F) 230, packet receiving unit 231, filter processing 232 is provided.

  These functional units are each configured by a dedicated circuit unit, an arithmetic processing unit, or a storage device. In particular, the arithmetic processing unit has a microprocessor such as a CPU and its peripheral circuits, and reads the program from a memory in the hardware or an external storage device and executes the program to cooperate the hardware and the program. To realize each functional unit.

  The filter control unit 200 has a function of controlling the filter policy for the filter processing units 213, 222, and 232 in accordance with a predetermined filter policy, and the filter processing unit in accordance with IP address assignment to the client terminal and user authentication. And a function of dynamically controlling the filter policy.

  Further, the filter control unit 200 controls the filter processing units 213, 222, and 232, so that the center side gateway device with respect to the packet having the edge side gateway device 1 and the wireless LAN client terminal b as a transmission source or transmission destination A function for permitting communication via 2 and transferring a packet, a function for changing or processing information on a packet in accordance with a policy predetermined in the center side gateway device 2, and a function via the center side gateway device 2 A function of discarding a packet by disallowing such communication.

  The routing control unit (packet transfer unit) 201 has a function of controlling a routing policy for the routing processing unit 208, a function of controlling the routing processing unit 208 according to a predetermined policy, and a wireless LAN. A function for performing dynamic control for newly changing a routing policy when a client terminal receives a new IP address assignment, and a routing policy for changing the IP address of a wireless LAN client terminal A function for performing dynamic control, a function for performing dynamic control for changing a routing policy when the wireless LAN client terminal releases an IP address and cannot connect to the edge gateway device 1, The routing policy received from the IPsec control unit 202 And a function to perform a dynamic control to change over.

  The IPsec control unit (VPN control means) 202 acquires the IPsec policy information of the edge gateway device 1 from the connection information storage unit 205, and the IPsec processing units 212 and 214 perform the encapsulation and decapsulation processing by IPsec according to the IPsec policy. It has the function to control to do. As a result, the VPN is constructed / reconstructed with the edge-side gateway device 1.

  FIG. 10 is an example of information stored in the connection information storage unit 205 of the center side gateway device 2. Here, a case where a pre-shared secret key is used as an IPsec method and XAUTH authentication is performed is shown as an example. FIG. 11 shows an example of information stored in the client information storage unit 204 of the center side gateway device 2.

[Operation of center side gateway device]
Next, of the operations of the center side gateway device 2, the operation when the edge side I / F 210 receives a packet will be described with reference to FIG. FIG. 12 is a processing flow showing an operation when a packet is received at the edge side I / F as an operation of the center side gateway device.

The packet receiving unit 211 passes the packet received via the edge side I / F 210 to the IPsec processing unit 212.
The IPsec processing unit 212 determines whether the packet received from the packet receiving unit 211 is encapsulated as illustrated in FIG. 2 or is not encapsulated. Here, when the packet is encapsulated, the encapsulated packet as illustrated in FIG. 2 is decapsulated and delivered to the filter processing unit 213. If the packet is not encapsulated, it is handed over to the filter processing unit 213 as it is.

The filter processing unit 213 determines a packet in accordance with the policy of the filter processing unit 213, and transfers to the DHCP processing unit 207, to the authentication processing unit 206, to the routing processing unit 208, or to discard the packet Perform the process.
First, when the packet is a DHCP packet, the packet is delivered to the DHCP processing unit 207.

If the packet is a packet other than a DHCP packet, the next filter condition that matches the condition of the packet is searched.
That is, when the source IP address of the packet is an IP address assigned an IP address from the IP address assignment device 8 connected to the center side gateway device 2, and is an authentication screen request or authentication request packet The packet is delivered to the authentication processing unit 207.

If the packet does not match the second condition, the next filter condition that matches the condition of the packet is searched.
That is, when the transmission source IP address of the packet is the IP address of the client terminal authenticated by the center side gateway device 2, the packet is delivered to the routing processing unit 208.
The filter processing unit 213 discards the packet when the packet does not meet the third condition.

  The DHCP processing unit 207 receives the packet from the filter processing unit 213, records the unique identification information (MAC address information) of the wireless LAN client b that has transmitted the packet in the client information storage unit 204, and then stores it in the routing processing unit 208. hand over.

  When the authentication processing unit 206 receives the packet from the filter processing unit 213 and the packet is an authentication screen request transmitted from the wireless LAN client terminal b, the authentication processing unit 206 acquires the authentication screen information from the authentication screen processing unit 209, and Is generated to be transmitted to the wireless LAN client terminal b and delivered to the routing processing unit 208. When the packet is an authentication request transmitted from the wireless LAN client terminal b, the IP address information and ID information of the wireless LAN client terminal b are acquired and recorded in the client information storage unit 204, and then the routing processing unit 208. To hand over.

  When receiving a packet from the filter processing unit 213, the DHCP processing unit 207, and the authentication processing unit 206, the routing processing unit (packet transfer unit) 208 performs IPsec processing of the edge side I / F 210 from the destination IP address information of the packet. The packet is distributed to the unit 214, the packet transmission unit 216 of the network side I / F 220, and the packet transmission unit 217 of the DHCP / authentication server side I / F 230 to deliver the packet.

  The packet transmission unit 216 performs transmission processing on the packet received from the routing processing unit 208, and transmits the packet from the network side I / F 220 to the IP network 9B.

  Next, of the operations of the center side gateway device 2, the operation when the network side I / F 220 receives a packet will be described with reference to FIG. FIG. 13 is a processing flow showing an operation when a packet is received at the network side I / F as an operation of the center side gateway device.

  The packet receiving unit 221 delivers the packet received via the network side I / F 220 to the filter processing unit 222.

  The filter processing unit 222 determines a packet according to the policy of the filter processing unit 222, and performs either processing of delivery to the routing processing unit 208 or discarding of the packet. Here, when the transmission destination IP address of the packet is the IP address of the client terminal authenticated by the center side gateway apparatus 2, the packet is delivered to the routing processing unit 208. If the packet does not meet the conditions, the packet is discarded.

The routing processing unit 208 receives the packet from the filter processing unit 222 and passes it to the IPsec processing unit 214.
When the IPsec processing unit 214 receives a packet from the routing processing unit 208, the IPsec processing unit 214 searches for an encapsulation policy corresponding to the transmission destination IP address of the packet. As shown in FIG. 2, the packet is encapsulated and delivered to the packet transmission unit 215. When the encapsulation policy of the packet cannot be detected, the packet is discarded.

  The packet transmission unit 215 performs transmission processing on the packet received from the IPsec processing unit 214, and transmits the packet from the edge side I / F 210 to the IP network 9A.

  Next, of the operations of the center side gateway device 2, the operation when the DHCP / authentication server side I / F 220 receives a packet will be described with reference to FIG. FIG. 14 is a processing flow showing an operation when a packet is received by the DHCP / authentication server side I / F as an operation of the center side gateway device.

The packet receiving unit 231 delivers the packet received via the DHCP / authentication server side I / F 230 to the filter processing unit 232.
The filter processing unit 232 determines a packet in accordance with the policy of the filter processing unit 232, and performs any one of processing of delivery to the DHCP processing unit 207, delivery to the authentication processing unit 206, and packet discard.
First, when the packet is a DHCP packet, the packet is delivered to the DHCP processing unit 207.

If the packet is a packet other than a DHCP packet, the next filter condition that matches the condition of the packet is searched.
That is, if the source IP address of the packet is an IP address that has been assigned an IP address from an IP address assignment device connected to the center-side gateway device, and is an authentication screen request or authentication request packet, authentication processing Delivered to the unit 206.
If the packet does not meet the second condition, the packet is discarded.

  When receiving the packet from the filter processing unit 232, the DHCP processing unit 207 acquires unique identification information (MAC address information) of the wireless LAN client b and IP address information assigned to the wireless LAN client terminal b from the packet. Then, the recording location of the MAC address information in the client information storage unit 204 is searched. When the MAC address information search is successful, the IP address information is added and recorded, and the packet is delivered to the routing processing unit 208.

  When the authentication processing unit 206 receives a packet from the filter processing unit 232, the authentication processing unit 206 obtains the transmission destination IP address information of the packet and the authentication success or failure information from the packet, and obtains the client from the transmission destination IP address information of the packet. The recording location of the IP address information in the information storage unit 204 is searched. When the search of the IP address information is successful, the authentication success or failure information is added and recorded, and the packet is delivered to the routing processing unit 208.

The routing processing unit (packet transfer means) 208 receives packets from the filter processing unit 232, the DHCP processing unit 207, and the authentication processing unit 206, and delivers the packets to the IPsec processing unit 214.
When the IPsec processing unit (packet transfer unit) 214 receives a packet from the routing processing unit 208, it searches for an encapsulation policy corresponding to the destination IP address of the packet and can detect the encapsulation policy of the packet. As shown in FIG. 2, the packet is encapsulated according to the policy and delivered to the packet transmission unit 215. If the encapsulation policy of the packet cannot be detected, the packet is discarded.

  The packet transmission unit 215 performs transmission processing on the packet received from the IPsec processing unit 214, and transmits the packet from the edge side I / F 210 to the IP network 9A.

  As described above, the present embodiment constructs a VPN between the edge-side gateway device 1 and the center-side gateway via the IP network 9A, and the edge-side gateway device 1 uses the IP corresponding to the first service type. For the client terminal 3A having an address, packets are transferred to and from any host device 4A connected to the IP network 9A, and for the client terminal 3B having an IP address corresponding to the second service type, Packets are mutually transferred via the VPN to the side gateway device 2 and the packets transmitted and received by the client terminal 3B in the center side gateway device 2 are connected to the edge side gateway device 1 and the IP network 9B. Via VPN with any host device 4B It is obtained so as to forward to each other Te.

  As a result, for the client terminals a and b connected to the same edge side gateway apparatus 1, for the client terminal a (3A) having the IP address corresponding to the first service type, the destination host via the IP network 9A For the client terminal b (3B) that can provide a packet communication service with the device A (4A) and has an IP address corresponding to the second service type, the VPN and the IP network 9B between the center side gateway device 2 and Packet communication service with the destination host apparatus B (4B).

Therefore, individual packet communication services can be provided to client terminals with different service types by the edge-side gateway device 1 common to these service types, compared to the case where an edge-side gateway device is provided for each service type, The hardware resources of the entire packet communication service system can be used effectively.
Further, client terminals at the same site can be accommodated by one edge-side gateway device 1, and there is no need to set an IP subnet as in the case of using an edge-side gateway device for each service type, and there is no waste in using IP addresses. Network resources can be used effectively.

Further, according to the present invention, the IP address assignment request from the second client terminal is transferred to the center side gateway device via the VPN, and the IP address assignment response from the center side gateway device via the VPN is Since it is transferred to the client terminal, it becomes possible to centrally manage the IP address assignment to the second client terminal at each site on the center side gateway device side.
Further, the center side gateway apparatus includes an authentication processing unit that performs authentication for the second client terminal, and a filter processing unit that performs arbitrary filtering processing on a packet transmitted and received by the second client terminal according to the authentication result. By providing, it becomes possible to centrally manage authentication and access management to the network on the side of the center side gateway device for the second client terminal at each base.
With the central management function on the center side gateway device side, it is possible to provide a public access communication service to the Internet, for example, to client terminals under the edge side gateway device at each base.

  Thereby, it is also possible to extend existing packet communication and provide a separate communication service. For example, an edge side gateway device or a center side gateway device is introduced into a wireless LAN communication system used for store business packet communication, and an existing store business packet communication is used as a first service type to provide a normal Internet access communication service. On the other hand, as a second service type that is separate from this, we provide public wireless Internet access communication services that are common to all bases via VPN on the premise of authentication for general customers who visit the store In addition, it is possible to expect an effect of attracting customers by expanding an existing communication system without introducing a new communication system separately.

It is a block diagram which shows the structure of the packet communication service system concerning one embodiment of this invention. It is a packet configuration example of IPsec. It is a sequence diagram which shows operation | movement of the packet communication service system concerning this Embodiment. It is a sequence diagram which shows the other operation | movement of the packet communication service system concerning this Embodiment. It is a functional block diagram which shows the structure of the edge side gateway apparatus used with the packet communication service system concerning this Embodiment. It is an example of information memorize | stored in the connection information memory | storage part of an edge side gateway apparatus. It is a processing flow which shows operation | movement of an edge side gateway apparatus. It is a processing flow which shows other operation | movement of an edge side gateway apparatus. It is a functional block diagram which shows the structure of the center side gateway apparatus used with the packet communication service system concerning this Embodiment. It is an example of information memorize | stored in the connection information storage part of the center side gateway apparatus. It is an example of information memorize | stored in the client information storage part of the center side gateway apparatus. It is a processing flow which shows operation | movement of the center side gateway apparatus. It is a processing flow which shows other operation | movement of the center side gateway apparatus. It is a processing flow which shows other operation | movement of the center side gateway apparatus. It is a block diagram which shows the structure of the conventional packet communication service system.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Edge side gateway apparatus, 2 ... Center side gateway apparatus, 3A ... Wireless LAN client terminal a, 3B ... Wireless LAN client terminal b, 4A ... Destination host apparatus A, 4B ... Destination host apparatus B, 5 ... DSLAM, 6 ... BAS, 7 ... Authentication device, 8 ... IP address allocation device, 9A ... IP network (second network), 9B ... IP network (second network), 100 ... Filter control unit, 101 ... Routing control unit, DESCRIPTION OF SYMBOLS 102 ... IPsec control part, 103 ... PPP connection monitoring part, 104 ... PPP connection processing part, 105 ... Connection information storage part, 106 ... IP address allocation processing part, 107 ... DHCP processing part, 108 ... Routing processing part, 109 ... Center Side gateway cooperation processing unit, 110 ... wireless LAN side I / F, 111 ... packet 112, filter processing unit, 113 ... wireless LAN control unit, 114 ... packet transmission unit, 115 ... IPsec processing unit, 116 ... packet transmission unit, 120 ... center side I / F, 121 ... packet reception unit, 122 ... IPsec processing unit, 123 ... filter processing unit, 124 ... wireless LAN control unit, 200 ... filter control unit, 201 ... routing control unit, 202 ... IPsec control unit, 204 ... client information storage unit, 205 ... connection information storage unit, 206 ... Authentication processing unit, 207 ... DHCP processing unit, 208 ... Routing processing unit, 209 ... Authentication screen processing unit, 210 ... Edge side I / F, 211 ... Packet reception unit, 212 ... IPsec processing unit, 213 ... Filter processing unit, 214 ... IPsec processing unit, 215-217 ... bucket transmission unit, 220 ... network side I F, 221 ... packet receiving section, 222 ... filter processing unit, 230 ... DHCP / authentication server I / F, 231 ... packet receiving section, 232 ... filtering unit.

Claims (9)

A packet communication service system that provides each client terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal,
One or more edge-side gateway devices connected to a first IP network, and a center-side gateway device connected to the first IP network and the second IP network,
The edge-side gateway device includes a terminal connection unit that connects the client terminal, a VPN control unit that establishes a VPN with the center-side gateway device via a first IP network, and a first service type. A packet is transferred between a first client terminal having a corresponding IP address and an arbitrary host device connected to the first IP network, and has an IP address corresponding to a second service type. A packet transfer means for transferring packets between the second client terminal and the center side gateway device via the VPN;
The center-side gateway device includes a VPN control unit that establishes a VPN with the edge-side gateway device via a first IP network, and a packet transmitted and received by the second client terminal. And a packet transfer means for transferring data to and from any host device connected to the second IP network via the VPN. Each client in a packet communication service system comprising one or more edge-side gateway devices connected to a first IP network and a center-side gateway device connected to the first IP network and the second IP network A packet communication service method used when providing each terminal with a packet communication service of a different service type using a communication path corresponding to the IP address of the client terminal.
The edge-side gateway device includes a terminal connection step for connecting the client terminal, a VPN control step for establishing a VPN with the center-side gateway device via a first IP network, and a first service type. A packet is transferred between a first client terminal having a corresponding IP address and an arbitrary host device connected to the first IP network, and has an IP address corresponding to a second service type. A packet transfer step of transferring packets between the second client terminal and the center side gateway device via the VPN,
The center-side gateway device includes a VPN control step for establishing a VPN with the edge-side gateway device via a first IP network, and a packet transmitted / received by the second client terminal to the edge-side gateway device And a packet transfer step of transferring the packets to and from any host device connected to the second IP network via the VPN. One or more edge-side gateway devices connected to a first IP network, and a center-side gateway device connected to the first IP network and the second IP network, and for each client terminal, An edge-side gateway device used in a packet communication service system that provides packet communication services of different service types using communication paths corresponding to IP addresses of client terminals,
Terminal connection means for connecting the client terminal;
VPN control means for constructing a VPN with the center side gateway device via the first IP network;
Packet communication between the first client terminal having an IP address corresponding to the first service type and an arbitrary host device connected to the first IP network by mutually transferring packets The packet is mutually transferred via the VPN between the second client terminal having an IP address corresponding to the second service type and the gateway device on the center side, and the client terminal and the first An edge-side gateway device comprising: packet transfer means for realizing packet communication with an arbitrary host device connected to the second IP network. Each client by a packet communication service system comprising one or more edge gateway devices connected to a first IP network and a center gateway device connected to the first IP network and the second IP network An edge-side gateway device that enables a terminal to connect to the first IP network or the second IP network based on the IP address of the client terminal,
An address request transfer means for transferring an IP address request for connection to the second IP network to the center side gateway device when a service identifier corresponding to the second IP network is received from the client terminal;
VPN control means for establishing a VPN with the center-side gateway device via the first IP network when the client terminal is connected to an arbitrary host device on the second IP network. An edge-side gateway device comprising: In the edge side gateway apparatus according to claim 3,
The packet transfer means transfers an IP address assignment request from the second client terminal to the center side gateway device via the VPN, and an IP address assignment response from the center side gateway device via the VPN. To the client terminal,
IP address assignment means for assigning an IP address in response to an IP address assignment request from the first client terminal, and the IP address sent and received by the second client terminal in cooperation with the center side gateway device An edge-side gateway device further comprising: filter processing means for performing arbitrary filtering processing on the packet. In the edge side gateway apparatus according to claim 3,
When the VPN control means becomes ready for packet communication with the first IP network, or when the IP address used for the packet communication is changed, the VPN control means performs packet communication with the first IP network. An edge-side gateway device that requests a VPN construction using a new IP address to be used from a center-side gateway device. One or more edge-side gateway devices connected to a first IP network, and a center-side gateway device connected to the first IP network and the second IP network, and for each client terminal, A center-side gateway device used in a packet communication service system that provides packet communication services of different service types using communication paths corresponding to the IP addresses of client terminals,
Between a first client terminal having an IP address corresponding to a first service type and the edge gateway device that realizes packet communication between an arbitrary host device connected to the first IP network VPN control means for constructing a VPN via the first IP network;
A packet transmitted / received by a second client terminal having an IP address corresponding to a second service type is transmitted between the edge gateway device and an arbitrary host device connected to the second IP network. And a packet transfer means for transferring data to each other via the center-side gateway device. The center side gateway device according to claim 7,
The packet transfer means transfers the IP address allocation request from the second client terminal transferred by the edge side gateway device to the IP address allocation device, and the second client terminal from the IP address allocation device. The IP address assignment response to the edge side gateway device,
Authentication processing means for performing authentication on the client terminal, filter processing means for performing arbitrary filtering processing on packets transmitted and received at the second client terminal according to the authentication result, and depending on the authentication result And a filter control means for controlling a filtering process in the edge side gateway device. The center side gateway device according to claim 7,
The VPN control means constructs a VPN with the edge side gateway device 1 using a new IP address notified from the edge side gateway device in response to a VPN construction request from the edge side gateway device. A center-side gateway device as a feature.

Images