JP5486523B2 - Network connection control system and connection control method - Google Patents

Description

  The present invention relates to a network connection control system and a connection control method.

  2. Description of the Related Art Conventionally, a service form in which a telecommunications carrier provides digital content to a user terminal connected to a specific VPN using IP (Internet Protocol) -VPN (Virtual Private Network) technology is known. When using such a service, the user first connects the user terminal to the VPN, and then connects to a service server that provides digital content via a Web browser or the like.

  Here, connection authentication is performed when connecting to the VPN and the service server. For example, connection authentication is performed when a user inputs a user ID, a password, and the like when connecting to a VPN and a service server. However, it is not convenient for the user to input a user ID and password for each connection authentication.

  Therefore, in recent years, a single sign-on system (Single Sign-On System) is known in which a user only performs connection authentication once and does not require subsequent connection authentication. For example, in the single sign-on system, when connection authentication to VPN is performed, connection authentication related to subsequent connection to various service servers becomes unnecessary.

  There is also known a technique that enables connection to a VPN suitable for digital content provided from a service server. In the above-described technique, it is possible to select a VPN accommodating device to be connected according to an identifier transmitted from the user terminal. That is, by using the above-described technique and the single sign-on system, the user terminal is connected to an appropriate VPN according to the identifier transmitted from the user terminal, and new connection authentication other than connection authentication to the VPN is performed. It is possible to realize an environment in which the digital contents of the service server can be used. The VPN accommodating device is a device that accommodates a connection from the user terminal to the VPN.

Japanese Patent No. 4357165 Japanese Patent No. 4560064

  However, in the above-described conventional technology, when using a plurality of digital contents, convenience for the user may be reduced. Specifically, in the above-described prior art, since VPNs having various attributes are provided so that digital contents can be provided flexibly, when digital contents are to be used via an optimal VPN In addition, every time the user changes the digital content to be used, the VPN to be connected to the user terminal is switched, and the convenience for the user is lowered. Note that the attributes of VPN include, for example, communication quality and security.

  For example, since the level of communication quality required for each digital content is different, when a user tries to use the digital content with an appropriate communication quality, the VPN that is connected to the user terminal every time the digital content to be used is changed. Will be switched. As a result, user convenience is reduced.

  For example, a user connects a user terminal to a VPN with low communication quality when searching for digital content, and then disconnects a connection with a VPN with low communication quality when viewing a video or the like. Thus, connection to the VPN having high communication quality is made again. That is, the user repeats connection and disconnection to the VPN every time the digital content to be used is changed, and the convenience for the user is reduced. Note that a VPN with low communication quality is, for example, a VPN whose bandwidth is not guaranteed. The VPN with high communication quality is, for example, a VPN with a guaranteed bandwidth.

  Therefore, the technology disclosed in the present application has been made in view of the above-described problems of the prior art, and is a network connection control system capable of improving user convenience when using a plurality of digital contents. It is another object of the present invention to provide a connection control method.

  In order to solve the above-described problems and achieve the object, the disclosed system includes a user terminal in which content is used, a providing server that provides content to the user terminal via a temporary private network, and the user A network connection control system comprising a connection control server for connecting a terminal and the providing server by any one of a plurality of temporary private networks, wherein the connection control server is based on attributes of the temporary private network Selecting means for selecting a temporary private network for connecting the user terminal and the providing server; and connecting means for connecting the user terminal and the providing server by the temporary private network selected by the selecting means; It is provided with.

  The disclosed system makes it possible to improve user convenience when using a plurality of digital contents.

FIG. 1 is a diagram for explaining an example of the configuration of the network connection control system according to the first embodiment. FIG. 2 is a schematic diagram illustrating an example of a configuration of a user terminal according to the first embodiment. FIG. 3 is a diagram for explaining an example of a configuration of an apparatus accommodated in the VPN service provider network according to the first embodiment. FIG. 4 is a schematic diagram illustrating an example of selection information stored by the selection information storage unit according to the first embodiment. FIG. 5 is a schematic diagram illustrating an example of user information stored in the user information storage unit according to the first embodiment. FIG. 6 is a schematic diagram illustrating an example of session information stored by the session information storage unit according to the first embodiment. FIG. 7 is a schematic diagram illustrating an example of the configuration of the service providing server according to the first embodiment. FIG. 8 is a schematic diagram illustrating an example of information stored in the communication quality storage unit according to the first embodiment. FIG. 9 is a sequence diagram illustrating a procedure of connection processing by the network connection control system according to the first embodiment. FIG. 10 is a sequence diagram illustrating a procedure of connection switching processing by the network connection control system according to the first embodiment. FIG. 11 is a sequence diagram illustrating the reconnection processing procedure performed by the network connection control system according to the first embodiment.

  Exemplary embodiments of a network connection control system and a connection control method disclosed in the present application will be described below in detail with reference to the accompanying drawings. Note that the network connection control system and the connection control method disclosed in the present application are not limited to the following embodiments.

[Configuration of Network Connection Control System According to Embodiment 1]
In the following, first, the overall configuration of the network connection control system according to the first embodiment will be described, and then the detailed configuration of the devices included in the network connection control system will be described. FIG. 1 is a diagram for explaining an example of the configuration of the network connection control system 1 according to the first embodiment. As shown in FIG. 1, the network connection control system 1 according to the first embodiment includes a user terminal 10 and a VPN termination device 20 accommodated in a user network 100, an edge router 30 accommodated in a VPN service provider network 200, a tunnel. A control server 40, a VPN accommodation device 51, a VPN accommodation device 52, a VPN 51 a, a VPN 51 b, a VPN 52 a, a VPN connection authentication server 60, a service control server 80, and a service providing server 70 are provided. Then, the network connection control system 1 executes a VPN switching process in accordance with digital content used by the user terminal 10. In the following description, digital content may be simply referred to as content.

  The user network 100 is a relatively narrow area network such as a LAN (Local Area Network). The VPN service provider network 200 is an IP (Internet Protocol) network configured by a provider that provides a VPN service. As shown in FIG. 1, the user network 100 and the VPN service provider network 200 are connected by a VPN termination device 20 and an edge router 30. Further, as shown in FIG. 1, the VPN service provider network 200 is connected to a service providing server 70 by VPN 51a, VPN 51b, and VPN 52b.

  The user terminal 10 is a general-purpose computer that includes a LAN connection interface and a Web browser, for example, and communicates with the VPN termination device 20 via the LAN. The VPN termination device 20 is a general-purpose broadband router provided with, for example, a LAN connection interface, a VPN connection function based on PPPoE, and an automatic reconnection function when a VPN connection session is disconnected.

  The edge router 30 is, for example, a router that establishes an L2TP tunnel (session) with the VPN accommodating device 51 or 52 and transfers packets between the VPN terminating device 20 and the VPN accommodating device 51 or 52. The tunnel control server 40 is a server device that performs control related to tunneling between the edge router 30 and the VPN accommodating devices 51 and 52.

  The VPN accommodating device 51 is, for example, a VPN accommodating device that accommodates the VPNs 51a and 51b and has a VPN connection termination function based on PPPoE and a RADIUS client function for authenticating the VPN connection. The VPN accommodating device 52 is, for example, a VPN accommodating device that accommodates the VPN 52 a and has a VPN connection termination function based on PPPoE and a RADIUS client function for authenticating the VPN connection.

  The VPN 51a, VPN 51b, and VPN 52a are VPNs for which communication quality such as bandwidth and priority control is not guaranteed (for example, best effort) or VPNs for which communication quality is guaranteed. For example, the VPN 51a and the VPN 51b are VPNs whose communication quality is not guaranteed. Further, for example, the VPN 52a is a VPN in which communication quality is guaranteed.

  The VPN connection authentication server 60 is a server device that executes various processes related to user authentication. The service providing server 70 corresponds to a single sign-on protocol SAML (Security Assertion Markup Language) and is a Web server device that provides various contents. For example, the service providing server 70 provides search content and moving image content for searching for content. The service control server 80 is a server device that executes various processes related to the VPN switching process.

  Next, the detailed configuration of each device provided in the network connection control system 1 shown in FIG. 1 will be described. Here, the network connection control system 1 disclosed in the present application becomes a connection destination of the user terminal 10 by controlling a tunnel established between the VPN termination device 20 and the VPN accommodation device 51 or the VPN accommodation device 52. VPN switching is controlled. In the following, first, detailed control of the first connection will be described, and then details of switching control for switching the VPN of the connection destination will be described. FIG. 2 is a diagram for explaining an example of the configuration of the user terminal 10 according to the first embodiment. The user terminal 10 is a general-purpose computer. For example, as shown in FIG. 2, a communication control I / F (Interface) unit 11, an input unit 12, a display unit 13, a storage unit 14, and a control unit 15. And is connected to the VPN terminator 20.

  The communication control I / F unit 11 controls communication related to various information exchanged between the VPN termination device 20 and the control unit 15. The communication control I / F unit 11 controls the exchange of various information between the control unit 15, the input unit 12, and the display unit 13. For example, the communication control I / F unit 11 controls IP communication between the control unit 15 and the VPN termination device 20.

  The input unit 12 is, for example, a keyboard or a mouse, and accepts various information input processes by the user. For example, the input unit 12 accepts an input process of information such as a user ID and password related to VPN connection, an input process related to user content selection, and the like. The display unit 13 is, for example, a display, and displays and outputs the processing result to the user. For example, the display unit 13 displays and outputs content using a Web browser.

  The storage unit 14 is, for example, a storage device such as a hard disk or an optical disk, or a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, and stores various programs executed by the user terminal 10. To do.

  The control unit 15 is, for example, an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). Execute overall control. For example, the control unit 15 controls a content request to the service providing server 70 using a protocol such as HTTP (HyperText Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Security).

  The VPN terminating device 20 transmits a VPN connection request to the edge router 30 accommodated in the VPN service provider network 200 based on information such as a preset user ID, password, and domain name. Specifically, the VPN termination device 20 transmits a VPN connection request including information such as a user ID, a password, and a domain name to the edge router 30 using a protocol such as PPPoE or IPsec. For example, the VPN terminating device 20 transmits a VPN connection request including “user ID: xxxx, password: ****, domain name: a.co.jp” to the edge router 30. Information such as a user ID, a password, and a domain name is registered when the user inputs in advance from the user terminal 10, for example.

  FIG. 3 is a diagram for explaining an example of a configuration of a device accommodated in the VPN service provider network 200 according to the first embodiment. The edge router 30 accommodated in the VPN service provider network 200 receives the VPN connection request transmitted by the VPN termination device 20, and extracts the user ID and domain name included in the received VPN connection request. Then, the edge router 30 includes the extracted user ID and domain name in the Access-Request signal of the RADIUS protocol, and transmits an Access-Request signal including the user ID and domain name to the tunnel control server 40.

  For example, the edge router 30 transmits an Access-Request signal including “user ID: xxxx” and “domain name: a.co.jp” to the tunnel control server 40. Thereafter, the edge router 30 establishes an L2TP tunnel with the VPN accommodating apparatus 51 or 52 based on a signal transmitted by the tunnel control server 40 described later. The process for establishing the L2TP tunnel will be described in detail later.

  As shown in FIG. 3, the tunnel control server 40 includes a communication control I / F unit 41, a storage unit 42, and a control unit 43, and is connected to the core network. The communication control I / F unit 41 controls communication related to various types of information exchanged between the device connected to the core network and the control unit 43. As shown in FIG. 3, the storage unit 42 includes a selection information storage unit 42a.

  The selection information storage unit 42a stores selection information for selecting a VPN accommodating device to which the VPN termination device 20 is connected. FIG. 4 is a schematic diagram illustrating an example of selection information stored by the selection information storage unit 42a according to the first embodiment. As illustrated in FIG. 4, the selection information storage unit 42a stores selection information in which a VPN name is assigned to a domain name and a user ID. For example, as illustrated in FIG. 4, the selection information storage unit 42 a stores selection information “domain name: a.co.jp, user ID: xxx, VPN accommodating apparatus IP address: 10.0.0.1”. . The above information is obtained when a user with “user ID: xxx” accesses from a user terminal with “domain name: a.co.jp” to a VPN accommodating apparatus with an IP address “10.0.0.1”. It shows that the VPN terminator 20 is connected. The selection information is set in advance. In addition, the selection information storage unit 42a can also store the IP address of the VPN accommodating apparatus to be returned when there is no selection information by default setting.

  Returning to FIG. 3, the control unit 43 includes a VPN accommodating device determination unit 43 a and a selection information rewriting unit 43 b as shown in FIG. 3. The VPN accommodating device determination unit 43a selects a VPN for connecting the user terminal 10 and the service providing server based on the attribute of the VPN. Specifically, the VPN accommodating device determination unit 43a selects a VPN having the communication quality identified by the service providing server 70 as an attribute. More specifically, the VPN accommodating device determination unit 43a determines a VPN accommodating device to be connected to the VPN terminating device 20 based on the user ID and the domain name included in the Access-Request signal received from the edge router 30. In other words, the VPN accommodating device determination unit 43a extracts the user ID and domain name from the received Access-Request signal, refers to the selection information stored by the selection information storage unit 42a, and uses the extracted user ID and domain name. It is determined that the VPN accommodating apparatus having the corresponding IP address is connected to the VPN terminating apparatus 20.

  For example, when receiving an Access-Request signal including “user ID: xxxx” and “domain name: a.co.jp”, the VPN accommodating apparatus determining unit 43a refers to the selection information, and “IP address: 10. It is determined to connect the VPN accommodating apparatus 51 and the VPN terminating apparatus 20 to which “0.0.1” is assigned. Then, the VPN accommodating device determination unit 43 a includes the determined “IP address: 10.0.0.1” of the VPN accommodating device 51 in the Access-Accept signal, and transmits it to the edge router 30.

  Here, the edge router 30 establishes an L2TP tunnel with the VPN accommodating apparatus identified by the IP address included in the Access-Accept signal transmitted by the VPN accommodating apparatus determining unit 43a. For example, the edge router 30 establishes an L2TP tunnel with the VPN accommodating apparatus 51 identified by “IP address: 10.0.0.1”. Then, the edge router 30 transfers the VPN connection request received from the VPN terminating device 20 to the VPN accommodating device 51 that has established the L2TP tunnel. For example, the edge router 30 transmits a VPN connection request including “user ID: xxxx, domain name: a.co.jp, password: ******” to the VPN accommodating apparatus 51.

  The selection information rewriting unit 43b rewrites the selection information stored in the selection information storage unit 42a based on a VPN connection change request received from the service control server 80 described later. The processing by the selection information rewriting unit 43b will be described in detail when describing VPN switching control.

  The VPN accommodating apparatus 51 receives the VPN connection request transmitted by the edge router 30, and extracts the user ID, domain name, and password included in the received VPN connection request. Then, the VPN accommodating apparatus 51 transmits the extracted user ID, domain name, and password to the VPN connection authentication server 60 as an Access-Request signal of the RADIUS protocol. For example, the VPN accommodating apparatus 51 transmits an Access-Request signal including “user ID: xxxx, domain name: a.co.jp, password: ******” to the VPN connection authentication server 60. At this time, when the connection is established, the VPN accommodating apparatus 51 transmits an Access-Request signal including a session ID for identifying the connection and a payout IP address that is an IP address used for the connection to the VPN connection. It transmits to the authentication server 60. For example, the VPN accommodating apparatus 51 transmits an Access-Request signal including “session ID: aaaabbbbbcccc, payout IP address: 192.168.1.1” to the VPN connection authentication server 60. When the edge router 30 establishes an L2TP tunnel with the VPN accommodating device 52, the VPN accommodating device 52 executes the above-described processing.

  As shown in FIG. 3, the VPN connection authentication server 60 includes a communication control I / F unit 61, a storage unit 62, and a control unit 63, and is connected to the core network. The communication control I / F unit 61 controls communication related to various types of information exchanged between the device connected to the core network and the control unit 63. As shown in FIG. 3, the storage unit 62 includes a user information storage unit 62a and a session information storage unit 62b.

  The user information storage unit 62a stores user information related to users who are permitted to connect to the VPN. FIG. 5 is a schematic diagram illustrating an example of user information stored by the user information storage unit 62a according to the first embodiment. As illustrated in FIG. 5, the user information storage unit 62a stores user information in which a domain name, a user ID, and a password are associated with each other. For example, as shown in FIG. 5, the user information storage unit 62 a stores user information “domain name: a.co.jp, user ID: xxx, password: ********,”.

  Returning to FIG. 3, the session information storage unit 62 b stores session information between the user terminal 10 and the service providing server 70. FIG. 6 is a schematic diagram illustrating an example of session information stored by the session information storage unit 62b according to the first embodiment. As shown in FIG. 6, the session information storage unit 62b stores session information in which a domain name, a user ID, a session ID, and a payout IP address are associated with each other. For example, as shown in FIG. 6, the session information storage unit 62b stores the session information “domain name: a.co.jp, user ID: xxx, session ID: aaaabbbbbcccc, payout IP address: 192.168.1.1”. Remember.

  Returning to FIG. 3, the control unit 63 includes an authentication unit 63a. The authentication unit 63a receives the Access-Request signal transmitted by the VPN accommodating apparatus, and authenticates whether or not the user corresponding to the information included in the received Access-Request signal is permitted to connect to the VPN. To do. Specifically, the authentication unit 63a refers to the user information stored in the user information storage unit 62a, and the “domain name” and the “password” of the “user ID” included in the received Access-Request signal are the user. It is determined whether or not it matches the “password” stored in the information.

  If the passwords match, the authentication unit 63a transmits a connection permission response (Access-Accept signal) to the VPN accommodating device. On the other hand, if the passwords do not match, the authentication unit 63a transmits a connection failure response (Access-Reject signal) to the VPN accommodating device. For example, when an Access-Request signal including “domain name: a.co.jp, user ID: xxxx, password: ********” is received from the VPN accommodating device 51, authentication is performed. The unit 63a transmits an Access-Accept signal to the VPN accommodating device 51 because the passwords match with reference to the user information shown in FIG. When the VPN accommodating apparatus 51 receives a response from the authentication unit 63a, the VPN accommodating apparatus 51 transfers the response result to the VPN terminating apparatus 20. Here, when the response is an Access-Accept signal, a connection to the VPN is established, and the user terminal 10 can access the service providing server 70.

  When the connection to the VPN is established, the authentication unit 63a stores the session information of the established connection in the session information storage unit 62b. Specifically, the authentication unit 63a extracts session information from the Access-Request signal received from the VPN accommodating apparatus, and stores the extracted session information in the session information storage unit 62b. For example, as illustrated in FIG. 6, the authentication unit 63a sends the session information “domain name: a.co.jp, user ID: xxx, session ID: aaaabbbbcccc, payout IP address: 192.168.1.1” to VPN. It is extracted from the Access-Request signal received from the accommodation device 51 and stored in the session information storage unit 62b.

  As described above, when the connection to the VPN is established, the user terminal 10 can access the service providing server 70. Therefore, hereinafter, connection control when the user terminal 10 accesses the service providing server 70 and uses content will be described.

  Returning to FIG. 3, the service control server 80 includes a communication control I / F unit 81, a storage unit 82, and a control unit 83, and is connected to the core network. The communication control I / F unit 81 controls communication related to various types of information exchanged between the device connected to the core network and the control unit 83. As illustrated in FIG. 3, the storage unit 82 includes a VPN information storage unit 82a.

  The VPN information storage unit 82a stores communication quality for each VPN. For example, the VPN information storage unit 82a stores VPN information indicating that the VPN 51a and the VPN 51b are VPNs whose communication quality is not guaranteed (for example, best effort VPN), and the VPN 52a is a VPN whose communication quality is guaranteed. Remember.

  As shown in FIG. 3, the control unit 83 includes an authentication confirmation unit 83a, a change request unit 83b, and a disconnection request unit 83c. The authentication confirmation unit 83a confirms whether or not the user terminal 10 redirected by the service providing server 70 described later has been authenticated. Specifically, the authentication confirmation unit 83a transmits the IP address of the user terminal 10 to the VPN connection authentication server 60 using the search key as a search key, and whether or not the user terminal 10 to which the transmitted IP address is assigned has been authenticated. Requests authentication status information indicating. For example, the authentication confirmation unit 83 a transmits the IP address “192.168.1.1” assigned to the user terminal 10 to the VPN connection authentication server 60 and requests authentication state information.

  When the authentication unit 63a of the VPN connection authentication server 60 receives the IP address from the authentication confirmation unit 83a, the authentication unit 63a searches the session information stored in the session information storage unit 62b using the IP address as a search key. And the authentication part 63a acquires the authentication state of a corresponding user terminal, user ID, and domain name, and transmits the acquired information to the service control server 80 as a response of an authentication state. For example, the authentication unit 63a searches the session information shown in FIG. 6 using the IP address “192.168.1.1” as a search key, and acquires the user ID and the domain name. Then, since the session ID is assigned, it is determined that authentication has been performed, and a response indicating that authentication has been performed is transmitted to the service control server 70 together with the user ID and the domain name.

  The authentication confirmation unit 83a sends the authenticated information received from the authentication unit 63a, the user ID, and the domain name to the service providing server 70 via the Web browser of the user terminal 10 as the SAML assertion of the single sign-on protocol. Send.

  The change request unit 83b executes various processes related to VPN switching. Note that the processing performed by the change request unit 83b will be described in detail when describing VPN switching control. The disconnection request unit 83c executes various processes related to VPN switching. The processing by the disconnection request unit 83c will be described in detail when explaining VPN switching control.

  FIG. 7 is a schematic diagram illustrating an example of the configuration of the service providing server 70 according to the first embodiment. As shown in FIG. 7, the service providing server 70 includes a communication control I / F unit 71, a storage unit 72, and a control unit 73, and is connected to VPNs 51a, 51b, and 52a. The communication control I / F unit 71 controls communication related to various types of information exchanged between the device connected to the VPN 51a, 51b, or 52a and the control unit 73. As shown in FIG. 7, the storage unit 72 includes a content storage unit 72a and a communication quality storage unit 72b.

  The content storage unit 72 a stores data relating to various contents provided by the service providing server 70. The communication quality storage unit 72b stores information on communication quality required for content. FIG. 8 is a schematic diagram illustrating an example of information stored in the communication quality storage unit 72b according to the first embodiment. For example, as illustrated in FIG. 8, the communication quality storage unit 72b stores information in which content types are associated with quality assurance. Here, the content type shown in FIG. 8 indicates the type of content stored by the content storage unit 72a. Further, the quality assurance shown in FIG. 8 indicates assurance of communication quality such as bandwidth control and priority control in VPN. For example, as shown in FIG. 8, the communication quality storage unit 72b stores “content type: search content, quality assurance: none”. The information described above indicates that the quality assurance is not required in the VPN required for the search content. Similarly, as shown in FIG. 8, the communication quality storage unit 72b stores “content type: moving image content, quality assurance: yes”.

  Returning to FIG. 7, the control unit 73 includes an authentication requesting unit 73a, a service providing unit 73b, and a VPN change requesting unit 73c. After the connection to the VPN is established, the authentication request unit 73a has already authenticated the connection to the VPN of the user terminal 10 that has made a connection to the service providing server 70 using HTTP or HTTPS via the Web browser. Or not, the service control server 80 is checked. Specifically, the authentication request unit 73a redirects the Web browser of the user terminal 10 to the service control server 80 based on SAML of the single sign-on protocol. As a result, the service control server 80 executes the authentication confirmation process described above.

  Then, the authentication request unit 73a verifies the authentication state information, the user ID, and the domain name received from the authentication confirmation unit 83a of the service control server 80, and performs content use authentication to the user terminal 10. The service providing unit 73b provides the content to the user terminal 10 whose use of the content has been authenticated by the authentication requesting unit 73a. The VPN change request unit 73c executes various processes related to VPN switching. The processing by the VPN change request unit 73c will be described in detail below.

  So far, the detailed control of the first connection has been described. Details of the switching control for switching the VPN to be connected will be described below.

  In the switching control of the VPN to be connected, first, the VPN change request unit 73c of the service providing server 70 identifies communication quality required for transmission / reception of data related to the content requested by the user terminal 10. Specifically, the VPN change request unit 73c refers to information in which the content type and the communication quality stored in the communication quality storage unit 72b are associated with each other, and the communication quality required for the content requested by the user terminal 10 Identify

  More specifically, the VPN change request unit 73c corresponds to the information of the VPN to which the user terminal 10 is connected, the communication quality of the VPN, the content type stored in the communication quality storage unit 72b, and the communication quality. It is determined whether or not it is necessary to switch the VPN using the attached information. That is, the VPN change request unit 73c determines whether the communication quality of the VPN currently connected to the user terminal 10 is different from the communication quality required for the content requested by the user.

  Note that the VPN to which the user terminal 10 is connected and the communication quality information of the VPN are transmitted to the service providing server 70 when the authentication status of the user terminal 10 is confirmed. Specifically, when the VPN connection authentication server 60 transmits a confirmation response of the authentication status of the user terminal 10 to the service control server 80, the VPN connection authentication server 60 transmits information including information on the VPN to which the user terminal 10 is connected. When the service control server 80 transmits an authentication response to the service providing server 70, the service control server 80 transmits the information including the communication quality information of the VPN to which the user terminal 10 is connected.

  Here, when the communication quality of the currently connected VPN is different from the communication quality required for the content requested by the user, the VPN change request unit 73c transmits the VPN change request to the service control server 80. . For example, when the user terminal 10 is connected to the VPN 51a whose communication quality is not guaranteed at present and a moving image content is requested from the user terminal 10, the VPN change request unit 73c is first stored in the communication quality storage unit 72b. With reference to the information, it is identified that the communication with the quality guaranteed for the moving image content is required. Then, the VPN change request unit 73c determines that it is necessary to switch from the currently connected VPN to a VPN with guaranteed communication quality.

  In such a case, the VPN change request unit 73c includes a VPN change content for requesting a change from a VPN whose communication quality is not guaranteed to a VPN whose communication quality is guaranteed, a user ID, and a domain name. A VPN change request is transmitted to the service control server 80 via the user terminal 10 using SAML.

  The change request unit 83 b of the service control server 80 transmits a VPN accommodation device change request to the tunnel control server 40 in response to the VPN change request received from the service providing server 70. For example, the change request unit 83b refers to the contents of the VPN change, determines the connection destination of the user terminal 10 corresponding to the user ID and the domain name from the VPN accommodation device 51 that accommodates the VPN 51a whose communication quality is not guaranteed. Is sent to the tunnel control server 40 to change to the VPN accommodating device 52 that accommodates the VPN 52a that is guaranteed.

  When the selection information rewriting unit 43b of the tunnel control server 40 receives the change request for the VPN accommodating device from the change request unit 83b, the selection information rewriting unit 43b rewrites the selection information stored in the selection information storage unit 42a. Specifically, the selection information rewriting unit 43b rewrites, in the selection information, the VPN accommodating apparatus IP address associated with the user ID and the domain name included in the change request according to the change request. For example, the selection information storage unit 42a sets “IP address: 10.0.0.1” associated with “domain name: a.co.jp, user ID: xxx” in the selection information illustrated in FIG. The IP address of the accommodation device 52 is rewritten to “10.0.1.1”.

  Further, the disconnection request unit 83 c of the service control server 80 transmits a disconnection request for a session established at the present time to the VPN connection authentication server 60. Specifically, the disconnection request unit 83c transmits a session disconnection request including the user ID and domain name of the user terminal 10 that switches the VPN accommodating device to the VPN connection authentication server 60.

  The authentication unit 63a of the VPN connection authentication server 60 searches the session information using the user ID and domain name included in the disconnection request transmitted by the disconnection request unit 83c as search keys, and includes a RADIUS Disconnect including the session ID of the corresponding session. -Request is transmitted to the VPN accommodating apparatus that disconnects the session. For example, the authentication unit 63 a transmits a RADIUS Disconnect-Request to the VPN accommodating device 51.

  When the VPN accommodating apparatus receives the RADIUS Disconnect-Request, the VPN accommodating apparatus disconnects the session having the session ID included in the RADIUS Connect-Request, and returns the RADIUS Connect-Ack to the VPN connection authentication server 60. When the VPN connection authentication server 60 receives the RADIUS Disconnect-Ack, the VPN connection authentication server 60 returns a session disconnection response, which is a response indicating that the session disconnection is completed, to the service control server 80.

  As described above, the selection information stored in the tunnel control server 40 is rewritten, and the already established session is disconnected. Here, when the VPN terminating device 20 transmits a VPN connection request again by the automatic reconnection function, the VPN accommodating device to which the L2TP tunnel is established by the edge router 30 is rewritten IP stored in the selection information storage unit 42a. A VPN accommodating device identified by an address. That is, the edge router 30 establishes an L2TP tunnel with the VPN accommodating device 52. As described above, in the network connection control system according to the first embodiment, it is possible to automatically switch to a VPN having an appropriate communication quality when the content used by the user is changed. As a result, the network connection control system according to the first embodiment can dynamically switch the connection destination VPN of the user terminal 10 according to the service without changing the settings of the VPN termination device 20 and the user terminal 10. It is possible to improve the convenience.

[Procedure for Connection Processing by Network Connection Control System According to Embodiment 1]
Next, a procedure of connection processing by the network connection control system 1 according to the first embodiment will be described with reference to FIG. FIG. 9 is a sequence diagram illustrating a procedure of connection processing by the network connection control system 1 according to the first embodiment.

  As shown in FIG. 9, in the network connection control system 1 according to the first embodiment, when the VPN terminating device 20 transmits a VPN connection request to the edge router 30 (step S101), the edge router that has received the VPN connection request 30 transmits an Access-Request signal including the user ID and domain name to the tunnel control server 40 as a VPN accommodating device determination request (step S102).

  When the tunnel control server 40 receives the VPN accommodation device determination request from the edge router 30, the tunnel control server 40 determines the VPN accommodation device 51 that accommodates the VPN to be connected based on the selection information stored in the selection information storage unit 42a ( In step S103), an Access-Accept signal including information on the determined VPN accommodating device 51 is transmitted as a response to the edge router 30 (step S104).

  When receiving the Access-Accept signal from the tunnel control server 40, the edge router 30 transfers the VPN connection request received from the VPN terminating device 20 to the determined VPN accommodating device 51 (step S105). When receiving the VPN connection request from the edge router 30, the VPN accommodating apparatus 51 transmits an Access-Request signal as an authentication request to the VPN connection authentication server 60 (step S106). When the VPN connection authentication server 60 receives the Access-Request signal of the authentication request from the VPN accommodating device 51, the VPN connection authentication server 60 performs user authentication based on the user information stored in the user information storage unit 62a (step S107), and includes the authentication result. A response is transmitted to the VPN accommodating apparatus 51 (step S108). For example, the VPN connection authentication server 60 transmits an Access-Accept signal to the VPN accommodating apparatus 51 as a connection permission response. Further, the VPN connection authentication server 60 transmits an Access-Reject signal to the VPN accommodating apparatus 51 as a connection failure response.

  And the VPN accommodating apparatus 51 will transmit an authentication result to the VPN termination device 20 as a VPN connection response, if a response is received from the VPN connection authentication server 60 (step S109). Here, when the connection is authenticated, the connection with the VPN is completed.

  When the connection with the VPN is completed, the user terminal 10 transmits a service request for using the content to the service providing server 70 (step S110). When receiving the service request from the user terminal 10, the service providing server 70 redirects the Web browser of the user terminal 10 to the service control server 80 based on the SAML of the single sign-on protocol (step S111). When receiving the authentication request, the service control server 80 transmits an authentication state confirmation request to the VPN connection authentication server 60 (step S112). Upon receiving the authentication status confirmation request from the service control server 80, the VPN connection authentication server 60 confirms the user authentication status (step S113), and transmits a response including the authentication result to the service control server 80 (step S114).

  When receiving the response from the VPN connection authentication server, the service control server 80 redirects the Web browser of the user terminal 10 to the service providing server 70 based on the SAML of the single sign-on protocol (step S115). Here, when authenticated, the content is provided from the service providing server 70 in the user terminal 10.

[Procedure for Connection Switching Process by Network Connection Control System According to Embodiment 1]
Next, the procedure of connection switching processing by the network connection control system 1 according to the first embodiment will be described with reference to FIG. FIG. 10 is a sequence diagram illustrating a procedure of connection switching processing by the network connection control system 1 according to the first embodiment.

  As shown in FIG. 10, in the network connection control system 1 according to the first embodiment, when the user terminal 10 transmits a service request to the service providing server 70 (step S201), the service providing server 70 is requested. The communication quality required for the service is identified (step S202). If it is determined that the VPN needs to be changed, the service providing server 70 redirects the Web browser of the user terminal 10 to the service control server 80 based on the SAML of the single sign-on protocol and makes a VPN change request. (Step S203).

  When receiving the VPN change request, the service control server 80 transmits a VPN accommodating apparatus change request to the tunnel control server 40 (step S204). When the tunnel control server 40 receives the VPN accommodation device change request, the tunnel control server 40 changes the IP address included in the selection information (step S205), and transmits a change response, which is information indicating that the change is completed, to the service control server 80. (Step S206).

  Upon receiving the change response, the service control server 80 transmits a session disconnection request to the VPN connection authentication server 60 (step S207). Upon receiving the session disconnection request, the VPN connection authentication server 60 transfers the session disconnection request to the VPN accommodating device 51 (step S208). Upon receiving the session disconnection request, the VPN accommodating apparatus 51 disconnects the session (step S209), and transmits a session disconnection response, which is information indicating that the session disconnection is completed, to the VPN connection authentication server 60 (step S210). Upon receiving the session disconnection response from the VPN accommodating device 51, the VPN connection authentication server 60 transfers the session disconnection response to the service control server 80 (step S211).

[Procedure for reconnection processing by network connection control system according to embodiment 1]
Next, the procedure of reconnection processing by the network connection control system 1 according to the first embodiment will be described with reference to FIG. FIG. 11 is a sequence diagram illustrating the reconnection processing procedure performed by the network connection control system 1 according to the first embodiment. FIG. 11 shows a process after the process in FIG.

  As shown in FIG. 11, in the network connection control system 1 according to the first embodiment, the VPN termination device 20 transmits a VPN connection request to the edge router 30 by the automatic reconnection function (step S301). When receiving the VPN connection request from the VPN terminating device 20, the edge router 30 transmits a VPN accommodating device determination request to the tunnel control server 40 (step S302).

  When receiving the VPN accommodation device determination request from the edge router 30, the tunnel control server 40 determines the VPN accommodation device 52 that accommodates the VPN to be connected based on the selection information stored in the selection information storage unit 42a ( In step S303, a response including information on the determined VPN accommodating device 52 is transmitted to the edge router 30 (step S304). That is, the tunnel control server 40 switches the connection destination when the IP address is changed in step S204 of FIG.

  When receiving the response from the tunnel control server 40, the edge router 30 transfers the VPN connection request received from the VPN terminating device 20 to the determined VPN accommodating device 52 (step S305). When receiving the VPN connection request from the edge router 30, the VPN accommodating apparatus 52 transmits an authentication request to the VPN connection authentication server 60 (step S306). Upon receiving the authentication request from the VPN accommodating device 52, the VPN connection authentication server 60 performs user authentication based on the user information stored in the user information storage unit 62a (step S307), and sends a response including the authentication result to the VPN accommodating device. 52 (step S308). Upon receiving the response from the VPN connection authentication server 60, the VPN accommodating device 52 transmits the authentication result as a VPN connection response to the VPN terminating device 20 (step S309). If the connection is authenticated, the connection with the VPN is completed (step S310).

  When the connection with the VPN is completed, the user terminal 10 transmits a service request for using the content to the service providing server 70 (step S311). When the service providing server 70 receives the service request from the user terminal 10, Based on the SAML of the single sign-on protocol, the web browser of the user terminal 10 is redirected to the service control server 80 to make an authentication request (step S312). When receiving the authentication request, the service control server 80 transmits an authentication status confirmation request to the VPN connection authentication server 60 (step S313). Upon receiving the authentication status confirmation request from the service control server 80, the VPN connection authentication server 60 confirms the user authentication status (step S314), and transmits a response including the authentication result to the service control server 80 (step S315).

  When receiving the response from the VPN connection authentication server, the service control server 80 redirects the Web browser of the user terminal 10 to the service providing server 70 based on the SAML of the single sign-on protocol (step S316). Here, when authenticated, service use is started from the service providing server 70 in the user terminal 10 (step S317).

[Effect of Example 1]
As described above, according to the first embodiment, the VPN accommodating device determination unit 43a of the tunnel control server 40 selects a VPN for connecting the user terminal 10 and the service providing server 70 based on the attributes of the VPN. Then, the edge router 30 connects the user terminal 10 and the service providing server 70 by the VPN selected by the VPN accommodating device determining unit 43a. Therefore, the network connection control system 1 according to the first embodiment can automatically switch the VPN to be connected to the user terminal 10 without changing the settings of the VPN termination device 20 and the user terminal 10, and uses a plurality of digital contents. It is possible to improve the convenience of the user at the time.

  Further, according to the first embodiment, the VPN change request unit 73c of the service providing server 70 identifies the communication quality required for transmission / reception of data related to the content requested by the user terminal 10. And the VPN accommodation apparatus determination part 43a of the tunnel control server 40 selects VPN which has the communication quality identified by the VPN change request part 73c as an attribute. Therefore, the network connection control system 1 according to the first embodiment can automatically switch to a VPN having an appropriate communication quality for each content without changing the settings of the VPN termination device 20 and the user terminal 10, and uses a plurality of contents. It is possible to further improve the convenience of the user when doing so.

  Further, according to the first embodiment, the authentication unit 63a of the VPN connection authentication server 60 sets the user terminal 10 to the VPN selected by the control unit 43 of the tunnel control server 40 based on the user information using the user terminal 10. Authenticates whether to connect. When the edge router 30 is authenticated by the authentication unit 63a to connect the user terminal 10 to the VPN, the edge router 30 connects the user terminal 10 to the VPN selected by the control unit 43 of the tunnel control server 40. Therefore, the network connection control system 1 according to the first embodiment makes it possible to construct a network that is used only by users who are permitted to connect.

  According to the first embodiment, the authentication unit 63a further authenticates whether or not the user terminal 10 is connected to the service providing server. The authentication request unit 73a connects the user terminal 10 to the service providing server 70 when the authentication unit 63a is authenticated to connect the user terminal 10 to the service providing server 70. Therefore, the network connection control system 1 according to the first embodiment can omit the input of a user ID, a password, and the like by the user that is necessary every time it is used for content, and further improves the convenience for the user. Make it possible.

  Further, according to the first embodiment, general-purpose products can be used for the user terminal and the VPN termination device, and can be easily realized.

  Although the first embodiment has been described so far, the technology disclosed in the present application is not limited to the first embodiment. That is, these embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made.

  In the first embodiment described above, the case where the tunnel control server 40, the VPN connection authentication server 60, and the service control server 80 are connected to the core network has been described. However, the disclosed technology is not limited to this. For example, when one server having the functions of the tunnel control server 40, the VPN connection authentication server 60, and the service control server 80 is connected to the core network. There may be.

  In the above-described first embodiment, the case where communication quality is used as the VPN attribute has been described. However, the disclosed technology is not limited to this, and for example, security may be used as an attribute of the VPN. In such a case, for example, the network connection control system of the present application performs control so that a VPN having a high security and a VPN having a low security are automatically switched based on digital content to be provided.

  Further, in the first embodiment described above, the case where the connection is switched from the VPN whose communication quality is not guaranteed to the VPN whose communication quality is guaranteed has been described. However, the disclosed technique is not limited to this, and may be, for example, a case of switching from a VPN whose communication quality is guaranteed to a VPN whose communication quality is not guaranteed.

  In addition, for example, the specific form (for example, the form of FIG. 4) of the distribution / integration of each device is not limited to the illustrated one, and all or a part thereof can be arbitrarily set according to various loads or usage conditions. It can be distributed or integrated functionally or physically in units. For example, the user information storage unit 62a and the session information storage unit 62b may be integrated as one storage unit, while the authentication unit 63a includes a VPN connection authentication unit that authenticates a VPN connection, and a service providing server. It may be distributed to a connection authentication unit that performs authentication when connecting to the network 70.

  Further, the control unit 43 may be connected as an external device of the tunnel control server 40 via a network, or another device has a VPN accommodation device determination unit 43a and a selection information rewriting unit 43b, respectively. You may make it implement | achieve the function of the tunnel control server 40 mentioned above by connecting and cooperating.

  These embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

DESCRIPTION OF SYMBOLS 1 Network connection control system 10 User terminal 20 VPN termination device 30 Edge router 40 Tunnel control server 51,52 VPN accommodation apparatus 60 VPN connection authentication server 70 Service provision server 80 Service control server

Claims (5)

A user terminal where the content is used,
A providing server for providing content to the user terminal via a temporary private network;
A network connection control system comprising a connection control server for connecting the user terminal and the providing server by any of a plurality of temporary private networks,
The providing server is
When a provision request for content is received from the user terminal via the first temporary private network, the temporary private network corresponding to the content is identified, and a temporary private network corresponding to the content is Identifying means for transmitting a change request for changing the temporary private network to the connection control server when a second temporary private network different from the first temporary private network connected to the user terminal is identified in ,
With
The connection control server is
Temporary connection for connecting the second temporary private network to the user terminal and the providing server when a request for changing from the first temporary private network to the second temporary private network is received from the providing server. A selection means to select a new private network,
And connection means for re-connecting the providing server and the user terminal by the selected temporary private network by said selecting means,
A network connection control system comprising: Said identifying means, based on the communication quality required for transmission and reception of data according to the content requested by the user terminal, to identify the temporary private network in accordance with the contents of the content,
Network connection control system of claim 1 wherein the selecting means, characterized in that selecting a tentative set private network identified by said identifying means. The connection control server is
Further comprising authentication means for authenticating whether or not to connect the user terminal to the temporary private network selected by the selection means based on the user information using the user terminal;
The connection means connects the user terminal to the temporary private network selected by the selection means when the authentication means is authenticated to connect the user terminal to the temporary private network. The network connection control system according to claim 1 or 2. The authentication means further authenticates whether or not to connect the user terminal to the providing server,
The said connection means connects the said user terminal to the said provision server, when it is authenticated by the said authentication means that the said user terminal is connected to the said provision server. Network connection control system. A user terminal where the content is used,
A providing server for providing content to the user terminal via a temporary private network;
A network connection control method executed in a system comprising a connection control server for connecting the user terminal and the providing server by any of a plurality of temporary private networks,
By the providing server,
When a provision request for content is received from the user terminal via the first temporary private network, the temporary private network corresponding to the content is identified, and a temporary private network corresponding to the content is An identification step of transmitting a change request for changing the temporary private network to the connection control server when a second temporary private network different from the first temporary private network connected to the user terminal is identified in FIG.
Is executed,
By the connection control server,
Temporary connection for connecting the second temporary private network to the user terminal and the providing server when a request for changing from the first temporary private network to the second temporary private network is received from the providing server. A selection process to select a new private network,
A connecting step of re-connecting the providing server and the user terminal by the selected temporary private network by said selection step,
The network connection control method is characterized in that is executed.

Images