JP5657509B2 - Network connection control method and network connection control device - Google Patents

Description

  The present invention relates to a network connection control method and a network connection control apparatus.

  Conventionally, as a network connection control method for connecting a user terminal to an Internet service provider (ISP) designated by a user, a layer 2 tunneling protocol access controller (LAC) that accommodates the user's communication line is connected to an ISP carrier network. There is known a technique for connecting a layer 2 tunneling protocol network server (LNS), which has been made, under the control of a LAC control server using a layer 2 tunneling protocol (L2TP).

  The LAC control server selects an optimum LNS to be connected to the LAC from among the LNSs installed for each ISP provider in accordance with identifiers such as ISP domain information included in the connection request transmitted by the user terminal. Thereby, in the technique mentioned above, a user terminal can be connected to arbitrary ISP provider networks.

  Here, in the above-described network connection control method, the LNS selected by the LAC control server and the LAC are usually connected, and then the user terminal is connected to the ISP business by the ISP business server connected to the LNS. It is authenticated whether or not it is a contract user. At this time, only when the authentication is OK, the user terminal is permitted to connect to the ISP carrier network. On the other hand, if the authentication is NG, the user terminal is not permitted to connect to the ISP carrier network.

Japanese Patent No. 4560064

  However, in the above-described conventional technology, the server processing load related to network connection control may increase. For example, when the user has set wrong authentication information in the user terminal or the broadband router under the user terminal, in the above-described conventional technology, the user terminal or the broadband router is authenticated as NG by the authentication server, Even after the connection to the ISP network is rejected, the connection request is made again, and thereafter, the connection rejection and the connection request may be repeated infinitely. As a result, there arises a problem that the processing load of the LAC control server of the communication line operator and the authentication server of the ISP operator increases.

  Here, the operation of the user terminal or the broadband router is changed so that, for example, the connection request is not transmitted after the connection is refused more than a certain number of times, thereby suppressing the above-mentioned invalid connection request transmission. can do. However, it is extremely difficult to change the operation of terminals that have already spread throughout the city and the operation of broadband routers.

  Therefore, the technology according to the present application has been made in view of the above-described problems of the prior art, and a network connection control method and a network connection control that can reduce the processing load of a server related to network connection control. An object is to provide an apparatus.

  In order to solve the above-described problems and achieve the object, the method of the present application controls connection between an access controller and a network server based on a layer 2 tunneling protocol based on a connection request from a user terminal via the access controller. A network connection control method executed by a network connection control device, wherein, when a connection request is received from the user terminal, the number of times that the connection request from the user terminal is invalid exceeds a predetermined threshold value A determination step of determining whether or not the number of times of invalidation exceeds the threshold by the determination step, the invalid network server not connected to an external network and the access controller Control connection by layer 2 tunneling protocol Characterized in that it includes a connection control step.

  The method of the present application makes it possible to reduce the processing load of a server related to network connection control.

FIG. 1 is a diagram illustrating an example of the overall configuration of the network connection control system according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of the LAC control server according to the first embodiment. FIG. 3 is a diagram illustrating an example of invalid request information stored by the invalid request information storage unit according to the first embodiment. FIG. 4 is a diagram illustrating an example of LNS information stored in the LNS information storage unit according to the first embodiment. FIG. 5 is a first sequence diagram illustrating a processing procedure performed by the network connection control system according to the first embodiment. FIG. 6 is a second sequence diagram illustrating a processing procedure performed by the network connection control system according to the first embodiment. FIG. 7 is a third sequence diagram illustrating a processing procedure performed by the network connection control system according to the first embodiment. FIG. 8 is a diagram illustrating an example of the overall configuration of the network connection control system according to the second embodiment. FIG. 9 is a diagram illustrating an example of the configuration of the LAC control server according to the second embodiment. FIG. 10 is a sequence diagram illustrating a processing procedure performed by the network connection control system according to the second embodiment.

  Exemplary embodiments of a network connection control method and a network connection control device according to the present application will be described below in detail with reference to the accompanying drawings. In the following, a network connection control system including a LAC control server that executes the network connection control method according to the present application will be described as an example. Further, the network connection control method and the network connection control device according to the present application are not limited to the following embodiments.

[Configuration of Network Connection Control System According to Embodiment 1]
In the following, first, the overall configuration of the network connection control system according to the first embodiment will be described, and then the detailed configuration of the LAC control server that executes the network connection control method according to the present application will be described. FIG. 1 is a diagram illustrating an example of a configuration of a network connection control system 1 according to the first embodiment.

  As shown in FIG. 1, the network connection control system 1 according to the first embodiment includes a user terminal 10 and a broadband router 20 accommodated in a user network 100, a LAC control server 40 accommodated in a communication line operator network 200, and The invalid connection accommodating LNS 60, the ISP authentication server 70 accommodated in the ISP carrier network 300, the ISP authentication server 71 accommodated in the ISP carrier network 301, the user network 100, and the communication line carrier network 200, respectively. LACs 30 to 32, an LNS 50 connected to each of the communication line carrier network 200 and the ISP carrier network 300, and an LNS 51 connected to each of the communication line carrier network 200 and the ISP carrier network 301. The user network connected to the LAC 31 and the LAC 32 is not shown.

  The user network 100 is a relatively narrow network such as a LAN (Local Area Network). The communication line carrier network 200 is a network owned by the communication line carrier. The ISP provider networks 300 and 301 are IP (Internet Protocol) networks respectively configured by providers that provide Internet services.

  The user terminal 10 is a general-purpose computer that includes a LAN connection interface and a Web browser, for example, and accepts an Internet service provided via an ISP carrier network. The broadband router 20 is a general-purpose broadband router capable of PPP (Point to Point Protocol) connection under the control of the user terminal 10, and makes a PPP connection request (hereinafter sometimes referred to as a connection request) to the LAC 31. . Specifically, the broadband router 20 executes a discovery stage for establishing a PPPoE (PPP over Ethernet (registered trademark)) session and negotiation with the LAC 30 with an LCP (Link Control Protocol).

  Then, the broadband router 20 uses the authentication protocol such as PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) to pass the domain information of the connection destination ISP, user information, and authentication information for ISP connection authentication to the LAC 30. Send. In FIG. 1, only one user terminal 10 and one broadband router are shown, but actually, a larger number of user terminals and broadband routers are connected to the LAC 30.

  When the LAC 30 receives a PPP connection request from the broadband router 20, the LAC 30 performs negotiation with the broadband router 20 using the discovery stage and LCP. Then, the LAC 30 transmits a connection destination LNS resolution request for establishing an L2TP session with the LNS via the communication line carrier network 200 to the LAC control server 40. In addition, the LAC 30 transmits an L2TP connection request for establishing an L2TP session to the LNS. Details of processing by the LAC 30 will be described later. The LAC 31 and the LAC 32 perform communication similar to the LAC 30 between the broadband router and the LAC control server 40 connected to the LAC 31 and the LAC control server 40, respectively. Although only three LACs are shown in FIG. 1, more LACs are actually connected to the communication line operator network 200.

  The LAC control server 40 executes various controls relating to establishment of an L2TP session between the LAC and the LNS. Specifically, the LAC control server 40 refers to the LNS information management table and authenticates the connection destination LNS resolution request received from the LAC. Here, if the authentication is OK, the LAC control server 40 transmits a connection destination LNS resolution response to the effect that the authentication is OK to the LAC. On the other hand, when the authentication is NG, the LAC control server 40 transmits a connection destination LNS resolution response indicating that the authentication is NG to the LAC.

  Here, in addition to the above-described processing, the LAC control server 40 according to the first embodiment executes processing for reducing the processing load on the server related to network connection control. Details of this process will be described later.

  The LNS 50 and the LNS 51 are general-purpose LNS devices that can be connected to the LAC through L2TP. When an L2TP connection request is received from the LAC 30, LAC 31, or LAC 32, a user authentication request is transmitted to the ISP authentication server 70 or 71. Specifically, the LNS 50 and the LNS 51 transmit user authentication information included in the L2TP connection request to the ISP authentication server 70 or 71. In FIG. 1, only two LNSs are shown, but actually, a larger number of LNSs are connected to the communication line operator network 200. For example, the same number of LNSs as the number of ISP carrier networks are connected to the communication line carrier network 200.

  The invalid connection accommodation LNS 60 is a general-purpose LNS device that can be connected to the LAC by L2TP. Here, when receiving the L2TP connection request from the LAC 30, LAC 31, or LAC 32, the invalid connection accommodating LNS 60 transmits an authentication OK response (CHAP-Success when the authentication protocol is CHAP) to the broadband router 20 without performing authentication. . As a result, a PPP session is established between the broadband router 20 and the invalid connection accommodation LNS 60. However, the invalid connection accommodating LNS 60 does not provide a communication service to the broadband router and user terminals under its control because the ISP carrier network is not connected.

  The ISP authentication server 70 and the ISP authentication server 71 receive user authentication requests from the LNS 50 and LNS 51, respectively, and perform user authentication. Then, the ISP authentication server 70 and the ISP authentication server 71 transmit the authentication results to the LNS 50 and the LNS 51, respectively.

  Next, a detailed configuration of the LAC control server included in the network connection control system 1 shown in FIG. 1 will be described. FIG. 2 is a diagram illustrating an example of the configuration of the LAC control server according to the first embodiment. In FIG. 2, a case where an L2TP session is established between the LAC 30 and the LNS 50 will be described as an example. Here, first, an example of the configuration of the LAC 30 connected to the LAC control server 40 via the communication line carrier network 200 will be described.

  For example, the LAC 30 includes a communication control I / F (Interface) unit 31 and a control unit 32 as shown in FIG. The communication control I / F unit 31 controls communication regarding various information exchanged between the LAC control server 40 and the LNS 50 and the control unit 32. For example, the communication control I / F unit 31 controls communication of a connection destination LNS resolution request between the control unit 32 and the LAC control server 40.

  As shown in FIG. 2, the control unit 32 includes a connection destination LNS request unit 32a and a session disconnection notification unit 32b. The connection destination LNS request unit 32a performs LAC control on the connection destination LNS resolution request including the domain information and user information of the connection destination ISP received from the broadband router 20 and line information for uniquely identifying the user's contracted line. Send to server 40.

  Further, the connection destination LNS request unit 32a transmits an L2TP connection request to the LNS when receiving a response indicating that the authentication is OK in the connection destination LNS resolution response of the LAC control server 40 in response to the connection destination LNS resolution request. . For example, when the connection destination LNS request unit 32a receives a connection destination LNS resolution response including the IP address of the LNS 50 from the LAC control server 40, the user information of the connection destination ISP and authentication for ISP connection authentication to the LNS 50 An L2TP connection request including information is transmitted.

  When the LNS 50 receives the L2TP connection request, the LNS 50 uses RADIUS (Remote Authentication Dial In User Service) to send an authentication request (for example, Access-Request) including ISP user information and authentication information to the ISP authentication server 70. Send. The ISP authentication server 70 that has received the authentication request authenticates the pair of ISP user information and authentication information included in the authentication request, and if the authentication is OK, transmits an Access-Accept as an authentication result to the LNS 50. On the other hand, when the authentication is NG, the ISP authentication server 70 transmits Access-Reject to the LNS 50 as an authentication result. When the LNS 50 receives the Access-Accept, the LNS 50 transmits a PPP authentication OK response (CHAP-Success when the authentication protocol is CHAP) to the broadband router 20 to connect to the ISP carrier network via the PPP session. To give permission.

  When the established L2TP session is disconnected, the session disconnection notification unit 32b transmits an L2TP session disconnection notification that is a notification that the L2TP session has been disconnected to the LAC control server 40. Specifically, the session disconnection notification unit 32b transmits an L2TP session disconnection notification including the disconnection reason to the LAC control server 40 when the L2TP connection is disconnected by the LNS.

  The LAC control server 40 according to the first embodiment determines whether or not the PPP connection request transmitted from the broadband router 20 to establish an L2TP session between the LAC and the LNS is an invalid request. If it is determined that there is an L2TP session between the LAC 30 and the invalid connection accommodating LNS, the processing load on the server related to network connection control is reduced.

  As shown in FIG. 2, the LAC control server 40 includes a communication control I / F unit 41, an input unit 42, a display unit 43, a storage unit 44, and a control unit 45. The communication control I / F unit 41 controls communication related to various information exchanged between the LAC and the control unit 45. For example, the communication control I / F unit 41 controls communication related to the connection destination LNS resolution response. Further, the communication control I / F unit 41 controls the exchange of various types of information between the input unit 42, the display unit 43, and the control unit 45.

  The input unit 42 is, for example, a keyboard or a mouse, and accepts various information input processes by the user. For example, the input unit 42 receives threshold value input processing used for determining whether or not the PPP connection request is an invalid request. The threshold will be described later. The display unit 43 is, for example, a display, and displays and outputs the processing result to the user.

  As shown in FIG. 2, the storage unit 44 includes an invalid request information storage unit 44a and an LNS information storage unit 44b. The storage unit 44 is, for example, a storage device such as a hard disk or an optical disk, or a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, and stores various programs executed by the LAC control server 40. Remember.

  The invalid request information storage unit 44a stores invalid request information used for determination of an invalid request executed by the control unit 45 described later. Specifically, the invalid request information storage unit 44a stores invalid request information in which the number of invalid requests is associated with each user terminal. FIG. 3 is a diagram illustrating an example of an invalid request information management table stored by the invalid request information storage unit 44a according to the first embodiment.

  For example, as shown in FIG. 3, the invalid request information storage unit 44a stores an invalid request information management table in which line information, ISP domain information, ISP user information, and invalid request transmission count are associated with each other. For example, as shown in FIG. 3, the invalid request information storage unit 44a is configured as “line information: L135572468, ISP domain information: isp-b.co.jp, ISP user information: user2, invalid request transmission count: 2. Is memorized. Here, the above-mentioned information is that the PPP connection request transmitted from the user terminal or broadband router corresponding to “line information: L135572468, ISP domain information: isp-b.co.jp, ISP user information: user2” is an invalid request. This means that the number of times “2” is “twice”.

  Returning to FIG. 2, the LNS information storage unit 44b stores LNS information in which an ISP domain is associated with an IP address of an LNS corresponding to the ISP. FIG. 4 is a diagram illustrating an example of LNS information stored in the LNS information storage unit 44b according to the first embodiment. For example, as shown in FIG. 4, the LNS information storage unit 44b stores LNS information in which “ISP domain information: isp-a.com” and “LNS IP address: 10.1.1.1” are associated with each other. To do.

  The LNS information storage unit 44b stores the IP address of the invalid connection accommodation LNS 60 as LNS information. For example, the LNS information storage unit 44b stores “ISP domain information: INVALID” and “LNS IP address: 10.1.99.99” as the LNS information of the invalid connection accommodation LNS 60, as shown in FIG.

  Returning to FIG. 2, the control unit 45 includes an invalid request determination unit 45a, an LNS information resolution unit 45b, a connection destination LNS response unit 45c, and an invalid request information update unit 45d. The control unit 45 is, for example, an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array), and is a LAC control server. 40 overall control is executed.

  When receiving a connection request from a user terminal, the invalidation request determination unit 45a determines whether or not the number of times that the connection request from the user terminal is invalid exceeds a predetermined threshold. Specifically, the invalid request determination unit 45a refers to the invalid request information storage unit 44a when receiving a connection destination LNS resolution request from the LAC 30 that has received the PPP connection request from the user terminal 10 or the broadband router 20. Then, it is determined whether or not the number of transmissions of the connection destination LNS resolution request exceeds a predetermined threshold value.

  For example, the “ISP domain information”, “user information”, and “line information” included in the connection destination LNS resolution request received from the LAC 30 are “isp-b.co.jp”, “user2”, and “L135572468”, respectively. If there is, the LAC invalid request determination unit 45a refers to the invalid request information shown in FIG. 3 and extracts that the “invalid request transmission count” is “twice”. Then, the LAC invalid request determination unit 45a determines whether or not the extracted “invalid request transmission count: twice” exceeds a predetermined threshold.

  Here, for example, when the threshold value is “3 times”, the LAC invalid request determination unit 45 a determines that the connection destination LNS resolution request received from the LAC 30 is not an invalid connection request. On the other hand, when the threshold is “once”, the LAC invalid request determination unit 45a determines that the connection destination LNS resolution request received from the LAC 30 is an invalid connection request.

  Based on the determination result of the invalid request determination unit 45a, the LNS information resolution unit 45b determines the LNS that establishes the L2TP session with the LAC that transmitted the connection destination LNS resolution request. Specifically, when the invalid request determination unit 45a determines that the LNS information resolution unit 45b is not an invalid connection request, the LNS information resolution unit 45b determines the IP address LNS corresponding to the ISP domain information included in the connection destination LNS resolution request. It is determined as the connection destination LNS.

  For example, when it is determined that the connection destination LNS resolution request received from the LAC 30 is not an invalid connection request, the LNS information resolution unit 45b refers to the LNS information illustrated in FIG. 4 and connects to the connection destination LNS received from the LAC 30. The LNS of “LNS IP address: 10.1.2.2” corresponding to “ISP domain information: isp-b.co.jp” included in the resolution request is determined as the connection destination LNS.

  On the other hand, when the invalid request determination unit 45a determines that the request is an invalid connection request, the LNS information resolution unit 45b determines the invalid connection accommodation LNS 60 as the connection destination LNS. For example, when it is determined that the connection destination LNS resolution request received from the LAC 30 is an invalid connection request, the LNS information resolution unit 45b determines the invalid connection accommodation LNS 60 as the connection destination LNS of the LAC 30.

  The connection destination LNS response unit 45c transmits a connection destination LNS resolution response including the IP address of the connection destination LNS determined by the LNS information resolution unit 45b to the LAC. For example, the connection destination LNS response unit 45c transmits to the LAC 30 a connection destination LNS resolution response including the “IP address: 10.1.2.2” of the LNS determined as the connection destination LNS of the LAC 30 by the LNS information resolution unit 45b. To do. As a result, an L2TP session is established between the LAC 30 and the LNS 50.

  Further, the connection destination LNS response unit 45c reads the IP address “10.1.99.99” of the invalid connection accommodation LNS 60 determined as the connection destination LNS of the LAC 30 by the LNS information resolution unit 45b from the LNS information illustrated in FIG. The connection destination LNS resolution response including the read “IP address: 10.1.99.99” is transmitted to the LAC 30. As a result, an L2TP session is established between the LAC 30 and the invalid connection accommodation LNS 60. When the LNS information is not stored in the LNS information storage unit 44b, the connection destination LNS response unit 45c transmits a connection destination LNS resolution response that does not include an IP address to the LAC 30.

  Returning to FIG. 2, the invalid request information update unit 45d creates invalid request information and stores it in the invalid request information storage unit 44a. Specifically, the invalidation request information updating unit 45d determines the number of times that the connection request from the user terminal or the broadband router is invalidated in the authentication in the connection between the LAC and the LNS and the authentication in the ISP authentication server connected to the LNS. The number of invalidation is counted, and the counted number is stored in the invalidation request information storage unit 44a in association with each user terminal.

  Specifically, the invalid request information update unit 45d resolves the connection destination LNS resolution when the LNS information related to the ISP domain information included in the connection destination LNS resolution request received from the LAC is not stored in the LNS information storage unit 44b. The request is determined as an invalid connection request, and invalid request information is created in the invalid request information management table. Then, the invalid request information updating unit 45d updates the number of invalid request information each time the same connection destination LNS resolution request is received.

  Further, the invalid request information updating unit 45d determines a connection request that has been authenticated as NG by the ISP authentication server as an invalid connection request, and creates invalid request information in the invalid request information management table. Specifically, first, the ISP authentication server 70 determines that the authentication is NG, and an authentication response (for example, Access-Reject) corresponding thereto is transmitted to the LNS 50. When the LNS 50 receives an authentication response (Access-Reject) whose authentication is NG, the LNS 50 disconnects the L2TP session with the LAC 30. When the L2TP session with the LNS is disconnected, the LAC 30 transmits an L2TP session disconnection notification including the reason for disconnection to the LAC control server 40. Here, the invalid request information update unit 45d detects that the authentication by the ISP authentication server 70 is NG, and makes an invalid request to the invalid request information management table based on the information included in the L2TP session disconnection notification received from the LAC 30. Create information. Then, the invalid request information updating unit 45d updates the number of invalid request information each time the L2TP session disconnection notification associated with the same connection request is received from the LAC 30.

  Further, the invalid request information updating unit 45d is configured to store the user terminal stored in the invalid request information storage unit 44a when the LAC 30 and the invalid connection accommodating LNS 60 are connected by L2TP based on the connection request of the user terminal or the broadband router. Delete information about. As a result, the LAC control server 40 according to the first embodiment can suppress an increase in unnecessary data.

  The invalid request information update unit 45d further stores the update date and time in association with the invalid request information management table stored by the invalid request information storage unit 44a, and deletes records that have not been updated for a predetermined time or longer. For example, the invalid request information update unit 45d deletes a record that has not been updated for a certain period of time in a record in which the number of invalid connection request transmissions has not reached the threshold. Thereby, the LAC control server 40 according to the first embodiment can further suppress an increase in unnecessary records.

  As described above, the LAC control server 40 according to the first embodiment transfers the PPP session between the user terminal or the broadband router and the LAC to the invalid connection accommodating LNS when the number of invalid connection requests exceeds a predetermined threshold. Connect. As a result, since the connection by L2TP is established, the connection destination ISP authentication NG or domain information is incorrect until the user explicitly disconnects the PPP session with the invalid connection accommodation LNS. Since the PPP connection request is not repeatedly transmitted, the processing load on the LAC control server 40, the LNS, and the ISP authentication server is reduced.

  On the other hand, the request once accommodated in the invalid connection accommodation LNS 60 is deleted when the user notices the setting error of the broadband router and repeats the PPP connection request with the correct setting because the record is deleted from the invalid request information management table. It is accommodated in the correct LNS without being accommodated in the connection accommodation LNS 60. For this reason, the communication line carrier or ISP carrier who received the report from the user accommodated in the invalid connection accommodation LNS only needs to correct the setting error by the user, such as data change to the LAC control server. Maintenance work is unnecessary.

  Here, the user can notice a setting error when triggered by the following. For example, a user can notice a setting error when a user makes an inquiry to customer support when normal communication cannot be performed, for example, the user cannot connect to a Web site on the Internet even when the browser is started. Alternatively, it is possible to incorporate a mechanism that positively displays on the user side that the setting is NG. For example, by transferring the web access of the user accommodated in the invalid connection accommodation LNS to the website notifying that the connection is NG, the fact that the setting is NG is displayed to the user. However, in the case of a broadband router in which normal settings and invalid settings coexist, even if invalid settings are accommodated in the invalid connection accommodation LNS, there is no substantial influence on the user.

[Procedure for Connection Processing by Network Connection Control System According to Embodiment 1]
Next, a procedure of connection processing by the network connection control system 1 according to the first embodiment will be described with reference to FIGS. FIG. 5 is a first sequence diagram illustrating a processing procedure performed by the network connection control system 1 according to the first embodiment. FIG. 5 shows a sequence when the connection request transmitted by the broadband router 20 is not determined to be invalid by the LAC control server 40 and the authentication by the ISP authentication server 70 is NG.

  As shown in FIG. 5, in the LAC control server according to the first embodiment, when the broadband router 20 transmits a PPP connection request (step S101), the LAC 30 acquires domain information of the connection destination ISP included in the PPP connection request. The connection destination LNS resolution request including the user information and the line information is transmitted to the LAC control server 40 (step S102).

  In the LAC control server 40, when the connection destination LNS resolution request is received, the invalid request determination unit 45a determines whether or not the received connection destination LNS resolution request is an invalid connection request (step S103). . Here, in this sequence, the invalid request determination unit 45a determines that the received connection destination LNS resolution request is not an invalid connection request. Thereafter, the LNS information resolution unit 45b executes LNS information resolution for determining the connection destination LNS (step S104).

  Thereafter, in the LAC control server 40, the connection destination LNS response unit 45c transmits a connection destination LNS resolution response including the IP address of the connection destination LNS to the LAC 30 (step S105). Upon receiving the connection destination LNS resolution response, the LAC 30 transmits an L2TP connection request including user information of the connection destination ISP and authentication information for ISP connection authentication to the connection destination LNS 50 (step S106). Establish an L2TP session.

  Thereafter, the LNS 50 transmits an authentication request (Access-Request) including ISP user information and authentication information to the ISP authentication server 70 (step S107). Here, when the authentication by the authentication server 70 is NG, the authentication server 70 transmits an authentication response (Access-Reject) to the LNS 50 (step S108). When receiving the authentication response (Access-Reject), the LNS 50 transmits a PPP authentication NG response to the broadband router 20 (step S109), and disconnects the L2TP session (step S110). At this time, the LNS 50 notifies the LAC 30 that the disconnection reason is ISP authentication NG.

  When the L2TP session is disconnected by the LNS 50, the LAC 30 transmits an L2TP session disconnection notification (Accounting-Request (stop) of the RADIUS protocol) including the disconnection reason notified from the LNS 50 to the LAC control server 40 (step 1). S111). The Accounting-Request (stop) includes line information, domain information of the connection destination ISP, and user information.

  When the LAC control server 40 receives the L2TP session disconnection notification (Accounting-Request (stop)), the invalid request information update unit 45d displays invalid request information when the disconnection reason included in the notification is ISP authentication NG. Is updated (step S112).

  FIG. 6 is a second sequence diagram illustrating a processing procedure performed by the network connection control system 1 according to the first embodiment. FIG. 6 shows a sequence when the connection request transmitted by the broadband router is not determined to be invalid by the LAC control server 40 and there is an error in the domain information of the connection destination ISP.

  As shown in FIG. 6, in the LAC control server according to the first embodiment, when the broadband router 20 transmits a PPP connection request (step S201), the LAC 30 acquires the domain information of the connection destination ISP included in the PPP connection request. The connection destination LNS resolution request including the user information and the line information is transmitted to the LAC control server 40 (step S202).

  In the LAC control server 40, when the connection destination LNS resolution request is received, the invalid request determination unit 45a determines whether or not the received connection destination LNS resolution request is an invalid connection request (step S203). . Here, in this sequence, the invalid request determination unit 45a determines that the received connection destination LNS resolution request is not an invalid connection request. After that, the LNS information resolution unit 45b executes LNS information resolution for determining the connection destination LNS (step S204).

  Here, since the domain information of the connection destination ISP included in the connection destination LNS resolution request is incorrect and there is no corresponding record in the LNS information table, the LNS information resolution unit 45b gives the LAC 30 the IP address of the LNS. A connection destination LNS resolution response not included is transmitted (step S205). Then, the invalid request information update unit 45d updates the invalid request information (step S206).

  When the LAC 30 receives the connection destination LNS resolution response that does not include the IP address of the LNS 50, the LAC 30 transmits a PPP authentication NG response to the effect that the authentication for establishing the PPP session is NG to the broadband router 20 (step S207). ).

  FIG. 7 is a third sequence diagram illustrating a processing procedure performed by the network connection control system 1 according to the first embodiment. FIG. 7 shows a sequence when the connection request transmitted by the broadband router is determined to be invalid by the LAC control server 40.

  As shown in FIG. 7, in the LAC control server according to the first embodiment, when the broadband router 20 transmits a PPP connection request (step S301), the LAC 30 acquires the domain information of the connection destination ISP included in the PPP connection request. The connection destination LNS resolution request including the user information and the line information is transmitted to the LAC control server 40 (step S302).

  In the LAC control server 40, when the connection destination LNS resolution request is received, the invalid request determination unit 45a determines whether or not the received connection destination LNS resolution request is an invalid connection request (step S303). . Here, in this sequence, the invalid request determination unit 45a determines that the received connection destination LNS resolution request is an invalid connection request. Thereafter, the LNS information resolution unit 45b executes LNS information resolution for connecting the LAC 30 to the invalid connection accommodation LNS 60 (step S304).

  Then, the connection destination LNS response unit 45c transmits a connection destination LNS resolution response including the IP address of the invalid connection accommodation LNS 60 to the LAC 30 (step S305). Further, the invalid request information update unit 45d deletes the invalid request information record corresponding to the connection destination LNS resolution response, and updates the invalid request information (step S306). When the LAC 30 receives the connection destination LNS resolution response including the IP address of the invalid connection accommodation LNS 60, the LAC 30 transmits an L2TP connection request to the invalid connection accommodation LNS 60 (step S307) to establish an L2TP session.

  When the L2TP session is established, the invalid connection accommodation LNS 60 transmits a PPP authentication OK response to the effect that the authentication for establishing the PPP session is OK to the broadband router 20 (step S308).

[Effect of Example 1]
As described above, according to the first embodiment, when the invalidation request determination unit 45a receives a connection request from the broadband router 20, the number of invalidation of the connection request from the broadband router 20 has a predetermined threshold value. Determine if it has exceeded. If the connection request LNS response unit 45c is determined by the invalid request determination unit 45a that the number of invalidations exceeds the threshold, the invalid connection accommodation LNS and LAC that are not connected to the ISP carrier network Are controlled to be connected by the layer 2 tunneling protocol. Therefore, the LAC control server 40 according to the first embodiment can suppress the invalid connection request repeatedly transmitted from the user terminal or the broadband router when the authentication at the time of establishing the PPP session is NG. This makes it possible to reduce the processing load of a server related to network connection control, such as a LAC control server owned by a line operator or an authentication server owned by an ISP operator.

  In general, a broadband router can be connected to a plurality of ISPs at the same time, and each authentication information can be set. For this reason, in the case where the setting of the canceled service provider remains in the broadband router, a situation may occur in which connection refusal and connection request by authentication NG are repeated infinitely. In particular, when a newly contracted operator is set at the same time, the user can communicate as desired, so he / she does not realize that the connection request and the connection refusal by the canceled operator's setting are repeated. May be left over for a period of time.

  The LAC control server 40 according to the first embodiment can suppress connection request transmission in the situation described above, and can reduce the processing load on the server related to network connection control.

  Further, according to the first embodiment, the invalid request information updating unit 45d determines the number of times that the connection request from the user terminal or the broadband router is invalid, and the authentication in the connection between the LAC and the LNS and the authentication server connected to the LNS. The number of invalidation in the authentication is counted, and the counted number is stored in the invalidation request information storage unit 44a in association with each user. Then, the invalid request determination unit 45a refers to the invalid request information storage unit 44a to determine whether or not the number of times that the connection request from the user terminal or the broadband router is invalid exceeds a threshold value. Therefore, the LAC control server 40 according to the first embodiment can determine whether or not the authentication related to the connection by L2TP is invalid, and can accommodate only the invalid connection request in the invalid connection accommodation LNS. Here, the LAC control server 40 according to the first embodiment, for example, identifies and counts invalid connection requests by a combination of line information, ISP domain information, and ISP user information. Compared to the case (identification using only line information), it can be more accurately identified that the same invalid connection request continues to be transmitted.

  That is, the LAC control server 40 according to the first embodiment can more accurately identify that the same invalid connection request is continuously transmitted, so that, for example, a user unfamiliar with the network device newly sets a broadband router. It is possible to exclude invalid connection requests that can occur during trial and error when inputting ISP user information and passwords. In other words, the LAC control server 40 according to the first embodiment makes it possible to reduce the effort related to unnecessary user support that occurs by suppressing the invalid connection request as described above.

  Further, according to the first embodiment, the invalid request information update unit 45d stores the invalid request information storage unit 44a when the LAC and the invalid connection accommodation LNS are connected based on the connection request of the user terminal or the broadband router. Delete the corresponding record. Therefore, the LAC control server 40 according to the first embodiment can suppress an increase in unnecessary records.

  In the first embodiment described above, the case where the LAC is connected to the invalid connection accommodating LNS when the invalid connection request is received has been described. In the second embodiment, a case where a PPP authentication NG response is transmitted when an invalid connection request is received will be described. In the second embodiment, components having the same functions as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof is omitted.

  FIG. 8 is a diagram illustrating an example of the overall configuration of the network connection control system 1a according to the second embodiment. As shown in FIG. 8, in the network connection control system 1a according to the second embodiment, the point that the invalid connection accommodation LNS is not connected to the communication line carrier network 200 and the processing by the LAC control server are the same as the first embodiment. Different.

  FIG. 9 is a diagram illustrating an example of the configuration of the LAC control server 40a according to the second embodiment. As shown in FIG. 9, the LAC control server 40a according to the second embodiment is different from the first embodiment in the processing by the connection destination LNS response unit 46a and the invalid request information update unit 46b. Hereinafter, these will be mainly described.

  When the invalid request determination unit 45a determines that the number of invalidations exceeds the threshold, the connection destination LNS response unit 46a sends the IP address of the connection destination LNS corresponding to the connection request to the LAC 30. Reply with information that does not contain. Specifically, the connection destination LNS response unit 46a sends a connection destination LNS resolution response that does not include the IP address of the connection destination LNS to the LAC 30 when the invalid request determination unit 45a determines that the request is an invalid connection request. Send.

  When the LAC 30 receives the connection destination LNS resolution response that does not include the IP address of the connection destination LNS, the LAC 30 transmits a PPP authentication NG response to the broadband router 20 indicating that the authentication for establishing the PPP session is NG. The broadband router 20 that has received the PPP authentication NG response executes transmission of the PPP connection request again. That is, in the network control system 1a according to the second embodiment, the above-described process is repeatedly executed. As a result, the LNS and the authentication server do not execute processing, and the processing load on these servers can be reduced.

  The invalid request information update unit 46b stores the update date and time in association with the invalid request information management table stored by the invalid request information storage unit 44a, and deletes records that have not been updated for a certain period of time. For example, the invalid request information update unit 46b deletes a record that has not been updated for a certain time regardless of the number of invalid connection request transmissions. Thereby, the LAC control server 40 according to the second embodiment can suppress an increase in unnecessary records.

  In the LAC control server 40a according to the second embodiment, processes other than those described above are the same as those of the LAC control server 40 according to the second embodiment.

[Procedure for Connection Processing by Network Connection Control System According to Second Embodiment]
Next, a connection processing procedure performed by the network connection control system 1a according to the second embodiment will be described with reference to FIG. FIG. 10 is a sequence diagram illustrating a processing procedure performed by the network connection control system 1a according to the second embodiment. FIG. 10 shows a sequence when the connection request transmitted by the broadband router is determined to be invalid by the LAC control server 40.

  As shown in FIG. 10, in the LAC control server 40 according to the second embodiment, when the broadband router 20 transmits a PPP connection request (step S401), the LAC 30 uses the domain of the connection destination ISP included in the PPP connection request. A connection destination LNS resolution request including information, user information, and line information is transmitted to the LAC control server 40 (step S402).

  In the LAC control server 40, when the connection destination LNS resolution request is received, the invalid request determination unit 45a determines whether or not the received connection destination LNS resolution request is an invalid connection request (step S403). . Here, in this sequence, the invalid request determination unit 45a determines that the received connection destination LNS resolution request is an invalid connection request. After that, the LNS information resolution unit 45b executes LNS information resolution for determining the connection destination LNS (step S404).

  Here, in the LAC control server 40 according to the second embodiment, the connection destination LNS response unit 46a transmits a connection destination LNS resolution response that does not include the IP address of the connection destination LNS to the LAC 30 (step S405). . When the LAC 30 receives the connection destination LNS resolution response that does not include the IP address of the connection destination LNS, the LAC 30 transmits a PPP authentication NG response to the broadband router 20 (step S406). Thereafter, the network connection control system 1a according to the second embodiment repeatedly executes a PPP connection request transmission (step S407) and a PPP authentication NG response.

  In addition, in the network connection control system 1a according to the second embodiment, a sequence when the connection request transmitted by the broadband router is not determined to be invalid by the LAC control server 40, and the authentication by the authentication server 70 is NG, and The sequence when the connection request transmitted by the broadband router is not determined to be invalid by the LAC control server 40 and the domain information of the connection destination ISP is incorrect is the same as that of the network connection control system 1 according to the first embodiment. It is.

[Effect of Example 2]
As described above, according to the second embodiment, when the invalid request determination unit 45a receives a connection request from the broadband router 20, the number of times that the connection request from the broadband router 20 is invalidated has a predetermined threshold value. Determine if it has exceeded. The connection destination LNS response unit 46a includes the IP address of the LNS corresponding to the connection request for the LAC when the invalidation request determination unit 45a determines that the number of invalidations exceeds the threshold. No response information. Therefore, the LAC control server 40a according to the second embodiment can perform control so that processing by the LNS and the authentication server is not executed, and can reduce the processing load on the server related to network connection control. To.

  Further, according to the second embodiment, the LAC control server 40a according to the second embodiment is a device other than a device necessary for providing a connection service to the ISP carrier network via the PPP session, such as the invalid connection accommodating LNS 60. This makes it possible to reduce the processing load on the server related to network connection control.

  Although the first and second embodiments have been described so far, the embodiment according to the present application is not limited to the first and second embodiments. That is, these embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made.

  In the first and second embodiments described above, the case where there is a single LNS IP address corresponding to ISP domain information has been described. However, the embodiment is not limited to this, and may be, for example, a plurality. In such a case, all the LNS IP addresses may be included in the connection destination LNS resolution response, or a single IP address may be selected by the LAC control server 40 and included in the connection destination LNS resolution response. In addition to the domain information of the connection destination ISP, for example, the LNS information management table may be configured so that the connection destination LNS can be resolved based on the identification information (IP address) of the transmission source LAC.

  In the first embodiment described above, the case where a single invalid connection accommodation LNS is used has been described. However, the embodiment is not limited to this. For example, a plurality of invalid connection accommodation LNS may be used.

  In the above-described first and second embodiments, the case where the invalid request is determined based on the three attributes of the line information, the domain information, and the user information has been described. However, the embodiment is not limited to this. For example, the determination may be made using only line information. In such a case, the invalid request information management table is composed of two columns of line information and invalid request transmission count. In this configuration, for example, even when the broadband router transmits an invalid request while changing domain information or user information, the invalid request is specified by the line information of the transmission source line and accommodated in the invalid connection accommodation LNS. Can do.

  In the second embodiment described above, a case has been described in which a connection destination LNS resolution response that does not include an LNS IP address is responded to a connection destination LNS resolution request that is determined to be an invalid request. However, the embodiment is not limited to this. For example, the connection destination LNS resolution response may not be returned and the connection destination LNS resolution request may be discarded. In such a case, the time until the broadband router times out with no response and transmits the PPP connection request again becomes longer. As a result, the transmission frequency of the PPP connection request decreases, and the processing load on the LAC and LAC control server decreases. be able to.

  In addition, for example, the specific form of distribution / integration of each device (for example, the form of FIG. 2) is not limited to that shown in the figure, and all or a part thereof can be arbitrarily set according to various loads or usage conditions. It can be distributed or integrated functionally or physically in units. For example, the LNS information resolution unit 45b and the connection destination LNS response unit 45c may be integrated as one processing unit, while the invalid request information update unit 45d creates a new invalid request information. And an update unit to be updated.

  Further, the control unit 45 may be connected via a network as an external device of the LAC control server 40, or another device has an invalid request information storage unit 44a and an LNS information storage unit 44b, respectively. The functions of the LAC control server 40 described above may be realized by connecting and cooperating.

  These embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

30 LAC
40 LAC control server 45a Invalid request determination unit 45b LNS information resolution unit 45c Connection destination LNS response unit 45d Invalid request information update unit 50 LNS

Claims (5)

A network connection control method executed by a network connection control device that controls connection between an access controller and a network server using a layer 2 tunneling protocol based on a connection request from a user terminal via the access controller,
Counting the number of times the connection request from the user terminal is invalidated as the number of times invalidated in the authentication in the connection between the access controller and the network server and the authentication in the authentication server connected to the network server, A counting step in which the number of times of the association is stored in a predetermined storage unit in association with each user terminal;
A determination step of determining whether or not the number of times that the connection request from the user terminal has been invalidated exceeds a predetermined threshold with reference to the storage unit when a connection request is received from the user terminal;
When the determination step determines that the number of invalidations exceeds the threshold, the invalid network server not connected to an external network and the access controller are connected by the layer 2 tunneling protocol. A connection control process for controlling
A network connection control method comprising: The counting step includes deleting the number of times corresponding to the user terminal stored in the storage unit when the access controller and the invalid network server are connected based on a connection request of the user terminal. The network connection control method according to claim 1 , wherein: A network connection control device that controls connection between an access controller and a network server according to a layer 2 tunneling protocol based on a connection request from a user terminal via the access controller,
Counting the number of times the connection request from the user terminal is invalidated as the number of times invalidated in the authentication in the connection between the access controller and the network server and the authentication in the authentication server connected to the network server, Counting means for associating the number of times for each user terminal and storing it in a predetermined storage unit;
A determination unit that determines whether or not the number of times the connection request from the user terminal is invalid exceeds a predetermined threshold with reference to the storage unit when a connection request is received from the user terminal;
When the determination means determines that the number of invalidations exceeds the threshold, the invalid network server not connected to an external network and the access controller are connected by the layer 2 tunneling protocol. Connection control means for controlling
A network connection control device comprising: A network connection control method executed by a network connection control device that controls connection between an access controller and a network server using a layer 2 tunneling protocol based on a connection request from a user terminal via the access controller,
Counting the number of times the connection request from the user terminal is invalidated as the number of times invalidated in the authentication in the connection between the access controller and the network server and the authentication in the authentication server connected to the network server, A counting step in which the number of times of the association is stored in a predetermined storage unit in association with each user terminal;
A determination step of determining whether or not the number of times that the connection request from the user terminal has been invalidated exceeds a predetermined threshold with reference to the storage unit when a connection request is received from the user terminal;
When it is determined by the determination step that the number of invalidations exceeds the threshold value, the access controller is provided with information that does not include the IP address of the connection destination network server corresponding to the connection request. A response process to respond;
A network connection control method comprising: A network connection control device that controls connection between an access controller and a network server according to a layer 2 tunneling protocol based on a connection request from a user terminal via the access controller,
Counting the number of times the connection request from the user terminal is invalidated as the number of times invalidated in the authentication in the connection between the access controller and the network server and the authentication in the authentication server connected to the network server, Counting means for associating the number of times for each user terminal and storing it in a predetermined storage unit;
A determination unit that determines whether or not the number of times the connection request from the user terminal is invalid exceeds a predetermined threshold with reference to the storage unit when a connection request is received from the user terminal;
When the determination unit determines that the number of invalidations exceeds the threshold, the access controller responds with information that does not include the IP address of the connection destination network corresponding to the connection request. A response means to
A network connection control device comprising:

Images