KR102123415B1 - Method for processing of message, server and cloud system thereof - Google Patents

Abstract

The present invention relates to a method capable of controlling a plurality of access devices, and more specifically, a control device for controlling a plurality of access devices is generated by applying a virtualization technology, and is generated according to a plurality of access devices and virtualization technology. The present invention relates to a message processing method capable of defining a message for transmitting and receiving information between control devices and processing a defined message, a connection device control server for this purpose, and a cloud access device control system.
For this, the message processing method according to an embodiment of the present invention allocates access controllers for each site composed of a plurality of access devices, and access messages previously generated at the site through access devices in a specific site. In the access device control server for controlling to process through, The access device control server receiving a message according to a predetermined protocol transmitted from any one access device, the access device control server is the access controller assigned to the access device And a step of processing the received message through the identified access controller by the access device control server.

Description

Message processing method, access device control server for this, and cloud access device control system{METHOD FOR PROCESSING OF MESSAGE, SERVER AND CLOUD SYSTEM THEREOF}

The present invention relates to a method capable of controlling a plurality of access devices, and more specifically, a control device for controlling a plurality of access devices is generated by applying a virtualization technology, and is generated according to a plurality of access devices and virtualization technology. The present invention relates to a message processing method capable of defining a message for transmission and reception of information between control devices and processing a defined message, an access device control server for this purpose, and a cloud access device control system.

The contents described in this section merely provide background information for this embodiment, and do not constitute a prior art.

With the development of information and communication technology, various wireless communication technologies have been developed. Among them, a wireless local access network (WLAN) is a personal digital assistant (PDA), a laptop computer, a portable multimedia player (PMP), and smart based on radio frequency technology. It refers to a technology that enables wireless access to the Internet from a specific service providing site such as a home, a business, or an airport using a portable terminal such as a smart phone.

One of the essential devices required for building such a wireless LAN system is an access device called an access point. Such an access device provides a function similar to that of a base station to a portable terminal, such as a base station of a mobile communication network, and serves to support access to the communication network. In addition, as described above, the access device may be constructed for each specific service providing site, such as a company or an airport, and such a connection device has a short frequency band, output, and coverage that is different from that of a mobile communication network support station, so that the user can use the wireless LAN smoothly. In order to provide a service, installation of many access devices in the site as well as construction of many sites are required.

In addition, in order to provide a smooth wireless LAN service to a terminal located in the site, it is also necessary to construct a control device capable of controlling the access device in conjunction with a plurality of access devices in the site.

However, the method so far is a method of physically constructing and connecting a control device for controlling an access device for each site, and it is necessary to physically construct and allocate a control device for each site, depending on the number of acceptable access devices in the site. Accordingly, there is a problem in that it is difficult to design performance for the control device organically.

Published Korean Patent No. 2012-0070488, published on June 29, 2012 (name: access point control method and apparatus)

The present invention has been proposed to solve the above-mentioned conventional problems, and in particular, a message processing method capable of generating a control device controlling a plurality of access devices for each site by applying virtualization technology, a connection device control server and a cloud for the same It is an object to provide a connection device control system.

In addition, the present invention defines a message according to a predetermined protocol for transmitting and receiving information between a plurality of access devices and a control device generated according to virtualization technology, and a message processing method capable of processing the defined message, and a connection device therefor The purpose is to provide a control server and a cloud access device control system.

However, the object of the present invention is not limited to the above object, and other objects not mentioned will be clearly understood from the following description.

Message processing method according to an embodiment of the present invention for achieving the above object is assigned to each access controller for each site consisting of a plurality of access devices, the message generated through the access device in a specific site to the site What is claimed is: 1. An access device control server that controls to be processed through a pre-allocated access controller, the access device control server comprising: receiving a message according to a predetermined protocol transmitted from any one access device; Checking, by the access device control server, an access controller assigned to the access device; And processing, by the access device control server, the received message through the identified access controller.

In this case, the message according to the determined protocol may mean a tunneling message tunneled using the designated port information for the access device control server and the IP address information of the access controller assigned to the access device.

In addition, the message according to the predetermined protocol is composed of a message header (message header) and the message body (control message body), the message header is reserved (Reserved), version (Version), flags (Flags), message ID (Message) ID), Length, Station ID, Domain ID, Access Controller ID (AC ID), Access Device ID (AP ID), Transaction ID, Connection Device RF ID ( RF ID), at least one of a connection device VAP ID, and the message body is an element ID, a length, and information defined according to each element for each message type. It may include at least one of (Information).

At this time, in the step of receiving the message, the access device control server may check the reservation of the message header of the received message to determine whether the message is a data signal or a control signal.

At this time, in the processing of the message, the access device control server removes the tunneling header of the received tunneling message and checks and processes the message from which the tunneling header has been removed, and when a response message is generated accordingly, the generated response The message can be controlled to be delivered to the access device by adding the tunneling header.

In addition, if the received message is an initial interlocked connection request (DISCOVER REQUEST) message, the step of processing the message determines whether the access controller of the access device control server is the access device assigned to the access device. step; If it is determined that the access device is assigned to the access device, the access controller of the access device control server generates an initial interlocked access request response (DISCOVER RESPONSE) message including a pre-registered access device ID (AP ID). ; And processing, by the access controller of the access device control server, the initial interlocked access request response message to the access device to process the message.

At this time, after the initial interlocking connection request response message is delivered to the access device and processing the message, the access controller of the access device control server transmits a message related to the access device and keep alive (KEEP ALIVE) in a predetermined cycle unit. And transmitting/receiving; may be further included.

In addition, if the received message is an association request (ASSOCIATION REQUEST) message, the step of processing the message may include: an access controller of the access device control server performing authentication for a terminal connected to the access device; And as a result of performing the authentication, if authentication is successful, the access controller of the access device control server transmits a message to the access device to send a station connection information notification (STATION CONNECTION INFO NOTIFY) message to the access device for IP assignment It may be achieved, including; processing.

At this time, the station connection information notification message is at least one or more of DHCP parameters required for allocating dynamic IP to the terminal to which the access device is connected, protocol ID required for local break out, ID band, and port range. Can be configured.

In addition, the step of performing the authentication may include transmitting an association request response (ASSOCIATION RESPONSE) message in response to the association request message to the access device by the access controller of the access device control server; A connection acknowledgment (ASSOCIATION ACK) message received from the access device by the access controller of the access device control server; And a step in which the access controller of the access device control server interworks with an authentication server to perform authentication for a terminal connected to the access device.

At this time, in the step of performing authentication for the terminal connected to the access device in conjunction with the authentication server, the access controller of the access device control server performs authentication for the terminal based on a MAC in conjunction with the authentication server. And, as a result of performing the authentication, if the authentication fails, after the step of transmitting the station connection information notification message to the access device, transmitting a redirection message for web-based authentication to the terminal; further comprising Can be done.

In addition, in the step of authenticating the terminal connected to the access device in conjunction with the authentication server, the access controller of the access device control server authenticates the terminal according to the Extensible Authentication Protocol (EAP). Performing, and processing the message by transmitting the station connection information notification message, the access controller of the access device control server receives a key exchange confirmation (KEY CHANGE ACK) message from the access device; And processing, by the access controller of the access device control server, transmitting a station connection information notification message for IP allocation to the terminal to the access device and processing the message.

In addition, if the received message is a DISASSOCIATION REQUEST message, the step of processing the message is that the access controller of the access device control server connects to the access device to release the association between the terminal and the access device. The message can be processed by delivering a response message for a release request.

In addition, if the received message is a recombination request (REASSOCIATION REQUEST) message according to a recombination request of a terminal delivered from another access device, the step of processing the message is that the access controller of the access device control server is currently connected to the terminal. Identifying a connected device; Transmitting, by the access controller of the access device control server, a disconnect request (DISASSOCIATION REQUSET) message to the identified access device; Transmitting, by the access controller of the access device control server, a REASSOCIATION RESPONSE message to the other access device in response to the recombination request message; A connection controller of the access device control server receiving an association confirmation (ASSOCIATION ACK) message from the other access device; Transmitting, by the access controller of the access device control server, a station connection information notification message to the other access device; And changing, by the access controller of the access device control server, a data transmission path from the access device to the other access device.

At this time, according to whether the re-combination request message includes an authentication key, the access controller of the access device control server performs authentication for a corresponding terminal connected to the other access device, or is previously generated in response to the terminal. A master session key (MSK) may be delivered to the other access device.

In addition, the present invention can provide a computer-readable recording medium recording a program for executing a message processing method according to an embodiment of the present invention as described above.

In order to achieve the above object, each access controller is assigned to each site composed of a plurality of access devices according to an embodiment of the present invention, and messages generated through access devices in a specific site are pre-allocated to the site. An access device control server for controlling processing through a controller, the access device control server comprising: a communication module that configures a site and transmits and receives information to and from one or more registered access devices; A hypervisor configured to check a connection controller assigned to the access device when a message according to a predetermined protocol is received from any one access device through the communication module, and control the message to be delivered to the identified access controller; And when the message is transmitted through the hypervisor, a plurality of access controllers supporting a processing process for the message.

In order to achieve the above object, each access controller is assigned to each site composed of a plurality of access devices according to an embodiment of the present invention, and messages generated through access devices in a specific site are pre-allocated to the site. A cloud access control system that controls to be processed through a controller, the cloud access control system comprising: a site and one or more access devices for tunneling and transmitting a message generated according to a connection with a terminal according to a predetermined protocol; And an access device control server that controls the received message to be processed through an access controller assigned to the site of the access device when the message tunneled according to a predetermined protocol is received from any access device. Can be.

According to the message processing method of the present invention, the access device control server and the cloud access device control system for this, the number of access devices constituting a site is generated by applying a virtualization technology to a control device controlling a plurality of access devices for each site. In consideration of the above, it is possible to build a control device organically, and instead of building a control device that is physically connected to the site, by building a control device through virtualization technology, it is possible to reduce the cost of system construction and maintenance as well as system availability. Will be able to improve.

In addition, the present invention defines a message according to a predetermined protocol for transmission and reception of information between a plurality of access devices and a control device generated according to virtualization technology, and processes a defined message, thereby allowing a connection between the access device and the newly defined control device. It is possible to support smooth message processing.

In addition, various effects other than the above-described effects may be directly or implicitly disclosed in a detailed description according to an embodiment of the present invention to be described later.

1 is a configuration diagram schematically showing a main configuration of a cloud access device control system according to an embodiment of the present invention.
2 is an exemplary view for explaining a message transmission/reception process between an access device and an access device control server according to an embodiment of the present invention.
3 is a block diagram showing a main configuration of a connection device according to an embodiment of the present invention.
4 is a block diagram showing a main configuration of a connection device control server according to an embodiment of the present invention.
5 is a block diagram showing a main configuration of an integrated management server according to an embodiment of the present invention.
6 is a flowchart schematically illustrating a message processing method according to an embodiment of the present invention.
7 is a data flow diagram for explaining a message processing method according to an embodiment of the present invention in more detail.
8 is an exemplary diagram for explaining a message structure according to an embodiment of the present invention.
9 is a data flow diagram illustrating a message processing method according to an initial access procedure according to an embodiment of the present invention.
10 is a data flow diagram illustrating a message processing method in a connection procedure according to an embodiment of the present invention.
11 is a data flow diagram illustrating a message processing method in a connection procedure according to another embodiment of the present invention.
12 is a data flow diagram illustrating a message processing method in a connection procedure according to another embodiment of the present invention.
13 is a data flow diagram illustrating a message processing method in a connection release procedure according to an embodiment of the present invention.
14 is a data flow diagram illustrating a message processing method in a handover procedure according to an embodiment of the present invention.
15 and 16 are data flow diagrams for describing a message processing method in a handover procedure according to another embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings will be described in detail preferred embodiments that can be easily carried out by the person of ordinary skill in the art. However, in the detailed description of the operating principle for the preferred embodiment of the present invention, when it is determined that a detailed description of related known functions or configurations may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted. This is to more clearly communicate the core of the present invention by omitting unnecessary description. In addition, the present invention can be applied to various changes and can have various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description, but this is not intended to limit the present invention to specific embodiments, It should be understood to include all modifications, equivalents, or substitutes included in the spirit and scope of the present invention.

In addition, terms including ordinal numbers such as first and second are used to describe various components, and are used only for the purpose of distinguishing one component from other components, and to limit the components It is not used. For example, the second component may be referred to as the first component without departing from the scope of the present invention, and similarly, the first component may also be referred to as the second component.

In addition, when referring to a component being "connected" or "connected" to another component, it means that it can be connected or connected logically or physically. In other words, it may be understood that a component may be directly connected to or connected to other components, but other components may exist in the middle and may be connected or connected indirectly.

In addition, the terms used in this specification are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In addition, terms such as "comprises" or "have" described herein are intended to indicate that there are features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, or one or more thereof. It should be understood that the above other features or numbers, steps, actions, components, parts or combinations thereof are not excluded in advance.

Now, a message processing method according to an embodiment of the present invention, an access device control server for this, and a cloud access device control system will be described in detail with reference to the drawings. At this time, the same reference numerals are used for parts having similar functions and functions throughout the drawings, and duplicate descriptions thereof will be omitted.

First, a cloud access device control system according to an embodiment of the present invention will be described.

1 is a configuration diagram schematically showing a main configuration of a cloud access device control system according to an embodiment of the present invention.

The cloud access device control system according to an embodiment of the present invention operates various types of messages such as call processing/authentication generated through the access device 200 supporting access to the communication network 1000 to the terminal 100 based on virtualization It characterized in that it is made by the access device control server 300.

Referring to Figure 1, schematically explaining the components constituting the cloud access device control system of the present invention, the terminal 100 according to the user's operation in accordance with the operation of one site (site) any one of the access device 200 and Refers to a user's device that is connected and connects to the communication network 1000 through the connected access device 200 to transmit and receive various data. Here, the terminal 100 may search for one or more access devices 200 located within a certain radius according to the IEEE 802.11 protocol in an active or passive manner, and perform a procedure for performing access with the discovered access devices 200. have. In addition, when the connection is completed with any one of the access devices 200, the terminal 100 may be connected to the communication network 1000, that is, the core network (not shown), and a web server connected to an external Internet network (not shown). And various kinds of information.

The access device 200 refers to a device that supports access to the communication network 1000 of the terminal 100 according to an embodiment of the present invention. For example, an access point may correspond to the access device 200 of the present invention. However, the present invention is not limited thereto, and any device capable of supporting the connection of the communication network 1000 of the terminal 100 may operate as the connection device 200 of the present invention.

Particularly, the access device 200 according to an embodiment of the present invention may constitute a site where one or more groups are collected to cover a certain range. Here, the site may be a point where the logical characteristics are the same, such as a company or a school, and may mean a range of a certain size, such as within a radius of 100 m. One site may preferably consist of a plurality of access devices 200.

In the prior art, a control device for processing various messages generated according to access to the access device 200 of the terminal 100 is assigned to each site, and is physically connected to one or more access devices 200 located in the site. It had to be. For example, when there are 100 sites, 100 control devices for controlling the access devices 200 in each site also need to be required. In addition, the number of access devices 200 constituting the first site and the second site may be different from each other, and building a control device in consideration of characteristics of a site including the number of different access devices 200 is There is a problem in that it is practically difficult to construct a control device organically according to the number of the accommodating connection devices 200.

However, in the cloud access device control system according to an embodiment of the present invention, a control device for processing various messages generated through the access device 200, that is, the access device control server 300 controls each site using virtualization technology. The feature is that it allocates a virtual connection controller, which is a device, and processes various messages generated through the connection device 200.

The access device control server 300 supports the process of creating, changing, and deleting access controllers for processing various messages generated through the access devices 200 in a site for each site using virtualization technology as described above, and access The entire process of processing various messages generated through the device 200 by the corresponding access controller is supported. That is, it may serve to process various messages generated according to procedures such as call processing and authentication for access to the communication network 1000 of the terminal 100 through an access controller implemented with virtualization technology. In addition, various functions for charging may be performed, such as statistical processing of data packets generated in connection with the terminal 100.

At this time, the message transmitted and received between the access device 200 and the access controller in the access device control server 300 generated by being pre-allocated to the site constituted by the access device 200 is set to a predetermined protocol as shown in FIG. 2. Send and receive accordingly.

Here, the predetermined protocol means a pre-defined protocol between the access device 200 and the access device control server 300 according to an embodiment of the present invention, wherein the message is sent to the access device control server 300 Refers to a tunneled message tunneled by using the designated port information and the IP address information of the access controller allocated to the corresponding access device 200.

That is, the message transmitted and received between the terminal 100 and the access device 200 in FIG. 2 is a general message conforming to the TCP/IP protocol, while the message transmitted and received between the access device 200 and the access device control server 300 is It means a tunneling message that follows a predefined UDP protocol and adds a tunneling header to messages transmitted and received between the terminal 100 and the access device 200. At this time, the tunneling header includes the port information (for example, 2233) designated in correspondence with the access device control server 300 and the IP address information of the access controller assigned to the access device 200, so that the access device 200 is A virtual tunneling section (referred to as R6 tunneling section in the present invention) can be formed so that a message generated through it can be delivered to a corresponding access controller of the access device control server 300.

A method of processing a message between the access device 200 and the access device control server 300 will be described later, and in order to perform the above-described operation, first, a connection controller corresponding to a site including a plurality of access devices 200 Create and register using virtualization technology, and perform the process of registering by providing information on the access device 200 located in the corresponding site in advance as the access controller.

This process may be achieved through interworking with the access device control server 300 and the integrated management server 400.

The integrated management server 400 is a component that supports the overall management process for the access device control server 300 according to an embodiment of the present invention. In particular, the integrated management server 400 according to an embodiment of the present invention generates access controllers for a site composed of a plurality of access devices 200 according to a virtualization method in consideration of available resources of the access device control server 300 Support the process of becoming. Then, in response to the generated access controller, the process of storing and registering information on the access device 200 constituting the site covered by the access controller is performed. For example, when 50 access devices 200 are present in one site, the integrated management server 400 allocates resources in the access device control server 300 to accommodate 50 access devices 200 and accesses them. You can create a controller. In addition, by providing and registering information on the 50 access devices 200 to the access controller, the access controller can support processing of the transmitted message. For another example, when 100 access devices 200 are present in one site, the integrated management server 400 allocates resources in the access device control server 300 to accommodate 100 access devices 200 By creating a connection controller can perform the process of registering the access device 200.

Here, the integrated management server 200 may transmit and receive information according to the TCP/IP protocol with the access device control server 300. That is, the connection device 200 and the access device control server 300 generates a tunneling section according to a specified protocol to transmit and receive messages, while the integrated management server 200 and the access device control server 300 are TCP/IP protocols. In accordance with this, information is transmitted and received. However, instead of creating and terminating the TCP session whenever necessary, the TCP session is maintained continuously.

As described above, through the cloud access device control system according to an embodiment of the present invention, a control device can be organically constructed in consideration of the number of access devices 200 constituting a site, and is also physically connected to the site. Rather than constructing a control device, by constructing a control device through virtualization technology, system availability can be improved when cost is reduced due to system construction and maintenance.

In addition, one embodiment of the present invention will be described as an example that the integrated management server 400 and the access device control server 300 are implemented separately from each other, but the integrated management server 400 and the access device control server 300 May be implemented as a single cloud solution system, or may exist as a module form of a single cloud solution system.

In addition, although only one integrated management server 400 and one access device control server 300 are illustrated in the drawing, a plurality of access device control servers 300 managed by one integrated management server 400 may exist. .

The main configuration and operation method of the more specific access device 200, access device control server 300 and integrated management server 400 will be described later, and access device 200 and access device control according to an embodiment of the present invention The processor mounted on the server 300 and the integrated management server 400 can process program instructions for executing the method according to the present invention. In one implementation, this processor may be a single-threaded processor, and in other implementations, the processor may be a multithreaded processor. Furthermore, the processor can process instructions stored on a memory or storage device.

In addition, the communication network 1000 according to an embodiment of the present invention refers to a communication network for transmitting and receiving information between each component. In particular, various types, such as intranet networks, mobile communication networks, satellite communication networks, etc. A communication network implemented using a kind of wired/wireless communication technology may be a mixed form. In addition, the communication network 1000 according to an embodiment of the present invention may refer to the same internal network based on the site where the access device 200 is located, or may refer to an external network.

Hereinafter, the main configuration and operation method of the connection device 200 according to an embodiment of the present invention will be described first.

3 is a block diagram showing a main configuration of a connection device according to an embodiment of the present invention.

1 and 3, the access device 200 according to an embodiment of the present invention includes a communication interface unit 210, a terminal access management unit 220, an integrated management server interworking unit 230, and an access device control server interworking It may be configured to include a unit 240 and the message processing unit 250.

In more detail for each component, first, the communication interface unit 210 serves to support transmission and reception of information between the terminal 100, the access device control server 300, and the integrated management server 400. In particular, the communication interface unit 210 of the present invention can transmit and receive various information according to the connection procedure and data transmission and reception with the terminal 100, and the terminal 100 between the access device control server 300 and the integrated management server 400 ) Can transmit and receive various information to support the connection procedure and data transmission and reception.

The terminal access management unit 220 serves to support a connection procedure and a data transmission/reception procedure with the terminal 100 located within a certain radius covered by the terminal. More specifically, the terminal access management unit 220 may support the process of transmitting a beacon (beacon) to one or more terminals 100 located within a certain radius according to the IEEE 802.11 protocol. In addition, the terminal access management unit 220 may receive a probe request message from the terminal 100 detecting the beacon through the communication interface 210, and in response to this, a probe response A process of transmitting a message to the corresponding terminal 100 through the communication interface unit 210 may be supported. Since the above process can use a variety of known methods, detailed description will be omitted.

Thereafter, the terminal connection management unit 220 may support the connection procedure of the terminal 100 in conjunction with the connection device control server interworking unit 240, which will be described later, and data packets are transmitted and received to and from the terminal 100 where the connection is completed. Can support the process. In addition, the terminal access management unit 220 may store and manage information on IP information, MAC information, traffic usage, and the like for the connected terminal.

The integrated management server interworking unit 230 serves to support interworking with the integrated management server 400. In particular, the integrated management server interworking unit 230 according to an embodiment of the present invention is connected to the access controller of the access device control server 300 that is interlocked with itself through the communication interface 210 when the first power-on (on) Query information is transmitted. In addition, the integrated management server interworking unit 230 receives information on the access device control server 300 from the integrated management server 400 through the communication interface unit 210, that is, port information and IP for the allocated access controller. When the information is received, it is transmitted to the access device control server interworking unit 240. In addition, in an embodiment of the present invention, when the access device 200 is first powered on, information about the access device control server 300 and the access controller is transmitted to the integrated management server 400 through the communication interface 210. Although the query is described as an example, when the access device 200 is built in a specific site, it may be input by an administrator. In addition, when the integrated management server linker 230 receives various control information for driving, such as frequency change, SSID setting, output adjustment, etc., from the integrated management server 400, the integrated management server 400 may support a process of processing an operation accordingly.

The access device control server interworking unit 240 may serve to transmit and receive various messages according to the access procedure of the terminal 100 in conjunction with the access device control server 300. In particular, the access device control server interworking unit 240 of the present invention, when the port information for the access device control server 300 and the IP information for the assigned access controller is transmitted through the integrated management server interworking unit 230, It is delivered to the message processing unit 250, so that various messages according to the access procedure of the terminal 100 are transmitted to the access control server 300 to the corresponding access controller. More specifically, the access device control server interworking unit 240 of the present invention, when various messages according to the access procedure of the terminal 100 are generated through the message processing unit 250, the generated message is the access device control server 300 Tunneling process for generating a tunneling header including port information for the access device control server 300 and IP information for the access controller to be delivered to the access controller, and tunneling process for the message so that the generated tunneling header is included in the message To perform. At this time, the access device control server interworking unit 240 uses a variety of known tunneling methods such as IP enIP (IP encapsulation within IP encapsulation) tunneling, MEIP (Minimal Encapsulation within IP) tunneling, GRE (Generic Routing Encapsulation) tunneling, IPsec tunneling, etc. The tunneling process can be performed. In addition, the access device control server interworking unit 240 supports the process of transmitting the tunneled tunneling message to the communication interface unit 210.

Thereafter, when the response message for the message transmitted from the access device control server 300 is received through the communication interface unit 210, the access device control server interworking unit 240 also transmits the response message in the form of a tunneled packet. , After removing the tunneling header from the response message, by checking the contents of the message with the tunneling header removed, it is possible to support the process of processing the message.

The message processing unit 250 generates various messages according to an embodiment of the present invention and delivers them to the terminal access management unit 220 and the access device control server interworking unit 240, or interworking with the terminal access management unit 220 and the access device control server A process such as performing a specific operation according to a message transmitted through the unit 240 may be supported.

The main configuration and operation of the connection device 200 according to the embodiment of the present invention has been described above. More specific operation in the access device 200 according to an embodiment of the present invention can be clearly understood through a flow chart to be described later, and in addition, through FIG. 3, the access device 200 of the present invention through the communication interface unit 210 ), the terminal connection management unit 220, the integrated management server interworking unit 230, the connection device control server interworking unit 240 and the message processing unit 250, but is described as an example, but is not limited thereto. Furnace connection device 200 may be configured. For example, inside the AP through interworking with a Web CM processing unit (not shown) and a Network Time Protocol (NTP) server that executes a web browser for parameter control and transmits a command message through input from a web browser to a corresponding processing block. NTP processing unit (not shown) that performs the time information synchronization process, authentication/billing processing unit (not shown) that performs processing according to the RADIUS protocol with the authentication server for authentication and charging for the access terminal, F/ that manages the firmware W management unit (not shown), log storage/processing unit (not shown) that stores and manages messages related to terminal access in log format, user access processing unit (not shown) that supports terminal login, SSID, authentication method, authentication server When various parameters such as IP address information change, output change, channel change, etc. are changed, the parameter processing unit (not shown) that notifies the corresponding processing unit or changes the setting, performs IP pool management for terminal IP allocation and allocation through DHCP It further includes a DHCP processing unit (not shown), a status check processing unit (not shown) for checking the status of the access controller, a driver linking unit (not shown) interworking the drivers provided by the WLAN communication chipset vendor and various modules. It may be configured.

Hereinafter, the main configuration and operation of the access device control server 300 according to an embodiment of the present invention will be described.

4 is a block diagram showing a main configuration of a connection device control server according to an embodiment of the present invention.

1 and 4, the access device control server 300 according to an embodiment of the present invention refers to a server operating through virtualization technology. The access device control server 300 may include at least one virtual machine, an access controller 330, a host OS 320, and hardware 310.

The host OS 320 and the hardware 310 refer to a host machine. Here, the host machine refers to an actual physical server on which virtual hardware is generated, the host OS 320 refers to an OS running on the host machine, and the hardware 310 is an actual physical hardware resource of the host machine. , A communication module 311, a storage module 312, and the like.

The host OS 320 may include a hypervisor 321. The hypervisor 321 serves to create and manage a plurality of access controllers 330 under the control of the integrated management server 400, and a hypervisor 321 of various virtualization methods such as full virtualization and semi-virtualization Can be applied. In particular, the hypervisor 321 according to an embodiment of the present invention may be implemented as a Linux kernel-based virtual machine (KVM), and may be replaced with other hypervisors that provide equivalent or similar actions/effects. In addition, the hypervisor 321 may include an emulator (not shown) that mimics the hardware of the virtual machine 300. The emulator (not shown) requests the hypervisor 321 to generate a connection controller 330 which is a virtual machine and allocate resources, and performs input/output (I/O) processing with the access controller 330. The emulator (not shown) may be mapped and operated for each access controller 330, and the emulator (not shown) mapped for each access controller 330 may be implemented as a different type of emulator.

In particular, the hypervisor 321 according to an embodiment of the present invention may deliver information about available resources to the integrated management server 400 at the request of the integrated management server 400, and is provided by the integrated management server 400. It serves to generate the access controller 330 using the allocated resource information. Then, when information about one or more access devices 200 constituting a site mapped to the access controller 330 is received from the integrated management server 400, that is, IP information, corresponding to the generated access controller 330 To save. Subsequently, when a message is received from the access device 200 through the communication module 311 of the hardware 310, the hypervisor 321 checks the corresponding access controller 330 through the received message, and the identified access controller At 330, a process in which the message is transmitted may be supported.

At least one access controller 330 operates in the access device control server 300 applied to the server virtualization environment. Here, the number of access controllers 330 is not limited, and may be generated in a plurality of available resource environments.

In particular, the access controller 330 of the present invention may be assigned to each site composed of a plurality of access devices 200 as described above. For example, when the number of connected devices of the mapped site is 50, the access controller 330 is generated by allocating resources capable of interworking with 50 access devices under control of the hypervisor 321, and constructing the corresponding site. To support the process of processing the message transmitted from the access device 200. At this time, the connection controller 330, when a message according to the protocol specified through the hypervisor 321 is transmitted, removes the tunneling header of the message, checks the content of the message, and performs an operation corresponding thereto, with the authentication server After performing an authentication procedure through interworking, and generating a response message according to this, the generated response message may be tunneled to support a process delivered to the corresponding access device 200.

The connection controller 330 is not shown in the drawing, but may be configured to include a guest OS (not shown) and an application (not shown) for message processing. The guest OS (not shown) in each access controller 330 may be implemented with different types of OS, and the type and number of applications (not shown) possessed by each access controller 330 is the corresponding access controller 330 ) May be different depending on the type and number of the connection devices 200 to be processed.

In addition, the access device control server 300 according to an embodiment of the present invention may further include a security management unit 340. Here, the security management unit 340 may detect illegal access devices and terminals inside the network, and perform a function of detecting and automatically blocking a hacking attack threat.

The method for processing a message in the access device control server 330 according to an embodiment of the present invention may be more clearly understood through a flow chart described later.

Hereinafter, the main configuration and operation process of the integrated management server 400 according to an embodiment of the present invention will be described.

5 is a block diagram showing a main configuration of an integrated management server according to an embodiment of the present invention.

1 and 5, the integrated management server 400 according to an embodiment of the present invention may include an integrated management device 410, a cloud manager 420, and a device manager 430.

In more detail for each component, the integrated management device 410 manages the access device management unit 411 and the access device control server 300 that manage the access device 200 constituting the system of the present invention. It may be configured to include a connection controller management unit 412, a server management unit 413 for managing the connection device control server 300. Here, the access device management unit 411 stores and manages information such as IP information and a serial number of the access device 200 constituting the site. Here, information such as IP information, serial number, etc. for the access device 200 may be directly input by an administrator through the input device 432, and when the access device 200 is first turned on, the corresponding access device ( 200).

The access controller management unit 412 registers IP information, ID information, and MAC information for the access controller generated through the cloud manager 420, and information about the access device 200 constituting a site assigned to the access controller. It may serve to store and manage in response to the access controller. In particular, the access controller management unit 412 may request the creation of an access controller to the cloud manager 420 at the request of the administrator. At this time, the access controller management unit 412 may include access to the access device 200 constituting the site allocated to the access controller, and information on the type and number of access controllers using resources allocated according to the information. So you can ask.

The server management unit 413 stores and manages information about the access device control server 300. That is, there may be a plurality of access device control servers 300 of the present invention, and the server management unit 413 may provide information on the plurality of access device control servers 300 and access controllers of the access device control servers 300. It can play a role of storing and managing information.

The cloud manager 420 may include a server processing unit 412 and a connection controller processing unit 422. The server processing unit 412 may support a process in which the access device control server 300 processes information of the access device control server 300 to be registered in the server management unit 413 when initially constructed. The access controller processing unit 422 may support a process in which the access controller is generated using the resource environment of one access device control server 300. In particular, the access controller processing unit 422 of the present invention requests the access device control server 300 to check information about available resources held, and if it is determined that the access controller can be generated, the access device control server ( 300) by sending a command to generate a connection controller, it may request that the connection controller is generated. In addition, when generation completion information for the access controller is received from the access device control server 300, the process of transferring it to the access controller management unit 412 of the integrated management device 410 may be supported.

In addition, the access controller processing unit 422 may transmit a delete command for the access controller generated at the request of the user to the access device control server 300, whereby the hypervisor of the access device control server 300 is connected to The process of deleting the access controller may be performed by recovering the resources allocated to the controller.

In addition, the access controller processing unit 422 may perform a process of increasing or deleting the number of registered access devices corresponding to the access controller.

In addition, the device manager 430 may include a communication device 431, an input device 432, an output device 433, and a storage device 434, and the integrated management device 410 and the cloud manager 420 ) To support access to each device.

As described above, the main configuration of the integrated management server 400 according to the embodiment of the present invention has been described. However, the integrated management server 400 may be implemented by more components than those illustrated through FIG. 5. For example, the integrated management server 400 further includes an administrator management unit (not shown) that stores and manages information about an administrator, a SON processing unit (not shown) that processes and manages functions for a self organizing network (SON), and the like. Can be configured.

Each device constituting the cloud access device control system of the present invention has been described above. The memory mounted in each of these devices stores information in the device. In one implementation, the memory is a computer-readable medium. In one implementation, the memory may be a volatile memory unit, and in other implementations, the memory may be a non-volatile memory unit. In one embodiment, the storage device is a computer-readable medium. In various different implementations, the storage device may include, for example, a hard disk device, an optical disk device, or some other mass storage device.

In addition, the term'~module' used in the embodiment of the present invention means a software component, and'~module' performs certain roles. As an example,'~module' refers to components such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, and subs. It includes routines, segments of program code, drivers, data, databases, data structures, tables, arrays, and variables. In addition, the functions provided in the components and'~modules' may be combined into a smaller number of components and'~modules', or further separated into additional components and'~modules'.

Although the specification and drawings describe exemplary device configurations, the functional operations and subject implementations described herein may be implemented with other types of digital electronic circuits, or the structures disclosed herein and their structural equivalents. It may be implemented in the included computer software, firmware or hardware, or a combination of one or more of them. Implementations of the subject matter described herein are one or more computer program products, that is, one for computer program instructions encoded on a tangible program storage medium to control or thereby execute the operation of a device according to the invention. It can be implemented as the above modules. The computer-readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of materials affecting a machine-readable propagated signal, or a combination of one or more of these.

Hereinafter, the message processing method will be described in more detail with reference to the access device control server 300 according to an embodiment of the present invention, and the access device 200 and the access device control server ( 300) and the operation of the integrated management server 400 can be more clearly understood.

6 is a flowchart schematically illustrating a message processing method according to an embodiment of the present invention.

1 and 6, the access device control server 300 according to an embodiment of the present invention receives a message according to a protocol determined from any one of the access devices 200 constituting the site. (S101). In this case, the message is a message according to the UDP protocol and is transmitted in the form of a tunneling message to which a tunneling header including port information (eg, 2233) of the access device control server 300 and IP address information of a corresponding access controller is added.

The access device control server 300 checks the tunneling header of the received message, and transmits the message to the access controller assigned to the access device 200. That is, as described with reference to FIG. 4, when a message is transmitted through the communication module 311 of the hardware 310, the hypervisor 320 can access the message through the tunneling header of the message (330) ).

Thereafter, the access controller of the access device control server 300 removes the tunneling header, checks the content of the message, performs a corresponding action accordingly, and processes the corresponding message, such as generating a response message. It can be performed (S105).

7 is a diagram illustrating the process in more detail.

7 is a data flow diagram for explaining a message processing method according to an embodiment of the present invention in more detail.

Referring to FIG. 7, a process of searching for one or more access devices 200 located within a predetermined radius of the terminal 100 may be performed, and an access procedure for connection with the searched access devices 200 may be performed. have. When the terminal 100 transmits a message to the access device 200 according to the access procedure (S1101), the access device 200 according to an embodiment of the present invention transmits the corresponding message to the access device control server 300. In order to deliver to the controller, a process of tunneling the message is performed (S1103). To this end, the access device 200 generates a tunneling header using the above information while obtaining the port information of the access device control server 300 and the IP address information of the access controller allocated to the access device in advance, and generates After the tunneling message is generated by adding the tunneling header to the message, the generated tunneling message can be transmitted to the access device control server 300 (S1105).

The access device control server 300 that has received this identifies the access controller capable of processing the message through the tunneling header of the received message, and allows the corresponding access controller to process the message. That is, after removing the tunneling header (S1107), the access controller can check the content of the message, perform an operation according to the checked message content, and generate a response message that is the result information (S1109). Thereafter, in order to transmit the response message to the access device 200, the access controller performs tunneling of the response message using the tunneling header and then transmits the tunneled response message to the access device 200 (S1111 to S1113). . In this way, the access device 200 and the access device control server 300 may form a tunneling section according to the R6 protocol, and transmit and receive messages through the section.

In addition, after removing the tunneling header of the transmitted response message (S1115), the access device 200 can transmit the response message to the terminal 100 that transmits and receives the message according to the TCP/IP protocol (S1117).

In addition, the message according to the determined protocol according to an embodiment of the present invention is composed of a message header (message header, 710) and a message body (control message body, 720), as shown in Figure 8a in terms of structure. Headers are reserved, version, flags, message ID, length, station ID, domain ID, and access controller ID (AC ID). , An access device ID (AP ID), a transaction ID (transaction ID), an access device RF ID (RF ID), and a connection device VAP ID (VAP ID). Also, as shown in FIG. 8B, the message body may include at least one of an element ID, a length, and information defined according to each element for each message type. .

The following is a brief description of the structure of the message header.

Message item Explanation Reserved To distinguish control signals or data signals, the length of the field is 4 bytes Version Information about the R6 protocol version currently used. The field length is 1 byte. Flags Information on the definition of the use of 802.16 (WiMAX/WiBro) TLV. The length of the field is 1 byte. Message ID This is a field that defines the type of message. The length of the field is 2 bytes.
For example, the message ID of the combine request message is 05, and the message ID of the keep alive message is 03. Length Means the total length of the message including the length of the message header Station Id Means the MAC address of the transmitting station, and the length of the field is 6 bytes Domain ID Information that identifies the site where the access device is installed. The length of the field is 1 byte. AC ID Information about the ID of the assigned access controller. The length of the field is 1 byte. AP ID Information on the ID of the access device created by the integrated management server. The length of the field is 2 bytes. Transaction ID Information about the transaction ID of the message according to the R6 protocol. The length of the field is 2 bytes. RF ID Information about the RF ID of the access device, the length of the field is 1 byte VAP ID Information classified by SSID of access device, field length is 1 byte

Here, the reserved (Reserved) is to distinguish whether the message according to an embodiment of the present invention is a control signal including a control command or a data signal including only data. Meaning, if there is no value of the corresponding field, it is recognized as a data signal.

That is, when a message is received from the access device 200, the access device control server 300 checks the reserved field in the header of the received message, and thus can determine whether the message is a control signal or a data signal. In addition, in the case of a data signal including only data, a process for data signal processing can be performed, such as a process of checking the access controller through a separate processing path.

Hereinafter, a method of processing a message in the access device control server 300 according to the message type will be described in more detail with reference to FIGS. 9 to 16. In addition, for convenience of description, the process of transmitting and receiving a message between the access device 200 and the access device control server 300 through tunneling is not explicitly illustrated, but access is made as described above even if there is no separate description. It should be noted that the messages transmitted and received between the device 200 and the access device control server 300 are tunneled and transmitted differently from messages transmitted and received between the terminal 100 and the access device 200.

9 is a data flow diagram illustrating a message processing method according to an initial access procedure according to an embodiment of the present invention.

Referring to FIG. 9, the access device 200 transmits query information on the access controller of the access device control server 300 that is interlocked with itself when the power is first turned on to the integrated management server 400 ( S201). Then, when a response thereto is received from the integrated management server 400, that is, port information of the access device control server 300 and IP address information of the assigned access controller (S203), the subsequent access devices 200 are described above. As described above, an R6 tunneling section may be formed with the access device control server 300, and information may be transmitted and received with the access device control server 300 through the section, and between the access device 200 and the access device control server 300 The transmitted/received message can be transmitted through tunneling even if there is no additional explanation.

Then, the access device 200 transmits an initial interlocked access request (DISCOVER REQUEST) message to the access device control server 300 to inquire whether or not it is registered in the corresponding server and the access controller (S205). The message is a message generated when the access device 200 and the access device control server 300 first communicate, the access device IP address, access point model information, access point vendor information ( AP Vender Name), and access device hardware information (AP Hw Info).

Subsequently, when the initial connection request message is received, the corresponding connection controller of the access device control server 300 uses the access device IP address information included in the message, so that the access device 200 is integrated management server 400 ) To determine whether or not the access device 200 is assigned to the user. As a result of the check, when the access device 200 is an access device assigned to it, the corresponding access controller of the access device control server 300 is designated by the integrated management server 400 in correspondence with the access device 200 An initial interworking access request response (DISCOVER RESPONSE) message including the registered access device ID (AP ID) is generated, and the generated initial interworking access request response message is transmitted to the access device 200 (S207).

After such a process, the access device 200 and the access device control server 300 can now perform an association procedure of the terminal 100.

The message processing method according to the access procedure will be described later. In addition, after the process, the access device 200 indicates that it is operating normally in a certain periodic unit, for example, every 3 seconds. 300) to send a keep alive request (KEEP ALIVE REQUSET) message to the access device control server 300 (S209), the access device control server 300 is a response message for this, keep alive response (KEEP ALIVE RESPONSE) The message may be transmitted to the access device 200 (S211). Here, when the corresponding access controller of the access device control server 300 does not receive the keep alive request message from the access device 200 over a predetermined number of times (for example, 3 times or more) for a predetermined time, for example, 10 seconds, access It may be determined that the device 200 is in an abnormal state, and a procedure for releasing all terminals 100 connected to the access device 200 may be performed.

Hereinafter, a method of processing a message according to an association procedure of the terminal 100 will be described.

10 is a data flow diagram illustrating a message processing method in a connection procedure according to an embodiment of the present invention.

Referring to FIG. 10, first, the terminal 100 transmits an association request (ASSOCIATION REQUEST) message to the access device 200 to perform access with the discovered access device 200 (S301). Upon receiving this, the access device 200 delivers the combination request message to the access device control server 300 (S303). Then, the access device control server 300 generates an association request response (ASSOCIATION RESPONSE) message in response to the association request message, transmits it to the access device 200 (S305), and receives the access device 200 The combined request response message is transmitted to the terminal 100 (S307).

Then, after transmitting the association request response message to the terminal 100, the access device 200 transmits an association confirmation (ASSOCIATION ACK) message to the access device control server 300. The access device control server 300 receiving this may perform authentication for the terminal 100 in conjunction with the authentication server 600. That is, in the connection procedure between the access device according to the prior art and the control device controlling the same, when a connection request message is received from the access device, the control device controlling the access device performs authentication for the terminal and then transmits the connection request response message to the access device. If it is transmitted to, in the present invention, after the connection confirmation message is received from the access device 200, the terminal 100 is authenticated. This is to provide parameter information for the DHCP server in charge of the site assigned to the access controller of the access device control server 300, even if the access device 200 receives a combined request response message in step S305, the terminal ( ID assignment for 100) is not yet possible. Therefore, the access device control server 300 first performs authentication in conjunction with the authentication server 600 based on the MAC of the terminal 100. That is, when the access controller of the access device control server 300 requests MAC-based authentication to the authentication server 600 and receives the MAC-based authentication success message from the authentication server 600 (S313), station connection information is notified (STATION CONNECTION INFO) NOTIFY) message can be generated and transmitted to the access device 200 (S315).

Upon receiving this, the access device 200 can perform a DHCP process for allocating IP to the terminal 100 based on the content of the station connection information notification message (S319). Since the DHCP process can use a variety of known methods, a detailed description will be omitted.

In addition, the above-described authentication server 600 refers to a server that performs authorization, authentication, and accounting (AAA), and can perform billing processing.

In addition, the above-mentioned station connection information notification message includes at least one of a DHCP parameter required to allocate dynamic IP to a terminal to which the access device is connected, a protocol ID required for local break out, an ID band, and a port range. It can be composed of. Here, the protocol ID required for local break out is necessary to transmit to the corresponding internal network without forwarding it when the traffic requested by the terminal 100 is traffic to be processed in a specific internal network. Information.

The message body structure of the station connection information notification message is as follows.

Order Information Element ID Length(in octets) Option One Auth status 134 2 M 2 Auth Type 130 2 M 3 Sta IP Address 140 4 M 4 Sta Index 141 2 M 5 Subnet Mask 142 4 M 6 Router 143 4 M 7 Domain Name Server 144 4 M 8 DHCP Lease Time 145 4 M 9 DHCP Server Identifier 146 4 M 10 DHCP Renewal Time 147 4 M 11 DHCP Rebinding Time 148 4 M 12 Local Break Out Count 149 One M 13 Local Break Out IP Protocol ID 150 One M 14 Local Break Out Start Port 151 2 M 15 Local Break Out End Port 152 2 M 16 Local Break Out Start IP 153 4 M 17 Local Break Out End IP 154 4 M

On the other hand, when the access device control server 300 interoperates with the authentication server 600 and the MAC-based authentication fails, the terminal 100 may be authenticated based on the web.

This will be described with reference to FIG. 11.

11 is a data flow diagram illustrating a message processing method in a connection procedure according to another embodiment of the present invention.

Referring to FIG. 11, steps S401 to S411 are substantially the same as steps S301 to S311 described with reference to FIG. 10, so a description thereof will be omitted, and the corresponding access controller of the access device control server 300 is authenticated. When receiving a message that the MAC-based authentication has failed from the server 600 (S413), the corresponding access controller of the access device control server 300 accesses the station connection information notification message for IP assignment to the terminal 100 Device 200.

The access device 200 receiving this may perform a DHCP process for allocating IP in the dynamic IP allocation method with the terminal 100, and then the access device 200 receives the first data packet generated in the terminal 100. When it is detected (S419), it is notified by notifying the access device control server 300 (S421), and accordingly, the corresponding access controller of the access device control server 300 transmits a web redirection message to the terminal 100 (S423). , Web-based authentication between the terminal 100 and the authentication server 600, that is, ID (ID) and password (PASSWORD)-based authentication can be controlled to be performed.

10 and 11, MAC-based authentication and web-based authentication procedures between the access device 200 and a corresponding access controller of the access device control server 300 have been described. In addition, the access device 200 and the access device control server 300 of the present invention may perform authentication for the terminal 100 according to the Extensible Authentication Protocol (EAP). EAP authentication means a method of authenticating the terminal 100 using a dual pairwise master key (PMK).

A message processing method according to EAP authentication will be described with reference to FIG. 12.

12 is a data flow diagram illustrating a message processing method in a connection procedure according to another embodiment of the present invention.

Referring to FIG. 12, steps S501 to S509 are substantially the same as steps S401 to S409 described with reference to FIG. 11, so a description thereof will be omitted, and when the terminal 100 supports EAP authentication, S509 After the step, the terminal 100 may perform an authentication procedure in conjunction with the access device 200 (S511). After performing the device authentication for the terminal 100, it may be divided into a procedure for performing user authentication for the user, and the process at this time may be performed using various known methods, so a detailed description will be omitted. .

Thereafter, the access device 200 may transmit and receive various messages to perform the EAP authentication process with a corresponding access controller of the access device control server 300 according to the EAP authentication process of the terminal 100, and the access device control server The corresponding access controller of 300 may perform the above process in conjunction with the authentication server 600 (S513 to S515).

When the authentication for the terminal 100 is completed and the RADIUS acceptance message, which is an EAP success message, is received from the authentication server 600, the access device control server 300 and the authentication server 600 receive a master session key (MSK). Key), and the access controller of the access device control server 300 transmits a key change directive message including the master session key to the access device 200 (S517).

Thereafter, the terminal 100 and the access device 200 generate a dual pairwise master key, that is, a PMK according to a 4-way key exchange process, and access the device through a key exchange confirmation message that the key exchange is completed and the PMK is generated. The corresponding access controller of the control server 300 is notified (S521).

Thereafter, since the access controller of the access device control server 300 has completed all the AP authentication procedures, the station connection information notification message can be transmitted to the access device 200 (S523), and the access device 200 receiving the access device 200 is tactical. As described above, the IP for the terminal 100 can be allocated (S525).

In addition, the access device control server 300 according to an embodiment of the present invention may perform a message processing process according to a disconnection procedure of the terminal 100.

This will be described with reference to FIG. 13.

13 is a data flow diagram illustrating a message processing method in a connection release procedure according to an embodiment of the present invention.

Referring first to FIG. 13A, the terminal 100 may transmit a DISASSOCIATION REQUEST message to the access device 200 in order to release the connection with the access device 200 (S601). The access device 200 that received this sends the disconnection request message to the access device control server 300 (S603), and the corresponding access controller of the access device control server 300 includes the access device 200 and the terminal ( 100) and performs a connection release procedure, generates a response release message (DISASSOCIATION RESPONSE) message according to the response message, and transmits it to the access device 200 (S605). Then, the access device 200 that received this is able to complete the disconnection process with the terminal 100 by transmitting a disconnection response message to the terminal 100 (S607). The above process is an operation performed by the request of the terminal 100 according to a handover procedure.

On the other hand, if a failure occurs in the access device 200, or if it is determined that the access device 200 is operating abnormally, the request of the corresponding access controller of the access device control server 300 controlling the access device 200 Accordingly, the process of disconnecting the terminal 100 may be performed.

That is, as shown in FIG. 13B, a failure occurs or abnormally occurs in the access device 200, such as the access controller of the access device control server 300 does not periodically receive a keep alive request message from the access device 200. If it is determined that it is operating, the connection device 200 may transmit a release request message to the connection device 200 (S701), and the connection device 200 transmits a connection release request message to the terminal 100, and from the terminal 100 Response message, which is a response message, may be received (S703 to S705). Subsequently, the access device 200 may transmit a disconnection response message to the access device control server 300 (S707), so that the terminal 100 is normally released.

Hereinafter, a message processing method according to a handover procedure in the terminal 100 will be described.

14 is a data flow diagram illustrating a message processing method in a handover procedure according to an embodiment of the present invention.

Prior to description with reference to FIG. 14, for convenience of description, the first access device 200a means a source access device to which the current terminal 100 is connected, and the second access device 200b is the terminal 100 It is assumed that this is a target connection device to be moved and newly connected. In addition, the terminal 100 may determine whether to handover in a variety of known ways according to the movement. For example, the terminal 100 may determine whether handover is performed by comparing the strengths of signals transmitted from one or more access devices within a predetermined radius, and may perform a process of selecting a target access device in conjunction with a source access device. Since the above process uses a known procedure, detailed description will be omitted.

Referring to FIG. 14, the terminal 100 transmits a REASSOCIATION REQUEST message to the second access device 200b, which is a target access device to be moved (S801). Here, the recombination request message may be the same in terms of the structure and the combination request message, and will be referred to as a recombination request message for convenience of explanation.

Then, the second access device 200b transmits a recombination request message to the access device control server 300 (S503), and access to manage information on which access device 200 the terminal 100 is connected to The corresponding access controller of the device control server 300 checks the first access device 200a, which is the source access device to which the terminal 100 is currently connected, and transmits a disconnection request message to the identified first access device 200a. It is done (S805). Upon receiving this, the first access device 200a may transmit a connection release request message to the terminal 100 to perform a connection release procedure (S807).

Then, the access device control server 300 transmits a recombination request response (REASSOCIATION RESPONSE) message to the second access device 200b so that the terminal 100 can be connected to the second access device 200b (S809). The received second access device 200b transmits a recombination request response message to the terminal 100 (S811), so that it is connected to the terminal 100. In addition, the terminal 100 transmits the disconnection response message to the first access device 200a (S813), and the first access device 200a transmits the disconnection response message to the access device control server 300 ( S815), complete the connection release procedure. The connection confirmation message may be transmitted to the second connection device 200b or the connection device control server 300 (S817), and as the connection confirmation message is received from the second connection device 200b, the connection device control server 300 The corresponding access controller determines that all handover procedures have been completed, and transmits a station connection information notification message to the second access device 200b.

Subsequently, the second access device 200b and the terminal 100 may perform a procedure for allocating a new ID, and may not perform the procedure according to the terminal 100. Then, the access device control server 300 may store the changed information on the second access device 200b of the terminal 100 to perform a process of changing and registering a transmission path (S821).

In addition, in step S801, when the terminal 100 transmits the recombination request message to the second access device 200b, the authentication key, for example, information about the PMK may be transmitted and may not be included. Depending on whether the authentication key of the recombination request message is included, the access device control server 300 may not perform authentication with the authentication server or perform authentication again in connection with the authentication server.

This will be described with reference to FIGS. 15 and 16.

15 and 16 are data flow diagrams for describing a message processing method in a handover procedure according to another embodiment of the present invention.

First, referring to FIG. 15, the terminal 100 transmits a recombination request message to the second access device 200b (S901). At this time, the recombination request message does not contain an authentication key (PMK ID). Subsequent steps S903 to S917 are substantially the same as steps S803 to S817 described with reference to FIG. 14, so a detailed description thereof will be omitted, and the access device control server 300 includes an authentication key in the recombination request message after step S917. Since it is not, it is possible to perform authentication for the terminal 100 in conjunction with an authentication server. At this time, the terminal 100 may perform the authentication process with the second access device 200b according to the EAP authentication process, as described with reference to FIG. 12, and the second access device 200b according to the EAP authentication process The generated message can be transmitted and received with the access device control server 300 (S921). Subsequently, when all authentication procedures have been completed and the RADIUS acceptance message, which is an EAP success message, is received from the authentication server, the access device control server 300 and the authentication server 600 may share a master session key (MSK). , The access controller of the access device control server 300 transmits a Key Change Directive message including the master session key to the access device 200 (S923).

Thereafter, the terminal 100 and the access device 200 generate a double pairwise master key, that is, a PMK according to a 4-way key exchange process (S925), and a key exchange confirmation message that the key exchange is completed and the PMK is generated. Through the access device control server 300, the corresponding access controller is notified (S927). Thereafter, the access device control server 300 transmits a station connection information notification message to the second access device 200b (S929), and stores information about the changed second access device 200b of the terminal 100, A process of changing and registering a transmission path may be performed (S931).

On the other hand, when the recombination request message includes information on the authentication key (PMK ID) through the RSN in step S901, as illustrated in FIG. 16, the access device control server 300 accesses the second terminal 100 As the recombination request message is received through the device 200b (S1001 to S1003), a disconnection request message is transmitted to the first access device 200a (S1005), and the first access device 200a transmits the disconnection request message to the terminal 100 ) Is transmitted (S1007).

Thereafter, the access device control server 300 transmits a recombination request response message including the master session key (MSK) shared through the authentication server to the second access device 200b, and the second access device 200b This is transmitted to the terminal 100 (S1009 ~ S1011).

On the other hand, the terminal 100 transmits a disconnection response message to the first access device 200a (S1013), and the first access device 200a transmits it to the access device control server 300 (S1015). Complete the release procedure. In addition, the second access device 200b may transmit a connection confirmation message to the access device control server 300 and transmit the master session key to the terminal 100 to inform whether the user has the authentication key (S1019). .

Then, the access device control server 300 transmits a station connection information notification message to the second access device 200b (S1021), so that the terminal 100 can normally complete a connection procedure with the second access device 200b. do. Thereafter, the access device control server 300 registers information on the connected second access device 200b for the terminal 100 to complete a transmission path change and registration procedure (S1023).

The message processing method according to the embodiment of the present invention has been described above.

The message processing method of the present invention as described above may be provided in the form of a computer-readable medium suitable for storing computer program instructions and data. A program recorded in a recording medium for implementing a message processing method according to an embodiment of the present invention comprises the steps of: receiving a message according to a predetermined protocol transmitted from any one access device by the access device control server; A step of checking the access controller assigned to the access device, and the step of processing the received message through the access device control server by the access device control server may be executed.

At this time, the program recorded on the recording medium can be read, installed and executed on a computer to execute the above-described functions.

Here, in order for a computer to read a program recorded on a recording medium and execute functions implemented as a program, the above-described programs are C, C++, which can be read by a computer's processor (CPU) through a device interface of the computer, It may include code coded in a computer language such as JAVA or machine language.

The code may include a function code related to a function defining functions described above, and the like, and control code related to an execution procedure necessary for a processor of a computer to execute the functions described above according to a predetermined procedure. In addition, the code may further include memory reference-related code as to which location (address address) of the computer's internal or external memory should be referred to additional information or media necessary for the computer's processor to perform the functions described above. . In addition, when the processor of the computer needs to communicate with any other computer or server in the remote in order to execute the above-described functions, the code is used to determine whether the computer's processor is in the remote using the computer's communication module. It may further include communication-related codes on how to communicate with other computers or servers, and what information or media should be transmitted/received during communication.

Such computer-readable media suitable for storing computer program instructions and data include, for example, recording media such as hard media, magnetic media such as floppy disks and magnetic tapes (Magnetic Media), and CD-ROM (Compact Disk Read Only Memory). , Optical Media such as DVD (Digital Video Disk), Magnetic-Optical Media such as Floptical Disk, and ROM (Read Only Memory), RAM (RAM) , Random Access Memory, Flash memory, EPROM (Erasable Programmable ROM), and semiconductor memory such as EEPROM (Electrically Erasable Programmable ROM). The processor and memory may be supplemented by, or incorporated in, special purpose logic circuitry.

In addition, the computer-readable recording medium can be distributed over network coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion. In addition, functional programs for implementing the present invention and related codes and code segments, programmers in the technical field to which the present invention belongs, in consideration of the system environment of a computer that reads a recording medium and executes the program It can be easily inferred or changed by.

This specification includes details of many specific implementations, but these should not be understood as limiting on the scope of any invention or claim, but rather as a description of features that may be specific to a particular embodiment of the particular invention. It should be understood. Certain features that are described in this specification in the context of separate embodiments may be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented in multiple embodiments individually or in any suitable subcombination. Further, although features may operate in a particular combination and may initially be depicted as so claimed, one or more features from the claimed combination may be excluded from the combination in some cases, and the claimed combination subcombined. Or sub-combinations.

Likewise, although the operations are depicted in the drawings in a particular order, it should not be understood that such operations should be performed in the particular order shown or in sequential order, or that all shown actions should be performed in order to obtain desirable results. In certain cases, multitasking and parallel processing may be advantageous. In addition, the separation of various system components of the above-described embodiments should not be understood as requiring such separation in all embodiments, and the described program components and systems will generally be integrated together into a single software product or packaged in multiple software products. You should understand that you can.

The present invention relates to a method capable of controlling a plurality of access devices, and more specifically, a control device for controlling a plurality of access devices is generated by applying a virtualization technology, and is generated according to a plurality of access devices and virtualization technology. The present invention relates to a message processing method capable of defining a message for transmission and reception of information between control devices and processing a defined message, an access device control server for this purpose, and a cloud access device control system.

According to the present invention, by creating a control device that controls a plurality of access devices for each site by applying virtualization technology, it is possible to construct a control device organically in consideration of the number of access devices constituting the site and physically accessing the site. Rather than building a connected control device, by building a control device through virtualization technology, it is possible to improve system availability as well as reduce costs associated with system construction and maintenance.

The present invention can contribute to the development of the telecommunications service industry. In addition, the present invention has industrial applicability since it is not only sufficient for commercial or commercial sales, but also can be implemented in a realistic manner.

100: terminal 200: access device
210: communication interface unit 220: terminal access management unit
230: integrated management server linkage 240: access device control server linkage
250: message processing unit 300: access device control server
310: hardware 320: host OS
330: access controller 340: security management unit
400: integrated management server 410: integrated management device
411: connection device management unit 412: connection controller management unit
413: server management unit 420: cloud manager
421: server processing unit 422: connection controller processing unit
430: device manager 431: communication device
432: input device 433: output device
434: storage device 1000: cloud access control system

Claims (18)

In the access device control server for assigning each access controller for each site consisting of a plurality of access devices, and controls to process messages generated through the access devices in a specific site through the access controller pre-assigned to the site,
The access device control server sends a message according to a specified protocol, which is a tunneling message tunneled using the specified port information for the access device control server and IP address information of the access controller assigned to the access device, which is transmitted from one access device. Receiving;
Checking, by the access device control server, an access controller assigned to the access device; And
After the access device control server removes the tunneling header of the received tunneling message, checks and processes the message with the tunneling header removed, and when a response message is generated, the generated response message is added to the tunneling header to add Controlling to be delivered to the access device;
Message processing method comprising a. delete According to claim 1,
The message according to the specified protocol is
It consists of a message header and a message body,
The message header includes Reserved, Version, Flags, Message ID, Length, Station ID, Domain ID, Access Controller ID (AC) ID), at least one of an access device ID (AP ID), a transaction ID (Transaction ID), an access device RF ID (RF ID), and an access device VAP ID (VAP ID),
The message body is a message processing method characterized in that it comprises at least one of the element ID (Element ID), length (length), information (Information) defined according to each element (element) for each message type. According to claim 3,
In the step of receiving the message,
Message processing method, characterized in that the access device control server determines whether the message is a data signal or a control signal by checking the reservation of the message header of the received message. delete According to claim 1,
If the received message is an initial interworking connection request (DISCOVER REQUEST) message,
The step of processing the message
Determining whether the access device of the access device control server is the access device assigned to the access device;
If the access device is determined to be the access device assigned to it, the access controller of the access device control server generates an initial interlocked access request response (DISCOVER RESPONSE) message including a pre-registered access device ID (AP ID). ; And
Processing, by the access controller of the access device control server, transmitting the initial interworking access request response message to the access device;
Message processing method comprising a. The method of claim 6,
After the initial interworking connection request response message is delivered to the access device to process the message,
A step in which the access controller of the access device control server transmits/receives a message related to keep alive (KEEP ALIVE) with the access device in a predetermined cycle unit;
Message processing method characterized in that it further comprises. According to claim 1,
If the received message is an association request (ASSOCIATION REQUEST) message,
The step of processing the message
A step in which the access controller of the access device control server authenticates a terminal connected to the access device; And
As a result of performing the authentication, if authentication is successful, the access controller of the access device control server transmits a message by sending a STATION CONNECTION INFO NOTIFY message to the access device for IP allocation for the terminal. Processing;
Message processing method comprising a. The method of claim 8,
The station connection information notification message
Message processing method characterized in that it consists of at least one of a DHCP parameter required to allocate a dynamic IP to the terminal to which the access device is connected, a protocol ID required for local break out, an ID band, and a port range. . The method of claim 8,
The step of performing the authentication is
Transmitting an association request response (ASSOCIATION RESPONSE) message in response to the association request message to the access device by the access controller of the access device control server;
A connection controller of the access device control server receiving an association confirmation (ASSOCIATION ACK) message from the access device; And
A step in which the access controller of the access device control server works with an authentication server to perform authentication for a terminal connected to the access device;
Message processing method comprising a. The method of claim 10,
In the step of authenticating the terminal connected to the access device in conjunction with the authentication server
The access controller of the access device control server works with the authentication server to perform authentication for the terminal based on a MAC,
As a result of performing the authentication, if authentication fails, after the step of transmitting the station connection information notification message to the access device, transmitting a redirection message for web-based authentication to the terminal;
Message processing method characterized in that it further comprises. The method of claim 10,
In the step of authenticating the terminal connected to the access device in conjunction with the authentication server
The access controller of the access device control server performs authentication for the terminal according to an Extensible Authentication Protocol (EAP),
The step of processing the message by passing the station connection information notification message is
Receiving, by the access controller of the access device control server, a key exchange confirmation (KEY CHANGE ACK) message from the access device; And
Processing, by the access controller of the access device control server, transmitting a station connection information notification message to the access device for IP assignment to the terminal;
Message processing method comprising a. According to claim 1,
If the received message is a DISASSOCIATION REQUEST message,
The step of processing the message
Message processing method, characterized in that the access controller of the access device control server processes a message by transmitting a disconnection request response message to the access device to release the association between the terminal and the access device. According to claim 1,
If the received message is a recombination request (REASSOCIATION REQUEST) message according to the recombination request of the terminal transmitted from another access device,
The step of processing the message
Checking, by the access controller of the access device control server, the access device to which the terminal is currently connected;
Transmitting, by the access controller of the access device control server, a disconnect request (DISASSOCIATION REQUSET) message to the identified access device;
Transmitting, by the access controller of the access device control server, a REASSOCIATION RESPONSE message to the other access device in response to the recombination request message;
A connection controller of the access device control server receiving an association confirmation (ASSOCIATION ACK) message from the other access device;
Transmitting, by the access controller of the access device control server, a station connection information notification message to the other access device; And
A connection controller of the access device control server changing a data transmission path from the access device to the other access device;
Message processing method comprising a. The method of claim 14,
Depending on whether the re-combination request message includes an authentication key, the access controller of the access device control server performs authentication for a corresponding terminal connected to the other access device, or a master session previously generated in response to the terminal. Message (MSK; Master Session Key) message processing method characterized in that for passing to the other access device. A computer-readable recording medium recording a program for executing the message processing method according to any one of claims 1, 3, 4, 6 to 15. In the access device control server for assigning each access controller for each site consisting of a plurality of access devices, and controls to process messages generated through the access devices in a specific site through the access controller pre-assigned to the site,
The access device control server
A communication module that configures a site and transmits and receives information with one or more registered access devices;
When a message according to a specified protocol, which is a tunneling message tunneled using the specified port information for the access device control server and the IP address information of the access controller assigned to the access device, is received from one access device through the communication module, After removing the tunneling header of the received tunneling message, the message from which the tunneling header is removed is checked and processed, and when a response message is generated, the generated response message is added to the tunneling header to be transmitted to the access device. Hypervisor to do; And
When the message is transmitted through the hypervisor, a plurality of access controllers supporting a process for processing the message;
Connection device control server comprising a. delete

Images