WO2010067864A1 - Communication network system - Google Patents
- Publication number
- WO2010067864A1 (PCT/JP2009/070754)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- partition
- relay
- unit
- broker
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/54—Store-and-forward switching systems
- H04L12/56—Packet switching systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
Definitions
- the present invention relates to a communication network system, and more particularly to a communication network system having a plurality of nodes and a relay device that relays between the nodes.
- the network disclosed in Document 1 includes a network relay device that connects a terminal device and a shared device via a link.
- the network relay device determines whether or not data can be transmitted between the nodes based on a condition relating to at least one of a data transmission source and a transmission destination.
- An object of the present invention is to provide a communication network system that can dynamically control access between nodes.
- the communication network system includes a plurality of nodes, a relay device interposed between the nodes, and a setting device connected to the relay device.
- the relay device includes a relay unit that relays between the nodes, a partition information storage unit that stores partition information for determining whether the relay unit relays between the nodes, and a routing unit that controls the relay unit according to the contents of the partition information stored in the partition information storage unit.
- the setting device includes: a receiving unit that receives broker information indicating that relay between the nodes is requested; a broker information storage unit that stores the broker information received by the receiving unit; a broker information setting unit that generates the partition information with reference to the broker information stored in the broker information storage unit; and a partition information update unit that updates the partition information stored in the partition information storage unit of the relay device to the partition information generated by the broker information setting unit.
- the partition information stored in the partition information storage unit of the relay device can be changed by transmitting the broker information to the setting device. Therefore, control (access control) of permission and prohibition of communication between the nodes can be performed dynamically.
- the broker information includes information indicating a transmission source and information indicating a transmission destination.
- the transmission source is a node that requests the relay unit to relay a signal.
- the transmission destination is a node from which the transmission source requests reception of a signal.
- the broker information setting unit includes a broker information determination module and a partition information generation module.
- the broker information determination module is configured to determine, when two pieces of broker information (first broker information and second broker information) are stored in the broker information storage unit, whether the transmission source indicated by the first broker information matches the transmission destination indicated by the second broker information and whether the transmission destination indicated by the first broker information matches the transmission source indicated by the second broker information.
- the partition information generation module is configured to generate, when the broker information determination module determines that both match, the partition information for causing the relay unit to relay between the transmission source indicated by the first broker information and the transmission destination indicated by the first broker information.
- This communication network system can reduce the possibility of communication intercepted by a third party.
- the node has an object which is a collection of interfaces that are programs for realizing a predetermined function.
- the partition information includes an object identifier for identifying the object and an interface identifier for identifying the interface.
- partition information can be defined for a plurality of objects using only one identification information for identifying a node.
- a plurality of services can be requested using only one of the plurality of object identifiers.
- TCP/IP is used as a communication network protocol
- a service provider can provide many services with a small number of connections. Service recipients can enjoy many services with a small number of connections.
- Another communication network system has an upper domain having a plurality of lower domains.
- Each of the lower domains has a plurality of nodes and a lower relay apparatus interposed between the nodes.
- the lower relay apparatus includes a lower relay unit that relays between the nodes, a lower partition information storage unit that stores lower partition information for determining whether to cause the lower relay unit to relay between the nodes, and a lower routing unit that controls the lower relay unit according to the contents of the lower partition information stored in the lower partition information storage unit.
- the upper domain includes an upper relay device interposed between the lower relay devices belonging to different lower domains, and an upper setting device connected to the upper relay device.
- the upper relay device stores upper partition information for determining whether to cause the upper relay unit to relay between the lower relay units.
- the upper setting device includes an upper receiving unit that receives upper broker information indicating that relay between the lower relay units is requested, an upper broker information storage unit that stores the upper broker information received by the upper receiving unit, an upper broker information setting unit that generates the upper partition information with reference to the upper broker information stored in the upper broker information storage unit, and an upper partition information update unit that updates the upper partition information stored in the upper partition information storage unit to the upper partition information generated by the upper broker information setting unit.
- This communication network system can dynamically change whether communication between lower domains is permitted or prohibited. Furthermore, since the domains are hierarchized, it is only necessary that the linked nodes can identify identification information (address) that can be identified within the domain. Therefore, closed address setting is possible in the lower domain. Therefore, address management in the lower domain is facilitated. For example, it is assumed that a NAT router is used in the lower domain, and domain-specific identification information such as a private address is assigned to the node. Even in this case, the partition information can be transmitted to the upper relay apparatus using the address of the upper domain to which the lower domain relay apparatus belongs. Therefore, the node belonging to the lower domain does not need to know the address of the upper domain. This makes it easier to set and manage addresses in lower domains.
- each of the lower domains has a lower setting device connected to the lower relay device.
- the lower setting device includes a lower receiving unit that receives lower broker information indicating that relay between the nodes is requested, a lower broker information storage unit that stores the lower broker information received by the lower receiving unit, a lower broker information setting unit that generates the lower partition information with reference to the lower broker information stored in the lower broker information storage unit, and a lower partition information update unit that updates the lower partition information stored in the lower partition information storage unit to the lower partition information generated by the lower broker information setting unit.
- whether to relay communication can be set for each node in the lower domain.
- the lower domain includes a lower authentication server that distributes a lower session key used for communication in the lower domain.
- the upper domain has an upper authentication server that distributes an upper session key used for communication with the lower domain.
- the upper partition information update unit is configured to update the upper partition information stored in the upper partition information storage unit after the lower authentication server distributes the lower session key and the upper authentication server distributes the upper session key.
- partition information can be changed safely. Therefore, interception of communication by a third party can be prevented.
- the lower domain includes a lower authentication server that distributes a lower session key used for communication in the lower domain.
- the upper domain has an upper authentication server that distributes an upper session key used for communication with the lower domain.
- the upper partition information update unit is configured to update the upper partition information stored in the upper partition information storage unit after the upper authentication server distributes the upper session key.
- the lower partition information update unit is configured to update the lower partition information stored in the lower partition information storage unit after the lower authentication server distributes the lower session key.
- the partition information of the upper partition information storage unit and the partition information of the lower partition information storage unit are updated. Therefore, access control between nodes can be managed at a plurality of locations. Therefore, the safety of communication between nodes is improved.
- the lower partition information includes an identification number of each of the plurality of nodes belonging to the lower domain, and a local partition number and a global partition number associated with each of the identification numbers.
- the local partition number is used to determine whether relaying between the nodes belonging to the same lower domain is possible.
- the global partition number is used to determine whether communication relay between the nodes belonging to different domains is possible.
- local partition information can be used when communicating between nodes in a domain
- global partition information can be used when communicating between nodes belonging to different domains. Therefore, you can use different domains. It is also possible to permit both intra-domain and inter-domain communications simultaneously.
- the partition information includes an identification number of the node and a partition number associated with the identification number.
- the routing unit is configured to control the relay unit to perform relay between the nodes having the same partition number.
- the partition number is determined using both a network address and a subnet mask given to the node.
- Since the partition information can be used as a routing address, access control can be performed for each node. Further, an IP address including a private address by NAT can be used as the partition information. If only the private address is used, communication can be performed only within the domain without passing through the NAT.
- 1 is a block diagram of a communication network system according to a first embodiment. It is the schematic of the communication format used for the same as the above. 1 is a schematic configuration diagram of a communication network system according to a first embodiment. It is a schematic block diagram of the modification of the communication network system of Embodiment 1. It is the schematic of the modification of the communication format used for Embodiment 1. FIG.
- the communication network system of the present embodiment has an upper domain 10.
- the upper domain 10 has a plurality of lower domains 20.
- Each of the plurality of lower domains 20 is a communication network (home network) provided in a house.
- the communication network system of this embodiment is a multi-domain communication network in which domains are hierarchized.
- the upper domain 10 has two lower domains 20.
- the first lower domain is represented by reference numeral 21 and the second lower domain is represented by reference numeral 22, as necessary.
- the communication network system of the present embodiment is a two-layer network, but may be a three-layer or more network.
- the lower domain 20 includes a plurality of nodes (hereinafter referred to as “terminal nodes”) 30, a relay device (lower relay device) 40 interposed between the terminal nodes 30, a setting device (lower setting device) 50, and an authentication server (lower authentication server) 60.
- each of the lower domains 21 and 22 includes two terminal nodes 30, one lower relay device 40, one lower setting device 50, and one lower authentication server 60.
- the communication network system of the present embodiment includes the four terminal nodes 30, the two lower relay devices 40, the two lower setting devices 50, and the two lower authentication servers 60.
- the first terminal node is represented by reference numeral 31, the second terminal node is represented by reference numeral 32, the third terminal node is represented by reference numeral 33, and the fourth terminal node is represented by reference numeral 34.
- the first lower relay apparatus is denoted by reference numeral 41 and the second lower relay apparatus is denoted by reference numeral 42 as necessary.
- the first lower setting device is denoted by reference numeral 51 and the second lower setting device is denoted by reference numeral 52 as necessary.
- the first lower-level relay device is denoted by reference numeral 61 and the second lower-level relay device is denoted by reference numeral 62 as necessary.
- the upper domain 10 further includes a relay device (upper relay device) 70, a setting device (upper setting device) 80, and an authentication server (upper authentication server) 90.
- the upper relay device 70 is interposed between the lower relay devices 40 belonging to different lower domains 20.
- the upper relay device 70 is connected to the lower relay devices 41 and 42 via a communication path of an external network such as the Internet.
- the lower level relay device 41 is connected to each of the terminal nodes 31 and 32 via a communication path (link) provided in the house.
- the lower relay apparatus 42 is connected to each of the terminal nodes 33 and 34 via a communication path (link) provided in the house.
- the lower relay apparatus 40 also functions as a proxy server for connecting the home network to an external network. That is, the lower relay apparatus 40 communicates with the upper relay apparatus 70 as a proxy for the terminal node 30 in the domain 20.
- Identification information (address) distinguishable from other nodes is assigned to the nodes (relay devices 41, 42, 70, terminal nodes 31, 32, 33, 34) of the communication network system of the present embodiment.
- the identification information of these nodes is referred to as a node ID.
- a node ID is dynamically assigned to each terminal node 30.
- Identification information is also given to each of the domains 10, 21, and 22. Domain identification information is referred to as a domain ID.
- the node IDs of the terminal nodes 31, 32, 33, and 34 are C11, C12, C21, and C22, respectively.
- the node ID of the upper relay apparatus 70 is A0, and the node IDs of the lower relay apparatuses 21 and 22 are B1 and B2, respectively.
- the node ID of the upper setting device 80 is Y0, and the node IDs of the lower setting devices 51 and 52 are Y1 and Y2.
- the domain IDs of the domains 10, 21, and 22 are X0, X1, and X2, respectively.
- Each terminal node 30 has a device (not shown) for realizing a predetermined function.
- a unit of processing to be handled is referred to as an object
- a service attribute related to a service that can be provided by the object is referred to as an interface. That is, the interface is a program for realizing a predetermined function by the device.
- the terminal node 30 has an object that is a collection of interfaces. That is, the object can be said to be a program that defines the usage of the terminal node 30.
- a plurality of terminal nodes 30 may have the same object. In this case, a plurality of terminal nodes 30 can be specified at the same time by specifying an object.
- Each terminal node 30 includes a storage device (not shown) that stores an object identifier associated with an object and an interface identifier associated with an interface included in the object.
- the first terminal node 31 includes a TV camera as a device for realizing a predetermined function.
- the first terminal node 31 has a first object called an imaging function by a TV camera.
- the interface of the first object is a service (service attribute) corresponding to the function of the TV camera, such as start of imaging by the TV camera, stop of imaging by the TV camera, focusing of the TV camera, change of the field of view of the TV camera.
- the third terminal node 33 includes a monitor as a device for realizing a predetermined function.
- the third terminal node 33 has a second object called a display function by a monitor.
- the interface of the second object is a service corresponding to the function of the monitor such as start of display by the monitor or stop of display by the monitor.
- the terminal node 31 and the terminal node 33 cooperate with each other so that the video of the pet kept in the house of the child household, captured by the TV camera (network camera) of the terminal node 31, can be displayed on the monitor (a network-compatible monitor device) of the terminal node 33 in the house of the parent household. If the terminal node 31 and the terminal node 33 are linked only while the householder of the child household is absent, the video of the pet can be displayed on the monitor of the terminal node 33 only during that absence.
- the terminal node 31 may have a switch, and the terminal node 33 may have a load. In this case, by linking the terminal node 31 and the terminal node 33, the load of the terminal node 33 can be controlled by the switch of the terminal node 31.
- the terminal node 31 may have a microphone and the terminal node 33 may have a speaker. In this case, by linking the terminal node 31 and the terminal node 33, the sound input to the microphone of the terminal node 31 can be output from the speaker of the terminal node 33.
- Each terminal node 30 includes a switch (not shown) for generating a trigger for instructing change of partition information described later. This trigger is broker information described later.
- the lower level relay apparatus 40 includes a relay unit (lower level relay unit) 401, a partition information storage unit (lower level partition information storage unit) 402, and a routing unit (lower level routing unit) 403.
- the lower relay unit of the lower relay apparatus 41 is denoted by reference numeral 411
- the lower partition information storage unit of the lower relay apparatus 41 is denoted by reference numeral 412
- the lower routing unit of the lower relay apparatus 41 is denoted by reference numeral 413.
- the lower relay unit of the lower relay device 42 is denoted by reference numeral 421
- the lower partition information storage unit of the lower relay device 42 is denoted by reference numeral 422
- the lower routing unit of the lower relay device 42 is denoted by reference numeral 423.
- the lower relay unit 401 is configured to relay between the terminal nodes 30.
- the lower relay unit 401 functions as a relay node.
- the lower relay unit 401 is configured to transfer the broker information to the upper relay device 70 if the requested node ID of the broker information received from the lower node (terminal node 30) is a node ID of a node belonging to a domain different from its own.
- the lower relay unit 401 is configured to transfer the broker information to the lower setting device 50 if the requested node ID of the broker information received from the lower node (terminal node 30) is the node ID of a node belonging to the same domain as itself.
- the lower relay unit 401 may simply be configured to transfer the broker information received from the lower node (terminal node 30) to the upper relay device 70 and the lower setting device 50.
- the lower partition information storage unit 402 is configured to store partition information (lower partition information).
- the lower partition information is information for determining whether to cause the lower relay unit 401 to relay between the nodes 30. That is, the partition information is information that defines a cooperative relationship between nodes.
- the partition information includes a node ID and a partition number. That is, the partition information is a data pair of (node ID, partition number).
- the partition number is assigned to each domain 10, 21, 22.
- a numerical value indicating an upper domain and a numerical value indicating a lower domain are expressed in a format separated by dots (.).
- the partition number of the upper domain 10, which is the highest domain, is “1”. Since the upper relay device 70 and the upper setting device 90 belong only to the upper domain 10, the partition numbers of the upper relay device 70 and the upper setting device 90 are “1”.
- the partition number of the lower domain 21 is “1.1”, and the partition number of the lower domain 22 is “1.2”.
- the number to the left of the dot indicates the partition number of the upper domain 10.
- the number to the right of the dot indicates a number for distinguishing the lower domain 20.
- the lower relay device 41 is assigned the partition number “1.1” of the lower domain 21 to which the lower relay device 41 belongs.
- the lower relay device 42 is assigned the partition number “1.2” of the lower domain 22 to which the lower relay device 42 belongs.
- the lower partition information storage unit 412 stores the lower partition information shown in Table 1 as default partition information
- the lower partition information storage unit 422 stores the lower partition information shown in Table 2 as default partition information.
- the lower routing unit 403 is configured to control the lower relay unit 401 according to the contents of the lower partition information stored in the lower partition information storage unit 402. That is, the lower level routing unit selects permission or prohibition of communication between the terminal nodes 30 based on the lower level partition information stored in the lower level partition information storage unit 402.
- the lower routing unit 403 performs control (access control) of the lower relay unit 401 according to the following rules.
- Rule 1 Allow communication between nodes with the same partition number.
- the lower routing unit 403 is configured to update the lower partition information stored in the lower partition information storage unit 402 to the received lower partition information.
- the lower routing unit 403 is configured to update the lower partition information stored in the lower partition information storage unit 402 to default lower partition information when receiving a reset signal from the lower setting device 50.
- the upper relay device 70 includes a relay unit (upper relay unit) 701, a partition information storage unit (upper partition information storage unit) 702, and a routing unit (upper routing unit) 703.
- the upper relay unit 701 is configured to relay between the lower relay units 401.
- the upper relay unit 701 is configured to transfer the broker information received from the lower relay device 40 to the upper setting device 80.
- the upper partition information storage unit 702 is configured to store partition information (upper partition information).
- the upper partition information is information for determining whether to cause the upper relay unit 701 to relay between the lower relay units 401.
- the upper partition information storage unit 702 stores the upper partition information shown in Table 3 as default partition information.
- the upper routing unit 703 is configured to control the upper relay unit 701 in accordance with the contents of the upper partition information stored in the upper partition information storage unit 702.
- the upper routing unit 703 performs control (access control) of the upper relay unit 701 in accordance with the same rules 1) and 2) as those of the lower routing unit 403.
- Upon receiving the upper partition information from the upper setting device 80, the upper routing unit 703 is configured to update the upper partition information stored in the upper partition information storage unit 702 with the received upper partition information.
- When the upper routing unit 703 receives the reset signal from the upper setting device 80, it is configured to update the upper partition information stored in the upper partition information storage unit 702 to default upper partition information (partition information shown in Table 3 in this embodiment).
- the partition information storage units 402 and 702 are built in the relay devices 40 and 70. However, the partition information storage units 402 and 702 may be physically separated from the relay devices 40 and 70. In this case, the partition information storage units 402 and 702 are configured to communicate with the relay devices 40 and 70.
- the setting devices 50 and 80 are physically separated from the relay devices 40 and 70 and are configured to communicate with the relay devices 40 and 70.
- the setting devices 50 and 80 may be incorporated in the relay devices 40 and 70.
- the lower-level authentication server 60 is provided to distribute a session key (lower-level session key) for encrypting communication between the lower-level relay device 40 and other nodes.
- the lower authentication server 61 is connected to the lower relay device 41, and the lower authentication server 62 is connected to the lower relay device 42.
- the lower-level authentication server 60 includes a key distribution unit (lower-level key distribution unit) 601 and a key storage unit (lower-level key storage unit) 602.
- the lower key distribution unit of the lower authentication server 61 is represented by reference numeral 611
- the lower key storage unit of the lower authentication server 61 is represented by reference numeral 612.
- the lower key distribution unit of the lower authentication server 62 is denoted by reference numeral 621
- the lower key storage unit of the lower authentication server 62 is denoted by reference numeral 622 as necessary.
- the lower key storage unit 602 is configured to store a secret key (lower secret key) that is a common key with each node in order to encrypt and distribute the lower session key to each node.
- the lower secret key is set for each node to which the session key is distributed. Naturally, the node to which the session key is distributed has a lower secret key.
- the lower key storage unit 602 is separated from the lower key distribution unit 601.
- the lower key storage unit 602 may be integrated with the lower key distribution unit 601.
- the lower key distribution unit 601 is configured to distribute a lower session key to the lower relay device 40 in response to a request from the lower relay device 40.
- the lower key distribution unit 601 encrypts the lower session key using the secret key stored in the lower key storage unit 602.
- the upper authentication server 90 is provided to distribute a session key (upper session key) for encrypting communication between the upper relay device 70 and another node.
- the upper authentication server 90 is connected to the upper relay device 70.
- the upper authentication server 90 includes a key distribution unit (upper key distribution unit) 901 and a key storage unit (upper key storage unit) 902.
- the upper key storage unit 902 is configured to store a secret key (upper secret key) that is a common key with each node in order to encrypt the upper session key and distribute it to each node.
- the upper secret key is set for each node to which the session key is distributed. Of course, the node to which the session key is distributed has an upper secret key.
- the upper key storage unit 902 stores three sets of data including a node ID or domain ID, a secret key, and a partition number.
- the upper key storage unit 902 is separated from the upper key distribution unit 901.
- the upper key storage unit 902 may be integrated with the upper key distribution unit 901.
- the upper key distribution unit 901 is configured to distribute the upper session key to the upper relay device 70 in response to a request from the upper relay device 70.
- the upper key distribution unit 901 encrypts the upper session key using the secret key stored in the upper key storage unit 902.
- each node encrypts data using the session key.
- A session key (upper session key) distributed by the upper authentication server 90 is used.
- the lower relay device 41 uses the lower session key distributed by the lower authentication server 61 when communicating with the nodes (terminal nodes 31 and 32 and the lower setting device 51) in the lower domain 21 to which the lower relay device 41 belongs.
- the lower level relay device 42 uses the lower session key distributed by the lower level authentication server 62 when communicating with the nodes (terminal nodes 33 and 34 and lower level setting device 52) in the lower level domain 22 to which the lower level relay device 42 belongs.
- Each key storage unit 902, 612, 622 stores key data as shown in Table 4 to Table 6, respectively.
- the key data is data in which a node ID or domain ID, a secret key, and a partition number are associated with each other. This key data is expressed as (node ID or domain ID, secret key, partition number). The reason why the upper secret key is associated with the domain ID is to assign the upper secret key to each lower domain 20.
- When the upper key distribution unit 901 is requested to distribute the session key from the lower relay apparatuses 41 and 42, the upper key distribution unit 901 generates a session key. This session key is common to two communicating nodes or domains.
- the upper key distribution unit 901 acquires the secret keys Kdx1 and Kdx2 associated with the domain IDs (X1, X2) of the lower domains 21 and 22 managed by the lower relay devices 41 and 42 from the upper key storage unit 902.
- the upper key distribution unit 901 encrypts the session key using the acquired secret keys Kdx1 and Kdx2, and distributes the session key to the lower relay apparatuses 41 and 42, respectively.
- Upon receiving the encrypted session key (ticket), the lower level relay apparatuses 41 and 42 decrypt the ticket using the secret keys they hold and obtain the session key.
- the lower key distribution units 611 and 612 generate a session key when requested to distribute a session key from each of the terminal nodes 31, 32, 33, and 34.
- This session key is common to two communicating nodes or domains.
- the lower key distribution unit 601 acquires the secret keys Kc11, Kc12, Kc21, and Kc22 associated with the node IDs of the terminal nodes 31, 32, 33, and 34 from the lower key storage unit 602, respectively.
- the lower key distribution unit 601 encrypts the session key using the acquired secret keys Kc11, Kc12, Kc21, and Kc22 and distributes them to the terminal nodes 31, 32, 33, and 34, respectively.
- when each terminal node 30 receives the encrypted session key (ticket), it decrypts the ticket using its own private key and acquires the session key.
- the key distribution units 901, 611, and 612 are configured to update the partition information (partition numbers) of the key storage units 902, 612, and 622 after distributing the session key.
- the key distribution units 901, 611, and 612 are configured so that, when they receive reset signals from the setting devices 80, 51, and 52, the partition information stored in the key storage units 902, 612, and 622 is updated to default partition information.
- the upper authentication server 90 distributes the upper session key to the upper relay device 70 and the lower relay device 41, respectively. Further, the upper authentication server 90 updates partition information between the lower domain 21 to which the upper relay device 41 belongs and the upper relay device 70.
- the partition number of the lower domain 21 is “1.1”, and the partition number of the upper relay device 70 is “1”. That is, communication between the lower relay apparatus 41 and the upper relay apparatus 70 is permitted even before the partition information is updated. That is, the lower relay apparatus 41 is allowed to communicate with the upper relay apparatus 70. Therefore, the partition information stored in the upper key storage unit 902 is not substantially updated.
- the upper authentication server 90 distributes the session key to the lower relay apparatuses 41 and 42, respectively. Further, the upper authentication server 90 updates the partition information (partition number) of the lower domains 21 and 22 to which the lower relay apparatuses 41 and 42 belong. In this case, one partition number of the lower domains 21 and 22 is changed to match the other partition number of the lower domains 21 and 22. For example, in the example shown in Table 4, the partition number of the lower domain 21 is changed from 1.1 to 1.2.
- the lower level setting device 51 is connected to the lower level relay device 41.
- the lower setting device 52 is connected to the lower relay device 42.
- Each lower setting device 50 includes a communication unit (lower communication unit) 501, a broker information storage unit (lower broker information storage unit) 502, a broker information setting unit (lower broker information setting unit) 503, and a partition information update unit (lower partition information update unit) 504.
- the lower communication unit of the lower setting device 51 is denoted by reference numeral 511.
- the lower broker information storage unit of the lower setting device 51 is denoted by reference numeral 512.
- the lower broker information setting unit of the lower setting device 51 is denoted by reference numeral 513.
- the lower partition information update unit of the lower setting device 51 is denoted by reference numeral 514.
- the lower order communication unit of the lower setting device 52 is denoted by reference numeral 521.
- the lower broker information storage unit of the lower setting device 52 is denoted by reference numeral 522.
- the lower broker information setting unit of the lower setting device 52 is denoted as necessary.
- the lower partition information update unit of the lower setting device 52 is denoted by reference numeral 524.
- the lower communication unit 501 is configured to communicate with the connected lower relay device 40.
- the lower communication unit 501 functions as a receiving unit (lower receiving unit) that receives lower broker information indicating that relay between the lower relay units 401 is requested.
- the lower broker information storage unit 502 is configured to store the lower broker information received by the lower communication unit 501.
- Broker information is information indicating a cooperation relationship between terminal nodes 30 included in the lower domain 20.
- the broker information includes information indicating a transmission source, information indicating a domain to which the transmission source belongs, and information indicating a transmission destination.
- the broker information is data composed of a source node ID, a domain ID to which the source belongs, and a destination node ID (request node ID).
- the broker information is expressed in the form of (source node ID, domain ID to which the source belongs, request node ID).
- the transmission source is the terminal node 30 that requests the relay device 40 to relay the signal.
- the transmission destination is the terminal node 30 that is the destination of the signal relayed by the relay device 40. In other words, the transmission destination is the terminal node 30 from which the transmission source requests reception of a signal.
- the broker information (C11, X1, C21) indicates that the terminal node C11 desires to provide some service to the terminal node C21.
- the lower broker information setting unit 503 is configured to generate lower partition information with reference to the lower broker information stored in the lower broker information storage unit 502.
- the lower broker information setting unit 503 includes a broker information determination module (lower broker information determination module) 5031 and a partition information generation module (lower partition information generation module) 5032.
- when two pieces of lower broker information (first lower broker information and second lower broker information) are stored in the lower broker information storage unit 502, the lower broker information determination module 5031 is configured to determine whether the transmission source indicated by the first lower broker information matches the transmission destination indicated by the second lower broker information and whether the transmission destination indicated by the first lower broker information matches the transmission source indicated by the second lower broker information.
- the lower-level broker information generation module 5032 generates the lower partition information if the lower broker information determination module 5031 determines that the transmission source indicated by the first lower broker information matches the transmission destination indicated by the second lower broker information, and that the transmission destination indicated by the first lower broker information matches the transmission source indicated by the second lower broker information.
- This lower partition information indicates that the lower relay unit 401 is to relay between the transmission source indicated by the first lower broker information and the transmission destination indicated by the first lower broker information (the transmission source indicated by the second lower broker information and the transmission destination indicated by the second lower broker information).
- the lower partition information update unit 504 controls the lower communication unit 501 and transmits the lower partition information generated by the lower broker information setting unit 503 to the lower relay device 40. As a result, the lower partition information update unit 504 updates the lower partition information stored in the lower partition information storage unit 402 to the lower partition information generated by the lower broker information setting unit 503.
- the lower partition information update unit 504 requests the lower authentication server 60 to distribute the session key on behalf of the terminal node 30.
- the lower partition information update unit 504 controls the lower communication unit 501 and, based on the lower partition information generated by the lower broker information setting unit 503, sends a message requesting distribution of the session key to the two nodes that start communication with each other.
- the lower partition information update unit 504 controls the lower communication unit 501 and transmits the lower partition information generated by the lower broker information setting unit 503 to the lower authentication server 60. Thereby, the lower-level authentication server 60 distributes the session key and updates the partition information (partition number).
- the lower level setting device 50 provides a service that updates the data (partition information) stored in the lower level key storage unit 602 and updates the data (partition information) stored in the lower level partition information storage unit 402.
- the upper setting device 80 is connected to the upper relay device 70.
- the upper setting device 80 includes a communication unit (upper communication unit) 801, a broker information storage unit (upper broker information storage unit) 802, a broker information setting unit (upper broker information setting unit) 803, and a partition information update unit (upper partition information update unit) 804.
- the upper communication unit 801 is configured to communicate with the upper relay device 70.
- the upper communication unit 801 functions as a receiving unit (upper receiving unit) that receives higher broker information indicating that relay between the lower relay units 401 is requested.
- the upper broker information is also information indicating a communication cooperation relationship between the terminal nodes 30 included in the lower domain 20.
- the upper broker information storage unit 802 is configured to store the upper broker information received by the upper communication unit 801.
- the upper broker information setting unit 803 is configured to generate upper partition information with reference to the upper broker information stored in the upper broker information storage unit 802.
- the upper broker information setting unit 803 includes a broker information determination module (upper broker information determination module) 8031 and a partition information generation module (upper partition information generation module) 8032.
- the upper broker information determination module 8031 is configured to determine whether the transmission source indicated by the first upper broker information matches the transmission destination indicated by the second upper broker information and whether the transmission destination indicated by the first upper broker information matches the transmission source indicated by the second upper broker information.
- the upper broker information generation module 8032 generates the upper partition information if the upper broker information determination module 8031 determines that the transmission source indicated by the first upper broker information matches the transmission destination indicated by the second upper broker information, and that the transmission destination indicated by the first upper broker information matches the transmission source indicated by the second upper broker information.
- the upper partition information indicates that the upper relay unit 701 is to relay between the transmission source indicated by the first upper broker information and the transmission destination indicated by the first upper broker information (the transmission source indicated by the second upper broker information and the transmission destination indicated by the second upper broker information).
- the upper partition information update unit 804 controls the upper communication unit 801 and transmits the upper partition information generated by the upper broker information setting unit 803 to the upper relay device 70. As a result, the upper partition information update unit 804 updates the upper partition information stored in the upper partition information storage unit 702 with the upper partition information generated by the upper broker information setting unit 803.
- the upper partition information update unit 804 requests the upper authentication server 90 to distribute a session key on behalf of the relay devices 40 and 70 and the terminal node 30. That is, the upper partition information update unit 804 controls the upper communication unit 801 and, based on the upper partition information generated by the upper broker information setting unit 803, sends a message requesting distribution of the session key to the two nodes that start communication with each other. Further, the upper partition information update unit 804 controls the upper communication unit 801 and transmits the upper partition information generated by the upper broker information setting unit 803 to the upper authentication server 90. As a result, the higher-level authentication server 90 distributes the session key and updates the partition information (partition number).
- the upper setting device 80 provides a service that updates the data (partition information) stored in the upper key storage unit 902 and updates the data (partition information) stored in the upper partition information storage unit 402.
- the lower partition information storage unit 412 stores the lower partition information shown in Table 1.
- the lower partition information storage unit 422 stores the lower partition information shown in Table 2.
- the lower routing unit 413 permits communication between the lower relay device 41 and the first terminal node 31 and permits communication between the lower relay device 41 and the second terminal node 32. Further, the lower routing unit 413 permits communication between the terminal nodes 31 and 32. As a result, the first terminal node 31 and the second terminal node 32 can communicate with each other. The lower relay device 41 and the terminal nodes 31 and 32 and the upper relay device 70 do not have the same partition number. However, according to Rule 2, the lower routing unit 413 permits communication between the lower relay device 41 and the upper relay device 70 and permits communication between the terminal nodes 31 and 32 and the upper relay device 70.
- the lower routing unit 413 determines whether the communication path between nodes is valid or invalid. The lower-level routing unit 413 permits communication between nodes if all the communication paths between the nodes are valid. On the other hand, the lower-level routing unit 413 does not permit communication between nodes if an invalid communication path is included in the communication path between nodes.
- the lower routing unit 413 permits communication between the lower relay device 41 and the lower setting device 51.
- the lower routing unit 423 permits communication between the terminal nodes 33 and 34.
- the lower routing unit 423 permits communication between the lower relay device 42 and the terminal nodes 33 and 34 and the upper relay device 70. Further, the lower routing unit 423 permits communication between the lower relay device 42 and the lower setting device 52.
- the upper partition information storage unit 702 stores the upper partition information shown in Table 3.
- the upper relay device 70 and the upper setting device 80 have the same partition number. Therefore, the upper routing unit 703 permits communication between the upper relay device 70 and the upper setting device 80.
- the lower relay apparatus 41 and the lower relay apparatus 42 do not have the same partition number. Therefore, the upper routing unit 703 does not permit communication between the lower relay apparatuses 41 and 42. That is, in the initial state, communication between the lower domains 20 is prohibited.
- the upper relay device 70 can communicate with the lower relay devices 41 and 42 and the terminal nodes 31 to 34. That is, the upper relay device 70 can communicate with all nodes included in the upper domain 10.
- the partition information of the upper partition information storage unit 702 may be changed as shown in Table 7.
- the partition number of the lower relay apparatus 41 is “1.2”. That is, the partition number of the lower relay apparatus 41 is changed from “1.1” to “1.2”.
- the partition numbers of the lower relay apparatus 41 and the lower relay apparatus 42 match. Therefore, the upper routing unit 703 permits communication between the lower relay apparatuses 41 and 42. That is, communication between the lower domains 21 and 22 is permitted. The same result can be obtained even if the partition number of the lower relay apparatus 42 is changed from “1.2” to “1.1”.
- the lower relay apparatus 41 is allowed to communicate with the terminal nodes 31 and 32 in the lower domain 21. Further, the lower relay apparatus 42 is permitted to communicate with the terminal nodes 33 and 34 in the lower domain 22. Therefore, the terminal node 31 and the terminal node 33 can communicate with each other via the relay apparatuses 41, 42, and 70.
- broker information including the node ID of the other terminal node 30 is transmitted to the specific terminal node 30. Further, broker information including the node ID of the specific terminal node 30 is transmitted to another terminal node 30. As shown in FIG. 2, the broker information includes its own node ID (source node ID), a domain ID that identifies the domain to which it belongs, and a request node ID that is a node ID that it wants to cooperate with.
- When communication is performed between the first terminal node 31 and the third terminal node 33, the first terminal node 31 transmits broker information including (C11, X1, C21) to the upper relay device 70 via the lower relay device 41 ((1) in FIG. 3).
- this broker information indicates that the first terminal node 31 can provide a service (a service for disclosing an image captured by a TV camera) to the third terminal node 33.
- the upper relay device 70 transfers the received broker information to the upper setting device 80.
- the higher-level communication module 801 of the higher-level setting device 80 receives broker information from the first terminal node 31.
- the upper broker information storage unit 802 stores the broker information received by the upper communication module 801. Therefore, the broker information (first broker information) shown in the upper part of Table 8 is stored in the upper broker information storage unit 802.
- the higher-level setting device 80 permits the node having the requested node ID of the broker information to browse the broker information. That is, the third terminal node 33 can browse data (for example, broker information) because the requested node ID of the broker information stored in the higher-level broker information storage unit 802 matches the node ID of itself.
- the third terminal node 33 desires to enjoy the service provided by the first terminal node 31 (that is, display on the monitor device of the video imaged by the TV camera).
- the third terminal node 33 transmits broker information including (C21, X2, C11) to the upper relay device 70 via the lower relay device 42 ((2) in FIG. 3).
- the upper relay device 70 transfers the received broker information to the upper setting device 80.
- the higher-level communication module 801 of the higher-level setting device 80 receives broker information from each terminal node 33.
- the upper broker information storage unit 802 stores the broker information received by the upper communication module 801. Therefore, the broker information (second broker information) shown in the lower part of Table 8 is stored in the upper broker information storage unit 802.
- the broker information shown in Table 8 is stored in the higher-level broker information storage unit 802 as information indicating the cooperative relationship between the terminal nodes 31 and 33.
- the upper broker information determination module 803 determines that the transmission source indicated by the first broker information matches the transmission destination indicated by the second broker information, and that the transmission destination indicated by the first broker information matches the transmission source indicated by the second broker information.
- the transmission source is the first terminal node 31 and the transmission destination is the third terminal node 33.
- the transmission source is the third terminal node 33 and the transmission destination is the first terminal node 31.
- the upper broker information setting unit 803 generates partition information indicating that the upper relay unit 701 is to relay between the transmission source (first terminal node 31) indicated by the first broker information and the transmission destination (first terminal node 33) indicated by the first broker information.
- the upper partition information update unit 804 transmits the upper partition information generated by the upper broker information setting unit 803 to the upper relay device 70. As a result, the upper partition information update unit 804 updates the upper partition information stored in the upper partition information storage unit 702 with the upper partition information generated by the upper broker information setting unit 803.
- the upper partition information update unit 804 requests the upper authentication server 90 to distribute a session key. Further, the upper partition information update unit 804 transmits the upper partition information generated by the upper broker information setting unit 803 to the upper authentication server 90 ((3) in FIG. 3). As a result, the higher-level authentication server 90 distributes the session key and updates the partition information (partition number).
- the first terminal node 31 performs encrypted communication with the lower relay apparatus 41 using a session key.
- the second terminal node 32 performs encrypted communication with the lower relay apparatus 42 using a session key.
- the lower relay apparatuses 41 and 42 perform encrypted communication with the upper relay apparatus 70 using a session key.
- permission and prohibition of communication between nodes can be dynamically controlled based on the upper partition information stored in the partition information storage unit 702.
- the lower partition information storage unit 412 stores the lower partition information shown in Table 9 in the initial state.
- the lower relay apparatus 41 has the same partition number as that of the first terminal node 31, but does not match the partition number of the second terminal node 32. Therefore, according to Rule 1, the lower routing unit 413 does not permit communication between the terminal nodes 31 and 32.
- When the first terminal node 31 requests cooperation with the second terminal node 32, the first terminal node 31 transmits broker information including (C11, X1, C12) to the lower relay apparatus 41.
- the lower relay apparatus 41 transfers the received broker information to the lower setting apparatus 51.
- the lower-level communication module 511 receives the broker information from the first terminal node 31.
- the lower broker information storage unit 512 stores the broker information received by the lower communication module 511.
- When the second terminal node 32 accepts the cooperation with the first terminal node 31, the second terminal node 32 transmits broker information including (C12, X1, C11) to the lower relay apparatus 41.
- the lower relay apparatus 41 transfers the received broker information to the lower setting apparatus 51.
- the lower-level communication module 511 receives the broker information from the second terminal node 32.
- the lower broker information storage unit 512 stores the broker information received by the lower communication module 511.
- the broker information including (C11, X1, C12) and the broker information including (C12, X1, C11) are stored in the lower-level broker information storage unit 512.
- the lower broker information setting unit 513 generates partition information (partition information shown in Table 1) indicating that the relay is performed between the first terminal node 31 and the second terminal node 32.
- the lower partition information update unit 514 transmits the lower partition information generated by the lower broker information setting unit 513 to the lower relay device 41.
- the lower partition information update unit 514 updates the lower partition information stored in the lower partition information storage unit 412 to the lower partition information generated by the lower broker information setting unit 513.
- the lower partition information update unit 514 requests the lower authentication server 61 to distribute a session key. Further, the lower partition information update unit 514 transmits the lower partition information generated by the lower broker information setting unit 513 to the lower authentication server 61. As a result, the lower-level authentication server 61 distributes the session key and updates the partition information (partition number).
- the partition information of the partition information storage units 402 and 702 may be changed using a web server (not shown).
- the partition information is changed by accessing the web server from a terminal device such as a personal computer.
- you may use the relay apparatuses 40 and 70 as a web server as mentioned above.
- broker information setting units 803 and 503 may be configured to generate, based on one piece of broker information stored in the broker information storage units 802 and 502, partition information indicating that the relay units 701 and 401 are to relay between the transmission source and the transmission destination of that broker information.
- the broker information may include the user ID of the user. That is, the setting devices 50 and 80 may be configured to perform user authentication. In this way, it is possible to prevent the cooperative relationship between the nodes from being changed illegally.
- the broker information may be transmitted in an encrypted state. In this way, security can be improved.
- the setting devices 50 and 80 may be used as a web server.
- broker information is changed by accessing the setting devices 50 and 80 from a terminal device such as a personal computer.
- the setting devices 50 and 80 preferably authenticate users who access from the terminal device.
- the terminal device can be authenticated by the authentication server 90 by accessing the setting devices 50 and 80 from both the domains 21 and 22 or from either one of the domains 21 and 22 using the terminal device. Therefore, broker information can be changed safely.
- the broker information can be changed using an HTML input form provided in the setting devices 50 and 80. For example, the source node ID, the domain ID to which the source belongs, and the request node ID may be entered in the input form.
- FIG. 4 shows a communication network system according to a modification of the present embodiment.
- the terminal nodes 31 and 32 are connected to the lower level setting device 51 via a communication path.
- the terminal nodes 33 and 34 are connected to the lower level setting device 52 via a communication path.
- the terminal nodes 31 and 32 are configured to transmit the broker information to the lower level setting device 51 instead of the lower level relay device 41.
- the terminal nodes 33 and 34 are configured to transmit broker information to the lower level setting device 52 instead of the lower level relay device 42.
- the broker information storage unit 502 stores the broker information received by the lower communication unit 501.
- the lower partition information update unit 504 is configured to transfer the broker information received from the terminal node 30 to the lower relay device 40.
- the lower partition information update unit 504 requests the lower authentication server 60 to distribute the lower session key before transmitting the broker information to the lower relay device 40. That is, the lower partition information update unit 504 encrypts the broker information using the lower session key distributed from the lower authentication server 60 and transmits it to the upper relay device 70.
- the lower partition information update unit 504 encrypts the lower partition information using the lower session key distributed from the lower authentication server 60 and transmits it to the lower relay device 40. That is, the lower partition information update unit 504 is configured to update the lower partition information stored in the lower partition information storage unit 402 after the lower authentication server 60 distributes the lower session key.
- the relay unit 401 is configured to transfer the broker information received from the lower setting apparatus 50 to the upper relay apparatus 70 (upper setting apparatus 80).
- the lower relay apparatuses 41 and 42 are configured to perform a service of transferring the request for cooperation (broker information) from the lower nodes (terminal nodes 31, 32, 33, and 34) to the upper relay apparatus 70 (upper setting apparatus 80).
- the upper partition information update unit 804 requests the upper authentication server 90 to distribute the upper session key before transmitting the upper partition information to the upper relay device 70. Then, the upper partition information update unit 804 encrypts the upper partition information using the upper session key distributed from the upper authentication server 90 and transmits it to the upper relay device 70. That is, the upper partition information update unit 804 is configured to update the lower partition information stored in the upper partition information storage unit 702 after the upper authentication server 90 distributes the upper session key.
- the broker information transmitted by the terminal node 30 is first received by the lower level setting devices 51 and 52. Thereafter, the broker information is transmitted to the upper relay device 70 through the lower relay devices 41 and 42.
- When the first terminal node 31 requests the third terminal node 33 to cooperate, the first terminal node 31 transmits the broker information (C11, X1, C21) to the lower setting device 51 ((1) in FIG. 4).
- the lower broker information storage unit 512 stores the broker information shown in Table 10.
- the lower partition information update unit 514 requests the lower authentication server 61 to distribute the lower session key ((2) in FIG. 4). Thereafter, the lower partition information update unit 504 encrypts the broker information using the lower session key distributed from the lower authentication server 61 and transmits it to the upper relay device 70 (upper setting device 80) ((3) in FIG. 4).
- the upper relay device 70 transmits the broker information received from the lower relay device 41 to the upper setting device 80.
- When the third terminal node 33 requests cooperation from the first terminal node 31, the third terminal node 33 transmits the broker information (C21, X1, C11) to the lower setting device 52 ((4) in FIG. 4).
- the lower broker information storage unit 522 stores the broker information shown in Table 11.
- the lower partition information update unit 524 requests the lower authentication server 62 to distribute the lower session key ((5) in FIG. 4). Thereafter, the lower partition information update unit 524 encrypts the broker information using the lower session key distributed from the lower authentication server 62 and transmits it to the upper relay device 70 (upper setting device 80) ((6) in FIG. 4).
- the upper relay device 70 transmits the broker information received from the lower relay device 41 to the upper setting device 80.
- the upper communication unit 801 receives broker information from the lower setting devices 51 and 52 via the upper relay device 70 and the lower relay devices 41 and 42.
- the upper broker information storage unit 802 aggregates cooperation request data (broker information) and stores the broker information shown in Table 8.
- the upper level setting device 80 updates the partition information of the higher level key storage unit 902 and the higher level partition information storage unit 702 as described above ((7) in FIG. 4).
- communication between the first terminal node 31 and the third terminal node 33 is permitted. That is, communication between different lower domains 21 and 22 is permitted.
- each terminal node 30 only needs to know the network address for receiving the transfer service of each lower level relay apparatus 41, 42. Therefore, it becomes possible to set addresses closed in the lower domains 21 and 22. That is, configuration management can be performed for each of the lower domains 21 and 22, and configuration management is facilitated. For example, even when a NAT router is used and a unique address such as a private address is allocated to the lower domains 21 and 22, configuration management in the lower domains 21 and 22 is facilitated by fixing, by default, the network address used for the transfer service.
- the partition information update units 804 and 504 request the authentication servers 90 and 60 to distribute the session key.
- the partition information update units 804 and 504 may wait for redistribution of the session key from the authentication servers 90 and 60.
- the partition information update units 804 and 504 may be configured to transmit partition information and broker information after the authentication servers 90 and 60 distribute the session key.
- the broker information may include attribute information.
- the attribute information is information that specifies whether to cooperate in units of lower domains 20 or in units of terminal nodes 30. More specifically, the attribute information includes “all” and “only”. “All” indicates that cooperation between all the terminal nodes 30 belonging to the lower domain 20 is permitted with the lower domain 20 as a unit. “Only” indicates that cooperation between the designated terminal nodes 30 is permitted.
- the lower level setting device 51 changes the partition information stored in the lower level partition information storage unit 412 from the contents shown in Table 1 to the contents shown in Table 12.
- the lower level setting device 51 changes the partition information stored in the lower level key storage unit 612 from the contents shown in Table 5 to the contents shown in Table 13.
- the lower level setting device 52 changes the partition information stored in the lower level partition information storage unit 422 from the contents shown in Table 2 to the contents shown in Table 14.
- the lower level setting device 52 changes the partition information stored in the lower level key storage unit 622 from the contents shown in Table 6 to the contents shown in Table 15.
- the partition number of the first terminal node 31 is 1.1.1, and the partition number of the second terminal node 32 is 1.2.
- the lower routing unit 413 permits the communication between the first terminal node 31 and the lower relay device 41 according to rule 2.
- the lower routing unit 413 does not permit communication between the second terminal node 32 and the lower relay device 41.
- the partition number of the third terminal node 33 is 1.2.1, and the partition number of the fourth terminal node 34 is 1.1.
- the lower routing unit 423 permits communication between the third terminal node 33 and the lower relay device 42 according to rule 2.
- the lower routing unit 423 does not permit communication between the fourth terminal node 34 and the lower relay device 42.
- each domain 10, 21, 22 has partition information. Therefore, access control between nodes can be managed at a plurality of locations. Therefore, the safety of communication between nodes is improved.
- the partition information (lower partition information and upper partition information) includes an identification number (node ID) of each of a plurality of nodes belonging to the lower domain 20, and a local associated with each identification number. Partition number and global partition number.
- the local partition number is used to determine whether relaying between nodes belonging to the same lower domain 20 is possible. That is, the local partition number is a partition number in the domain. Furthermore, the local partition number is valid only within a specific subdomain.
- the global partition number is used to determine whether or not communication relay between nodes belonging to different domains is possible.
- the global partition number is a partition number outside the domain.
- the global partition number is valid for the entire communication network system.
- the partition information storage units 702, 412, and 422 and the key storage units 902, 612, and 622 each have an area for storing a local partition number and a global partition number for each node.
- the routing units 703, 413, and 423 perform control (access control) of the relay units 701, 411, and 422 according to the following rules.
- Rule 1 Allow communication between nodes with the same local partition number within the same domain.
- the partition information storage units 702, 412, and 422 store the partition information shown in Table 16, Table 17, and Table 18, respectively.
- the key storage units 902, 612, and 622 store the partition information shown in Table 19, Table 20, and Table 21, respectively.
- the relay devices 70, 41, and 42 allow communication between nodes having the same local partition number, and allow communication between nodes having the same global partition number. In the configuration of this embodiment, it can be said that the partition number is multiplexed.
- the lower partition information storage unit 412 of the lower relay apparatus 41 stores the partition information shown in Table 17, and the lower key storage unit 612 of the lower authentication server 61 stores the partition information shown in Table 20. Therefore, the first terminal node 31 is allowed to communicate with the nodes in the lower domain 21 (lower relay device 41 and second terminal node 32). The first terminal node 31 is allowed to communicate with a node (upper relay device 70) outside the lower domain 21. Similarly, the second terminal node 32 is permitted to communicate with nodes in the lower domain 21 (lower relay device 41 and first terminal node 31). The second terminal node 32 is permitted to communicate with a node (upper relay apparatus 70) outside the lower domain 21.
- the global partition number of the second terminal node 32 is changed from “G: 1.1” to “G: 1.2”.
- the second terminal node 32 is permitted to communicate with the node having the same local partition number within the same domain 21.
- the second terminal node 32 does not match the global partition number with the lower relay apparatus 41. Therefore, the lower relay apparatus 41 does not allow the second terminal node 32 to communicate with a node outside the lower domain 21.
- the terminal nodes 31 and 32 each have a TV camera.
- the image captured by the terminal node 31 is transmitted to a node outside the lower domain 21, and the image captured by the terminal node 32 is not transmitted to a node outside the lower domain 21.
- Such a setting change can be performed only by changing the partition information (partition number) stored in the partition information storage units 702, 412, and 422 of the domains 10, 21, and 22 to which the node to be changed belongs.
- access control between nodes belonging to the same domain 10, 21, 22 and access control between nodes belonging to different domains 10, 21, 22 can be performed simultaneously.
- communication between terminal nodes 31 and 32 belonging to the same domain 21 and communication between terminal nodes 31 and 33 belonging to different domains 21 and 22 can be simultaneously performed.
- Other configurations and operations of the communication network system according to the present embodiment are the same as those of the communication network system according to the first embodiment, and thus description thereof is omitted.
- the partition information may include various partition numbers such as a management partition number. If various partition numbers are associated with each node, communication can be restricted and permitted in various ranges. For example, the scope of application of these services can be flexibly changed when updating firmware or linking with other services.
- the communication network system of the present embodiment is different from the communication network system of the first embodiment in the contents of partition information.
- each terminal node 30 stores an object identifier for uniquely identifying a service (object) provided by the terminal node 30.
- Each terminal node 30 stores an interface identifier for uniquely identifying the service attribute (interface) of the object.
- When the first terminal node 31 provides an object (video captured by a TV camera) to a third terminal node 31 belonging to a lower domain 22 different from the lower domain 21 to which the first terminal node 31 belongs, the object identifier corresponding to the object is disclosed to the external network.
- the first terminal node 31 transmits a provision message together with the object identifier to the relay device 70 in order to disclose the object identifier.
- When the relay device 70 receives the provision message from the first terminal node 31, the relay device 70 discloses the object identifier so that a third party can recognize it. Only the object identifier is disclosed. Therefore, the image captured by the TV camera is not transferred, and a third party cannot view this image.
- the third terminal node 33 accesses the relay device 70 when trying to enjoy the service provided by the first terminal node 31. As a result, the third terminal node 33 recognizes the identifier of the service for transferring the video (the object identifier and the identifier of the first terminal node 31 that provides the service), and passes through the relay device 70 to the first terminal. Enjoy the services provided by the node 31.
- the partition information in this embodiment includes an object identifier for identifying an object and an interface identifier for identifying an interface.
- the partition information in the present embodiment includes, in addition to the partition number, an object identifier of the terminal node 30 (source node) that provides the service and an interface identifier of the terminal node 30 (transmission destination node) that enjoys the service.
- the partition can be set by variously describing the combination of the object identifier and the interface identifier set in the terminal node 30 in the partition information storage unit 702. Therefore, the number of information combinations handled by the partition information storage unit 702 can be simplified. Further, the information handled by the partition information storage unit 702 can be flexible.
- Each node (relay device 40, 41, 70, terminal node 31, 32, 33, 34) that constructs the communication network system of this embodiment may have one or more objects.
- One object may have a plurality of interfaces. Therefore, if an object identifier and an interface identifier are used as partition information, a plurality of types of service attributes can be requested for a plurality of types of functions by using only one piece of identification information (node ID or domain ID) for a node. In other words, a single address can provide a plurality of services.
- a plurality of services can be provided with a small number of connections.
- a node that enjoys a service can access a plurality of objects with a small number of connections. Therefore, for example, a service enjoyed by selecting a desired object from a plurality of objects of a node can be flexibly changed.
- the object identifier is expressed as OID, and the interface identifier is expressed as IID.
- the object identifier OID1 corresponds to an object that is a program that defines the camera.
- the interface identifier IID1 corresponds to zoom.
- the interface identifier IID2 corresponds to pan.
- Wildcards can also be used to associate object identifiers with interface identifiers.
- a wild card is represented by “*”.
- associations such as OID1: * and *: IID1 are possible.
- OID1: * means that an arbitrary interface identifier is associated with the object identifier OID1.
- *: IID1 means that an arbitrary object identifier is associated with the interface identifier IID1.
- the interface identifiers IID1 and IID2 can be associated with the object identifier OID1.
- a cooperative relationship of OID1: IID1, OID1: IID2 can be set.
- Nodes having these object identifiers and interface identifiers can be linked. That is, by using a combination of an object identifier and an interface identifier as appropriate, it is possible to simplify the setting of the linkage relationship and increase the flexibility of the linkage relationship.
- Other configurations and operations of the communication network system according to the present embodiment are the same as those of the communication network system according to the first embodiment, and thus description thereof is omitted.
- the partition number is described by a network address and a subnet mask.
- the identification information (node ID) of each node is a MAC address in the domains 10, 21, 22.
- the upper relay device 70 has a function of giving a network address and a subnet mask in response to a request from a node in the upper domain 10.
- the lower relay apparatuses 41 and 42 have a function of giving a network address and a subnet mask in response to requests from nodes in the lower domains 21 and 22, respectively.
- the relay devices 70, 41, and 42 have the same function as a router having a DHCP function.
- the relay apparatuses 70, 41, and 42 can dynamically change the permission and prohibition of communication between nodes based on the partition information.
- the partition information of this embodiment includes a local partition number and a global partition number as in the second embodiment.
- the private address is used as the local partition number
- the global address is used as the global partition number.
- the partition information storage units 702, 412, and 422 store the partition information shown in Table 22, Table 23, and Table 24, respectively.
- the key storage units 902, 612, and 622 store partition information shown in Table 25, Table 26, and Table 27, respectively.
- each relay device 70, 41, 42 gives an IP address (IPv4 or IPv6) to each of the setting devices 80, 51, 52.
- Each relay device 70, 41, 42 stores the IP address given to the setting device 80, 51, 52.
- the higher-level relay device 70 may give an address to each setting device 80, 51, 52.
- the upper relay device 70 has a router function.
- the lower relay apparatuses 41 and 42 have a function of a NAT router (router having a NAT function).
- the lower relay apparatus 40 has a private address (private network address and subnet mask) and a global address (global network address and subnet mask).
- the private address of the lower relay apparatus 41 is “172.16.1.0/24”
- the private address of the lower relay apparatus 42 is “172.16.2.0/24”.
- the global address of the lower relay apparatus 41 is “1.0.1.0/24”
- the global address of the lower relay apparatus 42 is “1.0.2.0/24”.
- When the first terminal node 31 requests cooperation with the third terminal node 33, the first terminal node 31 transmits broker information to the lower level setting device 51.
- the node ID included in this broker information is a MAC address.
- When the third terminal node 33 requests cooperation with the first terminal node 31, the third terminal node 33 transmits broker information to the lower level setting device 52. That is, the terminal node 30 transmits a cooperation request simultaneously with the MAC address that is the node ID.
- the lower level setting devices 51 and 52 use the DHCP function to obtain the Internet Protocol network address and subnet mask corresponding to the node IDs of the terminal nodes 31 and 33 from the partition information storage units 412 and 422 (or the key storage units 612 and 622), respectively. As a result, the lower setting devices 51 and 52 generate IP addresses and assign them to the terminal nodes 31 and 33, respectively. That is, in the communication network system of the present embodiment, the lower level setting device 50 performs bidirectional communication with the terminal node 30. On the other hand, in the communication network system of the first embodiment, the lower level setting device 50 only receives a signal from the terminal node 30.
- the lower level setting device 50 processes the cooperation request from the terminal node 30 simultaneously with the assignment of the IP address to the terminal node 30. If the requested node ID of the broker information is a node ID belonging to the same domain 20 as the transmission source node ID, the lower level setting device 50 updates the partition information of the lower level partition information storage unit 402 and the lower level key storage unit 602. When the terminal node 30 that requests cooperation is reconnected, update of the key storage unit 602 and distribution of the session key by the key distribution unit 601 are executed. That is, the partition information is updated with the distribution of the session key.
- the partition information storage unit 402 is also used as a routing table of the NAT router.
- the lower level setting device 50 transmits the broker information to the higher level setting device 80 through the lower level relay device 40.
- the upper level setting device 80 updates partition information of the higher level partition information storage unit 702 and the higher level key storage unit 902 based on the received broker information. That is, the upper key storage unit 902 works in conjunction with the upper partition information storage unit 702 that is the routing table of the upper domain 10.
- the key storage unit 902 is updated together with the distribution of the session key by the key distribution unit 901 when the terminal node 30 requesting cooperation is reconnected.
- the communication network system of this embodiment uses a global address instead of a global partition number and uses a private address instead of a local partition number. Therefore, the partition number corresponds to an IP address including a global address and a private address by the NAT function. Therefore, the lower relay apparatus 40 selects whether or not to execute the NAT function according to the cooperation request (broker information).
- the lower level relay apparatus 40 executes the NAT function. Therefore, the lower relay apparatus 40 creates a conversion table for the NAT function.
- the lower-level relay device 40 does not execute the NAT function. Therefore, the lower relay apparatus 40 does not create a conversion table for the NAT function.
- the lower relay apparatus 40 obtains an IP address by the DHCP server function when the terminal node 30 that requests cooperation is reconnected.
- the lower level relay apparatus 40 creates a conversion table for the NAT function using the partition number of the terminal node 30 and the IP address (address value) obtained by the DHCP server function.
- the partition number matches the address for routing. Therefore, it is possible to select whether to permit or prohibit communication, that is, access control for each node.
- the partition number corresponds to an IP address including a private address by the NAT function. Therefore, the access control setting and the NAT pass-through setting can be performed simultaneously. In other words, to prohibit communication beyond the domain, it is only necessary to withhold the global address so that traffic does not pass through the NAT function. Flexible setting is possible according to the cooperation request.
- the upper relay device 70 may be configured by a router. Further, the lower relay apparatuses 41 and 42 may be configured by a LAN switch having a layer 3 (L3) switching function in the Internet protocol.
- the network addresses and subnet masks of the relay apparatuses 41 and 42 are set in the same manner as in the above example.
- the IP addresses of the relay apparatuses 41 and 42 may be IPv4 IP addresses or IPv6 IP addresses. Further, the technical concept of the present embodiment can be applied to any address system that performs mask processing similar to IPv4 or IPv6. Further, the address may be assigned by using an auto IP, UPnP, IPv6 link local address, PPPoE function or the like instead of the DHCP server.
- Other configurations and operations of the communication network system according to the present embodiment are the same as those of the communication network system according to the second embodiment, and thus description thereof is omitted.
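The reciprocal cooperation request described above (broker information (C11, X1, C21) answered by (C21, X1, C11)) and the local/global partition rules of the second embodiment can be modelled together; the following Python model is an added example, not code from the patent. The class and function names, the node IDs C12 and R70, the values "L:1" and "G:2.1", and the choice that the later requester adopts the earlier requester's global partition number are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BrokerInfo:
    """One cooperation request in (source, label, destination) order."""
    source: str
    label: str        # middle field such as "X1"; treated as an opaque tag (assumption)
    destination: str


@dataclass
class Entry:
    """Partition information held for one node ID."""
    domain: str
    local: str        # local partition number: decides relaying inside the domain
    global_: str      # global partition number: decides relaying across domains


def build_table():
    """Constructed sample table; only "G:1.1" and "G:1.2" appear in the text."""
    return {
        "C11": Entry("21", "L:1", "G:1.1"),  # first terminal node 31
        "C12": Entry("21", "L:1", "G:1.2"),  # second terminal node 32 after the change
        "C21": Entry("22", "L:1", "G:2.1"),  # third terminal node 33
        "R70": Entry("10", "L:1", "G:1.1"),  # upper relay device 70
    }


class SettingDevice:
    """Hypothetical setting device: stores broker information and rewrites the
    partition table only when two stored requests mirror each other."""

    def __init__(self, table):
        self.table = table
        self.stored = set()

    def receive(self, info):
        """Store a request; return True once a reciprocal pair is in place."""
        if info.source not in self.table or info.destination not in self.table:
            return False      # unknown node ID: a request never creates entries
        self.stored.add(info)
        mirror = BrokerInfo(info.destination, info.label, info.source)
        if mirror not in self.stored:
            return False      # one-sided request: partition table untouched
        # Assumption: the later requester adopts the earlier requester's global
        # partition number, so the earlier node keeps its existing relations.
        self.table[info.source].global_ = self.table[info.destination].global_
        return True


def may_relay(table, a, b):
    """Relay decision taken from partition information only."""
    if a not in table or b not in table:
        return False          # default deny without partition information
    ea, eb = table[a], table[b]
    if ea.domain == eb.domain:
        return ea.local == eb.local      # same domain: local numbers must match
    return ea.global_ == eb.global_      # different domains: global numbers must match


if __name__ == "__main__":
    table = build_table()
    device = SettingDevice(table)
    print("31 <-> 32 in domain 21:", may_relay(table, "C11", "C12"))
    print("31 -> outside:", may_relay(table, "C11", "R70"))
    print("32 -> outside:", may_relay(table, "C12", "R70"))
    print("31 <-> 33 before requests:", may_relay(table, "C11", "C21"))
    device.receive(BrokerInfo("C11", "X1", "C21"))
    print("31 <-> 33 after one-sided request:", may_relay(table, "C11", "C21"))
    device.receive(BrokerInfo("C21", "X1", "C11"))
    print("31 <-> 33 after reciprocal request:", may_relay(table, "C11", "C21"))
```

A one-sided request leaves the table unchanged, so a single node cannot open a cross-domain path to a peer that has not asked for it.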
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
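As shown in FIG. 1, the communication network system of this embodiment has an upper domain 10. The upper domain 10 has a plurality of lower domains 20. Each of the lower domains 20 is a communication network (home network) provided in a house. Thus, the communication network system of this embodiment is a multi-domain communication network in which the domains are hierarchized.
The partition numbers of the lower relay device 41 and the terminal nodes 31 and 32 do not match that of the upper relay device 70. However, according to rule 2, the lower routing unit 413 permits communication between the lower relay device 41 and the upper relay device 70, and permits communication between the terminal nodes 31 and 32 and the upper relay device 70. According to rule 1, communication between the lower relay device 41 and the first terminal node 31 is permitted, and communication between the lower relay device 41 and the second terminal node 32 is permitted. Therefore, the lower relay device 41 and the terminal nodes 31 and 32 can communicate with the upper relay device 70.
In the communication network system of this embodiment, the partition information (lower partition information and upper partition information) includes an identification number (node ID) of each of the plurality of nodes belonging to the lower domain 20, and a local partition number and a global partition number associated with each identification number.
The communication network system of this embodiment differs from the communication network system of Embodiment 1 in the contents of the partition information.
When the first terminal node 31 provides an object (video captured by a TV camera) to the third terminal node 31 belonging to a lower domain 22 different from the lower domain 21 to which it belongs, it discloses the object identifier corresponding to the object to the external network. To disclose the object identifier, the first terminal node 31 transmits a provision message together with the object identifier to the relay device 70. When the relay device 70 receives the provision message from the first terminal node 31, the relay device 70 discloses the object identifier so that a third party can recognize it. Only the object identifier is disclosed. Therefore, the video captured by the TV camera is not transferred, and a third party cannot view this video.
In the communication network system of this embodiment, the partition number is described by a network address and a subnet mask. The identification information (node ID) of each node (relay devices 70, 41, 42, setting devices 80, 51, 52, terminal nodes 31, 32, 33, 34) is a MAC address within the domains 10, 21, 22.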
Claims (9)
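- A communication network system comprising:
a plurality of nodes;
a relay device interposed between the nodes; and
a setting device connected to the relay device,
wherein the relay device includes:
a relay unit that relays between the nodes;
a partition information storage unit that stores partition information for determining whether to cause the relay unit to relay between the nodes; and
a routing unit that controls the relay unit in accordance with the contents of the partition information stored in the partition information storage unit, and
the setting device includes:
a receiving unit that receives broker information indicating that relaying between the nodes has been requested;
a broker information storage unit that stores the broker information received by the receiving unit;
a broker information setting unit that generates the partition information with reference to the broker information stored in the broker information storage unit; and
a partition information update unit that updates the partition information stored in the partition information storage unit of the relay device to the partition information generated by the broker information setting unit.
- The communication network system according to claim 1, wherein
the broker information includes information indicating a transmission source and information indicating a transmission destination,
the transmission source is a node that requests the relay unit to relay a signal,
the transmission destination is a node that the transmission source requests to receive the signal, and
the broker information setting unit includes:
a broker information determination module that, when two pieces of the broker information, namely first broker information and second broker information, are stored in the broker information storage unit, determines whether the transmission source indicated by the first broker information matches the transmission destination indicated by the second broker information and the transmission destination indicated by the first broker information matches the transmission source indicated by the second broker information; and
a partition information generation module that, when the broker information determination module determines that the transmission source indicated by the first broker information matches the transmission destination indicated by the second broker information and the transmission destination indicated by the first broker information matches the transmission source indicated by the second broker information, generates the partition information for causing the relay unit to relay between the transmission source indicated by the first broker information and the transmission destination indicated by the first broker information.
- The communication network system according to claim 1, wherein
the node has an object that is a collection of interfaces, each interface being a program for realizing a predetermined function, and
the partition information includes an object identifier for identifying the object and an interface identifier for identifying the interface.
- A communication network system comprising an upper domain having a plurality of lower domains, wherein
each of the lower domains has a plurality of nodes and a lower relay device interposed between the nodes,
the lower relay device includes:
a lower relay unit that relays between the nodes;
a lower partition information storage unit that stores lower partition information for determining whether to cause the lower relay unit to relay between the nodes; and
a lower routing unit that controls the lower relay unit in accordance with the contents of the lower partition information stored in the lower partition information storage unit,
the upper domain has an upper relay device interposed between the lower relay devices belonging to different lower domains, and an upper setting device connected to the upper relay device,
the upper relay device includes:
an upper relay unit that relays between the lower relay units;
an upper partition information storage unit that stores upper partition information for determining whether to cause the upper relay unit to relay between the lower relay units; and
an upper routing unit that controls the upper relay unit in accordance with the contents of the upper partition information stored in the upper partition information storage unit, and
the upper setting device includes:
an upper receiving unit that receives upper broker information indicating that relaying between the lower relay units has been requested;
an upper broker information storage unit that stores the upper broker information received by the upper receiving unit;
an upper broker information setting unit that generates the upper partition information with reference to the upper broker information stored in the upper broker information storage unit; and
an upper partition information update unit that updates the upper partition information stored in the upper partition information storage unit to the upper partition information generated by the upper broker information setting unit.
- The communication network system according to claim 4, wherein
each of the lower domains has a lower setting device connected to the lower relay device, and
the lower setting device includes:
a lower receiving unit that receives lower broker information indicating that relaying between the nodes has been requested;
a lower broker information storage unit that stores the lower broker information received by the lower receiving unit;
a lower broker information setting unit that generates the lower partition information with reference to the lower broker information stored in the lower broker information storage unit; and
a lower partition information update unit that updates the lower partition information stored in the lower partition information storage unit to the lower partition information generated by the lower broker information setting unit.
- The communication network system according to claim 4 or claim 5, wherein
the lower domain has a lower authentication server that distributes a lower session key used for communication within the lower domain,
the upper domain has an upper authentication server that distributes an upper session key used for communication with the lower domain, and
the upper partition information update unit is configured to update the upper partition information stored in the upper partition information storage unit after the lower authentication server has distributed the lower session key and the upper authentication server has distributed the upper session key.
- The communication network system according to claim 5, wherein
the lower domain has a lower authentication server that distributes a lower session key used for communication within the lower domain,
the upper domain has an upper authentication server that distributes an upper session key used for communication with the lower domain,
the upper partition information update unit is configured to update the upper partition information stored in the upper partition information storage unit after the upper authentication server has distributed the upper session key, and
the lower partition information update unit is configured to update the lower partition information stored in the lower partition information storage unit after the lower authentication server has distributed the lower session key.
- The communication network system according to claim 7, wherein
the lower partition information includes an identification number of each of the plurality of nodes belonging to the lower domain, and a local partition number and a global partition number associated with each identification number,
the local partition number is used to determine whether relaying between the nodes belonging to the same lower domain is permitted, and
the global partition number is used to determine whether relaying of communication between the nodes belonging to different domains is permitted.
- The communication network system according to claim 1, wherein
the partition information includes an identification number of the node and a partition number associated with the identification number,
the routing unit is configured to control the relay unit so as to relay between the nodes whose partition numbers match, and
the partition number is determined using both a network address and a subnet mask given to the node.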
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010542133A JP5261502B2 (ja) | 2008-12-12 | 2009-12-11 | Communication network system |
EP09831967.6A EP2372960B1 (en) | 2008-12-12 | 2009-12-11 | Communication network system |
US13/133,997 US8671207B2 (en) | 2008-12-12 | 2009-12-11 | Communication network system |
CN200980149520.6A CN102246472B (zh) | 2008-12-12 | 2009-12-11 | Communication network system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2008-317440 | 2008-12-12 | ||
JP2008317440 | 2008-12-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010067864A1 true WO2010067864A1 (ja) | 2010-06-17 |
Family
ID=42242849
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2009/070754 WO2010067864A1 (ja) | Communication network system | 2008-12-12 | 2009-12-11 |
Country Status (5)
Country | Link |
---|---|
US (1) | US8671207B2 (ja) |
EP (1) | EP2372960B1 (ja) |
JP (1) | JP5261502B2 (ja) |
CN (1) | CN102246472B (ja) |
WO (1) | WO2010067864A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012134710A (ja) * | 2010-12-21 | 2012-07-12 | Panasonic Corp | Authentication system, authentication device, and program |
JP2012165383A (ja) * | 2011-02-04 | 2012-08-30 | General Electric Co <Ge> | System, method, and apparatus for identifying invalid nodes in a mesh network |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW201417535A (zh) * | 2012-10-31 | 2014-05-01 | Ibm | Network access control based on risk factor |
CN112204925B (zh) * | 2018-07-13 | 2022-10-28 | 三菱电机楼宇解决方案株式会社 | Elevator system with erroneous-operation prevention function |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
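JP2005184792A (ja) * | 2003-11-27 | 2005-07-07 | Nec Corp | Bandwidth control device, bandwidth control method, and bandwidth control program |
JP2007005847A (ja) | 2005-06-21 | 2007-01-11 | Alaxala Networks Corp | Data transmission control in a network |
JP2008048055A (ja) * | 2006-08-11 | 2008-02-28 | Nippon Telegr & Teleph Corp <Ntt> | Connection control system, connection control device, connection control method, and connection control program |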
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6618764B1 (en) * | 1999-06-25 | 2003-09-09 | Koninklijke Philips Electronics N.V. | Method for enabling interaction between two home networks of different software architectures |
KR20020079785A (ko) * | 2000-12-27 | 2002-10-19 | 마쯔시다덴기산교 가부시키가이샤 | Routing processing and method in a home bus system |
US7681032B2 (en) * | 2001-03-12 | 2010-03-16 | Portauthority Technologies Inc. | System and method for monitoring unauthorized transport of digital content |
US7194622B1 (en) * | 2001-12-13 | 2007-03-20 | Cisco Technology, Inc. | Network partitioning using encryption |
KR100513277B1 (ko) * | 2003-04-16 | 2005-09-09 | 삼성전자주식회사 | Apparatus and method for connecting separately existing networks |
JP4329388B2 (ja) * | 2003-04-22 | 2009-09-09 | ソニー株式会社 | Data communication system, data communication device, data communication method, and computer program |
US7624431B2 (en) * | 2003-12-04 | 2009-11-24 | Cisco Technology, Inc. | 802.1X authentication technique for shared media |
JP2005311507A (ja) * | 2004-04-19 | 2005-11-04 | Nippon Telegraph & Telephone East Corp | VPN communication method and VPN system |
GB2445791A (en) * | 2007-01-17 | 2008-07-23 | Electricpocket Ltd | Interconnection of Universal Plug and Play Networks using eXtensible Messaging and Presence Protocol Streams |
CN101378358B (zh) * | 2008-09-19 | 2010-12-15 | 成都市华为赛门铁克科技有限公司 | Method, system, and server for implementing secure access control |
-
2009
- 2009-12-11 CN CN200980149520.6A patent/CN102246472B/zh not_active Expired - Fee Related
- 2009-12-11 US US13/133,997 patent/US8671207B2/en active Active
- 2009-12-11 EP EP09831967.6A patent/EP2372960B1/en active Active
- 2009-12-11 WO PCT/JP2009/070754 patent/WO2010067864A1/ja active Application Filing
- 2009-12-11 JP JP2010542133A patent/JP5261502B2/ja active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP2372960A4 |
Also Published As
Publication number | Publication date |
---|---|
US8671207B2 (en) | 2014-03-11 |
EP2372960B1 (en) | 2014-09-10 |
CN102246472B (zh) | 2014-04-23 |
CN102246472A (zh) | 2011-11-16 |
EP2372960A1 (en) | 2011-10-05 |
JPWO2010067864A1 (ja) | 2012-05-24 |
EP2372960A4 (en) | 2013-01-16 |
JP5261502B2 (ja) | 2013-08-14 |
US20110320621A1 (en) | 2011-12-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8051461B2 (en) | | System and method for establishing secured connection between home network devices |
US8307093B2 (en) | | Remote access between UPnP devices |
US8561147B2 (en) | | Method and apparatus for controlling of remote access to a local network |
JP2004048234A (ja) | | User authentication system and user authentication method |
JPWO2005027438A1 (ja) | | Packet relay device |
CA2530343A1 (en) | | System for the internet connections, and server for routing connections to a client machine |
KR20100022927A (ko) | | Method and apparatus for protecting personal information in a home network |
JP4524906B2 (ja) | | Communication relay device, communication relay method, communication terminal device, and program storage medium |
JP5261502B2 (ja) | | Communication network system |
KR100906677B1 (ko) | | System and method for secure remote access to a UPnP network |
JP2006081142A (ja) | | Network camera, DDNS server and video distribution system |
JP4576637B2 (ja) | | Network camera, management server and video distribution system |
JP2003078570A (ja) | | Service providing method, relay device and service providing device |
KR20070018196A (ko) | | Method and apparatus for securing remote access to a local network |
JP4713420B2 (ja) | | Communication system and method for sharing network devices |
JP2006109152A (ja) | | Connection requesting device, responding device, connection management device, and communication system for communicating over a network |
JP2004194312A (ja) | | Server for routing connections to a client device |
JP2008010934A (ja) | | Gateway device, communication control method, program, and storage medium storing the program |
JP2006115285A (ja) | | Video distribution system and network camera |
JP2006025259A (ja) | | Connection management device and content transmission device |
US20100161808A1 (en) | | Image forming apparatus and service providing method |
JP2007104438A (ja) | | Out-of-home access system, server, and communication method |
JP2006209406A (ja) | | Communication device |
JP2008206081A (ja) | | Data relay device and data relay method used in a multihoming communication system |
Chowdhury et al. | | Interconnecting multiple home networks services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | WWE | WIPO information: entry into national phase | Ref document number: 200980149520.6; Country of ref document: CN |
| | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 09831967; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2010542133; Country of ref document: JP; Kind code of ref document: A |
| | WWE | WIPO information: entry into national phase | Ref document number: 13133997; Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWE | WIPO information: entry into national phase | Ref document number: 2009831967; Country of ref document: EP |