WO2014083653A1 - Communication apparatus and communication system - Google Patents


Info

Publication number
WO2014083653A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless terminal
service
vpn
account
setting
Application number
PCT/JP2012/080936
Other languages
French (fr)
Japanese (ja)
Inventor
大佑 高橋
栄一 堀内
高田 佳典
善文 堀田
Original Assignee
三菱電機株式会社

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W 88/16 Gateway arrangements
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/2803 Home automation networks > H04L 12/283 Processing of data at an internetworking point of a home automation network > H04L 12/2836 Protocol conversion between an external network and a home network
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/12 Setup of transport tunnels
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/2803 Home automation networks > H04L 2012/284 Home automation networks characterised by the type of medium used > H04L 2012/2841 Wireless

Definitions

  • the present invention relates to a communication device that connects a public network and a home network, and a communication system including the communication device.
  • home appliances such as televisions, recorders, and air conditioners that can be connected to a network have recently appeared.
  • M2M Machine to Machine
  • One of the functions being studied is a remote operation function from outside the house.
  • a system for inputting reservation information from an external system to a digital recorder in a home has been realized.
  • This digital recorder is installed connected to a home network, reaches the public network through the home network, and connects to a server that manages the recorder's reservations.
  • the user inputs reservation information to the server, and the reservation information is transferred to the digital recorder when the digital recorder accesses the server.
  • Such a control method via a server can be regarded as an indirect remote operation to home appliances.
  • there is also a method of performing control directly without going through a server. For example, as a way of connecting to a home network from outside, such as from the Internet, a virtual private network (VPN) to the home network is established using an encryption protocol such as IPsec (Security Architecture for Internet Protocol).
  • IPsec Security Architecture for Internet Protocol
  • the control method used within the home network can be applied unchanged to remote access through the VPN.
  • the advantage is that control / operation can be realized with the same interface.
  • mobile phones called smartphones, which have spread rapidly in recent years, are equipped with a VPN client function as a standard feature, and since home appliance control apps are being distributed in response to growing smartphone use, their affinity with a common internal and external interface is considered high.
  • the reason VPN connection setup is difficult is that settings are required on both the server side and the client side.
  • on the server side, for example, user name and password account settings and registration with a DDNS (Dynamic Domain Name System) service for server IP address resolution must be performed, and the client side must also be configured to match the server.
  • DDNS Dynamic Domain Name System
  • some commercially available home routers have a VPN server function, but the setting values must be registered manually from the browser setting screen of a setting PC, and an account must be set manually on the smartphone side.
  • manual configuration on both these routers and smartphones is considered a barrier for housewives and elderly people with little network knowledge.
  • if VPN connection to the home network becomes common in the future, housewives and elderly people are expected to become its main users; therefore a technique for solving this problem is necessary.
  • Patent Document 1 discloses a technology for connecting using a SIP server. This technique is called “SIP dial-up connection”, and establishes a VPN connection when a call is made to a home gateway having a telephone function. For this reason, registration in a system for resolving an IP address such as DDNS becomes unnecessary, and the burden on the user is considered to be reduced. However, in Patent Document 1 the user must register an account by hand for the home gateway and for the client terminal that actually performs the VPN connection, which is complicated in this respect.
  • Patent Document 2 proposes a method for solving the trouble of account registration by automating account registration for VPN connection.
  • the present invention has been made in view of the above, and its object is to obtain a communication device and a communication system capable of setting up a VPN connection that achieves both the maintenance of high security and the elimination of complex user work.
  • in order to solve the above problems, the present invention is a communication apparatus that operates as the gateway in a communication system including a wireless terminal connectable to a home network and an external network, and a gateway located at the connection point between the home network and the external network, the gateway providing a first service to the wireless terminal on the home network side and a second service to the wireless terminal on the external network side; the communication apparatus is characterized by information management means that sets a wireless terminal which satisfies a predetermined condition while using the first service as a wireless terminal that can use the second service.
  • since a wireless terminal satisfying a certain condition is automatically set as necessary and manual setting is not required, there is an effect that the complexity of the user's work can be eliminated.
  • FIG. 1 is a diagram illustrating a configuration example of a communication system according to the first embodiment.
  • FIG. 2 is a diagram illustrating a communication mode in which the mobile wireless terminal connects to the HGW using the VPN.
  • FIG. 3 is a diagram illustrating a configuration example of the HGW.
  • FIG. 4 is a diagram illustrating a configuration example of the mobile wireless terminal.
  • FIG. 5 is a diagram illustrating a configuration example of the VPN account DB.
  • FIG. 6 is a diagram illustrating a configuration example of the wireless LAN authentication setting DB.
  • FIG. 7 is a diagram illustrating a configuration example of the account automatic generation DB.
  • FIG. 8 is a diagram illustrating an example of a sequence for setting a VPN account in the communication system according to the first embodiment.
  • FIG. 9 is a diagram illustrating a configuration example of a communication system according to the second embodiment.
  • FIG. 10 is a diagram illustrating a configuration example of the HGW according to the second embodiment.
  • FIG. 11 is a diagram illustrating a configuration example of the incoming call history DB.
  • FIG. 12 is a diagram illustrating a configuration example of the account automatic generation DB according to the second embodiment.
  • FIG. 13 is a diagram illustrating an example of a sequence for setting a VPN account in the communication system according to the second embodiment.
  • FIG. 1 is a diagram illustrating a configuration example of a communication system according to the first embodiment.
  • the communication system of the present embodiment includes a home gateway (HGW) 1, a public network 2, a home network 3, a portable wireless terminal 4, and in-home devices 5-7.
  • HGW home gateway
  • the HGW 1 is a gateway that connects the public network 2 as an external network and the home network 3. It also has a function to operate as a wireless LAN access point and a function to operate as a VPN server.
  • the public network 2 is a general term for data communication networks of the Internet and mobile phones, and is often configured as an aggregate of a plurality of networks.
  • the home network 3 is a network that accommodates home devices, and the home devices 5 to 7 are connected by a wired LAN or a wireless LAN.
  • the portable wireless terminal 4 is connected to the HGW 1 by the wireless LAN 9.
  • the portable wireless terminal 4 also has a function of making a VPN connection to the HGW 1 via the public network 2, and the pre-setting (account setting) necessary for the VPN connection is completed by the account automatic setting sequence described later when the terminal connects to the wireless LAN 9.
  • the in-home devices 5 to 7 are, for example, a television, a recorder, an air conditioner or the like having a function of connecting to a network.
  • FIG. 2 is a diagram illustrating a communication mode in which the mobile wireless terminal 4 connects to the HGW 1 using the VPN 8.
  • the portable wireless terminal 4 can remotely access devices (home devices 5 to 7) in the home network 3 by connecting to the HGW 1 using the VPN 8.
  • the mobile wireless terminal 4 needs to perform account setting for the VPN connection with the HGW 1 in the connection form shown in FIG. 1.
  • the in-home devices 5 to 7 connected to the home network 3 can accept control from the portable wireless terminal 4 connected by VPN.
  • FIG. 3 is a diagram illustrating a configuration example of the HGW 1 which is a communication device according to the present invention.
  • the HGW 1 is roughly composed of two functional blocks, a CPU board 101 and a layer 2 switch (L2SW) 102.
  • L2SW layer 2 switch
  • the L2SW 102 includes a plurality of home network connection ports 106 to 108 and an internal connection port 109.
  • the L2SW 102 is not essential for the HGW 101 and may not be mounted depending on the configuration.
  • the CPU board 101 includes, as main components, a router function unit 103, other function units 104, a WAN interface 105, an internal connection port 110, a wireless LAN connection port 111, a VPN account database (DB) 112, a wireless LAN authentication setting database (DB) 113, a wireless LAN unit 114, an account automatic generation unit 121, and an account automatic generation database (DB) 122.
  • the router function unit 103 implements a communication protocol stack and the functions used in each protocol; it implements a firewall function as part of protocol stacks such as PPP 115, IPsec 116, PPPoE 117, L2TP 118 and NAPT 119, a router function, and the packet filtering function (Packet Filtering) 120.
  • the other function unit 104 is a processing unit that provides functions other than those included in the router function unit 103, such as a setting parameter management function, a GUI function, and a telephone function necessary for operating the HGW 101 as a device.
  • the WAN interface 105 is an interface for connecting to the public network
  • the internal connection port 110 is an interface for connecting to the L2SW 102 on the home network 3 side
  • the wireless LAN connection port 111 is a connection port for the wireless LAN.
  • the VPN account DB 112 is a database for managing accounts of users who are permitted to use the VPN remote access system (users who are permitted VPN connection to the local HGW 1), that is, user names and passwords for user authentication.
  • the wireless LAN authentication setting DB 113 is a database for storing settings for the wireless LAN unit 114 to authenticate wireless devices.
  • the wireless LAN unit 114 executes terminal authentication processing, and accepts connection by wireless LAN if the authentication is successful.
  • the account automatic generation unit 121, when it receives a request from a terminal connected by wireless LAN (for example, the portable wireless terminal 4), refers to the account automatic generation DB 122, creates an account for VPN connection (information such as a user name and password), and changes the settings in its own device so that the requesting terminal can make a VPN connection.
  • the account automatic generation DB 122 is a database that holds settings (information) that the account automatic generation unit 121 refers to when generating an account for VPN connection.
  • FIG. 4 is a diagram illustrating a configuration example of the mobile wireless terminal 4.
  • the portable wireless terminal 4 includes a public network connection function unit 401, a wireless LAN connection function unit 402, a VPN client function unit 403, an OS function unit 404, and a home appliance control S / W 405 as main components.
  • the home appliance control S / W 405 includes a home appliance control unit 406, a VPN setting communication unit 407, a VPN client setting unit 408, and other functional units 409.
  • the public network connection function unit 401 is a function for connecting to a public network of a mobile line, and performs Internet data communication and telephone communication.
  • the wireless LAN connection function unit 402 is a function for connecting to the HGW 1 and other wireless LAN access points.
  • the VPN client function unit 403 is a function for performing VPN connection, and VPN client functions such as IPsec, L2TP (Layer 2 Tunneling Protocol), and PPTP (Point-to-Point Tunneling Protocol) are implemented.
  • the VPN client function unit 403 may be incorporated in the home appliance control S / W 405.
  • the OS function unit 404 includes other functions such as an OS.
  • the home appliance control S / W 405 has a function of communicating and controlling with the in-home devices 5 to 7 in the home network, and also has a function of performing VPN automatic setting with the HGW 1.
  • the home appliance control unit 406 performs home appliance control.
  • the VPN setting communication unit 407 performs VPN setting negotiation for automatically setting an account for VPN connection.
  • the VPN client setting unit 408 holds the setting information (that is, the account for VPN connection) needed to operate as a VPN client.
  • the VPN setting communication unit 407 may have a function of sending information unique to the own device (portable wireless terminal 4), such as a telephone number or a MAC address, to the HGW 1.
  • the other function unit 409 includes a general S / W function such as a GUI.
  • when the portable wireless terminal 4 connects to the HGW 1 by wireless LAN, the VPN setting communication unit 407 of the home appliance control S / W 405 is activated and the account automatic setting sequence described later is executed; as a result, the account setting for VPN connection to the HGW 1 is performed automatically (the account setting is completed without requiring an operation such as information input by the user).
  • FIG. 5 is a diagram showing a configuration example of the VPN account DB 112 provided in the HGW 1 (see FIG. 3).
  • the VPN account DB 112 manages “user”, “user name”, and “password” in association with each other.
  • “User” is information for identifying the user
  • “User name” and “Password” are information used in the authentication process of the associated user.
  • in IPsec, which is assumed in the HGW 1 of this embodiment, it is common to use a user authentication method called XAUTH.
  • XAUTH user authentication method
  • the VPN account DB 112 is described on the assumption that it holds a user account (user name and password) for such IPsec XAUTH authentication. However, depending on the implementation of the VPN function, the information stored (managed) in the VPN account DB 112 is not limited to this.
  • FIG. 6 is a diagram illustrating a configuration example of the wireless LAN authentication setting DB 113 provided in the HGW 1 (see FIG. 3).
  • the wireless LAN authentication setting DB 113 manages parameters such as “wireless interface”, “SSID”, “authentication method”, and “password”.
  • “Wireless interface” is information indicating an actual wireless interface such as the wireless LAN connection port 111 (see FIG. 3).
  • “SSID” is an identifier of the wireless LAN access point and is a name given to avoid interference.
  • the “authentication method” is the method used when the wireless LAN client software performs connection authentication; there are encryption methods such as WEP / WPA / WPA2.
  • the “password” is the password required when a client terminal such as the mobile wireless terminal 4 connects to the wireless LAN access point, that is, the password used in the connection authentication that determines whether or not to permit the connection.
  • the wireless LAN unit 114 of the HGW 1 refers to the wireless LAN authentication setting DB 113 and determines whether to accept the connection request.
  • the description is based on wireless LAN access point software called hostapd, but the information held in the wireless LAN authentication setting DB 113 is not limited to this depending on the implementation of the wireless LAN function.
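The paragraph above says the wireless LAN authentication setting DB 113 is modelled on hostapd. As an added example (not code from the patent or its applicant), the block below builds such a record from a hostapd-style configuration. The hostapd.conf keys it reads (interface, ssid, wpa, wpa_passphrase, wep_key0..3, wep_default_key) are real hostapd keys; the sample configuration text, the WlanAuthSetting record layout and the "OPEN" label for an unprotected network are constructed for this example.

```python
"""Added example: derive a wireless LAN authentication setting DB row
(wireless interface, SSID, authentication method, password; FIG. 6)
from hostapd-style settings.  Sample input is constructed, not from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WlanAuthSetting:
    """One row of the wireless LAN authentication setting DB."""
    interface: str
    ssid: str
    auth_method: str   # "WEP", "WPA", "WPA2" or "OPEN" (label chosen here)
    password: str      # passphrase or WEP key used for connection authentication


def parse_hostapd_conf(text: str) -> dict:
    """Parse `key=value` lines of a hostapd.conf; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def to_wlan_auth_setting(settings: dict) -> WlanAuthSetting:
    """Map hostapd settings to the (authentication method, password) pair that
    the HGW's security-level check later inspects.  When WPA and WPA2 are both
    offered (wpa=3), the weakest offered method is recorded, because a client
    may actually have authenticated with that one."""
    wpa = int(settings.get("wpa", "0"))
    if wpa == 2:
        method, password = "WPA2", settings.get("wpa_passphrase", "")
    elif wpa in (1, 3):
        method, password = "WPA", settings.get("wpa_passphrase", "")
    elif any(k.startswith("wep_key") for k in settings):
        default = settings.get("wep_default_key", "0")
        # hostapd writes ASCII WEP keys in double quotes; hex keys are bare.
        method, password = "WEP", settings.get(f"wep_key{default}", "").strip('"')
    else:
        method, password = "OPEN", ""
    return WlanAuthSetting(
        interface=settings.get("interface", ""),
        ssid=settings.get("ssid", ""),
        auth_method=method,
        password=password,
    )


# Constructed sample configuration, not taken from the patent.
SAMPLE_HOSTAPD_CONF = """
interface=wlan0
ssid=home-ap
# WPA2-PSK with a passphrase
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct-horse-battery
"""


def sample_setting() -> WlanAuthSetting:
    """The DB row the HGW would hold for SAMPLE_HOSTAPD_CONF."""
    return to_wlan_auth_setting(parse_hostapd_conf(SAMPLE_HOSTAPD_CONF))


if __name__ == "__main__":
    print(sample_setting())
```

Recording the weakest offered method for a mixed-mode access point matters because the patent's later security-level check treats the wireless LAN authentication as collateral for the terminal's identity; a policy evaluated against the strongest method the AP merely offers would overstate that collateral.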
  • FIG. 7 is a diagram illustrating a configuration example of the account automatic generation DB 122 provided in the HGW 1 (see FIG. 3).
  • the account automatic generation DB 122 describes the settings for automatically creating an account for VPN connection, and manages “reference DB” and “security level” as setting items.
  • “Reference DB” indicates the database to be referred to when an account is generated.
  • in the example of FIG. 7, the wireless LAN authentication setting DB 113 is designated.
  • the “security level” includes “authentication method”, “password”, and the like as detailed parameters.
  • the “authentication method” describes the wireless LAN authentication methods for which automatic account generation is allowed.
  • the “password” describes the number of password characters required for automatic account generation to be allowed.
  • the account automatic generation unit 121 of the HGW 1 determines whether an account generation request can be accepted based on the “reference DB” and “security level” managed in the account automatic generation DB 122. Specifically, the account generation request is accepted when the information registered in the database indicated by the “reference DB” satisfies the condition set for the “security level”. A plurality of databases may be set in the “reference DB”. When the account automatic generation DB 122 has the contents shown in FIG. 7, the account automatic generation unit 121 refers to the wireless LAN authentication setting DB 113 and checks whether the “authentication method”, “password”, and so on managed there satisfy the “security level” stored in the account automatic generation DB 122.
  • if the “security level” is satisfied, specifically if the authentication method is WEP, WPA or WPA2 and the password is longer than n characters, the account generation request is accepted (a VPN account is generated). Note that depending on the implementation of the account automatic generation unit 121, the information held in the account automatic generation DB 122 is not limited to this.
  • FIG. 8 is a diagram illustrating an example of a sequence for setting a VPN account in the communication system according to the first embodiment.
  • if the VPN account setting is not completed, the portable wireless terminal 4 is not permitted to connect even if it transmits a VPN connection request to the HGW 1 via the public network 2 (steps S11 and S12). In this case, the portable wireless terminal 4 can establish a VPN connection to the HGW 1 by first making a wireless LAN connection to the HGW 1 in the home network 3 and setting a VPN account.
  • the VPN account setting procedure is shown below.
  • the portable wireless terminal 4 performs wireless LAN authentication by a specified authentication method such as password authentication and establishes a connection with the HGW 1 (step S21).
  • the wireless LAN authentication is performed with reference to information registered in the wireless LAN authentication setting DB 113.
  • the portable wireless terminal 4 transmits a VPN account generation request to the HGW 1 in order to notify that the VPN connection is desired (step S22).
  • the VPN setting communication unit 407 generates and transmits a VPN account generation request.
  • the VPN account generation request is passed to the account automatic generation unit 121 via the wireless LAN unit 114, and the account automatic generation unit 121 first refers to the account automatic generation DB 122 (step S23).
  • the account automatic generation unit 121 then checks whether the security level of the requesting mobile wireless terminal 4 is equal to or higher than the set value (step S24). If it is, the account automatic generation unit 121 regards the identity as confirmed by the wireless LAN connection and, with this as collateral, generates a VPN account. The generated information is registered in the VPN account DB 112 (step S25). At this time, the various settings necessary for permitting VPN connection to the requesting portable wireless terminal 4, such as registration in DDNS, are also performed. Note that the method for generating each piece of information included in the VPN account is not particularly defined; any existing method may be used. Further, the wireless LAN unit 114 sends the VPN account generated by the account automatic generation unit 121 to the requesting portable wireless terminal 4, that is, issues it (step S26).
  • when the portable wireless terminal 4 receives the VPN account as the response to the VPN account generation request transmitted in step S22, it sets the received VPN account (step S27).
  • the VPN client setting unit 408 sets the VPN account.
  • FIG. 8 shows an example in which it is determined in step S24 that the security level of the portable wireless terminal 4 that sent the VPN account generation request is equal to or higher than the set value.
  • however, it may be determined in step S24 that the security level is less than the set value. In such a case, the processing from step S25 onward is not executed.
  • the HGW 1 notifies the portable wireless terminal 4 that the VPN account has not been generated.
  • in this case, the portable wireless terminal 4 and the HGW 1 need to set a VPN account by another method, for example manual setting by the user, or retransmission of the VPN account generation request after the security level has become equal to or higher than the set value.
  • the portable wireless terminal 4 that has received the VPN account in steps S22 to S27 can make a VPN connection to the HGW 1 via the public network 2 (steps S31 and S32).
  • as described above, in the communication system of the present embodiment, the mobile wireless terminal transmits a VPN account generation request while connected to the HGW via the wireless LAN, and the HGW that has received the VPN account generation request generates a VPN account when it determines that the requesting terminal satisfies a certain security level.
  • thereby, security at the time of automatic account setting of the portable wireless terminal can be improved.
  • the home gateway has been described as an example, but the present invention can also be applied to a home router having a wireless LAN function and a VPN function.
  • Embodiment 2.
  • in the present embodiment, the home gateway (communication device) determines whether or not to issue a VPN account in consideration of other information held on the HGW in addition to the authentication strength of the wireless LAN.
  • thereby it is possible to further improve security at the time of automatic account setting. In the present embodiment, only the parts that differ from the first embodiment will be described.
  • FIG. 9 is a diagram illustrating a configuration example of the communication system according to the second embodiment.
  • the communication system according to the present embodiment is obtained by adding a SIP server 10 to the communication system according to the first embodiment shown in FIG. 1 and replacing the HGW 1 with an HGW 1a.
  • the SIP server 10 is a server that relays messages transmitted and received in order to establish a session between SIP (Session Initiation Protocol) clients, and holds information on each SIP client. It is assumed that the HGW 1a and the portable wireless terminal 4 of this embodiment have a function that operates as a SIP client.
  • SIP Session Initiation Protocol
  • FIG. 10 is a diagram illustrating a configuration example of the HGW 1a.
  • the HGW 1a is obtained by replacing the CPU board 101 of the HGW 1 (see FIG. 3) described in the first embodiment with a CPU board 101a.
  • the CPU board 101a has a configuration in which an incoming call history database (DB) 123 is added to the CPU board 101.
  • DB incoming call history database
  • FIG. 11 is a diagram illustrating a configuration example of the incoming call history DB 123 provided in the HGW 1a.
  • the incoming call history DB 123 manages “telephone number” and “incoming call time”. “Telephone number” is information indicating the telephone number of the other party who made a call to the HGW 1a itself, and “incoming call time” is information indicating the date and time when the incoming call was received.
  • when a call comes in, the HGW 1a registers the other party's telephone number and the time (date and time) of the call in the incoming call history DB 123. Registration in the incoming call history DB 123 is performed by the other function unit 104.
  • the configuration of the account automatic generation DB 122 of the HGW 1a is as shown in FIG. That is, it is assumed that the wireless LAN authentication setting DB and the incoming call history DB 123 are set as the reference DBs.
  • the security level parameters associated with the wireless LAN authentication setting DB are “authentication method” and “password”.
  • the security level parameter associated with the incoming call history DB 123 is “reception standby time”.
  • the “reception standby time” is the elapsed time since the incoming call. In the example of FIG. 12, the setting of “reception standby time” is “within 5 minutes”.
  • that is, the HGW 1a issues a VPN account to a portable wireless terminal that satisfies the security level (authentication method and password) associated with the wireless LAN authentication setting DB 113 and for which 5 minutes or less have elapsed since its incoming call. The set value of the “reception standby time” may be another value.
  • FIG. 13 is a diagram illustrating an example of a sequence for setting a VPN account in the communication system according to the second embodiment.
  • the same step numbers are assigned to the processes common to the sequence of the first embodiment (see FIG. 8); steps S41, S42, and S24a are the processes that differ from the first embodiment.
  • the description will focus on the parts different from the first embodiment.
  • the configuration of the incoming call history DB 123 is as shown in FIG. 11, and the configuration of the account automatic generation DB 122 is as shown in FIG.
  • the portable wireless terminal 4 performs wireless LAN authentication (step S21), establishes a connection with the HGW 1a, and then makes a call to the HGW 1a.
  • the HGW 1a receives an incoming call via the SIP server 10 (step S41).
  • the HGW 1a that received the incoming call registers the telephone number of the caller and the date and time when the incoming call was received in the incoming call history DB 123 (step S42).
  • the HGW 1a does not need to respond to an incoming call.
  • although not illustrated, the portable wireless terminal 4 ends the call when it detects that ringing at the HGW 1a has started.
  • the portable wireless terminal 4 transmits a VPN account generation request to the HGW 1a in order to notify that a VPN connection is desired (step S22). At this time, its own telephone number information is added to the VPN account generation request before transmission.
  • the account automatic generation unit 121 first refers to the account automatic generation DB 122 (step S23).
  • since the reference DBs in the account automatic generation DB 122 of FIG. 12 are the wireless LAN authentication setting DB and the incoming call history DB, the account automatic generation unit 121 next refers to the wireless LAN authentication setting DB 113 and confirms whether the authentication method and password set there satisfy the conditions set in the account automatic generation DB 122. If the conditions are satisfied, it refers to the incoming call history DB 123 and checks whether an incoming call from the portable wireless terminal 4 that transmitted the VPN account generation request occurred within a fixed past time (within 5 minutes) (step S24a).
  • if both checks pass, the security level of the portable wireless terminal 4 is equal to or higher than the set value set in the account automatic generation DB 122; the identity is regarded as confirmed by the wireless LAN connection and the telephone number, and with this as collateral the account automatic generation unit 121 creates a VPN account and registers it in the VPN account DB 112 (step S25). The subsequent procedure is the same as in the first embodiment.
  • the order of the databases referred to in step S24a may be changed (the incoming call history DB 123 may be checked first).
  • as described above, in the communication system of the present embodiment, the mobile wireless terminal makes a call to the HGW before transmitting the VPN account generation request while connected to the HGW via the wireless LAN, and when the HGW that has received the VPN account generation request determines that the requesting mobile wireless terminal satisfies a certain security level, the HGW generates a VPN account.
  • thereby, security can be further improved as compared with the first embodiment.
  • it is also conceivable to use a password authentication method that requests a password when issuance of a VPN account is requested, specifically a method in which the password is sent with the VPN account generation request. This method may be combined with the method described in the first embodiment or the method described in the second embodiment.
  • Embodiment 3 the account automatic setting method of the VPN connection service has been described.
  • an automatic setting method can be applied to any service that needs to be set in both the mobile wireless terminal and the HGW. It is.
  • a system that controls home electric appliances in response to a web browser access of a portable wireless terminal from outside the house has been studied.
  • the communication apparatus is useful as a communication apparatus having a VPN connection function, and is particularly suitable for a communication apparatus having a function of operating as a wireless LAN access point (master station).
  • HGW: home gateway
  • 2: public network; 3: home network
  • 4: mobile wireless terminal; 5-7: in-home devices
  • 8: VPN; 9: wireless LAN
  • 10: SIP server; 101, 101a: CPU board; 102: layer 2 switch (L2SW); 103: router function unit; 104: other-functions unit; 105: WAN interface; 106-108: home network connection ports; 109, 110: internal connection ports; 111: wireless LAN connection port; 112: VPN account database (DB); 113: wireless LAN authentication setting database (DB); 114: wireless LAN unit; 115: PPP; 116: IPsec; 117: PPPoE; 118: L2TP; 119: NAPT; 120: packet filtering function (Packet Filtering); 121: account auto-generation unit; 122: account auto-generation database (DB); 123: incoming call history database (DB); 401: public network connection function unit; 402: wireless LAN connection function unit; 403: VPN client function unit; 404: OS and other functions unit; 405: home appliance control S/W; 406: home appliance control unit; 407: VPN setting communication unit; 408

Abstract

The present invention provides a communication apparatus that operates, as a home gateway (1), in a communication system comprising: mobile radio terminals (4) capable of connecting to a home network (3) and to a public network (2); and the home gateway (1) that is located at a point connecting the home network (3) and public network (2) and that provides a first service to the mobile radio terminals (4) on the side of the home network (3) and also provides a second service to the mobile radio terminals (4) on the side of the public network (2). When the communication apparatus operating as the home gateway (1) receives a request from that one of the mobile radio terminals (4) currently using the first service which has a security level satisfying a given condition, the communication apparatus generates and transmits, to the requesting mobile radio terminal (4), information necessary for using the second service, while setting the requesting mobile radio terminal (4) as a mobile radio terminal (4) that can use the second service.

Description

Communication apparatus and communication system
The present invention relates to a communication apparatus that connects a public network and a home network, and to a communication system including that communication apparatus.
Advances in network technology have made communication devices cheap and small, and today many kinds of equipment operate connected to a network. Appliances installed in the home, too, increasingly have a communication function that lets them operate in conjunction with information outside the device rather than standalone, thanks to richer in-home network environments. For example, network-connectable home electrical appliances such as televisions, recorders and air conditioners (hereinafter "home appliances") have appeared in recent years.
For such network-connectable home appliances, M2M (Machine to Machine) technology, in which devices operate in cooperation with one another, and power visualization technology for energy saving, among others, are being researched.
One function under study is remote operation from outside the home. For example, systems already exist in which reservation information is entered into a digital recorder in the home from an external system. The digital recorder is installed connected to the home network; through the home network it connects to the public network and then to a server that manages the recorder's reservations. The user enters reservation information on the server, and that information is transferred to the digital recorder when the recorder accesses the server.
Such control via a server can be regarded as indirect remote operation of a home appliance. There are also methods of direct control that do not go through a server. For example, one way to connect to the home network from outside, such as from the Internet, is to set up a virtual private network (VPN), using an encryption protocol such as IPsec (Security Architecture for Internet Protocol), between the home gateway (HGW), which is the connection point between the home network and the public network, and the terminal connecting to the home network, and then to access the home appliances without going through a server.
When remote access via a VPN is used, the control scheme used inside the home network can be applied unchanged across the remote access through the VPN, so local control and operation inside the home network and control and operation from outside can be realized with the same interface. In particular, the mobile phones called smartphones that have spread rapidly in recent years come with a VPN client function as standard, and manufacturers distribute home appliance control apps in response to the growing demand for smartphone use, so a common in-home and out-of-home interface via VPN connection is considered a good fit for them.
To make a VPN connection to the home network, however, a VPN server must be exposed on the router or home gateway in the home, and configuring the VPN connection requires network expertise; for general users this is complicated and has a high barrier to entry. One reason VPN configuration is difficult is that settings are needed on both the server side and the client side. On the server side, for example, account settings such as user name and password and registration with a DDNS (Dynamic Domain Name System) service for resolving the server's IP address are required, and the client side must then be configured to match the server. Some commercially available home routers today have a VPN server function, but the above settings must be registered manually from the browser configuration screen on a setup PC, and an account must also be set up manually on the smartphone. Manual configuration of both the router and the smartphone is considered a high barrier for homemakers and elderly people with little network knowledge. When VPN connection to the home network becomes commonplace in the future, homemakers and the elderly are expected to be the main users, so a technique that solves this problem is needed.
From this point of view, Patent Document 1 discloses a technique for connecting using a SIP server. This technique, called "SIP dial-up connection", establishes a VPN connection triggered by placing a telephone call to a home gateway that has a telephone function. Registration with an IP address lookup system such as DDNS therefore becomes unnecessary, which is considered to reduce the user's burden. In Patent Document 1, however, the user must register an account by hand on both the home gateway and the client terminal that actually makes the VPN connection, which is cumbersome in this respect.
Patent Document 2, on the other hand, proposes a method that eliminates the effort of account registration by automating the registration of accounts for VPN connection.
Patent Document 1: Japanese Patent No. 4750761
Patent Document 2: Japanese National Phase Publication (Tokuhyo) No. 2007-538311
In the invention described in Patent Document 2, however, settings are issued to every terminal that sends an activation key, so there is a security problem as to which terminals are authenticated and for which terminals accounts are automatically generated.
The present invention was made in view of the above, and its object is to provide a communication apparatus and a communication system capable of VPN connection setup that both maintains high security and eliminates the complexity of the user's work.
To solve the above problems and achieve the object, the present invention is a communication apparatus that operates as the gateway in a communication system comprising: a wireless terminal connectable to a home network and to an external network; and a gateway that is located at the connection point between the home network and the external network, provides a first service to the wireless terminal on the home network side, and provides a second service to the wireless terminal on the external network side. The communication apparatus comprises information management means that, when it receives a request from one of the wireless terminals using the first service whose security level satisfies a certain condition, generates and returns the information needed to use the second service and sets the requesting wireless terminal as a wireless terminal permitted to use the second service.
With the communication apparatus according to the present invention, the necessary settings are made automatically for a wireless terminal that satisfies a certain condition and manual configuration is not required, which has the effect of raising security during the setup operation and eliminating the complexity of the user's work.
FIG. 1 is a diagram showing a configuration example of the communication system of the first embodiment.
FIG. 2 is a diagram showing the communication form in which the mobile wireless terminal connects to the HGW using the VPN.
FIG. 3 is a diagram showing a configuration example of the HGW.
FIG. 4 is a diagram showing a configuration example of the mobile wireless terminal.
FIG. 5 is a diagram showing a configuration example of the VPN account DB.
FIG. 6 is a diagram showing a configuration example of the wireless LAN authentication setting DB.
FIG. 7 is a diagram showing a configuration example of the account auto-generation DB.
FIG. 8 is a diagram showing an example of the sequence for setting up a VPN account in the communication system of the first embodiment.
FIG. 9 is a diagram showing a configuration example of the communication system of the second embodiment.
FIG. 10 is a diagram showing a configuration example of the HGW of the second embodiment.
FIG. 11 is a diagram showing a configuration example of the incoming call history DB.
FIG. 12 is a diagram showing a configuration example of the account auto-generation DB of the second embodiment.
FIG. 13 is a diagram showing an example of the sequence for setting up a VPN account in the communication system of the second embodiment.
Embodiments of the communication apparatus and communication system according to the present invention will now be described in detail with reference to the drawings. The present invention is not limited to these embodiments.
Embodiment 1.
FIG. 1 is a diagram showing a configuration example of the communication system of the first embodiment. As shown, the communication system of this embodiment comprises a home gateway (HGW) 1, a public network 2, a home network 3, a mobile wireless terminal 4 and in-home devices 5 to 7.
HGW 1 is a gateway that connects the public network 2, as the external network, and the home network 3. It also has a function of operating as a wireless LAN access point and a function of operating as a VPN server. The public network 2 is a general term for the Internet and the data communication networks of mobile phones and is often an aggregate of several networks. The home network 3 accommodates the devices in the home; the in-home devices 5 to 7 are connected to it by wired LAN or wireless LAN. The mobile wireless terminal 4 is connected to HGW 1 by the wireless LAN 9. The mobile wireless terminal 4 also has a function of making a VPN connection to HGW 1 via the public network 2; the prior setup (account setup) needed for that VPN connection is completed by running the account auto-setting sequence described later at the time it connects to the wireless LAN 9. The in-home devices 5 to 7 are, for example, a television, a recorder, an air conditioner or the like with a network connection function.
FIG. 2 is a diagram showing the communication form in which the mobile wireless terminal 4 connects to HGW 1 using the VPN 8. As shown in FIG. 2, by connecting to HGW 1 through the VPN 8 the mobile wireless terminal 4 can remotely access the devices in the home network 3 (in-home devices 5 to 7). To use the VPN 8, the mobile wireless terminal 4 must first have set up an account for the VPN connection with HGW 1 in the connection form shown in FIG. 1. The in-home devices 5 to 7 connected to the home network 3 can accept control from a mobile wireless terminal 4 connected via the VPN.
FIG. 3 is a diagram showing a configuration example of HGW 1, the communication apparatus according to the present invention. HGW 1 is broadly composed of two functional blocks, a CPU board 101 and a layer 2 switch (L2SW) 102.
The L2SW 102 has several home network connection ports 106 to 108 and an internal connection port 109. The L2SW 102 is not essential to HGW 1 and may be omitted depending on the configuration.
The CPU board 101 has as its main components a router function unit 103, an other-functions unit 104, a WAN interface 105, an internal connection port 110, a wireless LAN connection port 111, a VPN account database (DB) 112, a wireless LAN authentication setting database (DB) 113, a wireless LAN unit 114, an account auto-generation unit 121 and an account auto-generation database (DB) 122.
The router function unit 103 implements the communication protocol stacks and the functions used by each protocol: protocol stacks such as PPP 115, IPsec 116, PPPoE 117, L2TP 118 and NAPT 119, and a packet filtering function (Packet Filtering) 120 that realizes a firewall as part of the router function. The other-functions unit 104 is a processing unit that provides functions not included in the router function unit 103, such as the setting parameter management function, GUI function and telephone function needed to operate HGW 1 as a device. The WAN interface 105 is the interface for connecting to the public network, the internal connection port 110 is the interface for connecting to the L2SW 102 on the home network 3 side, and the wireless LAN connection port 111 is the port for the wireless LAN connection. The VPN account DB 112 manages the accounts, that is, the user names and user authentication passwords, of the users permitted to use the VPN remote access system (users permitted to make a VPN connection to this HGW 1). The wireless LAN authentication setting DB 113 stores the settings the wireless LAN unit 114 uses to authenticate wireless devices. When the wireless LAN unit 114 receives a connection request from a wireless LAN terminal such as the mobile wireless terminal 4, it runs the terminal authentication process and, if authentication succeeds, accepts the wireless LAN connection. When the account auto-generation unit 121 receives a request from a terminal connected by wireless LAN (for example the mobile wireless terminal 4), it consults the account auto-generation DB 122, generates an account for the VPN connection (user name, password and other information), and changes the settings within its own device so that the requesting terminal can make a VPN connection. The account auto-generation DB 122 holds the settings (information) that the account auto-generation unit 121 consults when generating an account for the VPN connection.
FIG. 4 is a diagram showing a configuration example of the mobile wireless terminal 4. Its main components are a public network connection function unit 401, a wireless LAN connection function unit 402, a VPN client function unit 403, an OS and other functions unit 404 and home appliance control software (S/W) 405. The home appliance control S/W 405 comprises a home appliance control unit 406, a VPN setting communication unit 407, a VPN client setting unit 408 and an other-functions unit 409.
The public network connection function unit 401 connects to the mobile carrier's public network and performs Internet data communication and telephone communication. The wireless LAN connection function unit 402 connects to HGW 1 and other wireless LAN access points. The VPN client function unit 403 makes the VPN connection and implements VPN client functions such as IPsec, L2TP (Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol). The VPN client function unit 403 may be built into the home appliance control S/W 405. The OS and other functions unit 404 contains other functions such as the OS. The home appliance control S/W 405 communicates with and controls the in-home devices 5 to 7 within the home network, and also performs the automatic VPN setup with HGW 1. Within the home appliance control S/W 405, the home appliance control unit 406 performs the appliance control. The VPN setting communication unit 407 performs the VPN setting negotiation for automatically setting up the VPN connection account. The VPN client setting unit 408 holds the setting information for operating as a VPN client (that is, the VPN connection account). The VPN setting communication unit 407 may also have a function of sending information unique to its own device (the mobile wireless terminal 4), such as its telephone number or MAC address, to HGW 1. The other-functions unit 409 contains general software functions such as the GUI. When the mobile wireless terminal 4, which includes the VPN setting communication unit 407 and the VPN client setting unit 408, is connected to the in-home wireless LAN, the VPN setting communication unit 407 of the home appliance control S/W 405 is started and the account auto-setting sequence described later is executed, so that the account settings for the VPN connection to HGW 1 are made automatically (the account setup completes without requiring the user to enter information or perform any other operation).
FIG. 5 is a diagram showing a configuration example of the VPN account DB 112 in HGW 1 (see FIG. 3). As shown, the VPN account DB 112 manages "user", "user name" and "password" in association with one another. "User" identifies the user; "user name" and "password" are the information used in the authentication process for the associated user. In the IPsec assumed for HGW 1 of this embodiment, a user authentication method called XAUTH is commonly used: the user name and password are registered in advance, and when an IPsec client requests a connection, the user name and password it sends are checked against the registered values to decide whether to permit the IPsec client's connection. For example, in the authentication process for the mobile wireless terminal 4 of user #1 as an IPsec client, HGW 1 treats the authentication as successful and permits the connection if the terminal sends user name = user_1 and password = pa***1, and otherwise treats it as failed and refuses the connection. The VPN account DB 112 is described here as holding the user accounts (user name and password) for such IPsec XAUTH authentication, but depending on the implementation of the VPN function the information the VPN account DB 112 holds (manages) is not limited to this.
FIG. 6 is a diagram showing a configuration example of the wireless LAN authentication setting DB 113 in HGW 1 (see FIG. 3). As shown, the wireless LAN authentication setting DB 113 manages parameters such as "wireless interface", "SSID", "authentication method" and "password". "Wireless interface" identifies an actual wireless interface such as the wireless LAN connection port 111 (see FIG. 3). "SSID" is the identifier of the wireless LAN access point, a name assigned to avoid interference. "Authentication method" is the method the wireless LAN client software uses for connection authentication; encryption schemes such as WEP/WPA/WPA2 exist. "Password" is the password a client terminal such as the mobile wireless terminal 4 needs to connect to the wireless LAN access point, that is, the password used in the connection authentication that decides whether the connection is permitted. When the wireless LAN unit 114 of HGW 1 receives a connection request from the mobile wireless terminal 4 or another device, it consults this wireless LAN authentication setting DB 113 to decide whether to accept the request. The description in this embodiment is based on the wireless LAN access point software hostapd, but depending on the implementation of the wireless LAN function the information held in the wireless LAN authentication setting DB 113 is not limited to this.
FIG. 7 is a diagram showing a configuration example of the account auto-generation DB 122 in HGW 1 (see FIG. 3). As shown, the account auto-generation DB 122 records the settings for automatically generating a VPN connection account, and manages "reference DB" and "security level" as setting items. "Reference DB" names the database consulted when generating an account; in the example of FIG. 7 it designates the wireless LAN authentication setting DB 113. "Security level" contains detailed parameters such as "authentication method" and "password". For example, "authentication method" lists the wireless LAN authentication methods for which automatic account generation is permitted, and "password" gives the number of password characters required for automatic account generation to be permitted. The account auto-generation unit 121 of HGW 1 decides whether to accept an account generation request based on the "reference DB" and "security level" managed in the account auto-generation DB 122. Specifically, it accepts the account generation request when the information registered in the database named by "reference DB" satisfies the conditions set in "security level". Several databases may be set in "reference DB". When the account auto-generation DB 122 has the contents shown in FIG. 7, the account auto-generation unit 121 consults the wireless LAN authentication setting DB 113 and accepts the account generation request (generates a VPN account) if the "authentication method", "password" and other values managed there satisfy the "security level" of the account auto-generation DB 122, specifically, if the authentication method is WEP, WPA or WPA2 and the password is n characters or longer. Depending on the implementation of the account auto-generation unit 121, the information held in the account auto-generation DB 122 is not limited to this.
FIG. 8 shows an example of a sequence for setting up a VPN account in the communication system of Embodiment 1.
While VPN account setup has not been completed, the mobile wireless terminal 4 is refused even if it sends a VPN connection request to the HGW 1 via the public network 2 (steps S11, S12). In this case the mobile wireless terminal 4 connects to the HGW 1 over the wireless LAN in the home network 3 and sets up a VPN account, after which VPN connection to the HGW 1 becomes possible. The VPN account setup procedure is as follows.
In the VPN account setup operation, the mobile wireless terminal 4 performs wireless LAN authentication by a prescribed authentication method such as password authentication and establishes a connection with the HGW 1 (step S21). Wireless LAN authentication is performed with reference to the information registered in the wireless LAN authentication setting DB 113. Next, to signal that it wants to make VPN connections, the mobile wireless terminal 4 sends a VPN account generation request to the HGW 1 (step S22). The VPN setting communication unit 407 generates and sends the VPN account generation request.
In the HGW 1 that receives the VPN account generation request, the request is passed via the wireless LAN unit 114 to the account auto-generation unit 121, which first consults the account auto-generation DB 122 (step S23). The description continues on the assumption that the account auto-generation DB 122 has the contents shown in FIG. 7. Since FIG. 7 specifies "reference DB = wireless LAN authentication setting DB", the account auto-generation unit 121 next consults the wireless LAN authentication setting DB 113 and checks whether the security level of the mobile wireless terminal 4 is at or above the set value, that is, at or above the security level set in the account auto-generation DB 122 (step S24). Here it is assumed that it is. When the security level of the mobile wireless terminal 4 is at or above the set value, the account auto-generation unit 121 regards the terminal's identity as having been verified by the wireless LAN connection and, relying on that, generates a VPN account. It registers the generated information in the VPN account DB 112 (step S25). At this time it also performs the various settings needed to permit VPN connection by the requesting mobile wireless terminal 4, for example registration with DDNS. The method of generating each item of information contained in the VPN account is not prescribed here; any existing method may be used. The wireless LAN unit 114 then sends the VPN account generated by the account auto-generation unit 121 to the requesting mobile wireless terminal 4, issuing it to the terminal (step S26).
On receiving the VPN account in response to the VPN account generation request sent in step S22, the mobile wireless terminal 4 configures the received VPN account (step S27). The VPN client setting unit 408 performs the VPN account configuration.
FIG. 8 shows the case where step S24 judges the security level of the mobile wireless terminal 4 that sent the VPN account generation request to be at or above the set value; depending on the contents of the account auto-generation DB 122, the security level may instead be judged to be below the set value. In that case the processing from step S25 onward is not executed, and the HGW 1 notifies the mobile wireless terminal 4 that generation of the VPN account has been refused. The mobile wireless terminal 4 and the HGW 1 must then complete the setup by another method, for example manual configuration of the VPN account by the user, or raising the security level to the set value or above and resending the VPN account generation request.
Having been issued a VPN account through steps S22 to S27, the mobile wireless terminal 4 can now make a VPN connection to the HGW 1 via the public network 2 (steps S31, S32).
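The FIG. 7 policy check and the FIG. 8 sequence, as an added runnable model that is not the patent's own code. It assumes the names HomeGateway, WlanAuthSetting, meets_security_level and run_sequence, a policy dictionary with the keys auth_methods and min_password_len, n = 8 for the patent's "n characters or more", and a constructed SSID, password and terminal identifier. The patent's list of acceptable methods includes WEP; WEP has been practically broken since 2001, so the block also carries a hardened policy (my addition) that accepts only WPA2 or WPA3 and a 12-character minimum, and shows the same terminal being refused under it.

```python
"""Embodiment 1 of WO2014083653A1 as a runnable model (added example, not the
patent's code): the home gateway (HGW) issues a VPN account to a wireless
terminal only while the terminal is associated over the home WLAN and the WLAN
profile it authenticated against satisfies the account auto-generation policy
of FIG. 7 (authentication method and minimum password length)."""
import secrets
from dataclasses import dataclass, field

# FIG. 7 policy as the patent states it; n = 8 is an assumed value for "n characters or more".
PATENT_POLICY = {"auth_methods": {"WEP", "WPA", "WPA2"}, "min_password_len": 8}
# Hardened policy (my addition, not in the patent): WEP and WPA are excluded.
HARDENED_POLICY = {"auth_methods": {"WPA2", "WPA3"}, "min_password_len": 12}


@dataclass
class WlanAuthSetting:
    """One row of the wireless LAN authentication setting DB 113."""
    ssid: str
    auth_method: str
    password: str


def meets_security_level(setting, policy):
    """Step S24: does the WLAN profile satisfy the 'security level' conditions?"""
    return (setting.auth_method in policy["auth_methods"]
            and len(setting.password) >= policy["min_password_len"])


@dataclass
class HomeGateway:
    wlan_auth_db: dict                                  # ssid -> WlanAuthSetting (DB 113)
    account_policy: dict                                # account auto-generation DB 122
    vpn_account_db: dict = field(default_factory=dict)  # username -> secret (VPN account DB 112)
    wlan_sessions: set = field(default_factory=set)     # (terminal, ssid) currently associated

    def wlan_connect(self, terminal_id, ssid, password):
        """Step S21: WLAN authentication against DB 113 (constant-time compare)."""
        setting = self.wlan_auth_db.get(ssid)
        if setting is None or not secrets.compare_digest(setting.password, password):
            return False
        self.wlan_sessions.add((terminal_id, ssid))
        return True

    def request_vpn_account(self, terminal_id, ssid):
        """Steps S22 to S26: returns the issued account, or None when generation is refused."""
        if (terminal_id, ssid) not in self.wlan_sessions:   # request must arrive over the WLAN
            return None
        if not meets_security_level(self.wlan_auth_db[ssid], self.account_policy):
            return None                                      # S24 failed: no S25/S26
        account = {"user": f"vpn-{terminal_id}", "secret": secrets.token_urlsafe(24)}
        self.vpn_account_db[account["user"]] = account["secret"]   # step S25
        return account                                               # step S26

    def vpn_connect(self, user, secret):
        """VPN connection request over the public network: S11/S12 before, S31/S32 after."""
        stored = self.vpn_account_db.get(user)
        return stored is not None and secrets.compare_digest(stored, secret)


def run_sequence(policy, ssid="home", wlan_password="correct horse battery", auth="WPA2"):
    """FIG. 8 end to end with constructed inputs.
    Returns (denied_before_setup, account_issued, allowed_after_setup)."""
    hgw = HomeGateway({ssid: WlanAuthSetting(ssid, auth, wlan_password)}, policy)
    denied_before = not hgw.vpn_connect("vpn-phone1", "guess")          # S11, S12
    assert hgw.wlan_connect("phone1", ssid, wlan_password)              # S21
    account = hgw.request_vpn_account("phone1", ssid)                   # S22 to S27
    allowed_after = account is not None and hgw.vpn_connect(account["user"], account["secret"])
    return denied_before, account is not None, allowed_after           # S31, S32


if __name__ == "__main__":
    print("patent policy, WPA2:", run_sequence(PATENT_POLICY))
    print("hardened policy, WEP:", run_sequence(HARDENED_POLICY, auth="WEP"))
```

The request is only honoured for a (terminal, SSID) pair that is currently associated, which is what "while using the first service" in the claims amounts to; a request that reaches the gateway any other way is refused before the policy is even consulted.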
Thus, in the communication system of this embodiment, the mobile wireless terminal sends a VPN account generation request while connected to the HGW via the wireless LAN, and the HGW that receives the request generates a VPN account when it judges that the requesting mobile wireless terminal satisfies a certain security level. Manual VPN account configuration therefore becomes unnecessary for mobile wireless terminals that meet the conditions, reducing the configuration burden of using a VPN. In other words, relying on the strong authentication performed at wireless LAN connection, an account for the VPN connection service can be issued automatically, solving the cumbersome manual VPN configuration that was a problem in the prior art. In addition, security during automatic account setup of the mobile wireless terminal can be improved.
Although this embodiment has been described using a home gateway as an example, it is also applicable to a home router that has wireless LAN and VPN functions.
Also, although the case of setting up a VPN account has been described, this embodiment is applicable when setting up any function that requires a procedure similar to conventional VPN account setup, that is, any function that requires manual configuration on both of two communication devices.
Embodiment 2.
In Embodiment 1 above, a communication device (home gateway) that issues VPN accounts on the strength of the wireless LAN authentication was described. The home gateway of this embodiment, by contrast, decides whether to issue a VPN account by taking other information held on the HGW into account in addition to the wireless LAN authentication strength. This embodiment further improves security during automatic account setup. Only the parts that differ from Embodiment 1 are described.
FIG. 9 shows a configuration example of the communication system of Embodiment 2. This communication system adds a SIP server 10 to the communication system of Embodiment 1 shown in FIG. 1 and replaces the HGW 1 with an HGW 1a. The SIP server 10 relays the messages exchanged to establish a session between SIP (Session Initiation Protocol) clients and holds information on each SIP client. The HGW 1a and the mobile wireless terminal 4 of this embodiment are assumed to have the function of operating as SIP clients.
FIG. 10 shows a configuration example of the HGW 1a. The HGW 1a replaces the CPU board 101 of the HGW 1 of Embodiment 1 (see FIG. 3) with a CPU board 101a. The CPU board 101a is the CPU board 101 with an incoming-call history database (DB) 123 added.
FIG. 11 shows a configuration example of the incoming-call history DB 123 of the HGW 1a. As shown, the incoming-call history DB 123 manages "telephone number" and "incoming-call time". "Telephone number" is the number of the party that called the HGW 1a itself, and "incoming-call time" is the date and time at which the call arrived. When a call arrives, the HGW 1a registers the caller's telephone number together with the time (date and time) in the incoming-call history DB 123. Registration in the incoming-call history DB 123 is performed by the other function unit 104.
In this embodiment the account auto-generation DB 122 of the HGW 1a is configured as shown in FIG. 12: the wireless LAN authentication setting DB and the incoming-call history DB 123 are set as reference DBs. The security level parameters associated with the wireless LAN authentication setting DB are "authentication method" and "password", as in Embodiment 1. The security level parameter associated with the incoming-call history DB 123 is the "incoming-call window", defined as the time elapsed since the incoming call. In the example of FIG. 12 the "incoming-call window" is set to "within 5 minutes"; in this case the HGW 1a issues a VPN account to a mobile wireless terminal that satisfies the security level conditions (authentication method and password) associated with the wireless LAN authentication setting DB 113 and from which a call was received within the past 5 minutes. The set value of the "incoming-call window" may be any other value.
FIG. 13 shows an example of a sequence for setting up a VPN account in the communication system of Embodiment 2. In the sequence of FIG. 13, processing common to the sequence of Embodiment 1 (see FIG. 8) carries the same step numbers; steps S41, S42 and S24a are the processing that differs from Embodiment 1, and the description centres on those differences. The incoming-call history DB 123 is configured as shown in FIG. 11 and the account auto-generation DB 122 as shown in FIG. 12.
The mobile wireless terminal 4 performs wireless LAN authentication (step S21), establishes a connection with the HGW 1a, and then places a telephone call to the HGW 1a. As a result, the HGW 1a receives an incoming call via the SIP server 10 (step S41). The HGW 1a registers the caller's telephone number and the date and time of the incoming call in the incoming-call history DB 123 (step S42). The HGW 1a need not answer the call. Although not shown, the mobile wireless terminal 4 abandons the call once it detects that ringing of the HGW 1a has started.
The mobile wireless terminal 4 then sends a VPN account generation request to the HGW 1a to signal that it wants to make VPN connections (step S22), attaching its own telephone number to the request.
In the HGW 1a that receives the VPN account generation request, the account auto-generation unit 121 first consults the account auto-generation DB 122 (step S23). Since the reference DBs in the account auto-generation DB 122 of FIG. 12 are the wireless LAN authentication setting DB and the incoming-call history DB, the account auto-generation unit 121 next consults the wireless LAN authentication setting DB 113 and checks whether the configured authentication method and password satisfy the conditions set in the account auto-generation DB 122; if they do, it further consults the incoming-call history DB 123 and checks whether an incoming call from the mobile wireless terminal 4 that sent the VPN account generation request occurred within the past fixed period (within 5 minutes) (step S24a). Here it is assumed that a call was received within the past 5 minutes, that is, that the security level of the mobile wireless terminal 4 is at or above the value set in the account auto-generation DB 122. When the security level of the mobile wireless terminal 4 is at or above the value set in the account auto-generation DB 122, the terminal's identity is regarded as having been verified by both the wireless LAN connection and the telephone number, and relying on that, the account auto-generation unit 121 creates a VPN account and registers it in the VPN account DB 112 as in Embodiment 1 (step S25). The subsequent procedure is the same as in Embodiment 1.
The order in which the databases are consulted in step S24a may be reversed (the incoming-call history DB 123 may be checked first).
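The incoming-call history check of step S24a, as an added runnable model that is not the patent's own code. It assumes the names IncomingCallHistory, normalize_number, evaluate_request and demo, that the VPN account generation request is a dictionary carrying the terminal's number under the key phone_number, that numbers are compared by their digits only, and that the Embodiment 1 WLAN policy result is supplied as a boolean; the telephone numbers and timestamps are constructed. Beyond the case in the text it also shows the request being refused when the window has expired, when the number in the request never called, and when a history record is dated after the request (clock skew or a replayed record).

```python
"""Embodiment 2 of WO2014083653A1 as a runnable model (added example, not the
patent's code): before the HGW 1a issues a VPN account it additionally requires
that the number carried in the request (step S22) placed a call to the HGW
within the configured window (FIG. 12: 5 minutes), using the incoming-call
history DB 123 of FIG. 11 that step S42 fills."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CALL_WINDOW = timedelta(minutes=5)          # FIG. 12: "within 5 minutes"


def normalize_number(number):
    """Compare numbers by digits only, so '090-1234-5678' == '09012345678' (my choice)."""
    return "".join(ch for ch in number if ch.isdigit())


@dataclass
class IncomingCallHistory:
    """Incoming-call history DB 123: (caller number, time of incoming call)."""
    entries: list = field(default_factory=list)

    def record(self, caller_number, at):
        """Step S42: store the caller's number and the time the call arrived."""
        self.entries.append((normalize_number(caller_number), at))

    def called_within(self, number, now, window=CALL_WINDOW):
        """Step S24a: did `number` call within the past `window`?
        Records dated after `now` (clock skew, replayed record) do not count."""
        number = normalize_number(number)
        return any(n == number and timedelta(0) <= now - t <= window
                   for n, t in self.entries)


def evaluate_request(request, wlan_ok, call_db, now, window=CALL_WINDOW):
    """Decide whether step S25 (account generation) runs for one request.
    `request` is the step S22 message as a dict; the terminal's own number is
    expected under the assumed key 'phone_number'. `wlan_ok` is the Embodiment 1
    WLAN policy result, which must pass first. Returns (decision, reason)."""
    if not wlan_ok:
        return False, "wlan security level below policy"
    number = request.get("phone_number")
    if not number:
        return False, "request carries no phone number"      # claim 4 requires it
    if not call_db.called_within(number, now, window):
        return False, "no incoming call from this number within window"
    return True, "wlan policy met and recent call confirmed"


def demo():
    """Constructed scenario: 090-1234-5678 calls the HGW at 10:00:00 (S41/S42).
    Returns the decisions for a request 3 minutes later, one 6 minutes later,
    one from a number that never called, and one dated before the call."""
    db = IncomingCallHistory()
    t0 = datetime(2012, 11, 29, 10, 0, 0)
    db.record("090-1234-5678", t0)
    req = {"phone_number": "09012345678"}                    # same number, different formatting
    legit = evaluate_request(req, True, db, t0 + timedelta(minutes=3))[0]
    late = evaluate_request(req, True, db, t0 + timedelta(minutes=6))[0]
    other = evaluate_request({"phone_number": "080-9999-0000"}, True, db,
                             t0 + timedelta(minutes=1))[0]
    skewed = evaluate_request(req, True, db, t0 - timedelta(minutes=1))[0]
    return legit, late, other, skewed


if __name__ == "__main__":
    print(demo())
```

Because the number is supplied by the requester, the check ties the request to a recent call from that number, not to possession of the handset; the short window and the preceding WLAN check are what limit the exposure, which is why evaluate_request refuses before touching the call history when the WLAN policy fails.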
Thus, in the communication system of this embodiment, the mobile wireless terminal places a call to the HGW before sending a VPN account generation request while connected to the HGW via the wireless LAN, and the HGW that receives the request generates a VPN account when it judges that the requesting mobile wireless terminal satisfies a certain security level. Because a VPN account is not issued to anyone who does not know the procedure of calling the HGW (and its telephone number), this embodiment further improves security compared with Embodiment 1.
As another way of raising the security level, there is also a password authentication method that demands a password when issuance of a VPN account is requested, specifically a scheme in which the password is sent in the VPN account generation request. This scheme may be combined with the scheme of Embodiment 1 or that of Embodiment 2.
Embodiment 3.
Embodiments 1 and 2 above described automatic account setup for a VPN connection service, but such an automatic setup method can be applied to any service that requires configuration on both the mobile wireless terminal and the HGW. For example, systems are being studied in which a mobile wireless terminal outside the home controls home appliances through web browser access. Such a system requires a user account to be created on the HGW side and its information to be configured in the browser software of the mobile wireless terminal. Applying the techniques of Embodiments 1 and 2 to services like this that require configuration on both the HGW and the mobile wireless terminal eliminates manual configuration by the user and removes the configuration burden.
As described above, the communication device according to the present invention is useful as a communication device having a VPN connection function, and is particularly suitable for a communication device that also functions as a wireless LAN access point (master station).
1, 1a home gateway (HGW); 2 public network; 3 home network; 4 mobile wireless terminal; 5 to 7 in-home devices; 8 VPN; 9 wireless LAN; 10 SIP server; 101, 101a CPU board; 102 layer 2 switch (L2SW); 103 router function unit; 104 other function unit; 105 WAN interface; 106 to 108 home network connection ports; 109, 110 internal connection ports; 111 wireless LAN connection port; 112 VPN account database (DB); 113 wireless LAN authentication setting database (DB); 114 wireless LAN unit; 115 PPP; 116 IPsec; 117 PPPoE; 118 L2TP; 119 NAPT; 120 packet filtering function; 121 account auto-generation unit; 122 account auto-generation database (DB); 123 incoming-call history database (DB); 401 public network connection function unit; 402 wireless LAN connection function unit; 403 VPN client function unit; 404 OS and other function unit; 405 home appliance control S/W; 406 home appliance control unit; 407 VPN setting communication unit; 408 VPN client setting unit; 409 other function unit.

Claims (5)

  1.  A communication device that operates as the gateway in a communication system comprising a wireless terminal connectable to a home network and an external network, and a gateway located at the connection point between the home network and the external network that provides a first service to the wireless terminal on the home network side and a second service to the wireless terminal on the external network side, the communication device comprising:
     information management means which, on receiving a request from a wireless terminal that is using the first service and whose security level satisfies a certain condition, generates and returns the information needed to use the second service and sets the requesting wireless terminal as a wireless terminal permitted to use the second service.
  2.  The communication device according to claim 1, wherein the first service is wireless LAN communication and the second service is a VPN connection service.
  3.  The communication device according to claim 1, wherein the first service is wireless LAN communication and the second service is control, by web browser access, of home appliances connected to the home network.
  4.  The communication device according to claim 1, 2 or 3, further comprising an incoming-call history database which, when a telephone call is received, acquires and stores the caller's telephone number and the time of the incoming call,
     wherein the information management means judges that the security level satisfies the certain condition when the request signal from the wireless terminal contains the telephone number of that wireless terminal and an incoming call from that wireless terminal has occurred within a certain past period.
  5.  A communication system comprising:
     a wireless terminal connectable to a home network and an external network; and
     a gateway located at the connection point between the home network and the external network, providing a first service to the wireless terminal on the home network side and a second service to the wireless terminal on the external network side,
     wherein the wireless terminal, while using the first service, requests from the gateway the information needed to use the second service, and
     the gateway, on receiving the request, checks whether the security level of the requesting wireless terminal satisfies a certain condition and, if it does, generates and returns the information needed to use the second service and sets the requesting wireless terminal as a wireless terminal permitted to use the second service.
Application PCT/JP2012/080936, priority and filing date 2012-11-29, "Communication apparatus and communication system", published as WO2014083653A1 (WO, English) on 2014-06-05. Family ID 50827326; this is the only application in the family.

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002042861A2 (en) * 2000-11-13 2002-05-30 Ecutel, Inc. System and method for secure network mobility
US20020066036A1 (en) * 2000-11-13 2002-05-30 Gowri Makineni System and method for secure network mobility
EP1350151A2 (en) * 2000-11-13 2003-10-08 Ecutel, Inc. System and method for secure network mobility
JP2004524724A (en) * 2000-11-13 2004-08-12 エクテル・インコーポレーテッド System and method for improving mobility on a reliable network
JP2004180020A (en) * 2002-11-27 2004-06-24 Toshiba Corp Communication repeater, communication system, and communication control program
US20040158634A1 (en) * 2002-11-27 2004-08-12 Kabushiki Kaisha Toshiba Communication scheme using outside DTCP bridge for realizing copyright protection
JP2007082079A (en) * 2005-09-16 2007-03-29 Nec Corp Inter-network connecting device and simple authentication system and method using the same
JP2009246957A (en) * 2008-03-11 2009-10-22 Nec Corp Security policy control system, security policy control method, and program
JP2010035101A (en) * 2008-07-31 2010-02-12 Yamaha Corp Access control apparatus, and program

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108064442A (en) * 2017-07-25 2018-05-22 深圳前海达闼云端智能科技有限公司 Smart machine control method, control device and control system
CN108064442B (en) * 2017-07-25 2020-12-08 深圳前海达闼云端智能科技有限公司 Intelligent equipment control method, control device and control system

Legal Events

121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 12889134, country EP, kind code A1)
NENP: non-entry into the national phase (ref country code DE)
122 Ep: PCT application non-entry in European phase (ref document number 12889134, country EP, kind code A1)
NENP: non-entry into the national phase (ref country code JP)