WO2020222537A1 - Server for controlling access to a dedicated network by a secondary terminal accessing the dedicated network via a primary terminal, and primary terminal - Google Patents


Info

Publication number
WO2020222537A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
primary
dedicated network
primary terminal
access control
Prior art date
Application number
PCT/KR2020/005694
Other languages
English (en)
Korean (ko)
Inventor
이현송
신태영
Original Assignee
주식회사 케이티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 케이티
Priority claimed from KR1020200052343A (KR102362078B1)
Publication of WO2020222537A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/08 Access security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W76/00 Connection management > H04W76/10 Connection setup > H04W76/12 Setup of transport tunnels
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W8/00 Network data management > H04W8/26 Network addressing or numbering for mobility support
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W88/08 Access point devices

Definitions

  • the present invention relates to a server for controlling access to a private network of a secondary terminal accessing a private network through a primary terminal, and a primary terminal thereof.
  • Private LTE/5G technology separates public networks such as the Internet from private networks such as corporate networks through the Evolved Packet Core (EPC) of the LTE/5G communication system, and connects each terminal to either a public network or a dedicated network. According to the Private LTE/5G technology, the EPC connects the mobile communication terminal to a public network or a dedicated network based on the APN (Access Point Name) provided by the mobile communication terminal during initial access.
  • EPC Evolved Packet Core
  • the Private LTE/5G technology allows access to a dedicated network by allocating a fixed IP (Internet Protocol) only to authorized terminals through a terminal authentication procedure to enhance security. Therefore, the private LTE/5G technology has a technical limitation that is applied only to subscriber terminals of a specific mobile communication service provider that provides a dedicated network service.
  • IP Internet Protocol
  • Secondary terminals, such as mobile communication terminals of other carriers or laptops connecting over Wi-Fi, can connect to a dedicated network through a primary terminal such as an Egg, a mobile router, or a smartphone.
  • However, the authentication procedure and the fixed IP assignment performed for the subscriber terminal of the mobile operator providing the dedicated network service apply only to the primary terminal. That is, a secondary terminal connected to the primary terminal cannot be authenticated by the dedicated network or assigned a static IP used in it. IP allocation to the secondary terminal is performed according to rules set in the primary terminal, and traffic flowing from the secondary terminal to the dedicated network is translated to the IP assigned to the primary terminal through Network Address Translation (NAT) or Port Address Translation (PAT). Therefore, it is impossible to manage and control the security of the secondary terminal in the dedicated network.
  • NAT Network Address Translation
  • PAT Port Address Translation
  • Since the primary terminal allocates a floating IP to the secondary terminal according to a rule set in the primary terminal, IP mobility of the secondary terminal between primary terminals fundamentally cannot be provided: if the secondary terminal accesses primary terminal A, is assigned an IP and uses the service, and then accesses primary terminal B, the IP previously assigned by primary terminal A cannot be used and a new IP must be assigned by the newly connected primary terminal B. Therefore, since the dedicated network manager cannot know the IP used by a secondary terminal accessing the dedicated network through a primary terminal, there is no way to manage and control the secondary terminal.
  • the problem to be solved by the present invention is to provide a dedicated network access control server and a primary terminal capable of controlling access to a dedicated network and managing IP mobility for a secondary terminal accessing a dedicated network through a primary terminal.
  • the dedicated network access control server includes a communication device, a memory, and a processor that executes a program stored in the memory. The processor receives a primary access request from a primary terminal and, if the unique identifier of the primary terminal included in the primary access request is included in pre-registered dedicated network subscriber information, transmits to the primary terminal a primary access approval message approving the primary access request. When a secondary access request of a secondary terminal connected to the primary terminal is received from the primary terminal and the unique identifier of the secondary terminal included in the secondary access request is included in the dedicated network subscriber information, the processor transmits to the primary terminal a secondary access approval message approving the secondary access request, forwards the uplink data of the secondary terminal received from the primary terminal to the dedicated network, and forwards the downlink data destined for the secondary terminal received from the dedicated network to the primary terminal.
  • the processor creates a tunnel with the primary terminal, sets routing information linking the address of the tunnel to the IP address of the secondary terminal, removes the tunneling header from the uplink data based on the routing information before transmitting it to the dedicated network, and may add the tunneling header to the downlink data before transmitting it to the primary terminal.
  • the primary access approval message may include an SSID (Service Set ID) assigned to the primary terminal, and the SSID is broadcast by the primary terminal within its short-range communication coverage and provided to the secondary terminal.
  • SSID Service Set ID
  • the processor receives from the primary terminal a DHCP (Dynamic Host Configuration Protocol) relay message, transmitted by the secondary terminal, requesting allocation of an IP address, and transmits to the primary terminal a DHCP response message including the IP address allocated to the secondary terminal; the DHCP response message may then be transmitted to the secondary terminal by the primary terminal.
  • DHCP Dynamic Host Configuration Protocol
  • the processor sets routing information linking the IP address of the serving primary terminal, to which the secondary terminal is connected, to the IP address of the secondary terminal. If a secondary access request for the secondary terminal received from a target primary terminal is approved, that routing information is deleted and replaced with routing information linking the IP address of the target primary terminal to the IP address of the secondary terminal. The target primary terminal may be the primary terminal serving the coverage that the secondary terminal newly enters after leaving the service coverage of the serving primary terminal.
  • the processor periodically exchanges an authentication message including connection state information of the primary terminal and of the secondary terminals connected to the primary terminal, and may manage the connection state of a secondary terminal using the MAC (Media Access Control) address of the secondary terminal obtained through the authentication message.
  • a primary terminal for connecting a secondary terminal to a dedicated network includes a communication device, a memory storing a program for controlling the operation of the primary terminal, and a processor that executes the program.
  • the processor is connected to the secondary terminal through short-range communication and to a dedicated network access control server, which is connected to the dedicated network, through a mobile communication core network. It transmits to the dedicated network access control server a primary access request requesting access of the primary terminal to the dedicated network and receives a primary access approval message, and transmits a secondary access request requesting access of the secondary terminal to the dedicated network and receives a secondary access approval message.
  • the processor relays transmission and reception of uplink data and downlink data of the secondary terminal between the secondary terminal and the dedicated network; the uplink data and downlink data of the secondary terminal are transmitted and received between the secondary terminal and the dedicated network via the dedicated network access control server.
  • the processor creates a tunnel with the dedicated network access control server and sets routing information associating the address of the created tunnel with the IP address of the secondary terminal. When uplink data of the secondary terminal occurs, a tunneling header is added to the uplink data before it is transmitted to the dedicated network access control server, and the tunneling header is removed from downlink data received from the dedicated network access control server before it is transmitted to the secondary terminal. The tunneling header may be set to contain the tunneling IP address of the primary terminal and the tunneling IP address of the dedicated network access control server.
  • the processor broadcasts the SSID (Service Set ID) allocated to the primary terminal obtained from the primary access approval message in a wireless LAN section, and the SSID may be used for access with the secondary terminal.
  • SSID Service Set ID
  • the processor transmits to the dedicated network access control server a DHCP (Dynamic Host Configuration Protocol) relay message, received from the secondary terminal, requesting IP address allocation for the secondary terminal, and transmits to the secondary terminal the DHCP response message, received from the dedicated network access control server, that includes the IP address of the secondary terminal. The DHCP relay message is transmitted to the dedicated network access control server using the IP address received through the secondary access approval message.
  • DHCP Dynamic Host Configuration Protocol
  • the processor may periodically exchange an authentication message including connection state information of the secondary terminal with the dedicated network access control server.
  • authentication, access control, management, and IP mobility can be provided for a secondary terminal accessing a dedicated network through a primary terminal. Since the traffic of the secondary terminal can be tracked and monitored, it is possible not only to respond quickly and accurately to hacking or failures, but also for the company manager to monitor and control the connection status of the terminal in real time, so strong security can be provided.
  • FIG. 1 is a network configuration diagram according to an embodiment of the present invention.
  • FIG. 2 is a network configuration diagram according to another embodiment of the present invention.
  • FIG. 3 is a network configuration diagram according to another embodiment of the present invention.
  • FIG. 4 is a block diagram showing a detailed connection configuration of a primary terminal and a dedicated network access control server according to an embodiment of the present invention.
  • FIG. 5 is a flowchart showing an access procedure of a primary terminal according to an embodiment of the present invention.
  • FIG. 6 is a flowchart showing an access procedure of a secondary terminal according to an embodiment of the present invention.
  • FIG. 7 is a flowchart showing an access procedure of a primary terminal according to another embodiment of the present invention.
  • FIG. 8 is a flowchart showing an access procedure of a secondary terminal according to another embodiment of the present invention.
  • FIG. 9 is a flowchart illustrating a process in which a secondary terminal is assigned an IP according to an embodiment of the present invention.
  • FIG. 10 shows a tunneling process of uplink data according to an embodiment of the present invention.
  • FIG. 11 shows a tunneling process of downlink data according to an embodiment of the present invention.
  • FIG. 12 is a flowchart illustrating a process of managing an access state of a secondary terminal according to an embodiment of the present invention.
  • FIG. 13 is a network configuration diagram according to another embodiment of the present invention.
  • FIG. 14 is a diagram illustrating mobility of a secondary terminal according to an embodiment of the present invention.
  • FIG. 15 shows a tunneling process for providing mobility of a secondary terminal according to an embodiment of the present invention.
  • FIG. 16 is a flowchart illustrating a process in which a primary terminal provides mobility of a secondary terminal according to an embodiment of the present invention.
  • FIG. 17 is a block diagram showing a hardware configuration of a computing device according to an embodiment of the present invention.
  • transmitting or providing may include not only direct transmission or provision, but also transmission or provision indirectly through another device or using a bypass path.
  • a terminal is a generic concept referring to a user terminal in communication, and includes User Equipment (UE), Mobile Station (MS), Mobile Terminal (MT), Subscriber Station (SS), Portable Subscriber Station (PSS), Access Terminal (AT), mobile station, mobile terminal, subscriber station, mobile subscriber station, user device, access terminal, wireless device, and the like; it may be called UE, MS, MT, SS, PSS, AT, mobile station, mobile terminal, subscriber station, mobile subscriber station, user equipment, access terminal, wireless device, etc., and may include all or part of the functions of these.
  • UE User Equipment
  • MS Mobile Station
  • MT Mobile Terminal
  • SS Subscriber Station
  • PSS Portable Subscriber Station
  • AT Access Terminal
  • the terminal may connect to a remote server by accessing a network device such as a base station (BS), an access point (AP), a radio access station (RAS), a Node B, an evolved Node B (eNodeB), a base transceiver station (BTS), or a mobile multihop relay (MMR)-BS.
  • BS base station
  • AP access point
  • RAS radio access station
  • Node B node B
  • eNodeB evolved NodeB
  • BTS Base Transceiver Station
  • MMR Mobile Multihop Relay
  • the base station may be an access point (AP), a radio access station (RAS), a Node B, a base transceiver station (BTS), or a mobile multihop relay (MMR) base station.
  • AP access point
  • RAS radio access station
  • BTS base transceiver station
  • MMR mobile multihop relay
  • LTE Long Term Evolution
  • This private LTE technology separates packet data networks (PDNs) through a core network.
  • the PDN includes a public network and a dedicated network.
  • the dedicated network provides a mobile communication service with limited external access for specific subscribers, and for example, it can be called a dedicated network, a private network, an intranet, and a dedicated LTE network.
  • Such a dedicated network is distinguished from a public network that provides mobile communication services for an unspecified number of people.
  • The public network may also be referred to as the Internet or a general LTE network.
  • the public network and the dedicated network mean separate traffic paths, and do not necessarily need to be physically separated.
  • the public network and the private network may be different bearers created in the same physical path.
  • EPC Evolved Packet Core
  • a plurality of secondary terminals 100 access the primary terminal 200 through a local area network 700.
  • the primary terminal 200 accesses the dedicated network 600 via the base station 300, the core network 400, and the dedicated network access control server 500.
  • the plurality of secondary terminals 100 access the dedicated network 600 through the primary terminal 200.
  • the local area network 700 includes wired or wireless, for example, wireless LAN communication or USB (Universal Serial Bus) tethering communication.
  • the plurality of secondary terminals 100 are terminals equipped with a wireless LAN communication or USB tethering communication function, and include a notebook, a pad, a smartphone, an Internet of Things (IoT) terminal, a PDA (Personal Digital Assistant), an MP3 player, a tablet PC (Personal Computer), a PMP (Portable Multimedia Player), a laptop computer, a personal computer, etc., but are not limited thereto.
  • the primary terminal 200 is a terminal equipped with a mobile communication function and a WiFi wireless LAN communication or USB tethering communication function, and may be a mobile router, a mobile phone, or an egg, but is not limited thereto.
  • the primary terminal 200 accesses the core network 400 through the base station 300.
  • the core network 400 may be a 5G core network as in FIG. 2 or a 4G LTE core network as in FIG. 3.
  • FIG. 2 shows an embodiment in which the present invention is applied to a 5G core network.
  • the core network 400 includes an AMF (Access and Mobility Function) 401, a UDM (User Data Management) 403, an SMF (Session Management Function) 405, a PCF (Policy Control Function) 407, a public UPF (User Plane Function) 409, and a dedicated UPF 411.
  • AMF Access and Mobility Function
  • UDM User Data Management
  • SMF Session Management Function
  • PCF Policy Control Function
  • public UPF User Plane Function
  • the base station 300 communicates with the primary terminal 200 using 5G access technology.
  • the base station 300 is connected to a dedicated UPF 411 connected to the dedicated network 600 and a public UPF 409 connected to the public network 700, and connected to the AMF 401.
  • the dedicated network access control server 500 is connected to the dedicated UPF 411 and the dedicated network 600. Data transmitted and received between the dedicated UPF 411 and the dedicated network 600 passes through the dedicated network access control server 500. That is, the dedicated network access control server 500 routes uplink data and downlink data between the secondary terminal 100 and the dedicated network 600.
  • the SMF 405 determines whether to connect the primary terminal 200 to the public UPF 409 or to the dedicated UPF 411.
  • the SMF 405 performs authentication to determine whether the primary terminal 200 has a legitimate access right and, if it does, permits access to the dedicated network 600.
  • an IP address to be used by the primary terminal 200 is allocated in connection with the PCF 407.
  • the SMF 405 or the dedicated UPF 411 may provide a location-based service.
  • the process of creating a dedicated network session between the primary terminal 200 and the dedicated UPF 411 is a known technique and a detailed description thereof will be omitted.
  • the core network 400 includes a Mobility Management Entity (MME) 413, a Home Subscriber System (HSS) 415, a Serving Gateway (SGW) 417, a public packet data network gateway (PGW) 419, a dedicated PGW 421, and a PCRF (Policy and Charging Rule Function) 423.
  • MME Mobility Management Entity
  • HSS Home Subscriber System
  • SGW Serving Gateway
  • PGW packet data network gateway
  • PCRF Policy and Charging Rule Function
  • the base station 300 communicates with the primary terminal 200 using LTE technology.
  • the base station 300 is connected to a dedicated PGW 421 connected to the dedicated network 600 and a public PGW 419 connected to the public network 700, and connected to the SGW 417 and the MME 413.
  • the dedicated network access control server 500 is connected to the dedicated PGW 421 and the dedicated network 600. Data transmitted and received between the dedicated PGW 421 and the dedicated network 600 passes through the dedicated network access control server 500. That is, the dedicated network access control server 500 routes uplink data and downlink data between the secondary terminal 100 and the dedicated network 600.
  • the dedicated PGW 421 interlocks with the PCRF 423 to perform authentication to determine whether the primary terminal 200 has a legitimate access right, and if there is a legitimate access right, permits access to the dedicated network 600. At this time, the IP address to be used by the primary terminal 200 is allocated in connection with the PCRF 423.
  • the dedicated PGW 421 may provide a location-based service. The process of creating a dedicated network session between the primary terminal 200 and the dedicated PGW 421 is a known technique and a detailed description thereof will be omitted.
  • the primary terminal 200 provides a network access path to a plurality of secondary terminals 100 located in its service area using wireless LAN communication such as Wi-Fi or USB tethering communication, over a cellular signal such as LTE (Long Term Evolution) or 5G received from the base station 300.
  • the primary terminal 200 connects to the dedicated network access control server 500 when access to the dedicated network is permitted.
  • the dedicated network access procedure for the secondary terminal 100 is controlled by interlocking with the dedicated network access control server 500.
  • the dedicated network access control server 500 is a dedicated device that manages the secondary terminals 100 connected to the dedicated network 600 through the primary terminal 200, and may be developed under a service name such as EMG (Enterprise Mobile Gateway). The dedicated network access control server 500 provides dedicated network access authentication, management, and IP mobility for a plurality of secondary terminals 100.
  • EMG Enterprise Mobile Gateway
  • when a connection is requested by the primary terminal 200, the dedicated network access control server 500 performs primary access authentication to determine whether the primary terminal 200 has a legitimate access right.
  • the dedicated network access control server 500 may perform authentication by determining whether an identifier of the primary terminal 200, for example its MSISDN (Mobile Station International Subscriber Directory Number) or MAC address, is registered information.
  • MSISDN Mobile Station International Subscriber Directory Number
  • MAC Media Access Control
  • SSID Service Set Identifier
  • when a secondary connection of the secondary terminal 100 is requested by the primary terminal 200, the dedicated network access control server 500 performs authentication to determine whether the secondary terminal 100 has a legitimate access right.
  • the dedicated network access control server 500 performs authentication by determining whether an identifier of the secondary terminal 100, for example its MAC (Media Access Control) address or a user ID/password, is registered information.
  • the dedicated network access control server 500 transmits a secondary connection approval message to the primary terminal 200 when the secondary terminal is successfully authenticated. Thereafter, the uplink data and downlink data of the secondary terminal 100 are transmitted and received with the primary terminal 200 through a tunnel established with the primary terminal 200.
  • the dedicated network access control server 500 provides IP mobility, so that the secondary terminal 100 can keep using a fixed IP when it moves and accesses different primary terminals 200. Since traffic to and from the secondary terminal 100 can therefore be tracked and monitored in the dedicated network access control server 500, it is possible to respond quickly and accurately to hacking or failures, and the dedicated network manager can monitor and control the access status of the terminal in real time, so strong security can be provided in a wireless dedicated network service.
  • FIG. 4 is a block diagram showing a detailed connection configuration of a primary terminal and a terminal management system according to an embodiment of the present invention.
  • the configuration of FIG. 4 is shown to explain the interworking between the primary terminal 200 and the dedicated network access control server 500; to implement the embodiment of the present invention, the primary terminal 200 and the dedicated network access control server 500 are not limited to the configuration shown in FIG. 4.
  • the primary terminal 200 includes a communication module 201, an authentication client 203, a tunneling client 205, a Dynamic Host Configuration Protocol (hereinafter referred to as 'DHCP') relay 207, and a connection management unit 209.
  • the communication module 201, the authentication client 203, the tunneling client 205, the DHCP relay 207, and the connection management unit 209 are shown as independent configurations, but operate in conjunction with each other.
  • the communication module 201 connects to the secondary terminal 100 through wireless LAN or USB tethering communication such as Wi-Fi, and connects to the core network 400 through 5G or LTE communication.
  • the communication module 201 connects to the dedicated network 600 or the public network 700 through the core network 400.
  • the communication module 201 relays wireless communication between the secondary terminal 100 connected to the communication module 201 and the dedicated network 600 or the public network 700.
  • the communication module 201 connects to the dedicated network access control server 500 and the dedicated network 600 through the dedicated network gateways 411 and 421.
  • the secondary terminal 100 may connect to the communication module 201 through Wi-Fi or USB tethering communication, and use a dedicated network service through the communication module 201.
  • the communication module 201 may use the SSID received from the dedicated network access control server 500.
  • the communication module 201 broadcasts the SSID and is connected to the secondary terminal 100 accessed by using the broadcasted SSID.
  • the authentication client 203 interworks with the authentication server 503 of the dedicated network access control server 500 to perform access authentication of the primary terminal 200 and, when it receives an access request from the secondary terminal 100, transmits the information needed for authentication to the authentication server 503 to relay the authentication.
  • the request for access to the private network by the primary terminal 200 is referred to as a primary access request, and the request for access to the private network by the secondary terminal 100 after the primary access request is referred to as a secondary access request.
  • the tunneling client 205 interworks with the tunneling server 505 of the dedicated network access control server 500 to allocate a fixed IP to the secondary terminal and perform tunneling for providing mobility.
  • the tunneling client 205 creates a tunnel with the tunneling server 505 after authentication and IP allocation for the secondary terminal 100 is completed, and manages the created tunnel.
  • the DHCP relay 207 interworks with the DHCP server 507 of the dedicated network access control server 500 to receive the IP assigned by the DHCP server 507 to the secondary terminal 100 and transmits it to the secondary terminal 100.
  • the DHCP relay 207 may be selectively mounted on the primary terminal 200 according to an embodiment. For example, when using a static IP previously input to the secondary terminal 100, the DHCP relay 207 is not used.
  • alternatively, a DHCP server may be mounted. In that case the DHCP server directly receives the IP address of the secondary terminal 100 in the secondary connection approval message for the secondary terminal 100 and transmits that IP address directly to the secondary terminal 100.
  • the dedicated network access control server 500 includes a communication device 501, an authentication server 503, a tunneling server 505, a DHCP server 507, and a connection management unit 509.
  • the communication device 501 routes uplink data received from the communication module 201 to the dedicated network 600, and routes downlink data received from the dedicated network 600 to the communication module 201.
  • the authentication server 503 interlocks with the authentication client 203 of the primary terminal 200 to authenticate access to the primary terminal 100 and the secondary terminal 200.
  • the authentication server 503 may manage authentication information so that only authorized primary terminals 200 and secondary terminals 100 can access the dedicated network 600. For example, the identifiers of the primary terminals 200 and secondary terminals 100 permitted to access the dedicated network 600 are stored, and authentication consists of determining whether the identifier of a primary terminal 200 or secondary terminal 100 requesting access authentication is one of the registered identifiers.
  • the tunneling server 505 creates a tunnel in connection with the tunneling client 205 of the primary terminal 200 and manages the created tunnel.
  • the DHCP server 507 may allocate an IP to the secondary terminal 100 in a DHCP method.
  • the DHCP server 507 is an optional component of the dedicated network access control server 500; when the secondary terminal 100 uses a pre-input static IP, or when the authentication server 503 assigns the IP to the secondary terminal 100, the DHCP server 507 may be omitted from the dedicated network access control server 500.
  • the connection management unit 509 manages the connection state of the primary terminal 200 and the secondary terminal 100.
  • the RADIUS (Remote Authentication Dial In User Service) protocol may be used for this.
  • the connection management unit 509 periodically exchanges RADIUS Accounting messages with the connection management unit 209 of the primary terminal 200, or checks the secondary terminal 100 with a ping test, to manage its connection state.
  • the primary terminal 200 may periodically transmit to the connection management unit 509 connection state information for each identifier of the at least one connected secondary terminal 100, including the start time of the network connection, the end time of the network connection, and the total connection time. The connection management unit 509 may then store the connection state information received from the primary terminal 200 and provide it through a separate user interface (or operator interface).
  • FIG. 5 is a flowchart showing an access procedure of a primary terminal according to an embodiment of the present invention. That is, it shows a procedure in which a pre-connection is established between the primary terminal 200 and the dedicated network access control server 500.
  • the authentication server 503 of the dedicated network access control server 500 pre-registers subscriber information (S101).
  • the pre-registered subscriber information is primary terminal information and secondary terminal information, and may be stored in the form of a table as shown in Table 1.
  • Table 1:
      LTE_ID        Primary terminal identifier (MSISDN)   Secondary terminal identifier (MAC)   Static IP
      enterprise_a  010-1111-1234                          12:34:56:78:90:AB                     10.0.1.2
      enterprise_a  010-1111-5678                          12:34:56:78:90:BB                     10.0.1.3
      enterprise_b  010-2222-5678                          12:34:56:78:90:BC                     30.0.1.2
      ...           ...                                    ...                                   ...
  • the subscription identifier is information that identifies a subscriber, and may be, for example, a company name if it is a corporate subscriber.
  • the subscription identifier (LTE_ID) is matched with information identifying at least one primary terminal 200 and information identifying at least one secondary terminal 100.
  • the primary terminal identifier may be an MSISDN (Mobile Station International Subscriber Directory Number), a MAC (Media Access Control) address, or the like, and the secondary terminal identifier may be a MAC address, a user ID/Password, or the like.
  • in Table 1 the primary terminal 200 is described only by its MSISDN and the secondary terminal 100 only by its MAC and a static IP, but the identifiers used are not limited thereto.
  • the static IP is the IP address used by the secondary terminal 100; it may be assigned to the secondary terminal 100 or be preset in the secondary terminal 100. If a static IP is already set in the secondary terminal 100, that static IP can be used when authenticating the secondary terminal 100.
  • the communication module 201 accesses the core network 400, performs the dedicated network access procedure, and is assigned an IP (S105). That is, the communication module 201 sends an 'Attach Request' message to the core network 400 to request access to the dedicated network, and when its dedicated network access authority is authenticated, the communication module 201 is assigned the IP designated for use when accessing the dedicated network 600. This is generally the same as the procedure by which a terminal accesses the dedicated network 600 through the core network 400, so a detailed description is omitted.
  • the authentication client 203 of the primary terminal 200 transmits a primary access request message requesting access to the dedicated network access control server 500 (S107). A RADIUS ACCOUNTING REQUEST message may be used for this.
  • the items of the primary access request message transmitted in step S107 include the dedicated network IP address of the primary terminal 200 and a unique identifier (MSISDN, MAC, etc.) of the primary terminal 200.
  • the authentication server 503 of the dedicated network access control server 500 performs authentication to determine whether the primary terminal information received in step S107, that is, MSISDN, MAC, etc., is registered in the subscriber information in step S101 (S109). That is, the authentication server 503 determines whether the primary terminal 200 requesting access is a registered dedicated network service subscriber.
  • the authentication server 503 of the dedicated network access control server 500 determines whether the authentication in step S109 is successful (S111).
  • if authentication fails, the authentication server 503 of the dedicated network access control server 500 transmits a message (RADIUS ACCOUNTING RESPONSE) disallowing access because of the authentication failure to the authentication client 203 of the primary terminal 200 (S113).
  • if authentication succeeds, the authentication server 503 of the dedicated network access control server 500 transmits a primary access approval message (RADIUS ACCOUNTING RESPONSE) approving the access to the authentication client 203 of the primary terminal 200 (S115).
  • the RADIUS ACCOUNTING RESPONSE may include a Dynamic Host Configuration Protocol (DHCP) server IP address, a tunnel IP address, and an SSID used by the primary terminal.
  • the authentication client 203 of the primary terminal 200 registers the DHCP IP address, the tunnel IP address, and the SSID of the primary terminal received in step S115 (S117). That is, the authentication client 203 registers the DHCP IP address to the DHCP relay 207 and the SSID to be used by the primary terminal to the communication module 201.
  • the tunneling client 205 requests tunnel creation towards the registered tunnel IP address, and the tunneling server 505 of the dedicated network access control server 500 creates the tunnel with the tunneling client 205 (S119).
  • the tunneling may use IPSec (IP Security) VPN, SSL (Secure Sockets Layer) VPN, PPTP (Point-to-Point Tunneling Protocol), GRE (Generic Routing Encapsulation), GTP (General Packet Radio Service Tunneling Protocol), LWAPP (Lightweight Access Point Protocol) or the like, but is not limited thereto.
  • FIG. 6 is a flowchart showing a secondary terminal access procedure according to an embodiment of the present invention, which follows the steps of FIG. 5.
  • the secondary terminal 100 listens for an SSID broadcast by at least one primary terminal 200 (S201). Then, one of the listened SSIDs is selected (S203).
  • in step S203 the SSID may be selected by the user, or automatically according to network settings.
  • the secondary terminal 100 transmits an Extensible Authentication Protocol (EAP)-Start message for requesting access to the primary terminal 200 corresponding to the selected SSID (S205).
  • the communication module 201 of the primary terminal 200 transmits an EAP-Request (Identity) message requesting ID information for subscriber authentication to the secondary terminal 100 (S207).
  • the secondary terminal 100 transmits an EAP-Response (Identity) message including a MAC address to be used as subscriber authentication information to the primary terminal 200 (S209).
  • alternatively, when a fixed IP is preset in the secondary terminal 100, the secondary terminal 100 transmits an EAP-Response (Identity) message including both the MAC address and the fixed IP address to the primary terminal 200.
  • the authentication client 203 of the primary terminal 200 transmits a RADIUS Access Request message requesting a secondary connection of the secondary terminal 100 to the dedicated network access control server 500 (S211).
  • the RADIUS Access Request message includes the MAC address of the secondary terminal 100, and, when one is set, the fixed IP address of the secondary terminal 100 as well.
  • the authentication server 503 of the dedicated network access control server 500 determines whether the RADIUS Access Request message received in step S211 includes a fixed IP address of the secondary terminal 100 (S213).
  • if it does, the authentication server 503 of the dedicated network access control server 500 determines whether both the MAC address and the fixed IP address received in step S211 are registered in Table 1 (S215). For example, if the RADIUS Access Request message carries MAC address 12:34:56:78:90:AB and IP address 10.0.1.3, the MAC address is present in Table 1, but the IP address registered for that MAC address is 10.0.1.2, not 10.0.1.3, so access authentication of the secondary terminal 100 may be disapproved.
  • if it does not, the authentication server 503 of the dedicated network access control server 500 determines whether the MAC address received in step S211 is registered in Table 1 (S217).
  • the authentication server 503 of the dedicated network access control server 500 checks whether the authentication in step S215 or S217 is successful (S219).
  • if authentication fails, the authentication server 503 transmits a secondary access response message (RADIUS ACCESS RESPONSE) indicating the authentication failure to the authentication client 203 of the primary terminal 200 (S221). Then, the communication module 201 of the primary terminal 200 transmits an EAP Failure message notifying the authentication failure to the secondary terminal 100 (S223).
  • if authentication succeeds, the authentication server 503 of the dedicated network access control server 500 sets a terminal interface band, which is the network band to be used between the secondary terminal 100 and the primary terminal 200 (S225). The set terminal interface band is then included in the secondary access approval message (RADIUS ACCESS RESPONSE) and transmitted to the authentication client 203 of the primary terminal 200 (S227).
  • the authentication server 503 allocates to the primary terminal 200 a wireless LAN IP address in the same address band as the fixed IP address of the secondary terminal 100.
  • that is, the authentication server 503 sets the network band to be used on the terminal interface, allocates the wireless LAN IP address of the primary terminal 200 as the server address within that network band, and transmits it (S227).
  • the communication module 201 of the primary terminal 200 generates a terminal interface based on the terminal interface band received in step S227 (S229).
  • the terminal interface refers to communication between the secondary terminal 100 and the communication module 201 of the primary terminal 200.
  • this includes the communication module 201 setting or registering the wireless LAN IP address of the primary terminal 200, received from the authentication server 503 in step S227, as the IP address with which it communicates with the secondary terminal 100.
  • the communication module 201 of the primary terminal 200 transmits an EAP Success message indicating success of the access authentication to the secondary terminal 100 (S231).
  • the network bands of the two devices are the same. For example, if the authentication server 503 sets the network band to 10.0.0.0/30 and the wireless LAN IP address of the primary terminal 200 to 10.0.0.1/30, the secondary terminal 100 should be assigned 10.0.0.2/30, the only other host address in that band.
  • the IP address setting of the secondary terminal 100 is performed through the process of FIG. 9.
  • next, with reference to FIGS. 7 and 8, an embodiment in which a tunnel is created for each secondary terminal 100 will be described.
  • FIG. 7 is a flowchart showing an access procedure of a primary terminal according to another embodiment of the present invention. That is, it shows a procedure in which a pre-connection is established between the primary terminal 200 and the dedicated network access control server 500.
  • steps S301 to S317 of FIG. 7 are the same as steps S101 to S117 of FIG. 5, except that step S119 of FIG. 5 is not present in FIG. 7.
  • the primary terminal 200 therefore does not create a tunnel with the dedicated network access control server 500 during its own access procedure. The tunnel is instead created when a secondary terminal 100 connects, as described with reference to FIG. 8.
  • FIG. 8 is a flowchart showing a secondary terminal access procedure according to another embodiment of the present invention.
  • the secondary terminal 100 listens for an SSID broadcast by at least one primary terminal 200 (S401). Then, one of the listened SSIDs is selected (S403).
  • in step S403 the SSID may be selected by the user, or automatically according to network settings.
  • the secondary terminal 100 transmits an Extensible Authentication Protocol (EAP)-Start message requesting access to the primary terminal 200 corresponding to the selected SSID (S405).
  • the communication module 201 of the primary terminal 200 transmits an EAP-Request (Identity) message requesting ID information for subscriber authentication to the secondary terminal 100 (S407).
  • the secondary terminal 100 transmits an EAP-Response (Identity) message including a MAC address and a user ID/Password to be used as subscriber authentication information to the primary terminal 200 (S409).
  • the user ID/Password is used by the secondary terminal 100 to access (for example, log in to) the primary terminal 200, and may be registered in the primary terminal 200 from the secondary terminal 100 in advance.
  • the authentication client 203 of the primary terminal 200 forwards the secondary access request of the secondary terminal 100 to the dedicated network access control server 500 (S411). The RADIUS protocol may be used for this; the authentication procedure between the primary terminal 200 and the dedicated network access control server 500 is described here using RADIUS, but is not limited thereto.
  • that is, the primary terminal 200 transmits a RADIUS Access Request message to the dedicated network access control server 500 (S411).
  • the radius access request message may include the MAC address of the secondary terminal 100, the user ID/Password, and the MSISDN of the primary terminal 200.
  • the user ID/Password may be registered as subscriber information in step S301 of FIG. 7.
  • the authentication server 503 of the dedicated network access control server 500 determines whether the RADIUS Access Request message received in step S411 includes a fixed IP address of the secondary terminal 100 (S413).
  • if it does, the authentication server 503 of the dedicated network access control server 500 determines whether the MAC address, user ID/Password and fixed IP address of the secondary terminal 100 received in step S411 are registered in Table 1 (S415). For example, if the RADIUS Access Request message carries MAC address 12:34:56:78:90:AB and IP address 10.0.1.3 for the secondary terminal 100, the MAC address is present in Table 1, but the IP address registered for that MAC address is 10.0.1.2, not 10.0.1.3, so access authentication of the secondary terminal 100 may be disapproved.
  • if it does not, the authentication server 503 of the dedicated network access control server 500 determines whether the MAC address and user ID/Password received in step S411 are registered in Table 1 (S417).
  • the authentication server 503 of the dedicated network access control server 500 checks whether the authentication in step S415 or S417 is successful (S419).
  • if authentication fails, the authentication server 503 transmits a RADIUS ACCESS RESPONSE indicating the authentication failure to the authentication client 203 of the primary terminal 200 (S421). Then, the communication module 201 of the primary terminal 200 transmits an EAP Failure message notifying the authentication failure to the secondary terminal 100 (S423).
  • if authentication succeeds, the authentication server 503 transmits a secondary access approval message (RADIUS ACCESS RESPONSE) to the authentication client 203 of the primary terminal 200 (S425).
  • the challenge authentication process may be additionally performed according to the EAP authentication method used, and this is a known technique and a detailed description thereof will be omitted.
  • the tunneling client 205 of the primary terminal 200 requests tunnel creation from the tunneling server 505 of the dedicated network access control server 500 at the registered tunnel IP address, and the tunneling server 505 creates the tunnel with the tunneling client 205 (S427).
  • This tunneling is the same as described in FIG. 5.
  • the communication module 201 of the primary terminal 200 transmits an EAP Success message informing the secondary terminal 100 of the successful authentication of the secondary access request (S429).
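The secondary access decision described for FIG. 6 (S213, S215, S217) and FIG. 8 (S413, S415, S417), together with the terminal interface band allocation of S225-S227, as an added example in Python. This is illustration written for this page, not the patent's or KT's code. It embeds Table 1 as printed above; the request field names (`mac`, `fixed_ip`, `user_id`, `password`) and the `credential` column for the user ID/Password of FIG. 8 are assumptions, since the page says that credential may be registered as subscriber information but does not show it in Table 1.

```python
"""Added example, not the patent's code: the decision the authentication
server 503 makes for a secondary access request, following the branches of
FIG. 6 (S213 -> S215 / S217) and FIG. 8 (S413 -> S415 / S417), plus the
terminal interface band allocation of S225-S227.

Table 1 from the page is embedded. The `credential` column (user ID /
Password of FIG. 8) is an assumption: the page says it may be registered as
subscriber information but does not show it in Table 1."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Subscriber:
    lte_id: str                      # subscription identifier (e.g. company name)
    msisdn: str                      # primary terminal identifier
    mac: str                         # secondary terminal identifier
    static_ip: Optional[str]         # fixed IP of the secondary terminal, if any
    credential: Optional[Tuple[str, str]] = None   # (user ID, password), assumed


# Table 1 as printed on the page; the credential on row 2 is constructed.
TABLE_1 = [
    Subscriber("enterprise_a", "010-1111-1234", "12:34:56:78:90:AB", "10.0.1.2"),
    Subscriber("enterprise_a", "010-1111-5678", "12:34:56:78:90:BB", "10.0.1.3",
               ("alice", "correct horse")),
    Subscriber("enterprise_b", "010-2222-5678", "12:34:56:78:90:BC", "30.0.1.2"),
]
BY_MAC: Dict[str, Subscriber] = {row.mac.upper(): row for row in TABLE_1}


def authenticate_secondary(request: dict) -> Tuple[bool, str]:
    """Evaluate the fields the primary terminal copied from the
    EAP-Response(Identity) into the RADIUS Access Request (S211 / S411).
    'mac' is required; 'fixed_ip' and 'user_id'/'password' are optional.
    Returns (accepted, reason)."""
    row = BY_MAC.get(str(request.get("mac", "")).upper())
    if row is None:
        return False, "MAC not registered (S217)"

    fixed_ip = request.get("fixed_ip")
    if fixed_ip is not None:                       # S213: fixed IP present -> S215
        try:
            claimed = ipaddress.ip_address(fixed_ip)
        except ValueError:
            return False, "malformed fixed IP (S215)"
        if row.static_ip is None or claimed != ipaddress.ip_address(row.static_ip):
            # e.g. MAC ...:AB with 10.0.1.3: MAC known, but bound to 10.0.1.2
            return False, "fixed IP does not match the IP registered for this MAC (S215)"

    if request.get("user_id") is not None or request.get("password") is not None:
        if row.credential is None:                 # FIG. 8 branch, nothing registered
            return False, "no user ID/Password registered for this MAC (S417)"
        uid, pw = row.credential
        # compare in constant time so the reject path does not leak a prefix match
        ok_uid = hmac.compare_digest(uid.encode(), str(request.get("user_id", "")).encode())
        ok_pw = hmac.compare_digest(pw.encode(), str(request.get("password", "")).encode())
        if not (ok_uid and ok_pw):
            return False, "user ID/Password mismatch (S417)"

    return True, "registered (S215/S217 or S415/S417 passed)"


def allocate_terminal_interface(band: str) -> Tuple[str, str]:
    """S225-S227: for the terminal interface band chosen by the server, return
    (wireless LAN IP of the primary terminal, IP for the secondary terminal)
    as 'address/prefix'. The page's example is 10.0.0.0/30 -> 10.0.0.1/30 for
    the primary terminal and 10.0.0.2/30 for the secondary terminal."""
    net = ipaddress.ip_network(band, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{band} has no room for a primary and a secondary terminal")
    return f"{hosts[0]}/{net.prefixlen}", f"{hosts[1]}/{net.prefixlen}"
```

The fixed IP branch reproduces the page's own rejection case (MAC 12:34:56:78:90:AB presented with 10.0.1.3). Two points a practitioner would add to the page's description: the MAC and fixed IP arrive in an EAP-Response(Identity), so the server must treat them as untrusted client input rather than as proof of anything, and the user ID/Password comparison is done in constant time. The page notes (FIG. 8) that a challenge step may follow depending on the EAP method; that step, not the identity exchange shown here, is what binds the credential to the session.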
  • FIG. 9 is a flowchart illustrating a DHCP relay process in which an IP is assigned to a secondary terminal according to an embodiment of the present invention, and shows the operation after step S231 of FIG. 6 or step S429 of FIG. 8.
  • the process of FIG. 9 may be omitted depending on the embodiment; when the secondary terminal 100 uses a fixed IP, the DHCP relay procedure is not used.
  • alternatively, the primary terminal 200 may be equipped with a DHCP server instead of the DHCP relay 207.
  • in that case the primary terminal 200 receives the IP of the secondary terminal 100 directly in the step of receiving the secondary access approval message for the secondary terminal 100, and, in response to the request of the secondary terminal 100, transmits that IP address directly to the secondary terminal 100.
  • the dedicated network access control server 500 registers the MAC address of the secondary terminal 100 and the IP band to be used (S501).
  • the secondary terminal 100 transmits a DHCP request message requesting the IP address allocation of the secondary terminal 100 to the primary terminal 200 (S503).
  • the DHCP request message includes the MAC of the secondary terminal 100.
  • the DHCP relay 207 of the primary terminal 200 transmits a DHCP relay message to the DHCP server 507 of the dedicated network access control server 500 (S505). At this time, the DHCP relay 207 transmits a DHCP relay message using the DHCP server IP address obtained in step S117 of FIG. 5 or step S317 of FIG. 7.
  • the DHCP relay message includes the MAC of the secondary terminal 100 received in step S503.
  • the DHCP server 507 of the dedicated network access control server 500 allocates, from the registered IP band, the terminal IP address mapped to the MAC of the secondary terminal 100 as set in step S501 (S507).
  • the DHCP server 507 of the dedicated network access control server 500 transmits a DHCP response message including the assigned secondary terminal IP address to the primary terminal 200 (S509).
  • the DHCP relay 207 of the primary terminal 200 transfers the received (S509) DHCP response message to the secondary terminal 100 (S511).
  • FIG. 10 shows a tunneling process of uplink (UL) data according to an embodiment of the present invention.
  • the IP address allocated to the secondary terminal 100 for communicating with the primary terminal 200 over the wireless LAN is 1.1.1.2.
  • the dedicated network IP address assigned to the primary terminal 200 by the core network 400 is 10.1.1.2.
  • the dedicated network IP address used by the dedicated network access control server 500 when communicating with the core network 400 is 50.1.1.2.
  • the primary terminal 200 and the dedicated network access control server 500 perform tunneling communication.
  • the tunneling IP address of the primary terminal 200 is 192.168.0.4.
  • the tunneling IP address of the dedicated network access control server 500 is 192.168.0.1.
  • the tunneling client 205 of the primary terminal 200 and the tunneling server 505 of the dedicated network access control server 500 perform tunneling communication using these tunneling IP addresses.
  • the secondary terminal 100 transmits uplink data destined for the IP address (Internet IP) of a specific server in the dedicated network 600 to the primary terminal 200; that is, the SIP (Source IP) of the uplink data is the wireless LAN IP address of the secondary terminal 100 (1.1.1.2) and the DIP (Destination IP) is the Internet IP of the server.
  • the communication module (201 in FIG. 4) of the primary terminal 200 transfers the uplink data received from the secondary terminal 100 to the tunneling client (205 in FIG. 4). The tunneling client 205 then adds a tunneling header to the uplink data received from the secondary terminal 100.
  • the SIP of the tunneling header is set to the tunneling IP address (192.168.0.4) of the primary terminal 200, and the DIP is set to the tunneling IP address (192.168.0.1) of the dedicated network access control server 500. In this way, the uplink data to which the tunneling header has been added is transmitted to the dedicated network access control server 500.
  • the tunneling server (505 in FIG. 4) of the dedicated network access control server 500 removes the tunneling header from the uplink data received from the primary terminal 200. Then, the uplink data transmitted from the original secondary terminal 100 from which the tunneling header has been removed is transmitted to a specific server.
  • FIG. 11 shows a tunneling process of downlink data according to an embodiment of the present invention.
  • the description of the same contents as in FIG. 10 is omitted, and only the contents of downlink data are described.
  • the dedicated network access control server 500 receives downlink data from a specific server in the dedicated network 600.
  • the SIP of the downlink data is set to the IP address (Internet IP) of the specific server, and its DIP (Destination IP) to the wireless LAN IP address of the secondary terminal 100.
  • the communication device 501 of the dedicated network access control server 500 transmits the received downlink data to the tunneling server 505.
  • the tunneling server 505 adds a tunneling header to downlink data.
  • the SIP of the tunneling header is set to the tunneling IP address (192.168.0.1) of the dedicated network access control server 500, and the DIP is set to the tunneling IP address (192.168.0.4) of the primary terminal 200.
  • Downlink data to which the tunneling header has been added is transmitted to the primary terminal 200 as described above.
  • the tunneling client 205 of the primary terminal 200 removes the tunneling header from the downlink data received from the tunneling server 505.
  • the downlink data transmitted from the original server from which the tunneling header has been removed to the secondary terminal 100 is transferred to the secondary terminal 100.
  • FIG. 12 is a flowchart illustrating a process of managing an access state of a terminal according to an embodiment of the present invention.
  • the connection management unit 209 of the primary terminal 200 transmits a message requesting management of the connection state of the secondary terminal 100 to the dedicated network access control server 500.
  • the Radius protocol may be used.
  • the primary terminal 200 transmits a Radius Accounting Request: Start message to the dedicated network access control server 500 (S601).
  • the message of step S601 includes an identifier of the secondary terminal 100 and connection state information.
  • the connection status information is set to Connect.
  • the connection management unit 509 of the dedicated network access control server 500 registers the information received in step S601 (S603). Based on the information received in step S601, the connection state can be managed as shown in Table 2.
  • the terminal type may be received in step S601, or may be mapped and registered with a MAC address in advance.
  • the connection management unit 509 of the dedicated network access control server 500 transmits a response message (RADIUS Accounting Response) to the primary terminal 200 (S605).
  • when a triggering event occurs, the connection management unit 209 of the primary terminal 200 transmits a RADIUS Accounting Request: Interim Update message requesting an update of the connection state of the secondary terminal 100 to the dedicated network access control server 500 (S609).
  • the triggering event may be the expiry of a period.
  • the connection management unit 509 of the dedicated network access control server 500 updates the connection state information of the secondary terminal 100 based on the message of step S609 (S611). Then, a response message (RADIUS Accounting Response) is transmitted to the primary terminal 200 (S613).
  • when the secondary terminal 100 disconnects, the primary terminal 200 transmits a message (RADIUS Accounting Request: Stop) requesting termination of the connection state management of the secondary terminal 100 to the dedicated network access control server 500 (S617). The connection state information included in this message is set to Disconnected.
  • the connection management unit 509 of the dedicated network access control server 500 changes the connection state of the secondary terminal 100 to Disconnected based on the message of step S617 (S619), and transmits a response message (RADIUS Accounting Response) to the primary terminal 200 (S621).
  • the dedicated network access control server 500 may determine whether the secondary terminal 100 has access to the dedicated network, and inform the enterprise manager of the dedicated network access status of the terminal 100 through an administrator portal.
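The Start / Interim Update / Stop exchange of FIG. 12, as an added example of the connection-state table the connection management unit 509 would keep. This is illustration written for this page, not the patent's or KT's code. The page gives the three message types, the Connect / Disconnected state values and the fields kept per secondary terminal identifier (start time, end time, total connection time); the dictionary shape of the messages, the field names, the `terminal_type` value and the staleness threshold are assumptions, and the message sequence at the bottom is constructed.

```python
"""Added example, not the patent's code: a minimal connection-state table
kept by connection management unit 509 from the RADIUS Accounting
Start / Interim-Update / Stop messages of FIG. 12. Message shapes and field
names are assumptions; the page gives the message types, the Connect /
Disconnected state values and the per-identifier fields (start time, end
time, total connection time)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    mac: str
    terminal_type: str
    state: str                      # "Connect" or "Disconnected"
    start_time: int                 # epoch seconds of the Accounting Start
    last_update: int                # time of the last Start / Interim-Update / Stop
    end_time: Optional[int] = None
    total_connection_time: int = 0  # seconds, as of the last message seen


class ConnectionManager:
    """State per secondary terminal identifier (the page's Table 2)."""

    def __init__(self, stale_after: int = 3 * 60) -> None:
        self.sessions: Dict[str, Session] = {}
        self.stale_after = stale_after   # assumed: three missed 60-second interims

    def handle(self, msg: dict) -> dict:
        """Process one Accounting-Request and return the Accounting-Response.
        'ack': False means the request changed no state (e.g. no open session)."""
        kind, mac, now = msg["type"], msg["mac"].upper(), msg["time"]
        if kind == "Start":                                   # S601 / S603
            self.sessions[mac] = Session(mac, msg.get("terminal_type", "unknown"),
                                         "Connect", now, now)
            return {"type": "Accounting-Response", "ack": True}
        s = self.sessions.get(mac)
        if s is None or s.state != "Connect":
            # Interim/Stop without an open session: answer, but create no state
            return {"type": "Accounting-Response", "ack": False}
        if kind == "Interim-Update":                          # S609 / S611
            s.last_update = now
            s.total_connection_time = now - s.start_time
            return {"type": "Accounting-Response", "ack": True}
        if kind == "Stop":                                    # S617 / S619
            s.state, s.end_time, s.last_update = "Disconnected", now, now
            s.total_connection_time = now - s.start_time
            return {"type": "Accounting-Response", "ack": True}
        return {"type": "Accounting-Response", "ack": False}

    def connected(self, mac: str) -> bool:
        s = self.sessions.get(mac.upper())
        return s is not None and s.state == "Connect"

    def stale(self, now: int) -> List[str]:
        """MACs still marked Connect whose primary terminal has stopped sending
        interim updates; the page's alternative for this is a ping test."""
        return [m for m, s in self.sessions.items()
                if s.state == "Connect" and now - s.last_update > self.stale_after]


# Constructed message sequence for one secondary terminal, plus a stray Stop.
SAMPLE = [
    {"type": "Start", "mac": "12:34:56:78:90:AB", "terminal_type": "laptop", "time": 1000},
    {"type": "Interim-Update", "mac": "12:34:56:78:90:AB", "time": 1060},
    {"type": "Interim-Update", "mac": "12:34:56:78:90:AB", "time": 1120},
    {"type": "Stop", "mac": "12:34:56:78:90:AB", "time": 1500},
    {"type": "Stop", "mac": "12:34:56:78:90:BC", "time": 1500},   # never started
]


def run_sample() -> ConnectionManager:
    cm = ConnectionManager()
    for m in SAMPLE:
        cm.handle(m)
    return cm
```

The point the page leaves implicit is that a Stop or Interim Update for a terminal with no Start must not create or alter state, and that a terminal whose primary stops reporting should be noticed rather than stay "Connect" forever; `stale()` is the accounting-side counterpart of the ping test the page mentions.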
  • FIG. 13 is a network configuration diagram according to another embodiment of the present invention, and a description of the same configuration as that of FIG. 1 is omitted.
  • the configuration is mostly the same as that of FIG. 1, but the difference is that the secondary terminal 100 can access a plurality of primary terminals 200.
  • Each of the primary terminal #A (200A), the primary terminal #B (200B), and the primary terminal #N (200C) have their respective service coverage.
  • the secondary terminal 100 accesses whichever of the primary terminal #A (200A), the primary terminal #B (200B) and the primary terminal #N (200C) provides the service coverage in which the secondary terminal 100 is located.
  • as the secondary terminal 100 moves, the primary terminal among #A (200A), #B (200B) and #N (200C) to which the secondary terminal 100 is connected also changes.
  • FIG. 14 is an exemplary view showing a process of changing a primary terminal by moving a secondary terminal according to an embodiment of the present invention.
  • when the secondary terminal 100 is connected to the primary terminal #A (200A), the secondary terminal 100 exchanges data with the dedicated network 600 through data path A, which consists of the primary terminal #A (200A), the base station 300, the core network 400 and the dedicated network access control server 500.
  • the secondary terminal 100 moves and enters the service coverage of the primary terminal #B (200B), the secondary terminal 100 performs the procedures of FIGS. 8 and 9 with the primary terminal #B (200B). .
  • the dedicated network access control server 500 thereby recognizes the movement of the secondary terminal 100. Accordingly, the dedicated network access control server 500 deletes the existing tunnel setting of the secondary terminal 100, that is, the routing setting towards the tunnel between the primary terminal #A (200A) and the dedicated network access control server 500.
  • a new routing setting for a tunnel between the primary terminal #B 200B and the dedicated network access control server 500 is newly created. Thereafter, the data path between the secondary terminal 100 and the dedicated network 600 is changed from the data path A to the data path B.
  • the transmission procedure of uplink data is similar to that of FIG. 10. That is, since the primary terminal 200 to which the secondary terminal 100 is connected has changed, the procedure of FIG. 10 is performed through the primary terminal 200 to which the secondary terminal 100 is connected.
  • the transmission procedure of downlink data is similar to that of FIG. 11, except that the information of the primary terminal #B 200B is included in the tunneling header. This will be described with reference to FIG. 15.
  • FIG. 15 shows a tunneling process for providing mobility of a terminal according to an embodiment of the present invention.
  • it shows an embodiment of providing mobility of a terminal during a downlink data tunneling process, and descriptions of the same contents as in FIGS. 10 and 11 are omitted, and only other contents are described.
  • the tunnel IP address used by the dedicated network access control server 500 for tunneling communication with the primary terminal #A 200A is 192.168.0.1.
  • the tunnel IP address used by the dedicated network access control server 500 for tunneling communication with the primary terminal #B 200B is 192.168.1.1.
  • the dedicated network access control server 500 receives from the dedicated network 600 downlink data whose SIP is the Internet IP of the server and whose DIP is 1.1.1.2.
  • the tunneling server 505 of the dedicated network access control server 500 adds a tunneling header to the downlink data.
  • while the secondary terminal 100 is connected to the primary terminal #A (200A), the SIP (Source IP) of the tunneling header is set to the tunnel IP address (192.168.0.1) used by the dedicated network access control server 500 for the connection with the primary terminal #A (200A), and the DIP is set to the tunnel IP address (192.168.0.4) of the primary terminal #A (200A).
  • downlink data to which a tunneling header has been added is transmitted to the primary terminal #A 200A.
  • Primary terminal #A (200A) removes the tunneling header from the received downlink data, and then transmits it to the secondary terminal 100.
  • after the secondary terminal 100 has moved to the primary terminal #B (200B), the tunneling server 505 of the dedicated network access control server 500 adds a tunneling header to downlink data from the dedicated network 600 destined for the secondary terminal 100 as follows.
  • the SIP of the tunneling header is set to the tunnel IP address (192.168.1.1) used by the dedicated network access control server 500 for the connection with the primary terminal #B (200B), and the DIP of the tunneling header is set to the tunnel IP address of the primary terminal #B (200B).
  • the downlink data to which the tunneling header has been added is transmitted to the primary terminal #B (200B) instead of the primary terminal #A (200A).
  • the primary terminal #B (200B) removes the tunneling header from the received downlink data, and then transmits it to the secondary terminal 100.
  • FIG. 16 is a flowchart illustrating a process of changing the routing information of a primary terminal according to an embodiment of the present invention, and shows a process of providing mobility of the secondary terminal 100.
  • the tunneling server 507 of the dedicated network access control server 500 sets routing information linking the IP address of the primary terminal #A (200A) and the IP address of the secondary terminal 100 (S703). Thereafter, the tunneling server 507 removes or adds a tunneling header to the uplink data or downlink data of the secondary terminal 100 based on this routing information.
  • when the secondary terminal 100 moves out of the service coverage of the primary terminal #A (200A), disconnects, and enters the coverage served by the primary terminal #B (200B), the secondary terminal 100 connects to the primary terminal #B (200B) (S705).
  • the primary terminal #B (200B) transmits a secondary access request including the MAC of the secondary terminal to the dedicated network access control server 500 (S707). The tunneling server 507 of the dedicated network access control server 500 then determines whether routing information has already been set for the MAC of the secondary terminal 100. If it has, this is a case in which the secondary terminal 100 has moved, so the previously set routing information linking the IP address of the primary terminal #A (200A) and the IP address of the secondary terminal 100 is deleted and replaced with routing information linking the IP address of the primary terminal #B (200B) and the IP address of the secondary terminal 100 (S709).
  • routing information linking the IP address of the primary terminal #B and the IP address of the secondary terminal 100 is thus set.
  • downlink data to which the tunneling server 507 has added a tunneling header is then transmitted to the primary terminal #B (200B).
  • accordingly, the secondary terminal 100 can use the service without interruption.
  • the connection state of the secondary terminal 100 can be continuously managed.
  • FIG. 17 is a block diagram showing a hardware configuration of a computing device according to an embodiment of the present invention.
  • It shows the configuration of a computing device for implementing the operation of the primary terminal 200 and/or the dedicated network access control server 500 described with reference to FIGS. 1 to 16.
  • the computing device 900 is composed of hardware including a communication device 901, a memory 903, a storage device 905, and at least one processor 907, and stores a program that is combined with and executed by this hardware.
  • the hardware has a configuration and performance capable of implementing the present invention.
  • the program includes instructions for implementing the operating method of the present invention described with reference to FIGS. 1 to 16, and implements the present invention by combining it with hardware such as the memory device 903 and the processor 907.
  • the embodiments of the present invention described above are not implemented only through an apparatus and a method, but may be implemented through a program that realizes a function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.
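The following is an added illustration, not code from the patent or its applicant, of the tunneling-server behaviour described for FIGS. 15 and 16: routing information keyed by the secondary terminal's MAC, tunnel-header encapsulation of downlink data using the per-primary tunnel IP, and the replacement of the routing entry when the secondary terminal moves from primary terminal #A to primary terminal #B. The tunnel IPs 192.168.0.1 / 192.168.1.1, the primary #A address 192.168.0.4 and the secondary address 1.1.1.2 come from the text; the primary #B address (192.168.1.4), the Internet host address (203.0.113.10) and the MAC values are assumed placeholders. The subscriber check on the secondary access request follows the abstract's description of matching the terminal's identifier against pre-registered subscriber information.

```python
"""Toy model of the tunneling server (507) of the dedicated network access
control server (500): routing table keyed by secondary MAC, tunnel-header
encapsulation of downlink data, and the S709 routing update on mobility.

Added illustration, not the patent's own code. Primary #B IP, Internet host
IP and MAC values are assumed; the page does not give them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    sip: str       # inner Source IP
    dip: str       # inner Destination IP
    payload: bytes


@dataclass(frozen=True)
class TunneledPacket:
    """Downlink data with the tunneling header (outer SIP/DIP) prepended."""
    outer_sip: str  # server tunnel IP for the primary terminal
    outer_dip: str  # IP address of the primary terminal
    inner: Packet


@dataclass(frozen=True)
class RoutingEntry:
    primary_ip: str
    secondary_ip: str
    server_tunnel_ip: str


class TunnelingServer:
    def __init__(self, tunnel_ips: Dict[str, str], subscribers: Set[str]):
        # tunnel IP the server uses per primary terminal IP (FIG. 15)
        self._tunnel_ips = tunnel_ips
        # pre-registered dedicated network subscriber identifiers (MACs)
        self._subscribers = subscribers
        # routing information keyed by secondary MAC (S703 / S709)
        self._routes: Dict[str, RoutingEntry] = {}

    def secondary_access_request(self, secondary_mac: str,
                                 primary_ip: str, secondary_ip: str) -> bool:
        """S707: request relayed by the primary; True means access approved."""
        if secondary_mac not in self._subscribers:
            return False  # identifier not in subscriber information: reject
        if primary_ip not in self._tunnel_ips:
            return False  # no tunnel established with this primary terminal
        entry = RoutingEntry(primary_ip, secondary_ip, self._tunnel_ips[primary_ip])
        # An existing entry for this MAC means the terminal moved (S709):
        # the old (primary #A) routing information is deleted and replaced.
        self._routes[secondary_mac] = entry
        return True

    def route_for(self, secondary_mac: str) -> Optional[RoutingEntry]:
        return self._routes.get(secondary_mac)

    def encapsulate_downlink(self, pkt: Packet) -> Optional[TunneledPacket]:
        """Add the tunneling header to downlink data from the dedicated network."""
        for entry in self._routes.values():
            if entry.secondary_ip == pkt.dip:
                return TunneledPacket(entry.server_tunnel_ip, entry.primary_ip, pkt)
        return None  # no routing information: do not forward


def decapsulate_at_primary(tp: TunneledPacket, my_ip: str) -> Optional[Packet]:
    """Primary terminal side: strip the header only if the outer DIP is ours."""
    if tp.outer_dip != my_ip:
        return None
    return tp.inner


def mobility_scenario() -> List[str]:
    """Replays FIG. 15/16: secondary moves from primary #A to primary #B."""
    srv = TunnelingServer(
        tunnel_ips={"192.168.0.4": "192.168.0.1",   # primary #A (from text)
                    "192.168.1.4": "192.168.1.1"},  # primary #B (assumed IP)
        subscribers={"aa:bb:cc:dd:ee:01"},         # assumed secondary MAC
    )
    trace = []
    srv.secondary_access_request("aa:bb:cc:dd:ee:01", "192.168.0.4", "1.1.1.2")
    down = Packet("203.0.113.10", "1.1.1.2", b"downlink")  # assumed Internet IP
    tp = srv.encapsulate_downlink(down)
    trace.append(f"via #A: outer {tp.outer_sip}->{tp.outer_dip}")
    srv.secondary_access_request("aa:bb:cc:dd:ee:01", "192.168.1.4", "1.1.1.2")
    tp = srv.encapsulate_downlink(down)
    trace.append(f"via #B: outer {tp.outer_sip}->{tp.outer_dip}")
    return trace


if __name__ == "__main__":
    for line in mobility_scenario():
        print(line)
```

The design point worth noting is that the routing table is keyed by the secondary terminal's identifier rather than by the primary terminal, which is what lets a single secondary access request from the new primary replace the stale entry instead of leaving two tunnels claiming the same secondary address; data for a secondary with no entry is not forwarded at all.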

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a dedicated network access control server for a secondary terminal that accesses a dedicated network via a primary terminal, and to the primary terminal. The dedicated network access control server comprises a communication device, a memory, and a processor configured to execute a program stored in the memory. The processor performs the operations of: receiving a primary access request from a primary terminal; if a unique identifier of the primary terminal embedded in the primary access request is part of dedicated network subscriber information registered in advance, transmitting to the primary terminal a primary access approval message approving the primary access request; receiving from the primary terminal a secondary access request of a secondary terminal connected to the primary terminal and, if a unique identifier of the secondary terminal embedded in the secondary access request is part of the dedicated network subscriber information, transmitting to the primary terminal a secondary access approval message approving the secondary access request; then transmitting to the dedicated network uplink data of the secondary terminal received from the primary terminal, and transmitting to the primary terminal downlink data coming from the dedicated network and directed to the secondary terminal.
PCT/KR2020/005694 2019-04-30 2020-04-29 Dedicated network access control server for a secondary terminal accessing a dedicated network via a primary terminal, and primary terminal WO2020222537A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2019-0050892 2019-04-30
KR20190050892 2019-04-30
KR10-2020-0052343 2020-04-29
KR1020200052343A KR102362078B1 (ko) 2019-04-30 2020-04-29 1차 단말을 통하여 전용망에 접속하는 2차 단말의 전용망 접속을 제어하는 서버 및 그 1차 단말

Publications (1)

Publication Number Publication Date
WO2020222537A1 true WO2020222537A1 (fr) 2020-11-05

Family

ID=73029364

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2020/005694 WO2020222537A1 (fr) 2019-04-30 2020-04-29 Serveur de commande d'accès à un réseau dédié d'un terminal secondaire accédant à un réseau dédié par l'intermédiaire d'un terminal primaire, et terminal primaire

Country Status (1)

Country Link
WO (1) WO2020222537A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100523403B1 (ko) * 2003-07-02 2005-10-25 주식회사 케이티프리텔 무선 모뎀과 무선 랜 장치간의 심리스 수직 로밍 제어방법 및 프로그램을 기록한 기록매체
US20110261787A1 (en) * 2008-12-03 2011-10-27 Panasonic Corporation Secure tunnel establishment upon attachment or handover to an access network
US20130103833A1 (en) * 2010-06-30 2013-04-25 British Telecommunications Public Limited Company Method and apparatus for a mobile node to connect different access routers while maintaining a consistent network address
US20140362807A1 (en) * 2012-02-24 2014-12-11 Ruckus Wireless, Inc. Wireless Services Gateway
US9622143B1 (en) * 2013-08-01 2017-04-11 Juniper Networks, Inc. Access point name mappings for a layer two wireless access network

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114513785A (zh) * 2022-02-22 2022-05-17 新华三技术有限公司 一种终端认证方法及装置
CN114513785B (zh) * 2022-02-22 2023-10-20 新华三技术有限公司 一种终端认证方法及装置
WO2024001120A1 (fr) * 2022-06-29 2024-01-04 中国电信股份有限公司 Procédé d'accès à l'isolement de réseau, et système de réseau de communication, dispositif et support de stockage

Similar Documents

Publication Publication Date Title
WO2014148859A1 (fr) Méthode et équipement utilisateur permettant de mettre en œuvre des communications dispositif à dispositif entre ue
WO2018174373A1 (fr) Procédé de gestion de session et nœud smf
WO2011139096A2 (fr) Procédé et appareil permettant de réaliser un transfert
WO2015065062A1 (fr) Procédé et système de transfert intercellulaire
WO2017176013A1 (fr) Procédé pour traiter une requête d'accès provenant d'un équipement utilisateur (ue), et nœud de réseau
WO2010126326A2 (fr) Procédé et appareil destinés à assister un accès à un protocole internet (ip) local dans une femtocellule d'un système de communication sans fil
WO2011021875A2 (fr) Serveur pour plan de commande au niveau d'un réseau de communication mobile et procédé de commande de service d'accès ip local
WO2011149316A2 (fr) Appareil et procédé destinés à supporter la mobilité dans un système de communication sans fil hétérogène
WO2015030537A1 (fr) Procédé et appareil de prise en charge de plusieurs connexions dans un lan sans fil
WO2015012631A1 (fr) Procédé permettant de résoudre des problèmes de sécurité au moyen de paires nh et ncc dans un système de communication mobile
WO2017030399A1 (fr) Procédé et appareil d'accès d'ue
WO2011014015A2 (fr) Procédé de fourniture de services de communication, d'un système de communication sans fil à un terminal et appareil associé
WO2015037947A1 (fr) Procédé et dispositif pour paramétrer des supports de dérivation locaux
WO2012108660A2 (fr) Serveur pour plan de commande dans un réseau de communication mobile et procédé pour permettre au serveur de commander un service
WO2014046431A2 (fr) Procédé pour établir correctement un service d'accès ip local
WO2014003455A1 (fr) Procédé de détermination de contrôle d'accès
WO2012138110A2 (fr) Procédé pour garantir l'établissement d'accès ip local correctement
WO2013005992A2 (fr) Procédé permettant d'éviter l'échec du transfert intercellulaire
KR102362078B1 (ko) 1차 단말을 통하여 전용망에 접속하는 2차 단말의 전용망 접속을 제어하는 서버 및 그 1차 단말
WO2020222537A1 (fr) Serveur de commande d'accès à un réseau dédié d'un terminal secondaire accédant à un réseau dédié par l'intermédiaire d'un terminal primaire, et terminal primaire
WO2018084686A1 (fr) Procédé de gestion de session
WO2015034227A1 (fr) Nœud radio communicant avec un terminal dans un environnement de communication prenant en charge plusieurs réseaux radio, et procédé de communication radio
WO2018038412A1 (fr) Procédé et équipement utilisateur permettant la connexion au moyen d'une pluralité d'accès dans un réseau de nouvelle génération
WO2020004986A1 (fr) Procédé et dispositif de communication dans un système de communication sans fil
WO2014030894A1 (fr) Procédé pour la configuration d'une liaison à grande vitesse dans un système wlan, et dispositif pour la mise en œuvre dudit procédé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20799336

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20799336

Country of ref document: EP

Kind code of ref document: A1