WO2004045173A1 - Network access control system - Google Patents

Info

Publication number
WO2004045173A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
access
authentication
access network
terminal
Application number
PCT/JP2003/011435
Other languages
English (en)
Japanese (ja)
Inventor
Yoichiro Igarashi
Masaaki Takase
Original Assignee
Fujitsu Limited
Application filed by Fujitsu Limited
Priority to JP2004551187A (granted as JP4159548B2)
Publication of WO2004045173A1 (French-language publication)
Priority claimed by US11/075,104 (published as US20050148321A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/062 Pre-authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to a network access control system that controls network access for a terminal capable of communicating through a core network via a plurality of types of access network.
  • Due to the rapid development of the Internet, IP packet traffic is increasing rapidly. Furthermore, with the spread of mobile phones, there is a movement to standardize and commercialize IP packet traffic in the third-generation mobile phone network (International Mobile Telecommunications 2000 (IMT-2000)). High-speed IP communication in a mobile environment is expected to spread.
  • IMT-2000 International Mobile Telecommunications 2000
  • ADSL Asymmetric Digital Subscriber Line
  • Wireless public access means using various wireless LAN technologies such as IEEE 802.11b, IEEE 802.11a and Bluetooth, which are superior to mobile phones in terms of communication speed, are being provided.
  • Some businesses are providing such access; that is, the introduction of wireless public access using wireless LAN technologies such as IEEE 802.11a/b/g is progressing rapidly.
  • wireless LAN access operators are in actual operation, but have issues with roaming and authentication.
  • the authentication function is one of the most expensive functions for constructing a commercial communication network.
  • access methods based on standards such as wireless LAN have rapid technological progress and short product life. Therefore, considering the profitability of the business, it is difficult to put a high cost on the authentication function.
  • Where a terminal uses multiple insecure access lines (unlike mobile phone lines, these lines are themselves insecure), each using a different protocol for authentication and encrypted communication, authenticating on each of them requires multiple certificates to prove the legitimacy of the host, and an authentication server able to authenticate each kind of certificate. This clearly incurs high costs, as in the case above.
  • Unlike a new entity that builds a new access network such as a wireless LAN and operates it independently, existing mobile phone carriers already have a mobile phone network.
  • One promising means for mobile phone carriers is to provide the existing mobile phone network and a wireless LAN link function as unique value-added services. For example, as the services mature, it is conceivable that the two will overlap. For this reason, it is desirable to provide the user with a function for the effective use of both communication means.
  • An access point device comprising: a notification unit for notifying that there is a mobile station requesting authentication; and an input unit for inputting an instruction to permit or reject authentication of the mobile station by a network administrator.
  • This is a mobile communication service providing system that includes a mobile node, a foreign agent (FA), a home agent (HA), and a server system. It has control means by which the HA and FA determine the destination of a packet.
  • extraction means for extracting a service profile corresponding to the mobile node from a database for managing a service profile including information for providing a service requested by the mobile node, and control means for using the extracted service profile
  • It has a service management means for editing in a format that can be edited and a distribution means for distributing the edited service profile to HA and FA.
  • HA and FA provide services by using control means according to the distributed service profile (for example, Patent Document 2). Further, as prior art documents related to the present application, there are techniques disclosed in Patent Documents 3 and 4 below.
  • Patent Document 1
  • Patent Document 2: Japanese Patent Application Laid-Open Publication No. 2001-345819 (Paragraph 0015; FIG. 1 and FIG. 3)
  • One of the objects of the present invention is to provide a network access control technology which makes it easy to introduce an access network such as a wireless LAN as an access means to a core network.
  • Another object of the present invention is to provide a network access control technique capable of performing authentication for use of an access network such as a wireless LAN of a terminal with high security.
  • Another object of the present invention is to provide a network access control technique capable of easily charging a terminal for use of an access network such as a wireless LAN network.
  • Another object of the present invention is to provide a network access control technique capable of cooperating between access networks.
  • the present invention is a network access control system
  • The present invention provides a method in which a terminal capable of using a core network through a plurality of access networks of different types, including a main access network and at least one secondary access network, transmits a message that passes through the main access network.
  • the secondary access network does not need to have its own authentication system. For this reason, it is easy to introduce a secondary access network. It can also reduce operating costs.
  • The main access network is a representative access network defined from among the plurality of access networks that the terminal can use, and has an authentication function.
  • the secondary access network is a concept relative to the primary access network, and among the multiple access networks, the remaining access networks not specified in the primary access network correspond to this.
  • the secondary access network does not have an authentication function, or has an authentication function that is less secure than the authentication function of the main access network.
  • the main access network can further have a charging function.
  • the authentication request message further includes an authentication request for use of the main access network
  • the authentication unit is configured to control use of the main access network and the secondary access network.
  • An authentication process may be performed on the authentication request, and the transmitting unit may transmit the authentication response message for the primary access network and the secondary access network to the terminal.
  • the secondary access network can be authenticated simultaneously with the primary access network authentication procedure.
  • In the system according to the present invention, when the authentication means authenticates use of the secondary access network, the transmitting means transmits an authentication response message including use permission information for the authenticated secondary access network.
  • The terminal may then notify the authenticated secondary access network of the information for using it.
  • The terminal can thereby connect to the secondary access network and communicate using it.
  • The network access control system preferably further comprises network control means for controlling the core network so that a communication service using the secondary access network and the core network is provided to the user of the terminal, over the secondary access network authenticated by the authentication means, in accordance with previously contracted usage conditions.
  • The network control means is preferably configured, for example, to notify the edge node accommodating the access line of the authenticated secondary access network used by the mobile host of control information for executing the communication service for the terminal according to its usage conditions.
  • The network access control system preferably further includes a charging unit that performs processing for both usage-based charging when the terminal uses the core network via the main access network and charging for the case where the terminal uses the core network via the secondary access network.
  • The charging means preferably includes a charging-unit notifying unit that notifies the edge node accommodating the access line of the authenticated secondary access network used by the terminal of the charging unit for metered charging of the terminal's use of that network, and calculates the charge based on the amount measured by the edge node according to that charging unit.
  • When the authentication unit receives, via the main access network, an authentication request message including an authentication request for the secondary access network from the terminal of a roaming user, it preferably performs the authentication process for the secondary access network for that roaming user in cooperation with the roaming-source authentication system, and the transmitting unit transmits the authentication response message for the roaming user to the roaming user's terminal via the main access network.
  • roaming users can be provided with access to the primary and secondary access networks through the network access control system according to the present invention.
  • The network control unit preferably notifies the edge node accommodating the access line of the authenticated secondary access network used by the roaming user's terminal of control information for providing a communication service in accordance with the roaming user's usage conditions for the secondary access network.
  • The network control system is characterized in that the authentication request message is transmitted when the number of access networks available to the terminal changes because the terminal moves within the range in which the main access network can be used.
  • The authentication request message includes at least a request, transmitted from the mobile host, for authentication of the access network that has become available, and in response to the reception means receiving it, the network control means determines whether to switch the access network used by the terminal.
  • The authentication unit performs an authentication process for the switching-destination access network, and the transmitting unit transmits the authentication response message for the switching-destination access network authenticated by the authentication unit to the terminal via the main access network.
  • The network control means is configured to determine whether to switch the access network according to at least one of the contract contents of the user of the terminal and the current network state.
  • When there are a plurality of secondary access networks selectable as the switching destination, the network control means preferably determines the switching-destination access network based on the contract contents of the user of the mobile host or the current network state.
  • the transmitting unit transmits the authentication response message including use permission information of the switching destination access network to the terminal in response to the authentication of the switching destination access network by the authentication unit.
  • The network control means notifies the access network of information for using the switching-destination access network, and preferably notifies the edge node accommodating the access line of the switching-destination secondary access network used by the terminal of control information for implementing a communication service using the core network, in accordance with the usage conditions contracted in advance by the user of the terminal for the switching-destination access network.
  • When the communication service is performed in cooperation between the switching-source edge node and the switching-destination edge node, the network control unit preferably notifies each of them of the control information for performing the cooperative service.
  • The network control means is preferably configured to transmit, to the edge node accommodating the switching-destination access line, control information for implementing a communication service that maintains the communication quality from before the switch even when the access network is switched. Thereby, deterioration of communication quality due to switching can be suppressed.
  • When the terminal keeps using the same access network but the edge node accommodating its access line is switched, the network control means preferably transmits to the switching-destination edge node the same control information that was notified to the switching-source edge node.
  • Thereby, the terminal user can continue to receive the same service after the edge node switch as before it.
  • The network control means preferably receives traffic information from the edge node accommodating the access line used by the terminal, and requests the terminal to switch the access network when the traffic exceeds a predetermined threshold.
  • The network control means preferably monitors the position of the terminal and, when the terminal moves to a position where a predetermined secondary access network can be used, notifies the terminal of this.
  • The receiving means preferably receives the authentication request message including status information from the terminal, and the network control means determines whether to switch the access line used by the terminal based on that status information. Further, the receiving means may receive an authentication request message including designation information designating an access network to switch to from the mobile host, in which case the network control means preferably determines the access network designated by the designation information as the switching-destination access network.
  • The present invention can also be specified as an authentication server having the functions of the receiving means, the authenticating means and the transmitting means constituting the above network access control system, and as an access control server having the function of the network controlling means.
  • it can be specified as a terminal that uses multiple types of access networks through the network access control system.
  • FIG. 2 is a diagram showing the structure of an access control profile.
  • FIG. 3 is a diagram showing an example of an access control profile (common profile, ACP-C).
  • FIG. 4 is a diagram showing an example of an access control profile (individual profile, ACP-V).
  • FIG. 5 is an explanatory diagram of an operation example according to the access authentication method.
  • FIG. 6 is a sequence diagram showing an example of the access control procedure.
  • Figure 7 is a diagram showing an example of the format of an authentication request message when cooperating with authentication of the main access line.
  • Fig. 8 is a diagram showing an example of the format of an authentication request message (unique message) when not cooperating with the authentication of the main access line.
  • FIG. 9 (A) is a diagram showing an example of a functional configuration of the authentication server AAA and the access control server ACS.
  • FIG. 9 (B) is a diagram showing an example of a functional configuration of the access control device AAA/ACS.
  • FIG. 10 is a table showing an example of elements of a heterogeneous access line cooperation information database.
  • FIG. 11 is a sequence diagram showing an example of an authentication process for a secondary access line in the authentication server AAA and the access control server ACS.
  • FIG. 12 is a diagram showing an operation example of the common use of the chargeable information collection function.
  • FIG. 13 is a diagram showing a configuration example of the edge node device (EN).
  • FIG. 14 is a sequence diagram illustrating a process of receiving an access control profile in the edge node device.
  • Figure 15 is a diagram showing an example of access control for roaming from other network operators (other carriers).
  • FIG. 16 is a diagram showing an operation example in the access line selection basic method
  • FIG. 17 is a flowchart showing an access network selection mechanism.
  • FIG. 18 is a flowchart showing an access network selection mechanism.
  • FIG. 19 is a diagram showing an operation example of the access permission procedure.
  • FIG. 20 is an explanatory diagram of an operation example related to service continuation cooperation for a mobile host between access lines.
  • Figure 21 is a table showing an example of a switch request message from an edge node to an access control server.
  • Fig. 22 is a diagram showing an operation example related to switching of access lines according to the state of the peripheral network resources.
  • Fig. 23 is a diagram showing an operation example related to automatic acquisition of an access line according to the user's contract conditions.
  • Figure 24 is a table showing an example of mobile host information.
  • Fig. 25 is a diagram showing an example of operation related to acquisition of an access line based on user terminal requirements.
  • Figure 26 is a table showing examples of application function types.
  • Fig. 27 is a diagram showing an operation example related to automatic switching of access lines depending on the type of application being used.
  • Fig. 28 is a diagram showing an example of the configuration of a network access terminal (mobile host).
  • Fig. 29 is a diagram showing an example of an authentication procedure for a secondary access line at the network access terminal.
  • FIG. 30 is a table showing an example of billing information.
  • Figure 31 shows an example of the format of an authentication response message when linking with authentication of the main access line.
  • Figure 32 is a diagram showing an example of the format of an authentication response message when not cooperating with the authentication of the main access line.
  • FIG. 33 is a diagram showing an example of the format of an authentication completion / access permission request message.
  • FIG. 34 is a diagram showing an example of the format of the access line change request message
  • FIG. 35 is a sequence diagram showing an operation example of the access control device (AAA / ACS).

BEST MODE FOR CARRYING OUT THE INVENTION

  • FIG. 1 is a diagram showing an embodiment of a network access control system according to the present invention.
  • the embodiment shown in FIG. 1 is generally configured as follows.
  • A plurality of mobile access networks (wireless access networks) are accommodated by the core network (CN, for example a backbone (BB) network) of a certain network operator (also called a carrier or NOP (Network Operator)).
  • CN is connected to CN of one or more other carriers (BB of another carrier) as shown in FIG.
  • BB BackBone network
  • NOP Network Operator
  • a network system consisting of a CN and multiple mobile access networks provides users (subscribers) with communication services through the use of the core network via the mobile access network.
  • Various wireless access networks can be applied as the mobile access network.
  • the third-generation mobile phone standard IMT-2000 (W-CDMA, cdma2000, etc.)
  • radio access networks (RAN: Radio Access Network) based on the second-generation mobile phone standards (PDC (Personal Digital Cellular), cdmaOne, etc.)
  • wireless LAN networks such as IEEE 802.11a/b/g and HiSWAN, PHS networks, Bluetooth, etc.
  • PAN Primary Access Network
  • SAN Secondary Access Network
  • A primary access network (PAN) is an access network in which an access authentication system for at least the user's mobile access network has been constructed, and in which that authentication system provides commercial service. It is desirable that an access network securing sufficient security is selected as the PAN; for example, a 2nd- or 3rd-generation mobile phone network with a secure access authentication and billing system (PDC, FOMA (trademark), etc.), as provided in existing commercial services, is a preferable choice.
  • PAN is determined, for example, by the CN carrier.
  • a SAN is an access network that does not have an access authentication system in its network, or has an access authentication system but its security level is lower than the access network specified as PAN.
  • A SAN has one or more areas (service areas) that users can use simultaneously with the PAN. Ultimately, the whole service area of the SAN will lie within the service area of the PAN.
  • the access network (PAN and SAN) for the CN may include a fixed access network such as an xDSL network.
  • MH mobile host (also called a mobile node (MN), user terminal or subscriber terminal)
  • The mobile host is a mobile terminal (mobile station) that can connect to various types of access network including the PAN and can use a communication service through the CN via each access network. That is, the terminal can select and use a plurality of access methods.
  • the network access control system is composed of, for example, an authentication server (AAA: Authentication, Authorization and Accounting) housed in a CN and an access control server (ACS) on the network side. It controls a plurality of edge node devices (EN: Edge Node) corresponding to each mobile access network.
  • AAA Authentication, Authorization and Accounting
  • ACS access control server
  • AAA and ACS can be configured with one or more computers that have these functions together. That is, the functions of AAA and ACS may be realized by executing one or more computers by executing various programs stored in the storage device. In other words, AAA and ACS can be configured as an access control device (AAA / ACS) by combining the functions of both.
  • AAA corresponds to the receiving means, authentication means, and transmitting means in the present invention
  • ACS corresponds to the network control means in the present invention.
  • the receiving means, the authenticating means, the transmitting means, and the network control means according to the present invention may be realized by cooperation between AAA and ACS.
  • the EN corresponding to each mobile access network is configured by adding a function for controlling access to users to a router or a layer 3 switch deployed in the periphery (boundary) of the CN.
  • The functions for controlling access are realized, for example, by a processor (such as a CPU) mounted on the router or layer 3 switch executing a program, stored in the storage device, that implements those functions.
  • Each EN accommodates at least one access line of the corresponding mobile access network, and is connected to an access point (AP) installed in each mobile access network through the access line.
  • AP access point
  • The EN (EN-1) connected to the PAN accommodates at least one PAN access line (PAL: Primary Access Line), and the EN (EN-2) connected to the SAN accommodates at least one SAN access line (SAL: Sub Access Line).
  • PAL Primary Access Line
  • SAL Sub Access Line
  • the mobile access networks corresponding to the PAN and the SAN respectively have one or more access points AP which also serve as base stations.
  • The EN (EN-1) connected to the PAN is connected to the AP (AP-1) of the PAN, and the EN (EN-2) connected to the SAN is connected to the AP (AP-2) of the SAN.
  • the terminal (MH) can have the following functions.
  • the following functions are realized by, for example, a processor mounted on the MH executing a program for realizing each function stored in the storage device.
  • Access line control function according to multiple access methods (connection method according to access network) for connecting to CN.
  • AAA has at least the following functions.
  • ACS has at least the following functions.
  • An access network selection function that selects the most suitable switching destination access line type based on the user's usage conditions (for example, the type of access line to be preferentially connected on a contract) or the current network status (Access line type selection unit).
  • A function (access control profile distribution unit) that gives an access control profile (ACP: Access Control Profile), describing individual access control information for the access line, to the EN that accommodates the access line.
  • A function (access control profile registration unit) that registers, in the access control profile database (ACP-DB) usable by the ACS, the ACP for each user, which describes the usage conditions of the access lines generated when the service is used.
  • The EN (EN-1) connected to AP-1 of the PAN and the EN (EN-2) connected to AP-2 of the SAN can each have the following functions.
  • An access control profile management function (access control profile management unit) that stores the individual service information (ACP-V) delivered from the AAA or ACS for a certain validity period.
  • After the authentication procedure for the MH's access line, the CN performs packet communication, service control and the like for the user (MH).
  • the network access control system provides a user MH with a communication service using a CN by connecting to a predetermined access line.
  • This communication service is provided on condition that the network authenticates the mobile access network used by the user, and is performed in accordance with the contents of access control (use conditions) for the mobile access network used by the user.
  • The main feature of the network access control system is that, by performing authentication for the SAL using the PAL authentication procedure, the SAN need not have its own authentication system. It is also characterized in that the user is charged for use of the SAL through the PAL charging system.
  • Another feature of the network access control system is that it provides a means for selecting the access line that the user (MH) should use, based on the contract conditions with the user or the carrier's own judgement, while considering the network connection status of the user (MH).
  • The original ACP is registered in the ACS-DB after the user and carrier have contracted for a communication service (service use conditions), and is delivered to the EN accommodating the access line to be controlled, triggered by the authentication procedure executed when the MH uses the CN.
  • a method of distributing ACP for example, a method disclosed in Japanese Patent Application Laid-Open No. 2001-237788 can be applied.
  • The carrier of the mobile access network may be, besides the carrier of the CN or a carrier owning the equipment of the mobile access network, an MVNO that does not own specific access means (a mobile access network) of its own.
  • MVNO Mobile Virtual Network Operator
  • an access control profile used for network control in a network access control system
  • An ACP describing the user's usage requirements, such as the access line types usable by each MH user and selection logic such as priority order, as specified in the user-carrier subscription contract, is held and managed on the carrier side (network side). The network access control system then selects the access line to be used by the user through this data set (the ACP), which enables access line connection control based on the access line usage conditions of each user.
  • the ACP specifies the contents of access control on a user-by-user basis.
  • the information specified in the ACP includes the following elements, for example.
  • the ACP can be composed of the following two subsets (subcategories).
  • ACP common part (ACP-C: Access Control Profile Common-part)
  • The ACP-C specifies the types of all access lines available to the user and the user's contract information common to these access lines.
  • The ACP-C is stored in the ACP-DB and is referenced by the AAA and/or the ACS.
  • ACP individual part (ACP-V: Access Control Profile Variant-part)
  • The ACP-V specifies, for each access line available to the user, the usage conditions of that access line and its relationship to the other access lines usable within the contract (priority order, cooperation details, etc.).
  • The ACP-V is stored in the ACP-DB in association with the ACP-C. Alternatively, the ACP-V is generated as necessary from the contents of the ACP-C, network conditions, and the like.
  • The ACP-V is delivered to, stored in, and held by the EN accommodating the access line used by the MH, triggered by an authentication request or the like for that access line of the MH.
  • The EN refers to the received ACP-V and controls access by the MH accordingly. At this time, the EN can also recognize from the ACP-V the cooperative relationship with other access lines and perform the necessary cooperative processing.
  • ACPs (ACP-C and ACP-V) are defined for each user and stored in the ACP-DB.
  • The ACP-V is extracted by the ACS as additional data when authenticating the connection to the MH's access line, and is distributed to and held by the corresponding EN.
  • The EN has an access control function, which performs access control according to the rules specified in the ACP-V.
  • FIG. 2 is a diagram illustrating a structure of an ACP
  • FIG. 3 is a diagram illustrating an example of an ACP-C.
  • FIG. 4 is a diagram illustrating an example of an ACP-V.
  • The ACP is composed of the ACP-C and the ACP-V.
  • As shown in Fig. 3, the ACP-C has at least the subscriber identification information (NAI etc.) and the available access lines, and can further include information on security level, validity period of the authentication session, and usage authority.
  • NAI: Network Access Identifier, used here as subscriber identification information
  • The ACP-V is prepared for each access line type and, as shown in Fig. 4, can include line identification information, operation status (currently in use (packet continuity), transfer, blocking), the transfer destination edge device, authentication cycle, maximum bandwidth, and charging conditions.
  • The data structures of the ACP-C and ACP-V can be composed of fields for each information element together with their possible values.
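As an added illustration (not code from the patent), the following Python models the ACP-C / ACP-V split described above and the ACS selection step that the later description calls step S7 (FIG. 6) and S004 (FIG. 11): the SAL types named in the ACP-C are intersected with the types reachable in the MH's area code according to the heterogeneous access line cooperation information database, the candidate must still have free capacity (the operator check in the FIG. 35 walkthrough), the subscriber's selection priority breaks ties, and an ACP-V is then built for the PAL and the chosen SAL. All field names, the area-code table, the EN mapping and the sample subscriber are assumptions constructed for the example.

```python
"""Added example: ACP-C / ACP-V model and ACS access line selection.

Not the patent's own code; field names, sample data and the capacity
check are assumptions constructed from the description of FIGS. 3, 4, 10.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ACPC:
    """ACP common part: subscriber data common to all of the user's lines."""
    nai: str                        # subscriber identification information
    available_lines: List[str]      # item 2: access line types under contract
    selection_priority: List[str]   # item 3: preferred order among them
    security_level: int
    session_validity_s: int         # validity period of the authentication session
    usage_authority: str


@dataclass
class ACPV:
    """ACP variant part: per-access-line control data delivered to an EN."""
    line_type: str
    status: str                     # "in_use", "transfer" or "blocking"
    transfer_destination_en: Optional[str]
    auth_period_s: int
    max_bandwidth_kbps: int
    charging_unit: str              # item 6: what the EN must measure


# Heterogeneous access line cooperation information database (FIG. 10):
# area code -> {access line type: free capacity}. Constructed sample data.
HETERO_DB: Dict[str, Dict[str, int]] = {
    "area-0042": {"W-CDMA": 500, "PHS": 12, "PUBLIC-WLAN": 0},
    "area-0043": {"W-CDMA": 500, "PUBLIC-WLAN": 35},
}

# Which EN accommodates which access line type (constructed).
EN_FOR_LINE = {"W-CDMA": "EN-1", "PHS": "EN-3", "PUBLIC-WLAN": "EN-2"}


def select_sal(acpc: ACPC, pal_type: str, area_code: str) -> Optional[str]:
    """Step S7: candidate SALs are the contract's line types other than the
    PAL that are reachable in this area and still have free capacity; the
    subscriber's selection priority decides among several candidates."""
    reachable = HETERO_DB.get(area_code, {})
    candidates = [t for t in acpc.available_lines
                  if t != pal_type and reachable.get(t, 0) > 0]
    if not candidates:
        return None
    rank = {t: i for i, t in enumerate(acpc.selection_priority)}
    candidates.sort(key=lambda t: rank.get(t, len(rank)))
    return candidates[0]


def build_acpv(acpc: ACPC, line_type: str, status: str) -> ACPV:
    """Derive a per-line ACP-V from the ACP-C (the 'generated as necessary'
    case in the description). Bandwidth and charging unit are assumptions."""
    return ACPV(
        line_type=line_type,
        status=status,
        transfer_destination_en=EN_FOR_LINE.get(line_type),
        auth_period_s=acpc.session_validity_s,
        max_bandwidth_kbps=11000 if line_type == "PUBLIC-WLAN" else 384,
        charging_unit="packets",
    )


def acs_response(acpc: ACPC, pal_type: str, area_code: str) -> List[ACPV]:
    """Step S8: the ACP-Vs returned to the AAA, one for the PAL and one for
    the selected SAL (only the PAL's if nothing is selectable here)."""
    acpvs = [build_acpv(acpc, pal_type, "in_use")]
    sal = select_sal(acpc, pal_type, area_code)
    if sal is not None:
        acpvs.append(build_acpv(acpc, sal, "transfer"))
    return acpvs


# Constructed sample subscriber: W-CDMA PAL, prefers public WLAN over PHS.
SAMPLE_ACPC = ACPC(
    nai="user@example.net",
    available_lines=["W-CDMA", "PHS", "PUBLIC-WLAN"],
    selection_priority=["PUBLIC-WLAN", "PHS"],
    security_level=2,
    session_validity_s=300,
    usage_authority="data",
)

if __name__ == "__main__":
    for area in ("area-0042", "area-0043", "area-9999"):
        print(area, [v.line_type for v in acs_response(SAMPLE_ACPC, "W-CDMA", area)])
```

In area-0042 the preferred public WLAN has no free capacity, so the second-priority PHS is selected; in area-0043 PHS is not reachable and the WLAN is chosen; in an unknown area only the PAL's ACP-V is returned, which is the case in which the AAA would send the MH a rejection for the SAL.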
  • The first access authentication method (hereinafter "first method") is a procedure by which an MH capable of using a plurality of access lines obtains permission to connect to those lines. For example, using the authentication procedure performed when connecting to the PAL, SAL connection authentication can be carried out simultaneously with PAL connection authentication.
  • the mobile host MH transmits the authentication request message for the PAL to the CN including information necessary for the authentication of the predetermined SAL.
  • the network access control system integrates and implements the authentication procedure for both PAL and SAL access lines.
  • Conventionally, when an MH having means for connecting to multiple access lines dynamically used the individual access lines (migrating from one access line to another), the authentication procedure for the destination line had to be performed using an authentication system prepared separately from that of the line before the transfer.
  • the first method solves such a problem.
  • the authentication procedure for the plurality of access lines is integrated into any one of the authentication procedures.
  • the respective devices on the user side (MH side) and the network side related to the network access control system have the following functions.
  • the MH has an authentication request message sending function (authentication request message sending unit) and an authentication response message processing function (authentication response message processing unit).
  • the authentication request message sending function is associated with an authentication protocol control function (included in the access line control function) for a certain access line (first access line; for example, PAL).
  • the authentication information on the other coexisting access line (second access line; for example, SAL) is transmitted in the authentication request message for the access line.
  • the MH includes a storage device that stores authentication information corresponding to each access line available to the user.
  • The authentication response message processing function is associated with the authentication protocol control function for an access line; it receives the authentication response message from the AAA, extracts the use permission information for the other access lines included in it (for example, the packet encryption key), and stores (caches) it in the storage device inside the MH.
  • AAA has an authentication request message processing function (authentication request message processing unit).
  • the authentication request message processing function is part of the authentication protocol control function provided by AAA.
  • The authentication request message processing function extracts the authentication information for the second access line from the authentication request message for the first access line sent by the MH, performs the authentication operation, and attaches the authentication response (use permission information) for the second access line to the authentication response message (authentication confirmation message) for the first access line, which is returned to the MH.
  • The network has a function of notifying the AP accommodating the SAL that the MH has been authenticated (permitted) for the first and second access lines, so that the MH can use that access line.
  • FIG. 5 is a diagram illustrating an example of the first access authentication method.
  • Fig. 5 shows an example of operation when SAL authentication is performed using the PAL authentication procedure.
  • FIG. 5 shows an access control device (AAA/ACS) in which the functions of the AAA and the ACS are integrated.
  • The MH detects that it can connect to the PAL and the SAL, generates an authentication request message for the PAL including the authentication information for the SAL, and sends it (Fig. 5; (1)).
  • The MH can detect that these lines are connectable, for example, by receiving radio waves from the PAN and the SAN.
  • The AAA/ACS receives the authentication request message via the AP-1 and EN-1 corresponding to the PAN, analyzes it, and performs the authentication operation for both the PAL and the SAL. At this time, the AAA/ACS detects that the MH can access the SAL (FIG. 5; (2)). This detection can be based on the contents specified in the ACP of the MH user (usage conditions), the current network state (including the state of the MH), and the like.
  • the AAA / ACS transmits a message requesting access permission of the MH to the AP (AP-2) corresponding to the SAL ( Figure 5; (3)).
  • This message contains the usage permission information for the AP to allow access from the MH, is transmitted to the AP-2 via EN (EN-2) corresponding to the SAL, and is managed by the AP-2 .
  • In order to respond that the authentication result is valid for both the PAL and the SAL, the AAA/ACS generates an authentication response message for the PAL including the PAL and SAL use permission information and sends it to the MH (Figure 5; (4)).
  • This authentication response message arrives at the MH via PAL.
  • the MH acquires the PAL and SAL use permission information and caches it.
  • The MH can then connect to the SAL using the cached use permission information and receive a communication service using the CN (for example, packet communication via the CN) (FIG. 5; (5)).
  • FIG. 6 is a sequence diagram showing another operation example of the first access authentication method by the network access control system.
  • FIG. 6 shows an operation example in which the operation according to the first method is performed in cooperation between AAA and ACS.
  • the operation example in FIG. 6 is as follows.
  • The MH is powered on at its current location (within the usable range (service area) of the PAN) (step S1). An authentication request message for the PAL is then generated in the MH. At this time, the authentication information for all other access lines (one or more SALs) available at the MH's location is extracted from the storage device in the MH and included in the PAL authentication request message together with the PAL authentication information (step S2). Next, the MH sends the authentication request message for the PAL (step S3). The authentication request message is forwarded via the PAN to the edge node EN-1 of the CN.
  • Upon receiving the PAL authentication request message, the edge node EN-1 determines the AAA capable of authenticating the MH that sent the request and forwards the authentication request message to that AAA (step S4).
  • When the AAA receives the authentication request message, it performs the authentication process based on the request and, by verifying the validity of the requesting MH, determines whether the PAL and the SAL to be authenticated may be accessed (step S5).
  • If the AAA determines in the authentication process that the MH is valid, it sends a message (ACS request message) requesting the ACP corresponding to the MH (user) to the ACS (step S6).
  • Upon receiving the ACS request message, the access control server ACS decides whether to permit access to the SALs available at the location of the MH. For this purpose, the ACS extracts the user's ACP-C from the ACP-DB and extracts from the heterogeneous access line information database (described later) the access line type information usable at the MH's location (the applicable access line information corresponding to the area code indicating the location). For detecting the location, the method (location registration procedure) applied in existing mobile phone networks can be adopted.
  • The ACS compares the SAL access line types described in the ACP-C with the access line types extracted from the heterogeneous access line database, and thereby selects the access line type(s) that the MH can use at its location (step S7).
  • If the ACP-C includes ancillary conditions such as the priority between access lines, the system can be configured so that at least one SAL access line type is selected according to those conditions. For example, when several access line types match between the databases, the access line with the highest priority can be selected.
  • The ACS generates an ACS response message including the ACP (ACP-C and ACP-V) for the MH identified in the ACS request message and returns it to the AAA (step S8).
  • The ACP included in the ACS response message contains the ACP-C, the ACP-V corresponding to the PAL, and the ACP-V corresponding to the selected access line type (SAL).
  • When the AAA receives the ACS response message, it stores the ACP-C included in the response message in a management table in its own storage device (step S9).
  • The AAA delivers each of the ACP-Vs in the ACS response message to the EN accommodating the access line (PAL or SAL) associated with that ACP-V. That is, the AAA transmits the ACP-V of the SAL to the corresponding EN (EN-2) (step S10).
  • When EN-2 receives the ACP-V of the SAL, it stores the ACP-V in a management entry of the management table prepared on its storage device, extracts the information to be referenced by the AP (AP-2) under EN-2 (ACP-V sub-information; for example, the packet encryption key used in the wireless section between the MH and AP-2), and delivers it to AP-2 (step S11).
  • AP-2, under the control of EN-2 (which controls whether or not packets are forwarded to the MH), receives and stores the sub-information included in the ACP-V for the MH as use permission information. As a result, AP-2 enters a state in which access to the SAL from the MH can be permitted.
  • The AAA also sends the ACP-V corresponding to the PAL to EN-1 (step S12).
  • When EN-1 receives the PAL ACP-V, it performs the same operation as EN-2 and transmits the information to be referenced by the AP-1 under EN-1 (ACP-V sub-information; for example, the wireless section encryption key) to AP-1 (step S13).
  • AP-1, under EN-1 (which controls whether packets are forwarded to the MH), receives and stores the ACP-V sub-information for the MH. As a result, AP-1 enters a state in which access to the PAL from the MH can be permitted.
  • the operations in steps S10 and S11 and the operations in steps S12 and S13 are a set of operations, respectively.
  • The number of ACP-V transmission destinations depends on the ACS determination (the number of selected access lines).
  • The ACP-V may also be transmitted directly from the ACS to each corresponding EN.
  • The sub-information (access permission message) transmitted from the EN to the AP may be held in advance by the EN, or sub-information transmitted from the AAA may be relayed to the AP by the EN.
  • When the AAA completes the authentication processing, it generates an authentication response (authentication confirmation) message including the use permission information (for example, a packet encryption key) for the PAL and the SAL, and transmits it to the MH.
  • the authentication response message is transferred to the MH via the EN-1 and the AP-1 (PAL) and received by the MH.
  • When the MH receives the authentication response message, it extracts the use permission information and stores and manages it. The access line control function for the SAL in the MH can then communicate over the SAL using the SAL use permission information.
  • FIG. 7 is a diagram showing an example of a packet (authentication request packet) of an authentication request message sent from the MH.
  • the authentication request packet includes, as a payload, authentication information for SAL in addition to authentication information for PAL.
  • The SAL authentication information can include the SAL access point number and the SAL address in addition to the user identification information (for example, user name and password; not shown).
  • the SAL authentication information corresponding to each SAL is set as a payload.
  • the SAL AP number is a number for identifying the SAL access point.
  • The SAL address is an MH address corresponding to the destination address of packets sent via the SAL (for example, a care-of address in the case of Mobile IP).
  • the contents of the PAL authentication information are almost the same as the SAL authentication information.
  • the SAL authentication information is added to the PAL authentication request message. Therefore, the type of PAL does not matter.
  • authentication for a specific access line is integrated with the authentication procedure for another access line, and authentication for both access lines is performed substantially simultaneously.
  • authentication can be performed by using an authentication system of another existing access line. Therefore, on the network side, when the access network (access line) is switched between different types, the switching can be performed without using an original authentication system for the authentication procedure for the access network to be switched. In addition, it is possible to reduce the cost required when introducing a specific access network as a core network access network.
  • Next, a second access authentication method (hereinafter "second method") by the network access control system according to the present invention will be described.
  • The second method is processing for SAL authentication that is not linked to PAL authentication. That is, in connection authentication for an MH capable of using a plurality of access lines, the connection authentication procedure for one access line (for example, the PAL) is used as the carrier of an authentication request for one or more other access lines (for example, a SAL), and that request is sent independently of the authentication trigger of the first line.
  • This makes it possible to execute connection authentication of one access line and connection authentication of another access line independently, as needed.
  • The first access authentication method integrates PAL and SAL connection authentication at, for example, the PAL authentication timing (start of an authentication session) and executes them within the PAL authentication procedure (PAL authentication protocol).
  • The first method is therefore an operation mode mainly for the case where the MH newly requires PAL and SAL connection authentication (registration request), such as when the MH is powered on.
  • However, the validity periods of the authentication sessions of the individual access lines may differ from one another.
  • For example, the validity period of a PAL authentication session may be 10 minutes while that of a SAL authentication session is 5 minutes; that is, the SAL validity period may be shorter than the PAL validity period.
  • If PAL and SAL authentication are performed at substantially the same time, the SAL authentication session then expires before the MH sends the next PAL and SAL authentication request message under the first method, and communication over the SAL is interrupted.
  • In the second method, the MH therefore independently generates and sends a SAL authentication request message without waiting for the next PAL authentication request.
  • SAL authentication is still carried within the PAL authentication procedure, as in the first method.
  • the following method can realize the second method.
  • the MH has an authentication request message sending function and an authentication response message processing function.
  • The authentication request message sending function in the second method is associated with the PAL authentication protocol control function. It sends, in accordance with the PAL authentication procedure, a message different from the PAL authentication request message (referred to as a "unique message") that carries the authentication information held in the MH for a coexisting SAL.
  • The authentication response message processing function receives, in accordance with the PAL authentication procedure, the message containing the SAL authentication response to the unique message, extracts the SAL use permission information included in it (for example, the packet encryption key), and stores (caches) it inside the MH.
  • the second access authentication method will be described with reference to FIG.
  • The MH uses the PAL authentication protocol control function to send an authentication request message (unique message) including the authentication information for the SAL to the AAA/ACS (FIG. 5; (1)).
  • The AAA/ACS receives the unique message from the MH and performs the SAL authentication operation. At this time, the AAA/ACS detects that the MH can access the SAL (FIG. 5; (2)).
  • The AAA/ACS transmits a message requesting access permission for the MH to the access point AP-2 of the SAL via EN-2 (FIG. 5; (3)).
  • The AAA/ACS responds via the PAL that the SAL has been authenticated (FIG. 5; (4)). Thereafter, the MH can communicate using the SAL (FIG. 5; (5)).
  • FIG. 8 is a diagram showing an example of an authentication request packet (unique message) used in the second method.
  • As the access point number, a number identifying the AP of the SAL for which the subscriber is to be authenticated is described.
  • As the address for the SAL, an address equal to the destination address of packets passing through the SAL (for example, a care-of address in the case of Mobile IP) is described.
  • As the PAL identification information, information identifying the normal PAL is described, for example a PIN (Personal Identification Number: a digit string for personal authentication) in the case of a PSTN (Public Switched Telephone Network), or an NAI.
  • The authentication information for the SAL may thus be described in the format of the PAL authentication message, so the type of PAL does not matter.
  • In this way the SAL authentication session can be renewed independently of the PAL authentication cycle and the SAL can be used continuously.
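The following Python, added here and not part of the patent, walks through both methods described above as one exchange between an MH and an integrated AAA/ACS: the first method sends a PAL request whose payload also carries the SAL authentication information (FIG. 7) and receives use permission information (per-line keys) for both lines, and the second method sends a unique message for just the SAL (FIG. 8) once its shorter session has expired while the PAL session is still valid. The message field names follow FIGS. 7 and 8; the shared-secret credential check, the 16-byte keys, the 600 s / 300 s validity periods and the "permit every line the subscriber has registered" ACS policy are constructed assumptions that keep the message flow, not the profile lookup, in focus.

```python
"""Added example: first and second access authentication methods as a
self-contained MH <-> AAA/ACS exchange. Not the patent's code: message
fields follow FIGS. 7 and 8, while the shared-secret check, key size,
validity periods and the 'permit every registered line' ACS policy are
constructed assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LineAuth:
    """Authentication payload element for one access line (FIG. 7 / FIG. 8)."""
    line_type: str   # "PAL" or "SAL"
    ap_number: str   # identifies the AP of that line
    address: str     # MH address via that line (care-of address for Mobile IP)
    secret: bytes    # credential held in the MH's storage (assumed form)


@dataclass
class AuthRequest:
    unique: bool     # False: FIG. 7 PAL request; True: FIG. 8 unique message
    nai: str         # subscriber identification / PAL identification info
    lines: List[LineAuth]


@dataclass
class Permission:
    line_type: str
    key: bytes       # packet encryption key for the wireless section
    expires_at: int  # end of the authentication session (seconds)


class AAAACS:
    """Integrated AAA/ACS of FIG. 5."""

    def __init__(self, subscribers: Dict[str, Dict[str, bytes]],
                 validity: Dict[str, int]) -> None:
        self.subscribers = subscribers   # nai -> {line_type: secret}
        self.validity = validity         # line_type -> session validity (s)
        self.en_deliveries: List[Tuple[str, str, bytes]] = []

    def handle(self, req: AuthRequest, now: int) -> List[Permission]:
        creds = self.subscribers.get(req.nai)
        if creds is None:
            return []
        granted: List[Permission] = []
        for la in req.lines:
            expected = creds.get(la.line_type)
            # Constant-time compare; a bad SAL credential only drops the SAL,
            # it does not block the PAL authentication in the same message.
            if expected is None or not hmac.compare_digest(expected, la.secret):
                continue
            key = secrets.token_bytes(16)
            # ACP-V sub-information for the EN/AP of that line (FIG. 5 (3)).
            self.en_deliveries.append((la.line_type, la.ap_number, key))
            granted.append(Permission(la.line_type, key, now + self.validity[la.line_type]))
        return granted  # returned in the PAL authentication response (FIG. 5 (4))


class MobileHost:
    def __init__(self, nai: str, line_auth: Dict[str, LineAuth]) -> None:
        self.nai, self.line_auth = nai, line_auth
        self.cache: Dict[str, Permission] = {}   # cached use permission information

    def first_method_request(self) -> AuthRequest:
        """FIG. 7: PAL request whose payload also carries the SAL auth info."""
        return AuthRequest(False, self.nai, list(self.line_auth.values()))

    def second_method_request(self, now: int) -> Optional[AuthRequest]:
        """FIG. 8: unique message for SALs whose session is no longer valid."""
        stale = [la for t, la in self.line_auth.items()
                 if t != "PAL" and not self.usable(t, now)]
        return AuthRequest(True, self.nai, stale) if stale else None

    def store(self, perms: List[Permission]) -> None:
        for p in perms:
            self.cache[p.line_type] = p

    def usable(self, line_type: str, now: int) -> bool:
        p = self.cache.get(line_type)
        return p is not None and now < p.expires_at


def run_scenario() -> Dict[str, object]:
    """PAL sessions last 600 s, SAL sessions 300 s: the mismatch described
    in the text. Returns the observable state after each step."""
    pal_secret, sal_secret = b"pal-shared-secret", b"sal-shared-secret"
    server = AAAACS({"user@example.net": {"PAL": pal_secret, "SAL": sal_secret}},
                    {"PAL": 600, "SAL": 300})
    mh = MobileHost("user@example.net", {
        "PAL": LineAuth("PAL", "AP-1", "10.0.1.7", pal_secret),
        "SAL": LineAuth("SAL", "AP-2", "10.0.2.7", sal_secret)})
    out: Dict[str, object] = {}
    mh.store(server.handle(mh.first_method_request(), now=0))   # first method
    out["t0"] = (mh.usable("PAL", 0), mh.usable("SAL", 0))
    out["t300_before"] = (mh.usable("PAL", 300), mh.usable("SAL", 300))
    req = mh.second_method_request(300)                          # second method
    out["unique_lines"] = [la.line_type for la in req.lines] if req else []
    if req:
        mh.store(server.handle(req, now=300))
    out["t300_after"] = (mh.usable("PAL", 300), mh.usable("SAL", 300))
    out["t599"] = (mh.usable("PAL", 599), mh.usable("SAL", 599))
    out["deliveries"] = [(t, ap) for t, ap, _ in server.en_deliveries]
    bad = MobileHost("user@example.net", {
        "PAL": LineAuth("PAL", "AP-1", "10.0.1.8", pal_secret),
        "SAL": LineAuth("SAL", "AP-2", "10.0.2.8", b"wrong")})
    out["bad_sal"] = [p.line_type for p in server.handle(bad.first_method_request(), 0)]
    return out
```

At t = 300 s the SAL permission from the combined authentication has lapsed while the PAL permission is still good, so the MH emits a unique message for the SAL only and the AAA/ACS pushes a fresh key to EN-2/AP-2 without touching the PAL session. The final case shows that a wrong SAL credential inside a first-method request costs only the SAL grant, which matters because the SAL payload rides on a message whose PAL part is otherwise valid.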
  • The AAA and ACS recognize, for each user (MH), the cooperation between the access line currently in use and the access lines to which a transfer is possible when certain conditions related to the MH are satisfied at its location, and initiate the transition between lines. When the transition conditions are met, they automatically generate the access control profile (ACP-V) for the relevant MH and distribute it to the EN on the CN side that accommodates the destination access line.
  • FIG. 9 (A) and 9 (B) are functional block diagrams showing configuration examples of the authentication server AAA and the access control server ACS.
  • FIG. 10 is a table showing the contents of the heterogeneous access line cooperation information database.
  • The AAA includes, as authentication server functions, a user authentication function (user authentication unit) 11, an access line information extraction unit 12, and an ACS message control unit 13.
  • the user authentication function 11 controls general functions (user authentication function) as an authentication server.
  • The access line information extraction unit 12 extracts from the PAL authentication request message (or unique message) the information on the access line to be authenticated (access line information: subscriber identification information, access line type, and MH location including the area code).
  • the ACS message control unit 13 composes a message (ACS request message) for notifying the extracted access line information to the ACS, and sends the message to the access control server (ACS). Also, the ACS message control unit 13 receives the ACS response message from the ACS.
  • The ACS has, as access control server functions, an ACS message processing unit (protocol control) 14, an access control profile (ACP) generation unit 15, an access control profile (ACP) transmission unit 16, an access control information database (ACP-DB) 17, and a heterogeneous access line cooperation information database 18.
  • The ACS message processing unit 14 controls the messages and protocol exchanged with the AAA, receiving the ACP request message and transmitting the ACP response message.
  • The ACP generation unit 15 determines whether, and under what conditions, the access line type whose use (authentication) the MH requests is currently available.
  • The ACP transmission unit 16 performs conversion into ACP messages (ACP generation).
  • The ACP-DB 17 is a database function that stores and manages ACPs in units of MHs.
  • The heterogeneous access line cooperation information database 18 manages, as a database, the set of information on the access lines usable in each management unit area specified by the carrier.
  • The heterogeneous access line cooperation information database 18 can be composed of one or more records per area code, each record having as elements, for example, the area code of the PAL, the applicable access lines indicating the other access lines available in that area code, and the number of subscribers.
  • FIG. 9 (B) shows an access control device (AAA/ACS) having both AAA and ACS functions.
  • The AAA/ACS is specified as a device including a user authentication function 19, a message processing unit 20, a protocol control unit 21, an access control unit 22, and a user/terminal database 23.
  • The message processing unit 20 corresponds to the ACS message processing unit 14 and the ACP transmission unit 16 shown in FIG. 9 (A). Also, the protocol control unit 21 and the access control unit 22 correspond to the ACP generation unit 15 and the ACP transmission unit 16 shown in FIG. 9 (A).
  • The user/terminal database 23 corresponds to the ACP-DB 17 and the heterogeneous access line cooperation information database 18 shown in FIG. 9 (A).
  • As an example, the PAL is a third-generation mobile phone network (for example, a W-CDMA network) and the SAL is an IEEE 802.11b network.
  • FIG. 11 is a flowchart showing the processing of AAA and ACS.
  • the AAA receives an authentication request message (including the SAL authentication information) from the MH (step S001).
  • the AAA user authentication unit extracts authentication information from the authentication request message and performs an authentication process (S002).
  • The access line information extraction unit extracts the access line information to be authenticated from the authentication request message (S003), and the ACS message control unit generates an ACS request message including the extracted access line information and sends it to the ACS.
  • The ACS request message is received by the ACS message processing unit of the ACS and passed to the ACP generation unit.
  • The ACP generation unit references the ACP-DB and the heterogeneous access line cooperation information database using the access line information included in the ACS request message and determines, based on predetermined conditions such as the user's location and the usage conditions of the user's subscription contract (the contents defined in the ACP), whether the user can access the SAL (SAL availability) (S004).
  • If the ACP generation unit can permit the MH to use the SAL, the ACP transmission unit generates an ACP-V for each of the PAL and the SAL (S005) and generates an ACS response message including the generated ACP-Vs. At this time, the selection criteria for the access line according to the service content specified in the ACP-V can also be described in the ACP-V.
  • the ACS response message is transmitted from the ACS message processing unit to AAA.
  • The access line information extraction unit of the AAA extracts each ACP-V included in the response message.
  • AAA transmits each ACP-V to the corresponding EN, respectively (S006).
  • the user authentication function transmits an authentication response message including the PAL and SAL use permission information to the MH via the PAL (S007).
  • the AAA transmits a message including information for permitting the MH to use the PAL and the SAL to each AP corresponding to the message (S008).
  • the process of transmitting the AC P-V to the EN and the process of transmitting the usage permission information to the AP may be performed on the ACS side.
  • The AAA may perform the authentication process only for the access network (access line) to which the ACS has permitted access. Also, if the ACS determines that access is not possible, the AAA may send an authentication rejection message for that access line to the MH.
  • FIG. 35 is a sequence diagram showing the operation of the access control device (AAA/ACS) shown in FIG. 9 (B).
  • The message processing unit (message receiving unit) 20 receives an authentication request message (see FIG. 7) from the MH (S111) and passes it to the access control unit 22 (S112).
  • The access control unit 22 passes the authentication request message to the user authentication function (authentication server function) 19 (S113). The user authentication function 19 refers to the user/terminal database 23 (S114) and performs the user authentication process (S115). It then returns the result to the access control unit 22 as a user authentication response (S116).
  • The access control unit 22 refers to the ACP (ACP-C, ACP-V) of the user that sent the authentication request message, held in the user/terminal database 23 (S117), and determines whether the user may access the access line (S118).
  • If access is permitted, the access control unit 22 notifies the protocol control unit 21 to that effect (S119). The protocol control unit 21 then generates the access control profile (ACP-V) to be notified to the corresponding EN and the (packet) encryption/decryption key to be used on the access line (S120), and passes the generated ACP-V and the encryption/decryption key to the message processing unit 20 (S121).
  • The message processing unit 20 transmits the ACP-V and the encryption/decryption key to the EN accommodating the permitted access line (S122). Subsequently, the message processing unit 20 generates an authentication response message (see FIG. 31) including the encryption/decryption key and transmits it to the user's terminal (MH) (S123). The authentication response message arrives at the MH via the primary access line (PAL).
  • In the first step (S117), the access control unit 22 refers to item No. 1 "Subscriber identification information" of the ACP-C (see FIG. 3) in the database 23 and confirms from the ACP-C the profile of the user (terminal) that sent the authentication request message.
  • In the second step (S118), if the confirmation in the first step completed normally (the profile and the terminal identification information match), the access control unit 22 refers to item No. 2 "Available access lines" of the ACP-C.
  • For example, it recognizes that PHS (Personal Handy-phone System) and public wireless LAN are available as secondary access lines.
  • In the third step, the access control unit 22 refers to item No. 3 "Selection priority" of the ACP-C and determines the priority of the lines the user wishes to connect to. For example, it recognizes that under the contract the public wireless LAN is the first candidate and PHS the second candidate. However, in the final decision on the line to which the user is allowed to connect (access), the network operator must also confirm that the public wireless LAN access line has free capacity.
  • In the fourth step, for example, if the conditions for judging that the public wireless LAN can be provided to (used by) the user are met, the network grants access by distributing the packet encryption/decryption key for that user to the user (S119-S123). At this time, in S120, the time at which the predetermined access validity period ends, counted from the time of permission, is set in the profile (ACP-V).
  • Usage-based charging is then performed according to a predetermined unit of measurement (access authentication time, packet transmission/reception amount, etc.).
  • the charging system that the carrier has already established for PAL is used for SAL charging without preparing a dedicated charging mechanism for each SAL. This makes it easier to introduce a new access network to the CN and reduces operating costs.
  • the AAA functions as an authentication server and a billing server, and has a function of transmitting MH identification information and billing conditions to an EN that accommodates the SAL during SAL authentication.
  • The charging conditions can include the charging target, the charging unit, and the charging unit price.
  • As charging conditions, for example, MH packet communication using the SAL is specified as the charging target, the amount of packet transmission/reception as the charging unit, and the charge per unit packet amount as the charging unit price.
  • The EN is notified of at least the charging unit among the charging conditions. Packets of a specific protocol can also be designated as the charging target.
  • The EN accommodating the SAL has a function of measuring the amount according to the charging unit (for example, the amount of packet transmission/reception), based on the MH identification information and the charging conditions (at least the charging unit) received from the AAA. Furthermore, the EN accommodating the SAL periodically transmits the measured amount in the charging unit to the AAA as charging information.
• FIG. 12 is a diagram illustrating an operation example of SAL usage-based charging. An operation example will be described with reference to FIGS.
• The AAA transmits, to the EN (EN-2) accommodating the SAL, the identification information of the corresponding MH and information indicating the charging unit (amount of transmitted/received packets) (Fig. 12; (1)). This information can be included in the ACP-V (see Figure 4, “6. Billing conditions”).
• EN-2 identifies the MH using the identification information of the MH received from the AAA and, based on the charging unit information related to that MH, measures the packet transmission/reception amount in the MH's packet communication (FIG. 12; (2)).
  • the edge router counts the amount based on the charging unit such as the amount of packet transmission / reception.
• The condition of the packets to be counted can be determined by the contents set in the ACP-V.
  • FIG. 30 shows an example of the billing information transmitted here.
• The billing information is configured as a record including, for example, user identification information (eg, NAI), the applicable access line type, and the packet transmission/reception amount (eg, number of packets).
  • the AAA has information on the charging conditions (charging target, charging unit, and charging unit price) for the MH.
• The AAA uses the information on the charging unit price to calculate the fee for the MH's use of the SAL.
• The AAA calculates the billing amount by multiplying the number of packets by the billing unit price.
  • the existing charging systems (AAA and EN) prepared for PAL perform charging processing for the use of the access line specified as SAL. Therefore, there is no need to prepare a billing system for SAL separately from PAL in advance.
• The process of transmitting the identification information and the charging condition may be performed by the AAA transmitting to EN-2 the ACP-V for the SAL for the MH user, including the identification information and the charging condition.
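The metering and billing split described above, as an added Python example that is not the patent's own code: the AAA keeps the full charging condition, the SAL EN receives only the MH identity and the charging unit (optionally a protocol filter) in the ACP-V, counts packets and reports records of the FIG. 30 shape, and the AAA multiplies the reported count by the unit price. The class names, NAIs, protocols and prices are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChargingCondition:
    """Charging target, charging unit and charging unit price held by the AAA."""
    target_protocol: Optional[str]  # None: every MH packet over the SAL is charged
    unit: str                       # charging unit; this model meters "packets"
    unit_price: int                 # charge per unit (constructed currency minor units)


@dataclass
class BillingRecord:
    """Charging information the SAL EN reports to the AAA (NAI, line, packet count)."""
    nai: str
    access_line: str
    packet_count: int


class SalEdgeNode:
    """EN accommodating the SAL: counts packets per MH according to the charging
    unit received in the ACP-V and reports the counts periodically."""

    def __init__(self, access_line: str):
        self.access_line = access_line
        self.meters: Dict[str, dict] = {}  # NAI -> {"protocol": ..., "count": n}

    def receive_acp_v(self, nai: str, unit: str, target_protocol: Optional[str]) -> None:
        # The EN only learns the MH identity and the charging unit (plus an
        # optional protocol filter); the unit price never leaves the AAA.
        if unit != "packets":
            raise ValueError("this EN can only meter packet counts")
        self.meters[nai] = {"protocol": target_protocol, "count": 0}

    def observe_packet(self, nai: str, protocol: str) -> None:
        meter = self.meters.get(nai)
        if meter is None:
            return  # no charging condition for this MH: nothing to count
        if meter["protocol"] is None or meter["protocol"] == protocol:
            meter["count"] += 1

    def report(self) -> List[BillingRecord]:
        """Periodic transmission of charging information; counters restart."""
        records = [BillingRecord(nai, self.access_line, m["count"])
                   for nai, m in self.meters.items()]
        for m in self.meters.values():
            m["count"] = 0
        return records


class Aaa:
    """AAA reusing the PAL charging system: pushes conditions to the EN and
    multiplies reported counts by the unit price."""

    def __init__(self):
        self.conditions: Dict[str, ChargingCondition] = {}
        self.charges: Dict[str, int] = defaultdict(int)

    def set_condition(self, nai: str, cond: ChargingCondition) -> None:
        self.conditions[nai] = cond

    def authorize_sal(self, nai: str, en: SalEdgeNode) -> None:
        cond = self.conditions[nai]
        en.receive_acp_v(nai, cond.unit, cond.target_protocol)

    def ingest(self, records: List[BillingRecord]) -> None:
        for r in records:
            self.charges[r.nai] += r.packet_count * self.conditions[r.nai].unit_price


def run_example() -> Dict[str, int]:
    """Two reporting periods over a public wireless LAN SAL (constructed traffic)."""
    aaa, en2 = Aaa(), SalEdgeNode("public-wlan")
    aaa.set_condition("alice@example.net", ChargingCondition(None, "packets", 1))
    aaa.set_condition("bob@example.net", ChargingCondition("rtp", "packets", 5))
    for nai in ("alice@example.net", "bob@example.net"):
        aaa.authorize_sal(nai, en2)
    # period 1: alice 2 packets of any kind; bob 1 rtp (charged) + 1 dns (not charged)
    for nai, proto in [("alice@example.net", "dns"), ("alice@example.net", "http"),
                       ("bob@example.net", "rtp"), ("bob@example.net", "dns")]:
        en2.observe_packet(nai, proto)
    aaa.ingest(en2.report())
    # period 2: alice 2 more packets; bob 1 more rtp; carol has no condition at all
    for nai, proto in [("alice@example.net", "http"), ("alice@example.net", "http"),
                       ("bob@example.net", "rtp"), ("carol@example.net", "http")]:
        en2.observe_packet(nai, proto)
    aaa.ingest(en2.report())
    return dict(aaa.charges)
```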
  • the edge node device is installed at the edge of the CN and performs access control in units of MH in addition to a general router function. At least one edge node device is provided for each access line type. However, it can be deployed in a range of subscriber areas defined by geographical or population density.
• The edge node device generally includes an edge router function, an access control profile delivery message protocol control function (ACS delivery message control function), an access control profile retention storage function (ACS retention storage function), an access authentication information management function, an access filter function, and an individual condition packet transfer function.
• The edge node function is a function that governs the functions that a router generally has (such as packet routing and forwarding).
• The ACS delivery message protocol control function controls the processing related to the message (ACS delivery message) containing the ACS of each MH delivered from the ACS or AAA: it receives the ACS delivery message, analyzes it, and extracts the ACS.
  • the ACS holding and storing function is a storage means for holding the ACS extracted by the ACS sending message protocol control function in the EN for a certain validity period and a management function thereof.
  • the ACS management function manages each ACS in accordance with, for example, an expiration date (eg, deletes an ACS after its expiration date).
  • the access authentication information management function is a function for managing whether access to the MH is enabled or disabled for each MH based on the authentication information (authentication result and the like) transmitted from the AAA.
• The access filter function cooperates with the access authentication information management function and rejects (discards) packets related to the MH if access for the MH is not permitted.
• The individual condition packet transfer function transfers packets of the applicable MH to a predetermined destination in accordance with the packet transfer condition (transition condition) described in the ACS, in cooperation with the ACS holding and storing function.
  • FIG. 13 is a diagram illustrating a configuration example of an edge node device.
  • the edge node device includes a message transmitting / receiving unit 24, a protocol control unit 25, an access control unit 26, and a service information management unit 27. These can be realized by a processor (including a memory) mounted on the edge node device executing a predetermined program.
  • the message transmitting / receiving unit 24 implements an edge node function.
  • the message transmitting / receiving unit 24 manages an individual condition packet transfer function based on information from the service information management unit 27.
  • the protocol control unit 25 implements an ACS delivery message protocol control function.
  • the access control unit 26 implements an access filter function.
  • the service information management unit 27 implements an ACS holding / storing function and an access authentication information management function.
• FIG. 14 is a sequence diagram showing the ACS reception process in the edge node device having the configuration shown in FIG. Fig. 14 describes the case in which a certain MH user moves between an area in which the PAL (for example, a W-CDMA network) can be accessed and an area in which both the PAL and the SAL (for example, an IEEE802.11b network) can be accessed.
• PAL: for example, W-CDMA network
• SAL: for example, IEEE802.11b network
• The AAA or ACSS sends to each edge node device accommodating the PAL and the SAL a message (ACP delivery message) containing the ACP (ACP-V) corresponding to the MH and the access line type.
• The message transmitting/receiving unit 24 receives the ACP delivery message (S011) and passes it to the protocol control unit 25 (S012).
• The protocol control unit 25 analyzes the message, extracts the ACP-V from it, and sets the access control contents (service information) described in the ACP-V in the access control unit 26 and the service information management unit 27. For example, when the access control content is that a packet addressed to the MH received by the PAL EN is to be forwarded to the SAL EN, the protocol control unit 25 sets this in the access control unit 26 and the service information management unit 27.
• The message transmitting/receiving unit 24 refers to the access control contents set in the access control unit 26 and/or the service information management unit 27 and performs the packet processing accordingly (S0115).
  • the message transmitting / receiving unit 24 refers to the access control contents by the access control unit 26 and the service information managed by the service information management unit 27. Based on these, the packet is transferred to the SAL EN, and the SAL EN transfers the packet to the MH via the SAL.
• <8> Access control for roaming from other network operators. A user who subscribes to and uses a mobile host of another carrier may, as a roaming user, use an access line of a network that is compatible with that wireless communication system. As an access authentication method in this case, the access authentication of the roaming mobile host is transferred from the other carrier's network to the authentication device of the own carrier's network, a temporary access control profile dedicated to the roaming user is issued, and use of the access line of the own network is permitted.
  • MH has the following functions.
• A PAL protocol control function: a function to send authentication information (maintained in the MH) not only for itself but also for other coexisting SALs.
  • the network side capability (roaming source) has the following functions.
  • this function transfers the MH access permission notification received from the roaming source to the MH.
• The network side capability (roaming destination) has a function to make the authenticated MH available at the AP accommodating the SAL, based on the authentication result for the SAL received from the roaming source.
• FIG. 15 is a diagram showing an operation example of access control for roaming from another network operator.
  • the contents of the operation example shown in FIG. 15 are as follows.
  • the MH is the MH of the user who has subscribed to another carrier's network (roaming source network).
• When the MH detects, at a location where the PAL and the SAL are available by roaming using the existing method, that it is possible to connect to the SAL, the MH sends the SAL authentication request message via the PAL to the roaming source network (Fig. 15; (1)).
  • the format of the authentication message (see FIGS. 7 and 8) applied in the first and second methods described above can be applied as the authentication request message.
  • the roaming source authentication server senses that the MH can also access the SAL when authenticating the SAL authentication request (FIG. 15; (2)).
  • the roaming source authentication server sends an authentication complete message to the roaming destination network (CN) authentication server (AAA) (Fig. 15; (3)).
• CN: roaming destination network
• AAA: authentication server
• The message format shown in Fig. 31 can be applied as the message requesting access permission.
  • the message may include an encryption / decryption key between the terminal and the access point.
  • the roaming destination AAA sends a message requesting access permission of the corresponding MH to the EN and AP accommodating the SAL (Fig. 15; (4)).
• The roaming destination AAA notifies the roaming source authentication server that the SAL has been authenticated (Fig. 15; (5)), and the roaming source authentication server responds to the MH via the PAL, by an authentication response message, that the SAL has been authenticated (Fig. 15; (6)). Thereafter, the MH can perform communication using the SAL (Fig. 15; (7)).
  • the authentication service control device determines and permits the access line to be connected from the contents of the access control profile for the user to be authenticated and the state of the network, and notifies the user of this.
  • the access line to be connected is selected based on the priority of coordination of multiple access lines (variable depending on time, location, etc.).
  • the ACS is a part of the authentication server or a device that cooperates with the authentication server, and has a function of selecting an access line to be assigned to the user (MH).
  • the access line selection logic executed in the ACS will be described.
  • This case corresponds to the case where the authentication session does not exist (the latest authentication session has expired) at the time when the MH sends the authentication request message (at the time of sending the registration request for the mobile host).
  • AAA sends an access line selection request (ACS request message) to ACS.
  • the ACS references the ACP for the user, drawn from the ACP-DB in conjunction with the MH's authentication procedure.
• The network status is transmitted to the ACS together with the communication status (communication parameters), such as the received radio wave intensity of the MH, which is sent from the MH in the authentication procedure; both can be used as parameters of the access line selection logic in the ACS.
  • the ACS selects the destination access line based on the ACP (and communication parameters).
• The ACS first determines the destination access line from the ACP, and then refers to the communication parameters as necessary.
• The generated ACP-V is delivered to the corresponding edge node (EN) by a profile delivery message and used for access control.
• The ACS also delivers the corresponding ACP-V to the EN accommodating the PAL.
• The control state (operating state) in the ACP-V at this time is the “blocked state”, that is, it indicates that the EN of the PAL is not used for data transfer of the corresponding MH at this time.
• The ACP-V is distributed by a profile delivery message to the EN that houses the source access line.
• The “operating state” of the ACP-V for the transfer source is “forwarding”. This is because packets to the mobile host which passed through the source edge node before the migration are transferred to the destination edge node, so that they are delivered to the mobile host now accommodated in the destination access line.
  • This case corresponds to the case where the MH has an authentication session before expiration of the validity period and is already using some access line.
• The ACS in the CN detects (selects) the transition of the access line for the MH under certain conditions. This operates as a periodic monitoring program in the ACS. However, at this point the latest state of the MH is not known, so the ACS detects the destination access line only as a candidate for the migration destination.
  • the ACS waits for the arrival of the next authentication request message among the periodic authentication request messages of the MH.
  • the communication status (received radio field strength, etc.) of both the PAL and SAL related to the MH at this time is incorporated as a parameter in the authentication request message, and reaches the AAA.
• The AAA extracts the MH communication state parameters and sends them to the ACS.
• The ACS receiving the MH communication state parameters uses them to determine whether the previously detected migration destination candidate is available. If the migration is possible (for example, the area code of the selected destination access line matches the MH location information), the AAA notifies the MH of the access line migration instruction (including the destination access line type) in the authentication response message.
• Upon receiving the authentication response message for the periodic registration, the MH recognizes that an access line transfer has been instructed. The protocol control function in the MH therefore switches the valid access line to the migration destination access line included in the authentication response message. As a result, communication on the destination access line becomes possible thereafter.
• The corresponding ACP-V is distributed by profile delivery message to the EN accommodating the destination access line selected by the ACS and to the EN accommodating the source access line.
• The “operating state” of the ACP-V delivered to the source EN is the “forwarding” state. This is so that packets to the MH which passed through that EN before the transfer of the access line are forwarded to the destination EN and reach the MH currently accommodated in the destination access line.
• FIG. 16 is a diagram showing an example of the control procedure in this section.
  • FIGS. 17 and 18 are flowcharts showing an access network selection mechanism.
  • the AAA receives the authentication request message from the MH (S021), and performs a normal authentication process (user authentication message process; S022). In order to determine the access network (access line type) to be permitted to use, it requests the ACS to determine the access line type.
• The AAA extracts the ACP-C prepared for each MH from the ACP-DB (S023).
• If the ACP-C is obtained (S024; YES), the AAA adds the mobile host information (communication state parameters such as the radio wave state) included in the authentication request message sent from the MH to the extracted ACP-C and notifies the ACS. That is, the AAA gives the ACS an access line selection request including the ACP-C, the state of the authentication session, the radio wave condition of the terminal, and the like. If there is no ACP-C (S024; NO), the process proceeds to S025. Thereafter, the AAA waits for a response to the access line selection request from the ACS.
• Upon receiving the response message from the ACS, the AAA updates the authentication session management information (S025) and generates an authentication response message (S026). That is, the AAA sends the access network information included in the response message (access control information including the access network (access line type) assigned to the MH) to the terminal in the authentication response message (S027). Then, the AAA returns to the message waiting state.
• The ACS determines from the communication state parameters included in the request message whether or not an authentication session exists for the MH (S032).
• If an authentication session exists (periodic update) (S032; NO), the ACS has previously generated access authentication information for this MH and holds it in conjunction with the authentication session.
• The ACS retrieves the currently used access line type from the management table (access control management table) in the ACS (S034), compares it with the latest mobile host status (access line in use), and determines the access network (S036).
  • the AAA changes the type of access line being used if necessary.
• This is determined simply by referring to the MH communication status parameters (such as the radio wave status) transmitted from the MH via the AAA.
  • the access line type (access network) is selected or determined (S033).
• The determination processing of S037 is performed, and based on the determination result, the access-network-specific control information (ACP-V) is transmitted to the EN on the determined access network side.
• If the ACS makes a NO determination in S037 (the selected candidate is not a secondary access line), the ACS executes the profile distribution processing for the PAL as the main access line: it generates the ACP-V (S041), generates an access control profile delivery message (S042), and sends it to the corresponding EN (S043).
• If the selected access network is a SAN (SAL) (S037; YES), an ACP-V for the SAL is generated (S038), an access control profile delivery message is generated (S039), and it is sent out to the corresponding EN (S040).
• Profile distribution processing for the main access line (S041 to S043) is also performed, and the ACP-V is also transmitted to the EN on the PAN (PAL) side.
• The content of the operation status indication in this ACP-V is “blocking (non-use) of the relevant line”.
  • an access line selection response (determined access network) is returned to AAA.
  • the ACS stores the AC P-C in the AC P-DB and returns to the message waiting state.
• The ACP-V may be transmitted to the corresponding EN via the AAA.
• The operation after the operation example shown in FIGS. 17 and 18 is as shown in FIG. 16, for example. That is, as shown in FIG. 16, after the authentication by the AAA is completed, the ACP-V is delivered to each EN corresponding to the PAL and the SAL (FIG. 16; (1)).
  • the EN accommodating each of the PAL and the SAL interprets the operation state of the packet with reference to the AC P-V.
  • the EN transfers the packet to the other EN.
  • the destination EN sends the packet received from the source EN to the MH via its own access line (Fig. 16; (2)).
• The MH sends packets to the CN via the access line corresponding to the transfer destination, according to the transfer instruction included in the authentication response message (packets to a host accommodated by the BB of another carrier connected to the CN) (Fig. 16; (3)).
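As an added Python example (not the patent's own code) of the selection and delivery procedure described in this section and in the ACS access line selection logic above: the ACS walks the ACP-C selection priority against the MH's reported radio conditions and the operator's free capacity, issues ACP-Vs with the “in use”, “blocked” and “forwarding” operating states, and the ENs apply them until the access validity period ends. The class and field names, the NAI and the signal and capacity values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCKED, IN_USE, FORWARDING = "blocked", "in_use", "forwarding"
NO_SIGNAL = -999  # constructed sentinel: the MH did not report this line at all


@dataclass
class AcpV:
    """Access-network-specific control profile delivered to one EN."""
    nai: str
    access_line: str           # line accommodated by the EN this profile is for
    state: str                 # BLOCKED, IN_USE or FORWARDING ("operating state")
    expires_at: int            # end of the access validity period (seconds)
    forward_to: Optional[str] = None  # destination line when state is FORWARDING


class AccessControlServer:
    """ACS: picks the access line from the ACP-C selection priority, the
    network status and the MH's communication parameters, then builds ACP-Vs."""

    def __init__(self, acp_db: Dict[str, dict], network_status: Dict[str, int],
                 validity: int = 300):
        self.acp_db = acp_db                  # NAI -> ACP-C (contract contents)
        self.network_status = network_status  # line -> free capacity
        self.sessions: Dict[str, Tuple[str, int]] = {}  # NAI -> (line in use, expiry)
        self.validity = validity

    def select_access_line(self, nai: str, params: dict) -> str:
        acp_c = self.acp_db[nai]
        for line in acp_c["selection_priority"]:  # secondary lines, best first
            if params["rssi"].get(line, NO_SIGNAL) < acp_c["min_rssi"]:
                continue  # MH reports the line as unusable where it is
            if self.network_status.get(line, 0) <= 0:
                continue  # operator side: no free capacity on this line
            return line
        return acp_c["pal"]  # nothing better available: stay on the PAL

    def handle_selection_request(self, nai: str, params: dict, now: int):
        dest = self.select_access_line(nai, params)
        expiry = now + self.validity
        profiles = [AcpV(nai, dest, IN_USE, expiry)]
        session = self.sessions.get(nai)
        pal = self.acp_db[nai]["pal"]
        if session is None or session[1] <= now:
            # case 1, no live session: the PAL EN gets a "blocked" profile
            if dest != pal:
                profiles.append(AcpV(nai, pal, BLOCKED, expiry))
        elif session[0] != dest:
            # case 2, migration: the source EN forwards to the destination EN
            profiles.append(AcpV(nai, session[0], FORWARDING, expiry, forward_to=dest))
        self.sessions[nai] = (dest, expiry)
        return dest, profiles


class EdgeNode:
    """EN: holds ACP-Vs for their validity period, filters and forwards."""

    def __init__(self, access_line: str):
        self.access_line = access_line
        self.profiles: Dict[str, AcpV] = {}

    def receive_acp_v(self, acp_v: AcpV) -> None:
        if acp_v.access_line != self.access_line:
            raise ValueError("profile delivered to the wrong EN")
        self.profiles[acp_v.nai] = acp_v

    def handle_packet(self, nai: str, now: int) -> Tuple[str, Optional[str]]:
        # ACS management function: profiles past their expiry are deleted
        self.profiles = {n: p for n, p in self.profiles.items() if p.expires_at > now}
        p = self.profiles.get(nai)
        if p is None or p.state == BLOCKED:
            return ("drop", None)  # access filter: no permission on this line
        if p.state == FORWARDING:
            return ("forward", p.forward_to)
        return ("deliver", self.access_line)


def run_scenario() -> list:
    """One MH registering on public WLAN, then migrating back to the PDC PAL."""
    nai = "alice@example.net"
    acp_db = {nai: {"pal": "PDC", "selection_priority": ["WLAN", "PHS"], "min_rssi": -65}}
    acs = AccessControlServer(acp_db, {"WLAN": 3, "PHS": 10, "PDC": 100})
    ens = {line: EdgeNode(line) for line in ("PDC", "WLAN", "PHS")}
    trace: List = []

    def register(params: dict, now: int) -> str:
        dest, profiles = acs.handle_selection_request(nai, params, now)
        for p in profiles:
            ens[p.access_line].receive_acp_v(p)  # profile delivery message
        return dest

    trace.append(register({"rssi": {"WLAN": -50, "PDC": -70}}, now=0))
    trace += [ens[line].handle_packet(nai, 10) for line in ("WLAN", "PDC")]
    # periodic re-registration after the WLAN signal has degraded
    trace.append(register({"rssi": {"WLAN": -90, "PDC": -70}}, now=100))
    trace += [ens[line].handle_packet(nai, 110) for line in ("WLAN", "PDC")]
    # after the validity period of the last profile has ended
    trace.append(ens["PDC"].handle_packet(nai, 500))
    return trace
```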
• When the ACP-V is delivered to the EN that houses the SAL, the EN permits data communication via the SAL based on the authentication information previously exchanged between the MH and the network in the PAL authentication procedure for the access line it accommodates.
  • the authentication information of the MH is transmitted to the EN accommodating the SAL.
  • This authentication information is included in the AC P-V.
  • the EN Upon receiving the authentication information, the EN recognizes the contents of the AC P-V and performs an operation of permitting access with respect to the MH.
  • This permissible procedure corresponds to, for example, an operation of registering the MAC address of a registered MH in the case of a wireless LAN access point.
  • the received authentication information is notified to the SAL protocol control device, and when it is received, the state becomes the same as the completion of various authentication procedures on the normal access line.
• The AAA has an authentication information generation function.
• The authentication information generation function generates the authentication information for the SAL after the validity of the MH itself for the SAL has been guaranteed in the authentication procedure using the MH's PAL.
• The delivery function delivers the authentication information of the SAL whose use is about to start (migrating from the migration source) to the MH by the authentication procedure using the PAL (transmission of the authentication response message via the PAL).
  • the MH has a function of extracting authentication information.
• The MH that has received the authentication information extracts the authentication information (for example, a packet encryption key) related to the SAL included in the authentication response message, and notifies the SAL protocol control function inside the MH of the extracted authentication information.
  • the protocol control function of the SAL in the MH that has received the notification of the authentication information stores the authentication information and uses it in the subsequent data communication.
  • the EN has a function to release access restrictions on the network side.
• The authentication information generated by the ACS is delivered by an access control information delivery message (the message for delivery of the ACP-V) to the EN that accommodates the SAL on which the MH wants to start communication.
• The EN that received this message extracts and holds the authentication information of the SAL and, based on this authentication information, performs forwarding control so as to pass the packets transmitted from the MH to the SAL.
  • FIG. 19 is a diagram illustrating an operation example according to the access permission procedure.
  • the contents of the access permission procedure shown in Figure 19 are as follows.
  • the AAA sends an authentication completion message (authentication confirmation message) to the AP accommodating the MH.
  • This authentication completion message includes the SAL use permission information (for example, information such as the encryption key between the MH and the AP) (Fig. 19; (1)).
• SAL use permission information: for example, information such as the encryption key between the MH and the AP
  • an authentication completion message having a format as shown in FIG. 33 can be applied.
• The AAA sends an authentication confirmation (authentication response) message to the corresponding MH via the PAL.
  • This authentication confirmation message includes the SAL use permission information (for example, information such as the encryption key between the mobile host and the access point) (Fig. 19; (2)).
• SAL use permission information: for example, information such as the encryption key between the mobile host and the access point
• Message formats as shown in FIGS. 31 and 32 can be applied.
  • the MH can perform secure communication via the SAL using the use permission information (encryption key, etc.) distributed to the MH and the AP (FIG. 19; (3)).
• When the MH moves between heterogeneous access lines, there may be differences in the characteristics (for example, line speed) of the access network before and after the move, depending on the judgment of the ACS in the CN. For example, suppose that an MH using the public wireless LAN service has, by physical movement, moved out of the area where the public wireless LAN service is provided into an area where only the PDC is provided.
• The ACS recognizes this. With regard to the quality of the application used on the access network, the priority of the quality content is specified in advance, and an ACP-V including content that maintains the high-priority quality items as far as possible is delivered to the destination EN.
• In the access line switching procedure, the ACS compares the control content of the destination access line type with that of the current (source) access line, extracts the items for which quality maintenance is prioritized for the user (based on the contract conditions), generates an ACP-V for the destination line with contents (parameters) that maintain quality for these items regardless of the line transfer, and delivers it to the EN that houses the destination access line.
• The destination EN performs control of the access line to which the MH is transferred, for the relevant MH, based on the specified priority items and parameters described in the ACP-V.
  • FIG. 20 is an explanatory diagram of an operation example according to a control procedure of service continuation cooperation between access lines.
  • the contents of the operation example shown in FIG. 20 are as follows.
• The ACS transmits an ACP-V (service information) containing the access control contents to the EN (old EN) that accommodates the source access line and to the EN (new EN) that accommodates the destination access line (FIG. 20; (1)).
• The AAA can transmit an access permission request message having a format as shown in Fig. 33 to each EN. If a packet addressed to the MH reaches the old EN, the old EN forwards the packet to the new EN according to the contents of the ACP-V (service information) (Fig. 20; (2)).
• The old EN notifies the applicable MH that the service content of the packets addressed to the relevant MH differs from the content described in the ACP-V (Fig. 20; (3)). At this time, the old EN can notify the MH using the message format shown in Figure 33.
  • the corresponding MH requests the correspondent node (CN: Correspondent Node) to change the setting of the transmission packet as needed (Fig. 20; (4)).
  • the MH transmits an application-dependent message to the other node such that a request message according to the protocol of the application (eg, streaming) to be applied is transmitted.
• A case in which the network access control system detects the movement of the mobile host on the network side and can set up the connection to the destination will be described.
• The ACS in the CN distributes the ACP-V generated for the MH to the migration destination EN. This makes it possible to distribute the ACP-V faster than when the ACP-V is generated for the first time.
• Switching method 1 (switching of access lines depending on the state of peripheral network resources; Figs. 21 and 22)
• The network access control system can switch and shift access lines based on the resource status, which depends on traffic conditions in the network. For example, when the MH is performing data communication using a PDC network as an access line, the voice circuit-switching network in the PDC network may be temporarily congested (due to special events such as the year-end). In such a case, call switching is generally performed on the exchange side. Similarly, the EN that accommodates each access line monitors the status of the traffic and, when it exceeds a certain threshold value, asks the ACS to initiate a line transfer.
  • the ACS receiving this request selects a transferable MH according to the line transfer logic, and switches the access line for this MH.
  • FIG. 21 is a table showing an example of a switching occurrence request message.
• Message No. 1 in Fig. 21 is a request message sent from the EN to the ACS to request movement to another access network. Because the access network accommodated by the EN is congested, it includes a request to transfer MHs to another access network.
• Message No. 2 is a request message sent from the EN to the ACS to notify that MHs can be moved from another access network. It indicates that, because the access network (traffic) accommodated by the EN has room, MHs contained in another access network can be transferred to its own access network.
  • FIG. 22 is a diagram showing an operation example according to a control procedure for switching access lines in this section.
  • the contents of the operation example shown in FIG. 22 are as follows.
• The EN that accommodates the MH via the SAL monitors the status of the SAL, and when the SAL status exceeds a certain threshold (for example, the threshold for the number of access lines), it notifies the AAA/ACS to that effect (Fig. 22; (1)). At this time, the EN can be configured to transmit a message having a format as shown in FIG. The fact that the threshold value has been exceeded is set in a field such as the service information.
• a certain threshold: for example, the threshold for the number of access lines
• The AAA/ACS searches among the MHs accommodated in the EN for an MH that is also accommodated in another EN (the MH accommodated in the EN corresponding to the PAN as shown in Fig. 22). Then, the corresponding MH is notified to switch the access line (Fig. 22; (2)). At this time, for example, a message as shown in FIG. 33 can be applied.
• The AAA/ACS notifies the EN that accommodates the access line before switching (old EN: EN-2 in Fig. 22) of an ACP-V for transferring packets addressed to the MH to the EN that accommodates the access line after switching (new EN: EN-3 in Fig. 22) (Fig. 22; (3)).
• The message shown in Fig. 33 can be applied.
  • the MH switches the access line.
• As the access line switching method, the first method described above can be applied.
• The SAL of SAN-1 is switched to the SAL of SAN-2.
• The MH uses the switched access line (SAL of SAN-2) (Fig. 22; (4)).
• When the old EN receives a packet addressed to the MH that has switched the access line, it transfers the packet to the new EN (Fig. 22; (5)).
• Switching method 2 (automatic acquisition of an access line based on user contract conditions; Fig. 23)
• For a user (MH) communicating using a certain access line, if another access line specified in this user's ACP becomes available for a predetermined reason (improvement of radio wave conditions, etc.), the network access control system detects the state of this other access line on the network side, automatically seizes the line (permits communication), notifies the user of this, and enables the connection.
• It is assumed that the PAN is a general mobile phone network (such as a PDC) and the SAN is a wireless LAN network constituting a public wireless LAN service. It is also assumed that the PAN is available in almost all areas of the user's activities, whereas the usable areas of the SAN are scattered.
• The network access control system can detect the location of the MH, and the AAA/ACS has a correspondence table between the PAN's cell identification information (area code) and the available locations of the SAN (for example, the locations where the public wireless LAN service can be used), so it can recognize that the location of the MH has moved from an area where only the PAN can be used to an area where both the PAN and the SAN can be used.
  • FIG. 23 is a diagram illustrating an example of a control procedure of the switching method in this section.
  • the contents of the control procedure shown in Fig. 23 are as follows.
  • AAAZAC S notifies the MH that the SAN is available.
  • a message format as shown in FIG. 33 can be applied.
  • the user wants to use SAN it sends an access line switching request to AAA / ACS (Fig. 23; (1)).
  • a message format as shown in FIG. 34 can be applied.
  • the AAAZAC S upon receiving the access line switching request from the MH, recognizes that the user wants to use the SAN, and executes the access authentication procedure of the SAN and the generation process of the AC P-V. Then, the generated AC PV is transmitted to each EN (EN-1 and EN-2) corresponding to PAL and SAL, respectively (Fig. 23; (2)). At this time, the AC P-V is notified by a message as shown in FIG. 33, for example. Thereafter, packets destined for the MH are interpreted by EN-1 and EN-2, respectively. At this time, EN-1 determines that the PAN is not appropriate for packet transfer, and transfers the packet to EN-2.
  • EN-2 determines that the SAN is appropriate for the transfer of the packet, and transmits the packet (including the packet transferred from EN-1) addressed to the MH to the MH via the SAN. Also, the MH sends a packet addressed to the other node via the SAN.
  • The MH on the user side has a function of feeding back its own state, for example the received radio wave condition, to the network side. The network access control system selects and seizes an access line that the MH can use according to this MH state information.
  • In general, the communication speed of wireless LAN devices is higher than that of mobile communication systems such as PDC. The communication speed of the MH is a dominant factor in the throughput of the CN, and it affects the perceived speed of the application executed on the MH.
  • When the network access control system performs a transition between access lines, it decides whether the transfer is possible in consideration of the state of the access line at the transfer destination. Specifically, if the candidate destination access line is congested (heavy load and low throughput, etc.), the transfer is not performed. Conversely, if the currently used access line is congested or its signal condition deteriorates, the MH is shifted to the destination access line.
  • The network access control system also switches the access line when requested by the MH.
  • The MH has a function (communication parameter addition function) for including reception quality data (communication parameters) that the MH itself grasps, such as the radio field intensity in the wireless section, in the PAL authentication request message. In this way the reception quality data can be transmitted to the AAA/ACS of the CN.
  • The AAA/ACS refers to the reception quality data from the MH when deciding which access line to select as the migration destination, and uses it in the selection decision.
  • FIG. 24 is a table showing an example of the communication parameters (mobile host information) held in the MH. As shown in Fig. 24, radio field intensity, throughput, and service area (location) can be applied as communication parameters.
  • FIG. 25 is a diagram showing an example of the control procedure in this section. The control procedure shown in Fig. 25 is as follows.
  • The MH detects that the secondary access line SAL is available, and sends an authentication request for the secondary access line to the authentication server AAA/ACS (Fig. 25; (1)). The message formats shown in FIGS. 7 and 8 can be applied.
  • After the end of authentication, the AAA/ACS transmits an ACP-V corresponding to each of EN-1, which accommodates the PAL, and EN-2, which accommodates the SAL (Fig. 25; (2)). The ACP-V at this time can be transmitted, for example, according to a message format as shown in FIG.
  • The MH can then communicate using the SAL (Fig. 25; (3)).
  • When EN-1 receives a packet addressed to the MH, it forwards this packet to EN-2 according to the contents of the ACP-V.
  • Switching method 4 (automatic switching of access lines depending on the type of application being used; Figs. 26, 27)
  • When an MH currently connected to the network using a specified access line uses an application, this application may require the use of a specific access line as a usage condition. The network access control system detects such a request from the application and, when switching the access line, notifies the MH as needed.
  • Mobile communication systems such as PDC are inferior to wireless LANs in terms of communication speed, but are said to have higher security. Some applications executed on the MH require security more than communication speed, while other applications may require certain network capabilities (bandwidth, etc.) for smooth execution.
  • The network access control system controls access line switching so that, in response to a request from an application, the access line used by the MH can be switched to the access line corresponding to that request.
  • The MH has a function (application request information addition function) that puts information (application request information) indicating the type of access line requested by the application, as recognized by the MH itself, into the PAL authentication request message. In this way the application request information can be transmitted to the AAA/ACS of the CN.
  • The AAA/ACS refers to the application request information when deciding which access line to select as the destination, and uses it to determine the access line.
  • Figure 26 is a table showing examples of the types of applications that want to use a specific access line. As shown in Fig. 26, examples of such applications include password input, credit card number input, streaming, and software download.
  • FIG. 27 is a diagram showing an example of the series of control procedures in this section. The control procedure shown in Fig. 27 is as follows. This is a case in which the application requests the use of the PAN (the application has instructed use of the PAL).
  • The MH sends a PAL authentication request message containing application request information (including at least the PAL access line type) to the AAA/ACS (access line designation) (Fig. 27; (1)).
  • The AAA/ACS sends an ACP-V instructing that only the packets designated by the application pass through the PAL, to EN-1, which accommodates the PAL, and to EN-2, which accommodates the SAL, respectively (Fig. 27; (2)).
  • Packets designated by the application are then transmitted and received using the PAL (Fig. 27; (3)).
  • When a packet designated by the application arrives at EN-2, EN-2 forwards the packet to EN-1, which accommodates the PAL, and the forwarded packet is sent from EN-1 to the MH via the PAL.
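The selection and forwarding logic of switching methods 3 and 4 above, written out as an added example (this is not code from the patent or from Fujitsu). The page gives neither the ACP-V format nor any concrete thresholds, so here an ACP-V is modelled as a mapping from traffic class to the access line that must carry it; the signal and throughput thresholds, the traffic-class names, and the choice of which line each application in Fig. 26 wants are constructed assumptions that follow the page's remark that the PAN is the more secure line and the wireless LAN the faster one.

```python
"""Access line selection at the AAA/ACS and ACP-V forwarding at the edge nodes (ENs).

Added example; not code from the patent. The ACP-V is modelled as a mapping from
traffic class to access line; thresholds and the application-to-line mapping are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LineState:
    """Communication parameters reported by the MH for one access line (cf. FIG. 24)."""
    name: str              # "PAL" or "SAL"
    signal: int            # radio field intensity, constructed 0..100 scale
    throughput_kbps: int
    in_area: bool          # MH is inside the line's service area


# Assumed thresholds below which a candidate line is treated as unusable or congested.
MIN_SIGNAL = 30
MIN_THROUGHPUT_KBPS = 32

# FIG. 26 lists these applications; which line each one wants is an assumption.
APP_LINE_REQUEST = {
    "password_input": "PAL",
    "credit_card_input": "PAL",
    "streaming": "SAL",
    "software_download": "SAL",
}


def usable(line: LineState) -> bool:
    """Switching method 3: a line outside its area, weak, or congested is not a destination."""
    return line.in_area and line.signal >= MIN_SIGNAL and line.throughput_kbps >= MIN_THROUGHPUT_KBPS


def build_acpv(lines: dict[str, LineState], app_requests: dict[str, str]) -> dict[str, str | None]:
    """AAA/ACS decision: traffic class -> access line ("default" covers unclassified packets).

    A class whose requested line is currently unusable maps to None (dropped at the EN)
    rather than silently falling back to another line, so an application's stated
    requirement is never downgraded without a fresh decision.
    """
    good = [name for name, state in lines.items() if usable(state)]
    default = max(good, key=lambda n: lines[n].throughput_kbps) if good else None
    policy: dict[str, str | None] = {"default": default}
    for app, wanted in app_requests.items():
        policy[app] = wanted if wanted in good else None
    return policy


@dataclass
class EdgeNode:
    """EN that accommodates one access line and holds the ACP-V for the MH."""
    name: str
    line: str
    acpv: dict[str, str | None]
    peers: dict[str, EdgeNode] = field(default_factory=dict)   # line -> EN accommodating it

    def deliver(self, traffic_class: str, hops: int = 0) -> tuple[str, str] | None:
        """Return (EN, line) where the packet leaves the core, or None if it is dropped."""
        target = self.acpv.get(traffic_class, self.acpv["default"])
        if target is None or hops > 1:        # hop limit guards against disagreeing ACP-Vs
            return None
        if target == self.line:
            return (self.name, self.line)
        peer = self.peers.get(target)          # e.g. EN-2 forwarding a PAL-only packet to EN-1
        return peer.deliver(traffic_class, hops + 1) if peer else None


def route(policy: dict[str, str | None], arriving_en: str, traffic_class: str) -> tuple[str, str] | None:
    """Build EN-1 (PAL) and EN-2 (SAL) sharing one ACP-V and deliver a packet arriving at arriving_en."""
    en1 = EdgeNode("EN-1", "PAL", policy)
    en2 = EdgeNode("EN-2", "SAL", policy)
    en1.peers["SAL"] = en2
    en2.peers["PAL"] = en1
    return {"EN-1": en1, "EN-2": en2}[arriving_en].deliver(traffic_class)


if __name__ == "__main__":
    # Constructed MH report: strong PAN and a fast wireless LAN, both in range.
    report = {"PAL": LineState("PAL", 80, 64, True), "SAL": LineState("SAL", 70, 5000, True)}
    policy = build_acpv(report, APP_LINE_REQUEST)
    print(policy)
    print(route(policy, "EN-1", "streaming"))        # forwarded to EN-2, leaves via the SAL
    print(route(policy, "EN-2", "password_input"))   # forwarded to EN-1, leaves via the PAL
```

The point a practitioner should take from this is the failure-mode handling: when the wireless LAN report drops below threshold, the default class moves back to the PAL, but a class that explicitly requires the SAL is dropped instead of being moved, and a class that requires the PAL keeps going through EN-1 regardless of which EN the packet reaches first.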
  • A mobile host (MH) will be described as an example of a terminal. FIG. 28 is a diagram illustrating a configuration example of a mobile host MH as an example of a network access terminal.
  • The mobile host can consist of a primary access line (PAL) message transmitting/receiving unit 25, a secondary access line (SAL) message transmitting/receiving unit 26, a protocol control unit 27, and an access means selecting unit 28.
  • The mobile host can send an authentication request message as shown in Figs. 7 and 8 (see section <3>).
  • FIG. 29 is a sequence diagram illustrating an operation example of the mobile host. As an example, the case where the MH moves from an area where only the PAN is available to an area where both the PAN and the SAN are available will be described.
  • The PAL message transmitting/receiving unit 25 and the SAL message transmitting/receiving unit 26 detect that the PAN and the SAN, respectively, can be accessed, and notify the protocol control unit 27 of this (S051, S052).
  • The protocol control unit 27 creates an authentication request message for the SAL (or for the PAL and the SAL) (S053) and passes it to the PAL message transmitting/receiving unit 25 (S054).
  • The PAL message transmitting/receiving unit 25 transmits this authentication request message to the AAA in the CN via the PAN (S055).
  • The PAL message transmitting/receiving unit 25 receives the SAL authentication response message via the PAN (S056) and passes it to the protocol control unit 27 (S057).
  • The protocol control unit 27 extracts the information necessary for the MH to use the SAL (use permission information), such as the packet encryption key included in the authentication response message (S058), and hands it over to the SAL message transmitting/receiving unit 26 (S060).
  • The SAL message transmitting/receiving unit 26 stores and manages the SAL use permission information in a predetermined storage area. The protocol control unit 27 further notifies the access means selection unit 28 that both access means (PAL and SAL) are available (S059).
  • Thereafter, an appropriate access line is selected by the access means selection unit 28, appropriate processing such as encryption is performed using the held key or the like, and packet transmission is performed.
  • For an access line specified by an application, the protocol control unit 27 creates an authentication request message for the specified access line and transmits it from the PAL message transmitting/receiving unit 25 via the PAN. Through this authentication procedure, the network detects that the access line specified by the application is to be used.
  • The PAL message transmitting/receiving unit 25 receives the authentication response for the specified access line via the PAN, and the protocol control unit 27 instructs the access means selecting unit 28 to use the specified access line. In addition, it extracts the use permission information, such as the key included in the authentication response message, and stores it in the message transmitting/receiving unit corresponding to the specified access line.
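The S051 to S060 sequence above, and the abstract's core mechanism (the authentication request for the secondary access line travels over the primary access line, and so does the response), as an added example that is not code from the patent or from Fujitsu. The wire formats of Figs. 7, 8 and 33 are not reproduced: an HMAC over the user id, the requested line and a nonce stands in for the authentication request, a fresh per-line packet key stands in for the "use permission information" in the response, and the user id and shared secret are constructed values. The class and method names are this example's own.

```python
"""Mobile host side of the secondary access line (SAL) bootstrap over the PAL.

Added example; not code from the patent. The authentication proof, the
per-line packet key and the credentials below are constructed stand-ins for
the message formats the page references but does not reproduce.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed credentials (assumption): one shared secret per user at the AAA/ACS.
USER_ID = "user@example.net"
SHARED_SECRET = b"constructed-demo-secret"


def make_proof(secret: bytes, user_id: str, line: str, nonce: str) -> str:
    """Keyed proof of possession bound to the line being requested, so a PAL
    proof cannot be replayed as a SAL proof."""
    return hmac.new(secret, f"{user_id}|{line}|{nonce}".encode(), hashlib.sha256).hexdigest()


@dataclass
class AuthRequest:
    user_id: str
    line: str             # access line the request is FOR: "PAL" or "SAL"
    nonce: str
    proof: str


@dataclass
class AuthResponse:
    line: str
    ok: bool
    use_permission: dict = field(default_factory=dict)   # e.g. the packet encryption key


class AaaAcs:
    """Hypothetical core-network AAA/ACS; every request, PAL or SAL, arrives over the PAL."""

    def __init__(self, secrets_by_user: dict[str, bytes]) -> None:
        self._secrets = secrets_by_user
        self._seen: set[str] = set()          # replayed nonces are rejected

    def handle(self, req: AuthRequest) -> AuthResponse:
        secret = self._secrets.get(req.user_id)
        if secret is None or req.nonce in self._seen:
            return AuthResponse(req.line, False)
        expected = make_proof(secret, req.user_id, req.line, req.nonce)
        if not hmac.compare_digest(expected, req.proof):
            return AuthResponse(req.line, False)
        self._seen.add(req.nonce)
        # Use permission information: a fresh key for packets on the granted line.
        return AuthResponse(req.line, True, {"packet_key": secrets.token_bytes(16)})


class LineUnit:
    """PAL or SAL message transmitting/receiving unit (units 25 and 26 in FIG. 28)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.reachable = False
        self.permission: dict | None = None   # use permission stored at S060

    def protect(self, payload: bytes) -> bytes | None:
        """Keyed tag over an outgoing packet; None until a key has been stored,
        so nothing is sent on a line the network has not yet permitted."""
        if self.permission is None:
            return None
        return hmac.new(self.permission["packet_key"], payload, hashlib.sha256).digest()


class MobileHost:
    def __init__(self, aaa: AaaAcs, user_id: str, secret: bytes) -> None:
        self.units = {"PAL": LineUnit("PAL"), "SAL": LineUnit("SAL")}
        self.aaa, self.user_id, self.secret = aaa, user_id, secret
        self.available: list[str] = []        # lines known to the access means selection unit (28)

    def detect(self, line: str) -> None:      # S051 / S052
        self.units[line].reachable = True

    def authenticate(self, line: str) -> bool:
        """Protocol control unit (27): build the request (S053) and send it over the PAL (S054/S055)."""
        if not self.units["PAL"].reachable or not self.units[line].reachable:
            return False
        nonce = secrets.token_hex(8)
        req = AuthRequest(self.user_id, line, nonce, make_proof(self.secret, self.user_id, line, nonce))
        resp = self.aaa.handle(req)           # the response also comes back over the PAL (S056/S057)
        if not resp.ok:
            return False
        self.units[line].permission = resp.use_permission   # S058 / S060
        if line not in self.available:
            self.available.append(line)       # S059
        return True

    def select_line(self, preferred: str) -> str | None:
        """Access means selection unit (28): preferred line if usable, else the PAL, else nothing."""
        for line in (preferred, "PAL"):
            if line in self.available:
                return line
        return None


if __name__ == "__main__":
    mh = MobileHost(AaaAcs({USER_ID: SHARED_SECRET}), USER_ID, SHARED_SECRET)
    mh.detect("PAL"); mh.detect("SAL")
    print(mh.authenticate("PAL"), mh.authenticate("SAL"), mh.select_line("SAL"))
```

Binding the proof to the requested line and rejecting replayed nonces are the two checks worth keeping from this sketch: the primary line carries the secondary line's credentials, so a response captured on the PAL must not be reusable to obtain a second SAL key, and the SAL unit refuses to transmit until the stored permission exists.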
  • According to the present invention, an access network such as a wireless LAN can be used as an access means to a core network. Further, cooperation between access networks, such as switching of access networks, can be achieved.
  • All users who use the mobile carrier and the existing access network can link with the existing infrastructure network service while ensuring the security of the new access network at low cost. Network resources can be used effectively.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a network access control system comprising: a receiving unit which receives an authentication request message containing an authentication request relating to the use of a secondary access network, sent from a mobile host that can use a core network through a plurality of different types of access networks, including a primary access network and at least one secondary access network, which message arrives at the core network via the primary access network and contains an authentication request relating to the use of the secondary access network; an authentication unit which performs authentication in response to the authentication request for the secondary access network; and a transmitting unit which transmits an authentication response message concerning the secondary access network, which message arrives at the mobile host via the primary access network.
PCT/JP2003/011435 2002-11-13 2003-09-08 Systeme de controle d'acces au reseau WO2004045173A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2004551187A JP4159548B2 (ja) 2002-11-13 2003-09-08 ネットワークアクセス制御システム
US11/075,104 US20050148321A1 (en) 2002-11-13 2005-03-07 Network access control system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2002329820 2002-11-13
JP2002/329820 2002-11-13

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US11/075,104 Continuation US20050148321A1 (en) 2002-11-13 2005-03-07 Network access control system

Publications (1)

Publication Number Publication Date
WO2004045173A1 true WO2004045173A1 (fr) 2004-05-27

Family

ID=32310580

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2003/011435 WO2004045173A1 (fr) 2002-11-13 2003-09-08 Systeme de controle d'acces au reseau

Country Status (2)

Country Link
JP (1) JP4159548B2 (fr)
WO (1) WO2004045173A1 (fr)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006115344A (ja) * 2004-10-15 2006-04-27 Matsushita Electric Ind Co Ltd 無線ネットワークシステム、無線端末収容装置及び通信装置
JP2006304158A (ja) * 2005-04-25 2006-11-02 Nec Corp 仮想閉域網システム、サーバ、ユーザ端末、アクセス方法、プログラム及び記録媒体
JP2006309008A (ja) * 2005-04-28 2006-11-09 Ntt Docomo Inc アクセスシステム、多様アクセスシステム収容装置、認証承認鍵生成装置及びアクセス制御方法
JP2007288550A (ja) * 2006-04-18 2007-11-01 Nakayo Telecommun Inc 無線lanシステム
JP2008011180A (ja) * 2006-06-29 2008-01-17 Nec Corp ネットワーク制御システム、無線通信装置、及びネットワーク制御方法
JP2008547354A (ja) * 2005-06-28 2008-12-25 テレフオンアクチーボラゲット エル エム エリクソン(パブル) 統合通信ネットワークにおけるネットワークアクセスの制御手段及び方法
WO2010071133A1 (fr) * 2008-12-15 2010-06-24 株式会社エヌ・ティ・ティ・ドコモ Procédé de communication mobile, station de base émettrice-réceptrice, contrôleur de réseau de radiocommunication, dispositif de réseau d'infrastructure et dispositif de passerelle
JP2010534953A (ja) * 2007-06-13 2010-11-11 クゥアルコム・インコーポレイテッド モバイルデータパケットネットワークにおけるアカウンティングのための方法及び装置
JP4927939B2 (ja) * 2006-04-14 2012-05-09 クゥアルコム・インコーポレイテッド ホーム・エージェントの自動選択
WO2012164863A1 (fr) * 2011-06-03 2012-12-06 Sony Corporation Appareil de communication sans fil, appareil de traitement d'informations, système de communication et procédé de communication
JP2013258547A (ja) * 2012-06-12 2013-12-26 Hitachi Ltd 移動通信システム、および、移動通信方法
JP2015518682A (ja) * 2012-05-09 2015-07-02 中興通訊股▲ふん▼有限公司Ztecorporation ネットワークアクセス方法および装置
JP2017118243A (ja) * 2015-12-22 2017-06-29 株式会社Kddi総合研究所 認証装置、アクセスポイント、通信装置及びプログラム
JP2018007001A (ja) * 2016-06-30 2018-01-11 エヌ・ティ・ティ・コミュニケーションズ株式会社 通信装置、加入者情報制御サーバ、接続制御方法及びコンピュータプログラム
JP2020099097A (ja) * 2015-08-04 2020-06-25 日本電気株式会社 通信システム、通信装置、通信方法、端末、プログラム

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10307798A (ja) * 1997-05-02 1998-11-17 Nec Corp 負荷分散型認証サーバにおける認証方式
JP2000324551A (ja) * 1999-05-13 2000-11-24 Nippon Telegr & Teleph Corp <Ntt> 無線端末認証方法
JP2001217866A (ja) * 2000-01-31 2001-08-10 Fujitsu Ltd ネットワークシステム

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4689225B2 (ja) * 2004-10-15 2011-05-25 パナソニック株式会社 無線ネットワークシステム、無線端末収容装置及び通信装置
JP2006115344A (ja) * 2004-10-15 2006-04-27 Matsushita Electric Ind Co Ltd 無線ネットワークシステム、無線端末収容装置及び通信装置
JP2006304158A (ja) * 2005-04-25 2006-11-02 Nec Corp 仮想閉域網システム、サーバ、ユーザ端末、アクセス方法、プログラム及び記録媒体
JP2006309008A (ja) * 2005-04-28 2006-11-09 Ntt Docomo Inc アクセスシステム、多様アクセスシステム収容装置、認証承認鍵生成装置及びアクセス制御方法
JP4547296B2 (ja) * 2005-04-28 2010-09-22 株式会社エヌ・ティ・ティ・ドコモ アクセス制御システム及びアクセス制御方法
JP2008547354A (ja) * 2005-06-28 2008-12-25 テレフオンアクチーボラゲット エル エム エリクソン(パブル) 統合通信ネットワークにおけるネットワークアクセスの制御手段及び方法
JP4845962B2 (ja) * 2005-06-28 2011-12-28 テレフオンアクチーボラゲット エル エム エリクソン(パブル) 統合通信ネットワークにおけるネットワークアクセスの制御手段及び方法
JP4927939B2 (ja) * 2006-04-14 2012-05-09 クゥアルコム・インコーポレイテッド ホーム・エージェントの自動選択
JP2007288550A (ja) * 2006-04-18 2007-11-01 Nakayo Telecommun Inc 無線lanシステム
US8929884B2 (en) 2006-06-29 2015-01-06 Nec Corporation Communication network control system, radio communication apparatus, and communication network control method
US8787166B2 (en) 2006-06-29 2014-07-22 Nec Corporation Communication network control system, radio communication apparatus, and communication network control method
JP2008011180A (ja) * 2006-06-29 2008-01-17 Nec Corp ネットワーク制御システム、無線通信装置、及びネットワーク制御方法
US8155620B2 (en) 2007-06-13 2012-04-10 Qualcomm Incorporated Method and apparatus for accounting in a mobile data packet network
JP2010534953A (ja) * 2007-06-13 2010-11-11 クゥアルコム・インコーポレイテッド モバイルデータパケットネットワークにおけるアカウンティングのための方法及び装置
WO2010071133A1 (fr) * 2008-12-15 2010-06-24 株式会社エヌ・ティ・ティ・ドコモ Procédé de communication mobile, station de base émettrice-réceptrice, contrôleur de réseau de radiocommunication, dispositif de réseau d'infrastructure et dispositif de passerelle
CN102246557A (zh) * 2008-12-15 2011-11-16 株式会社Ntt都科摩 移动通信方法、无线基站、无线线路控制站、核心网络装置以及网关装置
WO2012164863A1 (fr) * 2011-06-03 2012-12-06 Sony Corporation Appareil de communication sans fil, appareil de traitement d'informations, système de communication et procédé de communication
US9918347B2 (en) 2011-06-03 2018-03-13 Sony Corporation Wireless communication apparatus, information processing apparatus, communication system, and communication method
US10798763B2 (en) 2011-06-03 2020-10-06 Sony Corporation Wireless communication apparatus, information processing apparatus, communication system, and communication method
JP2015518682A (ja) * 2012-05-09 2015-07-02 中興通訊股▲ふん▼有限公司Ztecorporation ネットワークアクセス方法および装置
JP2013258547A (ja) * 2012-06-12 2013-12-26 Hitachi Ltd 移動通信システム、および、移動通信方法
JP2020099097A (ja) * 2015-08-04 2020-06-25 日本電気株式会社 通信システム、通信装置、通信方法、端末、プログラム
US11743810B2 (en) 2015-08-04 2023-08-29 Nec Corporation Communication system, communication apparatus, communication method, terminal, and non-transitory medium
US12250625B2 (en) 2015-08-04 2025-03-11 Nec Corporation Communication system, communication apparatus, communication method, terminal, and non-transitory medium
JP2017118243A (ja) * 2015-12-22 2017-06-29 株式会社Kddi総合研究所 認証装置、アクセスポイント、通信装置及びプログラム
JP2018007001A (ja) * 2016-06-30 2018-01-11 エヌ・ティ・ティ・コミュニケーションズ株式会社 通信装置、加入者情報制御サーバ、接続制御方法及びコンピュータプログラム

Also Published As

Publication number Publication date
JP4159548B2 (ja) 2008-10-01
JPWO2004045173A1 (ja) 2006-03-16

Similar Documents

Publication Publication Date Title
JP4789918B2 (ja) 異種ネットワークシステム、ネットワークノード、および移動ホスト
RU2323532C2 (ru) Способ взаимодействия во взаимодействующей сети блс для быстрого выбора оборудованием пользователя сети мобильной связи для доступа
US8406756B1 (en) Wireless network load balancing and roaming management system
CN110999344B (zh) 手动漫游和数据使用权
JP4409950B2 (ja) 移動体ネットワーク間のアクセスを切替える方法と装置
EP1588513B1 (fr) Mecanismes de gestion de service qualite umts et ip bases sur des regles dans des reseaux de mobiles ip
US8185127B1 (en) Method and system for allocating network resources for a single user operating multiple devices
JP4138742B2 (ja) セルラーネットワークによって援助された端末のアドホックネットワーク化
US7519036B2 (en) Method of user access authorization in wireless local area network
KR20220066069A (ko) 다중 액세스를 위한 정책 제어
US20050148321A1 (en) Network access control system
CN1894985B (zh) 通信系统中的控制决策
US8184575B2 (en) Packet communication network and subscriber-associated-information delivery controller
JP4166942B2 (ja) 移動無線網用インターネットプロトコルトラフィックフィルタ
CN110366207A (zh) 分类和路由与用户设备相关联的网络流量的系统和方法
JP4159548B2 (ja) ネットワークアクセス制御システム
CA2549112A1 (fr) Procede et systemes pour services de communication selon le protocole internet sans frais
CN104584630A (zh) 根据访问服务的服务质量对通讯网络中的漫游管理
JP4309426B2 (ja) ワイアレスローカルエリアネットワークにおけるユーザー端末のネットワーク選択情報を決定する対話型方法
WO2005004384A1 (fr) Procede de rejet d'alternative pour information de selection de reseau d'un terminal utilisateur dans un reseau local sans fil
US11929907B2 (en) Endpoint assisted selection of routing paths over multiple networks
EP1661313B1 (fr) Procede et appareil permettant de valider l'acces dans un environnement de reseau local sans fil
US20050102424A1 (en) Method for secure access of a WLAN-enabled terminal in a data network and device for carrying out said method
CN104541552A (zh) 根据话费使用情况对通讯网络中漫游的管理
JP6212302B2 (ja) 複数の無線ベアラにアクセスする方法及び装置

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP US

WWE Wipo information: entry into national phase

Ref document number: 2004551187

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 11075104

Country of ref document: US
