JP2015531173A - Network system, authentication device, subnet determination method and program - Google Patents

Abstract

A user can be attributed to an appropriate subnet from among a large number of subnets. A network system is based on a node connected to a plurality of subnets, a subnet to which the terminal has a connection right in response to a connection request from the terminal via the node, and a subnet to which the node is connected. And an authentication device for determining a subnet to be connected to the terminal. [Selection] Figure 1

Description

The present invention is based on the priority claim of Japanese Patent Application: Japanese Patent Application No. 2012-175120 (filed on August 7, 2012), the entire description of which is incorporated herein by reference. Shall.
The present invention relates to a network system, an authentication device, a subnet determination method, and a program, and more particularly, to a network system, an authentication device, a subnet determination method, and a program including a plurality of sub-networks (hereinafter referred to as “subnets”).

  Companies, educational institutions, and the like employ a network configuration in which subnets having several hierarchies are constructed in accordance with the organization configuration. In such a network, for example, a method of determining a subnet to which a terminal should belong is known by using terminal authentication using IEEE 802.1x and RADIUS (Remote Authentication Dial In User Service).

  Non-Patent Documents 1 and 2 propose a technique called OpenFlow. OpenFlow captures communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis. Example 2 of Non-Patent Document 1 includes a virtual virtual area network (VLAN) in combination with an OpenFlow switch and an OpenFlow controller (hereinafter referred to as “controller”) that centrally controls the OpenFlow switch. It is described that a general network can be constructed.

  Further, Patent Document 1 discloses a management system and method for reducing a management burden by making management contents different for a plurality of devices to be managed with respect to a network.

  Patent Document 2 discloses a user terminal connection control method and apparatus capable of limiting the number of sessions that can be connected simultaneously and reducing forced session disconnection.

JP 2003-162510 A JP 2006-148648 A

Nick McKeown and 7 others, “OpenFlow: Enabling Innovation in Campus Networks”, [online], [searched July 13, 2012], Internet <URL: http://www.openflow.org/documents/ openflow-wp-latest.pdf> “OpenFlow Specification” Version 1.1.0 Implemented (Wire Protocol 0x02), [online], [searched July 13, 2012], Internet <URL: http://www.openflow.org/ documents / openflow-spec-v1.1.0.pdf>

  The following analysis is given by the present invention. In a company or an educational institution, a user generally belongs to two or more organizations or groups. For example, an employee of a company is an employee of the company, and also belongs to a business division or department. In addition, students at a school are enrolled students, belong to classes and departments, and in some cases, belong to laboratories, seminars, clubs, and circles. In this case, as a method of connecting to a target subnet, a method of accessing the target subnet via a commonly used subnet or a lowermost subnet is employed.

  However, the access method described above has a problem in that it is necessary to go through a subnet that is interposed from the user to the target subnet, resulting in increased network costs.

  In addition, there may be a method in which the user directly accesses the target subnet each time, but in that case, it is necessary to authenticate in the target subnet, and in many cases, other subnets are required in that state. There is a problem that cannot be connected.

  In short, in the method using IEEE802.1x and RADIUS, a user belongs to one subnet and access is permitted within the range, and the user can be connected to an appropriate subnet from a plurality of subnets. Not.

  In this respect, Example 2 of Non-Patent Document 1 is also the same, and it is only described that the controller manages user authentication and uses user location information to tag traffic.

  Similarly, in Patent Documents 1 and 2, there is no description or suggestion about connecting a user to an appropriate subnet from among a plurality of subnets.

  An object of the present invention is to provide a network system, an authentication device, a subnet determination method, and a program capable of connecting a user to an appropriate subnet from among a large number of subnets.

  According to the first aspect of the present invention, a node connected to a plurality of subnets, a subnet to which the terminal has a connection right in response to a connection request from the terminal via the node, and a subnet to which the node connects And an authentication device that determines a subnet to be connected to the terminal.

  According to the second aspect of the present invention, a connection to a node connected to a plurality of subnets, and a connection request from a terminal via the node, the subnet to which the terminal has a connection right, and the node connect An authentication device is provided that determines a subnet to be connected to the terminal based on a subnet to be connected.

  According to a third aspect of the present invention, an authentication apparatus connected to a node connected to a plurality of subnets receives a connection request from a terminal via the node to a subnet to which the terminal has a connection right. In response to the connection request, there is provided a subnet determination method including a step of determining a subnet to be connected to the terminal based on a subnet to which the terminal has a connection right and a subnet to which the node is connected. . This method is linked to a specific machine called an authentication device that determines the attribution of a terminal in response to a connection request from the terminal.

  According to the fourth aspect of the present invention, a computer constituting an authentication apparatus connected to a node connected to a plurality of subnets is requested to connect from the terminal via the node to a subnet to which the terminal has a connection right. And a program for executing a process for determining a subnet to be connected to the terminal based on a subnet to which the terminal has a connection right and a subnet to which the node is connected in response to the connection request. Is done. This program can be recorded on a computer-readable (non-transient) storage medium. That is, the present invention can be embodied as a computer program product.

  According to the present invention, a user can be attributed to an appropriate subnet from among a number of subnets.

It is a figure which shows the structure of the 1st Embodiment of this invention. It is a block diagram which shows the structure of the authentication server of the 1st Embodiment of this invention. It is a figure which shows the example of the entry of the node database (node DB) of the authentication server of the 1st Embodiment of this invention. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of the 1st Embodiment of this invention. It is a sequence diagram showing the flow of the authentication process of the 1st Embodiment of this invention. It is a flowchart showing operation | movement of the authentication server of the 1st Embodiment of this invention. It is a block diagram which shows the modification 1-2 of the authentication server of the 1st Embodiment of this invention. It is a figure which shows the example of the entry of the connection number table of the authentication server of FIG. It is a figure which shows the deformation | transformation structure of the 1st Embodiment of this invention. It is a block diagram which shows the deformation | transformation structure 2 of the authentication server of the 1st Embodiment of this invention. It is a figure which shows the example of the entry of the group database (group DB) of the authentication server of FIG. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of FIG. It is a figure which shows the example of the entry of the node database (node DB) of the authentication server of FIG. It is a figure which shows the structure of the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the authentication server of the 2nd Embodiment of this invention. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of the 2nd Embodiment of this invention. It is a sequence diagram showing the flow of the authentication process of the 2nd Embodiment of this invention. It is another sequence diagram showing the flow of the authentication process of the 2nd Embodiment of this invention. It is a figure which shows the example of the entry of the connection terminal table of the authentication server of the 2nd Embodiment of this invention. It is a flowchart showing operation | movement of the authentication server of the 2nd Embodiment of this invention. It is a block diagram which shows the deformation | transformation structure 1 of the authentication server of the 2nd Embodiment of this invention. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of FIG. It is a block diagram which shows the deformation | transformation structure 2 of the authentication server of the 2nd Embodiment of this invention. It is a figure which shows the example of the entry of the account group database (account group DB) of the authentication server of FIG. It is a block diagram which shows the deformation | transformation structure 3 of the authentication server of the 2nd Embodiment of this invention. It is a figure which shows the structure of the 3rd Embodiment of this invention. It is a block diagram which shows the structure of the authentication server of the 3rd Embodiment of this invention. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of the 3rd Embodiment of this invention. It is a figure which shows the example of the entry of the node database (node DB) of the authentication server of the 3rd Embodiment of this invention. It is a figure which shows the example of the entry of the connection terminal table of the authentication server of the 3rd Embodiment of this invention. It is a figure which shows another example of the entry of the connection terminal table of the authentication server of the 3rd Embodiment of this invention. It is a sequence diagram showing the flow of the authentication process of the 3rd Embodiment of this invention. It is another sequence diagram showing the flow of the authentication process of the 3rd Embodiment of this invention. It is a flowchart showing operation | movement of the authentication server of the 3rd Embodiment of this invention. It is a flowchart showing the detail of the determination process of the affiliation subnet of the authentication server of the 3rd Embodiment of this invention. It is a block diagram which shows the deformation | transformation structure 1 of the authentication server of the 3rd Embodiment of this invention. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of FIG. It is a figure which shows the structure of the 4th Embodiment of this invention. It is a block diagram which shows the structure of the open flow switch (OFS) of the 4th Embodiment of this invention. It is a figure which shows the structure of the flow entry hold | maintained at the open flow switch (OFS) of the 4th Embodiment of this invention. It is a figure which shows the example of the processing content (action) which can be set to the instruction field of the flow entry of FIG. It is a block diagram which shows the structure of the authentication server of the 4th Embodiment of this invention. It is a figure which shows the example of the entry of the authentication database (authentication DB) of the authentication server of the 4th Embodiment of this invention. It is a block diagram which shows the structure of the open flow controller (OFC) of the 4th Embodiment of this invention. It is a figure which shows the example of the entry of the topology database (topology DB) of the OpenFlow controller (OFC) of the 4th Embodiment of this invention. It is a figure which shows the example of the entry of the connecting terminal memory | storage part of the open flow controller (OFC) of the 4th Embodiment of this invention. It is a figure which shows the example of the entry of the subnet database (subnet DB) of the OpenFlow controller (OFC) of the 4th Embodiment of this invention. It is a figure which shows the example of the element information of the entry of the subnet database (subnet DB) of FIG. It is a sequence diagram showing the flow of the authentication process of the 4th Embodiment of this invention. It is a sequence diagram showing the flow of the packet transfer process of the 4th Embodiment of this invention. It is a flowchart showing operation | movement of the open flow switch (OFS) of the 4th Embodiment of this invention. It is a flowchart showing operation | movement of the open flow controller (OFC) of the 4th Embodiment of this invention. It is a block diagram which shows the deformation | transformation structure of the open flow controller (OFC) of the 4th Embodiment of this invention. FIG. 54 is a diagram illustrating an example of entries in a group database (group DB) of the OpenFlow controller (OFC) in FIG. 53. FIG. 54 is a diagram illustrating an example of an entry in a connected terminal storage unit of the OpenFlow controller (OFC) in FIG. 53. It is a figure which shows another example of the entry of the authentication database (authentication DB) of the authentication server of the 4th Embodiment of this invention. It is a figure which shows the 1st specific aspect of this invention. It is a figure which shows the 2nd specific aspect of this invention. It is a block diagram which shows the structure of the open flow controller (OFC) of the 2nd specific aspect of this invention.

  First, an outline of an embodiment of the present invention will be described with reference to the drawings. Note that the reference numerals of the drawings attached to this summary are attached to the respective elements for convenience as an example for facilitating understanding, and are not intended to limit the present invention to the illustrated embodiment.

  In one embodiment of the present invention, a node connected to a plurality of subnets (corresponding to 20 in FIG. 1) and a connection request from a terminal (10 in FIG. 1) via the node (20 in FIG. 1) And an authentication device (corresponding to the authentication server 30 in FIG. 1) that performs the authentication process. More specifically, this authentication apparatus is connected to the terminal (10 in FIG. 1) based on the subnet to which the terminal (10 in FIG. 1) has a connection right and the subnet to which the node (20 in FIG. 1) connects. Determine the subnet to connect to. Note that the subnet to which the terminal (10 in FIG. 1) has a connection right can be acquired based on the result of the authentication process with the terminal (10 in FIG. 1).

  As described above, the terminal can be connected to an appropriate subnet according to the connection right.

[First Embodiment]
Next, a first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 is a diagram showing the configuration of the first exemplary embodiment of the present invention. Referring to FIG. 1, a configuration including a terminal 10, a node 20 to which the terminal 10 is connected, an authentication server 30, and two or more subnets 40A to 40N to which the node 20 is connected is shown. In FIG. 1, the number of terminals 10 and nodes 20 is one, but a plurality of terminals 10 and nodes 20 may be connected.

  The terminal 10 is a device used by a user, such as a computer, a mobile device, a game machine, or a mobile phone.

  The node 20 is a network device such as a network switch, a router, or a wireless access point. The node 20 implements communication between the terminal 10 and the subnets 40A to 40N with reference to a table that stores connection destinations (terminals 10 and subnets 40A to 40N) of the respective ports. In the table or the like, the terminal 10 can be identified by the MAC address. Information about what subnet is connected to each port may be set in the node 20 in advance, or from the management server (not shown) or the like when starting the network system or changing the configuration. You may make it notify.

  The authentication server 30 is a device for terminal or user authentication, such as a RADIUS server, a DIAMETER server that operates according to the DIAMETER protocol, or an LDAP server that operates according to the Lightweight Directory Access Protocol.

  The subnets 40 </ b> A to 40 </ b> N may be networks such as Ethernet (registered trademark), VLAN (Virtual Local Area Network), VPN (Virtual Private Network), optical network, ADSL (Asymmetric Digital Subscriber). Network), 3G network, LTE (UMTS Long Term Evolution), PHS (Personal Handy-phone System) network, wireless LAN, WiMAX (Worldwide Interoperability for Microwaves).

  Note that the node 20 and the authentication server 30 may be directly connected, or may be connected via a subnet or a dedicated network.

  FIG. 2 is a block diagram illustrating a configuration of the authentication server according to the first embodiment of this invention. Referring to FIG. 2, the authentication server 30 of the present embodiment includes a node database (hereinafter referred to as “DB”) 31, an authentication DB 32, an affiliation determination unit 33, an authentication processing unit 34, and an authentication result notification. Part 35.

  The node DB 31 is a database that stores entries that record subnets to which the nodes 20 are connected. FIG. 3 is a diagram illustrating an example of entries in the node DB 31. The node ID is an identifier for uniquely identifying the node. The subnet ID is an identifier for uniquely identifying the subnet. For example, when the node 20 is connected to a plurality of subnets among the subnets 40 </ b> A to 40 </ b> N, the entry of the node 20 records the subnet ID of the subnet connected to the node 20.

  The authentication DB 32 associates information for authenticating the terminal (ID / user name / account name / terminal ID / MAC address, password / passphrase, certificate) with a list of subnets to which the authenticated terminal can be connected. It is a database that stores the entries. FIG. 4 is a diagram illustrating examples (A) to (D) of entries in the authentication DB 32. The user ID in FIG. 4A is an identifier for identifying a user, and may be a user name. The password shown in FIG. 4A is a character string used for user authentication. The terminal ID in (B) of FIG. 4 is an identifier that uniquely identifies the terminal 10. The MAC address in FIG. 4C is the MAC address of the terminal 10. The certificate shown in FIG. 4D is a certificate such as PKI (Public Key Infrastructure) registered in the terminal. The subnet ID is the same as the subnet ID of the node DB 31, and each entry has one or more subnet IDs.

  Next, the operation of this embodiment will be described in detail with reference to the drawings. FIG. 5 is a sequence diagram showing a flow of authentication processing according to the first embodiment of this invention. Referring to FIG. 5, first, the terminal 10 transmits an authentication request (connection request) to the node 20 (S01).

  The node 20 transfers an authentication request (connection request) to the authentication server 30 (S02). The authentication server 30 performs an authentication process. When the authentication is successful, the authentication server 30 determines a subnet to which the terminal belongs, and transmits an authentication response to the terminal 10 via the node 20 (S03, S04).

  The node 20 stores the correspondence between the subnet and the terminal 10 (or the port to which the terminal 10 is connected) in an internal table or the like based on the authentication response from the authentication server 30, and thereafter, the packet from the terminal 10 is stored. To the appropriate subnet.

  Further, in the example of FIG. 5, at the time of authentication, the authentication is completed by exchanging a single round-trip message. However, the message may be exchanged a plurality of times depending on the authentication method employed.

  Here, a procedure for determining a subnet by the authentication server 30 in FIG. 5 will be described. FIG. 6 is a flowchart showing the operation of the authentication server according to the first embodiment of this invention. Referring to FIG. 6, first, upon receiving an authentication request (connection request) from the terminal 10, the authentication processing unit 34 of the authentication server 30 performs an authentication process with reference to the authentication DB 32 (step S101).

  As a result of the authentication processing, if the authentication is successful (Yes in step S102), the affiliation determining unit 33 obtains a list of subnets to which the node 20 that is the source of the authentication request (connection request) is connected from the node DB 31 ( Step S103).

  Next, the affiliation determination unit 33 collates the subnet list obtained in step S103 with the information on the subnet to which the terminal has the connection right acquired by the authentication processing unit 34 from the authentication DB 32, and selects the terminal 10 from those that match. A subnet to be assigned is determined (step S104).

  The authentication result notifying unit 35 transmits a response of authentication success to the terminal 10 via the node 20 with the subnet information determined in step S104 added (step S105).

  As a result of the authentication process in step S101, if the authentication fails (No in step S102), the authentication result notifying unit 35 transmits an authentication failure response to the terminal 10 via the node 20 (step S106). .

  In addition, when there are a large number of subnets to which the terminal 10 should belong in step S104, a method of determining by random numbers or the like from these may be employed.

  As described above, according to the present embodiment, the terminal 10 can belong to a plurality of subnets only through the authentication procedure.

[Modification of First Embodiment]
Subsequently, some variations of the first embodiment will be introduced.
[Modification 1-1 (Using Priority)]
A modification in which a priority is added to the subnet ID for each terminal 10 in the authentication DB 32 of the authentication server 30 is conceivable. Accordingly, in the subnet determination process in step S104 of FIG. 6, the authentication server 30 can select a subnet with a high priority from subnets connected to the node 20. As a method for assigning priority to the subnet ID, there is a method in which the priority ID information field is added to each field, and the subnet ID of each entry is arranged in order of priority. In this way, it is possible to connect the terminal to the subnet in consideration of the priority set for each terminal.

[Modification 1-2 (considering the number of connected terminals)]
FIG. 7 is a block diagram illustrating a further modification of the authentication server according to the first embodiment of this invention. The difference from the configuration of the authentication server shown in FIG. 2 is that a connection number table 36 is added, and the affiliation determination unit also determines the affiliation subnet of the terminal 10 with reference to the connection number table 36.

  FIG. 8 is a diagram illustrating an example of entries in the connection number table 36 of the authentication server 30A in FIG. As shown in FIG. 8, the connection number table 36 is a table for managing the number of connected terminals for each subnet.

  The authentication server 30A in FIG. 7 uses the connection number table for the subnet acquired in step S103 in step S104 in FIG. 6 and the subnet information that can be connected to the terminal acquired by the authentication processing unit 34 from the authentication DB 32. The number of connected terminals is obtained from 36. Then, the authentication server 30A determines a subnet to which the terminal 10 should belong, in consideration of the number of connected terminals, from the subnets that match each other. Further, when the authentication server 30A determines the subnet to which the terminal 10 should belong, the authentication server 30A increases the number of connected terminals in the corresponding subnet in the connection number table 36 by one. When the terminal 10 leaves the node 20, the authentication server 30 </ b> A decreases the number of connected terminals in the subnet to which the corresponding terminal is connected from the connection number table 36 by one.

  An example of a subnet selection rule that takes into account the number of connected terminals is a method of selecting a subnet with the smallest number of connected terminals. In this way, the number of connected terminals between the subnets 40A to 40N can be leveled.

[Modification 1-3 (Considering Subnet Load)]
FIG. 9 is a block diagram showing a further modification of the first embodiment of the present invention. The difference from the overall configuration shown in FIG. 1 is that a load measuring unit 50 is connected to the authentication server 30B.

  9 measures the packet amount or the packet usage rate per unit time for each of the subnets 40A to 40N.

  Then, in step S104 of FIG. 6, the authentication server 30B of FIG. 9 has the number of packets or the packet utilization rate among the subnets 40A to 40N connected to the node 20 based on the measurement result of the load measuring unit 50. The lowest one that can be connected to the terminal 10 is selected. By doing so, it becomes possible to achieve load balancing between the subnets 40A to 40N.

[Modification 1-4 (Introduction of Subnet Group)]
FIG. 10 is a block diagram illustrating a further modification of the authentication server according to the first embodiment of this invention. A difference from the configuration of the authentication server shown in FIG. 2 is that a group DB 37 for managing subnets in units of groups is added, and is referred to when authentication processing or belonging subnets are determined.

  FIG. 11 is a diagram illustrating an example of entries in the group DB 37 of FIG. Referring to FIG. 11, a group ID that is an identifier that uniquely identifies a group is associated with a subnet ID of a subnet that belongs to the group.

  When such a group DB 37 is provided, the authentication DB 32 and the node DB 31 in FIG. 2 can be simplified as follows. FIG. 12 shows an example of an entry in the authentication DB 32, which has a configuration in which a group ID to which the terminal 10 or the user has a connection right is associated instead of one or more subnet IDs. FIG. 13 shows an example of an entry in the node DB 31, which has a configuration in which group IDs of subnets to which the node is connected are associated in place of one or more subnet IDs.

  The authentication server 30C in this configuration uses the authentication DB 32, the node DB 31, and the group DB 37 as described above, and the subnet group to which the terminal 10 can be connected among the groups of subnets 40A to 40N connected to the node 20. Select. By doing in this way, it becomes possible to reduce an administrator's effort regarding the correlation with a node, a terminal, and a subnet. In the example of FIG. 10, the node DB 31 and the authentication DB 32 share the group DB 37. However, the group DB 37 may be used only for one. Also, different group DBs may be provided and used.

  Although the above 1st Embodiment of this invention and its modification were demonstrated, it is also possible to combine each modification. For example, the modification 1-2 or the modification 1-3 and the modification 1-4 may be combined to determine the affiliated subnet in consideration of the number of terminals and the load in units of subnet groups.

[Second Embodiment]
Next, a second embodiment of the present invention that assumes that a priority regarding connection to a subnet is set between terminals will be described. FIG. 14 is a diagram showing the configuration of the second exemplary embodiment of the present invention. Referring to FIG. 14, in the second embodiment of the present invention, two or more terminals 10A to 10M, a node 20 to which the terminals 10A to 10M are connected, an authentication server 60, and two or more to which the node 20 is connected. Subnets 40A to 40N are shown. Since the node 20 and the subnets 40A to 40N are the same as those in the first embodiment, description thereof is omitted. The terminals 10A to 10M are the same as those in the first embodiment except that there are a plurality of terminals. Hereinafter, a description will be given focusing on differences from the first embodiment.

  FIG. 15 is a block diagram illustrating a configuration of the authentication server according to the second embodiment of this invention. Referring to FIG. 15, a node DB 31, an authentication DB 32, an affiliation determination unit 33, an authentication processing unit 34, an authentication result notification unit 35, a connection terminal table 38, and a connection release notification unit 35-2 are provided. The configuration is shown.

  The node DB 31 is the same as the node DB 31 of the authentication server 30 of the first embodiment.

  The authentication DB 32 is substantially the same as the authentication DB 32 of the authentication server 30 of the first embodiment, but has a configuration in which the connection priority of each terminal or each user is added to each entry. FIG. 16 is a diagram illustrating examples (A) to (D) of entries in the authentication DB 32 of the authentication server 60 according to the present embodiment. Each has a configuration in which a “connection priority” field is added to the entry of the authentication DB 32 of the authentication server 30 of the first embodiment shown in FIG.

  Here, “connection priority” will be described. The connection priority is a value indicating the priority when the subject (terminal / user) authenticated by each entry in the authentication DB 32 uses the subnets 40A to 40N. The authentication server 60 according to the present embodiment, when a certain number of users are connected to the subnet, when a user with a high connection priority later requests connection, from among the existing users, the connection priority Select a low-user and disconnect.

  The connection terminal table 38 is a table that records the terminals 10A to 10M connected to the subnets 40A to 40N. FIG. 17 is a diagram illustrating an example of entries in the connection terminal table 38. In the example of FIG. 17, the subnet ID is associated with the connection terminal information of all terminals connected to the subnet. Each connection terminal information includes a node ID indicating a node to which the terminal is connected, terminal information of the terminal (MAC address, certificate, user name, connection port, etc.), and connection priority. Contains.

  Thus, by recording the node ID, the terminal information, and the connection priority in the connection terminal information, it is possible to omit the process of searching for the connection priority, terminal information, and node ID of the terminal during the subnet determination process. Therefore, high-speed processing can be expected.

  In the present embodiment, it is assumed that an upper limit of the number of terminals that can be connected simultaneously is set in each of the subnets 40A to 40N. For example, it is assumed that the authentication server 60 grasps the upper limit of the number of terminals by providing a connection terminal number upper limit field in the connection terminal table 38.

  Next, the operation of this embodiment will be described in detail with reference to the drawings. 18 and 19 are sequence diagrams illustrating the flow of authentication processing according to the second embodiment of this invention. FIG. 18 is a sequence diagram in the case where the number of connected terminals is less than the upper limit of the number of connected terminals. The basic flow is the same as that of the first embodiment shown in FIG.

  FIG. 19 is a sequence diagram when the number of terminal connections in the subnet determined as the connection destination reaches the upper limit as a result of accepting the authentication request (connection request) of the terminal 10A. Specifically, when the authentication server 60 receives an authentication request (connection request) from the terminal 10A via the node 20 (S11 to S12), the authentication server 60 determines a terminal to be disconnected (here, referred to as a terminal 10B). The terminal 10B is disconnected through the node 20 (S13 to S14). On the other hand, the authentication server 60 transmits an authentication response to the terminal 10A via the node 20 (S15 to S16).

  When an authentication request (connection request) is sent from the disconnected terminal 10 (S17 to S18), the authentication server 60 keeps the upper limit on the number of connected terminals in the previous subnet. It is decided to belong to the subnet, and an authentication response is transmitted (S19 to S20).

  Further, the operation of the node 20 during the authentication response transfer and the packet transfer operation after authentication are the same as those of the node 20 of the first embodiment. When the connection release is received from the authentication server 60, the node 20 deletes information related to the corresponding terminal from the storage device or the like, and treats it as an unauthenticated terminal.

  Further, transmission of the connection release notification from the authentication server 60 in S14 of FIG. 19 to the terminal 10B can be omitted. In this case, the node 20 stops the packet transfer to the terminal 10B. On the other hand, as shown in FIG. 19, when the connection cancellation is notified from the node 20 to the terminal 10B, the terminal 10B that has been disconnected can promptly issue an authentication request (connection request). Can be shortened.

  Next, a subnet determination procedure by the authentication server 60 in FIGS. 18 and 19 will be described. FIG. 20 is a flowchart showing the operation of the authentication server 60 according to the second embodiment of this invention. Referring to FIG. 20, upon receiving an authentication request (connection request) from the terminal 10 (hereinafter referred to as “terminal 10” unless specifically distinguished from the terminals 10 </ b> A to 10 </ b> M), authentication processing of the authentication server 60 is performed. The unit 34 performs an authentication process with reference to the authentication DB 32 (step S201).

  As a result of the authentication process in step S201, if the authentication fails (No in step S202), the authentication result notifying unit 35 transmits a response of the authentication failure to the terminal 10 via the node 20 (step S203).

  On the other hand, if the authentication is successful as a result of the authentication process (Yes in step S202), the affiliation determining unit 33 connects from the node DB 31 to a list of subnets to which the node 20 that is the source of the authentication request (connection request) is connected. The priority is obtained (step S204).

  Next, the affiliation determining unit 33 collates the list of subnets acquired in step S204 with the information on the subnets to which the terminal acquired from the authentication DB 32 by the authentication processing unit 34 has a connection right, and selects the terminal 10 from among those that match. A subnet to be assigned is determined (step S205).

  Next, the affiliation determination unit 33 acquires the connection terminal information group of the determined subnet from the connection terminal table 38 (step S206), and confirms whether or not the number of connection terminals of the determined subnet is less than the upper limit ( Step S207).

  As a result of the confirmation, if the number of connected terminals in the determined subnet is less than the upper limit (Yes in step S207), the affiliation determining unit 33 is the terminal that has been successfully authenticated this time as the connected terminal of the corresponding subnet in the connected terminal table 38. Is added (step S211). Then, the authentication result notifying unit 35 transmits a response of authentication success to the terminal 10 via the node 20 with the subnet information determined in step S205 added (step S212).

  On the other hand, as a result of the confirmation, if the number of connected terminals in the determined subnet has reached the upper limit (No in step S207), the affiliation determining unit 33 succeeds in the current authentication among the connected terminals acquired in step S206. It is checked whether there is a terminal having a lower connection priority than the connection priority of the terminal that has been selected (step S208). If there is no corresponding terminal, the process returns to step S205 to select another subnet (No in step S208).

  On the other hand, when there is a terminal having a connection priority lower than the connection priority of the terminal successfully authenticated this time among the terminals connected to the corresponding subnet, the affiliation determination unit 33 cancels the connection from these terminals. A target terminal is selected (step S209), and the connection cancellation of the terminal is notified to the node 20 (step S210). The subsequent operation is the same as when the determined number of connected terminals in the subnet is less than the upper limit (steps S211 and S212). In step S211, the terminal that has been disconnected is replaced with a terminal that is newly connected.

  As in the first embodiment, when there are a large number of subnets to which the terminal 10 should belong in step S205, a method of determining by random numbers or the like from these may be employed.

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, it is possible to determine the belonging subnet in consideration of the connection priority for each terminal. In this embodiment, since there is an upper limit on the number of terminals that can be connected to each subnet, there may be cases where connection to the subnet cannot be made even if the authentication is successful.

[Modification of Second Embodiment]
Subsequently, some variations of the second embodiment will be introduced.
[Modification 2-1 (Introduction of Subnet Group)]
FIG. 21 is a block diagram illustrating a modification of the authentication server according to the second embodiment of this invention. A difference from the configuration of the authentication server 60 shown in FIG. 15 is that a group DB 37 for managing subnets in units of groups is added, and is referred to when authentication processing or belonging subnets are determined.

  The group DB 37 and the node DB 31 are the same as the group DB 37 and the node DB 31 in the modified example 1-4 of the first embodiment (see FIGS. 11 and 13).

  FIG. 22 shows an example of an entry in the authentication DB 32, in which a group ID that the terminal 10 or the user has a connection right is associated with instead of one or more subnet IDs.

  The authentication server 60A in this configuration uses the authentication DB 32, the node DB 31 and the group DB 37 as described above, as in the first to fourth modifications of the first embodiment, and is connected to the node 20. A group of subnets to which the terminal 10 can be connected is selected from the groups 40A to 40N. By doing in this way, it becomes possible to reduce an administrator's effort regarding the correlation with a node, a terminal, and a subnet. In the example of FIG. 21, the group DB 37 is shared by the node DB 31 and the authentication DB 32, but only one of them may use the group DB. Also, different group DBs may be provided and used.

[Modification 2-2 (Management by Connection Priority Group)]
FIG. 23 is a block diagram showing a further modification of the authentication server according to the second embodiment of this invention. The authentication server 60B of FIG. 23 is configured to include an account group DB 39 that manages the connection priority of each terminal 10 in a group unit without providing the “connection priority” field in the authentication DB 32.

  FIG. 24 shows an example of entries in the account group DB 39. In the example of FIG. 24, for each account group, an entry in which a connection priority is associated with an account belonging to the account group is shown. As the account, the user name, terminal name, MAC address, entry main key information, etc. of the authentication DB 32 can be used.

  The authentication server 60B in this configuration acquires the connection priority of the terminal 10 that has been successfully authenticated from the account group DB 39. In this way, it is not necessary to set the connection priority for each account, and simplification of management is realized.

[Modification 2-3 (Combination of Modifications 2-1 and 2-2)]
FIG. 25 is a block diagram showing a further modification of the authentication server according to the second embodiment of this invention. The authentication server 60C of FIG. 25 is configured to include both a group DB 37 and an account group DB 39.

  By doing so, it is possible to simplify both the management of the subnet and the management of the connection priority, similarly to the above-described variants 2-1, 2-2.

[Third Embodiment]
Next, a description will be given of a third embodiment of the present invention in which priority is given to subnets and the belonging subnet is determined in accordance with the connection priority of the user. FIG. 26 is a diagram showing the configuration of the third exemplary embodiment of the present invention. Referring to FIG. 26, in the third embodiment of the present invention, two or more terminals 10A to 10M, a node 20 to which the terminals 10A to 10M are connected, an authentication server 70, and two or more to which the node 20 is connected. Subnets 40A to 40N are shown. Since the terminals 10A to 10M, the node 20, and the subnets 40A to 40N are the same as those in the second embodiment, description thereof is omitted. Hereinafter, the difference from the second embodiment will be mainly described.

  FIG. 27 is a block diagram illustrating a configuration of the authentication server according to the third embodiment of this invention. Referring to FIG. 27, a node DB 31, an authentication DB 32, an affiliation determination unit 33, an authentication processing unit 34, an authentication result notification unit 35, a connection terminal table 38, and a connection release notification unit 35-2 are provided. The configuration is shown. The basic configuration is the same as that of the authentication server 60 of the second embodiment shown in FIG. 15, but in this embodiment, the entry configuration of the node DB 31, the authentication DB 32 and the connection terminal table 38 and the affiliation determination unit 33. The operation is different. These will be described in detail below.

  FIG. 28 is a diagram illustrating examples (A) to (D) of entries in the authentication DB 32 of the authentication server 70 according to the present embodiment. In each configuration, the subnet ID group is omitted from the entry of the authentication DB 32 of the authentication server 60 of the second embodiment shown in FIG.

  FIG. 29 is a diagram illustrating an example of entries in the node DB 31 of the authentication server 70 according to the present embodiment. Unlike the entry of the node DB 31 of the first and second embodiments shown in FIG. 3, not only the subnet ID but also the connection order and permission priority from each node to each subnet can be stored.

  Here, the “connection order” is a value representing the priority when using the subnet from each node, and is determined from the throughput, response time, stability, etc. of the subnet. The higher the connection order, the higher the quality as a network. The “permission priority” is a value for comparison with the connection priority of each entry in the authentication DB 32, and a terminal having a connection priority lower than the permission priority is controlled so that it cannot connect to the subnet.

  The connection order and permission priority are set at the time of node setting, at startup, at the time of configuration change, and the like. Of course, the network administrator may be able to change it according to the load status of the subnet.

  The connection terminal table 38 is a table that records the terminals 10A to 10M connected to the subnets 40A to 40N. As shown in FIG. 30, the basic configuration is the same as the connection terminal table 38 of the second embodiment shown in FIG.

  In the present embodiment, there is also a method of configuring the terminal connection table 38 with entries for each node. FIG. 31 shows an example of an entry in this case. By doing so, the searchability of the connection status in node units is improved.

  Also in this embodiment, it is assumed that the upper limit of the number of terminals that can be connected simultaneously is set in each of the subnets 40A to 40N. For example, it is assumed that the authentication server 70 grasps the upper limit of the number of terminals by providing a connection terminal number upper limit field in the connection terminal table 38.

  Next, the operation of this embodiment will be described in detail with reference to the drawings. 32 and 33 are sequence diagrams showing the flow of authentication processing according to the third embodiment of the present invention. FIG. 32 is a sequence diagram when the number of connected terminals is less than the upper limit of the number of connected terminals, and the basic flow is the same as that of the first embodiment shown in FIG.

  FIG. 33 is a sequence diagram when the number of terminal connections in the subnet determined as the connection destination reaches the upper limit as a result of accepting the authentication request (connection request) of the terminal 10A. Specifically, when the authentication server 70 receives an authentication request (connection request) from the terminal 10A via the node 20 (S11 to S12), the authentication server 70 determines a terminal to be disconnected (herein, the terminal 10B). The terminal 10B is disconnected through the node 20 (S13 to S14). On the other hand, the authentication server 60 transmits an authentication response to the terminal 10A via the node 20 (S15 to S16).

  When an authentication request (connection request) is sent from the disconnected terminal 10B (S17 to S18), the authentication server 70 keeps the upper limit on the number of connected terminals in the previous subnet. It is decided to belong to the subnet, and an authentication response is transmitted (S19 to S20).

  The operation of the node 20 at the time of the authentication response transfer and the packet transfer operation after the authentication are the same as those of the node 20 in the first and second embodiments. When the connection release is received from the authentication server 70, the node 20 deletes the information related to the corresponding terminal from the storage device or the like and treats it as an unauthenticated terminal.

  Moreover, the point which can also omit transmission of the connection cancellation notification with respect to the terminal 10B from the authentication server 70 of S14 of FIG. 33 is the same as that of 2nd Embodiment.

  Next, a subnet determination procedure by the authentication server 70 in FIGS. 32 and 33 will be described. FIG. 34 is a flowchart showing the operation of the authentication server 70 according to the third embodiment of this invention. Referring to FIG. 34, first, upon receiving an authentication request (connection request) from the terminal 10, the authentication processing unit 34 of the authentication server 70 performs an authentication process with reference to the authentication DB 32 (step S301).

  As a result of the authentication process in step S301, if the authentication has failed (No in step S302), the authentication result notifying unit 35 transmits an authentication failure response to the terminal 10 via the node 20 (step S303).

  On the other hand, if the authentication is successful as a result of the authentication process (Yes in step S302), the affiliation determining unit 33 lists from the node DB 31 a list of subnet information to which the source node 20 of the authentication request (connection request) is connected ( (Including the connection priority) (step S304).

  Next, the affiliation determination unit 33 determines the terminal 10 based on the list of subnet information acquired in step S304, the connection priority of the terminal acquired by the authentication processing unit 34 from the authentication DB 32, and the status of each subnet acquired from the connection terminal table 38. Is determined to belong to (step S305).

  Next, the affiliation determining unit 33 checks whether or not the determined number of connected terminals in the subnet is less than the upper limit (step S306).

  As a result of the confirmation, if the number of connected terminals in the determined subnet is less than the upper limit (No in step S306), the affiliation determining unit 33 sets the connected terminal of the corresponding subnet in the connected terminal table 38 as a terminal that has been successfully authenticated this time. Is added (step S309). Then, the authentication result notifying unit 35 transmits, to the terminal 10 via the node 20, a response of authentication success to which the subnet information determined in step S305 is added (step S310).

  On the other hand, if the number of connected terminals in the determined subnet has reached the upper limit as a result of the confirmation (Yes in step S306), the affiliation determining unit 33 selects a connection release target from the connected terminals acquired in step S304. (Step S307), and notifies the node 20 of the disconnection of the terminal (step S308). The subsequent operation is the same as when the number of connected terminals in the determined subnet is less than the upper limit (steps S309 and S310). In step S309, the terminal that has been disconnected is replaced with the terminal that is newly connected.

  Here, the method for determining the subnet to which the terminal 10 should belong in step S305 in FIG. 34 will be described in more detail. FIG. 35 is a flowchart showing details of the determination processing of the subnet to which the authentication server belongs according to the third embodiment of this invention. Referring to FIG. 35, first, the affiliation determining unit 33 selects a subnet whose permission priority is equal to or lower than the connection priority of the terminal 10 from subnets connected to the node 20 (step S401).

  Next, the affiliation determining unit 33 sorts the subnets selected in step S401 in the order of connection order (step S402), and selects the one with the highest connection order as a target (step S403).

  If the subnet selected as the target has not reached the upper limit of the number of connected terminals (Yes in step S404), the affiliation determining unit 33 determines the target subnet as the connected subnet (step S405).

  On the other hand, when the subnet selected as the target has reached the upper limit of the number of connected terminals (No in step S404), the affiliation determining unit 33 determines whether there is a terminal having a connection priority lower than that of the terminal 10 in the subnet selected as the target. That is, it is confirmed whether or not the terminal can be replaced (step S406). Here, if there is no terminal having a connection priority lower than that of the terminal 10 in the subnet selected as the target (No in step S406), the affiliation determining unit 33 selects the next-ranked subnet from the subnets sorted in step S402. (Step S407), the process after step S404 is executed.

  On the other hand, when there is a terminal having a connection priority lower than that of the terminal 10 in the subnet selected as the target (Yes in step S406), the affiliation determination unit 33 determines a terminal having a connection priority lower than that of the connection priority, The subnet selected in S403 or S407 is determined as a connection subnet (step S408).

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, it is possible to determine the belonging subnet in consideration of the connection order of subnets and the connection priority of terminals. Also in this embodiment, since there is an upper limit on the number of terminals that can be connected to each subnet, there may occur a case where connection to the subnet cannot be made even if the authentication is successful.

[Modification of Third Embodiment]
Subsequently, a modification of the third embodiment will be introduced.

[Modification 3-1 (Management by Connection Priority Group)]
FIG. 36 is a block diagram illustrating a modification of the authentication server according to the third embodiment of this invention. The authentication server 70A of FIG. 36 manages the connection priority in units of groups of the terminals 10 without providing the “connection priority” field in the authentication DB 32, as in the modified example 2-2 of the second embodiment. The account group DB 39 is configured.

  FIG. 37 shows an example of an entry in the authentication DB 32 in this modification. In the example of FIG. 37, the authentication DB 32 stores only information for authentication. The other information for each account is acquired from the account group DB 39 illustrated in FIG.

  The authentication server 70A in this configuration acquires the connection priority of the terminal 10 that has been successfully authenticated from the account group DB 39. By doing so, similarly to the modified embodiment 2-2 of the second embodiment, it is not necessary to set the connection priority for each account, thereby simplifying the management.

[Fourth Embodiment]
Subsequently, a fourth embodiment of the present invention will be described in which an optimal subnet is selected using the OpenFlow described in Non-Patent Documents 1 and 2. FIG. 38 is a diagram showing the configuration of the fourth exemplary embodiment of the present invention. Referring to FIG. 38, the fourth embodiment of the present invention relates to a terminal 10, an open flow switch (OFS) 20A to which the terminal 10 is connected, an authentication server 81, an open flow controller (OFC) 82, and an OFS 20A. Two or more subnets 40A to 40N to be connected are shown. In the example of FIG. 38, a host device 83 that is a communication partner of the terminal 10 is connected to the subnet 40A among the subnets 40A to 40N.

  The terminal 10 is the same as the terminal 10 of the first embodiment.

  The OFS 20A is an open flow switch described in Non-Patent Document 1. FIG. 39 is a block diagram showing the configuration of the OFS 20A. Referring to FIG. 39, the OFS 20A includes a flow entry storage unit 22 that holds a flow entry set from the OFC 82, and a packet processing unit 21 that processes a received packet with reference to the flow entry. .

  FIG. 40 is a diagram illustrating an example of a flow entry. The flow entry includes a rule (match condition) field that is matched with the packet header, a flow statistics information field (Counters) that is updated when a packet that conforms to the rule (match condition) is received, and a packet that conforms to the rule (match condition). And an instruction field (Instructions) for storing processing contents (Action) to be applied to.

  FIG. 41 is a table showing action names and action contents defined in Non-Patent Document 2 as an example. OUTPUT is an action for outputting a received packet from a designated port (interface). SET_VLAN_VID to SET_TP_DST are actions for correcting the corresponding field of the packet header.

  The authentication server 81 is a device that authenticates the terminal 10. FIG. 42 is a block diagram showing the configuration of the authentication server 81. As shown in FIG. The authentication server 81 includes an authentication DB 811, an authentication processing unit 812, and an authentication result notification unit 813 corresponding to the authentication DB 32, the authentication processing unit 34, and the authentication result notification unit 35 of the authentication server of the first to third embodiments. ing. The reason why the configuration is simplified compared to the authentication servers of the first to third embodiments is that the OFC 82 that has received the authentication result from the authentication result notifying unit 813 executes the subsequent processing.

  FIG. 43 is a diagram illustrating examples (A) to (D) of entries in the authentication DB 811. Each has the same configuration as the entry in the authentication DB 32 of the authentication server 30 of the first embodiment shown in FIG.

  The OFC 82 is obtained by adding an assigned subnet determination function to the OpenFlow controller of Non-Patent Document 2. In the present embodiment, it is assumed that the subnets 40A to 40N include an OFS equivalent to the OFS 20A. As a result, the entire network can be controlled by the OFC 82. Of course, OFS may not be included in the subnets 40A to 40N. In this case, the corresponding subnet is only excluded from the path control from the OFC 82.

  FIG. 44 is a block diagram showing the configuration of the OFC 82 of the present embodiment. Referring to FIG. 44, the OFC 82 of the present embodiment includes a terminal affiliation determination unit 821 corresponding to the affiliation determination unit 33 of the authentication server of the first to third embodiments, a connection terminal storage unit 822, a topology DB 823, A subnet DB 824, a packet processing unit 825, a route calculation unit 826, and a flow setting unit 827 are provided.

  The topology DB 823 is a database that records connection information of all subnets. FIG. 45 is a diagram illustrating a configuration example of entries in the topology DB 823. The upper part (A) of FIG. 45 is a format for recording a link connecting the OFSs 20A, and includes a pair of DPID (DataPathID) which is an identifier of the OFS 20A and a port number. The lower part (B) of FIG. 45 shows a format when a device such as a terminal or a host device is connected to the end of the port. The DPID which is the identifier of the OFS 20A, the port, and the MAC address of the connected device Consists of. A combination of these entries can describe the connection relationship of all subnets.

  The connection terminal storage unit 822 corresponds to the node DB 31 of the authentication server according to the first to third embodiments, and stores subnets to which the terminal 10 connected to any OFS 20A can be connected.

FIG. 46 is a diagram illustrating an example of entries in the connection terminal storage unit 822. As illustrated in FIG. In the example of FIG.
The DPID of the OFS 20A to which the terminal 10 is connected, the port number, terminal information, the subnet ID of the selected subnet (main subnet ID), and the subnet ID of the subnet to which the terminal can be connected are configured in association with each other. Note that a MAC address or the like can be used as the terminal information in FIG.

  The subnet DB 824 is a database in which elements belonging to the subnets 40A to 40N are recorded. FIG. 47 is a diagram illustrating an example of entries in the subnet DB 824. In the example of FIG. 47, each entry includes a subnet ID for identifying a subnet and element information.

  FIG. 48 is a diagram illustrating an example of element information. As shown in (A) to (C) of FIG. 48, the element information is connected to the pair of the DPID and port number of the OFS connected to the subnet, the MAC address of the device belonging to the subnet, and the subnet (VLAN). It is described by a set of DPID, port number, VLAN Tag, etc.

  When the packet processing unit 825 receives a packet for setting the flow entry from the OFS 20A, the packet processing unit 825 outputs it to the terminal affiliation determining unit 821. When a response is returned from the terminal affiliation determination unit 821, the packet processing unit 825 outputs a packet and a response (affiliation subnet) from the terminal affiliation determination unit 821 to the route calculation unit 826.

  The terminal affiliation determining unit 821 refers to the topology DB 823, the connected terminal storage unit 822, and the subnet DB, determines the subnet to which the terminal 10 that has transmitted the input packet belongs, and responds to the packet processing unit. .

  The route calculation unit 826 refers to the topology DB 823 and the connected terminal storage unit 822, and follows the packet based on the packet for setting the flow entry and the belonging subnet determined by the terminal belonging determination unit 821. Calculate the packet (flow) transfer route. As a route calculation method in the route calculation unit 826, the Dijkstra method can be used.

  The flow setting unit 827 generates a flow entry for causing the OFS on the route calculated by the route calculation unit 826 to perform packet transfer according to the route, and sets it in each OFS. For setting the flow entry to each OFS, the FLOW MOD message of Non-Patent Document 2 can be used.

  Next, the operation of this embodiment will be described in detail with reference to the drawings. FIG. 49 is a sequence diagram illustrating a flow of authentication processing according to the fourth embodiment of this invention. 49, first, when a packet related to the authentication request (connection request) is transmitted from the terminal 10 (S21), the OFS 20A transfers the packet related to the authentication request (connection request) to the OFC 82 (S22). The OFC 82 transfers a packet related to the authentication request (connection request) to the authentication server 81 (S23).

  When the authentication process is completed, the authentication server 81 transmits the result as an authentication response packet to the OFC 82 (S24). The OFC 82 transfers the authentication response packet to the OFS 20A and transmits it to the terminal 10 (S25, S26).

  The other basic flow is only the replacement of the authentication server 30 and the OFC 82 and authentication server 81 in the first embodiment shown in FIG.

  FIG. 50 is a sequence diagram showing the flow of communication processing between the terminal 10 and the host device 83 after the authentication processing. Referring to FIG. 50, when the terminal 10 transmits a communication packet addressed to the host device (S31), the OFS 20A transfers the communication packet to the OFC 82 (S32). The OFC 82 calculates a route for transmitting a communication packet to the host device 83 via the subnet 40A based on the result of the authentication processing, and sets a flow entry in the OFS 20A and the OFS on the route of the subnet 40A (S33, S34). Then, the first communication packet addressed to the host device is transmitted to the OFA of 40A in the subnet and transferred to the host device 83 (S35, S36).

  Thereafter, the packet transmitted from the terminal 10 to the host device is transferred to the host device 83 via the OFS on the path of the OFS 20A and the subnet 40A by the flow entry set in S33 and S34 (S31-2, S32-2, S36-2).

  Subsequently, the operation of the OFS 20A in FIGS. 49 and 50 will be described in detail with reference to the drawings. FIG. 51 is a flowchart showing the operation of the OFS 20A when receiving a packet according to the fourth embodiment of this invention. Referring to FIG. 51, first, when receiving a packet, the OFS 20A searches the flow entry storage unit 22 for a flow entry having a rule (match condition) that matches the received packet (step S501).

  If no flow entry having a rule (match condition) that matches the received packet is found as a result of the search (No in step S502), the OFS 20A transfers the received packet to the OFS 82 to generate (set) a flow entry. ) Is requested (step S503). This operation corresponds to the packet transfer from the OFS 20A to the OFC 82 in S22 in FIG. 49 and S32 in FIG.

  As a result of the search, when a flow entry having a rule (match condition) that matches the received packet is found (Yes in step S502), the OFS 20A executes the processing content (action) described in the instruction field of the flow entry. (Step S504). This operation corresponds to the packet transfer from the OFS 20A to the OFC 82 in S22 in FIG. 49 and S32 in FIG. This operation corresponds to packet transfer from the OFS 20A to the subnet 40A in S32-2 in FIG.

  Next, the operation of the authentication server 81 that has received the packet related to the authentication request (connection request) from the OFC 82 in S23 of FIG. 49 will be described. When the authentication server 81 receives a packet related to the authentication request (connection request), the authentication processing unit 812 searches the authentication DB 811 and performs the authentication process. Specifically, the search is performed from the entry illustrated in FIG. 43 that matches the transmission source of the packet related to the authentication request (connection request).

  As a result of the authentication processing, if an entry that matches the transmission source of the packet related to the authentication request (connection request) is not found and authentication fails, the authentication server 81 authenticates the authentication failure from the authentication result notification unit 813 to the OFC 82. Send a response. On the other hand, if the authentication is successful, the authentication server 81 transmits an authentication response to the OFC 82 from the authentication result notification unit 813 with the subnet ID list of the account included in the searched entry added.

  Subsequently, the operation of the OFC 82 in FIGS. 49 and 50 will be described in detail with reference to the drawings. FIG. 52 is a flowchart showing the operation of the OFC 82 according to the fourth embodiment of this invention. Referring to FIG. 52, first, when a packet is received, the OFC 82 checks whether or not the received packet is a packet related to an authentication request (connection request) (step S601). Here, when the received packet is a packet related to the authentication request (connection request) (Yes in step S601), the OFC 82 transfers the received packet to the authentication server 81. This operation corresponds to the packet transfer from the OFC 82 to the authentication server 81 in S23 of FIG.

  On the other hand, if the received packet is not a packet related to the authentication request (connection request) (No in step S601), the OFC 82 checks whether the received packet is a packet related to the authentication response from the authentication server 81 (step S603). ). If the received packet is a packet related to the authentication response from the authentication server 81, the OFC 82 further confirms whether or not the content of the authentication response is an authentication success (step S604). Here, when the content of the authentication response is an authentication failure, the processing of steps S605 to S607 is omitted.

  If the content of the authentication response is successful, the OFC 82 refers to the topology DB 823 and the subnet DB 824 to determine a connectable subnet from the OFS 20A to which the terminal 10 is connected, and the terminal 10 attached to the authentication response The connectable subnet ID list is matched with the subnet group to which the terminal 10 can be connected (step S605).

  In addition, as subnets connectable from each OFS, those whose DPIDs of the element information of the entries in the subnet DB 824 match each other, and the DPIDs of connectable OFS are recorded as the element information of the entries of the subnet DB 824 by following the link from the topology DB 823. You can choose what is.

  Next, the OFC 82 determines a subnet to which the terminal 10 belongs from the determined subnet group (step S606). Next, the OFC 82 connects the DPID of the OFS 20A to which the terminal 10 is connected, the port number, the terminal information (MAC address), the main subnet ID (subnet ID of the determined belonging subnet), and a list of subnets to which the terminal can be connected. It memorize | stores in the terminal memory | storage part 822 (step S607).

  As described above, when the result of the authentication process is obtained, the OFC 82 transfers an authentication response to the terminal 10 via the OFS 20A (step S608).

  On the other hand, if the received packet is neither a packet related to the authentication request (connection request) nor a packet related to the authentication response from the authentication server 81 (No in step S603), the OFC 82 sends the connection terminal storage unit 822 to the transmission source terminal. An entry, that is, an entry having the DPID of the OFS 20A that is the source of the received packet, the In Port of the packet header, and the source MAC address is searched (step S609).

  As a result of the search, if there is a matching entry, that is, the belonging subnet is determined, the OFC 82 sends the topology DB 823 and the source MAC address, destination MAC address, source IP address, destination IP of the packet header of the received packet. Route calculation is performed using an address or the like (step S611).

  If there is no matching entry as a result of the search, the OFC 82 uses the topology DB 823 and the received packet as starting points for ports belonging to the subnet to which the terminal 10 can be connected (a plurality of ports if there are a plurality of ports) of the OFS 20A. Route calculation is performed using the destination MAC address, destination IP address, etc. of the packet header (step S612).

  Next, the OFC 82 selects the route calculation result with the lowest network cost among the route calculation results starting from each port as the route (step S613). Here, the one with the lowest network cost can be calculated using the number of hops and the response time. Of course, it is also possible to take into account the load status of each subnet.

  When the calculation of the route is completed, the OFC 82 calculates a flow entry to be set in the OFS on the calculated route in the flow setting unit 827 (step S614).

  Next, the OFC 82 sets the calculated flow entry in the flow entry storage unit 22 of each OFS (step S615). This operation corresponds to the flow entry setting process in S33 and S34 of FIG.

  Finally, the OFC 82 transmits the received packet to the OFS at the end of the calculated path, and instructs the destination host device 83 to transmit the received packet from the port connected to the destination of the received packet ( Step S615). This operation corresponds to the packet output instruction in S35 of FIG.

  In step S605, when there are a plurality of subnets to which the terminal 10 should belong, a method of determining from among these using a random number or the like may be employed. Further, when the order of the subnet list is the connection priority, the subnet may be connected to a higher priority subnet.

  In the flowchart of FIG. 52, the subnet to which each OFS can be connected is calculated in step S605. However, a link may be searched for each OFS in advance to calculate a connectable subnet. . In this way, the processing speed can be increased.

  As described above, according to the present embodiment, it is possible not only to determine the belonging subnet but also to perform end-to-end path control.

[Modification of Fourth Embodiment]
Subsequently, a modification of the fourth embodiment will be introduced.

[Modification 4-1 (Introduction of Subnet Group)]
FIG. 53 is a block diagram showing a modified form of the OFC of the fourth embodiment of the present invention. The OFC 82A in FIG. 53 is a point that a group DB 828 for managing subnets in units of groups is added and is referred to when a belonging subnet is determined, similarly to the modified embodiment 1-4 of the first embodiment.

  FIG. 54 is a diagram showing an example of entries in the group DB 828 of FIG. Referring to FIG. 54, a group ID that is an identifier that uniquely identifies a group is associated with a subnet ID of a subnet that belongs to the group.

  Further, in this modification, the entry in the connection terminal recording unit 822 is also simplified as follows. FIG. 55 is a diagram showing an example of entries in the connection terminal recording unit 822 of FIG. In the example of FIG. 55, group IDs are associated instead of subnet ID groups of subnets to which the terminal can connect.

  In this modification, the entry of the authentication DB 811 of the authentication server 81 is also simplified as follows. FIG. 56 is a diagram illustrating an example of an entry in the authentication DB 811 of the authentication server 81 when the group DB 828 is added to the OFC 82A. In the example of FIG. 56, group IDs are associated instead of subnet ID groups of subnets to which the terminal can connect.

  The OFC 82A in this configuration uses the group DB 828 to select a subnet group to which the terminal 10 can be connected from among the subnets 40A to 40N connected to the OFS 20A. By doing in this way, it becomes possible to reduce an administrator's effort regarding the correlation with a node, a terminal, and a subnet.

[Modification 4-2 (Integration of Authentication Server and OFC)]
In the fourth embodiment described above, the authentication server 81 and the OFC 82 are described as being provided independently, but the OFC 82 may be provided with an authentication function. In this way, since communication is not required for authentication, the processing speed can be expected to increase. Of course, the effect of the invention of the fourth embodiment is not impaired.

Finally, some additional embodiments of the present invention are supplemented.
[Modification 5-1 (Providing Node with Authentication Function)]
In the first to third embodiments, authentication is performed by the authentication servers 30, 60, and 70. For example, as shown in FIG. 57, an authentication function (authentication unit 201) equivalent to the authentication server 30 is provided. A configuration using the node 20 </ b> C possessed can also be adopted. According to this configuration, a configuration is considered in which the value of each DB is acquired or set from the authentication information server 90 at a certain time, etc., at the time of installation, configuration change, start-up, value change, etc. It is done.

  In this way, since communication is not required for authentication, an increase in processing speed can be expected, and the authentication server does not become a bottleneck. Furthermore, authentication is possible even when communication with the authentication server is interrupted. Of course, the effects of the inventions of the first to third embodiments are not impaired.

[Modification 5-2 (Intermediate form between Modification 5-1 and the first to third embodiments)]
When communication with the authentication servers 30, 60, and 70 is possible, it is possible to employ a form in which authentication is performed by the authentication servers 30, 60, and 70, and authentication is performed at the node when the communication is interrupted. According to this configuration, when communication with the authentication server is possible, the connection destination can be determined based on the latest and much information. And even if it falls into the state which cannot communicate with an authentication server, it is possible to determine a connection destination.

[Modification 5-3 (Authentication function is realized using OFS and OFC)]
Instead of the nodes (including those with the authentication function) of the first to third embodiments described above, a configuration using OFS and OFC can be employed. FIG. 58 is a diagram showing a configuration in which OFS and OFC are arranged instead of the nodes (including those with an authentication function) of the first to third embodiments.

  FIG. 59 is a diagram showing a detailed configuration of the OFC in the configuration of FIG. In the example of FIG. 59, the OFC 82B includes a connection terminal storage unit 822 that records the MAC address of a terminal that has been authenticated, and a packet processing unit 825. The packet processing unit 825 in FIG. 59, when a packet comes from the OFS, not the authentication-related packet but also the communication packet, when the transmission source MAC address or the destination MAC address of the packet header is the authenticated MAC address Otherwise, the packet is not processed. By doing in this way, it becomes possible to implement | achieve the function equivalent to the node 20C with an authentication function shown to the modification 5-1.

[Other Specific Embodiment 6-1 (Specific Embodiment of Second Embodiment)]
When the configuration of the second embodiment is applied to a hierarchical organization such as a company or a university, there may be a network that can be used throughout the entire company / university, a higher-level department network, and a departmental network as subnets. In such an environment, there are cases where the department network is laid only in an area where the department is located, and the network of the upper department is also laid only in the area where the lower department is located.

  The user has the authority to connect in the order of the department to which the user belongs, the upper department, and the company-wide network, but the convenience of connection is high in the order described.

  More preferably, when the user connects, it is possible to connect to a connectable network based on the region / location of the access point or access point based on the priority of the user, thereby improving user convenience.

  Furthermore, if there is a guest or roaming network, this network needs to be separated from other networks, so it is desirable that the user can select a subnet at the node.

[Other Specific Form 6-2 (Specific Form of Third Embodiment)]
In the third embodiment, the node 20 serving as an access point or switch may be connected to a plurality of subnets having properties different from 3G, WiMAX, PHS, light, and the like. The subnet connection order is determined from the throughput, response time, and stability of these subnets, and the connection priority is determined for the user.

  Based on the connection priority of the user and the connection priority of the subnet, the user is automatically determined which subnet to use.

  For example, it is assumed that users are grouped with government staff, fire department staff, general users, etc., and the priority order of general users is set to the lowest order.

  With this setting, it is possible to perform control such that communication is permitted to general users only when urgent communication is not being performed. When emergency communication is performed, the connected general user is disconnected and connected from a line with a lower connection priority. Alternatively, connection is prohibited.

[Other Specific Form 6-3 (Specific Form of Fourth Embodiment)]
When the configuration of the fourth embodiment is applied to a hierarchical organization such as a company or a university, there may be a network that can be used throughout the entire company / university, a network in a higher department, and a network in a department as subnets. In such an environment, when the OFS 20A can be connected to a department or company-wide network and the user connects the department with priority, the user is connected to the department network.

  When a user accesses a company-wide service, the department network passes through several routers, but the company-wide network can also be used. Therefore, route calculation is performed in all cases. It can also be used directly.

  In addition, each part (processing means) of the authentication server and OFC shown in each of the above-described embodiments is realized by a computer program that causes a computer constituting these devices to execute the above-described processing using the hardware. You can also.

  Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and further modifications, substitutions, and adjustments are possible without departing from the basic technical idea of the present invention. Can be added. For example, the network configuration and the number of nodes (OFS), terminals, and subnets used in each of the above-described embodiments are merely examples, and the number is not limited.

  Further, in each of the above-described embodiments, it has been described that the subnet group to which the terminal has a connection right is acquired from the authentication DB 32 or the like of the authentication server. However, for example, as a result of authentication processing with the terminal, the terminal or its user has It is also possible to adopt a configuration in which role information is acquired and a subnet group to which the terminal has a connection right is acquired from another device (access control device) based on this role information.

Finally, a preferred form of the invention is summarized.
[First embodiment]
(Refer to the network system from the first viewpoint)
[Second form]
In the first form,
The authentication system is a network system that performs an authentication process with the terminal and determines a subnet to which the terminal has a connection right.
[Third embodiment]
In the first or second form,
The terminal is set with a connection priority,
The authentication device
A network system that determines a subnet to be connected to the terminal based on a connection priority of the terminal.
[Fourth form]
In the third form,
Connection order is set for each of the subnets,
The authentication apparatus is a network system that determines a subnet so that a terminal having a high connection priority is connected to a subnet having a high connection order.
[Fifth embodiment]
In the third or fourth form,
The authentication apparatus is a network system that excludes a subnet whose connection order is a predetermined level or higher from connection candidates of terminals whose connection priority is a predetermined level or lower.
[Sixth embodiment]
In any one of the third to fifth embodiments,
Each subnet has an upper limit on the number of connected terminals,
When the authentication device receives a connection request from a terminal having a high connection priority in a state where the number of connection terminals in a certain subnet has reached the upper limit, the authentication apparatus releases the connection of the terminal having a low connection priority from the subnet, and A network system that connects high-priority terminals.
[Seventh form]
In any one of the first to sixth aspects,
The authentication device
A network system for determining a subnet so as to perform communication using a subnet having a low network cost with a communication destination.
[Eighth form]
In any one of the first to seventh embodiments,
Furthermore, a load measuring unit for measuring the load state of each subnet is included,
The authentication device
A network system that excludes a subnet whose load status is a predetermined high load status from connection targets.
[Ninth Embodiment]
In any one of the first to eighth embodiments,
The connection priority is set for each account,
The authentication device
A network system for determining a subnet to be connected to the terminal based on a connection priority corresponding to an account at the time of authentication of the terminal.
[Tenth embodiment]
In any one of the first to ninth embodiments,
Each of the subnets is grouped,
The authentication device
Based on the subnet group to which the terminal has connection rights and the subnet group to which the node connects,
A network system for determining a subnet to be connected to the terminal.
[Eleventh form]
In any one of the first to tenth forms,
A network system in which an authentication function is provided in the node, and a subnet to which the terminal has a connection right is determined based on an authentication result by the node.
[Twelfth embodiment]
(Refer to the authentication device according to the second viewpoint)
[13th form]
(Refer to the subnet determination method from the third viewpoint above)
[14th form]
(Refer to the program from the fourth viewpoint above.)

  Each disclosure of the above-mentioned patent document and non-patent document is incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiments and examples can be changed and adjusted based on the basic technical concept. Further, various combinations or selections of various disclosed elements (including each element of each claim, each element of each embodiment or example, each element of each drawing, etc.) within the scope of the claims of the present invention. Is possible. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea.

10, 10A to 10M terminal 20 node 21 packet processing unit 22 flow entry storage unit 20A OFS
Node with 20C authentication function 30, 30A, 30B, 60, 60A, 60B, 60C, 70, 70A, 81 Authentication server 31 Node database (node DB)
32,811 Authentication database (authentication DB)
33 Affiliation determination unit 34, 812 Authentication processing unit 35, 813 Authentication result notification unit 35-2 Connection release notification unit 36 Connection number table 37, 828 Group database (group DB)
38 connection terminal table 39 account group database (account group DB)
40A to 40N Subnet 50 Load measurement unit 81 Authentication server 82, 82A, 82B OFC
83 Host Device 90 Authentication Information Server 201 Authentication Unit 821 Terminal Affiliation Determination Unit 822 Connected Terminal Storage Unit 823 Topology Database (Topology DB)
824 Subnet database (Subnet DB)
825 packet processing unit 826 route calculation unit 827 flow setting unit

Claims (14)

A node connected to multiple subnets;
In response to a connection request from a terminal via the node, an authentication device that determines a subnet to be connected to the terminal based on a subnet to which the terminal has a connection right and a subnet to which the node is connected;
Including network systems.   The network system according to claim 1, wherein the authentication apparatus performs an authentication process with the terminal to determine a subnet to which the terminal has a connection right. The terminal is set with a connection priority,
The authentication device
The network system according to claim 1 or 2, wherein a subnet to be connected to the terminal is determined based on a connection priority of the terminal. Connection order is set for each of the subnets,
The network system according to claim 3, wherein the authentication apparatus determines a subnet so that a terminal having a high connection priority is connected to a subnet having a high connection order.   The network system according to claim 3 or 4, wherein the authentication device excludes a subnet having a connection order of a predetermined level or higher from connection candidates of terminals having the connection priority of a predetermined level or lower. Each subnet has an upper limit on the number of connected terminals,
When the authentication device receives a connection request from a terminal having a high connection priority in a state where the number of connection terminals in a certain subnet has reached the upper limit, the authentication apparatus releases the connection of the terminal having a low connection priority from the subnet, and The network system according to any one of claims 3 to 5, wherein a terminal having a high priority is connected. The authentication device
The network system according to any one of claims 1 to 6, wherein a subnet to be connected to the terminal is determined so as to perform communication using a subnet having a low network cost with a communication destination. Furthermore, a load measuring unit for measuring the load state of each subnet is included,
The authentication device
The network system according to claim 1, wherein a subnet whose load state is a predetermined high load state is excluded from connection targets. The connection priority is set for each account,
The authentication device
The network system according to claim 1, wherein a subnet to be connected to the terminal is determined based on a connection priority corresponding to an account at the time of authentication of the terminal. Each of the subnets is grouped,
The authentication device
Based on the subnet group to which the terminal has connection rights and the subnet group to which the node connects,
The network system according to claim 1, wherein a subnet to be connected to the terminal is determined.   The network system according to claim 1, wherein an authentication function is provided in the node, and a subnet to which the terminal has a connection right is determined based on an authentication result by the node. Connected to nodes connected to multiple subnets,
In response to a connection request from a terminal via the node, an authentication apparatus that determines a subnet to be connected to the terminal based on a subnet to which the terminal has a connection right and a subnet to which the node is connected. An authentication device connected to a node connected to multiple subnets
Receiving a connection request from a terminal via the node to a subnet to which the terminal has a connection right;
In response to the connection request, the method includes a step of determining a subnet to be connected to the terminal based on a subnet to which the terminal has a connection right and a subnet to which the node is connected. To a computer that configures an authentication device connected to a node connected to multiple subnets,
A process of accepting a connection request from a terminal via the node to a subnet to which the terminal has a connection right;
A program for executing a process of determining a subnet to be connected to the terminal based on a subnet to which the terminal has a connection right and a subnet to which the node is connected in response to the connection request.

Images