JP2006005947A - Receiver, authentication server, method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent a DoS (disturbance of service) attack without great load. <P>SOLUTION: A terminal 103 receives, from an authentication server 102, a connection permission command S203 including port number information and after the connection permission command S203 is received, in response to a connection request from a connection requesting terminal 101, connection is permitted in a port specified by the port number information included in the received connection permission command. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a receiving device, an authentication server, a method, and a program.

  Conventionally, the client is connected to the inside of the firewall and NATed to the private address (Patent Document 1).

Also, the firewall settings were not dynamic.
JP 2002-328887 A

  A high load was required to handle DoS (Denial of Service) attacks.

  The first receiving device of the present invention includes a receiving unit and a changing unit that changes a condition for permitting connection when receiving port number information for identifying a port from an authentication server that authenticates the connection requesting device. To do.

  When the second receiving device of the present invention receives the first signal from the receiving means and the authentication server that authenticates the connection requesting device, the port number included in the first signal after receiving the first signal. It is characterized by having permission means for permitting connection by the second signal received from the connection requesting device at the port specified by the information.

  The third receiving device of the present invention is characterized in that, when port number information specifying a port is received from an authentication server that authenticates the connection request device, the connection is limited according to the received port number information. To do.

  In the first, second, and third receiving apparatuses described above, the port number included in the connection request specifies the application of the receiving apparatus.

  The authentication server of the present invention is an authentication server for authenticating a connection requesting device, and is characterized by notifying a receiving device of port number information for connecting to the connection requesting device.

  According to the present invention, it is possible to prevent a denial of service attack without a large load.

(First embodiment)
FIG. 1 shows an outline of the first embodiment.

  Reference numeral 100 denotes an Internet network which is an example of a network. A connection request terminal (hereinafter abbreviated as “terminal A”) 101 is connected to the Internet network 101. Similarly, an authentication server 102 is connected to the Internet network. The authentication server 102 has an ID and password table 104 in which a pair of an ID and a password corresponding to the ID is stored. Reference numeral 103 denotes a connected terminal (hereinafter abbreviated as “terminal B”), which normally holds the connection port switching device 105 so as to refuse connection from an unspecified part. The connection permission table 106 stores information for permitting connection by the connection port opening / closing device 105 when a connection request is made.

  The connected terminal 103 is a receiving device in the embodiment of the present invention, and the authentication server 102 is a setting device that sets the receiving device 103 via the network 100. The connection request terminal 102 is a connection request device.

  FIG. 2 summarizes the flow of commands and connection procedures exchanged between the connection requesting terminal 101, the authentication server 102, and the connected terminal 103.

  When the connection request terminal 101 that issues the connection request starts communication with the connected terminal, first, an “authentication request command” S201 is issued to the authentication server. The command format and parameters in S201 will be described later.

  If the authentication server 102 fails to authenticate the requested command S201, the authentication server 102 returns a connection non-permission response (NACK) S202. If the authentication request command is authenticated, the authentication server 102 issues a connection permission request command S203 to the connected terminal 103 which is a connected terminal. Similarly, the authentication server 102 returns a connection permission response (ACK) S204 to the connection requesting terminal 101. The order of S203 and S204 may be reversed. In another embodiment, when a response ACK is returned from the connected terminal 103, the authentication server 102 returns a connection permission response (ACK) S204.

  When the connection requesting terminal 101 receives the ACK response of S204, it issues a connection requesting command S205 to the connected terminal 103.

  The connected terminal 103 is set to ignore (or reject) other than a predetermined command from the authentication server 102 during standby. The condition for accepting the received command while the connected terminal 103 is on standby is that the source IP address of the received command is a predetermined IP address. In one embodiment, the source IP address of the received command is a predetermined IP address, and the port number of the connected terminal 103 specified by the received command is a predetermined number. Is the case. When the connection target terminal 103 receives the connection permission request command S203 (predetermined signal) from the authentication server 102 during this standby, the connection target terminal 103 establishes a connection (connection between the connection request terminal 101 and the upper application) according to the command. Allow (or deny). The connection permission request command S203 includes port number information indicating a port number at which the connected terminal 103 receives a connection request from the connection request terminal 101.

  After receiving this port number information, the connected terminal 103 ignores (or rejects) a connection request specifying a port number other than the corresponding port number. In other words, the connected device 103 changes the condition for permitting the connection in accordance with the port number information included in the connection permission command S203. That is, before receiving the connection permission command S203 (predetermined signal), connections from other than the authentication server 102 are rejected. After receiving the connection permission command S203, the port number information included in the connection permission command S203 is used. Connection from the connection request terminal 101 is permitted at the specified port. When the connection request S205 is accepted on the connected terminal 103 side, communication of the upper application is subsequently started in S206. This higher-level application is specified by the port number and the protocol type that received the connection request from the connection request terminal 101. When the upper application communication S206 ends, an end processing command is transmitted in S207. The connected terminal 103 returns to a standby state where it is ignored (or rejected) except for a predetermined command from the authentication server 102.

  That is, the connected device (receiving device) 103 changes the condition for permitting the connection according to the port number information included in the connection permission instruction command S203. After receiving the connection permission instruction command S203, the connection request terminal 101 is permitted to connect at the port specified by the port number information included in the connection permission instruction command S203.

  When receiving the connection permission instruction command (first signal) S203 from the authentication server (first partner) 102, the connected terminal (receiving device) 103 and the connection requesting terminal (second partner) 101 are identified. Allow connection with the port. For example, the connected apparatus 101 sends a connection permission instruction command (first signal) including port information indicating a port permitted to connect to the connection requesting terminal (second partner) 101 to the authentication server (first partner). On the condition that it is received from 102, the connection between the port indicated by the port information and the connection requesting terminal (second partner) is permitted.

  Further, when the connected terminal (reception device) 103 receives the connection permission instruction command S203 (first signal) including the port number information from the authentication server (connection control device) 102, after the reception of the first signal. The connection by the second signal (connection request S205) received from the connection requesting terminal (connection requesting device) 101 is permitted at the port specified by the port number information included in the first signal.

  When the connected terminal (reception device) 103 receives the connection permission instruction command S203 (first signal) including the port number information from the authentication server (connection control device) 102, after receiving the first signal, The connection by the second signal (connection request S205) received from the connection request terminal (connection request device) 101 is permitted based on the first signal and the port number information included in the second signal.

  For example, the connected device 103 implements the functions of this embodiment with the configuration of the computer 900 shown in FIG. A computer 900 includes a CPU 901, a ROM 902, a RAM 903, a hard disk (HD) 907 and a disk controller (DC) 905 of a floppy (registered trademark) disk (FD) 908, and a network interface card (NIC) 906. A configuration in which communication is possible with each other via the network 904 is employed. The network interface card 906 connects the Internet network 100 shown in FIG. 1 to the system bus 904.

  The CPU 901 performs overall control of each component connected to the system bus 904 by executing software stored in the ROM 902 or the HD 907 or software supplied from the FD 908. That is, the CPU 901 reads out a processing program according to the processing sequence described below from the ROM 902, HD 907, or FD 908 and executes it, thereby performing control for realizing the operation in the present embodiment.

  The RAM 903 functions as a main memory or work area for the CPU 901. The DC 905 controls access to the HD 907 and the FD 908 that store a boot program, various applications, an edit file, a user file, a network management program, the following processing program in the present embodiment, and the like. The NIC 906 exchanges data with the terminals 101 and 103 through the Internet 100.

  The network interface card 906 functions as the connection port switching device 105 that normally refuses connections from unspecified places under the control of the CPU 901. The RAM 903 or HD 907 holds a connection permission table 106. When there is a connection request, the CPU 901 refers to the connection permission table 106 and determines connection permission.

  The CPU 901 is a permission unit that permits connection, and changes a condition for permitting connection according to port number information included in the connection permission instruction command S203. That is, the connection request terminal 101 is permitted to connect at the port specified by the port number information.

  Note that the terminal 101 and the authentication server 102 can be configured like the computer 900 shown in FIG.

  The RAM 903 or HD 907 of the authentication server 102 holds the ID / password table 104 shown in FIG.

  FIG. 4 shows a software module configuration of the connection requesting terminal (terminal A) 101.

  An application 301 finally exchanges data with the connected terminal (terminal B). When the application starts to communicate with the connected terminal 103, first, the authentication server communication module 302 requests authentication from the authentication server 102 in FIG. At this time, authentication server address information 303 stored in advance as information of the connection destination authentication server 102 is used. In addition, in order to authenticate the connection requesting terminal 101 by the authentication server 102, self-terminal authentication information 304 stored in advance is used. That is, the authentication request command S201 includes authentication server address information 303 and own terminal authentication information 304. The self-terminal authentication information 304 includes the ID of the connection requesting terminal 101 and a password input with a keyboard (not shown) of the connection requesting terminal 101. All communication is performed through a common communication module 305.

  A connection request terminal 101 that is a connection request apparatus according to the present invention is a connection request apparatus that communicates with a connection target apparatus 103 that is a receiving apparatus and an authentication server 102 that is a setting apparatus via a network 100, and connects the network 100. The port number information for requesting connection to the network interface card 906 as a connection means and the connected terminal 103 as the receiving device is transmitted to the authentication server 102 as the setting device, and the port number corresponding to the port number information is set. The CPU 901 is a transmission unit that transmits a connection request S205 including the connection request S205 to the connection target device 103 that is a reception device.

  The connection request terminal 101 transmits the connection request S205 to the connected device 103 that is the receiving device in response to a response S204 from the authentication server 102 that is the setting device.

  FIG. 5 shows a software module configuration of the authentication server 102.

  The authentication request command S201 from the connection request terminal 101 is processed by the authentication request communication module 402 through the communication module 401. For this authentication, the ID, the ID and password stored in the password table 403, and the own terminal authentication information 304 of the connection requesting terminal 101 included in the authentication request command S201 are used. This ID / password table 403 is the same as the ID / password table 104 of FIG. If authenticated, the connection permission instruction processing module 404 requests the connection permission instruction S203 from the connected terminal 103. Further, the connection permission instruction processing module 404 transmits a connection permission response (ACK) S204 (or a connection non-permission response (NACK) S202) to the connection requesting terminal 101.

  FIG. 6 shows the structure of the ID / password table of 403 (104).

  F411 is an ID field in which an ID for specifying the connection requesting terminal is stored. F412 is a password field corresponding to the ID of F411. This table is registered in the RAM 903 or HD 907 from a keyboard (not shown).

  An authentication server 102 which is a setting device according to an embodiment of the present invention is a setting device for setting the connected terminal 103 which is a receiving device via the network 100, and is a network which is a connection means for connecting the network 100. The CPU 901 is a notification unit that notifies the interface card and port number information for connection to the connection request side 101 to the connected terminal 103 that is a receiving device.

  The authentication server 102 receives the port number information from the connection request side 101 and notifies the port number information received from the connection request side 101 to the connected terminal 103 that is a receiving device.

  In another form, the authentication server 102 determines a port number, notifies the connection request terminal 101 and the connected terminal 103 of port number information representing the determined port number, and connects the connection request terminal 101 and The connected terminal 103 determines the connection request and the connection permission based on the port number information determined and notified by the authentication server 102. The notification of the port number information from the authentication server 102 to the connection requesting terminal 101 is included in, for example, ACK (S202).

  FIG. 7 shows a software module configuration of the connected terminal 103.

  At the time of connection, first, an instruction (predetermined signal) S203 comes from the authentication server (first partner) 102. If this instruction S203 includes a predetermined port number, the authentication of 502 is performed through the communication module 501. Processed by the server communication module. This instruction S203 includes address information of the authentication server 102. The authentication server communication module 502 refers to the authentication server address information 503 to check whether the instruction is forged.

  If it is an instruction from the authentication server (first partner) existing in the authentication server address information 503, the authentication server communication module 502 analyzes the format of the command S203 and sets a value in the connection permission table 504. The value set in the connection permission table 504 is a value for permitting the connection request S205 from the connection requesting terminal 101. The connection request command S201 includes this value, and the connection request terminal 101 includes this value in the connection request S205. Thereafter, when there is a connection request S205 directly from the connection request terminal 101 (second partner), the connection permission control module 505 refers to the connection permission table 504, and the value included in the connection request S205. Is set in the connection permission table 504, whether a connection request is passed to the upper application 506 (connection with the upper application 506 is permitted) or communication (connection with the upper application 506) is rejected. To control. An example of a value set in the connection permission table 504 is a port number used to specify an application of the connected terminal 103. This value may be determined by the authentication server 102 and notified to the connection requesting terminal 101 and the connected terminal 102, and the connection requesting terminal 101 may include this value in the connection request S205.

  Conditions for permitting connection are set in the connection permission table 504. The authentication server communication module 502 rewrites (changes) the connection permission conditions set in the connection permission table 504 based on the port number information included in the connection permission instruction command S203.

  In addition, if it does not end normally, it may be possible that an entry remains in the connection permission table 504 for a long time. Therefore, when the no-communication state of the corresponding entry reaches a certain time, the connection permission table is monitored. A no-communication monitoring timer 507 for deleting the corresponding entry 504 is held.

  FIG. 8 shows the configuration of the connection permission table 504 of the connected terminal (terminal B) 103.

  Each entry is created by a connection permission instruction command S203 from the authentication server 102, and is deleted by the termination processing S207 of the connection requesting terminal (terminal A) 101 or the no-communication monitoring timer module 507.

  F511 is a source IP address field, which corresponds to the IP address of the connection requesting terminal 101. F512 is a source port number. F513 is a reception port number, and is a number that becomes an identifier indicating the upper application 506 together with the protocol type of F514. F515 is the no-communication elapsed time set by the no-communication monitoring timer 507, and when this value exceeds a certain value, the entry is deleted.

  In other words, the connected device (reception device) 101 includes a network interface card 906 that is a reception unit and a CPU 901 that is a permission unit that permits connection, and the CPU 901 receives a connection permission instruction command received by the network interface card 906. The condition for permitting connection is changed according to the port number information included in S203.

  The connected terminal (receiving device) 101 has a network interface card 906 as a receiving means, and when a connection permission instruction command (first signal) S203 is received from the authentication server (first partner) 102, a connection is established. The CPU 901 is a permission unit that permits connection between the request terminal (second partner) 101 and a predetermined port. For example, the connected apparatus 101 sends a connection permission instruction command (first signal) including port information indicating a port permitted to connect to the connection requesting terminal (second partner) 101 to the authentication server (first partner). On the condition that it is received from 102, the connection between the port indicated by the port information and the connection requesting terminal (second partner) is permitted.

  The connected terminal 103 which is a receiving apparatus according to the embodiment of the present invention is a receiving means for receiving port number information. The port number is determined by the network interface card 906 which is the connection port switching apparatus 105 and the network interface card 906. After receiving the information (including the connection permission instruction command S203), the CPU 901 is a permission unit that permits the connection at the port specified by the port number information received by the network interface card 906.

  In response to the connection request S205 in which the port number and the protocol type are specified, the connected terminal 103 determines whether the port number based on the comparison between the port number specified in the connection request S205 and the port number information included in the connection permission instruction command S203. The connection with the application 506 specified by the number and the protocol type is permitted.

  The connected terminal 103 receives the connection permission instruction command S203 based on the port number information included in the connection permission instruction command S203 received by the network interface card 906, and then receives the connection received by the network interface card 906 by the CPU 901. Connection is permitted based on the port number information included in the request S205.

  The connected terminal 103 receives a connection permission instruction command S203 from the authentication server 102 which is a connection control device, and receives a connection request S205 from the connection request terminal 101 which is a connection requesting device.

  The connected terminal 103 invalidates the port number information received by the network interface card 906 when the communication permitted to be connected by the CPU 901 is completed.

  The connected terminal 103 invalidates the port number information received by the network interface card 906 after a predetermined time counted by the non-communication monitoring timer 507.

  The connected terminal 103 receives the address information together with the port number information from the network interface card 906, and the CPU 901 determines whether to permit the connection based on the port number information and the address information.

  FIG. 9 shows the format of the authentication request command S201 sent from the connection request terminal 101 to the authentication server 102. This is a logical representation of an IP packet header and payload.

  F601 to F604 are information included in the header portion of the IP packet.

  F 601 is an IP address of the authentication server 102 and is used as a destination for transferring a packet to the server 102. The connection request terminal 101 uses the connection server address information 303 as the destination IP address F601. F602 is the IP address of the connection requesting terminal 101. F603 is a port number corresponding to the authentication request communication module 402 of the authentication server 102. In this embodiment, the port number is 1645. This number is a unique and known number for all connection requesting terminals and connected terminals that use the authentication server 102. The authentication request command S201 whose port number F603 is 1645 is processed by the authentication request communication module 402 through the communication module 401.

  F604 is a port number when the connection requesting terminal 101 issues the authentication request command. The port number may change for each command, but in the present embodiment, the same port number is used in the authentication request command in S201 and the connection request in S205.

  F605 to F610 are portions corresponding to the payload of the IP packet. Here, portions corresponding to the TCP and UDP protocols are omitted.

  F605 is a command type, and stores a character string [AuthReq] representing an authentication request command. F606 is an ID unique to the connection requesting terminal 101. F607 is a password character string corresponding to the ID. The connection requesting terminal 101 uses the ID and password included in its own terminal authentication information 304 as ID (F606) and password F607. F608 is the IP address of the connected terminal 103 that the connection requesting terminal 101 desires to connect to. Similarly, F609 is a port number corresponding to the application 506 that desires connection of the connected terminal 103, and F610 is a protocol type.

  FIG. 10 shows a format of a connection permission instruction command S203 issued from the authentication server 102 to the connected terminal 103. This is a logical representation of an IP packet header and payload.

  F701 to F704 are information included in the header portion of the IP packet.

  F 701 is the IP address of the connected terminal 103, and is used as a destination for transferring the packet to the connected terminal 103. The authentication server 102 uses the IP address of the connected terminal 103 included in the desired connection destination IP (F608) of the connection request command S201 as the counterpart IP address 103. F 702 is the IP address of the authentication server 102. F703 is a port number corresponding to the authentication server communication module 502 of the connected terminal 103. In this embodiment, the port number is 1645. This number is a unique and known number in all terminals that accept the connection permission instruction command S203 from the authentication server 102. The connection permission instruction command S203 whose port number F703 is 1645 is processed by the authentication server communication module 502 through the communication module 501.

  F704 is a port number when the authentication server 102 issues the connection permission instruction command S203. In the present embodiment, the port number is the same as F603 (the port number corresponding to the authentication request communication module 402 of the authentication server 102) in the command of S201.

  F705 to F709 are portions corresponding to the payload of the IP packet. Here, portions corresponding to the TCP and UDP protocols are omitted.

  F705 is a command type, in which a character string [PortOpenReq] representing a connection permission instruction command is stored. F707 is the IP address of the connection requesting terminal 101. The authentication server 102 uses the IP address F602 of the connection request terminal 101 included in the authentication request command S201 as the IP address F707 of the connection request terminal 101. F707 is a port number scheduled to be used when the connection requesting terminal 101 connects to the connected terminal 103.

  The authentication server 102 uses, as the connection request source port number F707, the port number F605 when the connection request terminal 101 included in the authentication request command S201 issues the authentication request command. As the port number F707 scheduled to be used when the connection requesting terminal 101 connects to the connected terminal 103, a port number other than the port number F605 when the connection requesting terminal 101 issues the authentication request command can be used. In this case, the port number to be used when the connection requesting terminal 101 connects to the connected terminal 103 is included in the authentication request command S201.

  F708 is a port number corresponding to the application 506 of the connected terminal 103 that the connection requesting terminal 101 desires to connect to. The authentication server 102 corresponds to the application 506 of the connected terminal 103 that the connection requesting terminal 101 desires to connect to, and the port number F609 corresponding to the application 506 that desires to connect to the connected terminal 103 included in the authentication request command S201. Used as port number F708. F709 is a protocol type. The authentication server 102 uses the protocol type F610 included in the authentication request command S201 as the protocol type F709.

  FIG. 11 is a flowchart of the operation of the connection request terminal 101 that issues a connection request according to this embodiment. This flowchart shows a program that the CPU 901 reads out from the ROM 902, HD 907, or FD 908 and executes it.

  When there is a communication request from the application 301, first the connection to the authentication server 102 is made in S801. The connection destination IP address used at this time is the IP address stored in the authentication server address information 303. First, in S802, the authentication server communication module 302 issues an authentication request command S201 (FIG. 9). This authentication request command S201 includes a connection destination port number F609. The connection destination port number F609 identifies the application 506 in which the connected terminal 103 is located together with the protocol type F610.

  In S803, the process waits for a response S202 or S204 from the authentication server 102, and if the connection disapproval response (NACK) in S202 returns, the process proceeds to S804, and if the connection permission response (ACK) in S204 returns, the process proceeds to S805.

  Since the subsequent processing cannot be continued in S804, the communication with the authentication server 102 is disconnected, and the authentication server communication module 302 notifies the application 301 that issued the authentication request that the connection is not permitted. finish.

  In step S <b> 805, communication with the authentication server 102 is disconnected, and the application 301 is notified from the authentication server communication module 302 that connection is permitted. The application 301 connects to the subsequent connected terminal 103 when the connection permission is obtained.

  In step S806, the application 301 issues a connection request S205 for starting communication in an upper layer to the connected terminal 103. The connection request S205 includes a connection destination port number and a protocol type. The connection destination port number identifies the application 506 with the connected terminal 103 together with the protocol type. In S807, the process waits until a connection is actually made to the connection request S205. This processing is, for example, a TCP session establishment flow or processing in a higher-level application.

  In step S <b> 808, the communication module 305 disconnects communication with the connected terminal 103 in response to the completion of communication by the higher-level application 301 depending on whether the application 301 is communicating.

  In other words, the connection request terminal 101 which is the connection request apparatus of the present invention, under the control of the CPU 901 which executes processing based on the program of FIG. 11, the connected apparatus 103 which is a receiving apparatus and the authentication server 102 which is a setting apparatus. And communicate via the network 100. Specifically, port number information (including authentication request command S201) that requests connection to the connected terminal 103 that is the receiving device is transmitted to the authentication server 102 that is the setting device (S802), and the port number information is included in the port number information. The connection request S205 including the corresponding port number is transmitted to the connected device 103 that is the receiving device (S806). The connection request terminal 101 transmits the connection request S205 to the connected device 103 as the receiving device (S806) in response to the response ACK from the authentication server 102 as the setting device (S803).

  FIG. 12 is a flowchart showing the operation of the authentication server 102 according to this embodiment. This flowchart shows a program that the CPU 901 reads out from the ROM 902, HD 907, or FD 908 and executes it.

  This server 102 always waits for an authentication request from the terminal.

  In step S901, an authentication request from the connection requesting terminal is awaited. When there is an actual connection request from the connection request terminal 101, parameters F601 to F610 of the authentication request command 201 are extracted in S902.

  In step S903, a password character string is extracted from the ID / password table 403 based on the ID of F606 and compared with the character string of F607. In S905, the character strings are compared, and if they are the same, it is regarded as being authenticated and the process proceeds to S907. If the character string is different here, it is considered that the character string has not been authenticated, and the process proceeds to S906.

  Since it was not authenticated in S906, the subsequent processing is not continued, and communication with the connection requesting terminal 101 is simply disconnected and the processing is terminated.

  In S907, a connection permission instruction command S203 is issued to the connected terminal 103. This connection permission instruction command S203 includes a connection destination port number F708. The desired connection destination port number F708, together with the protocol type F709, identifies the application 506 with the connected terminal 103. The authentication server 102 includes the desired connection destination port number F609 and the protocol type F610 included in the authentication request command S201 as the desired connection destination port number F708 and the protocol type F709 in the connection permission instruction command S203. In another form, a command for notifying the authentication server 102 of the connection destination port number F609 and the protocol type F610 from the connection request terminal 103 is provided separately from the authentication request command S201. In S908, a connection permission response S204 is returned to the connection requesting terminal 101. In step S909, the connection request terminal 101 is disconnected from the authentication request process.

  That is, the authentication server 102 that is the setting device according to the embodiment of the present invention is connected to the connected terminal 103 that is a receiving device via the network 100 under the control of the CPU 901 that executes processing based on the program of FIG. This is a setting device that performs the setting. Specifically, the port number information (including the connection permission instruction command S203) for connecting to the connection requesting side 101 is notified to the connected terminal 103 which is the receiving device (S907). In this embodiment, the authentication server 102 receives the port number information (including the authentication request command 201) from the connection request side 101 (S901), and the port number information received from the connection request side 101 is received by the receiving device in S907. A certain connected terminal 103 is notified.

  In another form, the authentication server 102 determines the port number, notifies the connection request terminal 101 of the port number information indicating the determined port number, and notifies the connected terminal 103 (S907). The terminal 101 and the connected terminal 103 are determined by the authentication server 102 and make a connection request and connection permission determination based on the notified port number information. The notification of the port number information from the authentication server 102 to the connection requesting terminal 101 is included in the ACK (S202) transmitted in S908, for example.

  FIG. 13 is a flowchart showing the operation of the connected terminal 103 according to the present embodiment. This flowchart shows a program that the CPU 901 reads out from the ROM 902, HD 907, or FD 908 and executes it.

  In S1001, only the connection from the authentication server 102 is awaited. The connected terminal 103 holds a global IP and has the ability to accept various services. Normally, the connection port for accepting communication is provided by the authentication server communication module 502 from the authentication server 102. Only a connection port for accepting communication (port 1645 set in F703 in FIG. 10) is set. However, a case where there are a plurality of authentication servers 102 is conceivable.

  When there is a connection request in S1001, the connection request source IP address (source IP address) is extracted in S1002. In S1003, the authentication server address table 503 in which the address of the authentication server 102 is stored is referred to and compared. If the IP address of the connection request source is included in the table 503, the process proceeds to step S1006 to accept an instruction from the authentication server 102 in step S1005.

  If no IP address is included in the authentication server address table 1004 in S1005, the process proceeds to S1011 as a connection request from a general terminal.

  In step S1006, the authentication server communication module 502 performs connection processing with the authentication server 102. In step S1007, the process waits for a connection permission instruction command S203 from the authentication server 102. Upon receiving the connection permission instruction command S203 whose partner port number is the 1645 port, the authentication server communication module 502 extracts connection permission instruction parameters F701 to F709 in S1008. In S1009, the desired connection source IP address F706, the desired connection source port number F707, the desired connection destination port number F708, and the protocol type F709 are stored in the fields F511 to F514 of the connection permission table 504 from the parameters extracted in S1008, and the disconnection process is performed. The process proceeds to S1018. The no-communication monitoring timer 507 starts counting.

  After the connection permission instruction command S203 is received, a connection request S205 is received. The connected terminal 103 is connected based on the connection port number included in the connection permission instruction command S203 and stored in the connection permission table 504. It is determined whether the connection requested by the request S205 is permitted. Conditions for permitting connection are set in the connection permission table 504, and the CPU 901 includes port number information (desired connection destination port number F708) included in the connection permission instruction command S203 (for example, protocol type F709, connection requesting source port). The connection permission condition set in the connection permission table 504 is changed according to the number F707). The connection destination port number F708 and the protocol identification F709 specify the application 506 in which the terminal 103 is connected.

  On the other hand, if the connection is not from the authentication server 102 in S1005, parameters are extracted from the connection request packet in S1011. The parameters extracted here are the IP address of the connection request source, the protocol type, the port number of the connection request source, and the port number for requesting connection to the connected terminal 103.

  In step S1012, the F511 field in the connection permission table 504 is referred to, and it is determined whether the connection request source IP address extracted from the packet is a connection-permitted IP address. If the IP address of the connection request source in the connection request S205 is in one of the fields of F511, the process proceeds to S1013, and if not, the process proceeds to the connection rejection flow S1017.

  In S1013, it is determined whether or not the port number for requesting connection in the connection request packet is in the reception port number field F513 from among the IP address entries matched in S1012. In the example of FIG. 8, if the source IP address is 192.168.1.2, it is determined whether the port number for requesting connection in the connection request packet is 80. That is, when the connected terminal (receiving device) 103 receives a connection permission instruction command S203 (first signal) including port number information from the authentication server (first partner) 102 (S1007), the first signal After the reception of the port number information (first information) included in the first signal and the second signal, the connection by the second signal (connection request S205) received from the connection requesting terminal (second partner) 101 is received. Based on the port number specified by the port number information included in the second signal and the port specified by the port number information included in the second signal) (S1013).

  Here, in another embodiment, the connection is limited by the type of TCP / UDP protocol corresponding to F514 and the port number of the transmission source corresponding to F512. On the other hand, in this embodiment, the determination is made based on the IP address F511 and the reception port number F513 having the highest importance. Further, connection restriction may be applied only by the reception port number F513.

  If it is determined in S1013 that the connection is permitted, the connection request terminal 101 and the application 506 are actually connected in S1014. The application 506 is specified by the protocol type extracted from the packet for requesting connection and the port number for requesting connection to the connected terminal 103. If the protocol type is TCP and the port number is 80, the application 506 is HTTP.

  In step S1015, the process waits until an end instruction is issued from the application 506. When the upper application 506 ends in step S1016, the corresponding entries F511 to F515 are deleted from the connection permission table 504. The no-communication monitoring timer 507 deletes the corresponding entries F511 to F515 when the no-communication elapsed time F515 reaches a predetermined time (for example, 1 minute). In any case, the entries F511 to F515 are invalidated, and connection is not permitted by the information included in the entries.

  In step S1017, the connection is rejected before the process is passed to the application 506. Further, in this process, it is conceivable that an error response indicating that the authentication server 102 has not been authenticated is returned instead of simple connection rejection.

  In step S1018, a connection disconnection process for all corresponding communications is performed, and all the series of communications are terminated.

  That is, the connected terminal 103, which is the receiving apparatus according to the embodiment of the present invention, controls the port number information (F708) included in the connection permission instruction command S203 under the control of the CPU 901 that executes processing based on the program of FIG. ), The connection permission condition set in the connection permission table 504 is changed. On the condition that the connection permission instruction command (first signal) S203 is received from the authentication server (first partner) 102 (S1007), the connection request terminal (second partner) 101 is connected to the predetermined port. Allow (S1013). For example, the connected apparatus 101 sends a connection permission instruction command (first signal) including port information indicating a port permitted to connect to the connection requesting terminal (second partner) 101 to the authentication server (first partner). On the condition that it is received from 102, the connection between the port indicated by the port information and the connection requesting terminal (second partner) is permitted.

  Also, the port number information (including the connection permission instruction command S203) is received (S1007), and the network interface card 906 that is the connection port switching device 105 is controlled based on the received port number information (S1013). Specifically, after receiving the port number information (including the connection permission instruction command S203), the connection specified by the received port number information is permitted based on the received port number information (S1013) ( S1013).

  In response to the connection request S205 in which the port number and the protocol type are specified, the connected terminal 103 is based on a comparison between the port number specified in the connection request S205 and the port number information included in the connection permission instruction command S203 in S1013. Thus, the connection with the application 506 specified by the port number and the protocol type is permitted.

  After receiving the connection permission instruction command S203 based on the port number information included in the connection permission instruction command S203, the connected terminal 103 receives the port number included in the connection request S205 received by the network interface card 906 in S1013. Allow connection based on information.

  The connected terminal 103 receives a connection permission instruction command S203 from the authentication server 102 which is a connection control device, and receives a connection request S205 from the connection request terminal 101 which is a connection requesting device.

  The connected terminal 103 invalidates the port number information received by the network interface card 906 when communication permitted to be connected is terminated (S1015) (S1016).

  The connected terminal 103 invalidates the port number information after a predetermined time counted by the no-communication monitoring timer 507.

  The connected terminal 103 receives the address information together with the port number information, and the CPU 901 permits the connection based on the port number information and the address information (S1012, S1013).

  As described above, in this embodiment, only the connection request terminal 101 having the IP address permitted by the connection permission instruction command S203 is connected to the application 506. In this embodiment, the port number that permits connection is designated from the authentication server 102 to the connected terminal 103, but a port number other than the port number that permits connection may be designated. Further, instead of designating the boat number itself for permitting connection, if a certain port number, for example, 25 is designated, connection with a port number that is a multiple of 25 may be permitted.

  Therefore, the security level can be improved depending on the security of the authentication server 102 and the level of authentication performed by the authentication server.

  For the purpose of simply preventing a DoS attack, even if the action of authenticating the client itself by the authentication server 102 is not strict, if the IP address of the terminal that is performing the DoS attack is known, control using only the IP address is possible. You can also take the method.

  Therefore, it is possible to prevent a denial-of-service attack at a terminal that receives a connection from an unspecified number.

  In addition, it is possible to authenticate the terminal of the connected party.

(Modification of the first embodiment)
FIG. 14 is a flowchart showing a modification of the first embodiment. FIG. 14 is a modification of the flow of FIG.

  This modification can ensure security more easily when various protocols for communication between terminals are conceivable.

  When the connection request terminal 101 on the connection request side starts communication with the connected terminal 103, first, an “authentication request command” S1201 is issued to the authentication server 102.

  Regarding the format and parameters of the command of S1201, F609 and F610 in FIG. 9 are not required.

  When the connection is permitted for the authentication request command S1201, the authentication server 102 issues a connection permission request command S1202 to the terminal B103 that is a connected terminal. The command format at this time includes F701 to F706 in FIG.

  The terminal B 103 which is a connected terminal is set to ignore (or reject) other than a predetermined command from the authentication server 102 during standby. The condition for accepting the received command while the connected terminal 103 is on standby is that the source IP address of the received command is a predetermined IP address. In one embodiment, the source IP address of the received command is a predetermined IP address, and the port number of the connected terminal 103 specified by the received command is a predetermined number. Is the case.

  When the connected terminal B 103 receives the connection permission request command S1202 from the authentication server 102 during this standby state, the connected terminal B 103 performs a setting for permitting access from all the IP addresses specified in S1203.

  Specifically, the value is set in the connection permission table of FIG. 8, but first, the IP address of the connection request source of F706 is extracted from the command of S1202 and set in the field of F511. The other fields F512, F513, and F514 are not particularly limited (all source port numbers of F512 are permitted. All reception port numbers of F513 are permitted. Protocols of F514 are TCP and UDP) Permission).

  In S1204, a connection permission response S1204 is returned to the authentication server 102.

  In S1205, the authentication server 102 returns the connection permission response of S1204 received from the connected terminal B103 to the connection requesting terminal A101.

  Upon receiving the connection permission response in S1205, the connection request terminal 101 issues a connection request command S1206 to the connected terminal 102 using an arbitrary port number. The connection request command S1206 includes the IP address of the connection request terminal 101 and port number information indicating the port number of the connected terminal 103 that the connection request terminal 101 desires to connect to.

  The connected terminal 103 has already set the IP address of the terminal A101 in the connection permission table (FIG. 8) (S1203), and permits all other parameters (permits connection to all ports). Yes, the connection according to the request S1206 from the connection requesting terminal 101 (including the IP address of the connection requesting terminal 101) can be accepted. In step S1207, the port number connected in step S1206 is extracted and set in the connection permission table (FIG. 8), and connections from other ports are not permitted thereafter. This port number is included in the connection request command S1206. After accepting the connection request S1206 including this port number, the connected terminal 103 ignores (or rejects) the connection request designating a port number other than the corresponding port number.

  That is, a condition for permitting connection is set in the connection permission table. The connection request S1206 includes port number information for specifying a port, and the connection permission condition in the connection permission table is changed according to the port number information (at a port other than the port specified by the port number information). Limit connections).

  Thereafter, in step S1208, communication of the upper application is started. The upper application is specified by the port number and the protocol type.

  When the upper application communication S1208 ends, an end process command is transmitted in S1209. The connected terminal 103 returns to a standby state where it is ignored (or rejected) except for a predetermined command from the authentication server 102.

  In S1203, connection to all ports is permitted. For example, connection to a known port number is permitted in both the terminals 101 and 103, and connection to other port numbers is not permitted. Also good. For example, connection to an even-numbered port number may be permitted, and connection to an odd-numbered port number may not be permitted.

  FIG. 15 shows a software module configuration of the connected terminal 103.

  At the time of connection, first, an instruction S1202 comes from the authentication server 102. This instruction S1202 is processed by the authentication server communication module 1502 through the communication module 1501. This instruction 1202 includes a predetermined port number. If the instruction S1202 includes a predetermined port number, the authentication server communication module 1502 indicates whether or not the instruction S1202 is forged at this time. Check the information. If it is an instruction from the authentication server existing in the authentication server address information 1503, the IP address of the connection requesting terminal 101 is specified by analyzing the format of the command S1202, and a value is set in the connection permission table 1504. At this time, the port number permits all ports.

  Thereafter, when there is a connection request S1206 from the connection request terminal 101, the connection permission control module 1505 refers to the connection permission table 1504 and controls whether to pass the connection request to the higher-level application 1506 or to refuse communication. To do. Here, if the source IP address of the connection request S1206 matches the source IP address set in the connection permission table 1504, the host application 1506 specified by the port number and protocol type included in the connection request S1206 The connection request terminal 101 is connected.

  When communication starts, the communication port detection module 1507 detects the source IP address and the port number to be used, and changes the port number in the connection permission table 1504 to only one. That is, the port number F513 corresponding to the source IP address F511 of the connection request S1206 is registered in the connection permission table 1504. Thereafter, the connection permission control module 1505 does not permit connection requests other than this port number. The connection request S1206 includes port number information indicating a port number (for example, 80) for connecting to the connection requesting terminal 101. After receiving this port number information, the connection control module 1505 has a number other than 80. Connection with port number of is not allowed. The port number that does not permit this connection is specified by the port number information included in the connection request S1206.

  In a certain form, the software (program) of FIG. 15 is executed by the CPU 901, and the terminal 103 of the present modification operates as described here. This program may be stored in a predetermined area of the RAM 902 and read and executed by the CPU 901.

  In this modification, the flow is different, but the configurations in FIGS. 1 and 3 are common.

  The connected device 103 that is a receiving device of the present invention includes a network interface 906 that is a receiving unit that receives port number information (connection request S1206) that identifies a port, and a CPU 901 that is a permitting unit that permits connection. The CPU 901 changes the condition for permitting connection according to the port number information.

  The connected device 103 is a port specified by the network interface board 906 which is a receiving means for receiving port number information and the port number information received by the receiving means after receiving the port number information by the receiving means. CPU 901 which is a permission means for permitting the connection. This port number information is included in the connection request S1206, and the connected device 103 restricts connections other than the port specified by this port number information.

  In this modification, when the network interface card 906 receives a connection request S1026 including port number information for specifying a port, the CPU 901 changes a condition for permitting connection according to the received port number information (port number information). Restrict connections on ports other than those specified by Conditions for permitting connection are set in the connection permission table 1504. The connection with the application 1506 specified by the port number information and the protocol type included in the connection request S1206 is permitted. After receiving the port number information, connections other than those specified by the port number information are restricted.

(Second Embodiment)
Next, a second embodiment will be described.

  FIG. 16 shows a flow of the present embodiment. The configurations of the terminals 101 and 103 and the relay server 102A (corresponding to the authentication server 102 in FIG. 1) are the same as the configurations of the terminals 101 and 103 and the authentication server 102 in the first embodiment. In the first and second embodiments, the connected terminal (receiving device) 103 connects a connection request specifying a predetermined port number with an application specified by the port number and the protocol type. In the first embodiment, the connected terminal (receiving device) 103 sets the port number information included in the connection permission instruction command S203 and the port number included in the connection request S205 from the connection requesting terminal (device) 101. Allow connection. In the second embodiment, the connected terminal (receiving device) 103 determines a port number, and the transmission requesting terminal (device) 101 includes a port number determined by the connected terminal (receiving device) 103. Request S1106 is transmitted.

  The terminal 103 in this embodiment transmits a first signal (connection permission response S1104) and receives a second signal (connection request S1105), and a second signal (connection request). Determining means (CPU 901) for determining port number information for receiving (S1105). The transmission / reception means (network interface card 906) transmits a first signal (connection permission response S1104) including the port number information determined by the determination means (CPU 901), and the determination means adds the determined port number information to the determined port number information. Based on this, the connection by the second signal is permitted.

  Further, when a predetermined signal (connection permission instruction command S1102) is received from the first partner (relay server 102A), the CPU 901 permits connection between the second partner (connection request terminal 101) and a specific port. It is permission means to do.

  When the terminal 103 receives the third signal (connection permission instruction command S1102), the terminal 103 transmits a first signal (S1104) including the port number information determined by the CPU (determining means) 901. The third signal (connection permission instruction command) S1102 is received from the relay server (relay apparatus) 102A, and the second signal (connection request) S1105 is received from the terminal (connection request apparatus) 101, and the first signal (Connection permission response) S1104 is transmitted to the relay server (relay device) 102A.

  The relay server 102A according to the present embodiment is a setting device for setting a communication device via the network 100. The port number information used for connection between the connected side 103 and the communication device (terminal) 101 on the connection request side is Notification is made to the communication device (terminal) 101 on the connection request side. The connected side 103 determines a port number used for connection with the communication apparatus (terminal) 101 on the connection request side, and notifies the relay server 102A of it.

  The connection request terminal 101 of this embodiment is a connection request device that communicates with the receiving device (terminal) 103 and the setting device (relay server) 102A via the network 100, and is a connection means (network interface card) for connecting the network 100. 906 and transmission / reception means (CPU) 901 for receiving information on a port number used for connection with the receiving apparatus 103 and transmitting a connection request including the port number corresponding to the port number information to the receiving apparatus 103. The CPU 901 transmits the connection request S1106 to the receiving device 103 in response to a response S1105 from the setting device (relay server 102A).

  The relay server 102A receives the port number information from the connected side 103, and notifies the port number information received from the connected side 103 to the connection requesting terminal 101 that is the connection requesting side.

  In another form, the relay server 102A determines a port number, notifies the connection request terminal 101 and the connected terminal 103 of port number information representing the determined port number, and connects the connection request terminal 101 and The connected terminal 103 determines the connection request and the connection permission based on the port number information determined and notified by the relay server 102A. The notification of the port number information from the relay server 102A to the connected terminal 103 is included in, for example, the connection instruction command S1102.

  The terminals 101 and 103 and the relay server 102A perform the following operations when the CPU 901 executes software stored in the ROM 902 or the HD 907 or software supplied from the FD 908. The CPU 901 reads out a processing program according to the processing sequence described below from the ROM 902, HD 907, or FD 908 and executes it, thereby performing control for realizing the operation in this embodiment.

  In the present embodiment, security can be secured more easily when the terminals communicate with each other to some extent in advance, and further, when the terminals start communication, the relay server 102A performs communication. It is a form that can be suitably applied to a model in which session control is performed.

  When the connection request terminal A101 that issues the connection request starts communication with the connected terminal B103, first, a “connection request command” S1101 is issued to the relay server 102A.

  Regarding the command format and parameters of S1101, the connection destination port number F609 and the protocol type F610 in FIG. 9 are not required.

  When permitting a connection in response to the connection request command S1101, the relay server 102A issues a connection permission request command S1102 (third signal) to the terminal B103 which is a connected terminal. The command format at this time includes F701 to F706 in FIG. Here, when the relay server 102A rejects the connection in response to the connection request command S1101, the description is omitted. However, as in the first embodiment, when the connection is rejected, Nack is returned to the terminal 101. .

  In step S1103, the terminal B 103, which is a connected terminal, dynamically (for example, randomly) determines a port number for permitting connection, and at the same time, permits connection to the port number.

  Specifically, a value is set in the connection permission table of FIG. 8. First, the IP address of the connection request source 101 in F706 is extracted from the command in S1102 and set in the field in F511. In addition, the Port number dynamically (eg, randomly) determined in S1103 in the terminal B103 is set in F513. In this embodiment, the other fields F512 and F514 are not particularly limited (all source port numbers of F512 are permitted. The protocol of F514 permits TCP and UDP). In the form of FIG. 16, the connection port number is determined after the connection permission command S1102 is received. However, the port number is determined prior to the reception of the connection permission command S1102, and the connection permission is received by the reception of the connection permission command S1102. The connection request source IP address F706 included in the command S1102 and a predetermined port number may be registered in F511 and F513 of the connection permission table.

  In S1104, a connection permission response S1104 (first signal) including the connection port number determined in S1103 is returned to the relay server 102A. This connection port number is port number information that identifies a port that is permitted to be connected in response to a connection request from the terminal 101.

  In S1105, the relay server 102A returns the connection permission response of S1104 received from the connected terminal B103 to the connection requesting terminal A101. This connection permission response S1105 includes the connection port number determined in S1103. In the form of FIG. 16, in another form, the connection permission response is returned from the terminal B103 to the terminal A101 via the relay server 102A. However, the terminal A101 does not pass directly (the relay server 102A) from the terminal B103. Return to.

  When the connection request terminal A101 receives the connection permission response of S1105, the connection request terminal A101 issues a connection request command S1106 to the connected terminal B103 using the connection permission port number therein.

  On the connected terminal B 103 side, the IP address of the terminal A 101 and the port number of the connection request command S 1106 (second signal) are already set (S 1103) in the connection permission table (FIG. 8). If a connection request including a port number is received, the connection is accepted (permitted). Even if the connection permission table 504 includes an IP address, if the port number is different, the connection is rejected. Thereafter, communication of the upper application is started in S1107. This higher-order application is specified by the port number (port number determined in S1103) included in the connection request S1106 and the protocol type. In a form in which the terminal 103 uses a predetermined protocol (for example, TCP) or a form in which a protocol to be used for each connection requesting terminal is determined (for example, a protocol used by a certain terminal is determined by UDP), a protocol is used. The type is registered in advance in the RAM 903 or the ROM 902, and is not necessarily included in the connection request S1106.

  When the upper application communication S1107 ends, a termination processing command is transmitted in S1108. When the communication S1107 in connection with the connection request S1106 ends, the terminal B103 deletes (invalidates) the port number determined in S1103 from the connection permission table 504. Also, the terminal B 103 invalidates even when the non-communication elapsed time in the connection permission table 504 reaches a predetermined time.

  The terminal 103 in this embodiment transmits a connection permission response (first signal) S1104 including port number information, receives a connection request (second signal) S1106, and receives a connection request (first signal) based on the port number information. 2 signal) Connection by S1106 is permitted.

  FIG. 17 shows a software module configuration of the connected terminal 103.

  At the time of connection, first, an instruction S1102 comes from the relay server 102A. This instruction is processed by the authentication server communication module 1402 through the communication module 1401. At this time, whether or not the instruction S1102 has been forged is checked with reference to the authentication server address information 1403. If it is the instruction S1102 from the relay server 102A existing in the authentication server address information 1403, the format of the command S1102 is analyzed to identify the IP address F706 of the connection requesting terminal. Further, the port number for communication is determined in 1407, and a value is set in the connection permission table (F511, F513) 1404 together with the IP address of the connection requesting terminal 101. The port number determined by the communication port determination module 1407 is returned to the relay server 102A through the authentication server communication module 1402.

  Thereafter, when there is a connection request S1106 from the connection request terminal 101, the connection permission control module 1405 refers to the connection permission table 1404 and passes the connection request to the upper application 1406 (allows connection with the upper application 1406). Or communication) (connection with the upper application 1406) is controlled.

  In a certain form, the software (program) of FIG. 17 is executed by the CPU 901, and the terminal 103 of this modification operates as described here. This program may be stored in a predetermined area of the RAM 902 and read and executed by the CPU 901.

  In this modification, the flow is different, but the configurations in FIGS. 1 and 3 are common.

  The terminal 103 of the present embodiment transmits a connection permission response (first signal) S1104 and receives and transmits a connection request (second signal) S1106, and a connection request (second signal). ) Determination means (CPU 901) for determining port number information for receiving S1106. The network interface card 906 transmits a connection permission response (first signal) S1104 including the port number information determined by the CPU 901, and the CPU 901 connects based on the port number information according to the connection request (second signal) S1106. Allow. That is, if the connection request S1106 is a connection request to the port specified by this port number information, connection by this connection request S1106 is permitted. The connection request S1106 includes a connection destination port number. When terminal 103 receives connection permission instruction command (third signal) S1102 from relay server 102A, terminal 103 transmits connection permission response (first signal) S1104.

  The connection request (second signal) S1106 is connected to the application 1406 corresponding to the port number (and protocol type) included in the connection request (second signal) S1106.

  By specifying a random port number that is not unique to the application on the unconnected terminal 103 side, the effect of preventing attacks targeting a specific port can be enhanced.

(Modification of the second embodiment)
FIG. 18 shows a flow of a modification of the second embodiment.

  In this modification, a case will be described in which various protocols for communication between terminals are conceivable, and a session of another service is established between the same terminals while one service is communicating.

  When the connection request terminal 101 on the connection request side starts communication with the connected terminal 103, first, a “connection relay request command” S1301 is issued to the relay server 102A.

  Regarding the format and parameters of the command of S1301, F609 and F610 in FIG. 9 are not required.

  In response to the connection relay request command S1301, the relay server 102A issues a connection permission request command S1302 to the terminal B103 that is a connected terminal. The command format at this time includes F701 to F706 in FIG.

  Terminal B 103, which is a connected terminal, performs a setting for permitting a predetermined negotiation port number for access from the IP address designated in S1303.

  Specifically, the value is set in the connection permission table of FIG. 8, but first, the IP address of the connection request source of F706 is extracted from the command of S1302 and set in the field of F511. In addition, as the transmission source port number of F512 and the reception port number of F513, a negotiation port number that is uniquely determined in advance by all terminals related to this system is set. The F514 protocol is also set to a predetermined protocol.

  In S1304, a connection permission response S1304 is returned to the relay server 102A.

  In S1305, the relay server 102A returns the connection permission response of S1304 received from the connected terminal B103 to the connection requesting terminal A101.

  Upon receiving the connection permission response in S1305, the connection requesting terminal 101 uses the negotiation port number and protocol (value set in F512-F514) described in S1303, and in S1306, the terminal B103 and the higher-order application thereafter. Negotiate for Among these, the port number to be used is determined by both the terminal A101 and the terminal B103. In an example, the terminal 101 sends the desired port number to the terminal 103, the terminal 103 determines whether or not connection is possible at the port, and notifies the terminal 101 of the determination result. If the terminal 103 does not accept the connection at that port, the terminal 101 sends another port number to the terminal 103 and waits for a reply from the terminal 103 in response thereto. In another example, the port number desired by the terminal 103 is sent to the terminal 101, and the terminal 101 determines whether or not connection is possible at that port, and notifies the terminal 103 of the determination result.

  In S1307, the port number and IP address used in the actual higher-order application determined in S1306 are set in the connection permission table. Specifically, the entry for negotiation with the terminal A has already been set in S1303, but one entry is further added. Among them, F511 sets the IP address of the terminal A currently negotiated, and F512, F513, and F514 set the parameters determined by negotiation in S1306.

  Thereafter, communication of the upper application 1 is started in S1308.

  In this case, if another upper application 2 is to be used, the negotiation for the upper application 2 is performed again using the negotiation port between the terminal A and the terminal B in S1309 as in S1306 and S1307, and the new port The number is determined, and a new entry for the upper application 2 is added to the connection permission table 504 in S1310, as in S1307.

  Thereafter, communication of the upper application 2 is started in S1311.

  When the communication S1308 of the upper application 1 is completed, the termination process command 1 is transmitted in S1312.

  When the communication S1311 of the upper application 2 is terminated, the termination process command 2 is transmitted in S1313.

  FIG. 19 shows a module configuration of the connected terminal 103.

  At the time of connection, first, an instruction S1302 is received from the relay server 102A. This instruction S1302 is processed by the authentication server communication module 1602 through the communication module 1601. At this time, whether or not the instruction is forged is checked by referring to the authentication server address information 1603. If it is an instruction from the authentication server existing in the authentication server address information 1603, the IP address of the connection requesting terminal 101 is identified by analyzing the format of the command S1302, and a value is set in the connection permission table 1604. At this time, the port number is a negotiation-use port number determined in advance between terminals related to this system.

  After that, when there is a connection negotiation request S1306 from the connection request terminal 101, the connection permission control module 1605 refers to the connection permission table 1604 and determines whether to pass the connection request to the service negotiation module 1607 or to refuse communication. Control.

  The service negotiation module 1607 negotiates communication including the port number actually used with the connection requesting terminal.

  The port number determined by this exchange and the value of the IP address of the connection requesting terminal 101 are set in the connection permission table 1604.

  Thereafter, when there is a connection request for actual application communication from the connection request terminal 101 side, the connection permission control module 1605 refers to the connection permission table 1604 and passes the connection request to the upper application 1606 or rejects the communication. Control what to do.

  Even during communication, a new port number can be used again through the negotiation module 1607 for communication of a new application.

It is the figure which showed the outline | summary of this invention. It is a flow of commands and connection procedures exchanged between a connection requesting terminal, an authentication server, and a connected terminal. It is the block diagram which showed the structure of the to-be-connected terminal. It is the figure which showed the module structure of the connection request | requirement terminal (terminal A). It is the figure which showed the module structure of the authentication server. It is the figure which showed the structure of the table of 403. FIG. It is the figure which showed the module structure of the to-be-connected terminal. It is the figure which showed the structure of the connection permission table of a to-be-connected terminal (terminal B) 103. 4 is a diagram illustrating a format of an authentication request command sent from the connection request terminal 101 to the authentication server 102. FIG. It is the figure which showed the format of the connection permission instruction | indication command issued with respect to a to-be-connected terminal from the authentication server. It is a flowchart of operation | movement of the connection request terminal which issues a connection request. 4 is a flowchart showing the operation of the authentication server 102. 5 is a flowchart showing an operation of a connected terminal 103. It is a flow of a modification. It is the figure which showed the module structure of the terminal of a modification. This is the second flow. It is the figure which showed the module structure of the 2nd terminal. It is a modification of the 2nd flow. It is the figure which showed the module structure of the modification of a 2nd terminal.

Explanation of symbols

101 Connection request terminal 102 Authentication server 103 Connected terminal

Claims (12)

  A receiving device comprising: a receiving unit; and a changing unit that changes a condition for permitting a connection when receiving port number information for identifying a port from an authentication server that authenticates the connection requesting device.   A receiving method characterized by changing a condition for permitting a connection when receiving port number information for identifying a port from an authentication server for authenticating a connection requesting device.   A receiving program for changing a condition for permitting a connection when receiving port number information for identifying a port from an authentication server for authenticating a connection requesting device.   When the first signal is received from the receiving means and the authentication server that authenticates the connection requesting device, the connection request is made at the port specified by the port number information included in the first signal after the reception of the first signal. A receiving apparatus comprising permission means for permitting connection by a second signal received from the apparatus.   When the first signal is received from the authentication server that authenticates the connection requesting device, it is received from the connection requesting device at the port specified by the port number information included in the first signal after the reception of the first signal. A receiving method, wherein connection by a second signal is permitted.   When the first signal is received from the authentication server that authenticates the connection requesting device, it is received from the connection requesting device at the port specified by the port number information included in the first signal after the reception of the first signal. A receiving program that permits connection by a second signal.   When receiving port number information for identifying a port from an authentication server that authenticates the connection requesting device, the receiving device restricts the connection according to the received port number information.   When receiving port number information for identifying a port from an authentication server for authenticating a connection requesting device, the receiving method is characterized in that the connection is restricted according to the received port number information.   When receiving port number information for identifying a port from an authentication server for authenticating a connection requesting device, a receiving program that restricts connection according to the received port number information.   An authentication server for authenticating a connection requesting device, wherein the receiving server is notified of port number information for connecting to the connection requesting device.   An authentication method for authenticating a connection requesting device, wherein the receiving device is notified of port number information for connecting to the connection requesting device.   An authentication program for authenticating a connection requesting device, wherein the receiving program is notified of port number information for connecting to the connection requesting device.

Images