JP7450974B1 - Traffic control method in mobile communication network-based private network and mobile communication network-based private network system - Google Patents

Abstract

The present invention provides a traffic control technique in a private network that uses the configuration of a mobile communications core network as the internal configuration of the private network, which enables effective traffic control. A mobile communication network-based private network system 200 includes a packet data processing system of a mobile communication core network to which a user terminal 10 is connected, a traffic management device that holds a connection policy held in advance, and a connection policy and connection information. It includes a packet analyzer that compares and controls connections. The connection policy includes at least one of a whitelist that defines targets to which traffic is allowed or a blacklist that defines targets to block traffic. The packet data processing system is included in a private network system that is not controlled by the control policy device of the mobile communications core network. [Selection diagram] Figure 2

Description

The techniques described below relate to traffic control techniques in private networks based on mobile communication networks.

Companies and public institutions use intranets, which are private networks used internally, to provide certain services to their constituent users. Here, the private network corresponds to a system physically separated from the mobile communication network. If the private network is linked to a mobile communication network, users can connect to it through the mobile communication network.

Meanwhile, a mobile communication network can control traffic to users connected to a core network based on a preset policy.

User traffic control in a private network linked to a mobile communication network needs to be managed separately from the mobile communication network policy. The techniques described below seek to provide a private network that controls traffic using a control policy that is independent of the control policy of the mobile communications network. Furthermore, the technology described below attempts to provide a private network that dynamically utilizes information about users connected to a mobile communications network while controlling traffic using control policies independent of the mobile communications network. .

In a traffic control method in a mobile communication network-based private network, when subscriber identification information of a user terminal is registered in the mobile communication core network, a traffic management device registers the identification information of the user terminal and registering a terminal as a blacklist terminal or whitelist terminal; connecting the user terminal to the mobile communications core network; and transmitting a packet analysis device to a network for a specific service from the packet data processing system of the mobile communications core network. receiving a packet requesting connection and extracting connection information of the user terminal from the packet; and a packet analysis device comparing the connection information with a preset connection policy of the traffic management device to determine whether the intranet is connected. or including controlling the Internet connection.

A mobile communication network-based private network system includes a packet data processing system of a mobile communication core network to which a user terminal is attached, a traffic management device having a connection policy stored in advance, and a network connection from the packet data processing system. The packet analysis device receives a packet requesting the user terminal, extracts connection information of the user terminal from the packet, compares the connection information with a connection policy of the traffic management device, and controls an intranet or Internet connection. The connection policy includes at least one of a white list that defines targets for which traffic is allowed or a black list that defines targets for which traffic is blocked, and the packet data processing system includes a control policy device for the mobile communication core network. Included in an uncontrolled private network system.

The techniques described below allow connection to a private network through a mobile communications network, but allow traffic control independent of the mobile communications network. Furthermore, the technology described below enables effective traffic control in a private network that uses the configuration of a conventional mobile communication core network as the internal configuration of the private network.

This is an example of traffic control in a conventional mobile communication network system. This is an example of traffic control in a mobile communication network-based private network system. This is an example for policy setting and control process in mobile communication network-based private network system. 2 is an example of a flowchart for a traffic control process in a mobile communication network-based private network system; 1 is an example of a procedure flowchart for a traffic control process in a mobile communication network-based private network system;

Although the technology described below may be subject to various changes and have various embodiments, specific embodiments will be illustrated in the drawings and described in detail. However, this is not intended to limit the technology described below to a specific embodiment, but includes all modifications, equivalents, and substitutes that fall within the spirit and scope of the technology described below. It should be understood that

Terms such as first, second, A, B, etc. may be used to describe various components, but the components are not limited by the above terms, but merely to distinguish one component from another. used only for the purpose of For example, a first component may be named a second component, and likewise a second component may be named a first component without departing from the scope of the technology described below. The term and/or includes any combination of a plurality of related listed items or a plurality of related listed items.

As used herein, the term singular should be understood to include the plural unless the context clearly dictates otherwise; Refers to the presence of a step, action, component, part, or combination thereof, and the presence of one or more other features or numbers, step-action components, parts, or combinations thereof. It should be understood that this does not exclude the possibility of the existence or addition of such things.

Before describing the drawings in detail, it will be made clear that the division of components in this specification is merely a division according to the main function that each component is responsible for. That is, two or more components described below may be combined into one component, or one component may be divided into two or more components according to more detailed functions. In addition to the main functions that each component is responsible for, each component described below may additionally perform some or all of the functions that other components are responsible for. It goes without saying that some of the main functions may be performed exclusively by other components.

Also, in performing a method or method of operation, steps of the method may occur out of the order specified, unless the context clearly dictates a particular order. That is, each step may occur in the same order as specified, may be performed substantially simultaneously, or may be performed in the opposite order.

FIG. 1 is an example of traffic control in a conventional mobile communication network system 100. FIG. 1 illustrates an LTE system by way of example.

The user terminal 10 is connected to an EPC (Evolved Packet Core, 120), which is a core system of a mobile communication network, through a base station (eNB, 110). FIG. 1 illustrates a part of the configuration of the EPC 120 necessary for explanation. The MME (Mobility Management Entity, 121) performs session management and mobility management for the user terminal 10. A Serving Gateway (SGW) 122 transmits data packets and serves as a handover reference point with a base station or other network. A PGW (PDN Gateway, 125) is configured to connect the user terminal 10 to an external data network.

PCRF (Policy and Charging Rules Function, 124) is a structure that provides policy and charging on a service and subscriber profile basis. The PCRF 124 corresponds to a configuration that controls connection to the user terminal 10 connected to the mobile communication network. Therefore, the PCRF 124 is involved in policy-based traffic control in the mobile communication network system 100.

According to the policy of the PCRF 124, the user terminal 10 can connect to the external Internet through the PGW 125. FIG. 1 illustrates the case of connecting to a private intranet P through the Internet. Therefore, the user terminal 10 connects to the intranet P via the mobile communication network system 100, and the intranet P provides services based on the information and requests of the connected terminals. Although the intranet P can control the traffic of the user terminal 10, this is not related to the policy of the PCRF 124, and it is difficult to utilize internal information of the mobile communication network (RADIUS authentication information, etc.) in this process.

FIG. 2 is an example for a private network system 200 coupled with a mobile communication network. In FIG. 2, the private network system 200 can control traffic on the private network based on information of the user terminal 10 connected to the mobile communication network.

FIG. 2 is an example of traffic control in a mobile communication network-based private network system 200. The user terminal 10 can be connected to a 4G or 5G mobile communication network. A user terminal can connect to a mobile communication network through an eNB or gNB.

The mobile communication network-based private network system 200 includes an EPC 210, a TMS (Traffic Management System, 220), and a DPI (Deep Packet Inspection, 230).

The user terminal 10 corresponds to a device previously registered in the EPC 210 as a mobile communication subscriber. FIG. 1 does not illustrate a structure (HSS, etc.) that holds information regarding the user terminal 10.

The EPC 210 corresponds to a core system of a mobile communication network. FIG. 2 illustrates only the PGW and UPF (User Plane Function), which are the packet data transmission configurations necessary for explanation in the EPC. PGW is a packet transmission gateway of a 4G mobile communication network, and UPF corresponds to a packet transmission configuration of a 5G mobile communication network.

TMS 220, which is a traffic management device, manages policies for traffic control. TMS 220 may receive certain information from EPC 210. For example, TMS 220 may be coupled to UPF and GTPP (GPT Prime).

The DPI 230, which is a packet analysis device, receives packets from the PGW or UPF. For example, the DPI 230 can receive a RADIUS generated when the user terminal 10 connects to a mobile communication network from the PGW or UPF.

The DPI 230 receives packets containing information generated by the user terminal 10. DPI 230 analyzes the received packet and extracts connection information and/or service information contained in the packet. The connection information corresponds to information generated when the user terminal 10 connects to a mobile communication network. The service information includes information regarding a service requested by the user terminal 10 from the intranet P. Furthermore, connection information in a broad sense may be used to include information generated while the user terminal 10 is connected to a network, service information, and the like.

DPI 230 may be connected to TMS 220 using a certain protocol (eg, FTP). For example, DPI 230 may communicate Diameter information to TMS 220, and DPI 230 may receive RADIUS information from TMS 220. The aforementioned Diameter and RADIUS are protocols for transmitting information related to authentication in mobile communications, and are shown in the drawings to mean information transmitted by the corresponding protocols. For example, the authentication-related information may include user information, location of the terminal, and the like. Of course, the mobile communication network-based private network system 200 may use other protocols to exchange information between the DPI 230 and the TMS 220.

The DPI 230 extracts connection information from the packet and controls the user terminal 10 to allow or block traffic by referring to the connection policy generated or transmitted by the TMS 220. The DPI 230 can be used as a standard for controlling traffic by combining one or more of various types of connection information.

The DPI 230 can allow or block the intranet P connection according to the connection information and connection policy of the user terminal 10. Further, the DPI 230 may allow or block traffic for a specific service using the Internet after connecting to the intranet P according to the connection information and connection policy of the user terminal 10.

FIG. 3 is an example of a policy setting and control process in a mobile communication network-based private network system 300. The mobile communication network-based private network system 300 of FIG. 3 is a system corresponding to the mobile communication network-based private network system 200 of FIG. 2. FIG. 3 additionally illustrates the configuration necessary for setting the connection policy.

Mobile communication network-based private network system 300 includes EPC 310, TMS 320, DPI 330, and push server 340.

As described above, the EPC 310 corresponds to the core network system of the mobile communication network. However, the private EPC 310 refers to an EPC dedicated to a specific company or institution that uses an intranet. That is, the private EPC 310 corresponds to a device allocated by a mobile communication network operator as a dedicated configuration of the private network system 300 of a specific company or institution.

The DPI 330 receives a packet containing a user terminal connection request or service request from the EPC 310 . The corresponding packet includes connection information. The packet basically contains identifier information for the user terminal. DPI 330 extracts connection information from the packet.

If the user terminal is a subscriber of a mobile communication network, the DPI 330 transmits the registration information of the corresponding terminal to the TMS 320. The registration information may include an identifier of the user terminal and/or a subscriber information identifier of the user terminal. The TMS 320 can register the corresponding user terminal as an object that can be connected to the private network system 300 using the registration information and perform rental processing.

DPI 330 receives a packet containing a user terminal service request from EPC 310 . The corresponding packet includes connection information. DPI 330 extracts connection information from the packet.

The DPI 330 can receive a connection policy for the user terminal requesting service from the TMS 320. The DPI 330 can control traffic to the corresponding user terminal by comparing the extracted connection information and the received connection policy.

TMS 320 may receive connection policies from administrator device 305 . The connection policy includes information for controlling traffic for a specific user or user terminal (hereinafter, description will be made based on the user terminal). The connection policy may include information regarding whether a specific user terminal is blacklisted or whitelisted. Further, the connection policy can specifically include a location (or area) for traffic control, a specific time (day of the week, specific time period, etc.), service classification information, and the like. The TMS 320 manages the connection policy and can update the connection policy according to information or instructions transmitted from the administrator device 305.

The DPI 330 manages traffic to user terminals by subscriber (user) and/or service. If the DPI 330 allows the service requested by the user terminal, it allows connection to the Internet address that provides the corresponding service through the switch SW, via the intranet P, or directly. When the DPI 330 blocks a service requested by a user terminal, it does not allow network connection. When the DPI 330 controls traffic for a specific user terminal, the corresponding control information can be transmitted to the TMS 320.

The TMS 320 may transmit control information to a push server 340, and the push server 340 may push control contents to the user terminal 10.

FIG. 4 is an example of a flowchart for a traffic control process 400 in a mobile communication network-based private network system.

The administrator can connect to the TMS using an administrator device (such as a PC) and register a connection policy for traffic control with the TMS (410).

Explain connectivity policy. The connection policy applies only to user terminals that connect to the private network system. Therefore, the connectivity policy is different from the PCRF policy of the mobile communication network.

Connection policy may be categorized into (i) area information, (ii) connection time, and (iii) service identification information.

(1) In connection policy, area information means the area where the user terminal is located. The area information may be set as a specific building, a specific factory, a specific indoor area, a specific outdoor area, etc. Area information may be defined as data such as GPS coordinates, connectivity or proximity to a specific base station(s), mobile communication network cells, and the like.

(2) Connection time means the time when the user terminal connects to the network or requests a specific service. The connection time may be defined as a specific time of the day, a specific day of the week, a specific month, a specific year, or the like.

(3) Service identification information is information that identifies a specific service provided by the private network. A particular service may be identified by IP, IP and port number, TCP port number, UDP port number, application name, domain name, host name, etc.

The TMS registers the user terminal connected to the private EPC of the private network (420). The TMS rents the MSISDN (Mobile Station International Subscriber Directory Number) of the connected user terminal in the mobile communication network, and records the IMEI (International Mobile Equipment) of the connected user terminal. tIdentity). The DPI will control only the terminals registered by the TMS as traffic control targets.

During the registration process, the TMS can also set whether the user terminal is subject to whitelist-based control or blacklist-based control. Additionally, the TMS may individually set connection policies for user terminals. That is, the TMS can set different connection policies for each identifier of a corresponding terminal.

Thereafter, the user terminal connects to the private network and requests a certain service (430). A user terminal currently connected to a private network and requesting a service is named a target terminal.

The DPI receives a packet containing a service request for the target terminal from the private EPC. DPI extracts the necessary information from the received packet. The DPI can extract information such as a terminal identifier, a terminal location, and a terminal service level.

The DPI first checks whether the target terminal has been rented as a registered terminal connectable to the private network system (440). DPI blocks traffic unless the target terminal is a registered terminal. If the target terminal is a registered terminal, the DPI will control traffic according to a preset connection policy (Yes at 440).

The DPI controls the traffic of the target terminal with reference to the connection policy of the TMS. The DPI checks whether the target terminal belongs to the whitelist (450). If the target terminal is a whitelist-based terminal, only services corresponding to the registered policy will be allowed. The DPI compares the connection information of the target terminal with the connection policy, and if the connection information of the target terminal is the same (sign) as the connection policy (Yes in 460), the packet is transmitted over the Internet (switch) (490). The DPI compares the connection information of the target terminal with the connection policy, and blocks traffic if the connection information of the target terminal is not the same as the connection policy.

The connection information extracted by the DPI is information corresponding to the connection policy described above. The connection information may include at least one of (i) location of the terminal, (ii) connection time or service request time, and (iii) service identification information.

(1) The location of the terminal can be determined using RADIUS location information of the mobile communication network. If the location of the target terminal is included in the area information of the connection policy, the DPI transmits the packet of the target terminal over the Internet.

(2) Connection time is the time when the target terminal connected to the network (mobile communication network or private network). The service request time is the time when the target terminal requests a specific service, and may be the same as the connection time, or may be a future time after the connection time. DPI transmits packets of the target terminal over the Internet if the connection time of the target terminal includes the connection time allowed by the connection policy.

(3) Service identification information is information that identifies a service. The service identification information may include at least one of an IP, an IP and port number, a TCP port number, a UDP port number, an application name, a domain name, and a host name. If the identification information of the service requested by the target terminal is included in the service information allowed by the connection policy, the DPI transmits the packet of the target terminal over the Internet.

If the target terminal is not a whitelist-based terminal, it will fall under the control of a blacklist-based terminal. If the target terminal is not a whitelist-based terminal (No in 450), the DPI can check whether the target terminal belongs to the blacklist (470). If the target terminal is not a blacklist-based terminal, the DPI may again check whether the target terminal is a registered terminal.

If the target device is a blacklist-based device, only services corresponding to the registered policy will be blocked. The DPI compares the connection information of the target terminal with the connection policy, and if the connection information of the target terminal is not the same (sign) as the connection policy (No in 480), transmits the packet over the Internet (switch) (490). The DPI compares the connection information of the target terminal with the connection policy, and blocks the traffic if the connection information of the target terminal is the same (sign) as the connection policy.

The connection information extracted by the DPI is information corresponding to the connection policy described above. The connection information may include at least one of (i) location of the terminal, (ii) connection time or service request time, and (iii) service identification information.

(1) The location of the terminal can be determined using RADIUS location information of the mobile communication network. DPI blocks traffic if the location of the target terminal is included in the area information of the connection policy.

(2) Connection time is the time when the target terminal connected to the network (mobile communication network or private network). The service request time may be the time when the target terminal requests a specific service, which may be the same as the connection time, or may be a future time after the connection time. DPI blocks traffic if the connection time of the target terminal includes the connection time allowed by the connection policy.

(3) Service identification information is information that identifies a service. The service identification information may include at least one of an IP, an IP and port number, a TCP port number, a UDP port number, an application name, a domain name, and a host name. The DPI blocks traffic if the identification information of the service requested by the target terminal is included in the service information allowed by the connection policy.

FIG. 5 is an example of a procedure flowchart for a traffic control process 500 in a mobile communication network-based private network system.

The TMS 320 sets a connection policy in advance (501). The connection policy can be set based on the various information described above (area information, connection time, and service identifier). The connection policy may be set using a combination of various information (area information, connection time, and service identifier). Additionally, the connection policy may be set for each user terminal. The connection policy may be set for each specific user group. The user group may be set in advance based on the subscription identifier of the terminal or the identifier of the terminal.

The user terminal 10 connects to the private EPC 310 (511). When the user terminal 10 connects to a private network for the first time, it may request registration for use of the private network (512).

The TMS 320 performs registration and rental processing for the terminal that requested registration (521).

Thereafter, the user terminal 10 requests a specific service while connecting to the private network (531). TMS 320 communicates the blacklist-based and/or whitelist-based connection policy to DPI 330 (532). TMS 320 may transmit the overall connectivity policy to DPI 330.

Although not shown, the DPI 330 may optionally analyze the packet to identify the user terminal and transmit the user terminal identification information to the TMS 320. In this case, the TMS 320 may transmit the connection policy specified by the corresponding identifier to the DPI 330.

Packets from the user terminal 10 are transmitted to the DPI 330. DPI 330 can analyze the packet and extract connection information. DPI 330 compares connection information and connection policy to control traffic to user terminal 10 . The traffic control process is as described above.

If the user terminal 10 is based on a whitelist, the DPI 330 allows only services according to the registered policy (552) and blocks other traffic (551). If the user terminal 10 is based on a blacklist, the DPI 330 blocks only services corresponding to the registered policy (551) and allows other traffic (552).

Further, the traffic control method and the operation method of the traffic control device as described above can be implemented as a program (or application) including an executable algorithm that can be executed by a computer. The program may be provided and stored on a temporary or non-transitory computer readable medium.

A non-transitory readable medium is a medium that stores data semi-permanently and can be read by a device, rather than a medium that stores data for a short period of time, such as a register, cache, or memory. means. Specifically, the various applications or programs mentioned above can be applied to CDs, DVDs, hard disks, Blu-ray discs, USBs, memory cards, ROMs (read-only memories), PROMs (programmable read only memories), and EPROMs (Erasable PROMs, EPROMs). Alternatively, the information may be stored in a non-transitory readable medium such as an electrically EPROM (EEPROM) or a flash memory.

Temporarily readable media are static lum (STATIC RAM, SRAM), dynamic rums (Dynamic RAM, DRAM), synchronus de Diram (Synchronous DRAM, SDRAM), 2x -speed SDRAM (DOUBLE DATA (DOUBLE DATA). Rate SDRAM, DDR SDRAM), enhanced type It refers to various types of RAM such as SDRAM (Enhanced SDRAM, ESDRAM), Synclink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).

This example and the drawings attached to this specification only clearly show a part of the technical idea included in the above-mentioned technology, and the technical ideas included in the specification and drawings of the above-mentioned technology are It can be said that all modifications and specific embodiments that can be easily deduced by those skilled in the art within the scope of the concept are included in the scope of rights of the above-mentioned technology.

Claims (6)

When the subscriber identification information of a user terminal is registered in the mobile communication core network, the traffic management device registers the IMEI (International Mobile Equipment Identity) of the user terminal and blacklists or whitelists the user terminal. The stage of registering as a terminal;
attaching the user terminal to the mobile communication core network;
a packet analysis device receiving a packet requesting network connection for a specific service from the packet data processing system of the mobile communication core network, and extracting connection information of the user terminal from the packet; Comparing the connection information with a preset connection policy of the traffic management device and controlling the intranet connection of the user terminal or the Internet connection via the intranet based on a blacklist or whitelist. Although it includes
The packet data processing system, the packet analysis device, and the traffic management device are included in a private network system, and the private network system is an independent network system that is not controlled by a control policy device of the mobile communication core network;
(i) If the connection information includes location information extracted from authentication information generated when the user terminal connects to the mobile communications core network, the packet analysis device determines the location of at least one base station. controlling the connection by determining whether the location of the user terminal specified as a reference is located within a specific area of the connection policy;
(ii) If the connection information includes the time at which the network connection is requested, the packet analysis device determines whether the time falls within a specific day of the week or a specific time of day in the connection policy; controlling said connection;
(iii) If the connection information includes service information requested through the network connection, the service information consists of an IP, an IP and port number, a TCP or UDP port number, a name of a host, a name of a domain, and a name of an application. at least one selected from the group, the packet analysis device controls the connection by determining whether the service information matches the service target of the connection policy;
A traffic control method in a mobile communication network-based private network. The method of controlling traffic in a mobile communication network-based private network according to claim 1, further comprising the step of the traffic management device receiving the connection policy for controlling traffic of the user terminal from a manager device. a packet data processing system of a mobile communication core network to which a user terminal is attached;
a traffic management device that has a connection policy stored in advance; and a traffic management device that receives a packet requesting network connection from the packet data processing system, extracts connection information of the user terminal from the packet, and determines the connection of the traffic management device. The user terminal includes a packet analysis device that compares the connection information with a policy and controls an intranet or an Internet connection via the intranet based on a blacklist or a whitelist;
The connection policy includes at least one of a white list defining targets to which traffic is allowed or a black list defining targets to block traffic,
The packet data processing system is included in a private network system that is not controlled by a control policy device of the mobile communication core network.
(i) If the connection information includes location information extracted from authentication information generated when the user terminal connects to the mobile communications core network, the packet analysis device determines the location of at least one base station. controlling the connection by determining whether the location of the user terminal specified as a reference is located within a specific area of the connection policy;
(ii) If the connection information includes the time at which the network connection is requested, the packet analysis device determines whether the time falls within a specific day of the week or a specific time of day in the connection policy; controlling said connection;
(iii) If the connection information includes service information requested through the network connection, the service information consists of an IP, an IP and port number, a TCP or UDP port number, a name of a host, a name of a domain, and a name of an application. at least one selected from the group, the packet analysis device controls the connection by determining whether the service information matches the service target of the connection policy;
Mobile communication network-based private network system. The mobile communication network-based private network system according to claim 3, further comprising a manager device that generates the connection policy and transmits it to the traffic management device. The connection information includes an IMEI (International Mobile Equipment Identity) of the user terminal,
The policy information includes an IMEI of the user terminal that is registered when subscriber identification information of the user terminal is registered in a mobile communication network;
4. The mobile communication network-based private network system according to claim 3, wherein the packet analysis device blocks traffic to the user terminal if the IMEI of the user terminal is not information registered in the connection policy. The packet analysis device allows only the services included in the connection policy to be provided to the user terminal if the user terminal belongs to the whitelist;
4. The mobile communication network-based private network system according to claim 3, wherein if the user terminal belongs to the blacklist, only the services included in the connection policy are cut off to the user terminal.

Images