JP2008022167A - Equipment terminal device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To eliminate problems such as false impersonation, communication trace by a third party (violation of privacy), and duplication of address, in remote access communication of an apparatus terminal device. <P>SOLUTION: The apparatus terminal device with a communication function via the Internet comprises a holding means 201 for holding a plurality of embedded unique addresses in advance; and a generating means 203 which selects an optimum address depending on the network environment to which the apparatus terminal device is connected from among the embedded addresses held by the holding means 201, and generates an address using the selected optimum embedded address. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a device terminal device used when remote access communication is performed with a user-owned nonPC device from a remote location to a nonPC device at home in communication between nonPC devices via the Internet. More specifically, the present invention relates to a device terminal device having a firewall system that easily passes through a firewall of a home network and realizes access to a nonPC device in the home.

  At present, many information home appliances equipped with a network communication function have appeared. In addition, services such as browsing the video of a web camera at home via the Internet and setting a recording reservation for a video recorder at home via the Internet are being performed. In the future, as the ubiquitous networking progresses, it can be easily predicted that such non-PC devices compatible with the network will provide various services.

  In particular, it will be more demanded to remotely access a nonPC device installed at home from a nonPC device taken outside. However, various technical problems remain in remote access communication via the Internet using such nonPC devices.

  Until now, when performing remote access from an external network to an in-house network or the like, a remote access method using another reliable line has been used. For example, a remote access server connected to a general public network line (telephone line) is installed in the in-house network, dial-up connection is made to the telephone number, and user authentication is performed to connect to the in-house network. However, since the above remote access method has a small bandwidth and a high communication cost, in recent years, remote access methods using other lines have appeared.

  The SSL-VPN technology is a method in which IP communication used on the Internet is directly used as a remote access line. At this time, connection source / destination authentication using SSL technology is performed to reduce costs and improve operational convenience.

  In addition, there is a remote access method using IPsec. However, the remote access method as described above is a method that assumes remote access from a PC, and can be said to be a method that places importance on security functions. In a nonPC device, there are cases where it is difficult to implement the above-mentioned remote access method with an emphasis on security with limited resources of the nonPC device. In the first place, unlike a PC, remote access by a nonPC device is intended for access itself, and there are many aspects that are considered to provide at least a minimum security function.

  For example, suppose that a user purchases a Web camera that can distribute video over the Internet and a viewer that browses the video. For requests to check the state of pets at home from the outside, there are few scenes that require encryption of communication contents during remote access, rather high-quality images, high frame rate images, and easier Improvement of operability that can realize remote access is desired.

  As described above, in the case of remote access by a nonPC device, it is not optimal to use the remote access technology that has been used by PCs so far. Various studies have been conducted on remote access technology specialized for such non-PC devices. One of them is a firewall system that makes use of the characteristics of IPv6 addresses (see, for example, Patent Document 1).

  In the above firewall system, the host part of the IPv6 address is fixedly determined and given a meaning, and policy setting and packet check are realized only by the host part. This aims to reduce and simplify the load of external access control work on the nonPC device (that is, the work of setting the external access permission / non-permission of the target nonPC device by the purchaser of the nonPC device). Such a remote access method for changing the policy of the firewall or the packet filter minimizes the security function for remote access on the nonPC device side, which leads to preventing the cost increase of the nonPC device to some extent.

Japanese Patent Laid-Open No. 2004-289788

  However, the firewall setting by the IPv6 host unit as described above has a very weak aspect because the address information is directly used for remote access authentication.

  First, there is a case where the host part of the IPv6 address cannot be fixedly set depending on the connected network environment. That is, the host part of the IPv6 address must be unique within the same segment. For this reason, if terminals having the same host part exist in the same segment, the host part must be changed because the address by the host part is already in use.

  Next, in the IPv6 address generation rule, the host unit can set any bit string. That is, an embedded host address incorporated in a certain nonPC device can be set as a host unit of another terminal (for example, a PC capable of manually setting an IPv6 address). This makes it possible to easily impersonate the corresponding device in a system in which authentication is performed by the host unit.

  Finally, there is a privacy problem that what kind of terminal device communicates from the IPv6 address is traced. By performing IPv6 address setting and communication by a fixed host unit, the communication log is analyzed, and it is easy to determine what terminal is communicating with which terminal. . In particular, in the case of a nonPC device, it is a big problem as a privacy problem to analyze what device the user has from a communication log.

The present invention has been made in view of the above problems of the background art, and aims to improve a firewall authentication system in communication between non-PC devices.
Another object of the present invention is to solve problems such as misrepresentation, communication trace (privacy) by a third party, address duplication, etc. by more intelligently setting the address of the nonPC device in the external network.

  The device terminal device of the present invention is a device terminal device equipped with a communication function via the Internet, and holding means for holding a plurality of unique built-in addresses in advance, and the built-in held by the holding means Generating means for selecting an address according to a connected network environment and generating an address using any one of the selected built-in addresses.

  According to the present invention, problems such as misrepresentation, communication trace (privacy) by a third party, address duplication, and the like are solved in remote access of a device terminal device.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a network configuration diagram of an embodiment of the present invention.

  In FIG. 1, reference numeral 100 denotes the Internet, which enables communication using the IPv6 protocol. Reference numeral 101 denotes a Web camera. The Web camera 101 can distribute video using an IPv6 communication protocol.

  Reference numeral 102 denotes a viewer. The viewer 102 can receive and display video using the IPv6 communication protocol. In other words, the web camera 101 and the viewer 102 communicate via the Internet, thereby enabling remote video browsing. Reference numeral 103 denotes a user home LAN. Reference numeral 104 denotes a firewall.

  The firewall 104 can define a policy by a host part of an IPv6 address. That is, only the host part (lower 64 bits) of the IPv6 address can be compared with the address of the policy information, and the packet can be passed or discarded.

  Reference numeral 105 denotes an authentication server. The authentication server 105 is a server managed by the manufacturer of the Web camera 101 or the viewer 102 or a service vendor entrusted with it, and holds information incorporated in each device at the time of manufacture.

  Specifically, built-in addresses are stored in the Web camera 101 and the viewer 102 at the time of manufacture, and all of the information is also stored on the server side. Then, regarding the built-in address of the device, it is determined whether or not the address is indeed incorporated into the product. Reference numeral 106 denotes an external network.

  FIG. 2 is an internal module configuration diagram of the viewer 102, the firewall 104, and the authentication server 105 in an embodiment of the present invention.

  First, the internal module configuration of the viewer 102 will be described. Reference numeral 201 denotes address data, which stores a built-in address of a device to be incorporated when the device is manufactured. Reference numeral 202 denotes a firewall setting module, which is a module for making a request to change the policy setting of the firewall 104. An address generation module 203 performs processing for generating an IPv6 address. Reference numeral 204 denotes an environment detection module that performs processing for detecting that the viewer 102 is connected to an external network different from the home network.

  Next, the internal module configuration of the firewall 104 will be described. Reference numeral 205 denotes a remote setting module, which receives a policy setting request from the firewall setting module 202 and performs a process of correcting policy data to be described later.

  The policy setting application exchanged between the firewall setting module 202 and the remote setting module 205 uses general firewall remote setting means (such as http, telnet, and ssh). Reference numeral 206 denotes policy data, which stores policy information describing conditions for passing and discarding packets that pass through the firewall.

  A firewall module 207 compares received packet information with the policy information stored in the policy data 206, and performs packet passing and discarding processing. Reference numeral 208 denotes an address authentication module, which authenticates the contents of the policy setting application received from the firewall setting module 202 received by the remote authentication module 205. Specifically, a built-in address inquiry application that extracts a built-in address of a device in a policy setting application from the firewall setting module 202 and inquires of the authentication server 105 whether there is a correct device built-in address. Issue. Only policy setting applications that pass this address authentication process are accepted, and the policy data is updated.

  Reference numeral 209 denotes an embedded address authentication module installed in the authentication server 105. The embedded address inquiry application from the address authentication module 208 is received, the embedded address information in the embedded address inquiry application is extracted, and compared with the embedded address of the device stored in the authentication server 105. Here, if the embedded address inquired in the embedded address inquiry application is surely an embedded address incorporated in the device at the time of manufacture, authentication completion is returned, and if not, authentication failure is returned. Reference numeral 210 denotes device data, which holds a built-in address incorporated when the device is manufactured.

  FIG. 3 is a diagram for explaining the entire sequence in one embodiment of the present invention. The Web camera 101 connected to the user home LAN 103 is 301. The viewer 102 connected to the user home LAN 103 is 302. The firewall 104 connected to the user home LAN 103 is 303.

  On the other hand, the viewer 302 connected to the user's home LAN 103 can be taken out of the user's home, moved to the external network 106, and the viewer connected is 304. The authentication server 105 connected to the Internet 100 is 305.

  First, the user connects each device to the user home LAN 103. Next, the Web camera 301 connected to the user home LAN 103 is set to enable the video distribution service. On the other hand, in the viewer 302 connected to the user's home LAN 103, when connected to the user's home LAN 103, the environment detection module 204 operates to perform connection environment detection processing.

  At this time, when connected to the home network for the first time, a firewall policy setting application is made by the firewall setting module 202 (311). Specifically, the built-in address held by the viewer 302 connected to the user home LAN 103 is transmitted to the firewall 303 connected to the user home LAN 103.

  Having received the firewall policy setting application from the viewer 302 connected to the user home LAN 103, the firewall 303 connected to the user home LAN 103 makes an embedded address inquiry application to the authentication server 305 by the address authentication module 208 (312).

  The authentication server 305 that has received the built-in address inquiry application 312 determines whether the built-in address of the inquiry is surely an address pre-installed in the device manufactured by the company, and connected the result to the user home LAN 103. It returns to the firewall 303 (313).

  The firewall 303 connected to the user home LAN 103 that has received the embedded address inquiry application result 313 determines reception of the firewall policy setting application 311 requested by the viewer 302 connected to the user home LAN 103 based on the result.

  Specifically, when the result 313 of the embedded address inquiry application is authentication completion, the registered embedded address is the host part of the IPv6 address as the source address, and the user home is the destination address. A policy setting that permits passage of a packet having the address of the LAN 103 is input to the policy data. The result of the firewall policy setting application 311 is transmitted from the firewall 303 connected to the user home LAN 103 to the viewer 302 connected to the user home LAN 103 (314).

  The viewer 302 connected to the user home LAN 103 that has completed the firewall policy setting application 311 sets its own IP address, and communicates with the Web camera 301 connected to the user home LAN 103 existing in the user home LAN 103.

  Now, the user takes out the viewer 302 connected to the user home LAN 103 outside the home and connects to the external network (315).

  The viewer 304 connected to the external network is subjected to environment detection processing by the environment detection module 204, and an address is set (316).

  Details regarding this processing will be described later. When the address setting 316 by the environment detection processing detects the environment, the viewer 304 connected to the external network acquires the address of the Web camera 301 connected to the user home LAN 103 as a communication partner using some means. Then, an image browsing request is communicated to the Web camera 301 connected to the user home LAN 103 (317).

  The firewall 303 connected to the user home LAN 103 receives the packet 317 for the image browsing request, and the firewall module 207 performs a check. At this time, if the policy by the firewall policy setting application 311 is entered in the policy data 206, the image browsing request communication 317 is permitted to pass, and the packet is transferred to the Web camera 301 connected to the user home LAN 103. (318).

  The Web camera 301 connected to the user home LAN 103 that has received the image browsing request receives the request and returns image data (319). The firewall 303 connected to the user home LAN 103 that has received the image data 319 is similarly checked by the firewall module 207 and transfers the image data (320). The viewer 304 connected to the external network that has received the image data 320 browses the image data to the viewer.

  FIG. 4 shows an example of address information stored in the address data 201 of the viewer 102 according to an embodiment of the present invention.

  Reference numeral 401 denotes a built-in address, which is a host part of an IPv6 address incorporated at the time of device manufacture. Reference numeral 402 denotes a prefix at the time of registration, which is prefix information (network part information of an IPv6 address) when firewall policy setting is performed by the firewall setting module 202.

  Reference numeral 403 denotes use prefix information, which is prefix information when an IPv6 global address is generated using a corresponding built-in address. Reference numeral 404 denotes a set time, which is the time when the corresponding built-in address is used. Reference numerals 411 to 413 denote embedded address entries.

  Here, the contents in FIG. 4 will be described in detail. In the entry 411, since the prefix at the time of registration and the usage prefix are different, it is understood that this built-in address was last used in the external network.

  Note that the time used in the external network is 12:00:31 on December 22, 2004. In the entry 412, since the prefix and the use prefix at the time of registration are the same, it is found that this built-in address is the last used in the home network.

  Since the entry 413 does not have a use prefix and a set time, it can be seen that the built-in address has not been used yet though the firewall policy setting process has been performed.

  FIG. 5 is a diagram showing a processing flow of the environment detection module 204 in one embodiment of the present invention.

  First, the activation of the environment detection module is RA reception by 501. When the RA is received, information in the RA is acquired. Specifically, the network prefix is information on the network part of the IPv6 address to be used in the network to which the viewer 102 is connected. In 502, the registration-time prefix information in the address data 201 is obtained from all entries.

  Then, in 503, it is determined whether or not the registration-time prefix information acquired in 502 exists. Here, if the firewall policy setting application 311 has already been made for the firewall, the process proceeds to 504 because the prefix information at the time of registration exists.

  On the other hand, if the firewall policy setting application 311 has not been made, there is no prefix at the time of registration, and the process proceeds to 513.

  When the firewall policy setting has been completed, the RA information acquired in 501 in 504 is compared with a plurality of registration prefix information acquired in 502 to determine whether there is a matching entry. . If there is one or more entries that match the RA information and the prefix upon registration, the process proceeds to 512, and if there is no matching entry, the process proceeds to 505. That is, this determination is a determination as to whether or not a connection has been made to a network for which a firewall policy setting application has been made previously.

  When connected to an external network, the used prefix information is acquired from the address data 201 at 505 from all entries. In 506, the RA information acquired in 501 is compared with the use prefix information acquired in 505, and it is determined whether or not there is an unmatched entry. If there is one or more entries whose RA information and usage prefix do not match, the process proceeds to 507, and if all the usage prefixes match RA, the process proceeds to 511. Based on this determination, the built-in address entries used in the past are extracted from the external network to which the viewer 102 is connected.

  In 507, an entry having different RA information and usage prefix is acquired in 506. Then, the embedded address of the corresponding entry is acquired at 508, and the RA information acquired at 501 is overwritten and registered in the use prefix field of the corresponding entry at 509. In 510, the RA information acquired in 501 and the embedded address acquired in 508 are passed to the address generation module 203 to generate an address.

  The above processing flow is a flow when the viewer 102 completes the firewall policy setting processing in the user home LAN 103 and is connected to the external network for the first time or the second to third times. Hereinafter, the processing flow in the case of different situations will be described.

  For example, it is assumed that the viewer 102 has completed the firewall policy setting process in the user home LAN 103 and has connected to the same external network many times. In this case, in the determination at 506, the process proceeds to 511. In other words, this is a case where the RA information acquired in 501 exists in the use prefix of all entries existing in the address data 201.

  In 511, the set time items of all entries are extracted, and the oldest item entry is acquired at that time. Subsequent processing is continued from 508 of the previous description. That is, among the built-in addresses used in the past in the corresponding external network, the oldest built-in address is used.

  Next, it is assumed that the viewer 102 completes the firewall policy setting process in the user home LAN 103, connects to the same external network several times, and then connects to the user home LAN 103 again. In this case, the process proceeds to 512 according to the determination in 504. In other words, if at least one RA information acquired at 501 matches the prefix information at the time of registration of all entries acquired at 502, the process proceeds to 512. In 512, in the determination of 504, an arbitrary entry is acquired from the entry in which the RA information matches the registration prefix. This is because the built-in address for which the firewall policy setting has been completed is used in the home network. Thereafter, the processing proceeds to 508.

  Finally, it is assumed that the viewer 102 has never performed firewall policy setting processing in the user home LAN 103. In this case, the process proceeds to 513 in the determination of 503. At 513, firewall policy setting processing is performed. In 514, the RA information acquired in 501 is registered in the prefix item at the time of registration of the entry of the embedded address that has been set in 513. Then, the processing proceeds to 512, and the built-in address for which the firewall policy setting has been completed is used.

  Note that the firewall policy setting in 513 is basically performed for all embedded addresses existing in the address data 201. Further, only a part of the built-in addresses existing in the address data 201 can be used for firewall policy setting, and the determination is not defined in the present invention. The embodiment of the present invention has been described above.

1 is a configuration diagram of a network system according to an embodiment of the present invention. It is an internal module block diagram of the network system which concerns on embodiment of this invention. It is a figure for demonstrating the whole sequence of the network system which concerns on embodiment of this invention. It is a figure which shows the address data information regarding the network system which concerns on embodiment of this invention. It is a figure for demonstrating the processing flow regarding the network system which concerns on embodiment of this invention.

Explanation of symbols

100 Internet 101 Web camera 102 Viewer 103 User home LAN
104 Firewall 105 Authentication Server 106 External Network 201 Address Data 202 Firewall Setting Module 203 Address Generation Module 204 Environment Detection Module 205 Remote Setting Module 206 Policy Data 207 Firewall Module 208 Address Authentication Module 209 Built-in Address Authentication Module 210 Device Data

Claims (4)

A device terminal device equipped with a communication function via the Internet,
Holding means for holding a plurality of unique embedded addresses in advance;
Generating means for selecting the built-in address held by the holding means according to a connected network environment, and generating an address using any of the selected built-in addresses. Equipment terminal device.   The holding means holds embedded address information used for address generation in the past, and the generating means selects the embedded address in consideration of the embedded address information of the holding means. The device terminal device according to claim 1.   A plurality of unique built-in addresses held in advance by the holding means are transmitted to the firewall device, and the plurality of unique built-in addresses held in advance are designated as source addresses from the Internet. The apparatus terminal device according to claim 1, further comprising a setting unit configured to set a firewall policy that allows communication packets to pass.   Receiving a plurality of unique built-in addresses held in advance by the device terminal device, determine whether the received built-in address is a built-in address that is surely built in the corresponding device terminal device, The apparatus terminal device according to any one of claims 1 to 3, further comprising a changing unit that changes the setting of the firewall policy according to a result of the determination.

Images