IP network system and its access control method, IP address distributing device, and IP address distributing method

US 8,605,582 B2
Filed: 11/06/2008
Issued: 12/10/2013
Est. Priority Date: 11/08/2007
Status: Active Grant

First Claim

Patent Images

1. An IP address generating device comprising:

an address generation request receiving unit which receives a request to generate an IP address from a terminal device;

an IP address generating unit which sets a specific area in a node identifier of the IP address as an access control data area, and generates the IP address including a communication policy which is embedded in the access control data area and indicates whether a packet is to be admitted or not, wherein the IP address generating unit generates the IP address in response to the request; and

a communication policy searching unit which determines the communication policy based on user information for a terminal device to which the IP address is distributed, when the IP address is generated, andwherein the access control data area is located at a following bit of a PrefixID field which is included in the request and containing data identifying a network to which the address is to be distributed, and wherein the communication policy consists of a single bit, and the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An IP network system includes an IP address generating device that sets a specific area in a node identifier of an IP address as an access control area that can be filtered by a network layer control device, and generates an IP address including a communication policy of the IP network system embedded in the access control area, and the network layer control device capable of filtering the access control area, wherein the network layer control device is configured to perform filtering setting according to the communication policy and thereby performs access control.

Citations

25 Claims

1. An IP address generating device comprising:
- an address generation request receiving unit which receives a request to generate an IP address from a terminal device;
  
  an IP address generating unit which sets a specific area in a node identifier of the IP address as an access control data area, and generates the IP address including a communication policy which is embedded in the access control data area and indicates whether a packet is to be admitted or not, wherein the IP address generating unit generates the IP address in response to the request; and
  
  a communication policy searching unit which determines the communication policy based on user information for a terminal device to which the IP address is distributed, when the IP address is generated, andwherein the access control data area is located at a following bit of a PrefixID field which is included in the request and containing data identifying a network to which the address is to be distributed, and wherein the communication policy consists of a single bit, and the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The IP address generating device according to claim 1, wherein the communication policy searching unit determines the communication policy based on available time information associated with the terminal device, wherein the available time information indicates a time when access is permitted to be granted.
  - 3. The IP address generating device according to claim 1, wherein the communication policy searching unit determines the communication policy based on user attribute information associated with the terminal device.
  - 4. The IP address generating device according to claim 1, further comprising:
    - a user ID searching unit which manages a user ID associated with user information of a terminal device to which the IP address is distributed, and notifies a user ID made by an authentication server when a user of the terminal device is successfully authenticated by the authenticating server, andwherein the communication policy searching unit determines the communication policy based on the user information associated with the user ID.
  - 5. The IP address generating device according to claim 4, wherein the user ID searching unit obtains the user ID and a layer-2 identifier of the terminal device successfully authenticated by the authenticating server, andthe IP address generating unit generates an IP address specific to the user ID even if a layer-2 identifier of the terminal device is identical to another layer-2 identifier.
  - 6. The IP address generating device according to claim 4, wherein the communication policy searching unit determines the communication policy based on available time information associated with the terminal device, when the IP address is generated.
  - 7. The IP address generating device according to claim 4, wherein the communication policy searching unit determines the communication policy based on user attribute information associated with the terminal device, when the IP address is generated.

8. An IP network system comprising:
- a network control device that performs access control, andan address generation request receiving unit which receives a request to generate an IP address from a terminal device;
  
  an IP address generating device that sets a specific area in a node identifier of an IP address as an access control area, and generates the IP address including a communication policy which is embedded in the access control area and indicates whether a packet is to be admitted or not, wherein the IP address generating unit generates the IP address in response to the request;
  
  wherein the network layer control device is configured to perform filtering setting according to the communication policy which consists of a single bit;
  
  wherein the IP address generating device is configured to determine the communication policy based on user attribute information associated with the terminal device; and
  
  wherein the access control data area is located at a following bit of a PrefixID field which is included in the request and containing data identifying a network to which the address is to be distributed, and wherein the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address.
- View Dependent Claims (9, 10, 11)
- - 9. The IP network system according to claim 8, wherein the network layer control device is configured to perform the access control dynamically, by changing data in the access control area of the IP address dynamically when the IP address generating device generates an IP address.
  - 10. The IP network system according to claim 8, further comprising a terminal device,wherein the network layer control device is configured to perform filtering control of the IP address based on attribute information of a user, by determining the communication policy based on the attribute information for the user of the terminal device to which the IP address is distributed and to generate data for the access control area according to the determined communication policy when the IP address generating device generates the IP address.
  - 11. The IP network system according to claim 10, further comprising an authenticating device,wherein the terminal device is configured to request, when obtaining the IP address, the authenticating device to provide authentication, and to request, if the authentication by the authentication device succeeds, the IP address generating device to generate the IP address to access the IP network system.

12. An IP address generating method, with which an IP address generating device generates an IP address for a terminal device, the method comprising:
- setting a specific area in a node identifier of the IP address as an access control area; and
  
  generating an IP address including a communication policy which is embedded in the access control area and indicates whether a packet is to be admitted or not;
  
  wherein the communication policy is determined based on user information for the terminal device to which the IP address is distributed, when the IP address is generated, and the communication policy consists of a single bit, and the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address, andwherein the IP address is generated in response to a request from the terminal device by locating the access control data area at a following bit of a PrefixID field which is included in the request and containing data identifying a network to which the address is to be distributed.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The IP address generating method according to claim 12, wherein the communication policy is determined based on available time information associated with the terminal device, wherein the available time information indicates a time when access is permitted to be granted.
  - 14. The IP address generating method according to claim 12, wherein the communication policy is determined based on user attribute information associated with the terminal device.
  - 15. The IP address generating method according to claim 12, wherein, by associating user information of the terminal device to which the IP address is distributed with a user ID managed by an authenticating server capable of user authentication, the communication policy based on the user information is determined for the terminal device, the user of which has been successfully authenticated, upon being notified of the user ID made by the authenticating server when the user of the terminal device is successfully authenticated by the authenticating server.
  - 16. The IP address generating method according to claim 15, wherein by obtaining the user ID and a layer-2 identifier of the terminal device successfully authenticated by the authenticating server, an IP address specific to the user ID is generated even if the layer-2 identifier of the terminal device is identical to another layer-2 identifier.

17. A method of controlling access in an IP network system including a terminal device, a network layer control device, and an IP address generating device, the method comprising:
- a setting and generating operation of the IP address generating device comprising setting a specific area in a node identifier of an IP address as an access control area and generating an IP address including a communication policy which is embedded in the access control area and indicates whether a packet is to be admitted or not, wherein the IP address is generated in response to a request from the terminal device by locating the access control data at a following bit of a PrefixID field which is included in the request and containing data identifying a network to which the address is to be distributed;
  
  a receiving and accessing operation of the terminal device comprising receiving the IP address generated by the IP address generating device and accessing the IP network system with the received IP address; and
  
  a controlling operation of the network layer control device having the filtering setting set according to the communication policy comprising performing access control according to the communication policy, based on the IP address issued by the terminal device;
  
  wherein the communication policy is generated based on user attribute information associated with the terminal device, and the communication policy consists of a single bit, and the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address.
- View Dependent Claims (18)
- - 18. The method of controlling access according to claim 17, the IP network system further comprising an authentication device, wherein the method further comprises:
    - a requesting operation of the terminal device comprising requesting the authentication device to provide authentication when obtaining an IP address; and
      
      a requesting operation of the terminal device comprising requesting the IP address generating device to generate the IP address to access the IP network system if the authentication by the authentication device succeeds.

19. A computer readable non-transitory memory containing a program of instructions for enabling a computer, serving as an IP address generating device configured to generate an IP address for a terminal device, to execute processes, comprising:
- a setting process comprising setting a specific area in a node identifier of the IP address as an access control area; and
  
  a generating process comprising generating the IP address including a communication policy which is embedded in the access control area and indicates whether a packet is to be admitted or not;
  
  wherein the IP address is generated in response to a request from the terminal device by locating the access control data area at a following bit of a PrefixID field which is included in the request and containing data identifying a network to which the address is to be distributed; and
  
  wherein the communication policy is determined based on user information for a terminal device to which the IP address is distributed, when the IP address is generated, and the communication policy consists of a single bit, and the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer readable non-transitory memory containing the program according to claim 19, wherein the communication policy is determined based on available time information associated with the terminal device, wherein the available time information indicates a time when access is permitted to be granted.
  - 21. The computer readable non-transitory memory containing the program according to claim 19, wherein the communication policy is determined based on user attribute information associated with the terminal device.
  - 22. The computer readable non-transitory memory containing the program according to claim 19, wherein by associating the user information for the terminal device to which the IP address is distributed with a user ID managed by an authenticating server capable of user authentication, the communication policy based on the user information is determined for the terminal device, the user of which has been successfully authenticated, upon being notified of the user ID made by the authenticating server when the user of the terminal device is successfully authenticated by the authenticating server.
  - 23. The computer readable non-transitory memory containing the program according to claim 22, wherein by obtaining a user ID and a layer-2 identifier of the terminal device successfully authenticated by the authenticating server, an IP address specific to the user ID is generated even if the layer-2 identifier of the terminal device is identical to another layer-2 identifier.

24. A computer readable non-transitory memory containing a an IP address generated by an IP address generating unit for a terminal device, comprising:
- a specific area which is set in a node identifier of the IP address as an access control area, andwherein the IP address includes a communication policy which is embedded in the access control area, and includes whether a packet is to be admitted or not;
  
  wherein the communication policy is determined based on user information for a terminal device to which the IP address is distributed, and consists of a single bit;
  
  wherein the IP address further comprises a PrefixID field containing data identifying a network to which the address is to be distributed, and the access control data area is located at a following bit of the PrefixID field; and
  
  wherein the access control data area is located at a leading bit of an interface ID (IFID) when the IP address is an IPv6 address, and the access control data area is located at a host unit when the IP address is an IPv4 address.

25. A computer readable non-transitory memory containing an IP address generated by an IP address generating unit for a terminal device, comprising:
- a specific area which is set in a node identifier of the IP address as an access control area; and
  
  wherein the IP address includes a communication policy which is embedded in the access control area, and includes whether a packet is to be admitted or not;
  
  wherein the communication policy is determined based on user information for a terminal device to which the IP address is distributed, and consists of a single bit;
  
  wherein the IP address for a terminal device further comprises a PrefixID field containing data identifying a network to which the address is to be distributed, and the access control data area is located at a following bit of the PrefixID field; and
  
  wherein the access control data area is located at the 65th bit of the address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Iwai, Takanori
Primary Examiner(s)
SEFCHECK, GREGORY B

Application Number

US12/266,097
Publication Number

US 20090122798A1
Time in Patent Office

1,860 Days
Field of Search

None
US Class Current

370/230
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 61/35   involving non-standard use ...

H04L 61/5014   using dynamic host configur...

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

IP network system and its access control method, IP address distributing device, and IP address distributing method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

IP network system and its access control method, IP address distributing device, and IP address distributing method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links