JP2012205073A - Node device, server apparatus, and node connection management method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a node device, a server apparatus, and a node connection management method, which enable management of appropriate connection of devices also in consideration of the topology of a communication network.SOLUTION: A node device includes an acquisition part, a first transmission part, a reception part, and a connection control part. The acquisition part acquires slave node authentication information and slave node identification information from a slave node in advance of establishing a logical connection between the node device and the slave node. The first transmission part transmits the slave node authentication information to an authentication server and transmits topology verification information to a topology verification server. The reception part receives an authentication result of the authentication server and a verification result of the topology verification server. If the slave node is authenticated by the authentication server and if the logical connection between the node device and the slave node is determined to be right by the topology verification server, the connection control part establishes the logical connection between the node device and the slave node.

Description

  Embodiments described herein relate generally to a node device, a server device, and a node connection management method.

  In various communication networks constituting a next-generation energy supply system called a smart grid, the use of unauthorized devices causes enormous damage, so the connection of devices to the communication network is managed by an electric power company or the like. For example, when a smart meter is connected to an AMI (Advanced Metering Infrastructure) system, an electric power company performs authentication processing on the smart meter to verify its validity. Only smart meters that have been validated by the electric power company can transmit and receive application data on the AMI system.

  However, in such a device connection management method, if the validity of the device is recognized, it is possible to connect to the communication network, so that the valid device is mistaken for another device not originally intended for connection on the communication network. Even if they are connected, logical connection between the devices is permitted. For example, even if a neighbor's home energy management system (HEMS) is connected to a home smart meter, if the neighbor's HEMS is validated, the logic between the neighbor's HEMS and the home smart meter There is a problem that connection is permitted and unexpected communication is performed, so that connection management of devices to the communication network cannot be performed appropriately.

“Guidelines for Smart Grid Cyber Security: Vol. 3, Supportive Analyses and References”, NIST Interoperability Requirements 7628, August 2010

  The problem to be solved by the present invention is to provide a node device, a server device, and a node connection management method that enable appropriate device connection management in consideration of the topology of a communication network.

  The node device according to the embodiment is a node device constituting a communication network. The node device includes an acquisition unit, a first transmission unit, a reception unit, and a connection control unit. The acquisition unit acquires, from the subordinate node, subordinate node authentication information and subordinate node identification information used for authentication of the subordinate node prior to establishing a logical connection with a subordinate node having a lower logical connection relationship. To do. The first transmission unit transmits the subordinate node authentication information to a first server device that authenticates the node on the communication network, and includes a topology including the subordinate node identification information and the self node identification information. The verification information is transmitted to the second server device that determines whether the logical connection between the nodes on the communication network is valid. The reception unit receives the authentication result of the subordinate node performed by the first server device based on the subordinate node authentication information, and is performed by the second server device based on the topology verification information. A determination result of the validity of the logical connection with the subordinate node is received. When the subordinate node is authenticated by the first server device and the logical connection between the subordinate node and the subordinate node is determined to be valid by the second server device, the connection control unit Establish a logical connection with the node.

  The server device according to the embodiment is a server device that determines whether logical connection between nodes on the communication network is valid. The server device includes a holding unit, a receiving unit, a determining unit, and a transmitting unit. The holding unit holds topology information indicating a relationship between nodes in which logical connection is allowed in the communication network and conditions for establishing the logical connection. Prior to establishing a logical connection between any subject node on the communication network and a subordinate node having a lower logical connection relationship with the subject node, Topology verification information including identification information and identification information of the subject node is received. The determination unit compares the topology verification information with the topology information and determines the validity of the logical connection between the subordinate node and the subject node. The transmission unit transmits a determination result of the validity of the logical connection between the subordinate node and the subject node to the subject node.

1 is an overall configuration diagram of a communication network. The functional block diagram which shows the internal function structure of a node apparatus. The conceptual diagram which shows an example of topology verification information. The flowchart explaining operation | movement of a node apparatus. The functional block diagram which shows the internal function structure of an authentication server. The conceptual diagram which shows an example of authentication information. The flowchart explaining operation | movement of an authentication server. The functional block diagram which shows the internal function structure of a topology verification server. The conceptual diagram which shows an example of topology information. The flowchart explaining operation | movement of a topology verification server. The sequence diagram explaining the specific example of a series of operation | movement in the whole communication network. The sequence diagram explaining the specific example of a series of operation | movement in the whole communication network. The conceptual diagram which shows the other example of topology information. The conceptual diagram which shows the other example of topology information. The conceptual diagram which shows the other example of topology information.

(First embodiment)
FIG. 1 is an overall configuration diagram of a communication network including a node device and a server device according to the first embodiment. This communication network includes a plurality of node devices N11, N21, N22, N31, N32, and N33, an authentication server (first server device) AS that authenticates each node device, and a network topology verification between nodes. A topology verification server (second server device) TS that determines whether or not the logical connection is valid.

  In the communication network shown in FIG. 1, a plurality of node devices have an acyclic directed graph topology in which a logical connection relationship is a hierarchical structure. The node at the top of the hierarchy is the first-stage node device N11, and two second-stage node devices N21 and N22 are logically connected to the first-stage node device N11 as nodes lower than the first-stage node device N11. In addition, two third-stage node devices N31 and N32 are logically connected to the second-stage node device N21 as lower nodes of the second-stage node device N21, and 2 nodes as lower-level nodes of the second-stage node N22. Two third stage node devices N32 and N33 are logically connected to the second stage node N22.

  In general, a logical connection has a direction, and an arrow in FIG. 1 indicates the direction of the logical connection. In this specification, a node device having a higher logical connection relationship between two node devices is referred to as a “subordinate node”, and a node device having a lower logical connection relationship is referred to as a “subordinate node”. That is, in the communication network shown in FIG. 1, the subordinate nodes of the first stage node device N11 are the second stage node devices N21 and N22, and the subordinate nodes of the second stage node device N21 are the third stage node devices N31 and N32. The subordinate nodes of the second stage node device N22 are the third stage node devices N32 and N33. The third stage node devices N31, N32, N33 have no subordinate nodes.

  The third-stage node devices N31, N32, and N33 are respectively the second-stage node devices N21 and N22 that are the main nodes with respect to the own node, and the first-stage nodes that are the main nodes with respect to the second-stage node devices N21 and N22. Via the device N11, data transmission / reception with the authentication server AS and the topology verification server TS becomes possible. Further, the second-stage node devices N21 and N22 can transmit and receive data to and from the authentication server AS and the topology verification server TS by way of the first-stage node device N11 that is a main node with respect to the own node. FIG. 1 shows a configuration in which the authentication server AS and the topology verification server TS are connected in series to the first-stage node device N11. However, the authentication server AS and the topology verification server TS are connected to the first-stage node device N11. It may be configured to be connected in parallel. Further, in the communication network shown in FIG. 1, it is assumed that there is at most one logical connection between two node devices, but it is also possible that two logical connections with different directions exist between the two node devices. is there. In this case, the main node and the subordinate node are switched according to the direction of the logical connection.

  In general, the graph topology can be hierarchized. It is possible to define a logical connection of the Nth layer between any two nodes where at least one path exists in the graph topology of the (N-1) th layer, and a logical connection X having the Nth layer. If all of the paths of the graph topology of the (N-1) th layer constituting the network pass through the logical connection Y having the (N-1) th layer, the logical connection X is said to depend on the logical connection Y. For example, the communication network shown in FIG. 1 represents the graph topology of the 0th hierarchy, and the first hierarchy having a logical connection having the first node device N11 as a main node and the third node device N31 as a subordinate node at the upper level. It is possible to define a graph topology. In this case, the logical connection of the graph topology of the first hierarchy having the first node device N11 as the main node and the third node device N31 as the subordinate node is the first node device N11 as the main node and the second node device N21 as the subordinate node. And the logical connection of the graph topology of the 0th hierarchy having the second-stage node device N21 as the main node and the third-stage node device N31 as the subordinate node. The logical connection of the N-th layer graph topology is also simply referred to as the N-th layer logical connection.

  The communication network shown in FIG. 1 can be configured as an AMI system in a smart grid, for example. In this case, examples of the first-stage node device N11 include a micro energy management system (μEMS) and a meter data management system (MDMS) server. An example of the second stage node device N21 is a smart meter. Further, as an example of the second-stage node device N22, there is a CEMS (Community Energy Management System). An example of the third stage node device N31 is an electric vehicle. Moreover, HEMS (Home Energy Management System) is mentioned as an example of the third stage node device N32. An example of the third stage node N33 is a storage battery.

  Each of these node devices has a function to physically connect directly to other node devices in the MAC layer or PHY layer. As an example of physical direct connection in the MAC layer, for example, a predetermined data link protocol frame is transmitted and received between node devices. An example of physical direct connection in the PHY layer is, for example, transmission / reception of radio waves between node devices.

  FIG. 2 is a functional block showing an internal functional configuration common to the first-stage node device N11 and the second-stage node devices N21 and N22 having subordinate nodes (that is, capable of becoming main nodes) in the communication network shown in FIG. FIG. These first-stage node device N11 and second-stage node devices N21 and N22 (hereinafter, collectively referred to as node device Nx when there is no need to distinguish them) are, for example, a CPU, ROM, RAM, input / output circuit, etc. A control function as a main node involved in establishing a logical connection with a subordinate node by executing a control program stored in a ROM using a RAM as a work area, with a microcomputer provided with As described above, the functions of the acquisition unit 101, the first transmission unit 102, the reception unit 103, the connection control unit 104, and the second transmission unit 105 are realized.

  Prior to establishing a logical connection with a subordinate node, the acquiring unit 101 acquires subordinate node authentication information and subordinate node identification information used for subordinate node authentication from the subordinate node. As the subordinate node authentication information, authentication information used for general network access authentication can be used. For example, the IP address or MAC address of the subordinate node can be used as the subordinate node identification information.

  The first transmission unit 102 transmits the subordinate node authentication information acquired by the acquisition unit 101 to the authentication server AS, and topology verification information including the subordinate node identification information acquired by the acquisition unit 101 and the own node identification information. Is transmitted to the topology verification server TS.

  FIG. 3 is a conceptual diagram showing an example of topology verification information. For example, the topology verification information includes subject node identification information, subordinate node identification information, and a physical connection flag. The subordinate node identification information is identification information of the subordinate node acquired by the acquisition unit 101, and the subject node identification information is identification information of the own node that becomes the subject node with respect to the subordinate node. As the identification information of the own node, for example, the IP address or MAC address of the own node can be used. The physical connection flag is 1-bit information indicating whether or not the subordinate node is physically directly connected to the own node, and the MAC layer or PHY layer described above between the subordinate node and the own node. When there is a physical direct connection at “1”, it is “1”, and when it does not exist, “0”. When the topology verification server TS manages a plurality of topology hierarchies, a topology hierarchy level represented by an integer of 0 or more may be used instead of the physical flag. “0” corresponds to the value “1” of the physical connection flag, and values of the other topology hierarchy levels correspond to the value “0” of the physical connection flag.

  The first transmission unit 102 determines whether or not the subordinate node is physically directly connected to the own node, and the subordinate node acquired by the acquisition unit 101 is included in the main node identification information that is identification information of the own node. Topology verification information is generated by adding node identification information and a physical connection flag indicating whether or not there is a physical direct connection between subordinate nodes, and the generated topology verification information is transmitted to the topology verification server TS.

  The receiving unit 103 receives the authentication result of the subordinate node performed by the authentication server AS based on the subordinate node authentication information, and the result of the topology verification process performed by the topology verification server TS based on the topology verification information, that is, The judgment result of the validity of the logical connection between the subordinate node and the own node is received.

  When the subordinate node is authenticated by the authentication server AS, and the topology verification server TS determines that the logical connection between the subordinate node and the own node is valid, the connection control unit 104 is connected to the subordinate node. Establish a logical connection. That is, the connection control unit 104 authenticates the subordinate node by the authentication server AS, and even when the reception unit 103 receives the authentication result of the authentication success, the topology verification server TS performs a connection between the subordinate node and the own node. When it is determined that the logical connection is not valid and the reception unit 103 receives the verification result of the topology verification failure, the logical connection with the subordinate node is not established. The connection control unit 104 can store the identification information of the subordinate node for a certain period of time and immediately reject a connection request from the same subordinate node during this period. Here, the topology verification server TS determines that the logical connection between the subordinate node and the self node is not valid, for example, when the logical connection between the subordinate node and the self node is not assumed, Predetermined constraints for establishing a logical connection between the node and the own node (for example, conditions such as the order of logical connections between node devices on the communication network and the presence or absence of physical direct connection) The case where it does not satisfy is mentioned. Details of topology verification by the topology verification server TS will be described later.

  The second transmission unit 105 updates the connection state indicating that the logical connection is established with the subordinate node when the connection control unit 104 establishes the logical connection with the subordinate node. Connection state update information indicating that the logical connection with the subordinate node is not established when the logical connection with the subordinate node is released while the information is transmitted to the topology verification server TS Is transmitted to the topology verification server TS. As described above, the second transmission unit 105 transmits, to the topology verification server TS, connection state update information for indicating either “established” or “blocked” regarding the state of the logical connection with the subordinate node. Send.

  FIG. 4 is a flowchart for explaining the operation of the node device Nx. The series of processing shown in the flowchart of FIG. 4 is started when the node device Nx receives a logical connection request from another node device that is a subordinate node.

  When the process is started, first, in step S101, the acquiring unit 101 acquires the subordinate node authentication information and the subordinate node identification information from the subordinate node.

  Next, in step S102, the first transmission unit 102 adds the physical node identification information acquired in step S101 to the subject node identification information, which is identification information of the own node, and the physical direct Topology verification information is generated by adding a physical connection flag indicating the presence or absence of connection. Then, the first transmission unit 102 transmits the subordinate node authentication information acquired in step S101 to the authentication server AS, and transmits the generated topology verification information to the topology verification server TS.

  Next, in step S103, the receiving unit 103 receives the authentication result X of the subordinate node from the authentication server AS and also receives the topology verification result Y from the topology verification server TS.

  Next, in step S104, the connection control unit 104 indicates that the authentication result X of the subordinate node received in step S103 indicates that the authentication is successful, and the topology verification result Y received in step S103 indicates that the topology verification is successful. It is determined whether it is what is shown. If either the authentication result X of the subordinate node or the verification result Y of the topology indicates failure (step S104: No), the connection control unit 104 determines the logic between the subordinate node in step S105. The establishment of the connection is rejected, and the series of processing ends.

  On the other hand, when both the authentication result X of the subordinate node and the verification result Y of the topology indicate success (step S104: Yes), the connection control unit 104 performs logic between the subordinate node and the subordinate node in step S106. Approve connection establishment. When the logical connection with the subordinate node is established before the predetermined time elapses (step S107: Yes, step S108: No), the second transmission unit 105 establishes a connection with the subordinate node in step S109. The connection state update information indicating that the logical connection is established between them is transmitted to the topology verification server TS, and the series of processes is terminated.

  On the other hand, when the connection control unit 104 has approved the establishment of the logical connection with the subordinate node but the predetermined time has elapsed without establishing the logical connection with the subordinate node (step S107: No, step S108: Yes), the process is terminated as it is. Here, the predetermined time elapses without establishing a logical connection with the subordinate node, for example, when a logical connection request is erroneously transmitted from the subordinate node to the node device Nx. In addition, the topology verification server TS succeeds in the topology verification in a state where there is no physical direct connection between the node device Nx and the subordinate node, but the node device Nx establishes a logical connection with the subordinate node. It is also assumed that a physical direct connection is determined to be necessary and a logical connection is not established. Even in such a case, the process ends after a predetermined time elapses without establishing a logical connection with the subordinate node.

  Next, the authentication server AS will be described. The authentication server AS is a server device that performs authentication processing on each node device on the communication network shown in FIG.

  FIG. 5 is a functional block diagram showing an internal functional configuration of the authentication server AS. The authentication server AS has a hardware configuration using a general computer having a communication function for performing communication on a communication network, for example, and holds authentication information by executing an application program for authentication processing Each function of the unit 201, the reception unit 202, the authentication processing unit 203, and the authentication result transmission unit 204 is realized.

  The authentication information holding unit 201 holds authentication information for performing authentication processing on each node device on the communication network.

  FIG. 6 is a conceptual diagram illustrating an example of authentication information held by the authentication information holding unit 201. The authentication information exemplified in FIG. 6 is a table that records, as one entry, a combination of two pieces of information of identification information of each node device predetermined as a valid node on the communication network and an authentication key for the node device. It is represented by Among these, the identification information of each node device is included in the above-described subordinate node authentication information, and the authentication key is not included in the subordinate node authentication information. In the example of the authentication information shown in FIG. 6, the identification information of the first-stage node device N11 is represented as “n11”, the authentication key for the first-stage node device N11 is represented as “k11”, and the identification information of the second-stage node device N21 is represented as “n21”. The authentication key for the second-stage node device N21 is represented as “k21”. Also, the identification information of the second stage node device N22 is represented as “n22”, the authentication key for the second stage node device N22 is represented as “k22”, the identification information of the third stage node device N31 is represented as “n31”, and the third stage node. The authentication key for the device N31 is represented as “k31”. The identification information of the third-stage node device N32 is represented as “n32”, the authentication key for the third-stage node device N32 is represented as “k32”, the identification information of the third-stage node device N33 is represented as “n33”, and the third-stage node. The authentication key for the device N33 is represented as “k33”.

  The receiving unit 202 receives dependent node authentication information from the node device Nx. As the subordinate node authentication information, as described above, authentication information used for general network access authentication can be used. Here, it is assumed that the subordinate node authentication information includes subordinate node identification information.

  The authentication processing unit 203 compares the subordinate node authentication information received by the receiving unit 202 from the node device Nx with the authentication information held by the authentication information holding unit 201, and authenticates the node device that is a subordinate node with respect to the node device Nx. Process. As a verification method of authentication information, for example, when the common key is an authentication key, the subordinate node authentication information received from the node device Nx includes a signature calculated by the node device Nx using its own common key. The processing unit 203 regards that the verification is successful when the signature calculated using the common key for the node device Nx for the received dependent node authentication information matches the signature included in the received dependent node authentication information. . In this case, the subordinate node authentication information received from the node device Nx does not include a common key.

  The authentication result transmission unit 204 sends the result of the authentication process performed by the authentication processing unit 203 based on the subordinate node authentication information, that is, the authentication result of the node device that is a subordinate node to the node device Nx, to the node device Nx. To send.

  FIG. 7 is a flowchart for explaining the operation of the authentication server AS. First, in step S201, the receiving unit 202 receives dependent node authentication information transmitted from the node device Nx. Next, in step S202, the authentication processing unit 203 verifies the subordinate node authentication information received in step S201 with the authentication information held by the authentication information holding unit 201, so that the subordinate node is valid as a node on the communication network. Whether authentication is performed.

  Next, in step S203, the authentication result transmission unit 204 determines whether or not the subordinate node is authenticated as a valid node in step S202. If the subordinate node is authenticated (step S203: Yes), step S204 is performed. Then, an authentication result X indicating successful authentication is transmitted to the node device Nx. On the other hand, if the subordinate node is not authenticated as a valid node (step S203: No), the authentication result transmission unit 204 transmits an authentication result X indicating an authentication failure to the node device Nx in step S205. .

  Next, the topology verification server TS will be described. The topology verification server TS is a server device that determines whether the logical connection between nodes on the communication network is valid by verifying the network topology.

  FIG. 8 is a functional block diagram showing an internal functional configuration of the topology verification server TS. The topology verification server TS has, for example, a hardware configuration using a general computer having a communication function for performing communication on a communication network, and executes topology application information by executing a topology verification application program. The functions of the holding unit 301, the updating unit 302, the receiving unit 303, the determining unit 304, and the determination result transmitting unit 305 are realized.

  The topology information holding unit 301 holds topology information indicating a relationship between nodes in which logical connection is permitted and conditions for establishing the logical connection in a communication network in which the topology verification server TS verifies the topology.

  FIG. 9 is a conceptual diagram illustrating an example of topology information held by the topology information holding unit 301. The topology information illustrated in FIG. 9 includes identification information (subject node identification information) of a node device Nx that can be a subject node on the communication network, and identification information (subordinate node) that is a subordinate node for the subject node. (Identification information), a physical connectivity request flag, a connection group, a connection order, and a combination of six pieces of information are represented by a table that records as one entry. In the example of FIG. 9, the identification information of the first stage node device N11 is “n11”, the identification information of the second stage node device N21 is “n21”, the identification information of the second stage node device N22 is “n22”, and the third stage node The identification information of the device N31 is represented as “n31”, the identification information of the third stage node device N32 is represented as “n32”, and the identification information of the third stage node device N33 is represented as “n33”.

  From the topology information illustrated in FIG. 9, in the communication network shown in FIG. 1, the first-stage node device N11 (main node), the second-stage node device N21 (subordinate node), the first-stage node device N11 (main node), and the second-stage node device. Node device N22 (subordinate node), second stage node device N21 (subordinate node) and third stage node device N31 (subordinate node), second stage node device N21 (subordinate node) and third stage node device N32 (subordinate node) ), Between the second stage node device N22 (main node) and the third stage node device N32 (subordinate node), between the second stage node device N22 (subject node) and the third stage node device N33 (subordinate node), It can be seen that logical connections are allowed for each.

  The physical connectivity request flag indicates whether a physical direct connection at the MAC layer or the PHY layer needs to exist between these two nodes for logical connection between the subject node and the subordinate node. 1-bit information indicating "1" when physical direct connection is required for logical connection between the main node and the subordinate node of each entry, and when physical direct connection is not required “0”. In the example of FIG. 9, the physical connectivity request flag of all entries is “1”, and there is a physical direct connection between the main node and the subordinate node in all logical connections. It can be seen that this is a condition for establishing a logical connection. When the topology verification server TS manages a plurality of topology hierarchies, a topology hierarchy level represented by an integer of 0 or more may be used instead of the physical connection request flag. The value “0” corresponds to the value “1” of the physical connection request flag, and the values of the other topology hierarchy levels correspond to the value “0” of the physical connection request flag.

  The connection group list is information representing a connection group that is a set of logical connections in which the connection order described later is valid, and is represented by a set of integers of 0 or more corresponding to each connection group. Here, it is assumed that there are two connection groups, connection group “0” and connection group “1”, in the communication network shown in FIG. When a logical connection between an arbitrary subject node and subordinate node on the communication network is represented by (subject node identification information, subordinate node identification information), the connection group “0” is logically represented from the topology information illustrated in FIG. The connections (n11, n21), (n11, n22), (n21, n31), (n21, n32), (n22, n32) are configured, and the connection group “1” includes logical connections (n11, n22), ( n22, n33).

  The connection order is information that specifies the order of logical connections within the connection group indicated by the connection group list. In order to establish a logical connection between a main node and a subordinate node whose connection order value is x and whose connection order value is x, the connection order value is less than x in the same connection group. The condition is that another logical connection is established. In the example shown in FIG. 9, in order to establish a logical connection (n21, n32), it is a condition that logical connections (n21, n31), (n22, n32) belonging to the same connection group “0” are established. In order to establish the logical connections (n21, n31) and (n22, n32), the logical connections (n11, n21) and (n11, n22) belonging to the same connection group “0” must be established. Become. In order to establish the logical connection (n22, n33), it is a condition that the logical connection (n11, n22) belonging to the same connection group “1” is established.

  The connection status flag is 1-bit information indicating whether or not a logical connection is currently established between the subject node and the subordinate node, and between the subject node and the subordinate node of each entry. If the logical connection is established, the value is “1”. If the logical connection is not established, the value is “0”. The restriction condition based on the connection order can be determined by referring to the connection state flag.

  The updating unit 302 updates the connection state flag in the topology information held by the topology information holding unit 301 based on the connection state update information transmitted from the node device Nx described above. That is, when the update unit 302 transmits connection state update information indicating that the above-described node device Nx has established a logical connection with the subordinate node, the update unit 302 sets the connection state flag of the topology information from “0”. When the connection state update information indicating that the node device Nx described above has disconnected the logical connection with the subordinate node is transmitted to “1”, the connection state flag of the topology information is changed from “1” to “1”. Rewrite to "0". Thereby, the connection status flag of the topology information always reflects the latest status of the logical connection between the nodes in the communication network. Further, when the topology verification server TS manages a plurality of topology layers, if the connection status flag of the topology information for the logical connection of the (N-1) th layer is rewritten from “1” to “0”, this logic The topology information connection status flag is rewritten to “0” for each of the Nth layer logical connections that depend on the connection and whose topology information connection status flag is “1”. When rewriting the connection state flag in consideration of the dependency of the logical connection between adjacent layers, the connection state update information needs to be transmitted only for the logical connection of the lowest layer managed by the topology verification server TS. .

  The receiving unit 303 receives topology verification information transmitted before the node device Nx, which is an arbitrary subject node on the communication network, establishes a logical connection with the subordinate node. As described above, the topology verification information includes main node identification information that is identification information of the node device Nx that has transmitted the topology information, and identification information of a subordinate node that the node device Nx intends to establish a logical connection. Some subordinate node identification information and a physical connection flag indicating whether or not there is a physical direct connection between the main node and the subordinate node are included.

  The determination unit 304 collates the topology verification information received by the receiving unit 303 from the node device Nx with the topology information held by the topology information holding unit 301, and compares the node device Nx that is the subject node and the node device that is the subordinate node. The validity of the logical connection is judged (verification of network topology).

  Specifically, the determination unit 304 first searches for topology information using a combination of subject node identification information and subordinate node identification information included in the topology verification information as a key, and logical connection between the subject node and the subordinate node. Check if there is an entry for. Here, if there is no entry corresponding to the topology information, it is determined that the logical connection between the main node and the subordinate node is not valid because it is not assumed on the communication network.

  Further, when the corresponding entry exists in the topology information, the determination unit 304 determines whether or not the constraint condition for establishing the logical connection between the main node and the subordinate node is satisfied. That is, the determination unit 304 collates the physical connectivity request flag of the corresponding entry with the physical connectivity flag included in the topology verification information, the physical connectivity request flag value is “1”, and the physical connectivity flag value. When “0” is “0”, it is determined that there is no physical direct connection necessary for establishing a logical connection between the main node and the subordinate node, and therefore it is determined not to be valid. In addition, the determination unit 304 confirms the connection group list and the connection order in the topology information, and the logical connection whose connection order value is smaller than the logical connection of the corresponding entry in the connection group to which the logical connection of the corresponding entry belongs. Is identified. Then, referring to the connection state flag regarding the specified logical connection, if there is a connection state flag value of “0”, it is established before the logical connection between the main node and the subordinate node. It is determined that the logical connection to be made is not valid because the logical connection is not established.

  The determination result transmission unit 305 displays the verification result of the network topology performed by the determination unit 304 based on the topology verification information, that is, the determination result of the validity of the logical connection between the node device Nx that is the main node and the subordinate node. To the node device Nx.

  FIG. 10 is a flowchart for explaining the operation of the topology verification server TS. First, in step S301, the reception unit 303 receives topology verification information transmitted from the node device Nx. Next, in step S302, the determination unit 304 collates the topology verification information received in step S301 with the topology information held by the topology information holding unit 301, so that the node device Nx that is the subject node and the subordinate node Verify whether the logical connection between them is valid.

  Next, in step S303, the determination result transmission unit 305 determines whether or not the logical connection between the node device Nx that is the main node and the subordinate node is determined to be valid in step S302. If it is determined that the logical connection is valid (step S303: Yes), in step S304, a verification result Y indicating successful verification is transmitted to the node device Nx. On the other hand, when it is determined that the logical connection between the node device Nx and the subordinate node is not valid (step S303: No), the determination result transmission unit 305 fails to verify the node device Nx in step S305. An authentication result Y indicating is transmitted.

  Next, in step S306, the update unit 302 determines whether connection state update information has been transmitted from the node device Nx. When the connection state update information is transmitted from the node device Nx (step S306: Yes), the update unit 302, in step S307, according to the connection state update information transmitted from the node device Nx, the topology information holding unit. 301 rewrites the connection status flag of the topology information held in 301. On the other hand, when the connection state update information is not transmitted from the node device Nx (step S306: No), the processing is ended as it is.

  Next, a specific example of a series of operations in the entire communication network of this embodiment will be described. FIG. 11 shows the communication network shown in FIG. 1, after establishing the logical connection between the second-stage node device N21 and the first-stage node device N11, and then between the third-stage node device N31 and the second-stage node device N21. It is a sequence diagram which shows a series of operation | movement until establishing a logical connection between. In the configuration of the communication network shown in FIG. 1, the authentication server AS and the topology verification server TS are connected in series in this order to the first stage node device N11. Data transmission / reception is performed via the authentication server AS.

  In FIG. 11, first, the second stage node device N21 transmits a connection request D101 requesting establishment of a logical connection to the first stage node device N11. This connection request D101 includes subordinate node authentication information relating to the validity of the second stage node device N21 and subordinate node identification information that is identification information of the second stage node device N21.

  When receiving the connection request D101 from the second-stage node device N21, the first-stage node device N11 extracts dependent node authentication information and dependent node identification information from the connection request D101. Then, the first-stage node device N11 generates topology verification information including the dependent node identification information extracted from the connection request D101 and the main node identification information that is the identification information of the own node and the physical connection flag. Then, the first-stage node device N11 transmits a connection request D102 storing the generated topology verification information and the dependent node authentication information extracted from the connection request D101 to the authentication server AS.

  When the authentication server AS receives the connection request D102 from the first-stage node device N11, the authentication server AS extracts subordinate node authentication information and topology verification information from the connection request D102. Then, the authentication server AS authenticates the second-stage node device N21 using the subordinate node authentication information. When the authentication is successful, the authentication server AS sends a verification request D103 storing the topology verification information extracted from the connection request D102 to the topology verification server. Send to TS.

  When the topology verification server TS receives the verification request D103 from the authentication server AS, the topology verification server TS extracts the topology verification information from the verification request D103. Then, the topology verification server TS verifies the network topology by using this topology verification information, and determines that the logical connection between the second-stage node device N21 and the first-stage node device N11 is valid. The verification result R101 shown is transmitted to the authentication server AS.

  Upon receiving the verification result R101 from the topology verification server TS, the authentication server AS generates a connection response R102 by adding an authentication result indicating authentication success to the verification result R101. To N11.

  Upon receiving the connection response R102 from the authentication server AS, the first-stage node device N11 approves establishment of a logical connection with the second-stage node device N21 and generates a connection response R103 indicating that the logical connection is permitted. Then, this connection response R103 is transmitted to the second stage node device N21. When the logical connection is established between the first-stage node device N11 and the second-stage node device N21, the logical connection is established with the second-stage node device N21 to the topology verification server TS. The connection state update information D104 indicating that is transmitted. This connection state update information D104 is transmitted to the topology verification server TS via the authentication server AS.

  When the topology verification server TS receives the connection state update information D104 from the first-stage node device N11, the topology verification server TS updates the connection state flag of the topology information according to the connection state update information D104.

  Next, the third stage node device N31 transmits a connection request D105 requesting establishment of a logical connection to the second stage node device N21. This connection request D105 includes subordinate node authentication information relating to the validity of the third stage node device N31 and subordinate node identification information that is identification information of the third stage node device N31.

  When receiving the connection request D105 from the third-stage node device N31, the second-stage node device N21 extracts the dependent node authentication information and the dependent node identification information from the connection request D105. Then, the second-stage node device N21 generates topology verification information including the dependent node identification information extracted from the connection request D105, including the main node identification information that is the identification information of the own node and the physical connection flag. Then, the second stage node device N21 transmits the connection request D106 storing the generated topology verification information and the subordinate node authentication information extracted from the connection request D105 to the first stage node device N11.

  When receiving the connection request D106 from the second-stage node device N21, the first-stage node device N11 extracts the topology verification information and the subordinate node identification information from the connection request D106. Then, the first-stage node device N11 transmits a connection request D107 storing the topology verification information and the subordinate node identification information extracted from the connection request D106, to the authentication server AS.

  When the authentication server AS receives the connection request D107 from the first-stage node device N11, the authentication server AS extracts subordinate node authentication information and topology verification information from the connection request D107. Then, the authentication server AS authenticates the third-stage node device N31 using the subordinate node authentication information. When the authentication is successful, the authentication server AS sends a verification request D108 storing the topology verification information extracted from the connection request D107 to the topology verification server. Transmit to TS.

  When the topology verification server TS receives the verification request D108 from the authentication server AS, the topology verification server TS extracts the topology verification information from the verification request D108. Then, the topology verification server TS verifies the network topology using this topology verification information, and determines that the logical connection between the third-stage node device N31 and the second-stage node device N21 is valid. A verification result R104 indicating success is transmitted to the authentication server AS.

  Upon receiving the verification result R104 from the topology verification server TS, the authentication server AS generates a connection response R105 by adding an authentication result indicating authentication success to the verification result R104. To N11.

  When receiving the connection response R105 from the authentication server AS, the first-stage node device N11 extracts an authentication result indicating a successful authentication and a verification result indicating a successful verification from the connection response R105. Then, the first stage node device N11 transmits a connection response R106 storing the authentication result and the verification result extracted from the connection response R105 to the second stage node device N21.

  When the second stage node device N21 receives the connection response R106 from the first stage node device N11, the second stage node device N21 approves the establishment of the logical connection with the third stage node device N31, and indicates that the logical connection is permitted. R107 is generated and this connection response R107 is transmitted to the third stage node device N31. When the logical connection is established between the second-stage node device N21 and the third-stage node device N31, the logical connection is established with the third-stage node device N31 to the topology verification server TS. The connection state update information D109 indicating that it is in the connected state is transmitted. This connection state update information D109 is transmitted to the topology verification server TS via the first-stage node device N11 and the authentication server AS.

  When the topology verification server TS receives the connection state update information D109 from the second stage node device N21, the topology verification server TS updates the connection state flag of the topology information according to the connection state update information D109. The topology information illustrated in FIG. 9 is topology information immediately after the connection state flag is updated in accordance with the connection state update information D109 from the second-stage node device N21. The topology information illustrated in FIG. 9 includes entries and logical information about the logical connection (n11, n21). In the entry related to connection (n21, n31), the value of the connection status flag is “1”, and in the other entries, the value of the connection status flag is “0”.

  FIG. 12 shows the topology information held by the topology verification server TS in the state shown in FIG. 9, that is, the logical connection between the second-stage node device N21 and the first-stage node device N11, the third-stage node device N31, and the second-stage node device N11. FIG. 11 is a sequence diagram showing a series of operations when the third-stage node device N32 tries to establish a logical connection with the second-stage node device N21 after the logical connection with the node device N21 is established. .

  In FIG. 12, first, the third stage node device N32 transmits a connection request D201 requesting establishment of a logical connection to the second stage node device N21. This connection request D201 includes subordinate node authentication information relating to the validity of the third stage node device N32 and subordinate node identification information which is identification information of the third stage node device N32.

  When receiving the connection request D201 from the third-stage node device N32, the second-stage node device N21 extracts dependent node authentication information and dependent node identification information from the connection request D201. Then, the second stage node device N21 generates topology verification information including the subject node identification information that is the identification information of the own node and the physical connection flag in the subordinate node identification information extracted from the connection request D201. Then, the second stage node device N21 transmits a connection request D202 storing the generated topology verification information and the subordinate node authentication information extracted from the connection request D201 to the first stage node device N11.

  When receiving the connection request D202 from the second stage node device N21, the first stage node device N11 extracts the topology verification information and the subordinate node identification information from the connection request D202. Then, the first-stage node device N11 transmits a connection request D203 storing the topology verification information extracted from the connection request D202 and the subordinate node identification information to the authentication server AS.

  When the authentication server AS receives the connection request D203 from the first-stage node device N11, the authentication server AS extracts the subordinate node authentication information and the topology verification information from the connection request D203. Then, the authentication server AS authenticates the third-stage node device N32 using the subordinate node authentication information. When the authentication is successful, the authentication server AS sends a verification request D204 storing the topology verification information extracted from the connection request D203 to the topology verification server. Send to TS.

  When the topology verification server TS receives the verification request D204 from the authentication server AS, the topology verification server TS extracts the topology verification information from the verification request D204. Then, the topology verification server TS uses this topology verification information to verify the network topology, and determines the validity of the logical connection between the third-stage node device N32 and the second-stage node device N21. At this time, the topology information held by the topology verification server TS is in the state of FIG. 9, and the entry of the logical connection (n11, n21) and the entry related to the logical connection (n21, n31) have a connection state flag value of 1, otherwise In the entry, the value of the connection status flag is 0.

  Here, referring to the topology information shown in FIG. 9, the logical connection (n21, n32) between the third-stage node device N32 and the second-stage node device N21 belongs to the connection group “0”, and The value is “3”. Then, there is a logical connection (n22, n32) as a logical connection that belongs to the same connection group “0” as the logical connection (n21, n32) and has a lower connection order value than the logical connection (n21, n32). The value of the connection status flag of the entry relating to this logical connection (n22, n32) is “0”. Accordingly, the topology verification server TS determines that the logical connection between the third-stage node device N32 and the second-stage node device N21 is not valid, and transmits a verification result R201 indicating a verification failure to the authentication server AS. To do.

  Upon receiving the verification result R201 from the topology verification server TS, the authentication server AS generates a connection response R202 by adding an authentication result indicating authentication success to the verification result R201. To N11.

  When receiving the connection response R202 from the authentication server AS, the first-stage node device N11 extracts an authentication result indicating authentication success and a verification result indicating verification failure from the connection response R202. Then, the first stage node device N11 transmits a connection response R203 storing the authentication result and the verification result extracted from the connection response R202 to the second stage node device N21.

  Upon receiving the connection response R203 from the first stage node device N11, the second stage node device N21 generates a connection response R204 indicating that the establishment of the logical connection with the third stage node device N32 is rejected. This connection response R204 is transmitted to the third stage node device N32. As a result, it is possible to reject a logical connection in an order different from a predetermined predetermined connection order as an invalid logical connection.

  In the specific example described with reference to the sequence diagrams of FIGS. 11 and 12, the connection request and the connection response exchanged between the node devices are, for example, PANA (Protocol for Carrying Authentication for Network Access) defined by RFC5191. ) Messages can be used. In this case, the subordinate node becomes a PANA client, and when the first-stage node device N11 is a main node, the first-stage node device N11 becomes a PANA authentication agent. When the second-stage node devices N21 and N22 are main nodes, the second-stage node devices N21 and N22 as the main nodes are PANA relays, the first-stage node device N11 is a PANA authentication agent, and the PANA relay is connected to the PANA client. Forward PANA messages to and from PANA authentication agents. The operation of the PANA relay is defined in the Internet draft “http://tools.ietf.org/html/draft-ohba-pana-relay-02”.

  When the PANA message is used for the connection request and the connection response, the dependent node authentication information is included in the EAP-Payload attribute of the PANA message. The subordinate node identification information included in the topology verification information is the IP address or MAC address of the PANA client. The principal node identification information included in the topology verification information is the IP address or MAC address of the PANA authentication agent when the principal node is a PANA authentication agent, and the IP address of the PANA relay when the principal node is a PANA relay. Address or MAC address. The authentication result of whether the subordinate node is valid and the verification result of whether the logical connection between the subject node and the subordinate node is valid are included in the Result-Code attribute of the PANA message.

  Further, as a connection request and connection response between the PANA authentication agent and the authentication server SA, for example, a RADIUS (Remote Authentication Dial-In User Service) protocol message defined in RFC2865 can be used. In that case, the subordinate node authentication information is included in the EAP-Message attribute of the RADIUS message. Further, as dependent node identification information included in the topology verification information, the IP address or MAC address of the dependent node is included in the Calling-Station-Id attribute of the RADIUS message. Further, as the subject node identification information included in the topology verification information, the IP address or MAC address of the PANA authentication agent is used when the subject node is a PANA authentication agent, and the IP address or PANA relay address of the PANA relay when the subject node is a PANA relay. The MAC address is included in the Called-Station-Id attribute of the RADIUS message.

  As described above in detail with reference to specific examples, according to the present embodiment, the validity of a node device is determined when attempting to establish a logical connection between a plurality of node devices constituting a communication network. In addition to the authentication processing, the network topology is verified to determine the validity of the logical connection. When the node device is authenticated as a valid device and the validity of the logical connection is recognized, the logical connection between the node devices is established. Therefore, it is possible to effectively prevent various security problems caused by a node device on the communication network establishing a logical connection with another node device that is not originally intended to be connected.

  Further, according to the present embodiment, the validity of the logical connection between the node devices is also considered in consideration of the constraint condition depending on the connection order of each node device constituting the communication network and the constraint condition regarding the presence or absence of physical direct connection. Therefore, it is possible to appropriately manage connection of each node device constituting the communication network and improve the safety of the communication system. Also, by utilizing the dependency of logical connections between adjacent hierarchies, the logical connection can be shut off quickly and with a small number of messages.

(Second Embodiment)
Next, a second embodiment will be described. This embodiment is partially different from the first embodiment described above in the constraint conditions for establishing a logical connection between node devices. The configuration and basic operations of the communication system and each node device, authentication server AS, and topology verification server TS constituting the communication system are the same as those in the first embodiment described above. Below, only the characteristic part of this embodiment is demonstrated.

  FIG. 13 is a conceptual diagram showing an example of topology information held by the topology information holding unit 301 of the topology verification server TS in the present embodiment. The topology information illustrated in FIG. 13 includes a logical connection number, identification information of a node device Nx that can be a main node on the communication network (subject node identification information), and an identification of a node device that is a subordinate node for this main node. It is represented by a table that records a combination of six pieces of information (dependent node identification information), physical connectivity request flag, connection constraint vector set, and connection order flag as one entry. In the example of FIG. 13, the identification information of the first stage node device N11 is “n11”, the identification information of the second stage node device N21 is “n21”, and the identification of the second stage node device N22 is the same as the example shown in FIG. The information is represented as “n22”, the identification information of the third stage node device N31 as “n31”, the identification information of the third stage node device N32 as “n32”, and the identification information of the third stage node device N33 as “n33”. Yes.

  The logical connection number indicates the logical connection relationship number of each entry recorded in the topology information. In the example of FIG. 13, the logical connection number “1” is assigned to the logical connection (n11, n21) between the first-stage node device N11 and the second-stage node device N21. The logical connection number “2” is assigned to the logical connection (n11, n22) with the second stage node device N22. Also, the logical connection number “3” is assigned to the logical connection (n21, n31) between the second stage node device N21 and the third stage node device N31, and the second stage node device N21 and the third stage node are connected. The logical connection number “4” is assigned to the logical connection (n21, n32) with the device N32. Further, the logical connection number “5” is given to the logical connection (n22, n32) between the second stage node device N22 and the third stage node device N32, and the second stage node device N22 and the third stage node are provided. The logical connection number “6” is assigned to the logical connection (n22, n33) with the device N33.

  The physical connectivity request flag and the connection state flag are the same as in the example shown in FIG. That is, the physical connectivity request flag indicates whether or not a physical direct connection between these nodes is necessary for logical connection between the subject node and the subordinate node, and the connection state flag indicates the subject node. It indicates whether or not a logical connection is currently established between the subordinate node and the subordinate node. When the topology verification server TS manages a plurality of topology hierarchies, similarly to the example shown in FIG. 9, a topology hierarchy level represented by an integer of 0 or more is used instead of the physical connection request flag. In this case, the topology hierarchy level value “0” corresponds to the physical connection request flag value “1”, and other topology hierarchy level values correspond to the physical connection request flag value “0”.

  The connection constraint vector set is information related to the constraint condition for establishing the logical connection of each entry, and is information representing the relationship with all other logical connections allowed on the communication network. When determining whether a logical connection with a certain logical connection number is valid, a connection constraint vector set corresponding to the logical connection number is referred to.

  The connection constraint vector set is represented by a set of connection constraint vectors that are N-dimensional vectors having elements of value “0” or “1”. Here, N is the total number of records in the topology information table. Each connection constraint vector in the set of connection constraint vectors for a certain logical connection represents an element constraint condition, and the logical sum of these element constraint conditions becomes the connection constraint condition for this logical connection. When the value of the i-th element of the connection constraint vector is “1”, this means that the value of the connection state flag of the logical connection corresponding to the logical connection number i needs to be “1”. When the value of the i-th element of the vector is “0”, it means that the value of the connection state flag of the logical connection corresponding to the logical connection number i need not be “1”.

  For example, the connection constraint vector set for the logical connection (n21, n31) having the logical connection number “3”, that is, the logical connection when the main node is the second-stage node device N21 and the subordinate node is the third-stage node device N31. Is {(1, 1, 0, 0, 0, 0)}. In order to establish a logical connection with the logical connection number “3”, the connection flag value of the logical connection (n11, n21) with the logical connection number “1” and the logical connection number with the logical connection number “2” are used. This means that both the connection state flag values of the connections (n11, n22) need to be “1”.

  Further, the connection constraint vector set for the logical connection (n21, n32) having the logical connection number “4”, that is, the logical connection when the main node is the second-stage node device N21 and the subordinate node is the third-stage node device N32. Is {(1,1,1,0,0,0), (1,1,0,0,1,0)}. In order to establish a logical connection with the logical connection number “4”, the connection flag value of the logical connection (n11, n21) with the logical connection number “1” and the logical connection number with the logical connection number “2” are used. The values of the connection state flags of the connections (n11, n22) are both “1”, and the value of the connection flag of the logical connection (n21, n31) with the logical connection number “3” or logical This means that one of the connection status flag values of the logical connection (n22, n33) with the connection number “5” needs to be “1”.

  In the topology verification server TS of the present embodiment, when the reception unit 303 receives the topology verification information from the node device Nx, the determination unit 304 includes the topology verification information including information on a connection constraint vector set as illustrated in FIG. The topology information is collated, and the validity of the logical connection between the node device Nx that is the main node and the node device that is the subordinate node is determined (verification of the network topology).

  Specifically, as in the first embodiment, the determination unit 304 first searches the topology information using a combination of the principal node identification information and the subordinate node identification information included in the topology verification information as a key. Check whether there is an entry for the logical connection between the node and the subordinate node. Here, if there is no entry corresponding to the topology information, it is determined that the logical connection between the main node and the subordinate node is not valid because it is not assumed on the communication network.

  Further, when the corresponding entry exists in the topology information, the determination unit 304 determines whether or not the constraint condition for establishing the logical connection between the main node and the subordinate node is satisfied. That is, as in the first embodiment, the determination unit 304 collates the physical connectivity request flag of the corresponding entry with the physical connection flag included in the topology verification information, and the value of the physical connectivity request flag is When the value of “1” and the physical connection flag is “0”, there is no physical direct connection necessary to establish a logical connection between the main node and the subordinate node. to decide.

  Further, the determination unit 304 refers to the connection constraint vector set of the corresponding entry, and specifies the logical connection number of another logical connection that should be established before establishing this logical connection. Then, referring to the connection state flag regarding the specified logical connection, if there is a connection state flag value of “0”, it is established before the logical connection between the main node and the subordinate node. It is determined that the logical connection to be made is not valid because the logical connection is not established.

  As described above, according to the present embodiment, a logical connection between node devices in consideration of a relationship with another logical connection that is a constraint condition for establishing the logical connection for a logical connection between arbitrary nodes. Therefore, it is possible to improve the safety of the communication system by appropriately managing the connection of each node device constituting the communication network.

(Third embodiment)
Next, a third embodiment will be described. In the present embodiment, the configuration of the topology information held by the topology information holding unit 301 of the topology verification server TS is different from the first and second embodiments described above. The configuration and basic operations of the communication system and each node device, authentication server AS, and topology verification server TS constituting the communication system are the same as those in the first embodiment described above. Below, only the characteristic part of this embodiment is demonstrated.

  FIG. 14 is a conceptual diagram illustrating an example of topology information held by the topology information holding unit 301. The topology information illustrated in FIG. 14 includes, as in FIG. 9, the identification information (subject node identification information) of the node device Nx that can be the main node on the communication network, and the node device that is a subordinate node for this main node. This is represented by a table that records a combination of six pieces of identification information (subordinate node identification information), physical connectivity request flag, connection group, connection rank, and connection rank flag as one entry. However, unlike the example of FIG. 9, the value of the subordinate node identification information of each entry in the table is a wild card (*). This indicates that the node devices identified by the main node identification information of entries belonging to the same connection group may be connected to each other in any topology (mesh connection is possible). In FIG. 14, node devices n11, n12, and n13 can be mesh-connected. The node devices n21, n22, and n23 can also be mesh-connected. FIG. 14 also shows a state in which no logical connection has been established yet. A logical connection entry whose subordinate node identification value is a wildcard is created statically, and based on this, a logical connection entry whose subordinate node identification value is not a wildcard is dynamically generated or Deleted. In FIG. 14, the connection order is the same for all entries. This indicates that the connection order of logical connections belonging to the same connection group is arbitrary.

  FIG. 15 shows entries in the topology information table relating to logical connections (n11, n12) dynamically created from the state of FIG. Since the value of the subordinate node identification information of this entry is not a wild card, it means that this entry is dynamically created and deleted.

  As described above, according to this embodiment, it is possible to form a connection group that allows an arbitrary connection order and an arbitrary topology with a table having a smaller number of entries. Node devices can be added and deleted efficiently in a network with a small connection topology constraint.

  According to the node device, the server device, and the node connection management method according to at least one embodiment described above, it is possible to realize appropriate device connection management in consideration of the topology of the communication network.

  In addition, although some embodiment of this invention was described, these embodiment is shown as an example and is not intending limiting the range of invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  For example, the node device Nx may be mounted on the same device as the authentication server AS or the topology verification server TS. The authentication server AS and the topology verification server TS may be mounted on the same device.

  The dependent node authentication information and the topology verification information may be carried in one message. In addition, the subordinate node authentication information may be divided into a plurality of messages, and in that case, there may be a plurality of message round trips between the node device Nx and the authentication server AS in order to carry the subordinate node authentication information. Similarly, the topology verification information may be divided into a plurality of messages, and in that case, there may be a plurality of message round trips between the node device Nx and the authentication server AS in order to carry the topology verification information.

  Further, the node device Nx and the authentication server AS may communicate via an intermediate node. In that case, the protocol for carrying dependent node authentication information between the node device Nx and the intermediate node may be different from the protocol for carrying dependent node authentication information between the intermediate node and the authentication server AS. Further, the intermediate node may be the topology verification server TS.

  Similarly, the node device Nx and the topology verification server TS may communicate via an intermediate node. In that case, the protocol that carries the topology verification information between the node device Nx and the intermediate node and the protocol that carries the topology verification information between the intermediate node and the topology verification server TS may be different. Further, the intermediate node may be the authentication server AS.

  The topology verification server TS may be realized as a plurality of server devices. In that case, the topology information may be held in a distributed database constituted by these server devices.

  Further, when the subordinate node authentication information includes subordinate node identification information, this node identification information may be used as subordinate node identification information.

  The node device Nx is a power meter, an electric vehicle, a sensor, a home appliance, and an energy device such as a storage battery, a photovoltaic power generation device, a HEMS, a BEMS (Building Energy Management System), or a CEMS (Community Energy Management System). May be implemented.

  In addition, characteristic functions in the node device Nx, the authentication server AS, and the topology verification server TS can be realized by a program executed by a computer.

Nx node device AS authentication server (first server device)
TS topology verification server (second server device)
DESCRIPTION OF SYMBOLS 101 Acquisition part 102 1st transmission part 103 Reception part 104 Connection control part 105 2nd transmission part 301 Topology information holding part 302 Update part 303 Reception part 304 Judgment part 305 Judgment result transmission part

Claims (13)

A node device constituting a communication network,
An acquisition unit for acquiring, from the subordinate node, subordinate node authentication information and subordinate node identification information used for authentication of the subordinate node prior to establishing a logical connection with a subordinate node having a lower logical connection relationship; ,
The subordinate node authentication information is transmitted to a first server device that authenticates a node on the communication network, and topology verification information including the subordinate node identification information and the self node identification information is transmitted to the communication network. A first transmission unit that transmits to a second server device that determines whether the logical connection between the upper nodes is valid;
Receiving the authentication result of the subordinate node performed by the first server device based on the subordinate node authentication information, and the subordinate node performed by the second server device based on the topology verification information; A receiving unit that receives a determination result of the validity of the logical connection between
When the subordinate node is authenticated by the first server device and the logical connection between the subordinate node and the subordinate node is determined to be valid by the second server device, And a connection control unit that establishes a logical connection.   When a logical connection with the subordinate node is established, information indicating that a logical connection is established with the subordinate node is transmitted to the second server device, and the subordinate node A second transmission unit configured to transmit information indicating that a logical connection is not established with the subordinate node to the second server device when the logical connection with the node is released; The node device according to claim 1, further comprising:   The node device according to claim 1, wherein the connection control unit does not establish a logical connection with the subordinate node when the subordinate node is not physically directly connected. The topology verification information includes physical connection information indicating whether or not the subordinate node is physically directly connected;
When the physical connection information included in the topology verification information indicates that the subordinate node is not physically connected directly, the logical connection between the subordinate node is not valid by the second server device The node device according to claim 3, wherein the node device is determined.   The said acquisition part acquires the said subordinate node authentication information and the identification information of the said subordinate node from the said subordinate node according to the protocol prescribed | regulated by RFC5191 standard, The any one of Claims 1-4 characterized by the above-mentioned. The node device described in 1. A server device that determines whether a logical connection between nodes on a communication network is valid,
A holding unit for holding topology information indicating a relationship between nodes in which logical connection is permitted in the communication network and a condition for establishing the logical connection;
Prior to any logical node on the communication network establishing a logical connection with a subordinate node having a lower logical connection relationship with the main node, the subordinate node identifies information on the subordinate node and the subordinate node A receiving unit for receiving topology verification information including identification information of the subject node;
A determination unit that compares the topology verification information with the topology information and determines the validity of the logical connection between the subordinate node and the subject node;
A server device, comprising: a transmission unit that transmits a result of determining the validity of a logical connection between the subordinate node and the subject node to the subject node. The topology information includes connection state information indicating whether or not a logical connection is currently established between nodes that allow logical connection in the communication network;
The determination unit, when the logical connection between the subordinate node and the subject node does not satisfy the constraint condition determined based on the connection state information, the logical connection between the subordinate node and the subject node The server device according to claim 6, wherein the server device is determined not to be valid. The topology information includes connection order information that specifies the order of logical connections between nodes as information on the constraint condition;
The determination unit determines that a logical connection between other nodes to be established prior to a logical connection between the subordinate node and the subject node is not established based on the connection state information. In this case, it is determined that the logical connection between the subordinate node and the subject node is not valid. The topology information further includes connection group information representing a connection group that is a set of logical connections for which the connection order information is valid,
The determination unit establishes a logical connection between other nodes in the same connection group to be established prior to a logical connection between the subordinate node and the subject node based on the connection state information. 9. The server device according to claim 8, wherein if it is determined that the logical node is not valid, it is determined that the logical connection between the subordinate node and the subject node is not valid. The topology information further includes connection constraint vector set information representing a relationship with all other logical connections allowed in the communication network as information on the constraint condition,
The determination unit identifies and specifies a logical connection between other nodes that should be established when establishing a logical connection between the subordinate node and the subject node based on the connection constraint vector set information. And determining that the logical connection between the subordinate node and the subject node is not valid when it is determined that the logical connection between the other nodes is not established based on the connection state information. The server device according to claim 7. The topology information includes physical connectivity request information indicating whether or not a physical direct connection is necessary as a condition for establishing a logical connection between nodes that allow a logical connection in the communication network;
The topology verification information includes physical connection information indicating whether the subordinate node is physically directly connected to the subject node;
The determination unit determines that the subordinate node and the main node need to be physically directly connected to establish a logical connection between the subordinate node and the main node. And when the physical connection information included in the topology verification information indicates that the subordinate node is not physically directly connected to the main node. The server apparatus according to claim 6, wherein the logical connection between the server and the server is determined not to be valid. A method executed in a node apparatus constituting a communication network,
Obtaining subordinate node authentication information and subordinate node identification information used for authenticating the subordinate node from the subordinate node prior to establishing a logical connection with a subordinate node having a lower logical connection relationship;
The subordinate node authentication information is transmitted to a first server device that authenticates a node on the communication network, and topology verification information including the subordinate node identification information and the self node identification information is transmitted to the communication network. Transmitting to the second server device for determining whether the logical connection between the upper nodes is valid;
Receiving the authentication result of the subordinate node performed by the first server device based on the subordinate node authentication information, and the subordinate node performed by the second server device based on the topology verification information; Receiving a determination result of the validity of the logical connection between:
When the subordinate node is authenticated by the first server device and the logical connection between the subordinate node and the subordinate node is determined to be valid by the second server device, Establishing a logical connection. A node connection management method comprising: A method executed in a server device that determines whether a logical connection between nodes on a communication network is valid,
The server device holds topology information indicating a relationship between nodes in which logical connection is allowed in the communication network and a condition for establishing the logical connection;
Prior to any logical node on the communication network establishing a logical connection with a subordinate node having a lower logical connection relationship with the main node, the subordinate node identifies information on the subordinate node and the subordinate node Receiving topology verification information including identification information of a principal node;
Collating the topology verification information with the topology information to determine the validity of the logical connection between the subordinate node and the subject node;
Transmitting a judgment result of the validity of the logical connection between the subordinate node and the subject node to the subject node.

Images