US20090177802A1 - Service network system and server device - Google Patents

Publication number
US20090177802A1
Authority
US
United States
Prior art keywords
server
client
service provision
service
representative
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/398,613
Inventor
Kazuyoshi Hoshino
Tadashi Kaji
Osamu Takata
Takahiro Fujishiro
Kohei Sawada
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to US12/398,613
Publication of US20090177802A1
Current legal status: Abandoned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols
    • H04L65/1104 Session initiation protocol [SIP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1023 Server selection for load balancing based on a hash applied to IP addresses or costs

Definitions

  • the present invention relates to a service network system and a server device, and more particularly to a service network system and a server device taking load reduction of a SIP server into consideration.
  • JP 2002-108840A discloses a technique by which a receive server receives a connection request as a representative of plural contents servers, and notifies a client of information on a permissible ticket as well as the contents server to be connected.
  • JP 2003-108537A discloses a technique by which a window server receives a connection request as a representative of plural service servers, and notifies a client of information on a service server to be connected.
  • JP 2003-209560A and JP 2003-178028A disclose a technique by which a SIP (session initiation protocol) is used as a protocol of communication start, and user authentication is conducted by the server.
  • JP 2003-242119A, JP 10-177552A, and JP 2003-099402A disclose a technique by which no SIP is used as the protocol of communication start, but a representative authentication server that conducts authentication in block is provided.
  • RFC3261, RFC2246, RFC2327, and “Key Management Extensions for SDP and RTSP” written by F. Lindholm disclose IETF (Internet Engineering Task Force) standards related to the SIP.
  • RFC3261 is related to an RFC (request for comment) of the SIP, and discloses a method of conducting the authentication of the user and the encryption of the TLS message by TLS (transport layer security).
  • RFC2246 discloses the RFC related to the TLS.
  • RFC2327 discloses an RFC related to a method of describing session information (SDP: session description protocol) that is transmitted or received by the SIP.
  • “Key Management Extensions for SDP and RTSP” discloses a method of exchanging key information that is used for encrypting communication data by SDP or RTSP (Real Time Streaming Protocol).
  • In JP 2002-108840A or JP 2003-108537A, communication of the receive server or the window server with a client is conducted by HTTP (hypertext transfer protocol), and the SIP is not considered.
  • JP 2003-209560A discloses a method of acquiring an IP address of the server to be connected by a client.
  • JP 2003-178028A discloses a technique by which a management server that is connected to a network, and an authentication server that is connected to the management server are provided, and a terminal at a data supply side is logged in to a terminal at a data request side.
  • JP 2003-242119A or JP 10-177552A discloses that an authentication server receives a service connection request from a client as a representative server, but service provision is conducted through the authentication server with the result that the authentication server becomes a bottleneck.
  • JP 2003-099402A discloses an authentication representative server, which merely requests authentication from a communication carrier server instead of a service provider.
  • a server device that represents plural service provision servers implements SIP server authentication or SIP message exchange as a representative, and notifies a service provision server of client communication information (encrypted communication information, message authentication information) that is acquired by the SIP message exchange.
  • the service provision server communicates with a client on the basis of the client communication information that is notified from the representative server.
  • FIG. 1 is a block diagram for explaining a system configuration according to a first embodiment
  • FIG. 2 is a block diagram for explaining a client hardware configuration according to the first embodiment
  • FIG. 3 is a block diagram for explaining a hardware configuration of the representative server according to the first embodiment
  • FIG. 4 is a block diagram for explaining a hardware configuration of the service provision server according to the first embodiment
  • FIG. 5A is a transition diagram for explaining a communication of the client, the SIP server, the representative server, and the service provision server with each other according to the first embodiment (No. 1);
  • FIG. 5B is a transition diagram for explaining the communication of the client, the SIP server, the representative server, and the service provision server with each other according to the first embodiment (No. 2);
  • FIG. 6 is a diagram for explaining a processing flow of the client according to the first embodiment
  • FIG. 7A is a diagram for explaining a processing flow of the representative server according to the first embodiment (No. 1);
  • FIG. 7B is a diagram for explaining a processing flow of the representative server according to the first embodiment (No. 2);
  • FIG. 8 is a flowchart for explaining processing of the service provision server according to the first embodiment
  • FIG. 9 is a diagram for explaining a server selection table provided by the service provision server according to the first embodiment.
  • FIG. 10 is a diagram for explaining a communication setting table provided by the representative server according to the first embodiment.
  • FIG. 11 is a diagram for explaining a service connection table provided by the representative server according to the first embodiment
  • FIG. 12 is a diagram for explaining a configuration of a service connection request addressed to a SIP server from a client and a message header according to the first embodiment
  • FIG. 13 is a diagram for explaining a message body of the service connection request addressed to the SIP server from the client according to the first embodiment
  • FIG. 14 is a diagram for explaining a configuration of a service connection response addressed to the SIP server from the representative server and a message header according to the first embodiment
  • FIG. 15 is a diagram for explaining a message body of the service connection request addressed to the SIP server from the client according to the first embodiment
  • FIG. 16 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body according to the first embodiment
  • FIG. 17 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body according to the first embodiment
  • FIG. 18 is a diagram for explaining a configuration of a service disconnection request addressed to the SIP server from the client and a message header according to the first embodiment
  • FIG. 19 is a diagram for explaining a message body of a service disconnection request addressed to the SIP server from the client according to the first embodiment
  • FIG. 20 is a diagram for explaining a configuration of a service disconnection response addressed to the SIP server from the representative server and a message header according to the first embodiment
  • FIG. 21 is a diagram for explaining a message body of a service disconnection response addressed to the SIP server from the representative server according to the first embodiment
  • FIG. 22 is a diagram for explaining a configuration of a client communication information deletion request addressed to the service provision server from the representative server and a message body according to the first embodiment
  • FIG. 23 is a diagram for explaining a configuration of a client communication information deletion response addressed to the representative server from the service provision server and a message body according to the first embodiment
  • FIG. 24 is a diagram for explaining a configuration of data that is communicated between the service provision server and the client according to the first embodiment
  • FIG. 25 is a diagram for explaining a configuration of encrypted data that is communicated between the service provision server and the client according to the first embodiment
  • FIG. 26A is a flowchart showing the processing of a representative server according to a second embodiment (No. 1);
  • FIG. 26B is a flowchart showing the processing of a representative server according to the second embodiment (No. 2);
  • FIG. 27 is a flowchart showing the processing of a service provision server according to the second embodiment
  • FIG. 28 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body according to the second embodiment.
  • FIG. 29 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body according to the second embodiment.
  • a network 50 - 1 is connected with a plurality of clients 10 ( 10 - 1 , 10 - 2 , . . . ), a session management server (hereinafter referred to as “SIP server”) 20 having a session management function, a representative server 30 , and a plurality of service provision servers 40 ( 40 - 1 , 40 - 2 , . . . ).
  • the representative server 30 and the service provision server 40 are also connected to a network 50 - 2 .
  • the service provision server 40 includes an instant message server, a content distribution server that supplies various contents information to a client, and a conference call server that supports a conference call among a plurality of clients.
  • the letter strings that are attached to the respective clients 10 and the representative servers 30 and put in the parentheses indicate the device addresses that are used by IP packets which are transferred on the network 50 - 1 .
  • Each of those addresses partially includes an address “aaa.com” of the SIP server 20 , by which it is found that those terminals and the representative server belong to the SIP server 20 .
  • the connection (setting of the session) and the disconnection (end of the session) between each of the clients 10 and the representative server 30 are conducted through the SIP server 20 .
  • the IP addresses are as follows: the client 1 [cll@aaa.com]: 192.0.2.1, the SIP server: 102.0.2.2, the service provision server 1 : 192.0.2.3, and the representative server [sv1@aaa.com]: 192.0.2.4.
  • the network 50 - 1 is used to communicate between the client and the representative server and between the client and the service provision server.
  • the network 50 - 2 is a server in-room LAN, and used to communicate between the representative server 30 and the service provision servers 40 .
  • the reason why the network 50 - 1 and the network 50 - 2 are separated from each other is to protect confidential information such as a message authentication parameter which is transmitted or received between the representative server 30 and the service provision servers 40 .
  • the representative server 30 and the service provision servers 40 may conduct a communication by using the network 50 - 1 .
  • the client 10 is made up of a processor (CPU) 12 , a memory 11 that temporarily stores various programs which are executed by the processor 12 and various tables to which the programs refer therein, an external storage device 13 that saves the various programs and the various tables to which the programs refer, and a network interface 14 that is connected to the network 50 - 1 , which are connected to a bus 15 .
  • the representative server 30 shown in FIG. 3 is made up of a processor (CPU) 32 , a memory 31 that temporarily stores various programs which are executed by the processor 32 and various tables to which the programs refer, an external storage device 33 that saves the various programs and the various tables to which the programs refer, a network interface 34 - 1 that is connected to the network 50 - 1 , and a network interface 34 - 2 that is connected to the network 50 - 2 , which are connected to a bus 35 .
  • the network 50 - 1 and the network 50 - 2 are physically separated from each other, and an access is conducted by using the individual network interfaces 34 - 1 and 34 - 2 .
  • the network 50 - 1 and the network 50 - 2 are logically separated from each other by setting a router or a firewall, thereby making it possible to access both the network 50 - 1 and the network 50 - 2 from one network interface.
  • the service provision server 40 shown in FIG. 4 is identical in configuration with the representative server described with reference to FIG. 3 . That is, the service provision server 40 is made up of a processor (CPU) 42 , a memory 41 that temporarily stores various programs which are executed by the processor 42 and various tables to which the programs refer, an external storage device 43 that saves the various programs and the various tables to which the programs refer, a network interface 44 - 1 that is connected to the network 50 - 1 , and a network interface 44 - 2 that is connected to the network 50 - 2 , which are connected to a bus 45 . It is possible to access both the network 50 - 1 and the network 50 - 2 from one network interface.
  • the mutual authentication and the encrypted communication setting are first conducted by a TLS negotiation that is disclosed in RFC 3261 between the SIP server 20 and the representative server 30 (T 501 : called “SIP server authentication”). Subsequently, a REGISTER request (REGISTER message), which is a SIP request that registers the sender's own location, is transmitted to the SIP server 20 from the representative server 30 (T 502 ). The SIP server 20 registers the location of the representative server 30 described in the received REGISTER request, and then transmits 200 OK, which is a SIP response code indicating normal completion, to the representative server 30 (T 503 ). The REGISTER message must be sent by the receiving side (invited side).
  • the mutual authentication and the encrypted communication setting are conducted between the client 10 - 1 and the SIP server 20 by the TLS negotiation (T 504 ).
  • the SIP server 20 transmits 100 Trying indicative of on-connection to the client 10 - 1 (T 507 ), and then transfers the INVITE request to the representative server 30 (T 508 ).
  • the representative server 30 transmits 100 Trying to the SIP server 20 (T 509 ), and then transmits a client communication information setting request to the service provision server 40 - 1 (T 510 ).
  • the service provision server 40 - 1 receives the client communication information setting request, and sends back the client communication information setting response to the representative server 30 (T 511 ).
  • the representative server 30 that has received the client communication information setting response transmits 200 OK that is a service connection response to the SIP server 20 (T 512 ).
  • the SIP server 20 that has received the 200 OK transmits 200 OK to the client 10 - 1 , likewise (T 513 ).
  • the client 10 - 1 that has received 200 OK which is a service connection response transmits an ACK request which is a SIP request of the service connection confirmation to the SIP server 20 (T 514 ).
  • the SIP server 20 that has received the ACK request transmits the ACK request to the representative server 30 (T 515 ). Since the service provision server 40 - 1 and the client 10 - 1 have exchanged their respective IP addresses and port Nos. with each other, the service provision server 40 - 1 and the client 10 - 1 are connected directly to each other and start transmitting and receiving the service data (T 517 ).
  • the SIP server 20 that has received the BYE request transmits the BYE request to the representative server 30 (T 519 ).
  • the representative server 30 that has received the BYE request transmits a client communication information deletion request to the service provision server 40 - 1 (T 520 ).
  • the service provision server 40 - 1 that has received the communication information deletion request transmits the communication information deletion response to the representative server 30 (T 521 ), and the representative server 30 that has received the communication information deletion response transmits a 200 OK that is a service disconnection response to the SIP server 20 (T 522 ).
  • the SIP server 20 that has received the 200 OK transmits the 200 OK that is a service disconnection response to the client (T 523 ). With the above operation, the communication is completed. A communication between the representative server 30 and the service provision server 40 is conducted through the network 50 - 2 shown in FIG. 1 , and other communications are conducted through the network 50 - 1 .
  • the client 10 produces a candidate for encrypted communication information which is used for a direct communication with the service provision server, and a candidate for message authentication information (S 601 ).
  • the client 10 transmits an INVITE message that sets those candidates in a body to the SIP server 20 (S 602 ).
  • the client 10 waits for a response from the SIP server (S 603 ), and upon receiving a 200 OK that is a service connection response from the SIP server 20 , the client 10 analyzes the 200 OK message, and acquires the selected encrypted communication information and message authentication information (S 604 ).
  • After the client 10 transmits the ACK message that is a service connection confirmation request to the SIP server 20 (S 605 ), the client 10 transmits and receives application data with respect to the service provision server 40 by using the selected encrypted communication information and message authentication information (S 607 ).
  • the client 10 then transmits to the SIP server 20 a BYE message that carries a request to erase the message authentication information in its body (S 607 ). Thereafter, the client 10 waits for a response from the SIP server (S 608 ), and completes the service use upon receiving the 200 OK that is the service disconnection response from the SIP server 20 .
  • When the client 10 receives an error or times out in Steps 603 or 608 , the operation transitions to error processing in Step 609 or Step 610 .
  • the representative server 30 transmits a REGISTER message that sets the IP address (location) of the representative server 30 as contact information to the SIP server 20 (S 701 ), and waits for a response from the SIP server 20 (S 702 ).
  • When the representative server 30 receives a 200 OK that is a location registration response from the SIP server 20 , the representative server 30 waits to receive a message (S 703 ).
  • the representative server 30 analyzes the INVITE message and acquires the encrypted communication information candidate, the message authentication information candidate, and the application information (S 704 ).
  • the representative server 30 refers to a server selection table (which will be described later with reference to FIG. 9 ) that records a status of the service provision server therein, and selects the service provision server 40 - 1 that communicates directly with the client (S 705 ).
  • the representative server 30 refers to a communication setting table (which will be described later with reference to FIG. 10 ) that registers the encrypted communication information and message authentication information which are usable by the service provision server 40 - 1 therein, and selects the encrypted communication information and the message authentication information which are used for a communication between the client 10 and the service provision server 40 (S 706 ). Then, the representative server 30 transmits the selected encrypted communication information and message authentication information as well as the application information to the select service provision server 40 - 1 as the client communication information setting request (S 707 ), and waits for a response from the service provision server 40 - 1 (S 708 ).
  • When the client communication information setting response indicating that the setting has been normally conducted is returned to the representative server 30 from the service provision server 40 - 1 , the representative server 30 adds an entry to the service connection table (which will be described later with reference to FIG. 11 ), and updates the server selection table. Also, the representative server 30 transmits the 200 OK message including the selected encrypted communication information and message authentication information to the SIP server 20 (S 709 ), and again waits to receive a message (S 703 ).
  • Upon receiving the ACK message from the SIP server 20 that is the service connection confirmation, the representative server 30 again waits for a message (S 703 ). In this situation, upon receiving a BYE message that is the service disconnection request from the SIP server 20 , the representative server 30 analyzes the BYE message, refers to the server selection table, and identifies the service provision server 40 - 1 that is to erase the encrypted communication information and the message authentication information (S 711 ). Then, the representative server 30 transmits a client communication information deletion request to the service provision server 40 - 1 (S 712 ), and waits for a response from the service provision server 40 - 1 (S 713 ).
  • the representative server 30 deletes the entry of the service connection table, and updates the server selection table. Also, the representative server 30 transmits a 200 OK message that notifies the client of the erasing of the message authentication information and the disconnection of the service to the SIP server 20 (S 714 ), and waits for the message receive (S 703 ).
  • When the representative server 30 receives an error or times out in Steps 703 , 708 or 713 , the operation moves to the error processing in Steps 721 , 722 or 723 .
  • When the service provision server 40 starts, the service provision server 40 first waits for a request receive from the representative server 30 (S 801 ). Upon receiving the client communication information setting request, the service provision server 40 analyzes the client communication information setting request from the representative server 30 , and acquires the encrypted communication information, the message authentication information, and the application information (S 802 ). The service provision server 40 sets the encrypted communication information, the message authentication information, and the application information in the client communication information setting table, and then transmits a client communication information setting response to the representative server 30 (S 803 ). Thereafter, the service provision server 40 starts to transmit and receive the service data directly with respect to the client according to the encrypted communication information, the message authentication information, and the application information. Once this has started, the service provision server 40 returns to waiting for the request receive from the representative server 30 even while transmitting or receiving the service data (S 801 ).
  • Upon receiving a client communication information processing request, the service provision server 40 analyzes the request, and stops transmitting and receiving the service data with respect to the client (S 805 ). The service provision server 40 erases the encrypted communication information, the message authentication information, and the application information which are used for the communication with the client from the client communication information setting table. Then, the service provision server 40 transmits a client communication deletion response to the representative server 30 (S 806 ), and again returns to waiting for the request receive from the representative server 30 (S 801 ).
  • a server selection table shown in FIG. 9 is a table that is recorded in the external storage device 33 of the representative server 30 .
  • a server selection table 50 is made up of a service provision server number 51 , the number of client connections 52 , and a response time 53 .
  • the representative server 30 refers to the server selection table 50 , and selects a service provision server that is small in the response time (that is, low in the load) among the service provision servers under the control.
  • a communication setting table shown in FIG. 10 is a table that is recorded in the external storage device 33 of the representative server 30 as with the server selection table.
  • a communication setting table 60 is made up of a service provision server number 61 , an encrypted algorithm 62 that can be communicated by the service provision server, and a message authentication algorithm 63 that can be authenticated by the service provision server.
  • When the representative server 30 receives a new service request, the representative server 30 refers to the communication setting table 60 , and selects, from the options submitted by the client, the encrypted algorithm and the message authentication algorithm which are supported by the selected service provision server. When the selected service provision server does not support those algorithms, the service provision server is changed.
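The selection described for the server selection table 50 and the communication setting table 60 can be sketched as follows. This is an added example, not code from the patent: the table rows are constructed, and the `require_encryption` flag and the encrypted-first ordering of client options are assumptions of this sketch (the text does not say which option the representative server prefers).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ClientOption:
    """One client communication information option offered in the request body."""
    mac_alg: str
    enc_alg: Optional[str]  # None means the option carries no data encryption


# Constructed sample rows; not the values shown in FIG. 9 or FIG. 10.
SERVER_SELECTION_TABLE: Dict[int, Dict[str, int]] = {
    1: {"connections": 12, "response_ms": 8},
    2: {"connections": 3, "response_ms": 5},
    3: {"connections": 20, "response_ms": 30},
}
COMMUNICATION_SETTING_TABLE: Dict[int, Dict[str, set]] = {
    1: {"enc": {"AES-128-CBC"}, "mac": {"HMAC-SHA1", "HMAC-MD5"}},
    2: {"enc": set(), "mac": {"HMAC-SHA1"}},
    3: {"enc": {"AES-128-CBC"}, "mac": {"HMAC-MD5"}},
}


def server_supports(settings: Dict[int, Dict[str, set]],
                    server: int, option: ClientOption) -> bool:
    """True when the server's row in the communication setting table covers the option."""
    caps = settings.get(server)
    if caps is None or option.mac_alg not in caps["mac"]:
        return False
    return option.enc_alg is None or option.enc_alg in caps["enc"]


def select_server_and_option(
    options: List[ClientOption],
    selection: Dict[int, Dict[str, int]],
    settings: Dict[int, Dict[str, set]],
    require_encryption: bool = False,
) -> Optional[Tuple[int, ClientOption]]:
    """Pick the lowest-response-time server that supports one of the client's options.

    Servers are tried in ascending response time; a server that supports none
    of the acceptable options is skipped, which is the "server is changed" step.
    """
    # Assumed policy: try encrypted options before unencrypted ones.
    ranked = sorted(options, key=lambda o: o.enc_alg is None)
    if require_encryption:
        # Hardening switch (assumption): never fall back to an unencrypted option.
        ranked = [o for o in ranked if o.enc_alg is not None]
    for server in sorted(selection, key=lambda s: selection[s]["response_ms"]):
        for option in ranked:
            if server_supports(settings, server, option):
                return server, option
    return None  # no server supports any acceptable option; reject the request


if __name__ == "__main__":
    offered = [ClientOption("HMAC-SHA1", None),
               ClientOption("HMAC-MD5", "AES-128-CBC")]
    print(select_server_and_option(offered, SERVER_SELECTION_TABLE,
                                   COMMUNICATION_SETTING_TABLE))
    print(select_server_and_option(offered, SERVER_SELECTION_TABLE,
                                   COMMUNICATION_SETTING_TABLE,
                                   require_encryption=True))
```

With the constructed tables, the fastest server only supports the unencrypted option, so the outcome depends on whether the operator allows that fallback.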
  • a service connection table shown in FIG. 11 is a table that is recorded in the external storage device 33 of the representative server 30 as with the server selection table and the communication setting table.
  • the service connection table 70 describes a Call-ID 71 that is sent from the client, a From 72 that is an address of the client, a To 73 that is a destination address of the request, and the service provision server that is a connected server 74 selected by the representative server.
  • the tag described in the From 72 and the To 73 is identification information of the address.
  • a service connection request packet 80 from the client to the SIP server as shown in FIG. 12 is a packet that is sent by T 506 in FIG. 5 .
  • the service connection request packet 80 is made up of an IP header 81 , a UDP/TCP header 82 , a service connection request message header 83 , and a service connection request message body 84 .
  • the service connection request message header 83 includes a connection request message of the SIP which is defined by RFC3261.
  • the SDP that is specified by RFC3266 is applied to the session description of the SIP.
  • the service connection request message header 83 includes “INVITE” indicating that the message is intended for the session connection request in a start line as a request method.
  • the service connection request message header 82 also includes URI sv1aaa.com of the representative server in the start line as the destination address.
  • An address of the client that is an originator is described in a Via header.
  • a To header and a From header indicate the destination and the originator, respectively, and a Call-ID is indicative of a session identifier that is designated by the originator.
  • a Cseq header is a Command Sequence and identifies a transaction within the session.
  • a Contact header is indicative of URI of the client 10 - 1 to be registered in the SIP server, and a Content-Type header and a Content-Length are indicative of the definition information on the SDP of the message body 84 .
  • the service request packet body 84 from the client to the SIP server as shown in FIG. 13 is a table made up of a setting item 841 and a setting value 842 .
  • the setting item 841 is made up of a client IP address, a client port number, a client communication information option 1 having no data encryption, a client communication information option 2 that implements data encryption, and the application information.
  • the corresponding setting values of those information are described in the setting value 842 .
  • the client communication information option 1 is made up of a client communication information ID(I), a message authentication code, and an authentication code common key.
  • the client communication information ID(I) is an ID that associates data that has been transmitted by the Initiator with the authentication code and the key.
  • the client communication information option 2 is made up of the client communication information ID (I), the message authentication code, the authentication code common key, a message encrypting method, and an encryption common key.
  • the client communication information ID (I) is an ID that associates the data that has been transmitted by the Initiator with the message authentication code and the encryption common key.
  • a service connection request packet 80 from the client to the SIP server is transferred to the representative server 30 from the SIP server.
  • a service connection response packet 90 from the representative server to the SIP server as shown in FIG. 14 is a packet that is transmitted by T 512 in FIG. 5 .
  • the service connection response packet 90 is made up of an IP header 91 , a UDP/TCP header 92 , a service request message header 93 , and a service connection response message body 94 .
  • the service connection response message header 93 includes a connection response message of the SIP.
  • the service connection response message header 93 includes “200 OK” which indicates that the message is intended for the session response in a start line as a request method. Since the Call-ID header and the Cseq header are the same as the connection request shown in FIG. 12 , it is understood that those headers are the connection response (permission) to the connection request. A To header and a From header are indicative of a destination and an originator of the connection request, respectively, as they are.
  • a service response packet body 94 from the common server to the SIP server as shown in FIG. 15 is a table made up of a setting item 941 and a setting value 942 .
  • the setting item 941 is made up of a client IP address, a client port number, a client communication information that is selected by the representative server, and application information. The corresponding setting values of those information are described in the setting value 942 .
  • the selected client communication information is made up of a client communication information ID(R), a message authentication code, and an authentication code common key.
  • the client communication information ID(R) is an ID that associates the data that has been transmitted by a Responder with the authentication code and the key.
  • the service connection response packet 90 from the representative server to the SIP server is transferred from the SIP server to the client 10 - 1 .
  • a client communication information setting request packet from the representative server to the service provision server as shown in FIG. 16 is a packet that is transmitted by T 510 in FIG. 5 .
  • the client communication information setting request packet 110 is made up of an IP header 111 , a UDP/TCP header 112 , a client communication information setting request message header 113 , a client communication information setting request message body 114 .
  • the client communication information setting request message body 114 is the same as the service connection request message body described with reference to FIG. 13 , except that the client communication information option 2 that has not been selected by the representative server 30 is excluded.
  • the client communication information setting request message body 114 is held in the service provision server 40 as the client communication information setting table.
  • a client communication information setting response packet from the service provision server to the representative server as shown in FIG. 17 is a packet that is transmitted by T 511 in FIG. 5 .
  • the client communication information setting response packet 120 is made up of an IP header 121 , a UDP/TCP header 122 , a client communication information setting response message header 123 , a client communication information setting response message body 124 .
  • the client communication information setting response message body 124 is the same as the service connection response message body described with reference to FIG. 15 . This is because the representative server transfers the message body to the SIP server without changing the message body as it is.
  • the protocol may be a protocol such as an HTTP (HyperText Transport Protocol) other than the SIP.
  • a service disconnection request packet 130 from the client to the SIP server as shown in FIG. 18 is a packet that is sent by T 518 in FIG. 5B .
  • the service disconnection request packet 130 is made up of an IP header 131 , a UDP/TCP header 132 , a service disconnection request message header 133 , and a service disconnection request message body 134 .
  • the service disconnection request message header 133 includes a disconnection request message of the SIP.
  • the service disconnection request message header 133 includes “BYE” that indicates that the message is intended for the session disconnection request in a start line as a request method, and includes “192.0.2.4” which is an IP address of the service provision server.
  • a service disconnection request packet body 134 from the client to the SIP server as shown in FIG. 19 is made up of a setting item 1341 and a setting value 1342 .
  • the setting item 1341 includes an IP address of the client, a port number, and a client communication information ID.
  • a setting value that is noticed by the service connection request message body ( FIG. 13 ) is set to the setting value of the client communication information ID.
  • a service disconnection response packet 140 from the representative server to the SIP server as shown in FIG. 20 is a packet that is sent in T 522 in FIG. 5 .
  • the service disconnection response packet 140 is made up of an IP header 141 , a UDP/TCP header 142 , a service disconnection response message header 143 , and a service disconnection response message body 144 .
  • the service disconnection response message header 143 includes a disconnection response message of the SIP.
  • the service disconnection response message header 143 includes “200 OK” which indicates that the message is intended for the session response in a start line as a request method. Since a Call-ID header and a Cseq header are identical with those of the disconnection request shown in FIG. 18 , it is understood that they are the disconnection response (permission) to the disconnection request.
  • a service disconnection response packet body 144 from the representative server to the SIP server as shown in FIG. 21 is made up of a setting item 1441 and a setting value 1442 .
  • the setting item 1441 includes an IP address and a port number of the service provision server, and a client communication information ID.
  • the setting value that is noticed by the service connection response message body ( FIG. 15 ) is set to the setting value of the client communication information ID.
  • a client communication information deletion request packet 150 from the representative server to the service provision server as shown in FIG. 22 is a packet that is sent by T 520 in FIG. 5 .
  • the client communication information deletion request packet 150 is made up of an IP header 151 , a UDP/TCP header 152 , a client communication information deletion request message header 153 , and a client communication information deletion request message body 154 .
  • the client communication information deletion request message body 154 is identical with the service disconnection request message body described with reference to FIG. 19 .
  • a client communication information deletion response packet 160 from the service provision server to the representative server as shown in FIG. 23 is a packet that is sent by T 521 in FIG. 5 .
  • the client communication information deletion response packet 160 is made up of an IP header 161 , a UDP/TCP header 162 , a client communication information deletion response message header 163 , and a client communication information deletion response message body 164 .
  • the client communication information deletion response message body 164 is the same as the service disconnection response message body described with reference to FIG. 21 . This is because the representative server transfers the message body to the SIP server without changing the message body as it is.
  • the protocol may be a protocol such as an HTTP (HyperText Transport Protocol) other than the SIP.
  • FIG. 24 shows a packet that is communicated between the client and the service provision server in the case where the representative server selects the client communication information option 1 that does not encrypt data in the service request messages from the client shown in FIG. 13 .
  • FIG. 25 shows a packet that is communicated between the client and the service provision server in the case where the representative server selects the client communication information option 2 that encrypts data in the service request messages from the client shown in FIG. 13 .
  • a data packet 170 is made up of an IP header 171 , a UDP/TCP header, a client communication information ID 173 , data 174 , and an HMAC 175 .
  • the client communication information ID 173 is made up of a client communication information ID(R) or a client communication information ID(I).
  • the client refers to the client communication information ID(R) that is attached to data, and grasps a message authentication code (HMAC-SHA1) and an authentication code common key (3541e2af1537fg3712ca12) which correspond to the client communication information ID(R) described with respect to FIG. 15 .
  • the HMAC 175 is demodulated by using the authentication code common key to generate a hash (1).
  • a hash (2) is generated by using data 174 and the message authentication code.
  • a data packet 180 is made up of an IP header 181 , a UDP/TCP header 182 , a client communication information ID 183 , an encrypted data 184 , and an HMAC 185 .
  • the data packet 180 is a streaming data from the service provision server toward the client.
  • the client refers to the client communication information ID(R) (not shown) which is attached to data, and grasps a message authentication code (HMAC-MD5: refer to FIG.
  • an authentication code common key (fe648c578b80a675), a message encrypting method (AES-128-CBC), and an encryption common key (1653fe648c578b424ef), which correspond to the client communication information ID(R).
  • the HMAC 185 is demodulated by using the authentication code common key to generate the hash (1).
  • the encrypted data 184 is demodulated by the encryption common key, and the hash (2) is generated by using the message authentication code.
  • the data packet is data from the data provision server to the client.
  • the service provision server refers to the client communication information ID(I) that is attached to data, and compares the generated two hash values with each other, thereby making it possible to confirm that the client is a regular client.
  • Since the authentication is conducted on only the representative server, it is unnecessary that the service provision server has an electronic certificate.
  • the client confirms a value of the HMAC that is given the message, thereby making it possible to confirm that the service provision server that conducts the communication is a service provision server under a correct representative server.
  • the encrypted communication makes it possible to keep the confidential property of service data.
  • It is unnecessary that the SIP server authenticates the individual service provision servers, and also it is unnecessary that the communication session is held between the SIP server and the individual service provision servers. As a result, the load of the SIP server can be reduced. Also, because the data communication is conducted directly between the client and the service provision server, the representative server does not become the bottleneck of processing. In this embodiment, since the representative server selects the client communication information in a lump, there is an advantage in that the client communication information can be decided by one inquiry.
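The data packet check described for FIG. 24 (client communication information ID, data, HMAC) can be sketched as follows for the option without data encryption. This is an added example, not code from the patent: the 4-byte ID field, the tag placed as the trailing digest-length bytes, the class and function names and the key are assumptions or constructed values, and the check is written as a standard HMAC recomputation with a constant-time comparison rather than the two-hash wording used in the text.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Message authentication codes named in the text, mapped to hashlib constructors.
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-MD5": hashlib.md5}
ID_LEN = 4  # assumed width of the client communication information ID field


class ClientCommunicationSettingTable:
    """Per-ID settings a receiver holds after a setting request; dropped on deletion."""

    def __init__(self) -> None:
        self._entries: Dict[int, Tuple[str, bytes]] = {}

    def set(self, info_id: int, mac_alg: str, key: bytes) -> None:
        if mac_alg not in DIGESTS:
            raise ValueError("unsupported message authentication code: " + mac_alg)
        self._entries[info_id] = (mac_alg, key)

    def delete(self, info_id: int) -> None:
        # Corresponds to erasing the entry when the deletion request arrives.
        self._entries.pop(info_id, None)

    def lookup(self, info_id: int) -> Optional[Tuple[str, bytes]]:
        return self._entries.get(info_id)


def build_packet(info_id: int, mac_alg: str, key: bytes, data: bytes) -> bytes:
    """Sender side: ID || data || HMAC(key, data)."""
    tag = hmac.new(key, data, DIGESTS[mac_alg]).digest()
    return struct.pack("!I", info_id) + data + tag


def verify_packet(table: ClientCommunicationSettingTable,
                  packet: bytes) -> Optional[bytes]:
    """Receiver side: return the data if the HMAC verifies, otherwise None."""
    if len(packet) < ID_LEN:
        return None
    (info_id,) = struct.unpack("!I", packet[:ID_LEN])
    entry = table.lookup(info_id)
    if entry is None:
        return None  # unknown or already deleted ID: no key, so drop the packet
    mac_alg, key = entry
    tag_len = DIGESTS[mac_alg]().digest_size
    if len(packet) < ID_LEN + tag_len:
        return None  # too short to hold a tag for the negotiated algorithm
    data, tag = packet[ID_LEN:-tag_len], packet[-tag_len:]
    expected = hmac.new(key, data, DIGESTS[mac_alg]).digest()
    # compare_digest avoids leaking how many leading tag bytes matched.
    return data if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    table = ClientCommunicationSettingTable()
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    table.set(0x1001, "HMAC-SHA1", key)
    pkt = build_packet(0x1001, "HMAC-SHA1", key, b"frame-0001")
    print(verify_packet(table, pkt))
    table.delete(0x1001)
    print(verify_packet(table, pkt))
```

After the entry is deleted, a replayed packet that verified earlier is rejected because the receiver no longer holds a key for that ID.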
  • FIGS. 26A and 26B are flowcharts showing the processing of a representative server.
  • FIG. 27 is a flowchart showing the processing of a service provision server.
  • FIG. 28 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body.
  • FIG. 29 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body.
  • the representative server selects the encrypted communication information and the message authentication information.
  • the service provision server conducts the selection.
  • In the second embodiment, only differences from the first embodiment will be described. Accordingly, most of the drawings are common to or substantially identical with those of the first embodiment with slight differences.
  • the representative server 30 transmits a “REGISTER” message that sets its own IP address to the SIP server 20 as contact information (S 901 ). After waiting a response from the SIP server 20 (S 902 ), the representative server 30 receives “200 OK” and waits for message receive (S 903 ). After having received “INVITE”, the representative server 30 analyzes the INVITE message, and acquires a candidate for the encrypted communication information, a candidate for the message authentication information, and the application information (S 904 ). The representative server 30 refers to a server selection table ( FIG. 9 ) that records a status of the service provision server therein, and selects a service provision server that communicates with the client (S 905 ).
  • the representative server 30 transmits a candidate for the encrypted communication information, a candidate for the message authentication information, and the application information to the service provision server as a client communication information setting request (S 906 ).
  • When a client communication information setting response which indicates that the normal communication has been conducted is returned from the service provision server 40 - 1 after the representative server 30 waits for a response from the service provision server 40 - 1 (S 907 ), the representative server 30 adds an entry to the service connection table, and updates the server selection table.
  • the representative server 30 transmits a 200 OK message that includes the encrypted communication information and the message authentication information which has been selected by the service provision server 40 - 1 to the SIP server 20 (S 908 ). Then, the representative server 30 again waits for the message receive (S 903 ).
  • Upon receiving an ACK message from the SIP server 20 which is the service connection confirmation, the representative server 30 again waits for the message (S 903 ). In this situation, upon receiving a BYE message which is a service disconnection request from the SIP server 20 , the representative server 30 analyzes the BYE message, refers to the server selection table, and identifies the service provision server 40 - 1 that erases the encrypted communication information and the message authentication information (S 911 ). Then, the representative server 30 transmits a client communication information deletion request to the identified service provision server 40 - 1 (S 912 ), and waits for a response from the service provision server 40 - 1 (S 913 ).
  • When a client communication information deletion response which indicates that the normal communication has been conducted is returned from the service provision server 40 - 1 , the representative server 30 deletes an entry of the service connection table, and updates the server selection table. Also, the representative server 30 transmits a 200 OK message which notifies the client of the erasing of the encrypted communication information and the message authentication information as well as the disconnection of the service to the SIP server 20 (S 914 ), and waits for the message receive (S 903 ). When the representative server 30 receives an error or times out in Step 902 , 907 , or 913 , the representative server 30 moves to the error processing of Steps 921 , 922 , or 923 .
  • When the service provision server 40 starts, the service provision server 40 first waits for a request from the representative server 30 (S 501 ).
  • the service provision server 40 analyzes the client communication information setting request, and then acquires the encrypted communication information option, the message authentication information option, and the application information which are noticed from the representative server 30 (S 502 ).
  • the service provision server 40 selects the encrypted communication information and the message authentication information which are used for communication with the client (S 503 ), sets the encrypted communication information, the message authentication information, and the application information in the client communication information setting table, and transmits a client communication information setting response to the representative server 30 (S 504 ).
  • the service provision server 40 starts to directly transmit and receive the service data with respect to the client according to the encrypted communication information, the message authentication information, and the application information (S 505 ). This start allows the service provision server 40 to transit to the request receive wait status from the representative server 30 even while transmitting or receiving the service data (S 501 ).
  • When the service provision server 40 receives a client communication information deletion request, the service provision server 40 analyzes the request, and stops transmitting and receiving the service data with respect to the client (S 507 ). The service provision server 40 erases the encrypted communication information, the message authentication information, and the application information, which have been used for communication with the client from the client communication information setting table. Then, the service provision server 40 transmits a client communication information deletion response to the representative server 30 (S 508 ), and again returns to the request receive wait from the representative server 30 (S 501 ).
  • a client communication information setting request packet from the representative server to the service provision server as shown in FIG. 28 is a packet that is sent at a portion corresponding to T 510 in FIG. 5 .
  • a client communication information setting request packet 210 is made up of an IP header 211 , a UDP/TCP header 212 , a client communication information setting request message header 213 , and a client communication information setting request message body 214 .
  • the selection from the options submitted by the client is conducted by the service provision server 40 - 1 . Accordingly, the client communication information setting request message body 214 is identical with the service connection request message body described with reference to FIG. 13 .
  • a client communication information setting response packet from the service provision server to the representative server as shown in FIG. 29 is a packet that is sent at a portion corresponding to T 511 in FIG. 5 .
  • a client communication information setting response packet 220 is made up of an IP header 221 , a UDP/TCP header 222 , a client communication information setting response message header 223 , and a client communication information setting response message body 224 .
  • the client communication information setting response message body 224 is identical with the service connection response message body described with reference to FIG. 15 .
  • Since the authentication is conducted with respect to only the representative server, it is unnecessary that the service provision server has an electronic certificate.
  • the client confirms a value of the HMAC that is given the message, thereby making it possible to confirm that the service provision server that conducts the communication is a service provision server under a correct representative server.
  • the encrypted communication makes it possible to keep the confidential property of service data.
  • It is unnecessary that the SIP server authenticates the individual service provision servers, and also it is unnecessary that the communication session is held between the SIP server and the individual service provision servers. As a result, the load of the SIP server can be reduced. Also, because the data communication is conducted directly between the client and the service provision server, the representative server does not become the bottleneck of processing.
  • Since the authentication is conducted with respect to only the representative server, it is unnecessary that the service provision server has an electronic certificate. It is unnecessary that the SIP server authenticates the individual service provision servers, and also it is unnecessary that the communication session is held between the SIP server and the individual service provision servers. As a result, the load of the SIP server can be reduced. Also, because the data communication is conducted directly between the client and the service provision server, the representative server does not become the bottleneck of processing.

Abstract

A server device that represents a plurality of service provision servers implements authentication and a SIP message exchange with respect to a SIP server as a representative, and notifies a service provision server of client communication information that is acquired by the SIP message exchange. The service provision server communicates with a client on the basis of the client communication information that is notified from the representative server.

Description

    CROSS REFERENCE TO RELATED APPLICATION
  • This is a divisional of U.S. application Ser. No. 11/417,054, filed May 4, 2006. This application relates to and claims priority from Japanese Patent Application No. 2005-138082, filed on May 11, 2005. The entirety of the contents and subject matter of all of the above is incorporated herein by reference.
    BACKGROUND OF THE INVENTION
  • The present invention relates to a service network system and a server device, and more particularly to a service network system and a server device taking load reduction of a SIP server into consideration.
  • JP 2002-108840A discloses a technique by which a receive server receives a connection request as a representative of plural contents servers, and notifies a client of information on a permissible ticket as well as the contents server to be connected. Also, JP 2003-108537A discloses a technique by which a window server receives a connection request as a representative of plural service servers, and notifies a client of information on a service server to be connected.
  • JP 2003-209560A and JP 2003-178028A disclose a technique by which a SIP (session initiation protocol) is used as a protocol of communication start, and user authentication is conducted by the server. JP 2003-242119A, JP 10-177552A, and JP 2003-099402A disclose a technique by which no SIP is used as the protocol of communication start, but a representative authentication server that conducts authentication in block is provided.
  • RFC3261, RFC2246, RFC2327, and “Key Management Extensions for SDP and RTSP” written by F. Lindholm disclose IETF (internet engineering task force) standards related to the SIP. RFC3261 is related to an RFC (request for comment) of the SIP, and discloses a method of conducting the authentication of the user and the encryption of the TLS message by TLS (transport layer security). RFC2246 discloses the RFC related to the TLS. RFC2327 discloses an RFC related to a method of describing session information (SDP: session description protocol) that is transmitted or received by the SIP. “Key Management Extensions for SDP and RTSP” discloses a method of exchanging key information that is used for encrypting communication data by SDP or RTSP (Real Time Streaming Protocol).
  • In the case where a service provider provides a service by using a plurality of service provision servers, it is necessary to acquire and install an electronic certificate in each of the service provision servers. Also, when the service provision servers communicate with the SIP server, individually, it is necessary that the SIP server holds communication session information in each of the service provision servers. As a result, a processing load increases.
  • In the technique that is disclosed in JP 2002-108840A or JP 2003-108537, communication of the receive server or a window server with a client is conducted by HTTP (hypertext transfer protocol), and the SIP is not considered. JP 2003-209560A discloses a method by which a client acquires the IP address of the server to be connected.
  • JP 2003-178028A discloses a technique by which a management server that is connected to a network, and an authentication server that is connected to the management server are provided, and a terminal at a data supply side is logged in to a terminal at a data request side. JP 2003-242119A or JP 10-177552A discloses that an authentication server receives a service connection request from a client as a representative server, but service provision is conducted through the authentication server, with the result that the authentication server becomes a bottleneck. JP 2003-099402A discloses an authentication representative server, which merely requests authentication from a communication carrier server instead of a service provider.
  • As described above, the techniques that are disclosed in the patent documents described above do not provide means for solving the problem to be solved by the invention, whether taken singly or in combination. There is proposed a structure in which a load dispersion device that conducts the authentication and encryption is located upstream of the service provision server. In this case, the load dispersion device becomes a bottleneck of processing.
  • SUMMARY OF THE INVENTION
  • A server device that represents plural service provision servers implements SIP server authentication or SIP message exchange as a representative, and notifies a service provision server of client communication information (encrypted communication information, message authentication information) that is acquired by the SIP message exchange. The service provision server communicates with a client on the basis of the client communication information that is notified from the representative server.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • These and other objects and advantages of this invention will become more fully apparent from the following detailed description taken with the accompanying drawings wherein:
  • FIG. 1 is a block diagram for explaining a system configuration according to a first embodiment;
  • FIG. 2 is a block diagram for explaining a client hardware configuration according to the first embodiment;
  • FIG. 3 is a block diagram for explaining a hardware configuration of the representative server according to the first embodiment;
  • FIG. 4 is a block diagram for explaining a hardware configuration of the service provision server according to the first embodiment;
  • FIG. 5A is a transition diagram for explaining a communication of the client, the SIP server, the representative server, and the service provision server with each other according to the first embodiment (No. 1);
  • FIG. 5B is a transition diagram for explaining the communication of the client, the SIP server, the representative server, and the service provision server with each other according to the first embodiment (No. 2);
  • FIG. 6 is a diagram for explaining a processing flow of the client according to the first embodiment;
  • FIG. 7A is a diagram for explaining a processing flow of the representative server according to the first embodiment (No. 1);
  • FIG. 7B is a diagram for explaining a processing flow of the representative server according to the first embodiment (No. 2);
  • FIG. 8 is a flowchart for explaining processing of the service provision server according to the first embodiment;
  • FIG. 9 is a diagram for explaining a server selection table provided by the service provision server according to the first embodiment;
  • FIG. 10 is a diagram for explaining a communication setting table provided by the representative server according to the first embodiment;
  • FIG. 11 is a diagram for explaining a service connection table provided by the representative server according to the first embodiment;
  • FIG. 12 is a diagram for explaining a configuration of a service connection request addressed to a SIP server from a client and a message header according to the first embodiment;
  • FIG. 13 is a diagram for explaining a message body of the service connection request addressed to the SIP server from the client according to the first embodiment;
  • FIG. 14 is a diagram for explaining a configuration of a service connection response addressed to the SIP server from the representative server and a message header according to the first embodiment;
  • FIG. 15 is a diagram for explaining a message body of the service connection request addressed to the SIP server from the client according to the first embodiment;
  • FIG. 16 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body according to the first embodiment;
  • FIG. 17 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body according to the first embodiment;
  • FIG. 18 is a diagram for explaining a configuration of a service disconnection request addressed to the SIP server from the client and a message header according to the first embodiment;
  • FIG. 19 is a diagram for explaining a message body of a service disconnection request addressed to the SIP server from the client according to the first embodiment;
  • FIG. 20 is a diagram for explaining a configuration of a service disconnection response addressed to the SIP server from the representative server and a message header according to the first embodiment;
  • FIG. 21 is a diagram for explaining a message body of a service disconnection response addressed to the SIP server from the representative server according to the first embodiment;
  • FIG. 22 is a diagram for explaining a configuration of a client communication information deletion request addressed to the service provision server from the representative server and a message body according to the first embodiment;
  • FIG. 23 is a diagram for explaining a configuration of a client communication information deletion response addressed to the representative server from the service provision server and a message body according to the first embodiment;
  • FIG. 24 is a diagram for explaining a configuration of data that is communicated between the service provision server and the client according to the first embodiment;
  • FIG. 25 is a diagram for explaining a configuration of encrypted data that is communicated between the service provision server and the client according to the first embodiment;
  • FIG. 26A is a flowchart showing the processing of a representative server according to a second embodiment (No. 1);
  • FIG. 26B is a flowchart showing the processing of a representative server according to the second embodiment (No. 2);
  • FIG. 27 is a flowchart showing the processing of a service provision server according to the second embodiment;
  • FIG. 28 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body according to the second embodiment; and
  • FIG. 29 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body according to the second embodiment.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Hereinafter, a description will be given in more detail of the embodiments of the present invention with reference to the accompanying drawings.
  • First Embodiment
  • A first embodiment of the present invention will be described with reference to FIGS. 1 to 25. FIG. 1 is a block diagram for explaining a system configuration. FIG. 2 is a block diagram for explaining a client hardware configuration. FIG. 3 is a block diagram for explaining a hardware configuration of the representative server. FIG. 4 is a block diagram for explaining a hardware configuration of the service provision server. FIG. 5A is a transition diagram for explaining a communication of the client, the SIP server, the representative server, and the service provision server with each other. FIG. 5B is a transition diagram for explaining the communication of the client, the SIP server, the representative server, and the service provision server with each other. FIG. 6 is a diagram for explaining a processing flow of the client. FIG. 7A is a diagram for explaining a processing flow of the representative server. FIG. 7B is a diagram for explaining a processing flow of the representative server. FIG. 8 is a flowchart for explaining processing of the service provision server. FIG. 9 is a diagram for explaining a server selection table provided by the service provision server. FIG. 10 is a diagram for explaining a communication setting table provided by the representative server. FIG. 11 is a diagram for explaining a service connection table provided by the representative server.
  • FIG. 12 is a diagram for explaining a configuration of a service connection request addressed to a SIP server from a client and a message header. FIG. 13 is a diagram for explaining a message body of the service connection request addressed to the SIP server from the client. FIG. 14 is a diagram for explaining a configuration of a service connection response addressed to the SIP server from the representative server and a message header. FIG. 15 is a diagram for explaining a message body of the service connection request addressed to the SIP server from the client. FIG. 16 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body. FIG. 17 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body. FIG. 18 is a diagram for explaining a configuration of a service disconnection request addressed to the SIP server from the client and a message header. FIG. 19 is a diagram for explaining a message body of a service disconnection request addressed to the SIP server from the client. FIG. 20 is a diagram for explaining a configuration of a service disconnection response addressed to the SIP server from the representative server and a message header. FIG. 21 is a diagram for explaining a message body of a service disconnection response addressed to the SIP server from the representative server. FIG. 22 is a diagram for explaining a configuration of a client communication information deletion request addressed to the service provision server from the representative server and a message body. FIG. 23 is a diagram for explaining a configuration of a client communication information deletion response addressed to the representative server from the service provision server and a message body. FIG. 24 is a diagram for explaining a configuration of data that is communicated between the service provision server and the client. FIG. 25 is a diagram for explaining a configuration of encrypted data that is communicated between the service provision server and the client.
  • In a service network system 100 shown in FIG. 1, a network 50-1 is connected with a plurality of clients 10 (10-1, 10-2, . . . ), a session management server (hereinafter referred to as “SIP server”) 20 having a session management function, a representative server 30, and a plurality of service provision servers 40 (40-1, 40-2, . . . ). The representative server 30 and the service provision server 40 are also connected to a network 50-2. The service provision server 40 includes an instant message server, a content distribution server that supplies various contents information to a client, and a conference call server that supports a conference call among a plurality of clients.
  • The letter strings that are attached to the respective clients 10 and the representative servers 30 and put in the parentheses indicate the device addresses that are used by IP packets which are transferred on the network 50-1. Each of those addresses partially includes an address “aaa.com” of the SIP server 20, which shows that those terminals and the representative server belong to the SIP server 20. The connection (setting of the session) and the disconnection (end of the session) between each of the clients 10 and the representative server 30 are conducted through the SIP server 20. In the following description, the IP addresses are assumed to be: the client 1 [cll@aaa.com]: 192.0.2.1, the SIP server: 102.0.2.2, the service provision server 1: 192.0.2.3, and the representative server [sv1@aaa.com]: 192.0.2.4.
  • The network 50-1 is used to communicate between the client and the representative server and between the client and the service provision server. On the other hand, the network 50-2 is a server in-room LAN, and used to communicate between the representative server 30 and the service provision servers 40. The reason why the network 50-1 and the network 50-2 are separated from each other is to protect confidential information such as a message authentication parameter which is transmitted or received between the representative server 30 and the service provision servers 40. In the case where the encrypted communication is conducted between the representative server 30 and the service provision servers 40, the representative server 30 and the service provision servers 40 may conduct a communication by using the network 50-1.
  • A configuration of the client will be described with reference to FIG. 2. The client 10 is made up of a processor (CPU) 12, a memory 11 that temporarily stores various programs which are executed by the processor 12 and various tables to which the programs refer therein, an external storage device 13 that saves the various programs and the various tables to which the programs refer, and a network interface 14 that is connected to the network 50-1, which are connected to a bus 15.
  • The representative server 30 shown in FIG. 3 is made up of a processor (CPU) 32, a memory 31 that temporarily stores various programs which are executed by the processor 32 and various tables to which the programs refer therein, an external storage device 33 that saves the various programs and the various tables to which the programs refer therein, a network interface 34-1 that is connected to the network 50-1, and a network interface 34-2 that is connected to the network 50-2, which are connected to a bus 35. In the hardware configuration of the representative server, the network 50-1 and the network 50-2 are physically separated from each other, and access is conducted by using the individual network interfaces 34-1 and 34-2. However, the network 50-1 and the network 50-2 may instead be logically separated from each other by setting a router or a firewall, thereby making it possible to access both the network 50-1 and the network 50-2 from one network interface.
  • The service provision server 40 shown in FIG. 4 is identical in configuration with the representative server described with reference to FIG. 3. That is, the service provision server 40 is made up of a processor (CPU) 42, a memory 41 that temporarily stores various programs which are executed by the processor 42 and various tables to which the programs refer therein, an external storage device 43 that saves the various programs and the various tables to which the programs refer therein, a network interface 44-1 that is connected to the network 50-1, and a network interface 44-2 that is connected to the network 50-2, which are connected to a bus 45. It is also possible to access both the network 50-1 and the network 50-2 from one network interface.
  • Referring to FIGS. 5A and 5B, the mutual authentication and the encrypted communication setting are first conducted by a TLS negotiation that is disclosed in RFC 3261 between the SIP server 20 and the representative server 30 (T501: called “SIP server authentication”). Subsequently, a REGISTER request (REGISTER message) that is a SIP request that registers its own location is transmitted to the SIP server 20 from the representative server 30 (T502). The SIP server 20 transmits 200 OK that is a SIP response code indicative of the normal completion to the representative server 30 after having registered the location of the representative server 30 described in the received REGISTER request (T503). The REGISTER message must be issued by the receiving side (invited side).
  • On the other hand, the mutual authentication and the encrypted communication setting are conducted between the client 10-1 and the SIP server 20 by the TLS negotiation (T504). When the INVITE request that is a service connection request is transmitted to the SIP server 20 from the client 10-1 (T506), the SIP server 20 transmits 100 Trying indicative of on-connection to the client 10-1 (T507), and then transfers the INVITE request to the representative server 30 (T508). The representative server 30 transmits 100 Trying to the SIP server 20 (T509), and then transmits a client communication information setting request to the service provision server 40-1 (T510).
  • The service provision server 40-1 receives the client communication information setting request, and sends back the client communication information setting response to the representative server 30 (T511). The representative server 30 that has received the client communication information setting response transmits 200 OK that is a service connection response to the SIP server 20 (T512). The SIP server 20 that has received the 200 OK transmits 200 OK to the client 10-1, likewise (T513).
  • The client 10-1 that has received 200 OK which is a service connection response transmits an ACK request which is a SIP request of the service connection confirmation to the SIP server 20 (T514). The SIP server 20 that has received the ACK request transmits the ACK request to the representative server 30 (T515). Since the service provision server 40-1 and the client 10-1 have exchanged their respective IP addresses and port numbers with each other, the service provision server 40-1 and the client 10-1 are connected directly to each other to start transmitting and receiving the service data (T517).
  • When a BYE request that is a SIP request of the service disconnection request is transmitted to the SIP server 20 from the client 10-1 (T518), the SIP server 20 that has received the BYE request then transmits the BYE request to the representative server 30 (T519). The representative server 30 that has received the BYE request transmits a client communication information deletion request to the service provision server 40-1 (T520). The service provision server 40-1 that has received the communication information deletion request transmits the communication information deletion response to the representative server 30 (T521), and the representative server 30 that has received the communication information deletion response transmits a 200 OK that is a service disconnection response to the SIP server 20 (T522). The SIP server 20 that has received the 200 OK transmits the 200 OK that is a service disconnection response to the client (T523). With the above operation, the communication is completed. A communication between the representative server 30 and the service provision server 40 is conducted through the network 50-2 shown in FIG. 1, and other communications are conducted through the network 50-1.
  • Subsequently, the operation of the client, the representative server, and the service provision server will be described below. Referring to FIG. 6, the client 10 produces a candidate for encrypted communication information which is used for a direct communication with the service provision server, and a candidate for message authentication information (S601). The client 10 transmits an INVITE message that sets those candidates in a body to the SIP server 20 (S602). Thereafter, the client 10 waits for a response from the SIP server (S603), and upon receiving a 200 OK that is a service connection response from the SIP server 20, the client 10 analyzes the 200 OK message, and acquires the selected encrypted communication information and message authentication information (S604).
  • After the client 10 transmits the ACK message that is a service connection confirmation request to the SIP server 20 (S605), the client 10 transmits and receives application data with respect to the service provision server 40 by using the selected encrypted communication information and message authentication information (S607).
  • The client 10 then transmits a BYE message that sets an erasing request of the message authentication information in a body to the SIP server 20 (S607). Thereafter, the client 10 waits for a response from the SIP server (S608), and completes the service use upon receiving the 200 OK that is the service disconnection response from the SIP server 20. When the client 10 receives an error or times out in Steps 603 or 608, the operation is transited to error processing in Step 609 or Step 610.
  • Referring to FIGS. 7A and 7B, when the representative server 30 starts, the representative server 30 transmits a REGISTER message that sets the IP address (location) of the representative server 30 as contact information to the SIP server 20 (S701), and waits for a response from the SIP server 20 (S702). When the representative server 30 receives a 200 OK that is a location registration response from the SIP server 20, the representative server 30 waits for a message receive (S703). When the representative server 30 receives an INVITE message from the SIP server 20, the representative server 30 analyzes the INVITE message and acquires the encrypted communication information candidate, the message authentication information candidate, and the application information (S704). Thereafter, the representative server 30 refers to a server selection table (which will be described later with reference to FIG. 9) that records a status of the service provision server therein, and selects the service provision server 40-1 that communicates directly with the client (S705).
  • The representative server 30 refers to a communication setting table (which will be described later with reference to FIG. 10) that registers the encrypted communication information and message authentication information which are usable by the service provision server 40-1 therein, and selects the encrypted communication information and the message authentication information which are used for a communication between the client 10 and the service provision server 40 (S706). Then, the representative server 30 transmits the selected encrypted communication information and message authentication information as well as the application information to the selected service provision server 40-1 as the client communication information setting request (S707), and waits for a response from the service provision server 40-1 (S708).
  • When the client communication information setting response indicative of a fact that the communication has been normally conducted is returned to the representative server 30 from the service provision server 40-1, the representative server 30 adds an entry to the service connection table (which will be described later with reference to FIG. 11), and updates the server selection table. Also, the representative server 30 transmits the 200 OK message including the selected encrypted communication information and message authentication information to the SIP server 20 (S709), and again waits for the message receive (S703).
  • Upon receiving the ACK message from the SIP server 20 that is the service connection confirmation, the representative server 30 again waits for the message (S703). In this situation, upon receiving a BYE message that is the service disconnection request from the SIP server 20, the representative server 30 analyzes the BYE message, refers to the server selection table, and identifies the service provision server 40-1 that erases the encrypted communication information and the message authentication information (S711). Then, the representative server 30 transmits a client communication information deletion request to the service provision server 40-1 (S712), and waits for a response from the service provision server 40-1 (S713). When the client communication information deletion response indicative of the fact that the communication has been normally conducted is returned from the service provision server 40-1, the representative server 30 deletes the entry of the service connection table, and updates the server selection table. Also, the representative server 30 transmits a 200 OK message that notifies the client of the erasing of the message authentication information and the disconnection of the service to the SIP server 20 (S714), and waits for the message receive (S703). When the representative server 30 receives an error or times out in Steps 703, 708 or 713, the operation is transited to the error processing in Steps 721, 722 or 723.
  • Referring to FIG. 8, when the service provision server 40 starts, the service provision server 40 first waits for a request receive from the representative server 30 (S801). Upon receiving the client communication information setting request, the service provision server 40 analyzes the client communication information setting request from the representative server 30, and acquires the encrypted communication information, the message authentication information, and the application information (S802). The service provision server 40 sets the encrypted communication information, the message authentication information, and the application information in the client communication information setting table, and then transmits a client communication information setting response to the representative server 30 (S803). Thereafter, the service provision server 40 starts to transmit and receive the service data directly with respect to the client according to the encrypted communication information, the message authentication information, and the application information. At a timing of this start, the service provision server 40 transits to waiting for the request receive from the representative server 30 even during transmitting or receiving the service data (S801).
  • Upon receiving a client communication information processing request, the service provision server 40 analyzes the request, and stops transmitting and receiving the service data with respect to the client (S805). The service provision server 40 erases the encrypted communication information, the message authentication information, and the application information which are used for the communication with the client from the client communication information setting table. Then, the service provision server 40 transmits a client communication deletion response to the representative server 30 (S806), and again transits to waiting for the request receive from the representative server 30 (S801).
  • A server selection table shown in FIG. 9 is a table that is recorded in the external storage device 33 of the representative server 30. A server selection table 50 is made up of a service provision server number 51, the number of client connections 52, and a response time 53. When the representative server 30 receives a new service request, the representative server 30 refers to the server selection table 50, and selects a service provision server that is small in the response time (that is, low in the load) among the service provision servers under the control.
  • A communication setting table shown in FIG. 10 is a table that is recorded in the external storage device 33 of the representative server 30 as with the server selection table. A communication setting table 60 is made up of a service provision server number 61, an encrypted algorithm 62 that can be communicated by the service provision server, and a message authentication algorithm 63 that can be authenticated by the service provision server. When the representative server 30 receives a new service request, the representative server 30 refers to the communication setting table 60, and selects the encrypted algorithm and the message authentication algorithm which are adapted to the service provision server that is selected from the options submitted by the client. When the selected service provision server does not adapt to those algorithms, the service provision server is changed.
  • A service connection table shown in FIG. 11 is a table that is recorded in the external storage device 33 of the representative server 30 as with the server selection table and the communication setting table. The service connection table 70 describes a Call-ID 71 that is sent from the client, a From 72 that is an address of the client, a To 73 that is a destination address of the request, and the service provision server that is a connected server 74 selected by the representative server. The tag described in the From 72 and the To 73 is identification information of the address.
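An added sketch, not code from the patent, of how the representative server could work over the three tables described above: pick the service provision server with the lowest response time, match one of the client's offered options against that server's algorithms, move on to the next server if none fits, and record or delete the service connection entry by Call-ID. The algorithm names, addresses, the `require_encryption` switch and the choice to try options in the client's order are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ClientOption:
    """One client communication information option carried in the INVITE body."""
    mac_alg: str                   # message authentication algorithm
    enc_alg: Optional[str] = None  # None models the option without data encryption


@dataclass
class RepresentativeServer:
    selection: dict   # server selection table: number -> {"clients": n, "response_ms": t}
    settings: dict    # communication setting table: number -> (encryption algs, MAC algs)
    connections: dict = field(default_factory=dict)  # service connection table by Call-ID
    require_encryption: bool = False  # hypothetical policy switch, not in the patent

    def _usable(self, server, opt):
        enc_algs, mac_algs = self.settings[server]
        if opt.mac_alg not in mac_algs:
            return False
        if opt.enc_alg is None:
            # An unencrypted option is acceptable only if policy allows it.
            return not self.require_encryption
        return opt.enc_alg in enc_algs

    def on_invite(self, call_id, from_addr, to_addr, options):
        """Return (server number, chosen option), or None if nothing matches."""
        if call_id in self.connections:
            raise ValueError("Call-ID already has a service connection entry")
        # Lowest response time first (taken as lowest load).
        by_load = sorted(self.selection,
                         key=lambda s: self.selection[s]["response_ms"])
        for server in by_load:
            for opt in options:  # assumption: options are tried in the client's order
                if self._usable(server, opt):
                    # Assumes the setting request/response exchange with the
                    # service provision server has completed normally.
                    self.connections[call_id] = {
                        "from": from_addr, "to": to_addr, "server": server}
                    self.selection[server]["clients"] += 1
                    return server, opt
        return None  # no server supports any offered option

    def on_bye(self, call_id):
        """Delete the entry for call_id; return the connected server or None."""
        entry = self.connections.pop(call_id, None)
        if entry is None:
            return None
        self.selection[entry["server"]]["clients"] -= 1
        return entry["server"]


def sample_tables():
    """Constructed table contents, not values from the patent's figures."""
    selection = {1: {"clients": 3, "response_ms": 20},
                 2: {"clients": 1, "response_ms": 35}}
    settings = {1: ({"3DES-CBC"}, {"HMAC-SHA1"}),
                2: ({"AES-128-CBC"}, {"HMAC-SHA1"})}
    return selection, settings


# Constructed offer: option 1 without encryption, option 2 with encryption.
OFFER = [ClientOption("HMAC-SHA1"), ClientOption("HMAC-SHA1", "AES-128-CBC")]


def demo():
    lenient = RepresentativeServer(*sample_tables())
    strict = RepresentativeServer(*sample_tables(), require_encryption=True)
    a = lenient.on_invite("call-1", "client@example.test", "rep@example.test", OFFER)
    b = strict.on_invite("call-1", "client@example.test", "rep@example.test", OFFER)
    return a, b


if __name__ == "__main__":
    for server, opt in demo():
        print("server", server, "MAC", opt.mac_alg, "encryption", opt.enc_alg)
```

With the constructed tables, the lenient instance connects the client to server 1 using the unencrypted option, while the strict instance skips server 1 (no common encryption algorithm) and selects server 2 with the encrypted option.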
  • A service connection request packet 80 from the client to the SIP server as shown in FIG. 12 is a packet that is sent by T506 in FIG. 5. The service connection request packet 80 is made up of an IP header 81, a UDP/TCP header 82, a service connection request message header 83, and a service connection request message body 84. The service connection request message header 83 includes a connection request message of the SIP which is defined by RFC3261. The SDP that is specified by RFC3266 is applied to the session description of the SIP.
  • The service connection request message header 83 includes “INVITE” indicating that the message is intended for the session connection request in a start line as a request method. The service connection request message header 82 also includes URI sv1aaa.com of the representative server in the start line as the destination address.
  • An address of the client that is an originator is described in a Via header. A To header and a From header indicate the destination and the originator, respectively, and a Call-ID is indicative of a session identifier that is designated by the originator. A Cseq header is a Command Sequence and identifies a transaction within the session. A Contact header is indicative of URI of the client 10-1 to be registered in the SIP server, and a Content-Type header and a Content-Length are indicative of the definition information on the SDP of the message body 84.
  • The service request packet body 84 from the client to the SIP server as shown in FIG. 13 is a table made up of a setting item 841 and a setting value 842. The setting item 841 is made up of a client IP address, a client port number, a client communication information option 1 having no data encryption, a client communication information option 2 that implements data encryption, and the application information. The corresponding setting values of those information are described in the setting value 842. The client communication information option 1 is made up of a client communication information ID(I), a message authentication code, and an authentication code common key. The client communication information ID(I) is an ID that associates data that has been transmitted by the Initiator with the authentication code and the key. The client communication information option 2 is made up of the client communication information ID (I), the message authentication code, the authentication code common key, a message encrypting method, and an encryption common key. The client communication information ID (I) is an ID that associates the data that has been transmitted by the Initiator with the message authentication code and the encryption common key. A service connection request packet 80 from the client to the SIP server is transferred to the representative server 30 from the SIP server.
  • A service connection response packet 90 from the representative server to the SIP server as shown in FIG. 14 is a packet that is transmitted by T512 in FIG. 5. The service connection response packet 90 is made up of an IP header 91, a UDP/TCP header 92, a service request message header 93, and a service connection response message body 94. The service connection response message header 93 includes a connection response message of the SIP.
  • The service connection response message header 93 includes “200 OK” which indicates that the message is intended for the session response in a start line as a request method. Since the Call-ID header and the Cseq header are the same as the connection request shown in FIG. 12, it is understood that those headers are the connection response (permission) to the connection request. A To header and a From header are indicative of a destination and an originator of the connection request, respectively, as they are.
  • A service response packet body 94 from the common server to the SIP server as shown in FIG. 15 is a table made up of a setting item 941 and a setting value 942. The setting item 941 is made up of a client IP address, a client port number, a client communication information that is selected by the representative server, and application information. The corresponding setting values for those items are described in the setting value 942. The selected client communication information is made up of a client communication information ID(R), a message authentication code, and an authentication code common key. The client communication information ID(R) is an ID that associates the data that has been transmitted by a Responder with the authentication code and the key. The service connection response packet 90 from the representative server to the SIP server is transferred from the SIP server to the client 10-1.
  • A client communication information setting request packet from the representative server to the service provision server as shown in FIG. 16 is a packet that is transmitted by T510 in FIG. 5. The client communication information setting request packet 110 is made up of an IP header 111, a UDP/TCP header 112, a client communication information setting request message header 113, and a client communication information setting request message body 114. The client communication information setting request message body 114 is the same as the service connection request message body described with reference to FIG. 13, except that the client communication information option 2, which has not been selected by the representative server 30, is excluded. The client communication information setting request message body 114 is held in the service provision server 40 as the client communication information setting table.
  • A client communication information setting response packet from the service provision server to the representative server as shown in FIG. 17 is a packet that is transmitted by T511 in FIG. 5. The client communication information setting response packet 120 is made up of an IP header 121, a UDP/TCP header 122, a client communication information setting response message header 123, and a client communication information setting response message body 124. The client communication information setting response message body 124 is the same as the service connection response message body described with reference to FIG. 15. This is because the representative server transfers the message body to the SIP server as it is, without changing it.
  • In FIGS. 16 and 17, since the communication between the representative server and the service provision server uses the network 50-2, which is a secure local area network, the protocol may be a protocol other than the SIP, such as HTTP (HyperText Transfer Protocol).
  • A service disconnection request packet 130 from the client to the SIP server as shown in FIG. 18 is a packet that is sent by T518 in FIG. 5B. The service disconnection request packet 130 is made up of an IP header 131, a UDP/TCP header 132, a service disconnection request message header 133, and a service disconnection request message body 134. The service disconnection request message header 133 includes a disconnection request message of the SIP. The service disconnection request message header 133 includes “BYE” that indicates that the message is intended for the session disconnection request in a start line as a request method, and includes “192.0.2.4” which is an IP address of the service provision server.
  • A service disconnection request packet body 134 from the client to the SIP server as shown in FIG. 19 is made up of a setting item 1341 and a setting value 1342. The setting item 1341 includes an IP address of the client, a port number, and a client communication information ID. The setting value that was notified by the service connection request message body (FIG. 13) is set as the setting value of the client communication information ID.
  • A service disconnection response packet 140 from the representative server to the SIP server as shown in FIG. 20 is a packet that is sent in T522 in FIG. 5. The service disconnection response packet 140 is made up of an IP header 141, a UDP/TCP header 142, a service disconnection response message header 143, and a service disconnection response message body 144. The service disconnection response message header 143 includes a disconnection response message of the SIP. The service disconnection response message header 143 includes “200 OK” which indicates that the message is intended for the session response in a start line as a request method. Since a Call-ID header and a Cseq header are identical with those of the disconnection request shown in FIG. 18, it is understood that they are the disconnection response (permission) to the disconnection request.
  • A service disconnection response packet body 144 from the representative server to the SIP server as shown in FIG. 21 is made up of a setting item 1441 and a setting value 1442. The setting item 1441 includes an IP address and a port number of the service provision server, and a client communication information ID. The setting value that was notified by the service connection response message body (FIG. 15) is set as the setting value of the client communication information ID.
  • A client communication information deletion request packet 150 from the representative server to the service provision server as shown in FIG. 22 is a packet that is sent by T520 in FIG. 5. The client communication information deletion request packet 150 is made up of an IP header 151, a UDP/TCP header 152, a client communication information deletion request message header 153, and a client communication information deletion request message body 154. The client communication information deletion request message body 154 is identical with the service disconnection request message body described with reference to FIG. 19.
  • A client communication information deletion response packet 160 from the service provision server to the representative server as shown in FIG. 23 is a packet that is sent by T521 in FIG. 5. The client communication information deletion response packet 160 is made up of an IP header 161, a UDP/TCP header 162, a client communication information deletion response message header 163, and a client communication information deletion response message body 164. The client communication information deletion response message body 164 is the same as the service disconnection response message body described with reference to FIG. 21. This is because the representative server transfers the message body to the SIP server as it is, without changing it.
  • In FIGS. 22 and 23, since the communication between the representative server and the service provision server uses the network 50-2, which is a secure local area network, the protocol may be a protocol other than the SIP, such as HTTP (HyperText Transfer Protocol).
  • A packet that is communicated between the client and the service provision server will be described with reference to FIGS. 24 and 25. In this example, FIG. 24 shows a packet that is communicated between the client and the service provision server in the case where the representative server selects the client communication information option 1 that does not encrypt data in the service request messages from the client shown in FIG. 13. Also, FIG. 25 shows a packet that is communicated between the client and the service provision server in the case where the representative server selects the client communication information option 2 that encrypts data in the service request messages from the client shown in FIG. 13.
  • Referring to FIG. 24, a data packet 170 is made up of an IP header 171, a UDP/TCP header, a client communication information ID 173, data 174, and an HMAC 175. The client communication information ID 173 is made up of a client communication information ID(R) or a client communication information ID(I). In this example, it is assumed that the data packet 170 is streaming data from the service provision server toward the client. The client refers to the client communication information ID(R) that is attached to the data, and identifies the message authentication code (HMAC-SHA1) and the authentication code common key (3541e2af1537fg3712ca12) which correspond to the client communication information ID(R) described with respect to FIG. 15. The HMAC 175 is decoded by using the authentication code common key to generate a hash (1). On the other hand, a hash (2) is generated by using the data 174 and the message authentication code. When the hash (1) and the hash (2) are equal to each other, it can be confirmed that the service provision server which is the originator of the data packet 170 is a legitimate service provision server under the representative server.
  • Referring to FIG. 25, a data packet 180 is made up of an IP header 181, a UDP/TCP header 182, a client communication information ID 183, encrypted data 184, and an HMAC 185. In this example, it is assumed that the data packet 180 is streaming data from the service provision server toward the client. The client refers to the client communication information ID(R) (not shown) which is attached to the data, and identifies the message authentication code (HMAC-MD5: refer to FIG. 13), the authentication code common key (fe648c578b80a675), the message encrypting method (AES-128-CBC), and the encryption common key (1653fe648c578b424ef), which correspond to the client communication information ID(R). Then, the HMAC 185 is decoded by using the authentication code common key to generate the hash (1). On the other hand, the encrypted data 184 is decrypted with the encryption common key, and the hash (2) is generated by using the message authentication code. When the hash (1) and the hash (2) are equal to each other, it can be confirmed that the service provision server which is the originator of the data packet 180 is a legitimate service provision server under the representative server. In FIGS. 24 and 25, the data packet is data from the service provision server to the client. Conversely, for data from the client to the service provision server, the service provision server likewise refers to the client communication information ID(I) that is attached to the data, and compares the two generated hash values with each other, thereby making it possible to confirm that the client is a legitimate client.
  • According to this embodiment, because the authentication is conducted only on the representative server, the service provision server does not need to have an electronic certificate. The client checks the value of the HMAC that is attached to the message, thereby making it possible to confirm that the service provision server that conducts the communication is a service provision server under a correct representative server. Also, the encrypted communication makes it possible to keep the service data confidential.
  • The SIP server does not need to authenticate the individual service provision servers, and no communication session needs to be held between the SIP server and the individual service provision servers. As a result, the load of the SIP server can be reduced. Also, because the data communication is conducted directly between the client and the service provision server, the representative server does not become the bottleneck of processing. In this embodiment, since the representative server selects the client communication information all at once, there is an advantage in that the client communication information can be decided by one inquiry.
  • Second Embodiment
  • A second embodiment of the present invention will be described with reference to FIGS. 26 to 29. In this example, FIGS. 26A and 26B are flowcharts showing the processing of a representative server. FIG. 27 is a flowchart showing the processing of a service provision server. FIG. 28 is a diagram for explaining a configuration of a client communication information setting request addressed to the service provision server from the representative server and a message body. FIG. 29 is a diagram for explaining a configuration of a client communication information setting response addressed to the representative server from the service provision server and a message body.
  • In the above-described first embodiment, the representative server selects the encrypted communication information and the message authentication information. On the contrary, in the second embodiment, the service provision server conducts the selection. In the second embodiment, only differences from the first embodiment will be described. Accordingly, most of the drawings are common to or substantially identical with those of the first embodiment with slight differences.
  • A processing flow of the representative server will be described with reference to FIGS. 26A and 26B. When the representative server 30 starts, the representative server 30 transmits a “REGISTER” message that sets its own IP address as contact information to the SIP server 20 (S901). After waiting for a response from the SIP server 20 (S902), the representative server 30 receives “200 OK” and waits to receive a message (S903). After having received “INVITE”, the representative server 30 analyzes the INVITE message, and acquires a candidate for the encrypted communication information, a candidate for the message authentication information, and the application information (S904). The representative server 30 refers to a server selection table (FIG. 9) that records the status of the service provision servers, and selects a service provision server that communicates with the client (S905).
  • The representative server 30 transmits the candidate for the encrypted communication information, the candidate for the message authentication information, and the application information to the service provision server as a client communication information setting request (S906). When a client communication information setting response which indicates that the normal communication has been conducted is returned from the service provision server 40-1 after the representative server 30 waits for a response from the service provision server 40-1 (S907), the representative server 30 adds an entry to the service connection table, and updates the server selection table. Also, the representative server 30 transmits a 200 OK message that includes the encrypted communication information and the message authentication information which have been selected by the service provision server 40-1 to the SIP server 20 (S908). Then, the representative server 30 again waits to receive a message (S903).
  • Upon receiving an ACK message from the SIP server 20 which is the service connection confirmation, the representative server 30 again waits for a message (S903). In this situation, upon receiving a BYE message which is a service disconnection request from the SIP server 20, the representative server 30 analyzes the BYE message, refers to the server selection table, and identifies the service provision server 40-1 that is to erase the encrypted communication information and the message authentication information (S911). Then, the representative server 30 transmits a client communication information deletion request to the identified service provision server 40-1 (S912), and waits for a response from the service provision server 40-1 (S913). When a client communication information deletion response which indicates that the normal communication has been conducted is returned from the service provision server 40-1, the representative server 30 deletes the entry from the service connection table, and updates the server selection table. Also, the representative server 30 transmits a 200 OK message which notifies the client of the erasing of the encrypted communication information and the message authentication information as well as the disconnection of the service to the SIP server 20 (S914), and waits to receive a message (S903). When the representative server 30 receives an error or times out in Step 902, 907, or 913, the representative server 30 transitions to the error processing of Step 921, 922, or 923.
  • Referring to FIG. 27, when the service provision server 40 starts, the service provision server 40 first waits for a request from the representative server 30 (S501). When the service provision server 40 receives a client communication information setting request, the service provision server 40 analyzes the client communication information setting request, and then acquires the encrypted communication information option, the message authentication information option, and the application information which are notified by the representative server 30 (S502). The service provision server 40 selects the encrypted communication information and the message authentication information which are used for communication with the client (S503), sets the encrypted communication information, the message authentication information, and the application information in the client communication information setting table, and transmits a client communication information setting response to the representative server 30 (S504). Thereafter, the service provision server 40 starts to directly transmit and receive the service data with respect to the client according to the encrypted communication information, the message authentication information, and the application information (S505). After this start, the service provision server 40 can return to waiting for a request from the representative server 30 even while transmitting or receiving the service data (S501).
  • When the service provision server 40 receives a client communication information deletion request, the service provision server 40 analyzes the request, and stops transmitting and receiving the service data with respect to the client (S507). The service provision server 40 erases the encrypted communication information, the message authentication information, and the application information, which have been used for communication with the client from the client communication information setting table. Then, the service provision server 40 transmits a client communication information deletion response to the representative server 30 (S508), and again transits to the request receive wait from the representative server 30 (S501).
  • A client communication information setting request packet from the representative server to the service provision server as shown in FIG. 28 is a packet that is sent at a portion corresponding to T510 in FIG. 5. A client communication information setting request packet 210 is made up of an IP header 211, a UDP/TCP header 212, a client communication information setting request message header 213, and a client communication information setting request message body 214. In the second embodiment, the selection from the options submitted by the client is conducted by the service provision server 40-1. Accordingly, the client communication information setting request message body 214 is identical with the service connection request message body described with reference to FIG. 13.
  • A client communication information setting response packet from the service provision server to the representative server as shown in FIG. 29 is a packet that is sent at a portion corresponding to T511 in FIG. 5. A client communication information setting response packet 220 is made up of an IP header 221, a UDP/TCP header 222, a client communication information setting response message header 223, and a client communication information setting response message body 224. The client communication information setting response message body 224 is identical with the service connection response message body described with reference to FIG. 15.
  • According to this embodiment, because the authentication is conducted only with respect to the representative server, the service provision server does not need to have an electronic certificate. The client checks the value of the HMAC that is attached to the message, thereby making it possible to confirm that the service provision server that conducts the communication is a service provision server under a correct representative server. Also, the encrypted communication makes it possible to keep the service data confidential.
  • The SIP server does not need to authenticate the individual service provision servers, and no communication session needs to be held between the SIP server and the individual service provision servers. As a result, the load of the SIP server can be reduced. Also, because the data communication is conducted directly between the client and the service provision server, the representative server does not become the bottleneck of processing.
  • According to the present invention, because the authentication is conducted only with respect to the representative server, the service provision server does not need to have an electronic certificate. The SIP server does not need to authenticate the individual service provision servers, and no communication session needs to be held between the SIP server and the individual service provision servers. As a result, the load of the SIP server can be reduced. Also, because the data communication is conducted directly between the client and the service provision server, the representative server does not become the bottleneck of processing.
  • The foregoing description of the preferred embodiments of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention. The embodiments were chosen and described in order to explain the principles of the invention and its practical application to enable one skilled in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto, and their equivalents.
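The data-packet check described with reference to FIG. 24 (client communication information ID, data, HMAC), written out as an added example that is not part of the patent: the receiver looks up the algorithm and common key by ID, recomputes the HMAC over the received bytes and compares it in constant time, which is the standard way an HMAC is verified. The 4-byte ID field, the trailing tag position, the MAC covering ID plus data, the class and function names, and the key value are all assumptions of this example.

```python
import hashlib
import hmac
import struct

# MAC algorithms named on the page (FIG. 13 options), mapped to hashlib names.
MAC_ALGORITHMS = {"HMAC-SHA1": "sha1", "HMAC-MD5": "md5"}
ID_LEN = 4  # assumption: the client communication information ID is a 4-byte integer


class PacketRejected(Exception):
    """The packet cannot be attributed to a negotiated session."""


class ClientCommTable:
    """Hypothetical stand-in for the client communication information setting table."""

    def __init__(self):
        self._entries = {}

    def set(self, comm_id, mac_name, key):
        # Called when the setting request/response (T510/T511) is processed.
        if mac_name not in MAC_ALGORITHMS:
            raise ValueError(f"unsupported MAC algorithm: {mac_name}")
        self._entries[comm_id] = (MAC_ALGORITHMS[mac_name], key)

    def delete(self, comm_id):
        # Called when the deletion request (T520) is processed after BYE.
        self._entries.pop(comm_id, None)

    def lookup(self, comm_id):
        if comm_id not in self._entries:
            raise PacketRejected(f"unknown communication information ID {comm_id}")
        return self._entries[comm_id]


def compute_tag(digest, key, comm_id, data):
    # Assumption: the tag covers the ID as well as the data, so a packet
    # cannot be re-labelled with another session's ID.
    return hmac.new(key, struct.pack("!I", comm_id) + data, digest).digest()


def build_packet(table, comm_id, data):
    """Sender side: ID | data | HMAC."""
    digest, key = table.lookup(comm_id)
    return struct.pack("!I", comm_id) + data + compute_tag(digest, key, comm_id, data)


def verify_packet(table, packet):
    """Receiver side: return the data if the tag checks out, else raise."""
    if len(packet) < ID_LEN:
        raise PacketRejected("packet shorter than the ID field")
    (comm_id,) = struct.unpack("!I", packet[:ID_LEN])
    digest, key = table.lookup(comm_id)
    tag_len = hashlib.new(digest).digest_size
    if len(packet) < ID_LEN + tag_len:
        raise PacketRejected("packet too short to carry a tag")
    data, received = packet[ID_LEN:-tag_len], packet[-tag_len:]
    expected = compute_tag(digest, key, comm_id, data)
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        raise PacketRejected("HMAC mismatch")
    return data


def is_authentic(table, packet):
    try:
        verify_packet(table, packet)
        return True
    except PacketRejected:
        return False


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    server, client = ClientCommTable(), ClientCommTable()
    server.set(7, "HMAC-SHA1", key)
    client.set(7, "HMAC-SHA1", key)
    pkt = build_packet(server, 7, b"frame-0001")  # constructed streaming data
    print("genuine packet accepted:", is_authentic(client, pkt))
    flipped = pkt[:5] + bytes([pkt[5] ^ 1]) + pkt[6:]
    print("tampered packet accepted:", is_authentic(client, flipped))
    client.delete(7)  # session torn down
    print("packet after deletion accepted:", is_authentic(client, pkt))
```

HMAC-SHA1 and HMAC-MD5 appear here because they are the algorithms the page names; a current deployment would negotiate HMAC-SHA-256 or an AEAD mode instead.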

Claims (7)

1. A service network system, comprising:
a plurality of service provision servers that provide information services;
a session management server that executes a communication protocol for establishing and disconnecting a session according to a request from a client; and
a representative server that is representative of the plurality of service provision servers and executes the communication protocol with respect to the session management server,
wherein said plurality of service provision servers, said session management server, and said representative server are connected to a first network, and
said plurality of service provision servers and said representative server are further connected to a second network.
2. The service network system according to claim 1,
wherein said second network comprises a local area network.
3. The service network system according to claim 1,
wherein said representative server and said plurality of service provision servers communicate with each other on the second network.
4. A server device characterized by being connected to a first network together with a plurality of clients, a plurality of service provision servers that provide information services, and a session management server that executes a communication protocol for establishing and disconnecting a session according to a request from the client, by being connected to a second network together with the plurality of service provision servers, and communicating with the plurality of service provision servers on the second network, and by representing the plurality of service provision servers and executing a communication protocol with respect to the session management server on the first network.
5. The server device according to claim 4, characterized by recording a table including an encrypted algorithm and a message authentication algorithm which can be used by the plurality of service provision servers.
6. The server device according to claim 4, characterized by recording a table including the client and the service provision server that is being used when at least one of the plurality of service provision servers is being used.
7. A server device, comprising:
a processor that is connected to a bus;
a memory that temporarily stores a program which is executed by the processor and a table to which the program refers;
an external storage device that saves the program and the table;
a first network interface that is connected to a first network; and
a second network interface that is connected to a second network,
wherein said first network is connected with a plurality of clients, a plurality of service provision servers that provide information services, and a session management server that executes a communication protocol for establishing and disconnecting a session according to a request from the client,
said second network is connected with the plurality of service provision servers,
a client address and first client communication information which are received from the client are transmitted to the service provision server which is selected from the plurality of service provision servers on the second network, and
a service provision server address and second client communication information which are received from the selected service provision server on the second network are transmitted toward the client.
US12/398,613 2005-05-11 2009-03-05 Service network system and server device Abandoned US20090177802A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/398,613 US20090177802A1 (en) 2005-05-11 2009-03-05 Service network system and server device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2005-138082 2005-05-11
JP2005138082A JP4690767B2 (en) 2005-05-11 2005-05-11 Network system, server device, and communication method
US11/417,054 US8041822B2 (en) 2005-05-11 2006-05-04 Service network system and server device
US12/398,613 US20090177802A1 (en) 2005-05-11 2009-03-05 Service network system and server device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/417,054 Division US8041822B2 (en) 2005-05-11 2006-05-04 Service network system and server device

Publications (1)

Publication Number Publication Date
US20090177802A1 true US20090177802A1 (en) 2009-07-09

Family

ID=37390541

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/417,054 Expired - Fee Related US8041822B2 (en) 2005-05-11 2006-05-04 Service network system and server device
US12/398,613 Abandoned US20090177802A1 (en) 2005-05-11 2009-03-05 Service network system and server device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/417,054 Expired - Fee Related US8041822B2 (en) 2005-05-11 2006-05-04 Service network system and server device

Country Status (3)

Country Link
US (2) US8041822B2 (en)
JP (1) JP4690767B2 (en)
CN (1) CN1863214B (en)

US11550713B1 (en) 2020-11-25 2023-01-10 Amazon Technologies, Inc. Garbage collection in distributed systems using life cycled storage roots
US11593270B1 (en) 2020-11-25 2023-02-28 Amazon Technologies, Inc. Fast distributed caching using erasure coded object parts
US11388210B1 (en) 2021-06-30 2022-07-12 Amazon Technologies, Inc. Streaming analytics using a serverless compute system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020038425A1 (en) * 2000-09-28 2002-03-28 Kanno Shin-Ichi Distributed order reception system, reception server, content server, distributed order reception method, and computer program product
US6374300B2 (en) * 1999-07-15 2002-04-16 F5 Networks, Inc. Method and system for storing load balancing information with an HTTP cookie
US20030051042A1 (en) * 2001-09-13 2003-03-13 International Business Machines Corporation Load balancing method and system for allocation of service requests on a network
US6564261B1 (en) * 1999-05-10 2003-05-13 Telefonaktiebolaget Lm Ericsson (Publ) Distributed system to intelligently establish sessions between anonymous users over various networks
US20030126441A1 (en) * 2001-11-21 2003-07-03 Laux Thorsten O. Method and system for single authentication for a plurality of services
US20050050317A1 (en) * 2000-11-03 2005-03-03 Andre Kramer A system and method of exploiting the security of a secure communication channel to secure a non-secure communication channel
US20050144200A1 (en) * 1999-12-02 2005-06-30 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20060095501A1 (en) * 2003-08-06 2006-05-04 Naoyuki Mochida Relay server, relay server service management method, service providing system and program
US20080086564A1 (en) * 2002-01-15 2008-04-10 Janis Rae Putman Communication application server for converged communication services

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10177552A (en) 1996-12-17 1998-06-30 Fuji Xerox Co Ltd Authentication answer method and authentication answer device using the answer method
JP3603524B2 (en) * 1997-02-05 2004-12-22 株式会社日立製作所 Networking method
US6658473B1 (en) * 2000-02-25 2003-12-02 Sun Microsystems, Inc. Method and apparatus for distributing load in a computer environment
US6862623B1 (en) * 2000-04-14 2005-03-01 Microsoft Corporation Capacity planning for server resources
US6941384B1 (en) * 2000-08-17 2005-09-06 International Business Machines Corporation Methods, systems and computer program products for failure recovery for routed virtual internet protocol addresses
US6954784B2 (en) * 2000-08-17 2005-10-11 International Business Machines Corporation Systems, method and computer program products for cluster workload distribution without preconfigured port identification by utilizing a port of multiple ports associated with a single IP address
US6965930B1 (en) * 2000-10-20 2005-11-15 International Business Machines Corporation Methods, systems and computer program products for workload distribution based on end-to-end quality of service
US6963917B1 (en) * 2000-10-20 2005-11-08 International Business Machines Corporation Methods, systems and computer program products for policy based distribution of workload to subsets of potential servers
US7218626B2 (en) 2001-05-29 2007-05-15 Interdigital Technology Corporation System and method for reducing information communicated between universal mobile telecommunication system multimedia capable units
JP2003029932A (en) * 2001-07-18 2003-01-31 Hitachi Ltd Disk controller
JP2003099402A (en) 2001-09-21 2003-04-04 Nec Soft Ltd Authentication agent server, method and program
JP3842100B2 (en) * 2001-10-15 2006-11-08 株式会社日立製作所 Authentication processing method and system in encrypted communication system
JP2003178028A (en) 2001-12-12 2003-06-27 Sony Corp Network system, information processing device and method, recording medium, and program
JP3640927B2 (en) 2002-01-11 2005-04-20 株式会社エヌ・ティ・ティ・ドコモ IP address obtaining method and client server system in IP network, and client terminal and server used in the client server system
JP2003242119A (en) 2002-02-20 2003-08-29 Pfu Ltd User certification server, and control program therefor
AU2003254880A1 (en) * 2002-08-08 2004-02-25 Sharp Kabushiki Kaisha Communication relay device
US7543061B2 (en) * 2003-06-26 2009-06-02 Microsoft Corporation Method and system for distributing load by redirecting traffic
US7478152B2 (en) * 2004-06-29 2009-01-13 Avocent Fremont Corp. System and method for consolidating, securing and automating out-of-band access to nodes in a data network
CA2632235A1 (en) * 2005-12-02 2007-06-07 Citrix Systems, Inc. Method and apparatus for providing authentication credentials from a proxy server to a virtualized computing environment to access a remote resource

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Rosenberg et al., RFC 3261, SIP: Session Initiation Protocol, June 2002, pages 1-269. *

Also Published As

Publication number Publication date
JP4690767B2 (en) 2011-06-01
US20060288120A1 (en) 2006-12-21
CN1863214A (en) 2006-11-15
CN1863214B (en) 2011-10-26
US8041822B2 (en) 2011-10-18
JP2006318075A (en) 2006-11-24

Similar Documents

Publication Publication Date Title
US8041822B2 (en) Service network system and server device
US6895439B2 (en) Authentication and protection for IP application protocols based on 3GPP IMS procedures
US7813509B2 (en) Key distribution method
US7243370B2 (en) Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication
US7870384B2 (en) Offload processing for secure data transfer
US7441119B2 (en) Offload processing for secure data transfer
US8205074B2 (en) Data communication method and data communication system
US7246233B2 (en) Policy-driven kernel-based security implementation
US20070078986A1 (en) Techniques for reducing session set-up for real-time communications over a network
US20030105977A1 (en) Offload processing for secure data transfer
EP0838930A2 (en) Pseudo network adapter for frame capture, encapsulation and encryption
US7496949B2 (en) Network system, proxy server, session management method, and program
US20030105957A1 (en) Kernel-based security implementation
CN107612931B (en) Multipoint conversation method and multipoint conversation system
CA2551263A1 (en) Method and apparatus for verifying encryption of sip signalling
US7694015B2 (en) Connection control system, connection control equipment and connection management equipment
US20090113063A1 (en) Authentication method and apparatus for integrating ticket-granting service into session initiation protocol
US20050141531A1 (en) Communication relay method and relay device
US20030105952A1 (en) Offload processing for security session establishment and control
JP2006270431A (en) Call controller, terminal, their programs, and communication channel establishment method
JP5022474B2 (en) Server apparatus, communication method and program
JP4035523B2 (en) COMMUNICATION METHOD, ROUTER, ROUTER PROCESSING METHOD, AND PROGRAM
KR100990009B1 (en) Authentication Method for Preventing Man-in-the-Middle Attack in the Negotiation Using SIP Security Mechanism
JP2005333256A (en) System and method for transfer system control, and program for transfer system control

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION