1. Field of the Invention
This invention relates to a mobile communication system having a home agent for transferring a communication packet to a mobile communication device connected to a foreign network and a mobile communication method in the mobile communication system, and more particularly to a mobile communication system and a mobile communication method having high security without the need for intricate maintenance or administration.
The invention also relates to a mobile communication system and a mobile communication method for generating management information of a mobile communication device in the mobile communication system having a home agent for transferring a communication packet to a mobile communication device connected to a foreign network.
2. Description of the Related Art
FIG. 20 is a drawing to show the configuration of a mobile communication system in a related art. FIGS. 21 and 22 are drawings to show the configurations of a mobile communication device 10 and a home agent 20 shown in FIG. 20.
In FIG. 20, a home network 100 is a subnetwork to which the mobile communication device 10 (simply, the device 10) is originally connected. A foreign network 200 is a subnetwork to which the device 10, having moved from the home network 100, is actually connected. The device 10 can be carried portably, and the subnetwork to which the device 10 is connected changes as the device 10 moves. A personal computer 30 is a source node that transmits and receives communication packets to and from the device 10 to conduct communications with it.
The home network 100, the foreign network 200, and the personal computer 30 are connected by Internet 300. The networks 100 and 200 are provided with routers R1 and R2, which are connected to nodes in the networks 100 and 200.
In FIG. 21, the device 10 has memory 11, an address generation section 12, and an authentication section 13; it supports Mobile IPv6 (the mobility extension of the Internet Protocol Version 6 communication protocol) and has the mobile node function of Mobile IP. Specific information identifying the device 10 (for example, an identifier such as a serial number) and a MAC (Media Access Control) address are stored beforehand (for example, at the manufacturing time, repair time, etc., of the device 10) in the memory 11 of the device 10. The address generation section 12 generates the IP address of the device 10 and stores it in the memory 11. The authentication section 13 authenticates the node of the communicating party.
The device 10 is assigned a home address and a care-of address. The home address is assigned uniquely to the device 10 independently of the subnetwork to which it is connected and carries the same network address (prefix) as the home network 100. The care-of address is an address assigned in the foreign network 200.
In FIG. 22, the home agent 20 has memory 21, a transfer section 22, and an authentication section 23 and operates on a node in the home network 100. When the device 10 exists in the foreign network 200, the home agent 20 receives a communication packet addressed to the device 10 and references the contents of the memory 21 and the transfer section 22 transfers the communication packet to the device 10. The authentication section 23 performs authentication of the node of the communicating party.
The operation of the mobile communication system is as follows:
First, the operation of registering the device 10 in the home agent 20 will be discussed.
The user starts the home agent 20 in a node having a home agent function on the home network 100 and installs the device 10 in the home network 100. The router R1 gives a prefix (corresponding to the network address of the home network 100) to the device 10. Accordingly, the address generation section 12 of the device 10 generates the home address of the device 10 from the MAC address stored in the memory 11 of the device 10 and the given prefix, and stores the home address in the memory 11. It also stores the home address in the memory 21 of the started home agent 20. A shared key generation section (not shown) generates a first shared key and stores it in the memory 11 of the device 10 and in the memory 21 of the home agent 20.
The user creates a list recording the serial number and the home address of the device 10 in the personal computer 30, etc., to distinguish the device 10 from other devices.
Next, the operation of registering installation of the device 10 in the foreign network 200 in the home agent 20 will be discussed.
The device 10 is installed in the foreign network 200. The router R2 in the foreign network 200 gives a prefix (corresponding to the network address of the foreign network 200) to the device 10. Accordingly, the address generation section 12 of the device 10 generates the care-of address of the device 10 in the foreign network 200 from the MAC address stored in the memory 11 of the device 10 and the given prefix, and stores the care-of address in the memory 11.
The device 10 transmits a communication packet including the care-of address to the home agent 20. At that time, it uses the first shared key stored in the memory 11 to prove its validity to the home agent 20. The authentication sections 13 and 23 of the device 10 and the home agent 20 perform authentication based on the first shared key. If authentication succeeds, a communication packet encrypted with the first shared key is transmitted and received, and the care-of address in the communication packet is stored in the memory 21; the home address and the care-of address of the device 10 are registered in the memory 21 in association with each other.
Next, the operation of transmission of a communication packet from the personal computer 30 to the device 10 connected to the foreign network 200 will be discussed.
The user searches the list for the home address of the device 10 with the identifier of the device 10 as a keyword and enters the home address of the device 10 in the personal computer 30. The personal computer 30 transmits a communication packet with the home address of the device 10 as the destination. The home agent 20 receives the communication packet, determines the actual destination from the correspondence between the home address and the care-of address in the memory 21, and transmits the communication packet to the device 10 with the care-of address as the destination. Accordingly, the communication packet transmitted from the personal computer 30 arrives at the device 10 in the foreign network 200 and communications are started between the device 10 and the personal computer 30.
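The registration, move, and transfer flow described above, modelled in Python as an added example (this is not code from the patent). The construction of an address from the router prefix and the MAC address, the use of HMAC-SHA256 keyed with the first shared key as the authentication mechanism, and all class names, function names and sample values are assumptions; the text names neither the address derivation nor the authentication algorithm.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, Optional


def generate_address(prefix: str, mac: str) -> str:
    """Assumed, simplified derivation of an address from the router prefix and
    the MAC address (real Mobile IPv6 uses a modified EUI-64 interface id)."""
    hexmac = mac.lower().replace(":", "")            # 12 hex digits
    iid = f"{hexmac[0:4]}:{hexmac[4:8]}:{hexmac[8:12]}"
    return str(ipaddress.IPv6Address(f"{prefix}::{iid}"))


def auth_tag(key: bytes, *fields: str) -> str:
    """Tag over the packet fields; HMAC-SHA256 under a shared key is assumed."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class MobileDevice:
    """Device 10: serial number and MAC stored in memory 11 at manufacture."""

    def __init__(self, serial: str, mac: str) -> None:
        self.serial = serial
        self.mac = mac
        self.home_address: Optional[str] = None
        self.care_of_address: Optional[str] = None
        self.first_shared_key: Optional[bytes] = None

    def attach(self, prefix: str, is_home: bool) -> str:
        """Router R1/R2 gives a prefix; address generation section 12 derives
        the home or care-of address and keeps it in memory 11."""
        addr = generate_address(prefix, self.mac)
        if is_home:
            self.home_address = addr
        else:
            self.care_of_address = addr
        return addr

    def binding_update(self) -> Dict[str, str]:
        """Registration packet sent to the home agent after the move."""
        assert self.home_address and self.care_of_address and self.first_shared_key
        return {
            "home": self.home_address,
            "coa": self.care_of_address,
            "tag": auth_tag(self.first_shared_key, self.home_address, self.care_of_address),
        }


class HomeAgent:
    """Home agent 20: memory 21 holds the key and the home/care-of binding."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.bindings: Dict[str, Optional[str]] = {}

    def register_home(self, device: MobileDevice) -> None:
        """Initial registration on the home network: record the home address
        and share a freshly generated first shared key with the device."""
        key = secrets.token_bytes(32)
        device.first_shared_key = key
        self.keys[device.home_address] = key
        self.bindings[device.home_address] = None

    def receive_binding_update(self, pkt: Dict[str, str]) -> bool:
        """Store the care-of address only if the tag verifies under the key
        registered for that home address; unknown or forged updates are dropped."""
        key = self.keys.get(pkt["home"])
        if key is None:
            return False
        expected = auth_tag(key, pkt["home"], pkt["coa"])
        if not hmac.compare_digest(expected, pkt["tag"]):
            return False
        self.bindings[pkt["home"]] = pkt["coa"]
        return True

    def forward(self, dst_home_address: str) -> Optional[str]:
        """Transfer section 22: where a packet for the home address really goes."""
        return self.bindings.get(dst_home_address)


def run_scenario() -> Dict[str, object]:
    """Registration at home, move to the foreign network, binding update, forwarding."""
    ha = HomeAgent()
    dev = MobileDevice(serial="SN-0001", mac="00:11:22:33:44:55")   # constructed
    home = dev.attach("2001:db8:1", is_home=True)        # prefix from R1 (constructed)
    ha.register_home(dev)
    coa = dev.attach("2001:db8:2", is_home=False)        # prefix from R2 (constructed)
    registered = ha.receive_binding_update(dev.binding_update())

    # Without the first shared key, a party that knows only the addresses cannot
    # make the home agent redirect the device's traffic: the update is rejected.
    bogus = "2001:db8:9::1"
    forged = {"home": home, "coa": bogus, "tag": auth_tag(b"not-the-key", home, bogus)}
    forged_accepted = ha.receive_binding_update(forged)

    return {
        "home_address": home,
        "care_of_address": coa,
        "registered": registered,
        "forged_accepted": forged_accepted,
        "forwarded_to": ha.forward(home),   # what PC 30's packet is transferred to
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the forged update is the one the passage relies on: the binding in memory 21 is only as trustworthy as the first shared key, so the home agent must verify every registration before it changes where traffic for a home address is sent.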
JP-B-3617952 and JP-B-3621917 are referred to as related art.
In the mobile communication system described above, the user uses the specific information of the device 10 to identify the destination device 10 from among a plurality of devices. Thus, the user needs to create a list recording the serial number and the home address of the device 10 in the personal computer 30, etc., search the list for the home address of the device 10 by its specific information, and enter the home address of the device 10 in the personal computer 30. That is, the list describing the correspondence between the specific information of the device 10 and the home address must be managed in addition.
As the number of devices 10 increases, the following problems arise: (1) the time and labor for creating the list are required accordingly; (2) the possibility that an error will occur at the list creating time is high; (3) the time and labor for searching an enormous list for the device 10 each time communications with the device 10 are conducted are required; and (4) the possibility that a setting mistake will occur when the home address obtained from the list is set in the personal computer 30 is high.
The home network 100 to which the device 10 belongs is often constructed originally by the user and the time and labor for administration, maintenance, and management of the home network 100 and the home agent 20 are required; this is a problem.
Further, a malicious third party obtaining the list can conduct communications with the device 10; this is a problem.
In the mobile communication system described above, a plurality of devices 10 are connected to the foreign network, and to use the specific information of the device 10 to identify the destination device 10 from among them, the user additionally creates and manages, in the personal computer 30, etc., a list recording the serial number (specific information) and the home address of each device 10 in association with each other. The user searches the list for the home address of the device 10 by its specific information and enters the home address in the personal computer 30, whereby communications between the specific device 10 and the personal computer 30 are conducted.
In such a configuration, as the number of devices 10 increases, the time and labor for the user to create the list increase accordingly, and an error may occur when the list is created. As the number of devices 10 increases, the amount of data stored in the personal computer 30 also grows, and if the storage capacity of the personal computer 30 is not large, the load on the apparatus grows.
It is also necessary to search an enormous list for the device 10 each time communications with it are conducted, which takes time and labor, and a setting mistake may occur when the home address obtained from the list is entered in the personal computer 30.
To overcome such problems, it is conceivable that, when delivering the device 10 to the user, the device provider such as the manufacturer delivers the device 10 together with an external storage device 50, such as a USB storage device, recording the serial number and the home address of the device 10 in association with each other.
FIG. 23 shows a configuration example of a mobile communication system that performs authentication with an external storage device connected. With this configuration, the memory of the personal computer 30 is not consumed, so the load on the apparatus is decreased. A second shared key is stored in each of the delivered device 10 and the delivered external storage device 50, as shown in FIGS. 24 and 25, so that authentication can be performed between the device 10 and the external storage device 50. When the external storage device 50 is connected to the personal computer 30, the device 10 with which to conduct communications can be determined, so the need to reference the list created in the personal computer 30, etc., is eliminated and the load on the user is lightened.
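The external-storage variant of FIG. 23, modelled in Python as an added example (not code from the patent). The challenge-response between the device 10 and the external storage device 50 using HMAC-SHA256 under the second shared key, the provisioning step by the device provider, and all names and sample values are assumptions; the text only states that a second shared key is stored on both sides and that authentication is performed between them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class Device:
    """Device 10 as delivered: home address and second shared key in memory 11."""

    def __init__(self, serial: str, home_address: str, second_key: bytes) -> None:
        self.serial = serial
        self.home_address = home_address
        self._second_key = second_key

    def respond(self, challenge: bytes) -> bytes:
        """Prove possession of the second shared key (HMAC response is assumed)."""
        return hmac.new(self._second_key, challenge, hashlib.sha256).digest()


class ExternalStorage:
    """External storage device 50 delivered with the device (serial, home
    address, second shared key), replacing the list kept on the PC."""

    def __init__(self, serial: str, home_address: str, second_key: bytes) -> None:
        self.serial = serial
        self.home_address = home_address
        self.second_key = second_key


def provision(serial: str, home_address: str) -> Tuple[Device, ExternalStorage]:
    """Device provider pairs one device with one storage device by a fresh key."""
    key = secrets.token_bytes(32)
    return Device(serial, home_address, key), ExternalStorage(serial, home_address, key)


class PersonalComputer:
    """PC 30: keeps no list; the destination comes from the connected storage."""

    def __init__(self) -> None:
        self.storage: Optional[ExternalStorage] = None

    def connect(self, storage: ExternalStorage) -> None:
        self.storage = storage

    def resolve_destination(self, device: Device) -> Optional[str]:
        """Challenge the device with the key on the connected storage and return
        the recorded home address only if the device holds the same key."""
        if self.storage is None:
            return None
        challenge = secrets.token_bytes(16)
        expected = hmac.new(self.storage.second_key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, device.respond(challenge)):
            return None
        return self.storage.home_address


def run_scenario() -> Dict[str, Optional[str]]:
    """Two delivered device/storage pairs; only the matching pair resolves."""
    dev_a, usb_a = provision("SN-0001", "2001:db8:1::1")   # constructed values
    dev_b, usb_b = provision("SN-0002", "2001:db8:1::2")
    pc = PersonalComputer()
    pc.connect(usb_a)
    matched = pc.resolve_destination(dev_a)      # same pair: home address found
    mismatched = pc.resolve_destination(dev_b)   # other device: rejected, no address
    pc.connect(usb_b)                            # the user must swap sticks per device
    second = pc.resolve_destination(dev_b)
    return {"matched": matched, "mismatched": mismatched, "second": second}


if __name__ == "__main__":
    print(run_scenario())
```

The model makes the management cost visible: because the key and the home address live only on the storage device, selecting a different device means connecting a different storage device, which is exactly the one-to-one proliferation the following paragraphs describe. It also shows that the storage device is the credential itself, so its custody matters in the same way the list's did.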
In this form, in which the device provider, when delivering the device 10 to the user, also delivers a product stored in the external storage device 50 recording the serial number and the home address of the device 10 in association with each other, a user who purchases a large number of devices 10 comes to possess as many external storage devices 50 as there are devices 10; managing the external storage devices in order to manage a plurality of devices is intricate for the user.
For the user, it is desirable that management of the devices 10 connected to the foreign network 200, such as grouping, can be set according to how the devices are administered. For example, to manage a plurality of devices, the user might want to group them according to their administration: either, as in a first grouping example, the devices are grouped into several blocks and managed for each installation area, or, as in a second grouping example, a plurality of managers is adopted and devices 1 to n-1 are managed by a first manager F while devices n to N are managed by a second manager, as shown in FIG. 26.
In FIG. 23, however, no such grouping is assumed. That is, the external storage devices 50 are provided in one-to-one correspondence with the devices 10, and thus additional intricate work such as listing becomes necessary for grouping, etc., to manage the devices 10.