1. Technical Field
Aspects of the present invention relate to an IP (Internet Protocol) network system and its access control method, IP address distributing device and IP address distributing method, and, more specifically, relate to an access control technology using an IP address.
2. Description of the Related Art
Conventionally, in order for a device that controls the network layer (hereinafter “network layer control device”), such as a router, to perform access control using an IP address, the network layer control device needs to have a setting of permission/non-permission for the transfer of packets based on the IP address. To perform access control at the network layer for each user by using the network layer control device, a communication policy of permission/non-permission for communication is first determined for each user. Then, a MAC (Media Access Control) address of a terminal used by each user and an IP address used by each user are managed in association with each other. Access control is eventually implemented by setting, for the network layer control device such as a router, permission/non-permission for communication using the IP address according to the communication policy for each user. In this case, when the user changes the IP address to use, the setting of the network layer control device must be changed according to the change. In addition, when the user changes the terminal to use, the MAC address must be changed, as well.
As related art, Japanese Patent Laid-Open No. 2004-172931 (hereinafter “Patent Document 1”) discloses a firewall system supporting dynamic IP address assignment. The system disclosed in Patent Document 1 controls, based on the MAC address of each terminal, access to the Internet from a terminal to which an IP address with an assignment time limit has been dynamically assigned, and blocks access to the Internet from a terminal using an IP address with an expired assignment time limit.
In addition, Japanese Patent Laid-Open No. Hei. 10-135982 (hereinafter “Patent Document 2”) discloses a technology for assigning multiple IP addresses to one MAC address. In Patent Document 2, activation of a different server application is thereby enabled among multiple server applications that have been waiting for an incoming transmission at the same port number, if the IP addresses are different even though the MAC address and the port number are the same.
However, when access control using an IP address specific to each user is performed in an IP network system using the network layer control device such as a router according to the related art as described above, the following problems occur.
If a network layer control device such as a router according to the related art performs filtering for individual users on the basis of an IP address used by each user, the router setting for the entire IP network system has to be changed every time the IP address used by each user or a communication policy for each user is changed. This increases the load on the router for performing setting change processing. Even if the IP address used by each user or the communication policy for each user is fixed to avoid the increase of the load for performing the setting change processing, various other problems, as described below, result.
If an IP address used by each user is set as a fixed address, for example, an IP network system administrator has to manually manage the association between a user and an IP address to be used by the user. As a result, the workload of the administrator is increased. If a communication policy for a user is fixed, for example, the IP network system will lose flexibility and become inconvenient.
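The related-art arrangement described above can be modeled as follows. This is an added example, not part of the original document: it compiles a per-user policy and a MAC/IP association into IP-keyed router rules and computes the setting change each IP address change forces. All user names, MAC addresses and IP addresses are constructed sample values, and the default action of "deny" for unmatched addresses is an assumption.

```python
# Constructed sample data (hypothetical users; documentation-range addresses).
POLICY = {"alice": "permit", "bob": "deny"}          # communication policy per user
USER_MAC = {"alice": "00:00:5e:00:53:01",            # terminal used by each user
            "bob": "00:00:5e:00:53:02"}
MAC_IP = {"00:00:5e:00:53:01": "192.0.2.10",         # IP address used by each terminal
          "00:00:5e:00:53:02": "192.0.2.11"}


def compile_rules(policy, user_mac, mac_ip):
    """Return the set of (action, source_ip) settings the router must hold."""
    rules = set()
    for user, action in policy.items():
        ip = mac_ip.get(user_mac.get(user))
        if ip is not None:          # no known address: nothing to install
            rules.add((action, ip))
    return rules


def rule_delta(old, new):
    """Settings to delete from and add to the router to move from old to new."""
    return sorted(old - new), sorted(new - old)


def decide(rules, src_ip, default="deny"):
    """Action the router applies to a packet from src_ip (default is assumed)."""
    for action, ip in rules:
        if ip == src_ip:
            return action
    return default


def demo():
    installed = compile_rules(POLICY, USER_MAC, MAC_IP)
    # alice changes her IP address; bob is later given her old address.
    moved = {USER_MAC["alice"]: "192.0.2.20", USER_MAC["bob"]: "192.0.2.10"}
    current = compile_rules(POLICY, USER_MAC, moved)
    removed, added = rule_delta(installed, current)
    # If the router still holds the old settings, bob's traffic matches
    # alice's permit entry although his policy is deny.
    stale = decide(installed, "192.0.2.10")
    fresh = decide(current, "192.0.2.10")
    return removed, added, stale, fresh


if __name__ == "__main__":
    removed, added, stale, fresh = demo()
    print("delete:", removed)
    print("add:   ", added)
    print("old address with stale settings:", stale, "| after update:", fresh)
```

A single address change touches every entry derived from the affected addresses, and until the router is updated the old entries apply to whoever holds those addresses.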