(1) Field of the Invention
The present invention relates to a user terminal connection control method and apparatus for carrying out control of connecting user terminals to the Internet. More particularly, the invention relates to a packet forwarding apparatus for controlling the connection of a user terminal to an IP network after establishing a session with the user terminal in accordance with a Point to Point Protocol (PPP), and an authentication server for restricting user terminal access to the Internet.
(2) Description of Prior Art
When connecting a user terminal to the Internet via an Internet Service Provider (ISP) network managed by an Internet Connection Service Provider, an Internet Protocol (IP) address required for communication on the Internet is delivered from the ISP. In the network configuration including such an ISP network for Internet connection, an access network lies between user terminals and the ISP network.
In the access network, an access server for controlling connection/disconnection of each user terminal to the Internet or a packet forwarding apparatus called a Broadband Access Server (BAS) is located. In most cases, each user terminal is connected to the BAS by PPP over Ethernet (PPPoE), which is a technique for PPP-based connection on Ethernet. In standard Internet connection services, one IP address is delivered to every user. In this case, each user is allowed to connect only one terminal to the Internet at a time.
To enable a user to connect multiple terminals to the Internet using the one IP address delivered to the user, the multiple terminals must share that IP address through an address translation technique such as Network Address Translation (NAT) or IP Masquerade, using a device such as a broadband router. However, when NAT or IP Masquerade is applied, a specific communication procedure may be required or the types of usable applications may be restricted. Some ISPs offer an additional service that delivers multiple IP addresses to one user so that the user can connect multiple terminals to the Internet at the same time.
Since an access network is generally built as an Ethernet network which is a broadcast type network, it is relatively easy to attach user terminals to the network. Therefore, the ISP usually limits the number of connections to the Internet for each user in order to prevent unauthorized user access and to make effective use of network resources such as IP addresses and communication bandwidths.
Limiting the number of connections for each user in a PPPoE-based Internet connection environment is traditionally performed within the access network, in particular at a Layer 2 (L2) switch located between the user terminals and the BAS. The L2 switch can limit the number of terminal connections per user by referring to the Media Access Control (MAC) address of each communication packet, as described, for example, in Japanese Unexamined Patent Publication No. 2000-112852 (patent document 1).
The L2 switch described in patent document 1 registers, for every packet it receives, entry information indicating the correspondence between the packet's source MAC address and the receiving port into a MAC address table, and determines the forwarding destination port for each subsequently received packet by referring to this table. According to patent document 1, the L2 switch limits the number of user terminals that can connect to the Internet at the same time in two ways: it deletes from the MAC address table any entry for which no new packet carrying the registered MAC address has been received within a pre-specified aging time, and it limits the number of entries (MAC addresses) that may be registered in the table for each port.
More specifically, the L2 switch limits the number of connections (MAC addresses) that can communicate at the same time on each port as follows. Once the number of entries registered in the MAC address table for a specific port has reached a predetermined upper limit, the switch stops registering new entries (the learning function) for packets carrying a new MAC address that subsequently arrive through that port, and discards every subsequent incoming packet whose MAC address is unlearned, that is, has no entry in the MAC address table.
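The per-port learning limit and aging behaviour described above, as an added simulation that is not code from patent document 1 or from the present invention; the port numbers, MAC strings, limit and timings are constructed sample values, and refreshing an already-learned MAC's port on arrival is an assumption of this example.

```python
from dataclasses import dataclass, field


@dataclass
class L2Switch:
    """MAC learning table with a per-port entry limit and aging (simulation)."""
    max_entries_per_port: int   # upper limit of learned MACs per port
    aging_time: float           # seconds without traffic before an entry is dropped
    table: dict = field(default_factory=dict)  # src MAC -> (port, last_seen)

    def _age_out(self, now):
        # Delete entries whose MAC sent nothing within the aging time.
        expired = [m for m, (_, t) in self.table.items() if now - t > self.aging_time]
        for mac in expired:
            del self.table[mac]

    def _entries_on(self, port):
        return sum(1 for p, _ in self.table.values() if p == port)

    def receive(self, src_mac, in_port, now):
        """Return True if the packet is forwarded, False if it is discarded."""
        self._age_out(now)
        if src_mac in self.table:
            # Known MAC: refresh its timestamp (assumption: port is updated too).
            self.table[src_mac] = (in_port, now)
            return True
        if self._entries_on(in_port) >= self.max_entries_per_port:
            # Port is full: learning stops and the unlearned MAC is discarded.
            return False
        self.table[src_mac] = (in_port, now)   # learning function
        return True

    def lookup(self, dst_mac):
        """Forwarding port for a destination MAC, or None if it must be flooded."""
        entry = self.table.get(dst_mac)
        return entry[0] if entry else None


def simulate():
    # Constructed scenario: port 1 may learn at most 2 MACs; aging time 300 s.
    sw = L2Switch(max_entries_per_port=2, aging_time=300)
    events = [("aa:aa", 1, 0), ("bb:bb", 1, 1), ("cc:cc", 1, 2),    # cc:cc discarded
              ("dd:dd", 2, 3), ("aa:aa", 1, 100), ("cc:cc", 1, 450)]  # all aged out, cc learned
    decisions = [sw.receive(mac, port, t) for mac, port, t in events]
    return decisions, sw.lookup("cc:cc")
```

The third frame on port 1 is discarded because the port's limit is already reached, and the same MAC is admitted only after the earlier entries age out; this is the delay a newly attached terminal faces under this scheme.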
As another prior art technique for limiting the number of connected terminals, Japanese Unexamined Patent Publication No. 2003-16031 (patent document 2), for example, proposes a connection control scheme that limits the number of clients simultaneously connectable to a server in a client-server system using the TCP/IP protocol. In the scheme described in patent document 2, the server to which clients connect holds a priority table indicating the relation between the IP address of each client and its connection priority level. When a connection request arrives from a new client while the number of clients connected to the server has already reached the upper limit, the server compares the connection priority level of the requesting client with the lowest priority level among the clients already connected, using the priority table. If the requesting client's connection priority level is higher, the server disconnects the session of one of the clients having the lowest priority level and accepts the new connection request. Otherwise, the server rejects the new connection request.
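The priority-based admission decision described above, as an added simulation that is not code from patent document 2; the IP addresses, priority levels and client limit are constructed sample values, and treating a client absent from the priority table as lowest priority is an assumption of this example.

```python
class PriorityAdmission:
    """Server-side connection limit with priority-based eviction (simulation)."""

    def __init__(self, max_clients, priority_table):
        self.max_clients = max_clients
        self.priority = priority_table     # client IP -> priority level (higher wins)
        self.connected = set()

    def _level(self, ip):
        # Assumption: a client not listed in the table gets the lowest level.
        return self.priority.get(ip, 0)

    def request(self, ip):
        """Return ("accepted", None), ("accepted", evicted_ip) or ("rejected", None)."""
        if len(self.connected) < self.max_clients:
            self.connected.add(ip)
            return ("accepted", None)
        # At the upper limit: compare the requester with the lowest-priority session.
        lowest = min(self.connected, key=self._level)
        if self._level(ip) > self._level(lowest):
            # Forcibly disconnect the lowest-priority session to admit the requester.
            self.connected.remove(lowest)
            self.connected.add(ip)
            return ("accepted", lowest)
        return ("rejected", None)          # equal or lower priority is refused


def simulate():
    # Constructed scenario: two connections allowed, four clients with set priorities.
    table = {"10.0.0.1": 1, "10.0.0.2": 2, "10.0.0.3": 3, "10.0.0.4": 2}
    srv = PriorityAdmission(max_clients=2, priority_table=table)
    return [srv.request(ip) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4")]
```

The third request evicts the level-1 session, while the fourth, with a priority equal to the lowest remaining one, is rejected.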
However, when the number of connections is limited based on the MAC address, the L2 switch regards multiple PPP sessions from the same user terminal as one connection, so the number of PPP sessions cannot be limited. Further, this control scheme cannot limit a terminal that a roaming user connects to the Internet via another L2 switch. In the control scheme of patent document 1, which deletes a registered MAC address according to the aging time, a user terminal requesting an urgent connection cannot obtain immediate access to the Internet while the MAC address table has no space for new entries.
On the other hand, in the control scheme of patent document 2, in which connection priority levels are assigned to all IP addresses and the active session with the lowest priority is deleted when a new connection request occurs while the number of connections has already reached the upper limit, two problems arise: time is required to decide priority between the new connection request and the existing connections, and steady communication services cannot be provided to users because lowest-priority sessions are often forcibly disconnected.