The following describes terminology for trees, network management based on OSI management, managed object instances (MOI) and the naming tree, scope and filter, and an outline of the ITU-T recommendation on access control.
(Words on a tree)
Terms such as "parent" that are used for a tree are defined here.
A set of one or more top points is called a tree if the following conditions 1 and 2 are satisfied.
1. The set T has one specific top point, called the root.
2. The top points of T other than the root are partitioned into either the empty set or one or more trees T_1, ..., T_m that have no top point in common. These trees are called the directly partial trees (direct subtrees) of T.
A root of a tree that has no directly partial tree is called a leaf. A top point that is neither a root nor a leaf is called an inner point. FIG. 19 shows a tree T with nine top points, drawn as circles 0 to 8. In FIG. 19, top point 0 is the root. The tree T has two directly partial trees, T_1 and T_2: T_1 consists of the single top point 1, and T_2 consists of top points 2, 3, 4, 5, 6, 7 and 8. Because T_1 has no directly partial tree, the root 1 of T_1 is a leaf of T.
A top point contained in a directly partial tree of the tree whose root is the top point v is called a descendant of v, and the root of that directly partial tree is called a child of v. The point v is the parent of that child. In FIG. 19, the descendants of point 2 are points 3 to 8, the children of point 2 are points 3 to 5, and the parent of points 3 to 5 is point 2.
The length of the route from the root to a point is called the level of that point, and the maximum of these lengths is called the depth of the tree T. In FIG. 19, the route from the root to leaf 6, 7 or 8 is the longest, so the depth is 3.
Table 1 lists the type, parent, children, descendants and level of each top point of the tree T shown in FIG. 19.
TABLE 1
top point   type          parent   child       descendant   level
0           root          none     {1, 2}      {1 .. 8}     0
1           leaf          0        { }         { }          1
2           inner point   0        {3 .. 5}    {3 .. 8}     1
3           inner point   2        {6 .. 8}    {6 .. 8}     2
4           leaf          2        { }         { }          2
5           leaf          2        { }         { }          2
6           leaf          3        { }         { }          3
7           leaf          3        { }         { }          3
8           leaf          3        { }         { }          3
(Network management based on OSI management)
In a network management system based on Open Systems Interconnection (OSI), each abstractly described object of management is defined as an MO (Managed Object), and information about the MO is exchanged between a manager system and an agent system using CMIS (Common Management Information Service). See [ITU-T Rec. X.711, Common Management Information Protocol for ITU-T Applications, Mar. 1991] and [Hisao Ohkane, TCP/IP and OSI Network Management: SNMP and CMIP, Software Research Center, 1993]. Hereinafter the management system is called the manager and the agent system is called the agent.
FIG. 1 shows network management based on OSI management. In FIG. 1, the network management consists of a network management system and a managed apparatus. The network management system comprises a management console 11 and a manager 12. The managed apparatus comprises an agent 13 and an MIB (Management Information Base) 14. The MIB stores a group of MO such as the total number of packets transferred, the total number of packets received and the total number of received packets containing errors. Network management is achieved by exchanging management information about the MO over a network 15 between the manager 12 and the agent 13, using CMIP (Common Management Information Protocol).
For example, when the manager 12 issues a management operation 16 meaning "get the number of packets received so far", the agent 13 returns a response 17 such as "88 packets" from the content of the MIB 14.
(Managed object instance and name tree)
Among MO, a kind of MO sharing the same characteristics is called an MOC (Managed Object Class), and each instance belonging to a given MOC is called an MOI (Managed Object Instance). As an example of an MOC, a printer MOC 18 is shown in FIG. 2(A), and a printer MOI 19 belonging to the printer MOC 18 is shown in FIG. 2(B).
Regarding the naming tree, the logical naming tree in FIG. 3 consists of a plurality of MOI 20 shown as white circles. The group of MOI is managed as a tree structure and stored in the MIB. As an example of a naming tree, FIG. 3 shows the naming tree 22 of a telecommunication carrier 21 denoted [XXX].
(Scope and Filter)
In CMIS there are scope (the scope parameter) and filter (the filter parameter), by which one management operation can act on a plurality of MOI, reducing the amount of communication between the manager and the agent. Generally, scope and filter are set by an operator or an application program.
Scope is a parameter that designates a range of MOI in the naming tree to be operated on. When scope is used, a BOI (Base Object Instance) is designated as the starting point of the range. Table 2 shows the four kinds of scope defined by CMIS, namely BaseObject scope, BaseToNthLevel scope (N a non-negative integer), NthLevelOnly scope (N a non-negative integer) and WholeSubtree scope. FIG. 4 shows examples of scope; in FIG. 4 the BOI is the MOI 23 indicated by a black circle.
TABLE 2
scope            definition
BaseObject       The range is only the BOI.
BaseToNthLevel   The range is all MOI from the BOI down to the Nth level. The BOI itself is included.
NthLevelOnly     The range is only the MOI at the Nth level below the BOI.
WholeSubtree     The range is all MOI below the BOI. The BOI itself is included.
Namely,
1. As shown in FIG. 4(A), the object of a management operation with BaseObject scope is only BOI 23.
2. As shown in FIG. 4(B), the objects of a management operation with BaseToNthLevel scope are BOI 23 and all MOI from BOI 23 down to the Nth level (N=2 in FIG. 4(B)).
3. As shown in FIG. 4(C), the objects of a management operation with NthLevelOnly scope are only the MOI at the Nth level below BOI 23 (N=3 in FIG. 4(C)).
4. As shown in FIG. 4(D), the objects of a management operation with WholeSubtree scope are BOI 23 and all MOI below it.
Filter is a parameter that further narrows the objects of a management operation within the group of MOI selected by scope. A filter is a logical expression over MOI attributes, such as a comparison of an attribute value, equality of an attribute value, or the presence of an attribute itself. As an example of a filter using attributes of the printer MOI 19 in FIG. 2, there is the filter (connection interface = RS232C) and (number of sheets printed in the last hour > 50), where "and" is the logical product.
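The tree terms of Table 1, the four CMIS scopes and the filter above can be exercised on the tree of FIG. 19. The block below is an added example written for this page, not code from the patent or from any CMIS implementation: it takes the parent relation of Table 1 (points 0 to 8, root 0), computes type, children, descendants, level and depth, enumerates each scope relative to a BOI, and applies the page's printer filter. The attribute names `interface` and `sheets_last_hour` and the values attached to each point are constructed for the demonstration and are not on the page.

```python
"""Tree terms, CMIS scope enumeration and filtering on the tree of FIG. 19.

Added example, not code from the patent or any CMIS implementation.
The tree follows Table 1 (points 0..8, root 0).  The attribute values
attached to each point are constructed here to stand in for printer MOI
attributes; they are not on the page.
"""
from typing import Callable, Dict, List, Set

# Parent relation of tree T in FIG. 19 (child -> parent); the root 0 has no entry.
PARENT: Dict[int, int] = {1: 0, 2: 0, 3: 2, 4: 2, 5: 2, 6: 3, 7: 3, 8: 3}

# Constructed attribute values per MOI (not from the page), used by the filter.
ATTRS: Dict[int, Dict[str, object]] = {
    0: {"interface": "RS232C", "sheets_last_hour": 0},
    1: {"interface": "USB", "sheets_last_hour": 80},
    2: {"interface": "RS232C", "sheets_last_hour": 12},
    3: {"interface": "RS232C", "sheets_last_hour": 60},
    4: {"interface": "USB", "sheets_last_hour": 5},
    5: {"interface": "RS232C", "sheets_last_hour": 70},
    6: {"interface": "USB", "sheets_last_hour": 90},
    7: {"interface": "RS232C", "sheets_last_hour": 40},
    8: {"interface": "RS232C", "sheets_last_hour": 55},
}


def children(tree: Dict[int, int]) -> Dict[int, List[int]]:
    """Invert child->parent into parent->sorted children (roots of the directly partial trees)."""
    out: Dict[int, List[int]] = {}
    for child, parent in tree.items():
        out.setdefault(parent, []).append(child)
    return {p: sorted(c) for p, c in out.items()}


def level(tree: Dict[int, int], v: int) -> int:
    """Length of the route from the root to v (the root itself is level 0)."""
    n = 0
    while v in tree:
        v = tree[v]
        n += 1
    return n


def descendants(tree: Dict[int, int], v: int) -> Set[int]:
    """Every point in the directly partial trees below v, v itself excluded."""
    kids = children(tree)
    stack, seen = list(kids.get(v, [])), set()
    while stack:
        w = stack.pop()
        seen.add(w)
        stack.extend(kids.get(w, []))
    return seen


def point_type(tree: Dict[int, int], v: int) -> str:
    """'root', 'leaf' or 'inner point' as in Table 1."""
    if v not in tree:
        return "root"
    return "leaf" if v not in children(tree) else "inner point"


def depth(tree: Dict[int, int]) -> int:
    """Maximum level over all points of the tree."""
    return max(level(tree, v) for v in set(tree) | set(tree.values()))


def scope(tree: Dict[int, int], boi: int, kind: str, n: int = 0) -> Set[int]:
    """Enumerate the MOI that a CMIS scope selects relative to the BOI.

    Levels are counted from the BOI, so BaseToNthLevel with N=0 equals
    BaseObject and NthLevelOnly with N=0 is the BOI alone.
    """
    if n < 0:
        raise ValueError("N must be a non-negative integer")
    base = level(tree, boi)
    rel = {w: level(tree, w) - base for w in descendants(tree, boi)}
    if kind == "BaseObject":
        return {boi}
    if kind == "BaseToNthLevel":
        return {boi} | {w for w, d in rel.items() if d <= n}
    if kind == "NthLevelOnly":
        return {boi} if n == 0 else {w for w, d in rel.items() if d == n}
    if kind == "WholeSubtree":
        return {boi} | set(rel)
    raise ValueError(f"unknown scope {kind!r}")


def printer_filter(attrs: Dict[str, object]) -> bool:
    """The page's filter: (connection interface = RS232C) and (sheets in last hour > 50)."""
    return attrs.get("interface") == "RS232C" and attrs.get("sheets_last_hour", 0) > 50


def select(tree: Dict[int, int], boi: int, kind: str, n: int = 0,
           pred: Callable[[Dict[str, object]], bool] = lambda a: True) -> Set[int]:
    """Objects of one management operation: scope first, then filter within it."""
    return {v for v in scope(tree, boi, kind, n) if pred(ATTRS.get(v, {}))}


if __name__ == "__main__":
    for v in range(9):
        print(v, point_type(PARENT, v), PARENT.get(v, "none"),
              children(PARENT).get(v, []), sorted(descendants(PARENT, v)), level(PARENT, v))
    print("WholeSubtree at 2, filtered:", sorted(select(PARENT, 2, "WholeSubtree", pred=printer_filter)))
```

Running the block prints Table 1 row by row and then the filtered WholeSubtree at point 2. Note that scope and filter are applied in that order: the filter can only remove MOI from the set the scope enumerated, which is why an access-control decision has to be made on the enumerated set rather than on the scope parameters alone.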
(Abstract of access control based on ITU-T recommendation X.711)
For interconnection among telecommunication carriers, network management based on OSI management is opened to other parties, so security functions such as access control become very important. ITU-T recommendation X.711 describes an "initiators" MOC, a "targets" MOC and a "rule" MOC, together with a scheme for deciding denial or permission of access. See [ITU-T Rec. X.711, System Management: Objects and attributes for access control, Dec. 1995].
Namely,
1. The "initiators" MOC is an MOC that identifies an initiator (the origin from which a management operation is issued).
2. The "targets" MOC is an MOC that identifies the part of the MIB to be protected from, or opened to, a certain authority. An object to be protected or opened is called a target. A target is designated by scope and filter.
3. The "rule" MOC is an MOC that holds the five rules for deciding denial or permission of access, relating an "initiators" MOC to a "targets" MOC.
4. As shown in FIG. 5, there are five kinds of rule in the "rule" MOC: a global denial rule, which denies the management operation access to all objects; an item denial rule, which denies it access to some objects; a global permission rule, which permits it access to all objects; an item permission rule, which permits it access to some objects; and a default rule, which is applied when the preceding four rules cannot decide between denial and permission.
5. Denial or permission is decided by the process shown in FIG. 5. In step S1 it is judged whether an applicable global denial rule exists; if so, all access is denied. Otherwise, in step S2 it is judged whether an applicable item denial rule exists; if so, access is denied per access unit (the access unit is described below). Otherwise, in step S3 it is judged whether an applicable global permission rule exists; if so, all access is permitted. Otherwise, in step S4 it is judged whether an applicable item permission rule exists; if so, access is permitted per access unit. Otherwise, in step S5 permission or denial is decided by the default rule. The default rule is generally set to deny access.
As access units there are the management operation (a coarse access unit), an MOI that is an object of the management operation (a medium access unit) and an attribute of an MOI that is an object of the management operation (a fine access unit). Whichever access unit is used, an algorithm is needed to decide between denial and permission: one that determines whether the objects of the management operation intersect the protect object, or whether the objects of the management operation are included within the open object.
However, no such algorithm is prescribed by ITU-T recommendation X.711 at all.
Prior art.
(Access control using the management operation as the access unit)
Access control using the management operation as the access unit is reported in [Ohno, Yoda, Fujii; Access Control Method in Telecommunication Network, CS94(39):19-24, Jun. 1994].
This prior art is described with reference to FIG. 6 and Table 3. The naming tree T shown in FIG. 6 consists of MOI labelled A to N. Corresponding to the naming tree T, an "initiators" MOC, a "targets" MOC and a "rule" MOC are defined as shown in Table 3. When designating an individual MOI, the notation MOI_A, MOI_B, MOI_C, ..., MOI_N is used.
TABLE 3
MOC          MOI
initiators   X
initiators   Y
targets      MOI_C, MOI_F, MOI_G, MOI_J : targets 1
targets      MOI_D, MOI_F, MOI_G : targets 2
rule         X cannot access targets 1. (item denial rule : rule 1)
rule         Y can access targets 2. (item permission rule : rule 2)
rule         All management operations are denied. (default rule : rule 3)
In Table 3, initiators X and initiators Y are defined as MOI belonging to the "initiators" MOC: initiators X is the MOI indicating origin X of issue of management operations, and initiators Y is the MOI indicating origin Y. Further, targets 1 and targets 2 are defined as MOI belonging to the "targets" MOC: targets 1 is the MOI whose protect object and open object are MOI_C, MOI_F, MOI_G and MOI_J, and targets 2 is the MOI whose protect object and open object are MOI_D, MOI_F and MOI_G. Rule 1, rule 2 and rule 3 are defined as MOI belonging to the "rule" MOC: rule 1 is an item denial rule that denies management operations from origin X on targets 1, rule 2 is an item permission rule that permits management operations from origin Y on targets 2, and rule 3 is a default rule that denies any management operation from any origin.
(Decision of access denial in FIG. 6 and table 3: process of item denial rule)
For example, if a management operation with WholeSubtree scope whose BOI is MOI_J is issued from initiator X, item denial rule 1 applies according to Table 3. As shown in FIG. 7, because MOI_J among the objects of the management operation 24 is included in the protect object 25, the management operation is denied.
Therefore, when the management operation is the access unit, if any part of the objects of the management operation intersects the protect object, the whole management operation is denied.
(Decision of access permission in FIG. 6 and table 3: process of item permission rule)
For example, if a management operation with NthLevelOnly scope for N=2 ("2ndLevelOnly scope") whose BOI is MOI_A is issued from initiator Y, item permission rule 2 applies according to Table 3. As shown in FIG. 8, because MOI_E among the objects of the management operation 26 is not included in the open object 27, the management operation is not permitted.
Therefore, when the management operation is the access unit, unless all objects of the management operation are included in the open object, the management operation is not permitted.
As mentioned above, in the prior-art access control using the management operation as the access unit, if any object of the management operation intersects the protect object, access to every MOI of the operation is denied, including MOI whose access should not have been denied.
Further, in the prior-art access control using the management operation as the access unit, if any object of the management operation lies outside the open object, access to every MOI of the operation is denied, including MOI whose access is permitted.
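The decision chain S1 to S5 of FIG. 5 and the two prior-art cases of FIG. 7 and FIG. 8 can be run side by side to see exactly which MOI the coarse access unit loses. The block below is an added example written for this page, not the patent's own method and not the cited prior-art implementation: it encodes the initiators, targets and rules of Table 3 as data, evaluates the five-rule chain once for a whole management operation (the prior-art access unit) and once per MOI (the access unit the invention proposes), and compares the outcomes. FIG. 6 is not reproduced on the page, so the object sets of operations 24 and 26 are assumed: {J, K, L} for WholeSubtree at MOI_J and {D, E, F, G} for the second level below MOI_A. The rule list `RULES_PERMISSIVE_DEFAULT` is a constructed variant of Table 3 with a permissive default rule, added only to show the denial-side problem with a default rule that does not mask it.

```python
"""Denial/permission decision of FIG. 5 with the operation or the MOI as access unit.

Added example; not the patent's own code.  Initiators, targets and rules
follow Table 3.  FIG. 6 is not on the page, so the object sets of the two
operations in __main__ are assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Rule kinds in the order the chain S1..S5 checks them.
KINDS = ("global_deny", "item_deny", "global_permit", "item_permit", "default")


@dataclass(frozen=True)
class Rule:
    kind: str                               # one of KINDS
    initiator: Optional[str]                # None: applies to every initiator
    targets: FrozenSet[str] = frozenset()   # protect object (deny) or open object (permit)
    permit: bool = False                    # outcome of a default rule


TARGETS_1 = frozenset({"C", "F", "G", "J"})   # targets 1 of Table 3
TARGETS_2 = frozenset({"D", "F", "G"})        # targets 2 of Table 3

RULES: List[Rule] = [
    Rule("item_deny", "X", TARGETS_1),        # rule 1: X cannot access targets 1
    Rule("item_permit", "Y", TARGETS_2),      # rule 2: Y can access targets 2
    Rule("default", None, permit=False),      # rule 3: everything else is denied
]

# Constructed variant (not on the page): the same item rules with a permissive
# default, so that MOI the operation-level unit wrongly denies become visible.
RULES_PERMISSIVE_DEFAULT: List[Rule] = RULES[:2] + [Rule("default", None, permit=True)]


def decide_unit(rules: List[Rule], initiator: str, objects: FrozenSet[str]) -> bool:
    """Steps S1..S5 for one access unit whose objects are `objects`.

    An item denial rule applies when its protect object intersects the unit's
    objects; an item permission rule applies when the unit's objects all lie
    inside its open object.  Global rules apply regardless of the objects.
    """
    for kind in KINDS:
        for r in rules:
            if r.kind != kind or r.initiator not in (None, initiator):
                continue
            if kind == "global_deny":
                return False
            if kind == "item_deny" and objects & r.targets:
                return False
            if kind == "global_permit":
                return True
            if kind == "item_permit" and objects <= r.targets:
                return True
            if kind == "default":
                return r.permit
    return False  # no default rule configured: fail closed


def decide_operation(rules: List[Rule], initiator: str, objects: Iterable[str]) -> bool:
    """Prior art: the whole management operation is one access unit."""
    return decide_unit(rules, initiator, frozenset(objects))


def decide_per_moi(rules: List[Rule], initiator: str, objects: Iterable[str]) -> Dict[str, bool]:
    """MOI as access unit: every MOI of the operation is decided on its own."""
    return {m: decide_unit(rules, initiator, frozenset({m})) for m in sorted(objects)}


if __name__ == "__main__":
    op24 = {"J", "K", "L"}          # assumed objects of operation 24 (WholeSubtree at MOI_J)
    op26 = {"D", "E", "F", "G"}     # assumed objects of operation 26 (2nd level below MOI_A)
    print("X, op24, operation unit:", decide_operation(RULES, "X", op24))
    print("X, op24, MOI unit (permissive default):",
          decide_per_moi(RULES_PERMISSIVE_DEFAULT, "X", op24))
    print("Y, op26, operation unit:", decide_operation(RULES, "Y", op26))
    print("Y, op26, MOI unit:", decide_per_moi(RULES, "Y", op26))
```

With Table 3 as given, operation 26 from Y is refused as a whole because E is outside targets 2, while the per-MOI decision permits D, F and G and refuses only E. The intersection test for denial and the inclusion test for permission are the two checks the page says X.711 leaves unspecified; the order of the chain matters, since a global denial rule short-circuits everything and an item denial rule is consulted before any permission rule.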
These problems do not occur in an access control using the MOI as an access unit.
Accordingly, an object of the present invention is to provide a new access control using the MOI as an access unit.
Another object of the present invention is to provide a method for exchanging the identification name, a method for scope enumeration, a method for target enumeration and a method for detecting an intersection.