Method and system for filtering multimedia traffic based on IP address binding
Cross-reference to related application
This application claims priority to U.S. Provisional Patent Application Serial No. 60/524,640, filed November 25, 2003, the contents of which are hereby incorporated by reference.
Technical field
The present invention relates to the filtering of dynamic traffic flows. More specifically, it relates to a filter node, to an anchor point used together with such a filter node, to methods for configuring such an anchor point, and to corresponding methods for transmitting data.
Background art
Communication networks have recently become very widespread, and many users use them every day. Among such communication networks, so-called packet-switched communication networks attract more and more attention. A packet-switched network transmits and receives data in units of packets. A packet consists of a header part and a payload part: the header carries control information such as (inter alia) the address information (source/destination) of the packet, and the payload carries the actual data, such as voice.
Various protocols exist for such packet-switched communication. For the purposes of the present invention, however, IPv4 and/or IPv6 (different versions of the well-known Internet Protocol, IP) are described as examples of such protocols. Nevertheless, other packet-switched protocols can also be used with the present invention. Likewise, non-packet-switched protocols can be used with the present invention, as long as an address can be used to identify source and destination.
A communication network usually forms part of a communication network system in which the networks of numerous operators cooperate with one another. Likewise, each network is made up of numerous so-called network domains; the network itself is run by a network operator, but the domains may be controlled by separate third parties (different from the network operator), run on different protocols, have different address space definitions, and so on. Therefore, for the purposes of the present invention, no distinction is made between different networks or different domains when referring to a communication network; rather, the term communication network is intended to cover all possible alternatives of the network structures outlined above. Conversely, a communication network may be regarded as a communication network system.
For such communication networks or network systems, security issues are becoming more and more important.
Usually, a communication is set up and carried out between two terminals. The terminal that initiates the communication is called the first terminal or user equipment (UE), and the terminal that is the destination of the communication is called the communication node CN or second terminal. Of course, in bidirectional communication the communication node CN also acts as a user equipment UE when responding to the initiating terminal. Technically, the two terminals need not differ in any way; nonetheless, from a technical standpoint the terminals may be different. As long as the terminals are adapted to communicate through the intermediate communication network, any difference is immaterial.
When two terminals have set up or are setting up a communication, the communication is identified by the source address and the destination address of the terminals. Also, because such a communication may comprise different contents or types of traffic to be exchanged between the terminals, such as real-time and non-real-time traffic, the respective traffic types are associated with respective ports. A port, or port number, thus represents a refinement of the address information used in such a communication.
However, an attacker might use an unused address, or even an unused port number, to set up a deceptive or malicious communication arriving at a user terminal, a communication that the user in fact does not want.
Therefore, security issues in communication networks are becoming increasingly important. So-called firewalls (FW) play an important role in ensuring the security of a communication network. A firewall can thus be regarded as a filter node in the communication network: it filters unauthorized traffic and prevents such traffic from reaching terminals that have not approved receiving it.
The present invention relates specifically to such security issues and to filter nodes or firewalls. More specifically, it relates to the dynamic configuration of pinholes in a firewall and to the support of real-time services in communications. The term "pinhole" as used in the present invention denotes a temporarily valid permission for specific traffic to reach a specific terminal, the permission being granted or refused by the firewall. Opening a pinhole thus means granting the permission, and closing a pinhole means refusing it.
In many communication network architectures there is a need to dynamically open and close pinholes in a firewall. For example, a communication set up with SIP (Session Initiation Protocol) requires pinholes to be created dynamically in the firewall for the media streams (that is, UDP/RTP (User Datagram Protocol / Real-time Transport Protocol) for real-time services, and TCP (Transmission Control Protocol) for instant messaging) and packets that need to be exchanged between the communicating nodes (initiating terminal and communication node terminal). When the communication terminates, these pinholes should be removed (that is, closed) to avoid possible attacks.
Next, the architecture that 3GPP (3rd Generation Partnership Project) has introduced and adopted to enable IPv6 and IPv4 domains to interwork is briefly described with reference to Fig. 1, in particular its network entities and interfaces. As will be seen, the present invention described in the following does not introduce new entities but reuses the existing communication network architecture, and reuses the framework adopted above in a completely new way.
Recently, 3GPP has adopted the architecture shown in Fig. 1 for interworking between IPv6 and IPv4 domains. This description is given only as an example, however; the present invention is not limited to IPv4/IPv6 domains but is intended to cover all situations within a single-domain network as well. The functionality of the entities and interfaces introduced is likewise only briefly outlined.
The following sections explain the completely new way in which the present invention reuses the existing infrastructure to solve the firewall traversal problem.
Now, as can be drawn from Fig. 1:
The current interworking architecture relies on a translation gateway (TrGW). The TrGW is a gateway that changes the IP header when needed; in general terms, it converts or translates the address information contained in the packets to be transmitted.
The current interworking architecture also relies on an IMS (IP Multimedia Subsystem) ALG (Application Level Gateway). The function of the IMS ALG is to provide the necessary application functions for the SIP/SDP (Session Initiation Protocol / Session Description Protocol) stack so that communication between IPv6 and IPv4 SIP applications can be set up.
The IMS ALG receives incoming SIP messages from a CSCF node (of the defined CSCFs: the S-CSCF, serving CSCF, and the I-CSCF, interrogating CSCF) or from an IPv4 SIP network domain (a CSCF such as a P-CSCF (proxy), S-CSCF or I-CSCF is also referred to as a SIP server in this application). This domain may be an external domain or an internal domain of the communication network. The IMS ALG then changes the appropriate SIP/SDP parameters, translating IPv6 addresses into IPv4 addresses or vice versa. Note that for the present invention the protocols IPv4/IPv6 are only an example; other protocol developments are conceivable.
The IMS ALG modifies the SIP message body and the headers that contain this IP address. When a session is initiated, the IMS ALG requests NA(P)T-PT (Network Address (and Port) Translation - Protocol Translation) to provide a binding between the different IP addresses (IPv6 to IPv4 or vice versa), and releases the binding when the session is released. NA(P)T-PT is therefore a stateful translation that maintains an IPv6/IPv4 mapping table.
At the same time, the Ix interface between the TrGW and the IMS ALG is introduced and adopted. This interface allows:
when a session is initiated, the IMS ALG requests NA(P)T-PT to provide a binding between the different IP addresses (IPv6 to IPv4 or vice versa), and the TrGW provides the binding to the IMS ALG, and
when the session is released, the IMS ALG releases the binding.
Fig. 1 further depicts an IPv6-based user equipment UE that communicates with an IPv4-based communication node CN (not shown). A proxy CSCF (P-CSCF) is also shown; when a communication or session is initiated, it receives the "first hop" signaling from the user equipment UE. The I-CSCF and S-CSCF can be regarded as a so-called call processing server CPS, which represents one example of a call management node. In addition, a domain name server (DNS) and a home subscriber server HSS form part of the architecture. The entities described above are mainly concerned with signaling and call management, represented by the dotted lines denoting signaling traffic; the payload data, denoted "bearer" and represented by the thick line in Fig. 1, is transmitted via the IP-CAN (IP Connectivity Access Network) and the translation gateway TrGW from the user equipment UE to the communication partner, that is, the communication node (not shown).
Since those skilled in the art are familiar with this general architecture and the various functions of its entities/nodes, a detailed description is omitted here.
A firewall filters IP packets on the basis of filtering rules; the filtering rules usually consider source and destination IP addresses, protocol type and/or port numbers. To avoid attacks, the firewall is configured with filtering rules. Such rules include static rules (for example blocking TCP flooding or a specific protocol) and dynamic rules (pinholes). Some applications require dynamic pinhole configuration in the firewall. For example, SIP communication requires pinholes to be dynamically created/deleted (that is, opened/closed) in the firewall so that the media streams pass through the firewall while attacks (UDP flooding, etc.) are blocked. In general, UDP (User Datagram Protocol) based applications require pinholes to be dynamically opened/closed when a communication starts/stops. Note that SIP is described only as an example; other protocols, such as WAP (Wireless Application Protocol), can also be used with the present invention.
So far, several solutions for dynamic pinhole control in firewalls have been proposed; they are briefly introduced below:
1. Using dummy UDP packets:
According to this method, the user equipment UE sends a dummy UDP packet and the firewall FW opens a pinhole on the basis of this packet. However, the firewall FW cannot determine when to close the pinhole (since UDP communication lacks the session setup/teardown that TCP has). Alternatively, the user equipment UE can send a dummy UDP packet to create the pinhole in the firewall FW and keep it open by periodically sending such dummy UDP packets. This method has two major problems, however: (1) the user equipment UE does not know the timer of the state created in the firewall FW, and (2) it may cause a large number of bytes to be sent over the radio link, thus wasting resources.
2. Using a firewall FW that is aware of, for example, SIP:
A SIP-aware FW parses the SIP signaling and opens/closes pinholes when needed. This requires, however, that the SIP signaling be visible to the firewall, and when SIP compression is used (for example in 3GPP and 3GPP2 IMS) the firewall FW may be unable to decompress it. Furthermore, this solution places too much control in the firewall FW, and the network operator loses control at least in part (it is usually preferable to keep control of one's own products and/or network). Finally, this solution cannot be used when IPsec (Internet Protocol (IP) security) or TLS (Transport Layer Security) encryption is used to protect SIP.
3. Using an interface between the firewall FW and an application server (for example, the SIP server in IMS):
Although such interfaces are being defined (for example MIDCOM in the IETF (MIDCOM: middlebox communications, as defined by the IETF, the Internet Engineering Task Force)), they are still in an early stage of standardization, their standardization takes time, and their availability in products is far off; yet each system (such as IMS) needs to be deployed before the firewall FW supports such an interface. Moreover, although this solution allows control within a manufacturer's own products (such as the SIP server), its deployment is not totally independent of other companies' products.
4. Using a signaling protocol from the terminal UE to the FW to configure the FW:
The TIST protocol (Topology Insensitive Service Traversal), the CASP protocol (Cross-Application Signaling Protocol) and other documents propose signaling protocols for opening and closing the required pinholes in the network's firewalls from the terminal. These methods are still drafts, however, and standardizing such a solution would also take a long time.
Summary of the invention
The object of the invention is therefore to provide an alternative solution to the problems related to dynamic pinholes, a solution that can be deployed quickly and without the drawbacks of the proposals outlined above.
According to the present invention, this object is achieved, for example, by the following method:
A method for configuring an anchor point of a communication network, the method comprising the steps of: requesting, by a first terminal via a call management node of the communication network, the initiation of a communication session; upon request of the call management node, first establishing a binding for the first terminal at the anchor point; forwarding the initiation request from the call management node to a second terminal according to the established binding; the second terminal confirming the request to the call management node; and, upon request of the call management node, secondly establishing a binding for the second terminal at the anchor point.
According to advantageous further developments of this method,
- the step of requesting initiation comprises indicating to the call management node at least the addresses of the terminals involved in the communication session;
- the indicating step further comprises notifying the port number of the communication session of the first terminal;
- the step of establishing a binding comprises associating an alias with each respective terminal;
- the step of establishing a binding further comprises storing the associated alias of each terminal at the anchor point;
- the confirming step further comprises notifying the port number of the communication session of the second terminal;
- the method further comprises notifying the first terminal of the session initiation by using the binding of the second terminal;
- the method further comprises: requesting, by the first terminal via the call management node of the communication network, termination of the communication session; forwarding the termination request from the call management node to the second terminal based on the established bindings; the second terminal confirming the request to the call management node; upon request of the call management node, first releasing the binding for the first terminal at the anchor point; and, upon request of the call management node, secondly releasing the binding for the second terminal at the anchor point;
- the releasing step comprises deleting the associated alias of each terminal at the anchor point.
Likewise, according to the present invention, this object is achieved, for example, by the following method:
A method for transmitting data in a communication session established between a first and a second terminal in a communication network, the method comprising the steps of: transmitting the data to be transmitted from the first terminal to an anchor point, the anchor point being configured with a table storing the respective bindings of the terminals; relaying the data to be transmitted from the anchor point to a filter node of the network by using the configured bindings of the terminals; and filtering the data to be transmitted at the filter node based on the bindings of the terminals.
According to advantageous further developments of this method,
- the filtering step further comprises letting the data to be transmitted reach the second terminal via the filter node based on the binding, if this binding is present among the configured bindings;
- the filtering step further comprises preventing the data from reaching the second terminal through the filter node based on the binding, if this binding is not present among the configured bindings;
- the relaying step comprises performing address translation based on the configured bindings.
Likewise, according to the present invention, this object is achieved, for example, by the following anchor point:
An anchor point in a communication network, the anchor point comprising: a receiver that first receives, from a call management node, a binding request for establishing a binding for a first terminal that has requested initiation of a communication session; and a processor that, in response to the received binding request, first establishes the binding of the first terminal and returns the binding to the call management node; wherein the receiver secondly receives, from the call management node, a binding request for establishing a binding for a second terminal involved in the communication session, and the processor, upon request of the call management node, secondly establishes the binding of the second terminal.
According to advantageous further developments of this anchor point,
- the processor comprises an allocation device that associates an alias with each respective terminal when establishing the binding;
- the anchor point comprises a memory for storing the associated alias of each terminal.
Likewise, according to the present invention, this object is achieved, for example, by the following anchor point:
An anchor point in a communication network, the anchor point comprising: a receiver for receiving data to be transmitted from a first terminal to a second terminal; a memory for storing a table of the respective configured bindings of the terminals; and a processor that relays the data to be transmitted to a filter node of the network by using the configured bindings of the terminals.
According to advantageous further developments of this anchor point,
- the processor comprises an address translator that performs address translation based on the configured bindings.
Likewise, according to the present invention, this object is achieved, for example, by the following filter node:
A filter node in a communication network, the filter node comprising: a receiver for receiving, from an anchor point, data to be transmitted from a first terminal to a second terminal, the anchor point maintaining the bindings of the terminals; a processor for analyzing the bindings of the terminals; and a filter that filters the data depending on the result of the analysis.
According to advantageous further developments of this filter node,
- the filter forwards the data to be transmitted to the second terminal based on the binding, if this binding is present among the bindings configured at the anchor point;
- the filter prevents the data from being forwarded to the second terminal based on the binding, if this binding is not present among the bindings configured at the anchor point.
Therefore, as can be seen from the above, in situations where dynamic pinholes usually need to be created to ensure an adequate level of security (for example for the UDP streams of a SIP communication), the present invention defines a method that allows IP communication to pass securely through the firewall. The invention is based on the idea of creating a secure and authorized communication anchor point, so that all communication passes through the anchor point before the firewall performs packet filtering.
Thus, by implementing the present invention, at least the following advantages can be obtained:
1. The invention does not need a special FW configuration interface (from the terminal to the firewall), nor does it need an ALG in the FW;
2. The invention can securely support SIP-established communication (it can protect the user from common IP threats such as the well-known "TCP SYN flood", "Teardrop", etc.);
3. The invention does not require standardization, so its deployment is faster than that of solutions that require standardization;
4. When this solution is adopted, the invention does not require extensive modification of current CPS (S-CSCF/I-CSCF) implementations, nor extensive modification of SIP proxy server implementations;
5. The invention does not require any modification/upgrade of the current infrastructure (terminals, IMS (IP Multimedia Subsystem), etc.);
6. A further advantage of the invention is that it does not depend on any external party or on any standardization forum, and can therefore be developed entirely by a single manufacturer.
As a consequence of the invention, all data traffic must pass through the anchor point, an anchor point such as the translation gateway TrGW; this is not a problem, however, since all data must pass through the firewall anyway. (Alternatively, the TrGW may be configured physically adjacent to the firewall, or inside the firewall, or vice versa.)
Therefore, as summarized above, in situations where dynamic pinholes need to be created to ensure an adequate level of security (for example for the UDP streams of a SIP communication), the present invention defines a method that allows, for example, IP-based communication to pass through the firewall. The invention is based on the idea of creating a secure and authorized communication anchor point, so that packet filtering at the firewall is performed only after all communication has passed through the anchor point. The invention introduces no new entities but reuses the existing framework. It relies on the TrGW (translation gateway) and on the interface between the CPS (or SIP proxy) and the TrGW; the function of the TrGW is to translate the IP addresses in the IP header according to a stored IP mapping table.
This interface allows the following: when a session is initiated, the CPS requests the TrGW to provide a binding between IP addresses and the TrGW provides the binding to the CPS; when the session is released, the CPS releases the binding. The FW should be a stateful firewall that, on its external interface, accepts only incoming packets whose IP address belongs to the address pool of the TrGW. The TrGW will therefore discard all incoming packets that do not correspond to an existing call or session (blocking all attack attempts), while valid packets pass through the FW, which can verify that a packet is not a malformed message or another attack (such as a TCP SYN flood, etc.).
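The data path just described (anchor point first, then the stateful filter node), as an added Python model that is not the patent's own code: the TrGW relays only packets that match a binding in its mapping table, and the FW accepts on its external interface only sources from the TrGW address pool, with a simple half-open TCP guard standing in for the "TCP SYN flood" check. All addresses, ports and pool values are constructed placeholders, and the binding table is pre-populated as the CPS would have configured it at session setup.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields the filtering rules on this page look at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "UDP"
    flags: frozenset = frozenset()     # TCP flags such as {"SYN"}


class AnchorPoint:
    """TrGW data plane: mapping table (InitIP, port) <-> (CorrIP, port), filled by the CPS at setup."""

    def __init__(self, pool, bindings):
        self.pool = frozenset(pool)          # alias addresses the TrGW may hand out
        self.table = {}
        for real, alias in bindings:
            if alias[0] not in self.pool:
                raise ValueError("alias must come from the TrGW address pool")
            self.table[real] = alias         # real -> alias: rewrites a source
            self.table[alias] = real         # alias -> real: rewrites a destination

    def relay(self, pkt):
        """Return the translated packet, or None when no session binding matches."""
        new_src = self.table.get((pkt.src_ip, pkt.src_port))
        new_dst = self.table.get((pkt.dst_ip, pkt.dst_port))
        if new_src is None or new_dst is None:
            return None                      # not part of any call/session: discard
        return Packet(new_src[0], new_src[1], new_dst[0], new_dst[1],
                      pkt.proto, pkt.flags)


class FilterNode:
    """Stateful FW whose external interface trusts only the TrGW address pool."""

    def __init__(self, trgw_pool, max_half_open=2):
        self.trgw_pool = frozenset(trgw_pool)
        self.max_half_open = max_half_open
        self.flows = set()                   # 5-tuples already admitted
        self.half_open = defaultdict(int)    # TCP SYNs per source (completion not modelled)

    def filter(self, pkt):
        """Return 'ACCEPT' or a 'DROP: <reason>' verdict for one packet."""
        if pkt.src_ip not in self.trgw_pool:
            return "DROP: source not in TrGW address pool"
        if not (0 < pkt.src_port < 65536 and 0 < pkt.dst_port < 65536):
            return "DROP: malformed header"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key in self.flows:
            return "ACCEPT"
        if pkt.proto == "TCP":
            if "SYN" not in pkt.flags or "ACK" in pkt.flags:
                return "DROP: no state for this TCP segment"
            if self.half_open[pkt.src_ip] >= self.max_half_open:
                return "DROP: SYN flood guard"
            self.half_open[pkt.src_ip] += 1
        self.flows.add(key)
        return "ACCEPT"


def deliver(trgw, fw, pkt):
    """Path of one packet: through the anchor point first, then the filter node."""
    relayed = trgw.relay(pkt)
    if relayed is None:
        return "DROP at TrGW: no binding", None
    return fw.filter(relayed), relayed


# Constructed sample topology; the addresses are placeholders, not from the patent.
UE = ("10.0.0.1", 5000)                # IP1, Port#1
CN = ("192.0.2.3", 6000)               # IP3, Port#3
UE_ALIAS = ("198.51.100.2", 40000)     # IP2, Port#2
CN_ALIAS = ("198.51.100.4", 40002)     # IP4, Port#4
TRGW_POOL = {"198.51.100.2", "198.51.100.4"}


def run_scenario():
    """Send a handful of constructed packets and collect the verdicts."""
    trgw = AnchorPoint(TRGW_POOL, [(UE, UE_ALIAS), (CN, CN_ALIAS)])
    fw = FilterNode(TRGW_POOL)
    results = {}
    # 1. media from the UE to the alias the CN advertised: translated and accepted
    results["ue_to_cn"] = deliver(trgw, fw, Packet(*UE, *CN_ALIAS))
    # 2. reverse direction from the CN to the UE alias
    results["cn_to_ue"] = deliver(trgw, fw, Packet(*CN, *UE_ALIAS))
    # 3. unsolicited packet to the CN's real address: no binding, dropped at the TrGW
    results["attacker_to_cn"] = deliver(trgw, fw, Packet("203.0.113.9", 1234, *CN))
    # 4. packet injected at the FW external interface, bypassing the TrGW
    results["bypass_fw"] = fw.filter(
        Packet("203.0.113.9", 1234, *CN, "TCP", frozenset({"SYN"})))
    # 5. burst of SYNs from a pool address: the third half-open attempt is refused
    results["syn_flood"] = [
        fw.filter(Packet(UE_ALIAS[0], 50000 + i, *CN, "TCP", frozenset({"SYN"})))
        for i in range(3)]
    return results
```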
Brief description of the drawings
The above and other advantages will become more apparent from the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 illustrates the known architecture adopted by 3GPP for interworking between IPv6 and IPv4 networks;
Fig. 2 illustrates the invention proposed herein in relation to the configuration of the anchor point;
Fig. 3 depicts the routing of IP packets when the invention proposed herein is applied to data transmission;
Fig. 4 depicts an alternative procedure for implementing the invention in relation to the configuration of the anchor point;
Fig. 5 illustrates an anchor point according to the invention in relation to the configuration of the anchor point;
Fig. 6 illustrates an anchor point according to the invention in relation to data transmission;
Fig. 7 illustrates a filter node according to the invention in relation to data transmission; and
Fig. 8 illustrates the signaling related to the termination of a communication session.
Embodiment
Following with reference to the present invention of accompanying drawing detailed description.
For the present invention is described, the SIP that description is had real-time stream calls out.Yet method described herein is not limited to use the situation of SIP (as 3GPP IMS), but can be applied to for example situation of WAP.Usually, create dynamic pin hole at needs but do not exist in other operational environment of firewall configuration interface, also can use the present invention.
Be appreciated that the present invention uses the anchor point such as translation gateway (TrGW).Anchor point functional is the address according to IP mapping table conversion such as the IP address in the IP header of storage; It is functional to be similar to a NAT NAT.Simultaneously, as can be seen, the present invention uses the interface between CPS (or sip agent) and the TrGW.This interface allows: when session is initiated, CPS (or sip agent) request TrGW provide the binding data between the IP address (seeing also following detailed explanation), this TrGW provides this binding data to this CPS (or sip agent), and when session discharged, this CPS (or sip agent) discharged this binding.
At first, with reference to Fig. 2, this figure describes the method for the anchor point that is used for configure communication network.
Fig. 2 explanation utilizes the conduct communication of its address ip 1 sign to initiate the terminal UE of terminal, call processing server CPS as an example of telecommunication management node, translation gateway TrGW as an example of anchor point, the gateway FW that after the configuration anchor point, is used to communicate by letter (explanation after a while), and the communication objective ground terminal of utilizing its address ip 3 signs, i.e. communication node CN.
In communication between terminals, there is the logic associating that can be called calling between the terminal.Within this type of is called out, can transmit the data of difference " content " or traffic carrying capacity type, that is the data of different service quality QOS are as real-time or non-real-time service amount etc.Various types of data/traffic carrying capacitys transmit in so-called session, and wherein session constitutes the part of calling itself.In addition, session not only can identify with the address of terminal, and can identify with the port numbers of each terminal in addition, wherein guides/amount of managing business via port numbers.Translation gateway maintenance/storage conversion table or mapping table, in conversion table or mapping table, the IP address (InitIP) and the corresponding IP address CorrIP (another name of representing this terminal) that communication are initiated terminal connect.As selecting (not shown), mapping table not only comprises terminal address, and comprises each port of each terminal in addition.
The method that is used to dispose anchor point TrGW is described below.This method may further comprise the steps:
In first step 1, UE sends SIP to its CPS and invites, and formulates the IP address ip 1 and the port numbers of the Media Stream in SDP (Session Description Protocol) field of its expectation.For the purpose of this explanation, we call IP1 and port numbers Port#1 the IP address and the port numbers of the Media Stream of this UE expectation.In other words, via the telecommunication management node CPS of described communication network, ask first terminal UE to initiate communication session.Simultaneously, the step that described request is initiated may further comprise the steps, at least to the address of described telecommunication management node CPS indicating terminal UE, the CN relevant with this communication session, and described indication step further comprises, notifies the port numbers Port#1 of the described communication session of described first terminal UE.
In second step 2, CPS sends request to TrGW, so that the IP address of this UE, i.e. IP1 to be provided.This request request connects the address of the terminal of IP address and initiation request, to set up binding.Then, when described telecommunication management node CPS asks, on this anchor point (TrGW), at first set up the binding that is used for first terminal UE such as the anchor point of TrGW.
This means that TrGW connects another IP address (another name) 1P_2 and IP_1, and in its mapping table, create clauses and subclauses to store this association.As selection, this CPS can provide the port numbers Port#1 of user equipment (UE), and as selection, TrGW can assign another port numbers Port#2.This information of storage in mapping table is filtered the input packet so that resemble as described in the back with higher granularity equally.Based on the binding that anchor point TrGW provides, CPS revises the SDP field that SIP invites: more specifically, utilize IP2 and Port#2 (optional) substitute I P1 and Port#1.
Then, TrGW sends to CPS and replys, and provides IP_2 as the bind address that is associated with IP1.Utilize this associated response of step 3 explanation among Fig. 2.
After this, in step 4, described telecommunication management node CPS transmits described initiation request based on the binding of setting up to the second terminal CN, and by using the binding IP address IP2 related with user equipment (UE), CPS sends SIP to communication node and invites.
In response (not shown in Fig. 2), the callee answers the call management node CPS with, for example, a "SIP 200 OK". The second terminal CN thereby confirms the request to the call management node CPS.
In the signaling flow described above, the media stream capabilities of the destination are returned in the "SIP 200 OK" message on the signaling path. They may in fact also be returned in other replies, such as the so-called "SIP 183 Session Progress" provisional response.
When, for example, the SIP 200 OK is received, the CPS requests the anchor point TrGW to bind the IP address IP3 (and optionally the port number Port#3) of the callee's communication node specified in the SDP field. This corresponds to establishing, for a second time, a binding at the anchor point, this time for the second terminal CN, upon request of the call management node.
The TrGW provides (in this second establishment) the address IP4 and optionally the port number Port#4, which the CPS will specify in the SDP field of the SIP 200 OK message finally returned to the terminal UE.
These steps are carried out so that the callee CN "sees" a single IP address, namely IP2, as the IP address of the calling party UE. During the communication, all data packets are routed via the anchor point TrGW, which performs the required address translation. If the step of establishing an address binding for the called terminal were omitted, the UE would send data packets to the CN from IP1, whereas the SIP signaling would indicate IP2 as the originating address.
The call management node CPS then forwards the SIP message to the terminal UE. From the point of view of the terminal UE, the callee CN expects the media stream at IP4 and, for example, optionally at Port#4. Thus, the first terminal UE needs to be notified of the session initiation, and this notification uses the binding of the second terminal.
By sending the media stream to this IP address and port number, the data packets arrive at the TrGW, which recognizes the binding associated with this stream.
Thus, both steps of establishing a binding comprise associating an alias with the respective terminal UE, CN, i.e. these terminals are "known" under different addresses (and optionally under different port numbers); for example, IP2 replaces IP1 and IP4 replaces IP3.
Likewise, the step of establishing a binding further comprises storing, at the anchor point, the associated alias of each terminal, for example in the form of a look-up table in a memory of the anchor point.
(In addition, optionally, the confirming step further comprises the second terminal CN notifying the port number Port#3 of the communication session.)
Thus, the mapping table at the anchor point is configured when a call or communication session is requested.
Fig. 8 shows the procedure according to the invention relating to the termination of a communication session. Here, the method further comprises a step S81 in which the first terminal UE requests, via the call management node CPS of the communication network, the termination of the communication session (the termination request may equally be initiated by the communication node, which then acts as the "first terminal"). The termination request is then forwarded (S82) from the call management node CPS to the second terminal CN on the basis of the established binding, and the second terminal confirms the request (S83) to the call management node CPS. The management node CPS relays (S84) this request to the anchor point TrGW.
Then, a first release (S85) takes place, in which the binding of the first terminal UE is released at the anchor point TrGW upon request (S84) of the call management node CPS, and a second release (S86) takes place, in which the binding of the second terminal CN is released at the anchor point TrGW upon request (S84) of the call management node. These release steps comprise deleting the associated alias of each terminal at the anchor point. This means that the corresponding entries in the mapping table (shown in Figs. 2, 3 and 4) are selectively erased.
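The set-up steps 1 to 4 of Fig. 2 and the release steps S81 to S86 of Fig. 8, as an added worked example in Python. This is not code from the patent: the addresses, the SDP lines, the even-port allocation scheme and the notification callback from the anchor point towards the firewall are constructed for illustration. The CPS parses the media address and port from the SDP, obtains an alias from the anchor point, rewrites the SDP before forwarding it, and on termination asks the anchor point to erase both entries.

```python
import re
from itertools import count


class AnchorPoint:
    """Plays the role of the TrGW: keeps the mapping table alias -> real endpoint."""

    def __init__(self, alias_pool, notify=None):
        self.free = list(alias_pool)      # alias IP addresses not yet bound (constructed pool)
        self.table = {}                   # (alias_ip, alias_port) -> (real_ip, real_port)
        self.reverse = {}                 # (real_ip, real_port) -> (alias_ip, alias_port)
        self.ports = count(40000, 2)      # alias port allocation (assumed even RTP ports)
        self.notify = notify              # optional callback towards the firewall (assumed)

    def bind(self, real_ip, real_port):
        """Binding request from the CPS: allocate an alias and store the entry."""
        alias = (self.free.pop(0), next(self.ports))
        self.table[alias] = (real_ip, real_port)
        self.reverse[(real_ip, real_port)] = alias
        if self.notify:
            self.notify("add", alias)
        return alias

    def release(self, real_ip, real_port):
        """Release request from the CPS (Fig. 8): erase the entry selectively."""
        alias = self.reverse.pop((real_ip, real_port))
        del self.table[alias]
        self.free.append(alias[0])
        if self.notify:
            self.notify("del", alias)


def media_endpoint(sdp):
    """Extract the media IP address and port from the SDP c= and m= lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    return ip, port


def rewrite_sdp(sdp, ip, port):
    """Replace the media address and port in the SDP by the alias values."""
    sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {ip}", sdp, flags=re.M)
    return re.sub(r"^m=audio \d+", f"m=audio {port}", sdp, flags=re.M)


class CallManager:
    """Plays the role of the CPS (or of the SIP proxy of Fig. 4)."""

    def __init__(self, trgw):
        self.trgw = trgw
        self.calls = {}   # call id -> real endpoints bound for that call

    def invite(self, call_id, sdp_from_ue):
        """Steps 1-4: bind IP1/Port#1, forward the INVITE carrying IP2/Port#2."""
        ip1, port1 = media_endpoint(sdp_from_ue)
        ip2, port2 = self.trgw.bind(ip1, port1)
        self.calls[call_id] = [(ip1, port1)]
        return rewrite_sdp(sdp_from_ue, ip2, port2)

    def answer(self, call_id, sdp_from_cn):
        """200 OK from the CN: bind IP3/Port#3, forward it to the UE carrying IP4/Port#4."""
        ip3, port3 = media_endpoint(sdp_from_cn)
        ip4, port4 = self.trgw.bind(ip3, port3)
        self.calls[call_id].append((ip3, port3))
        return rewrite_sdp(sdp_from_cn, ip4, port4)

    def bye(self, call_id):
        """Termination (S81-S86): release both bindings at the anchor point."""
        for real in self.calls.pop(call_id):
            self.trgw.release(*real)


def run_call():
    """Walk one call through set-up and release with constructed addresses and SDP."""
    events = []
    trgw = AnchorPoint(["198.51.100.10", "198.51.100.11"],
                       notify=lambda op, alias: events.append((op, alias)))
    cps = CallManager(trgw)
    invite_sdp = "v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 5004 RTP/AVP 0\r\n"    # IP1, Port#1
    invite_to_cn = cps.invite("call-1", invite_sdp)                          # carries IP2, Port#2
    ok_sdp = "v=0\r\nc=IN IP4 203.0.113.7\r\nm=audio 6000 RTP/AVP 0\r\n"     # IP3, Port#3
    ok_to_ue = cps.answer("call-1", ok_sdp)                                  # carries IP4, Port#4
    table_during_call = dict(trgw.table)
    cps.bye("call-1")
    return invite_to_cn, ok_to_ue, table_during_call, dict(trgw.table), events


if __name__ == "__main__":
    for item in run_call():
        print(item)
```

The CN only ever sees IP2/Port#2 in the INVITE it receives, and the UE only ever sees IP4/Port#4 in the 200 OK, so both terminals address their media to the anchor point; after the BYE the mapping table is empty again and the alias addresses return to the pool.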
The configuration of the anchor point has thus far been described. The communication using the anchor point configured as above is described below.
In general, the method of transmitting data according to the invention relates to data in a communication session established in a communication network between a first terminal UE, CN and a second terminal CN, UE. The method comprises transmitting the data to be transmitted from the first terminal UE, CN to an anchor point TrGW, which is configured to store a table of the respective bindings of these terminals. Then, using the configured bindings of these terminals, the data to be transmitted are relayed from the anchor point to a filter node of the network, such as a firewall FW. Thereafter, the data to be transmitted are filtered at the filter node on the basis of the bindings of the terminals.
More specifically, the filtering further comprises letting the data to be transmitted pass through the filter node to the second terminal CN, UE on the basis of this binding if this binding exists among the configured bindings. Likewise, the filtering further comprises preventing the data from reaching the second terminal CN, UE through the filter node on the basis of this binding if this binding does not exist among the configured bindings.
With reference to Fig. 3, this means that, after the anchor point has been configured as described above, the next step is sending traffic from the UE to the CN and from the CN to the UE on the basis of the configured bindings, in the following manner:
First case (downstream, from UE to CN):
Data are sent from the UE to the TrGW, then from the TrGW to the FW and from there to the CN, as described below (not shown in Fig. 3).
Second case (upstream, from CN to UE):
Data are sent from the CN to the TrGW, then from the TrGW to the FW and from there to the UE, as described below (not shown in Fig. 3).
In detail:
The payload data originating from the UE are forced to the anchor point. When there are several anchor points in the network, this is achieved by associating an anchor point with each terminal, for example depending on the address and/or location of the terminal, or on any other criterion, for example on the type of traffic concerned.
The anchor point TrGW modifies the IP header of the incoming data packets in the following manner, so that the header of the outgoing data packets differs from it:
- the source IP address is changed from IP1 to IP2,
- the destination IP address is changed from IP4 to IP3,
- optionally, the source port number is changed from Port#1 to Port#2,
- optionally, the destination port number is changed from Port#4 to Port#3.
For the incoming IP data packets, the callee (i.e. the CN) sends IP data packets as replies from its address IP3 to the alias address IP2 of the UE.
Likewise, these IP data packets arrive at the anchor point TrGW, which modifies them in the following manner:
- the source IP address is changed from IP3 to IP4,
- the destination IP address is changed from IP2 to IP1,
- optionally, the source port number is changed from Port#3 to Port#4,
- optionally, the destination port number is changed from Port#2 to Port#1.
In summary, during the communication, the data packets with the modified headers are forced to a filter node such as a firewall. That is, the data sent from the anchor point TrGW are forced to the firewall. When there are several firewalls in the network, this is achieved by associating a firewall with each anchor point, for example depending on the address and/or location of the anchor point, or on any other criterion.
The firewall is then configured so as to let the incoming data packets from the IP address pool of the anchor point TrGW pass through the firewall and to block other data packets. The firewall acting as filter node therefore knows the address pool of the bindings of the authorized communications.
This knowledge is obtained, for example, in the following manner: whenever a binding is established or deleted at the anchor point, the anchor point notifies the firewall of each newly established or deleted binding. Alternatively, upon receiving a data packet, the firewall may query the anchor point in order to learn whether the address concerned is part of the address pool of the anchor point. Other ways for the firewall to obtain knowledge of the address pool of the anchor point are conceivable.
This type of communication method allows:
- discarding invalid data packets arriving at the firewall,
- discarding invalid data packets arriving at the anchor point TrGW, i.e. incoming IP data packets not corresponding to an existing session are not forwarded to the firewall,
- delivering to the UE the incoming data packets originating from valid nodes,
- the firewall checking the incoming data packets originating from valid nodes against common IP threats (such as TCP SYN flood, Ping of Death, etc.).
Alternatively, if the CPS provides the port number and IP address of the communication node when the anchor point is configured, this information can also be used when filtering the incoming IP data packets.
The only data packets allowed through the TrGW and the firewall are those generated by the legitimate IP address of a legitimate CN (i.e. a CN that is in a SIP call with a UE in the network protected by this FW; otherwise the TrGW discards them), directed to the UE, and corresponding to a protocol type allowed by the UE, and vice versa.
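The header rewriting at the anchor point and the filtering at the firewall described above, as an added example in Python; it is not code from the patent. The mapping table entries (IP2:Port#2 for IP1:Port#1 and IP4:Port#4 for IP3:Port#3), the address pool the firewall has learnt, the set of protocol types the UE allows and the pairing of the two endpoints into one session are constructed assumptions; the session pairing is this example's way of enforcing the condition that only a CN in a SIP call with the UE may reach it. Packets matching no binding are dropped at the anchor point and never reach the firewall; packets that do match are rewritten and then checked by the firewall against the pool, the bound terminals and the allowed protocol type.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "UDP"


# Mapping table of the anchor point as left by call set-up (constructed values):
# alias -> real endpoint, i.e. IP2:Port#2 -> IP1:Port#1 and IP4:Port#4 -> IP3:Port#3.
MAPPING = {
    ("198.51.100.10", 40000): ("10.0.0.5", 5004),     # alias of the UE
    ("198.51.100.11", 40002): ("203.0.113.7", 6000),  # alias of the CN
}
REAL_TO_ALIAS = {real: alias for alias, real in MAPPING.items()}
# Which real endpoints are in a call together; pairing per session is this
# example's way of enforcing the "in a SIP call with the UE" condition (assumed).
SESSIONS = {frozenset({("10.0.0.5", 5004), ("203.0.113.7", 6000)})}
# Address pool of the anchor point, as learnt by the firewall from binding notifications.
TRGW_POOL = {"198.51.100.10", "198.51.100.11"}
UE_ALLOWED_PROTOS = {"UDP"}   # protocol types the UE allows (assumed)


def translate(pkt, mapping=MAPPING):
    """Header rewrite at the anchor point TrGW.

    Downstream: src IP1:Port#1 -> IP2:Port#2, dst IP4:Port#4 -> IP3:Port#3.
    Upstream:   src IP3:Port#3 -> IP4:Port#4, dst IP2:Port#2 -> IP1:Port#1.
    Returns None when the packet matches no binding; such packets are discarded
    at the anchor point and never forwarded to the firewall.
    """
    real_src = (pkt.src_ip, pkt.src_port)
    alias_dst = (pkt.dst_ip, pkt.dst_port)
    if real_src not in REAL_TO_ALIAS or alias_dst not in mapping:
        return None
    real_dst = mapping[alias_dst]
    if frozenset({real_src, real_dst}) not in SESSIONS:
        return None   # both endpoints bound, but not peers of the same session
    alias_src = REAL_TO_ALIAS[real_src]
    return replace(pkt, src_ip=alias_src[0], src_port=alias_src[1],
                   dst_ip=real_dst[0], dst_port=real_dst[1])


def firewall_accepts(pkt, pool=TRGW_POOL, allowed=UE_ALLOWED_PROTOS):
    """Filter node FW: accept only packets whose source belongs to the address
    pool of the anchor point, that are addressed to a bound terminal, and whose
    protocol type the terminal allows; everything else is discarded."""
    bound_terminals = set(MAPPING.values())
    return (pkt.src_ip in pool
            and (pkt.dst_ip, pkt.dst_port) in bound_terminals
            and pkt.proto in allowed)


def forward(pkt):
    """Full path of one packet: anchor point first, then the firewall.
    Returns (delivered packet or None, outcome)."""
    translated = translate(pkt)
    if translated is None:
        return None, "dropped at TrGW: no binding"
    if not firewall_accepts(translated):
        return None, "dropped at FW"
    return translated, "delivered"


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", 5004, "198.51.100.11", 40002),            # UE -> CN via IP4
        Packet("203.0.113.7", 6000, "198.51.100.10", 40000),         # CN -> UE via IP2
        Packet("192.0.2.99", 1234, "198.51.100.10", 40000),          # sender in no call
        Packet("10.0.0.5", 5004, "203.0.113.7", 6000),               # UE addressing IP3 directly
        Packet("203.0.113.7", 6000, "198.51.100.10", 40000, "TCP"),  # protocol the UE does not allow
    ]
    for p in samples:
        print(p, "->", forward(p))
```

The fourth sample shows the point made above about the second binding: a packet sent by the UE straight to IP3 matches no alias and is dropped, so only traffic addressed to the alias IP4 reaches the CN, and the CN therefore only ever sees IP2 as its peer. The last sample reaches the firewall with a valid source from the pool but is still discarded because of its protocol type.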
To implement the invention, the anchor point TrGW is configured in the manner described above. At the same time, the interface between the TrGW and the CPS is configured in the manner described above. This interface may be based on the LDAP (Lightweight Directory Access Protocol) or the COPS (Common Open Policy Service) protocol.
The additional functionality of the CPS (the requests sent by the CPS to the TrGW, the modification of the SIP messages) is either added to the current CPS implementation or implemented in a SIP proxy server. In the latter case the CPS forwards all SIP signaling to this SIP proxy, which carries out the operations described above.
Fig. 4 of the drawings illustrates this modification. The method flow is similar to that shown in Fig. 2, but in this modification the functionality attributed to the CPS in Fig. 2 is transferred to a SIP proxy server located between the CPS and the anchor point. The CPS is then only used to relay the request for initiating the communication session to the SIP proxy server, which acts as an alternative call management node, and to relay the respective replies/confirmations to the UE. A detailed description is therefore omitted here.
In this way, communication security can be achieved by analyzing the SIP signaling and the data exchanged between the communication nodes, more specifically by analyzing the indicated IP addresses (and optional port numbers), which serve as a "dynamic program" for the firewall.
The invention has been described above with reference to methods. Note, however, that the invention equally relates to correspondingly modified nodes.
Thus, in view of the method of configuring the anchor point, it will be appreciated that the anchor point can be constructed in the following manner.
The anchor point according to the invention shown in Fig. 5 comprises: a receiver for receiving, for a first time, from the call management node a binding request for establishing a binding of a first terminal requesting the initiation of a communication session; and a processor for establishing, for the first time, the binding of the first terminal UE in response to the received binding request and for returning the binding to the call management node, wherein the receiver receives, for a second time, from the call management node a binding request for establishing a binding of a second terminal concerned by this communication session, and the processor establishes, for the second time, the binding of the second terminal CN upon request of the call management node. Note that the receiver is in fact a receiver/transmitter, the transmitter part of which returns the information relating to the established binding to the call management node CPS (or to the Proxy-CSCF). Note also that although Fig. 5 represents the received binding requests separately, this is for illustration purposes only; the two requests, received at different instants, may of course arrive via the same interface of the anchor point towards the call management node CPS (or Proxy-CSCF).
Furthermore, the processor comprises an allocation device which, when a binding is established, associates an alias with the respective terminal, and the anchor point comprises a memory for storing the associated alias of each terminal.
Furthermore, it will be appreciated that, with regard to the communication method, the anchor point is constructed in the following manner. Although this anchor point is illustrated in different drawings, it must be noted that this is for illustration purposes. In fact, an anchor point according to the invention is at all times equipped with all internal units/devices, although these are shown selectively according to the operating state of the anchor point, i.e. while the anchor point is being configured or while communication takes place via the anchor point. Likewise, configuration may take place between communications or during a communication, and the processing device of the anchor point is preferably configured to allow the configuration and communication processes to be handled in parallel. Likewise, some components of the anchor point are not provided in duplicate but are used for both purposes, configuration and communication (e.g. the receiver and the memory).
The anchor point according to the invention shown in Fig. 6 comprises: a receiver for receiving data to be transmitted from a first terminal UE, CN to a second terminal CN, UE; a memory for storing a table of the respective bindings of these terminals; and a processor for relaying the data to be transmitted to a filter node FW of the network using the bindings of these terminals. Of course, this receiver is in fact a receiver/transmitter and acts as a transmitter in order to relay data according to the result of the processor. As described for the communication method, the processor cooperates with the memory and the bindings stored therein to modify the header of the data. Note that this anchor point relays data to the firewall only selectively, namely only data for whose addresses binding information is present; in other words, it prevents data relating to a terminal address for which no alias (binding) is stored in the anchor point from being forwarded to the firewall. This means that the anchor point detects the binding and forwards only the data packets that are valid according to the binding to the filter node, and in this respect constitutes part of the firewall functionality. The same functionality may, however, equally belong to the firewall itself.
Likewise, it will be appreciated that, with regard to the communication method, the filter node is constructed in the following manner.
The filter node according to the invention shown in Fig. 7 comprises: a receiver for receiving data to be transmitted from a first terminal UE, CN to a second terminal CN, UE, the data being received from an anchor point holding the bindings of these terminals; a processor for analyzing the bindings of the terminals; and a filter for filtering the data depending on the result of the analysis.
In particular, the filter forwards the data to be transmitted to the second terminal CN, UE on the basis of this binding if this binding exists among the bindings configured at the anchor point, and prevents the data from being forwarded to the second terminal CN, UE on the basis of this binding if this binding does not exist among the bindings configured at the anchor point. Data that are prevented are not delivered but deleted or discarded. The filter node thus verifies that data packets which appear valid because they arrive at the filter node from the anchor point (e.g. because they passed through that anchor point) are indeed not invalid.
Note that the block diagrams of the anchor point and the filter node are given without any specific implementation details. These nodes may be implemented in hardware, such as a digital signal processor DSP or an ASIC (application-specific integrated circuit), or in software. Any implementation is feasible as long as the node can carry out the functionality described with reference to the method/steps to be performed.
Thus, as described above, for the situation in which dynamic pinholes have to be created in order to guarantee an appropriate level of security, the invention defines a method and communication nodes for filtering IP communication through a firewall. The invention is based on creating a secure and authorized anchor point for the communication, wherein all communication passes first through the anchor point and only thereafter through the packet-filtering firewall. The invention introduces no new entities but reuses the existing architecture. It relies on the translation gateway TrGW, which translates the addresses in the headers according to a stored mapping table, and on the interface between the CPS (or SIP proxy) and the TrGW. This interface allows the CPS, at session initiation, to request the TrGW to provide the binding between IP addresses, and, at session release, the TrGW to provide the binding data to the CPS so that the CPS can release the binding. The FW should be a stateful filter which, on its external interface, accepts only incoming data packets whose IP addresses belong to the address pool of the TrGW. Thus, all incoming data packets not corresponding to an existing call are discarded at the TrGW, and the valid data packets pass through the FW, which verifies that they are neither malformed messages nor any other attack.
Although the invention has been described with reference to specific embodiments selected merely as examples, it should be appreciated that the foregoing description and drawings illustrate the invention by way of example only. The preferred embodiments of the method and of the nodes may therefore vary within the scope of the appended claims.