JP2012085003A - Sip apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a session initiation protocol (SIP) apparatus capable of accurately excluding an illegal access from a WAN with a simple constitution and through a simple procedure.SOLUTION: A SIP apparatus includes: a SIP processing part for processing a SIP request; a WAN communication part for transferring a SIP request message coming from a WAN side to the SIP processing part by adding information indicating an effect that the message is received from the WAN side; and a LAN communication part for transferring a SIP request message coming from a LAN side to the SIP processing part. When an INVITE request message is the message from a station which is registered by the previous transmission of a REGISTER request message from the SIP apparatus, the SIP processing part receives the INVITE request.

Description

  The present invention relates to a SIP device that receives and processes a SIP (Session Initiation Protocol) request from both a LAN side and a WAN side.

  In general, IP telephones use SIP to establish connection between terminals (telephones), and perform voice signal transmission using VoIP (Voice over Internet Protocol). By the way, since both the SIP packet and the VoIP packet cannot pass through a NAT (Network Address Translation) unit built in the router, a terminal (IP telephone) on a LAN that is a local IP network is connected to a WAN that is a global IP network (IP). It was not possible to access the SIP server of the telecommunications carrier installed on the Internet. In order to realize this so-called NAT traversal, it was necessary to install a large-scale SIP proxy server or the like.

  Accordingly, the applicant has proposed a VoIP router device that can pass the SIP request message from the LAN to the WAN in order to realize this with a simple configuration (see Patent Document 1). Further, the applicant has realized a VoIP router device capable of transferring a SIP request between LAN and WAN.

JP-A-2005-160055

  When accepting a SIP request across the LAN and WAN, it is difficult to effectively eliminate unauthorized access. In particular, it is necessary to increase the security threshold for access from the WAN side. However, in IP filtering and SIP authentication, incoming calls from the WAN side and incoming calls from the LAN side are distinguished to effectively eliminate unauthorized access. Difficult to do. That is, there is a problem that if the security level is lowered, unauthorized access from the WAN side cannot be eliminated, and if the security level is raised, legitimate access from the LAN side is also eliminated.

  An object of the present invention is to provide a SIP device that can accurately eliminate unauthorized access from a WAN with a simple configuration and a simple procedure.

The SIP device according to the first aspect of the present invention transfers a SIP request message received from the WAN side to the SIP processing unit with information indicating that the SIP request message has been received from the WAN side. A WAN communication unit, and a LAN communication unit for transferring a SIP request message received from the LAN side to the SIP processing unit,
When the INVITE request message arrives from the WAN side, the SIP processing unit accepts the INVITE request if the INVITE request message is from a station registered by sending a REGISTER request message from us in advance. It is characterized by that.

  According to a second aspect of the present invention, the SIP processing unit further includes a URI of an INVITE request message received from the WAN side that has already been registered (extension registered) based on a REGISTER request received from the LAN side. In this case, the INVITE request is accepted.

  In the invention of claim 3, the SIP processing unit further includes a URI in which the INVITE request message received from the WAN side is a request for peer-to-peer connection, and the source URI is registered by a user operation. If the URI is already registered in the list (VoIP phone book), this INVITE request is accepted.

  The invention of claim 4 is characterized in that the SIP processing unit does not accept a REGISTER request message received from the WAN side.

  The invention according to claim 5 is characterized in that, when the SIP processing unit does not accept the SIP request message received from the WAN side, it does not return an error response to the transmission source terminal of the request message.

  According to a sixth aspect of the present invention, a router unit including a packet filter and a network address conversion unit is provided in parallel with the SIP processing unit between the WAN communication unit and the LAN communication unit, and the WAN communication unit and the LAN The communication unit transfers at least a packet of a SIP request message among the received packets to the SIP processing unit.

  According to the present invention, the SIP request message received from the WAN side is attached to the SIP processing unit with information indicating that the SIP request message has been received from the WAN side, and various filtering processes are performed on the SIP request message input from the WAN side. By performing the above, unauthorized access from the WAN side can be accurately eliminated.

1 is a configuration diagram of an IP telephone system including a VoIP router according to an embodiment of the present invention. It is a block diagram of the VoIP router. It is a flowchart which shows operation | movement of the said VoIP router. It is a flowchart which shows operation | movement of the said VoIP router. It is a flowchart which shows operation | movement of the said VoIP router. It is a flowchart which shows operation | movement of the said VoIP router.

  An IP telephone system and a VoIP router according to an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a configuration diagram of an IP telephone system. The VoIP router 1 has a router function for connecting a LAN 2 that is a local IP network and a WAN (Internet) 3 that is a global IP network, and is a simple SIP that converts and forwards a SIP message between the LAN 2 and the WAN 3. It has a server function.

  Connected to the LAN 2 are an IP telephone 5 as an extension terminal and a gateway device 6 for connecting the IP telephone 5 to an exchange line. A personal computer 7 is also connected to the LAN 2. In this figure, only one IP telephone 5 is shown, but the number is not limited to one. Further, a normal telephone may be connected via a VoIP gateway. On the other hand, the SIP 3 of the communication carrier is connected to the WAN 3. A communication carrier is a carrier that provides public IP telephone service.

  In the system of this configuration, the VoIP router 1 functions as a normal router that connects the personal computer 7 to the WAN 3 that is the Internet, and also functions as a simple SIP server. The SIP server function of the VoIP router 1 includes: connection management of extension calls between IP telephones 5 in the LAN 2, call management of external IP telephones from the IP telephone 5 on the LAN 2 through the SIP server 4, and the SIP server 4 on the LAN 2 Management of incoming calls of an external IP telephone incoming to the IP telephone 5.

  FIG. 2 is a block diagram of the VoIP router 1. The VoIP router 1 has a LAN communication unit 10, a TCP / IP processing unit 11, a NAT 12, an IP filter 13, and a WAN communication unit 14 arranged in this order in order to realize a router function. The LAN communication unit 10 includes a LAN port and is connected to the LAN 2. The WAN communication unit 14 includes a WAN port and is connected to the WAN 3. The TCP / IP processing unit 11 is a functional unit that processes packets exchanged between the LAN 2 and the WAN 3. The NAT 12 is a functional unit that converts a global IP address and a local IP address (including IP masquerade). The IP filter 13 is a functional unit that performs pass / non-pass filtering on packets received from the WAN via the WAN communication unit 14 based on various information written in the header thereof. The various information includes, for example, an IP address, a service name, a port number, and the like. The IP filter 3 is set so as not to pass the SIP packet.

  Further, a SIP processing unit 15 is connected to the LAN communication unit 10 and the WAN communication unit 14 so as to bypass the routes of the TCP / IP processing unit 11, NAT 12, and IP filter 13. The SIP processing unit 15 functions as an extension SIP server for the LAN 2 and also functions as a simple SIP proxy server between the WAN 3 and the LAN 2.

  When the service of the packet received from the LAN 2 is SIP or VoIP, the LAN communication unit 10 transfers the packet to the SIP processing unit 15, and transfers the other service packets to the TCP / IP processing unit 11. When the service of the packet received from the WAN 3 is SIP or VoIP, the WAN communication unit 14 transfers the packet to the SIP processing unit 15 and transfers packets of other services to the IP filter 13. When the WAN communication unit 14 transfers a SIP packet (SIP request message) to the SIP processing unit 15, information indicating that the packet has arrived from the WAN 3 is attached.

The SIP processing unit 15 processes the SIP request message transferred from the LAN communication unit 10 in a normal procedure. In addition, when the SIP request message is transferred from the WAN communication unit 14, the SIP processing unit 15 adds the above-mentioned “information indicating that the call has been received from the WAN 3” to the SIP request message. In order to maintain security for this SIP request message, by default, only the INVITE request sent from the SIP server 4 of the communication carrier is permitted, and other than that, The request message is discarded. Even if the request message is discarded, the UA (User
An error message is not returned to Agent. Note that it is possible to permit the arrival of a request message other than the INVITE request received from other than the SIP server 4 by setting by the user, and when the request message is discarded, an error message is sent to the transmission source UA. It is also possible to set to reply.

  Hereinafter, the processing procedure in which the SIP processing unit 15 processes the SIP request message received from the WAN 3 will be described in detail with reference to the flowcharts of FIGS. When the SIP processing unit receives a request message from the WAN 3, that is, when a SIP packet to which information indicating that it has arrived from the WAN 3 is transferred from the WAN communication unit 14, the SIP processing unit Perform the action.

  FIG. 3 shows a main routine. When a request message arrives from the WAN 3 to the domain of the SIP processing unit 15, it is determined whether the request message is a REGISTER request (S10) or an INVITE request (S12). In the case of a REGISTER request (YES in S10), REGISTER incoming processing (S11: see FIG. 5) is executed. In the case of an INVITE request (YES in S12), INVITE incoming processing (S13: refer to FIG. 6) is executed. If the request message received from WAN 3 is a message other than a REGISTER request or INVITE request (NO in S10 and S12), this message is discarded (S14). In other words, request messages other than REGISTER and INVITE are not accepted from WAN 3 in order to maintain security. The request message is discarded according to the procedure shown in FIG.

  FIG. 4 is a flowchart showing the request discarding process. This procedure is used to discard an incoming request message. First, it is determined whether or not an error message indicating that the request is to be discarded is returned to the sender UA (S20). Whether to allow a reply to the transmission source UA is set in advance by the user. If reply to the transmission source UA station is permitted (YES in S20), an error code (401, 403 or 404) corresponding to the reason for discarding the message is returned (S21). In the case of S14 in FIG. 3, 403 “Forbidden” is returned. If the reply to the transmission source UA is not permitted (NO in S20), the process ends without doing anything. The reason why the error code is not returned is to prevent the partner station from notifying the existence of the SIP processing unit 15.

  FIG. 5 is a flowchart showing REGISTER incoming processing. This processing operation is executed in S11 of FIG. 3 when a REGISTER request is received from WAN3. First, it is determined whether or not an incoming REGISTER request from the WAN 3 is permitted (S30). Whether or not to accept the REGISTER request from the WAN 3 is set in advance by the user. When the incoming REGISTER request is permitted (YES in S30), the transmitting station is authenticated (S32). This authentication process may be performed by, for example, general digest authentication. If the authentication is OK, the requested URI is registered in the database (S35). Thereafter, processing such as sending a reply to the effect that registration has been completed to the transmitting station is executed.

  On the other hand, when the incoming REGISTER request from the WAN 3 is not permitted (NO in S30), the request is discarded according to the procedure shown in FIG. 4 (S31). When an error code is returned, 403 “Forbidden” is returned. Similarly, if the transmitting station cannot be authenticated (NO in S33), the request processing is performed in the same manner as shown in FIG. 4 (S34). In this case, the returned error code is 401 “Unauthorized”.

  FIG. 6 is a flowchart showing the INVITE incoming call process. This processing operation is executed in S13 of FIG. 3 when an INVITE request is received from WAN3. In this operation, first, a request URI corresponding to the destination URI is checked (S40). If the request URI is a registered URI, that is, the URI described in the contact header of the REGISTER request transmitted from this apparatus to the SIP server of the communication carrier (YES in S40), the communication carrier is Assuming that the call originates from the external IP phone that has passed through, it is determined whether it matches any of the phone numbers described in the database (S41). If they match (YES in S41), the INVITE request is transferred to the extension terminal (IP telephone 5) to which the telephone number is assigned to make an incoming call (S42). If the telephone numbers do not match, it is determined that the telephone number is different, and the request discarding process is executed according to the procedure shown in FIG. 4 (S43). When an error code is returned, 404 “Not found” is returned.

  Here, a random character string is included in the contact URI of the REGISTER request message transmitted from the VoIP server 1 to the SIP server of the communication carrier in order to prevent unauthorized access due to impersonation. Therefore, if the request URI of the request message sent by the communication carrier to the VoIP server is a URI including this random character string, it is determined that the request message is sent from a valid SIP server. be able to. In S40, the other station is authenticated using this URI. In S41, the telephone number is extracted from the TO header (for example, telephone number @ domain or telephone number @ IP address) of the INVITE request message, and the database is searched with this telephone number.

  If the request URI is not a registered URI (NO in S40), the header contact URI is checked (S44). This contact URI corresponds to the transmission source URI of the present invention. If the contact URI in the header is a registered URI (YES in S44), the IP telephone 5 registered for extension via the LAN 2 is taken outside and received via the WAN 3, and this INVITE Is permitted, and the process proceeds to S41. The extension registered URI is a URI registered in the extension database by the REGISTER request received from the IP telephone 5 on the LAN 2.

  If the request URI is not registered at the upper level and the contact URI is not registered at the extension (NO in S44), it is determined whether this INVITE request is a request for peer-to-peer (P2P) communication, that is, P2P incoming ( S45). If the incoming call is a P2P incoming call (YES in S45), it is determined whether a P2P incoming call (outside line P2P incoming call) from the WAN 3 is permitted (S46). If the incoming P2P call is permitted, it is determined whether the FROM URI is registered in the VoIP telephone directory (S47). If it is registered (YES in S47), it is determined that the user of the VoIP router 1 is an incoming call from a communication partner registered by himself / herself, and this request is allowed to be received and INVITE processing is executed (S48). The VoIP phone book is a list of call destination URIs registered by the user.

  If the INVITE request is not a P2P request (NO in S45), if the unit does not permit incoming P2P calls (NO in S46), or if the telephone number is not registered in the VoIP phone book (NO in S47) In step S49, the request is discarded according to the procedure shown in FIG. When an error code is returned, 404 “Not found” is returned.

  In this embodiment, when an INVITE request message arrives from the WAN side, whether or not “the INVITE request message is from a station registered by sending a REGISTER request message in advance from us” is determined. The determination is made based on whether or not “the destination URI of the request message is the (higher registered) URI described in the REGISTER request transmitted in advance from us to the transmission source station of the INVITE request message”. However, the determination is not limited to this.

1 VoIP router 2 LAN
3 WAN
10 LAN communication unit 14 WAN communication unit 15 SIP processing unit

Claims (6)

A SIP processing unit for processing a SIP request;
A WAN communication unit for transferring a SIP request message received from the WAN side to the SIP processing unit with information indicating that the SIP request message has been received from the WAN side;
A LAN communication unit for transferring a SIP request message received from the LAN side to the SIP processing unit;
With
When the INVITE request message arrives from the WAN side, the SIP processing unit accepts the INVITE request if the INVITE request message is from a station registered by sending a REGISTER request message from us in advance. SIP equipment. The SIP processing unit further accepts the INVITE request when the source URI of the INVITE request message received from the WAN side is already registered based on the REGISTER request accepted from the LAN side. SIP equipment. The SIP processing unit further includes a URI already received in a URI list in which an INVITE request message received from the WAN side is a peer-to-peer connection request and the source URI is registered by a user operation. The SIP device according to claim 1, wherein the SIP device accepts the INVITE request.   The SIP device according to any one of claims 1 to 3, wherein the SIP processing unit does not accept a REGISTER request message received from the WAN side.   5. The SIP device according to claim 1, wherein when the SIP processing unit does not accept a SIP request message received from the WAN side, the SIP processing unit does not return an error response to a transmission source terminal of the request message. 6. A router unit including a packet filter and a network address conversion unit between the WAN communication unit and the LAN communication unit is provided in parallel with the SIP processing unit,
The SIP device according to any one of claims 1 to 5, wherein the WAN communication unit and the LAN communication unit transfer at least a packet of a SIP request message among the received packets to the SIP processing unit.

Images