CN100440850C - Method of multimedia service NAT traversing and system thereof - Google Patents

Method of multimedia service NAT traversing and system thereof

Info

Publication number
CN100440850C
Authority
CN
China
Prior art keywords
message
address
payload
port
proxy server
Legal status
Expired - Fee Related
Application number
CNB2003101210780A
Other languages
Chinese (zh)
Other versions
CN1633100A (en)
Inventor
袁莉
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2003101210780A
Publication of CN1633100A
Application granted
Publication of CN100440850C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a communication system and method in a next generation network, and discloses a method and system for multimedia service network address translation traversal, so that signaling and media streams whose sending and receiving ports differ can successfully traverse NAT/FW. A proxy client and a proxy server are placed inside and outside the NAT/FW respectively; the proxy client allocates a different UDP or TCP port to each packet user terminal in the private network and thereby establishes a separate tunnel with the proxy server for each terminal. Through these tunnels, which are transparent to the service data, the packet user terminals can exchange signaling and media streams normally with hosts in the public network.

Description

Method and system for multimedia service network address translation traversal
Technical field
The present invention relates to communication systems and methods in next generation networks, and in particular to a system and method for multimedia services to traverse network address translation devices and firewalls in a next generation network.
Background
The Next Generation Network (NGN) is a milestone in the history of telecommunications and marks the arrival of a new generation of telecommunication networks. From a development perspective, NGN moves step by step from the traditional circuit-switched Public Switched Telephone Network (PSTN) towards packet switching. It carries all the services of the original PSTN, offloads large volumes of data traffic onto Internet Protocol (IP) networks to relieve the PSTN, and uses the new capabilities of IP technology to add new services and enhance existing ones. In this sense, NGN is the product of merging the PSTN voice network, based on time division multiplexing (TDM), with packet networks based on Internet Protocol and asynchronous transfer mode (IP/ATM); it makes integrated voice, video and data services possible on the new generation network. NGN is currently a focus of research.
Functionally, NGN can be divided into four layers: the access and transport layer, the media transport layer, the control layer and the network service layer. The softswitch (SoftSwitch) provides NGN with call control and connection control for services with real-time requirements and is the core of NGN call control. The softswitch component (SoftX) is the key component of the NGN network control layer and is the device that provides integrated services and call control. Its main functions include call control, signaling gateway, gateway control, integrated services and enhanced services.
As NGN networks move from trials to commercial deployment, NGN user access is becoming a serious problem. Because NGN is carried over packet-based networks, access users are addressed by IP address; since IP addresses are in short supply, and for reasons such as security, most enterprise networks and residential networks today use private IP addresses and reach the public network through Network Address Translation (NAT) devices or firewalls (FW) at their egress.
A firewall is used to prevent packets from entering a network without restriction. Normally a set of packet filtering rules is configured; the firewall checks the source address, destination address, source port, destination port and protocol of each packet to decide whether it matches the filtering rules, and only matching packets are allowed through. In practice, servers that need to be reached from outside, such as web servers, are placed in a designated zone, and the firewall is configured to let through all traffic destined for the corresponding ports of those servers.
NAT allows many hosts in a private network to access the public network through a smaller number of public addresses, and at the same time hides private network IP addresses so that hosts inside the private network are protected from outside attack. Its principle is that when a host in the private network needs to access the public network, the NAT server dynamically assigns a free public address to that host; when the host no longer needs public network access (for example, it has not sent to or received from the public network for a long time), the NAT server reclaims the assigned public address.
The industry currently has several schemes for FW/NAT traversal, such as Simple Traversal of UDP Through Network Address Translators (STUN), Traversal Using Relay NAT (TURN) and Full Proxy. These main schemes are briefly introduced below.
In the STUN approach, a private network user first learns, by some mechanism, the external address on the egress NAT that corresponds to its own address, and then writes that external address, rather than the user's private IP address, into the address information carried in the message payload. The payload then does not need to be modified when passing through the NAT; only the IP address in the packet header is translated by the ordinary NAT procedure, and the address information in the payload stays consistent with the header. STUN solves the application-layer address translation problem along these lines.
The user application acts as a STUN client (STUN CLIENT) and sends a STUN request over the User Datagram Protocol (UDP) to a STUN server (STUN SERVER) located outside the NAT. The STUN server receives the request and produces a response that carries the source port of the request, i.e. the external port of the STUN client on the NAT. The response is sent back to the STUN client through the NAT; the client learns its external address on the NAT from the content of the response body, places it in the UDP payload of the session protocol and tells the peer that the local Real-time Transport Protocol (RTP) receive address and port are the address and port outside the NAT. Because a NAT mapping entry for the media stream has been created on the NAT in advance through STUN, the media stream can traverse the NAT smoothly.
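The binding exchange just described, as an added example that is not part of the patent: a STUN server reflects the source address and port it observed back to the client in a MAPPED-ADDRESS attribute, and the client checks the transaction id before trusting the answer. The message layout uses the RFC 5389 header (magic cookie) with the classic MAPPED-ADDRESS attribute; the addresses are constructed, and the round trip is simulated in-process rather than over a socket.

```python
import os
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAGIC_COOKIE = 0x2112A442
ATTR_MAPPED_ADDRESS = 0x0001
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id=None):
    """STUN header: type(2) length(2) magic cookie(4) transaction id(12)."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def server_handle(request, observed_ip, observed_port):
    """STUN server side: echo the (post-NAT) source address it observed."""
    msg_type, length, cookie = struct.unpack("!HHI", request[:8])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE or len(request) != 20 + length:
        raise ValueError("not a STUN binding request")
    tid = request[8:20]
    addr = bytes(map(int, observed_ip.split(".")))
    value = struct.pack("!BBH", 0, FAMILY_IPV4, observed_port) + addr
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + tid + attr


def client_parse(response, expected_tid):
    """STUN client side: recover the external (ip, port) from the response."""
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN binding response")
    if response[8:20] != expected_tid:
        raise ValueError("transaction id mismatch")  # unsolicited or spoofed reply
    body = response[20:20 + length]
    while len(body) >= 4:
        atype, alen = struct.unpack("!HH", body[:4])
        value = body[4:4 + alen]
        if atype == ATTR_MAPPED_ADDRESS:
            _, family, port = struct.unpack("!BBH", value[:4])
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 handled here")
            return ".".join(str(b) for b in value[4:8]), port
        body = body[4 + ((alen + 3) & ~3):]  # attribute values are padded to 4 bytes
    raise ValueError("no MAPPED-ADDRESS in response")


def discover(observed_ip, observed_port):
    """One simulated round trip: the client learns the address the server saw.
    observed_ip/observed_port stand for the egress NAT's public address (constructed)."""
    tid = os.urandom(12)
    req = build_binding_request(tid)
    resp = server_handle(req, observed_ip, observed_port)
    return client_parse(resp, tid)
```

The transaction id check matters for the same reason it does in a real deployment: the client is about to advertise whatever address comes back as its media receive address, so it should only accept a response that answers the request it actually sent.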
The biggest advantage of STUN is that no change is needed to existing NAT/FW equipment. A large number of NAT/FW devices already exist in real networks and do not support Voice over IP (VoIP) applications; solving the problem with MIDCOM or NAT/ALG would require replacing the existing NAT/FW, which is not easy. STUN needs no change to the NAT/FW, which is its greatest strength, and it can also be used in network environments with several NATs in series.
According to the STUN principle, the STUN server must be placed in the public network and can be embedded in the public network softswitch (SoftX). Because a NAT mapping entry for the media stream is created on the NAT in advance through STUN, the media stream can traverse the NAT smoothly.
The limitation of STUN is that the application must support the STUN client function, i.e. the NGN network terminal needs STUN CLIENT functionality. STUN is also unsuitable for traversal of TCP connections and therefore does not support the H.323 application protocol. In addition, STUN does not support traversal of firewalls by NGN services, and it does not support traversal of symmetric NAT.
The TURN approach solves the NAT problem along similar lines to STUN: the private network user first learns, by some mechanism, the public network address that corresponds to its private address, and then writes that public address directly into the address information in the message payload. The difference is that the address obtained by STUN is an address on the egress NAT, whereas the address obtained by TURN is an address on the TURN server (TURN SERVER).
The TURN application model is shown in Fig. 1. The system consists of session service users 10 and 11, NAT/FW 20 and 21, SoftX 40 and 41, and TURN SERVER 60. The address and port allocated by the TURN server serve as the externally visible receive address and port of the TURN client (TURN CLIENT), i.e. all messages sent by the private user are relayed and forwarded through the TURN server. This is the biggest difference between STUN and TURN. Besides the advantages of the STUN approach, this model also overcomes STUN's inability to traverse symmetric NAT and firewall equipment: whatever type of NAT/FW sits at the egress of the enterprise or residential network, NAT traversal can be achieved, and TURN also supports applications based on the Transmission Control Protocol (TCP) such as H.323. In addition, because the TURN server controls the allocation of addresses and ports, it can allocate the Real-time Transport Protocol (RTP) / RTP Control Protocol (RTCP) address that the local client uses as its receive address such that the RTCP port number is the RTP port number plus one. This avoids the situation under the STUN model where the egress NAT allocates RTP/RTCP port numbers arbitrarily, so that the client cannot receive the RTCP messages sent by the peer.
The limitation of TURN is that the terminal must support TURN CLIENT, which places the same requirement on the network terminal as STUN. In addition, all messages must be forwarded through the TURN server, which increases packet delay and the chance of packet loss.
In the Full Proxy scheme, a proxy server is placed outside the NAT. Terminal users inside the private network treat the proxy server as the softswitch, and the proxy server, after signaling processing, forwards to the real softswitch; to the softswitch, the proxy server in turn looks like a user. When a terminal user in the private network is called, the softswitch first sends the call request for the called user to the proxy server, and the proxy server, after signaling processing, forwards it to the real called user. The proxy server also acts as proxy for media streams: both the caller's and the callee's media streams pass through the proxy server.
Its NAT traversal principle is as follows. When call signaling from a private network terminal arrives at the proxy, the proxy server parses the call signaling protocol, extracts and processes the RTP/RTCP information carried in the protocol, records the call signaling address and port together with the user's private network media stream RTP/RTCP address and port, rewrites the private call signaling address and the RTP/RTCP address information to the proxy server's own external public IP address, rewrites the call signaling port and media stream port to external ports allocated on the proxy server, and then sends the call signaling to the softswitch or to the peer. Call signaling and media streams between caller and callee can thus be relayed through the proxy server. The proxy server also uses a first-packet refresh mode to update the media stream session entry: after the terminal sends media, the media passes through the enterprise egress NAT and arrives at the proxy server, which learns from the first packet the address and port dynamically allocated on the egress NAT, updates the media stream session entry into a complete entry, and thereby completes the media forwarding function.
In practice the above schemes have the following problem: when a multimedia terminal's signaling receive port differs from its send port, signaling may fail to traverse the NAT or FW device; when the RTP or RTCP receive port differs from the send port, the media stream may fail to traverse the NAT or FW device. Differing RTP send and receive ports are especially common in video terminals.
The reason the prior art schemes above produce this problem is similar in each case. Taking STUN as an example: if the RTP send and receive ports of the STUN client differ, the NAT mapping entry created in advance on the NAT through STUN is the one for the media stream's RTP send port (P1); there is no NAT mapping entry (P2) for the RTP receive port. The peer therefore still sends the media stream to P1 on the NAT device, from where the NAT forwards it to the STUN client's RTP send port; but the STUN client does not process messages received on its send port, so the packets are dropped and the STUN client cannot hear the peer's speech or see its image.
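A constructed model of the failure just described (added example, not from the patent): an egress NAT with one mapping per private (ip, port), a terminal whose RTP send port P1 and receive port P2 differ, and, for contrast, the same terminal behind a proxy client that sends everything from a single tunnel port. The NAT behaviour, the addresses and the port numbers are all made up for illustration.

```python
class EgressNat:
    """Minimal NAT model: each private (ip, port) that sends outbound gets one public
    port, and an inbound packet is delivered only to a private endpoint that already
    has a mapping; anything else is dropped."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # private (ip, port) -> public port
        self.inbound = {}    # public port -> private (ip, port)

    def translate_out(self, private_src):
        """Outbound packet from private_src: create or reuse the mapping."""
        if private_src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[private_src] = port
            self.inbound[port] = private_src
        return self.public_ip, self.outbound[private_src]

    def translate_in(self, public_dst_port):
        """Inbound packet to a public port: the private endpoint, or None (dropped)."""
        return self.inbound.get(public_dst_port)


def stun_style_media_setup(nat, terminal_ip, rtp_send_port, rtp_recv_port):
    """The terminal runs STUN from the port it sends RTP from (P1), advertises the
    mapped address as its receive address, and the peer sends media there.
    Returns the private port that receives the peer's media, or None if it is lost."""
    _, mapped_port = nat.translate_out((terminal_ip, rtp_send_port))
    delivered = nat.translate_in(mapped_port)
    if delivered is None:
        return None
    _, port = delivered
    # Media arrives on P1; if the terminal listens on a different P2 it is dropped.
    return port if port == rtp_recv_port else None


def tunnel_style_media_setup(nat, proxy_client_ip, tunnel_port, rtp_recv_port):
    """Same terminal behind a proxy client: every packet leaves from the one tunnel
    port, so the only mapping is the tunnel's, and the proxy client hands the
    decapsulated media to the terminal's receive port whatever port it sends from."""
    _, mapped_port = nat.translate_out((proxy_client_ip, tunnel_port))
    if nat.translate_in(mapped_port) != (proxy_client_ip, tunnel_port):
        return None
    return rtp_recv_port
```

The model is endpoint-independent (one mapping per private source, reused for any peer), which is the friendliest NAT type for STUN; the asymmetric-port failure occurs even there because the mapping is keyed by the sending socket, not by the socket the terminal listens on.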
In addition, H.323, one of the IP voice signaling protocols and NGN signaling protocols, is rather special: one H.323 call involves three call signaling protocols, RAS, Q.931 and H.245, and three kinds of call signaling address. The Q.931 call signaling address depends on the result of the RAS message exchange, and the H.245 signaling address depends on the result of the Q.931 message exchange. This dynamic negotiation of signaling addresses also causes problems for NAT traversal.
STUN is unsuitable for traversal of TCP connections and therefore does not support the H.323 application protocol (protocols such as Q.931 in the H.323 protocol suite run over TCP connections). TURN does support TCP traversal, but because the Q.931 and H.245 addresses in a call are normally not exchanged through the TURN protocol, their mapped addresses outside the NAT cannot be obtained; so when the TURN client is the called party, the server cannot find the called party's Q.931 and H.245 signaling addresses and cannot establish the TCP connections for that signaling. If the Q.931 and H.245 signaling addresses were instead mapped on the NAT through the TURN protocol before the H.323 registration process, the client would have to initiate the TCP connection first and keep it alive so that the NAT entry does not age out, whether or not a real call exists; and in any case the H.245 signaling address is normally generated only during the Q.931 message exchange, so this is unreasonable.
For the H.323 application protocol, the proxy server in the Full Proxy technique cannot proactively learn the mapped address on the NAT of the Q.931 signaling address of an H.323 terminal inside the NAT, so it cannot solve the problem of completing the call when that terminal is called.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and system for multimedia service network address translation traversal, so that signaling and media streams whose sending and receiving ports differ can successfully traverse NAT/FW.
To achieve the above object, the invention provides a method for multimedia service network address translation traversal, comprising the following steps:
A. When the proxy client receives a service message from a packet user terminal, it encapsulates the service message in the payload of a tunnel message and sends the tunnel message, relayed through a network address translation server or firewall, to the proxy server;
B. The proxy server extracts the service message from the payload of the received tunnel message, parses the payload of the service message, modifies the address and port information in that payload, and sends the modified service message to the softswitch or to the peer packet user terminal;
C. When the proxy server receives a response message from the softswitch or from the peer packet user terminal, it parses the payload of the response message, modifies the address and port information in that payload, encapsulates the modified response message in the payload of a tunnel message, and sends the tunnel message, relayed through the network address translation server or firewall, to the proxy client;
D. The proxy client extracts the response message from the payload of the received tunnel message and forwards the response message to the packet user terminal.
Where the service message is a call signaling message, the step of modifying the address and port information in the payload in step B comprises the following sub-step:
recording the call signaling address and port in the payload, and modifying the call signaling address and port in the payload to the public network call signaling address and port that the proxy server has allocated to the call to which this call signaling message belongs;
and the step of modifying the address and port information in the payload in step C comprises the following sub-step:
modifying the response signaling address and port in the payload to the recorded call signaling address and port.
Where the service message is a media stream Real-time Transport Protocol (RTP) or RTP Control Protocol (RTCP) message,
the step of modifying the address and port information in the payload of the service message in step B comprises the following sub-step:
recording the media stream RTP or RTCP address and port, and modifying the media stream RTP or RTCP address and port in the payload to the public network address and port that the proxy server has allocated to the media stream to which this RTP or RTCP message belongs;
and the step of modifying the address and port information in the payload of the response message in step C comprises the following sub-step:
modifying the media stream RTP or RTCP address and port carried in the payload of the response message to the recorded media stream RTP or RTCP address and port.
The method also comprises the following steps:
the proxy server encrypts the payload of the tunnel message before sending the tunnel message to the proxy client;
when the proxy client receives the tunnel message from the proxy server, it decrypts the payload of the tunnel message;
the proxy client encrypts the payload of the tunnel message before sending the tunnel message to the proxy server;
when the proxy server receives the tunnel message from the proxy client, it decrypts the payload of the tunnel message.
The method also comprises the following step:
the proxy server and the proxy client authenticate each other when establishing the tunnel connection.
The present invention also provides a system for multimedia service network address translation traversal, comprising a packet user terminal, a proxy client, a network address translation server or firewall, a proxy server and a softswitch;
the packet user terminal is located in the private network and is used to initiate service messages and receive response messages;
the proxy client is located in the private network and is used to encapsulate service messages from the packet user terminal in the payload of tunnel messages, send those tunnel messages to the proxy server, extract response messages from the payload of tunnel messages received from the proxy server, and send those response messages to the packet user terminal;
the network address translation server or firewall is used to provide the packet user terminal with access to the public network and to relay tunnel messages between the proxy client and the proxy server;
the proxy server is located in the public network and is used to extract service messages from tunnel messages received from the proxy client, parse the payload of each service message, modify the address and port information in that payload, send the modified service message to the softswitch or to the peer packet user terminal, parse the payload of response messages from the softswitch or from the peer packet user terminal, modify the address and port information in that payload, encapsulate the modified response message in the payload of a tunnel message, and send that tunnel message to the proxy client;
the softswitch is used to provide integrated services and call control, and when it receives a message responding to the packet user terminal, it forwards that message to the proxy server.
The tunnel between the proxy server and the proxy client is based on the User Datagram Protocol or the Transmission Control Protocol.
The tunnel between the proxy server and the proxy client communicates using Generic Routing Encapsulation or the Internet Protocol Security protocol.
There may be several network address translation servers or firewalls in series.
By comparison it can be seen that the technical solution of the present invention differs from the prior art in that a proxy client and a proxy server are placed inside and outside the NAT/FW respectively; the proxy client allocates a different UDP or TCP port to each packet user terminal in the private network and thereby establishes a separate tunnel with the proxy server. A message sent by a packet user terminal to the public network is first encapsulated as a tunnel message at the proxy client, sent to the proxy server through the NAT/FW, and there decapsulated into the original message and forwarded. Similarly, a message returning from the public network to the packet user terminal is first encapsulated as a tunnel message at the proxy server, sent to the proxy client through the NAT/FW, and there decapsulated into the original message and forwarded to the corresponding packet user terminal.
This difference in technical solution brings considerable benefits: it completely solves the problem that media streams cannot traverse NAT/FW because the RTP send and receive ports of the packet user terminal differ, it can traverse several NAT/FW in series, and it also thoroughly solves the NAT/FW traversal problem of protocols such as H.323 that negotiate call signaling ports dynamically. This is because signaling and media stream messages with differing send and receive ports are encapsulated at the proxy client or proxy server into tunnel messages using the same port number, and so pass through the NAT/FW smoothly. On the private network side the proxy client can communicate with packet user terminals in the same private network on any port, and on the public network side the proxy server can send or receive on any port the messages that need to be exchanged with packet user terminals in the private network.
The solution does not require packet user terminals to be modified or NAT/FW equipment in the network to be upgraded; it protects existing investment and is particularly suitable for telecom operators who do not own the packet user terminals or the NAT/FW equipment.
In addition, the security of transmitted information can be improved by encrypting the tunnel messages.
Description of drawings
Fig. 1 is a system structure diagram of the TURN mode;
Fig. 2 is a system structure diagram of multimedia service NAT traversal according to an embodiment of the invention;
Fig. 3 is a flow chart of a method of call signaling NAT traversal according to an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
The system structure of the Full Proxy mode according to an embodiment of the invention is now described with reference to Fig. 2.
To highlight the invention, only the parts that are substantially related to it are marked in the figure. As shown in Fig. 2, the system consists of packet user terminals 10 and 11, NAT/FW 20 and 21, proxy server 30, and softswitches (SoftX) 40 and 41. Packet user terminals 10 and 11 are connected to proxy server 30 through NAT/FW 20 and 21 respectively; proxy server 30 is connected to SoftX 40 and 41. In the figure, solid lines are media streams and dotted lines are signaling flows.
Packet user terminals 10 and 11 are terminal users communicating with audio/video protocols such as H.323, the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP) and H.248. They are the initiators and recipients of services and are located in the private network.
NAT/FW 20 and 21 are devices implementing the NAT function and the firewall function, normally deployed where the private network connects to the public network. On the one hand they prevent packets from entering the network without restriction and protect hosts inside the private network from outside attack; on the other hand, through network address and port translation, they hide private network IP addresses so that many terminals in the private network can share a small number of public IP addresses. As described in the prior art, NAT/FW 20 and 21 generally do not allow audio and video to pass through.
Proxy server 30 is in the public network. Together with proxy clients 50 and 51 in the private network it builds the tunnels that penetrate NAT/FW 20 and 21, and it performs the Full Proxy conversion on the original messages sent from or to the packet user terminals. The tunnel here means a UDP or TCP channel. The tunnel between proxy server 30 and proxy clients 50 and 51 is transparent to the service messages transmitted through it.
SoftX 40 and 41 are softswitches; as the key component of the NGN network control layer, they provide integrated services and call control.
Proxy clients 50 and 51 are in the private network and allocate a different UDP or TCP port to each packet user terminal in their private network (such as packet user terminals 10 and 11), thereby establishing separate tunnels with proxy server 30.
When proxy client 50 or 51 receives a message that needs to be transmitted to the public network, it constructs a new tunnel message, places the message to be transmitted in the payload of the tunnel message, adds the IP header and the UDP/TCP information of the tunnel, and then forwards the tunnel message to proxy server 30. After receiving the tunnel message, proxy server 30 records the tunnel information (IP header, UDP/TCP information), extracts the original message from the payload of the tunnel message, parses the payload of the original message, records the call signaling send/receive address and the media RTP/RTCP send/receive address found in that payload, then modifies the call signaling send/receive address to the public network call signaling address that proxy server 30 has allocated to this call, and modifies the RTP/RTCP send/receive address to the public network address that proxy server 30 has allocated to this media stream. It then sends the message to SoftX 40 or 41 or to the peer packet user terminal.
When proxy server 30 receives a response message from SoftX 40 or 41 or from the peer packet user terminal, it first parses the payload, modifies the call signaling send/receive address in the payload to the recorded call signaling send/receive address, and modifies the media RTP/RTCP send/receive address in the payload to the recorded RTP/RTCP send/receive address; it then places the modified message in the payload of a newly built tunnel message, adds the previously recorded tunnel IP header and UDP/TCP information, and sends it to proxy client 50 or 51. Proxy client 50 or 51 extracts the response message from the payload of the received tunnel message and sends it to the corresponding packet user terminal.
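The claimed steps A to D and the Fig. 2 embodiment above, as an added in-process simulation that is not the patent's own code: a proxy client that allocates one tunnel port per terminal and encapsulates messages, and a proxy server that extracts the message, records the private signaling and media addresses, rewrites them to addresses it allocates on its public IP, and reverses the rewrite on the response before tunnelling it back. The SIP/SDP-style sample messages, the addresses, the port ranges, and the HMAC tag standing in for the patent's tunnel encryption and mutual authentication are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample service message: a SIP-style INVITE with an SDP body from a
# terminal in the private network. It advertises a signaling address (Contact) and
# an RTP receive port (40002) that is not the port it will send RTP from.
SAMPLE_INVITE = (
    "INVITE sip:bob@softswitch.example SIP/2.0\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 40002 RTP/AVP 0\r\n"
)
# Constructed reply from the softswitch, addressed to the proxy server's allocated ports.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "To: <sip:alice@203.0.113.9:20000>\r\n"
    "\r\n"
    "c=IN IP4 203.0.113.9\r\n"
    "m=audio 20002 RTP/AVP 0\r\n"
)

HOST_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # first host:port = signaling address
SDP_C = re.compile(r"^c=IN IP4 (\S+)", re.M)                # media IP
SDP_M = re.compile(r"^m=(\w+) (\d+) ", re.M)                # media port
TUNNEL_KEY = b"constructed shared secret"  # stand-in for the tunnel's authentication/encryption key


def seal(payload):
    """Tunnel payload = HMAC-SHA256 tag || service message (integrity stand-in)."""
    return hmac.new(TUNNEL_KEY, payload, hashlib.sha256).digest() + payload


def unseal(blob):
    tag, payload = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(TUNNEL_KEY, payload, hashlib.sha256).digest()):
        raise ValueError("tunnel message failed authentication")
    return payload


def _swap_media(text, from_addr, to_addr):
    """Rewrite c=/m= lines only when they carry from_addr; other addresses are untouched."""
    ip_from, port_from = from_addr
    ip_to, port_to = to_addr
    text = SDP_C.sub(lambda mm: "c=IN IP4 %s" % ip_to if mm.group(1) == ip_from else mm.group(0), text)
    return SDP_M.sub(lambda mm: "m=%s %d " % (mm.group(1), port_to)
                     if int(mm.group(2)) == port_from else mm.group(0), text)


class ProxyClient:
    """Inside the NAT/FW: one tunnel port per packet user terminal (steps A and D)."""

    def __init__(self, first_port=30000):
        self.next_port = first_port
        self.port_of, self.terminal_of = {}, {}

    def encapsulate(self, terminal, service_msg):
        port = self.port_of.get(terminal)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.port_of[terminal], self.terminal_of[port] = port, terminal
        return port, seal(service_msg.encode())  # (tunnel source port, tunnel payload)

    def decapsulate(self, tunnel_port, blob):
        return self.terminal_of[tunnel_port], unseal(blob).decode()


class ProxyServer:
    """Outside the NAT/FW: rewrites payload addresses and remembers the originals (steps B and C)."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip, self.next_port, self.sessions = public_ip, first_port, {}

    def _alloc(self):
        port, self.next_port = self.next_port, self.next_port + 2  # keep port+1 free for RTCP
        return port

    def from_tunnel(self, tunnel_key, blob):
        msg = unseal(blob).decode()
        sig, c, m = HOST_PORT.search(msg), SDP_C.search(msg), SDP_M.search(msg)
        if not (sig and c and m):
            raise ValueError("service message lacks signaling or media address")
        rec = {"sig": (sig.group(1), int(sig.group(2))), "media": (c.group(1), int(m.group(2))),
               "pub_sig": (self.public_ip, self._alloc()), "pub_media": (self.public_ip, self._alloc())}
        self.sessions[tunnel_key] = rec  # recorded private addresses, keyed by the tunnel
        out = msg.replace("%s:%d" % rec["sig"], "%s:%d" % rec["pub_sig"])
        return _swap_media(out, rec["media"], rec["pub_media"])  # to softswitch or peer

    def to_tunnel(self, tunnel_key, response_msg):
        rec = self.sessions[tunnel_key]
        back = response_msg.replace("%s:%d" % rec["pub_sig"], "%s:%d" % rec["sig"])
        return seal(_swap_media(back, rec["pub_media"], rec["media"]).encode())


def demo():
    """Full round trip. The tunnel key is the source address the proxy server sees after
    NAT (constructed); it is the same in both directions because the tunnel uses one port."""
    client, server = ProxyClient(), ProxyServer("203.0.113.9")
    tunnel_key = ("198.51.100.7", 41000)
    port, blob = client.encapsulate("terminal-10", SAMPLE_INVITE)  # step A
    outbound = server.from_tunnel(tunnel_key, blob)                # step B
    blob_back = server.to_tunnel(tunnel_key, SAMPLE_RESPONSE)      # step C
    terminal, inbound = client.decapsulate(port, blob_back)        # step D
    return outbound, terminal, inbound
```

`to_tunnel` only rewrites addresses the proxy server itself allocated, so a peer's own media address in an answer passes through unchanged; and because every terminal's traffic is keyed by its tunnel, the proxy server never needs the terminal's private send port, which is exactly the information the STUN-style schemes get wrong.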
Because the transmitting-receiving port of agent client 50,51 can be in full accord, therefore can solve the problem that inconsistent signaling that causes of sending and receiving port and Media Stream can't passing through NAT/FW effectively.Because the tunnel is transparent to the message that will transmit, therefore also can support well for signaling protocol H.323.
In addition, in order to prevent the aging of tunnel mapping address on the NAT/FW20,21, need between acting server 30 and agent client 50,51, increase a kind of simple heartbeat message, for example can regularly send a sleazy empty message to acting server 30 from agent client 50,51.
The call-signaling NAT traversal method according to an embodiment of the invention is described in detail below with reference to Fig. 3.
In step 110, packet user terminal 10 sends a call-signaling message to proxy client 50. The source IP address of this message is the IP address/port of packet user terminal 10, and its destination address is the IP address/well-known port of proxy server 30. A well-known port is a port that has become an industry standard, or is customarily associated with a particular application; for example, port 21 is the well-known port of the File Transfer Protocol (FTP). The UDP/TCP header of this message is the UDP/TCP header of the original call-signaling message, and its UDP/TCP payload is the original call-signaling message content.
Step 120 follows: when proxy client 50 receives the call-signaling message from packet user terminal 10, it constructs a new tunnel message, uses the message to be forwarded as the tunnel message's payload, adds the tunnel's IP header and UDP/TCP information, and forwards the tunnel message to NAT/FW 20. The source IP address of this message is the IP address/port of proxy client 50, and its destination address is the IP address/well-known port of proxy server 30. Its UDP/TCP header is the tunnel UDP/TCP header. Its UDP/TCP payload is the call-signaling message or some variation of it, for example with proprietary protocol fields added at the beginning of the call-signaling message, or with the message encrypted.
Step 130 follows: NAT/FW 20 performs conventional NAT address translation on the received tunnel message. It allocates a public-network address/port to the tunnel message, replaces the message's private-network source address/port with it, records the correspondence between the allocated public address/port and the replaced private address/port, and finally sends the tunnel message to proxy server 30. The source IP address of this message is the IP address/port that NAT/FW 20 has mapped for the tunnel address of proxy client 50, and its destination address is the IP address/well-known port of proxy server 30. Its UDP/TCP header is the tunnel UDP/TCP header. Its UDP/TCP payload is the call-signaling message or some variation of it. Those skilled in the art will appreciate that, until the address mapping in NAT/FW 20 expires, whenever NAT/FW 20 receives a message from the public network addressed to the allocated public address/port, it translates the message's public address/port into the recorded private address/port and forwards the message to the corresponding packet user terminal in the private network.
Step 140 follows: on receiving the tunnel message, proxy server 30 records the tunnel information (IP header and UDP/TCP information), extracts the original call-signaling message from the tunnel payload, and parses its payload. It records the call-signaling send/receive address and the media RTP/RTCP send/receive address from the payload, then rewrites the call-signaling send/receive address to the public-network call-signaling address allocated to this call. The message is then sent to SoftX 40. The source IP address of this message is the public-network call-signaling address that proxy server 30 has allocated to this call, and its destination address is the IP address/well-known port of SoftX 40. Its UDP/TCP header is the UDP/TCP header of the communication protocol between the proxy server and the softswitch. Its UDP/TCP payload is the original call-signaling message content after the address translation described above.
Step 150 follows: SoftX 40 returns a response signaling message to proxy server 30. The source IP address of this message is the IP address/port of SoftX 40, and its destination address is the public-network call-signaling address that proxy server 30 allocated to this call. Its UDP/TCP header is the UDP/TCP header of the communication protocol between the softswitch and the proxy server. Its UDP/TCP payload is the signaling message content with which SoftX 40 responds. Those skilled in the art will appreciate that proxy server 30 can also send the call-signaling message directly to the peer packet user terminal and obtain the response signaling message from that peer terminal; this does not affect the spirit and scope of the invention.
Step 160 follows: when proxy server 30 receives the signaling message with which SoftX 40 responds, it first parses the message's payload: the call-signaling send/receive address in the message is restored to the original call-signaling address, and the media RTP/RTCP send/receive address is restored to the recorded RTP/RTCP address. The modified message is then placed in the payload of a newly built tunnel message, the previously recorded tunnel IP header and UDP/TCP information are added, and the result is sent to NAT/FW 20. The source IP address of this message is the IP address/well-known port of proxy server 30, and its destination address is the IP address/port that NAT/FW 20 mapped for the tunnel address of proxy client 50. Its UDP/TCP header is the tunnel UDP/TCP header. Its UDP/TCP payload is the response signaling message after the address translation described above, or some variation of it, for example with proprietary protocol fields added at the beginning of the message, or with the message encrypted.
Step 170 follows: NAT/FW 20 performs conventional NAT address translation on the received tunnel message. According to its address mapping table, it translates the tunnel message's destination address from the public address/port to the recorded private address/port of proxy client 50, and forwards the message to proxy client 50 in the private network. The source IP address of this message is the IP address/well-known port of proxy server 30, and its destination address is the IP address/tunnel port of proxy client 50. Its UDP/TCP header is the tunnel UDP/TCP header. Its UDP/TCP payload is the response signaling message after address translation, or some variation of it.
Step 180 follows: proxy client 50 extracts the response signaling message from the payload of the received tunnel message and sends it to packet user terminal 10. The source IP address of this message is the IP address/well-known port of proxy server 30, and its destination address is the IP address/port of packet user terminal 10. Its UDP/TCP header is the UDP/TCP header with which proxy client 50 forwards messages to packet user terminal 10. Its UDP/TCP payload is the response signaling message content after address translation.
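As an added illustration, not code from the patent, the following Python model walks one call-signaling message through steps 110 to 180 (encapsulation, NAT binding, address rewriting at the proxy server, restoration on the response) and also shows the empty heartbeat message described earlier refreshing the NAT binding before it ages out. The tunnel header format, the SIP/SDP-like payload, the address pools, the binding lifetime and the softswitch stub that merely echoes the addresses it received are all constructed assumptions.

```python
import re
import socket
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")  # src/dst are (ip, port) pairs
# Hypothetical tunnel header: the terminal's private IPv4 and port, so the proxy
# client can hand the response back to the right terminal (step 180).
TUN_HDR = struct.Struct("!4sH")
SIG_RE = re.compile(rb"Contact: <sip:(\d+\.\d+\.\d+\.\d+):(\d+)>")
MEDIA_RE = re.compile(rb"c=IN IP4 (\d+\.\d+\.\d+\.\d+)\r\nm=audio (\d+) RTP/AVP")
TERMINAL, SOFTX = ("10.0.0.5", 5060), ("203.0.113.20", 5060)  # constructed hosts
INVITE = (b"INVITE sip:bob@203.0.113.20 SIP/2.0\r\nContact: <sip:10.0.0.5:5060>\r\n"
          b"\r\nc=IN IP4 10.0.0.5\r\nm=audio 8000 RTP/AVP 0\r\n")  # constructed

def addr_of(rx, payload):  # (ip, port) from the Contact header or the SDP c=/m= lines
    m = rx.search(payload)
    return (m[1].decode(), int(m[2]))

def set_sig(payload, a):
    return SIG_RE.sub(b"Contact: <sip:%s:%d>" % (a[0].encode(), a[1]), payload)

def set_media(payload, a):
    return MEDIA_RE.sub(b"c=IN IP4 %s\r\nm=audio %d RTP/AVP" % (a[0].encode(), a[1]), payload)

class ProxyClient:
    """Proxy client 50: a distinct tunnel port per terminal, payload left untouched."""
    def __init__(self, ip, server):
        self.ip, self.server, self.tunnels = ip, server, {}

    def encapsulate(self, pkt):  # step 120
        port = self.tunnels.setdefault(pkt.src, 40000 + len(self.tunnels))
        hdr = TUN_HDR.pack(socket.inet_aton(pkt.src[0]), pkt.src[1])
        return Packet((self.ip, port), self.server, hdr + pkt.payload)

    def decapsulate(self, pkt):  # step 180
        ipb, port = TUN_HDR.unpack_from(pkt.payload)
        return Packet(self.server, (socket.inet_ntoa(ipb), port), pkt.payload[TUN_HDR.size:])

class Nat:
    """NAT/FW 20: one public port per private (ip, port); the binding ages out."""
    def __init__(self, public_ip, ttl=30):
        self.public_ip, self.ttl, self.out, self.back = public_ip, ttl, {}, {}

    def outbound(self, pkt, now):  # step 130; every outbound packet refreshes the timer
        pub = self.out.setdefault(pkt.src, 20000 + len(self.out))
        self.back[pub] = (pkt.src, now)
        return Packet((self.public_ip, pub), pkt.dst, pkt.payload)

    def inbound(self, pkt, now):  # step 170
        entry = self.back.get(pkt.dst[1])
        if entry is None or now - entry[1] > self.ttl:
            return None  # no live binding for this public port: packet dropped
        return Packet(pkt.src, entry[0], pkt.payload)

class ProxyServer:
    """Proxy server 30: rewrites signaling and media addresses, keeps per-call state."""
    def __init__(self, ip, port, softx):
        self.addr, self.softx, self.next_port, self.calls = (ip, port), softx, 30000, {}

    def from_client(self, pkt):  # step 140
        hdr, inner = pkt.payload[:TUN_HDR.size], pkt.payload[TUN_HDR.size:]
        if not inner:
            return None  # empty heartbeat: nothing to forward, NAT binding refreshed
        pub_sig = (self.addr[0], self.next_port)  # public call-signaling address
        pub_media = (self.addr[0], self.next_port + 2)  # public RTP address (RTCP = +1)
        self.next_port += 4
        self.calls[pub_sig] = dict(tunnel=pkt.src, hdr=hdr, sig=addr_of(SIG_RE, inner),
                                   media=addr_of(MEDIA_RE, inner))
        return Packet(pub_sig, self.softx, set_media(set_sig(inner, pub_sig), pub_media))

    def from_softx(self, pkt):  # step 160: the response arrives on the allocated port
        rec = self.calls[pkt.dst]
        inner = set_media(set_sig(pkt.payload, rec["sig"]), rec["media"])
        return Packet(self.addr, rec["tunnel"], rec["hdr"] + inner)

def softx_reply(pkt):  # stub SoftX 40 (step 150): 200 OK echoing the addresses given
    return Packet(SOFTX, pkt.src, b"SIP/2.0 200 OK\r\n" + pkt.payload.split(b"\r\n", 1)[1])

def run_call(now=0):  # drive steps 110-180 once and return the network plus both results
    server = ProxyServer("203.0.113.10", 5060, SOFTX)
    client = ProxyClient("10.0.0.2", server.addr)
    nat = Nat("198.51.100.1")
    p = nat.outbound(client.encapsulate(Packet(TERMINAL, server.addr, INVITE)), now)
    to_softx = server.from_client(p)  # what the softswitch actually sees
    back = nat.inbound(server.from_softx(softx_reply(to_softx)), now)
    delivered = client.decapsulate(back)  # what terminal 10 receives
    return client, nat, server, to_softx, delivered
```

The softswitch only ever sees the proxy server's public addresses, and the terminal gets its own private addresses back; an inbound tunnel packet that arrives after the binding's lifetime is dropped unless a heartbeat has refreshed it.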
Those skilled in the art will appreciate that the processing flow for media-stream RTP/RTCP messages, and the handling of H.323 call procedures, is similar to the call-signaling processing described above.
The tunnel protocol between proxy server 30 and proxy client 50 can be the simple scheme described above or a self-defined proprietary protocol; it can also be a standard protocol such as Generic Routing Encapsulation (GRE) or Internet Protocol Security (IPSec). To secure the information, the messages can also be encrypted, for example according to the Data Encryption Standard (DES) or Triple DES (3DES); both control signaling and media streams can be encrypted. To prevent illegitimate proxy clients from connecting, the proxy client and the proxy server can authenticate each other and encrypt data when the tunnel connection is set up; the authentication method can be MD5, SHA-1 or similar.
In addition, if the enterprise router/NAT/FW/BAS equipment all support GRE, IPSec or another tunnel protocol, the proxy client can be omitted and a tunnel scheme similar to the one above can be realized directly with a GRE or IPSec tunnel between this equipment and the proxy server, solving the problem caused by inconsistent sending and receiving ports described above. However, router/NAT/FW/BAS equipment does not necessarily support tunnel protocols such as GRE or IPSec, and the network planning is comparatively troublesome, so this is an alternative technical solution and is not recommended.
Although the invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes may be made in form and detail without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (9)

1. A method for multimedia service network address translation traversal, characterized by comprising the following steps:
A. when a proxy client receives a service message from a packet user terminal, it encapsulates the service message in the payload of a tunnel message and sends the tunnel message, via a network address translation server or firewall, to a proxy server;
B. the proxy server extracts the service message from the payload of the received tunnel message, parses the payload of the service message, modifies the address and port information in that payload, and sends the modified service message to a softswitch or a peer packet user terminal;
C. when the proxy server receives a response message from the softswitch or peer packet user terminal, it parses the payload of the response message, modifies the address and port information in that payload, encapsulates the modified response message in the payload of a tunnel message, and sends the tunnel message, via the network address translation server or firewall, to the proxy client;
D. the proxy client extracts the response message from the payload of the received tunnel message and forwards the response message to the packet user terminal.
2. The method for multimedia service network address translation traversal according to claim 1, characterized in that the service message is a call-signaling message;
the step of modifying the address and port information in the payload of the service message in step B comprises the following sub-step:
recording the call-signaling address and port in the payload, and modifying the call-signaling address and port in the payload to the public-network call-signaling address and port that the proxy server allocated to the call requested by the call-signaling message;
the step of modifying the address and port information in the payload of the response message in step C comprises the following sub-step:
modifying the response signaling address and port in the payload of the response message to the recorded call-signaling address and port.
3. The method for multimedia service network address translation traversal according to claim 1, characterized in that the service message is a media-stream Real-time Transport Protocol or Real-time Transport Control Protocol message;
the step of modifying the address and port information in the payload of the service message in step B comprises the following sub-step:
recording the media-stream Real-time Transport Protocol or Real-time Transport Control Protocol address and port, and modifying the media-stream Real-time Transport Protocol or Real-time Transport Control Protocol address and port in the payload to the public-network address and port that the proxy server allocated to the media stream corresponding to that Real-time Transport Protocol or Real-time Transport Control Protocol message;
the step of modifying the address and port information in the payload of the response message in step C comprises the following sub-step:
modifying the media-stream Real-time Transport Protocol or Real-time Transport Control Protocol address and port carried in the payload of the response message to the recorded media-stream Real-time Transport Protocol or Real-time Transport Control Protocol address and port.
4. The method for multimedia service network address translation traversal according to claim 2 or 3, characterized by further comprising the following steps:
the proxy server encrypts the payload of the tunnel message before sending the tunnel message to the proxy client;
when the proxy client receives the tunnel message from the proxy server, it decrypts the payload of the tunnel message;
the proxy client encrypts the payload of the tunnel message before sending the tunnel message to the proxy server;
when the proxy server receives the tunnel message from the proxy client, it decrypts the payload of the tunnel message.
5. The method for multimedia service network address translation traversal according to claim 2 or 3, characterized by further comprising the following step:
the proxy server and the proxy client authenticate each other when the tunnel connection is set up.
6. A system for multimedia service network address translation traversal, characterized by comprising a packet user terminal, a proxy client, a network address translation server or firewall, a proxy server and a softswitch;
the packet user terminal is located in a private network and is configured to initiate service messages and receive response messages;
the proxy client is located in the private network and is configured to encapsulate service messages from the packet user terminal in the payload of tunnel messages, send those tunnel messages to the proxy server, extract response messages from the payload of tunnel messages received from the proxy server, and send those response messages to the packet user terminal;
the network address translation server or firewall is configured to provide the packet user terminal with access to the public network and to forward tunnel messages between the proxy client and the proxy server;
the proxy server is located in the public network and is configured to extract service messages from tunnel messages received from the proxy client, parse the payload of each service message, modify the address and port information in that payload, send the modified service message to the softswitch or a peer packet user terminal, parse the payload of response messages from the softswitch or peer packet user terminal, modify the address and port information in that payload, encapsulate the modified response message in the payload of a tunnel message, and send the tunnel message carrying the modified response message to the proxy client;
the softswitch is configured to provide integrated services and call control and, on receiving a message responding to the packet user terminal, to forward that response message to the proxy server.
7. The system for multimedia service network address translation traversal according to claim 6, characterized in that the tunnel between the proxy server and the proxy client is based on the User Datagram Protocol or the Transmission Control Protocol.
8. The system for multimedia service network address translation traversal according to claim 6, characterized in that the tunnel between the proxy server and the proxy client communicates using the Generic Routing Encapsulation protocol or the Internet Protocol Security protocol.
9. The system for multimedia service network address translation traversal according to claim 6, characterized in that the network address translation servers or firewalls are multiple devices connected in series.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101210780A CN100440850C (en) 2003-12-24 2003-12-24 Method of multimedia service NAT traversing and system thereof

Publications (2)

Publication Number Publication Date
CN1633100A CN1633100A (en) 2005-06-29
CN100440850C true CN100440850C (en) 2008-12-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081203

Termination date: 20151224

EXPY Termination of patent right or utility model