CN1604589A - Firewall implementation method supporting SIP traversal - Google Patents

Firewall implementation method supporting SIP traversal

Info

Publication number
CN1604589A
Authority
CN
China
Prior art keywords
sip
message
firewall
alg
Legal status
Pending
Application number
CN 200410067564
Other languages
Chinese (zh)
Inventor
焦圣品
夏心杰
陈凯
Current Assignee
WUXI SIMTON TECHNOLOGY Co Ltd
Original Assignee
WUXI SIMTON TECHNOLOGY Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A firewall implementation method supporting traversal by the Session Initiation Protocol (SIP), in the field of network security technology. The firewall parses the IP packets entering the system: after a packet arrives through a network interface, the firewall examines the IP header and decides whether the payload is a SIP signalling message or a voice packet. SIP messages are handed to a SIP ALG (Application Layer Gateway), which parses the SIP header to determine which call the message belongs to. The SIP ALG keeps a call-connection state table that tracks the state of every call and, from the information in that table, rewrites the SIP header and/or the SDP body. The firewall then either forwards the SIP message passed back down by the SIP ALG, or executes the command issued by the SIP ALG and returns the result to it. According to that result, the SIP ALG creates or updates the call table entry and sends the SIP message to the firewall, or cleans up the call table.

Description

Firewall implementation method supporting Session Initiation Protocol traversal
Technical field
The present invention relates to a method of implementing a firewall, and specifically to a firewall implementation method that supports traversal by the Session Initiation Protocol (SIP). It belongs to the field of network security technology.
Background art
To address both network security and IP address exhaustion, many enterprise and institutional networks use the private addresses defined in RFC 1918 and reach the public network through a firewall with NAT (Network Address Translation). Unless stated otherwise, "firewall" below means a firewall with NAT.
An ordinary firewall has no knowledge of application-layer protocols and cannot parse or modify the packet payload. For applications that use fixed TCP/UDP ports, such as HTTP, the firewall only has to rewrite the address and port fields of the IP/TCP/UDP headers for the traffic to pass. VoIP (Voice over IP) applications based on the Session Initiation Protocol (SIP) or on H.323/H.248/MGCP, however, have difficulty traversing the firewall.
In VoIP communication using SIP, the signalling uses a fixed TCP/UDP port to set up the call, but the address and port used by the media stream are negotiated dynamically. During call setup, SIP embeds the IP address and signalling port in the SIP message header, and the SDP (Session Description Protocol) body embeds the IP address and the port that the media stream will use. Once the call is established, the SIP UAs (User Agents) send and receive the media stream on the dynamically negotiated {address, port} pair.
Because an ordinary firewall can only rewrite the address and port of the IP/TCP/UDP headers and cannot modify application-layer data, when UA A behind the firewall sets up a call to B on the Internet, the private address and port that A embeds in the SIP header and body are delivered to B unchanged. When B sends its voice stream it sets the destination address and port to A's private address and A's media receive port. A private address is not routable on the public network, so Internet routers discard the voice packets B sends to A. Outwardly A has a call established with B, but A never receives B's voice. For telephones using private IP addresses, address translation therefore makes an ordinary firewall an obstacle to SIP-based VoIP communication.
A search of the prior art finds Chinese patent publication CN1440172A, "Method for dynamically switching firewall packet filtering for H.323 protocol communication channels", which proposes a firewall implementation method; but that method supports only H.323, and because it works at the data link and network layers it is difficult to extend to protocols such as SIP.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a firewall implementation method that supports SIP traversal, is easy to implement, and can readily be extended so that the firewall also supports traversal by other application-layer protocols such as H.323.
The invention is realised by the following technical solution, which comprises the steps:
Step (1): the firewall parses the IP packets entering the system.
After an IP packet enters the system through a network interface, the firewall examines the source address, destination address and UDP or TCP port numbers of the IP header against the configured address-translation and filtering rules and decides whether the payload is a SIP signalling message or a voice packet.
Step ①: if the payload is SIP signalling, the firewall first sends the SIP message to the SIP ALG (Application Layer Gateway) for processing.
Step ②: if the payload is not a SIP message but data of another type, for example voice carried in RTP/RTCP, the firewall either drops the packet or rewrites the source or destination address of the IP header and sends the packet out through the transmit interface.
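Step (1) written out as a small packet classifier, added here as an example; it is not code from the patent. It unpacks the IPv4 and UDP headers and nothing else, treats traffic on the SIP port as signalling to hand up to the ALG, translates other UDP packets through a dynamic PNAT table (public port to inside address and port) in either direction, and drops everything else, including truncated packets. The SIP port, the inside subnet 192.168.122.0/24 and the public address 2.2.2.2 are assumptions taken from the example network of Fig. 3; the PNAT entries and the packets are constructed for the demonstration.

```python
"""Step (1) of CN1604589A as an added example (not the patent's code): the
network-layer firewall classifies an incoming IPv4/UDP packet using only the
IP and UDP headers. Packets on the configured SIP port go to the ALG; other UDP
payloads are either translated through the dynamic PNAT table or dropped.
The SIP port, the inside subnet, the public address and the PNAT entries used
by callers are assumptions; test packets are constructed in-line."""
import ipaddress
import struct

SIP_PORT = 5060                                     # assumed: port SIP listens on
INSIDE = ipaddress.ip_network("192.168.122.0/24")   # assumed inside subnet (Fig. 3)
PUBLIC_IP = "2.2.2.2"                               # firewall outside address (Fig. 3)
IPV4 = "!BBHHHBBH4s4s"                              # 20-byte IPv4 header, no options
UDP = "!HHHH"                                       # 8-byte UDP header

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed test packet; checksums left zero since classify() ignores them."""
    udp = struct.pack(UDP, sport, dport, 8 + len(payload), 0) + payload
    return struct.pack(IPV4, 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + udp

def classify(packet, pnat):
    """Decide what the firewall does with one packet, as in step (1).
    pnat maps a public UDP port to the (inside ip, inside port) the ALG opened.
    Returns ("sip", info), ("media", (ip, port) to rewrite to) or ("drop", reason)."""
    if len(packet) < 20:
        return "drop", "short"
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 17 or ihl < 20 or len(packet) < ihl + 8 or total_len > len(packet):
        return "drop", "not IPv4/UDP or truncated"
    sport, dport, ulen, _ = struct.unpack(UDP, packet[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > len(packet):
        return "drop", "bad UDP length"
    src_ip = str(ipaddress.ip_address(src))
    from_inside = ipaddress.ip_address(src) in INSIDE
    if SIP_PORT in (sport, dport):                   # step (1)1: signalling goes up to the ALG
        return "sip", {"from_inside": from_inside, "payload": packet[ihl + 8:ihl + ulen]}
    if from_inside:                                  # step (1)2, outbound media: rewrite source
        for pub, inner in pnat.items():
            if inner == (src_ip, sport):
                return "media", (PUBLIC_IP, pub)
    elif dport in pnat:                              # step (1)2, inbound media: rewrite destination
        return "media", pnat[dport]
    return "drop", "no pinhole for this flow"
```

The length checks matter in practice: a classifier that trusts the IP total length or the UDP length field without comparing it to the bytes actually received can be made to read past the buffer, which is a classic firewall parser defect, so every length is bounded by `len(packet)` before any slice is taken.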
Step (2): the SIP ALG processes the SIP message.
When the SIP ALG receives a SIP signalling message passed up by the firewall, it determines which call the message belongs to by examining the request or response line and fields such as Call-ID in the SIP header, and then proceeds to step ①, ②, ③ or ④ according to the message type.
The SIP ALG uses a call-connection state table to track the state of every call. Each entry describes the state of one call and records the caller and callee IP addresses, the Call-ID, the caller's and callee's RTP/RTCP port numbers, and the RTP/RTCP port numbers the firewall has allocated to the inside UA. From this information the SIP ALG rewrites the SIP header and/or the SDP body.
Step ①: if the SIP message is the first message of a call, that is, the first INVITE, the SIP ALG creates a new entry in the state table, records the Call-ID and the caller and callee IP addresses, and sets the call state to Calling. If header fields such as Via carry an IP address, the SIP ALG creates an address mapping and records it in the call entry; it then rewrites the IP addresses embedded in the SIP header according to this mapping.
If the message carries no SDP body, the SIP ALG passes it down to the firewall after rewriting the addresses embedded in the header according to this mapping.
If the message carries an SDP body, go to step ⑤.
Step ②: if the SIP message is the ACK acknowledging a 200 OK, the SIP ALG sets the call state to Completed.
If the message carries an SDP body, go to step ⑤.
If it does not, the SIP ALG sends a control command to the NAT built from the ports and addresses recorded in the state table, requesting the firewall to create a PNAT (port network address translation) rule so that the voice stream can pass. This is the open-pinhole command. The SIP ALG then rewrites the SIP message according to the address mapping, buffers it, and waits for the result the firewall returns after executing the command.
Step ③: if the SIP message is the response confirming a BYE (the 200 OK to the BYE), the SIP ALG sets the call state to Terminated and sends a control command telling the firewall to delete the PNAT rule it created, so that the voice stream can no longer pass. This is the close-pinhole command.
After rewriting the message according to the address mapping, the SIP ALG buffers it and waits for the result the firewall returns after executing the command.
Step ④: for any other SIP signalling message, the SIP ALG looks up the related entry in the state table, updates the call state, rewrites the specific header fields according to the established address mapping together with the IP address and port numbers embedded in the SDP, and sends the SIP message to the firewall.
Step ⑤: if the SIP signalling message carries an SDP body, the SIP ALG parses it, in particular the "c" and "m" lines, extracts the address/UDP port numbers that the caller or callee uses to receive and send the RTP/RTCP voice stream, and records them in the call entry. For full-duplex voice each side uses two pairs of UDP ports, one pair for sending and one for receiving voice packets, and the two ports of each pair must be consecutive.
At the same time, the SIP ALG decides from the network configuration whether the address embedded in the SDP belongs to a UA inside the firewall, and checks whether the entry already records two pairs of consecutive UDP ports requested for that UA. These ports are allocated internally by the firewall system.
If not, it sends a control command instructing the firewall to allocate two consecutive UDP port numbers. This is the allocate-ports command. The SIP ALG then rewrites the SIP header, buffers the message, and waits for the result the firewall returns after executing the command.
If the ports have already been requested, the SIP ALG rewrites the SIP header and the SDP body and passes the message down to the firewall, which sends it out.
Step (3): the firewall processes the SIP message passed down by the SIP ALG, or executes the command issued by the SIP ALG and returns the result to the SIP ALG. According to the case, the firewall proceeds to step ①, ②, ③ or ④.
Step ①: the firewall receives the SIP message passed down by the SIP ALG, rewrites the IP address of the packet header, and sends the packet out through the network interface.
Step ②: on receiving an open-pinhole command from the SIP ALG, the firewall creates a PNAT (port network address translation) rule from the information the SIP ALG supplied, allowing the RTP/RTCP voice stream of this call to pass through the firewall; that is, it dynamically "punches a hole" in the firewall. It then sends a message to the SIP ALG reporting whether the pinhole was opened successfully.
Step ③: on receiving a close-pinhole command from the SIP ALG, the firewall deletes the PNAT rule corresponding to this call and blocks the subsequent voice stream; that is, it closes the hole in the firewall. It then sends a message to the SIP ALG reporting whether the hole was closed successfully.
Step ④: the firewall executes the allocate-ports command from the SIP ALG by searching for idle UDP ports; if two pairs of consecutive idle ports are available, it returns the four port numbers to the SIP ALG in a message.
Step (4): according to the result of the command executed by the firewall, the SIP ALG creates or updates the call entry and sends the SIP message to the firewall, or cleans up the call table. According to the call state and the result returned by the firewall, the SIP ALG proceeds to step ①, ② or ③.
Step ①: if the SIP ALG receives a message reporting that the pinhole was opened, it passes the buffered SIP message to the firewall, which sends it after processing the IP header. Otherwise the SIP ALG drops the SIP message.
Step ②: if the SIP ALG receives a message reporting that the hole was closed, it deletes the call record from the state table. Otherwise it sends the close-pinhole command to the firewall again until the close succeeds.
At this point the firewall has closed the media channel completely and blocks the RTP/RTCP voice stream.
Step ③: if the SIP ALG receives a message reporting that port allocation succeeded, it first records the allocated UDP ports in the corresponding call entry and then sends the open-pinhole command to the firewall. If port allocation failed, the SIP ALG drops the buffered SIP message and deletes the call record.
The core of a firewall built with this method is a SIP ALG entity at the application layer and a firewall entity at the IP network layer. The SIP ALG entity parses and processes SIP signalling, tracks call state, and according to the results controls the firewall's creation and deletion of processing rules. The firewall entity creates and deletes mapping-table entries according to those rules, filters packets, and performs NAT on packets according to the mapping table. Under the SIP ALG's control the firewall dynamically opens or closes pinholes for the RTP/RTCP voice stream.
A firewall built with this method follows the layering of the TCP/IP protocol suite: the SIP ALG works at the application layer and the firewall at the network layer, so the layering is clear and implementation is easy. In the same way the firewall can easily be made to support traversal by other application-layer protocols such as H.323, so extension at the application layer is not constrained by the firewall.
Brief description of the drawings
Fig. 1: example SIP call
Fig. 2: logical structure of the firewall of the invention
Fig. 3: working principle of SIP firewall traversal
Detailed description
As shown in Fig. 1, SIP works as follows:
Caller A sends an INVITE to UDP port 5060 of callee B. The message carries an SDP body describing the codecs A supports and the UDP ports on which A receives and sends voice data.
On receiving the INVITE, callee B alerts the called user (for example by ringing) that a call is coming in and at the same time returns a response with code 180 (ringing) to UDP port 5060 of caller A.
On receiving the 180 response, A plays ring-back tone to the calling user to indicate that the callee is being alerted.
When the called user accepts the call and goes off-hook, B sends A a "200 OK" message carrying SDP that describes the codecs phone B supports and the UDP ports on which it receives and sends voice packets.
On receiving the 200 OK, A sends an ACK to B to confirm that the conversation can begin, and the two users then talk through the two phones.
At the end of the conversation the called user hangs up and B sends a BYE to A. On receiving it, A sends a 200 OK response to B, which tears down the call between A and B.
As shown in Fig. 2, the core of the firewall of the invention comprises two logical functional entities and one communication protocol:
the NAT/firewall;
the SIP ALG;
a proprietary protocol for communication between the SIP ALG and the NAT/firewall.
(1) Firewall entity
The NAT/firewall works at the network and transport layers and is essentially no different from an ordinary firewall: it can recognise and modify the IP, ICMP, UDP and TCP headers but cannot recognise or modify application-layer data. It maintains a set of user-configured address-translation and packet-filtering rules. For the firewall to support VoIP, the user configures the available UDP and TCP port numbers and, if required, the port on which SIP listens. At run time the NAT/firewall builds an active translation table from the rule set and the traffic it observes, recording the address translations in progress.
The port used by SIP signalling defaults to UDP 5060, but it may be another UDP port or a TCP port. The firewall's address-translation rules should be configured for the port SIP actually uses, so that the NAT/firewall recognises SIP signalling messages, lets them through the firewall, and passes them to the SIP ALG.
(2) SIP ALG entity
The SIP ALG works at the application layer and has two main functions. 1) Processing SIP signalling messages: it receives SIP messages from the NAT/firewall, analyses the call state according to SIP and SDP, tracks that state in the call state table, rewrites the addresses and port numbers embedded in the SIP header and body according to the call state table, and sends the message back to the firewall, which transmits the modified message. 2) Tracking the call state and controlling the firewall to open or close the media channel.
(3) Communication protocol
The protocol between the SIP ALG and the NAT/firewall is a master/slave protocol. At run time the SIP ALG processes SIP messages, tracks call state, and sends instructions to the NAT/firewall. While the caller and callee are setting up the call, the SIP ALG instructs the NAT/firewall to provide available UDP ports; on receiving this instruction the NAT/firewall searches for available UDP ports, returns them to the SIP ALG, and updates its list of available UDP ports.
When the call is established, the SIP ALG instructs the NAT/firewall to create an address-translation rule dynamically, and the NAT/firewall creates the port-translation rule accordingly. When a voice packet enters the firewall, the firewall translates the source or destination IP address of the packet header according to the active translation table and then forwards it.
When the call terminates, the SIP ALG instructs the NAT/firewall to delete the address-translation rules associated with the call.
(4) Main steps of SIP firewall traversal
Taking a call from a phone inside the firewall to an outside phone in the network of Fig. 3 as an example, the SIP traversal process is described below.
In the figure, IP phone A has the network address 192.168.122.3; the firewall's inside interface address is 192.168.122.254 and its outside interface address is 2.2.2.2; the outside phone B has the address 202.101.1.1. The firewall system is configured as required.
Step 1: A sends an INVITE SIP message, containing SDP, to initiate a call to B. When the IP packet carrying this SIP message enters the firewall through the inside interface, the firewall parses the packet and determines that it carries SIP signalling. It therefore sends the packet to the SIP ALG, together with information such as which interface the signalling arrived on; here, the message comes from the firewall's inside interface.
The SIP ALG parses the SIP message, recognises from the header that it is an INVITE, and collects the call-connection state from header fields such as To, From and Call-ID. It creates an entry in the call state table and fills the state information into it.
If the SIP ALG determines that the message contains SDP, it also analyses the "c" and "m" fields of the SDP, extracts the address/UDP port number on which A receives the RTP/RTCP voice stream, and requests two consecutive UDP ports from the firewall. If the request succeeds, the SIP ALG fills the address and the four port numbers into the entry; otherwise it drops the SIP message.
From the configuration, the SIP ALG fills the outside interface address 2.2.2.2 into the entry, replaces the address 192.168.122.3 in the SIP message with 2.2.2.2, and replaces the port numbers in the SDP with the UDP ports obtained from the firewall. It then sets the call state and sends the message to the NAT.
The NAT rewrites the source address of the IP header to 2.2.2.2, creates a translation-table entry recording the address pair, and sends the packet out through interface 2.2.2.2.
Step 2: when the proxy receives the INVITE it sends a "100 Trying" response to A. The message enters the firewall through the outside interface. The NAT checks the UDP port number in the IP packet, recognises a SIP message, and passes it to the SIP ALG.
The SIP ALG parses the response, takes the relevant content from the To, From and Call-ID header fields, and looks up the call state table for a matching call. If one exists, it rewrites the address embedded in the header from 2.2.2.2 to 192.168.122.3 and sends the message to the NAT; otherwise it drops the message.
Using the translation entry already created, the NAT rewrites the destination address of the IP header and sends the packet to A through the inside interface.
Step 3: after receiving the INVITE, B sends a "180 Ringing" message to A. The message enters the firewall through the outside interface. The NAT checks the UDP port number in the IP packet, recognises a SIP message, and passes it to the SIP ALG.
The SIP ALG parses the response, takes the relevant content from the To, From and Call-ID header fields, and looks up the call state table for a matching call. If one exists, it rewrites the address embedded in the header from 2.2.2.2 to 192.168.122.3 and sends the message to the NAT; if not, it drops the message.
Using the translation entry already created, the NAT rewrites the destination address of the IP header and sends the packet to A through the inside interface.
Step 4: B sends a "200 OK" response to A. This message contains SDP.
The message enters the firewall through the outside interface. The NAT checks the UDP port number in the packet, recognises a SIP message, and passes it to the SIP ALG.
The SIP ALG parses the response, takes the relevant content from the To, From and Call-ID header fields, and looks up the call state table for a matching call. If one exists, it rewrites the address embedded in the header from 2.2.2.2 to 192.168.122.3 and sends the message to the NAT; if not, it drops the message.
Having determined that the message contains SDP, the SIP ALG parses it, extracts the address/UDP port number on which B receives the RTP/RTCP voice stream, and fills the address and port into the entry.
Step 5: after receiving B's "200 OK", A sends an "ACK" message to B. The message enters the firewall through the inside interface.
The NAT checks the UDP port number in the IP packet, recognises a SIP message, and passes it to the SIP ALG.
The SIP ALG parses the message, takes the relevant content from the To, From and Call-ID header fields, and looks up the call state table for a matching call. If one exists, it sets the call to the Completed state and sends an instruction to the NAT directing it to create the PNAT mapping.
Using the translation entry already created, the NAT rewrites the address of the IP header and sends the message out through the outside interface.
At this point a media session exists between A and B, and the voice stream can pass through the firewall.
Step 6: when the firewall receives the BYE message sent by B and then the "200 OK" response sent by A, the SIP ALG determines that the conversation between A and B is over; it first instructs the NAT to delete the related PNAT mapping and then deletes the corresponding entry from the call state table.
The invention solves the problem of SIP-based VoIP traversing a firewall. In this method the signalling is handled by the SIP ALG at the application layer and the voice packets by the firewall at the network layer; compared with implementations that handle signalling and voice packets in the same layer, the method is more efficient and easier to implement and extend.

Claims (5)

1. A firewall implementation method supporting Session Initiation Protocol traversal, characterised in that:
Step (1): the firewall parses the IP packets entering the system
After an IP packet enters the system through a network interface, the firewall examines the source address, destination address and UDP or TCP port numbers of the IP header against the configured address-translation and filtering rules and decides whether the payload is a SIP signalling message or a voice packet;
Step (2): the SIP ALG processes the SIP message
After the SIP ALG receives a SIP signalling message passed up by the firewall, it determines which call the message belongs to by examining the request or response line and the Call-ID field in the SIP header; the SIP ALG uses a call-connection state table to track the state of every call, each entry of which describes the state of one call and records the caller and callee IP addresses, the Call-ID, the caller's and callee's RTP/RTCP port numbers, and the RTP/RTCP port numbers the firewall has allocated to the inside UA; and from this information the SIP ALG rewrites the SIP header and/or the SDP body;
Step (3): the firewall processes the SIP message passed down by the SIP ALG, or executes the command issued by the SIP ALG and returns the result to the SIP ALG;
Step (4): according to the result of the command executed by the firewall, the SIP ALG creates or updates the call connection table and sends the SIP message to the firewall, or cleans up the call connection table.
2. The firewall implementation method supporting Session Initiation Protocol traversal according to claim 1, characterised in that step (1) is implemented as follows:
Step ①: if the payload is SIP signalling, the firewall first sends the SIP message to the SIP ALG for processing;
Step ②: if the payload is data of another type, the firewall either drops the packet or rewrites the source or destination address of the IP header and sends the packet out through the transmit interface.
3. The firewall implementation method supporting Session Initiation Protocol traversal according to claim 1, characterised in that step (2) is implemented as follows:
Step ①: if the SIP message is the first message of a call, that is, the first INVITE, the SIP ALG creates a new entry in the state table, records the Call-ID and the caller and callee IP addresses, and sets the call state to Calling; if header fields such as Via carry an IP address, the SIP ALG creates an address mapping, records it in the call connection table, and then rewrites the IP addresses embedded in the SIP header according to this mapping; if the message carries no SDP body, the SIP ALG passes it down to the firewall after rewriting the addresses embedded in the header according to this mapping; if the message carries an SDP body, go to step ⑤;
Step ②: if the SIP message is the acknowledgement (ACK) of a 200 OK, the SIP ALG sets the call state to Completed; if the message carries an SDP body, go to step ⑤; if it does not, the SIP ALG sends a control command to the NAT built from the ports and addresses recorded in the state table, requesting the firewall to create a PNAT rule so that the voice stream can pass, this being the open-pinhole command; the SIP ALG then rewrites the SIP message according to the address mapping, buffers it, and waits for the result the firewall returns after executing the command;
Step ③: if the SIP message is the response confirming a BYE, the SIP ALG sets the call state to Terminated and sends a control command telling the firewall to delete the PNAT rule it created, so that the voice stream can no longer pass, this being the close-pinhole command; after rewriting the message according to the address mapping, the SIP ALG buffers it and waits for the result the firewall returns after executing the command;
Step ④: for any other SIP signalling message, the SIP ALG looks up the related entry in the state table, updates the call state, rewrites the specific header fields according to the established address mapping together with the IP address and port numbers embedded in the SDP, and sends the SIP message to the firewall;
Step ⑤: if the SIP signalling message carries an SDP body, the SIP ALG parses it, in particular the "c" and "m" lines, extracts the address/UDP port numbers that the caller or callee uses to receive and send the RTP/RTCP voice stream, and records them in the call connection table; for full-duplex voice each side uses two pairs of UDP ports, one pair for sending and one for receiving voice packets, and the two ports of each pair must be consecutive; at the same time, the SIP ALG decides from the network configuration whether the address embedded in the SDP belongs to a UA inside the firewall, and checks whether the table already records two pairs of consecutive UDP ports requested for that UA, these ports being allocated internally by the firewall system;
If no, then need to send control command to fire compartment wall again, the purpose of this instruction is that the indication fire compartment wall distributes two continuous udp ports number, this instruction is the assignment of port numbers instruction, after SIP ALG revises the sip message head,, wait for the result who returns after the fire compartment wall execution command with message buffering; If applied for port numbers, after SIP ALG revises sip message head, SDP message, message sent out pass to fire compartment wall, send out processing by fire compartment wall again.
4, the support session initiation protocol according to claim 1 fire compartment wall implementation method of passing through is characterized in that described step (3) is implemented as follows:
Step is 1.: fire compartment wall receives the sip message that SIP ALG transmits downwards, and its will divide into groups to send from network interface after revising the IP address of packet header;
Step is 2.: fire compartment wall receives the instruction that punches that SIP ALG sends and shows, the information creating PNAT rule that it provides according to SIP ALG, allow the RTP/RTCP voice flow of this call setup to pierce fire compartment wall more by this, promptly on fire compartment wall, dynamically " punch ", afterwards, send a piece of news to SIP ALG, this message is used for whether successful result returns to SIP ALG with punching;
Step is 3.: after fire compartment wall receives hole, the pass instruction that SIP ALG sends, deletion is called out corresponding PNAT rule with this, stop voice flow subsequently to pass through fire compartment wall, promptly close the hole on the fire compartment wall, afterwards, send a piece of news to SIP ALG, this message is used for Jiang Guandong, and whether successful result returns to SIP ALG;
Step is 4.: fire compartment wall is carried out the assignment of port numbers instruction that SIP ALG sends, and searches idle udp port number, if two pairs of two continuous idle ports number are arranged, then by a piece of news 4 port numbers is passed to SIP ALG.
5, the support session initiation protocol according to claim 1 fire compartment wall implementation method of passing through is characterized in that described step (4) is implemented as follows:
Step is 1.: if SIP ALG receives the message of the success that punches, the sip message of buffer memory is passed to fire compartment wall, fire compartment wall sends after the IP head of this message is handled, otherwise SIP ALG abandons this sip message;
Step is 2.: SIP ALG receives the message that fire compartment wall closes the hole success, calling linkage record in the deletion state table, otherwise, SIP ALG will send to fire compartment wall once more and close the hole instruction, until closing the hole success, so far, fire compartment wall is closed media channel fully, will block the RTP/RTCP voice flow and pass through fire compartment wall;
Step is 3.: SIP ALG receives the message of assignment of port numbers success, at first the udp port that application is obtained number records in the list item of calling out connection table correspondence, send the instruction that punches to fire compartment wall again, if receive the assignment of port numbers failure, SIP ALG will abandon the sip message of buffer memory, the deletion linkage record.
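As an added illustration, not code from the patent, the Python sketch below models the Call-ID keyed call connection state table, the rewriting of the SDP "c"/"m" lines and the Via header for an inner UA, and the open-hole/close-hole commands of claims 3 to 5 against a stub firewall. The sample INVITE, the 192.168. internal prefix, the 198.51.100.1 outside address and the port range are constructed assumptions.

```python
import re
# Constructed sample INVITE from an internal UA (not taken from the patent).
INVITE = ("INVITE sip:bob@203.0.113.9 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
          "Call-ID: abc123@192.168.1.20\r\n\r\n"
          "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 40000 RTP/AVP 0\r\n")
INTERNAL = "192.168."          # assumption: prefix of UAs inside the firewall
PUBLIC_IP = "198.51.100.1"     # assumption: firewall's outside address
class Firewall:
    """Stub of the firewall side: port allocation and PNAT 'hole' rules."""
    def __init__(self):
        self.rules, self.next_port = {}, 50000   # assumed allocation range
    def allocate_ports(self):            # a consecutive (RTP, RTCP) pair
        p, self.next_port = self.next_port, self.next_port + 2
        return p
    def open_hole(self, inner_ip, inner_port, fw_port):
        self.rules[fw_port] = (inner_ip, inner_port)   # PNAT rule created
        return True
    def close_hole(self, fw_port):
        return self.rules.pop(fw_port, None) is not None
class SipAlg:
    """Call-ID keyed state table driving the firewall, as in claims 3 to 5."""
    def __init__(self, fw):
        self.fw, self.table = fw, {}
    def handle_invite(self, msg):        # step 1 of claim 3, then step 5
        head, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M).group(1)
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
        port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
        e = {"state": "Calling", "inner_ip": ip, "inner_port": port, "fw_port": None}
        self.table[call_id] = e
        if ip.startswith(INTERNAL):      # media address belongs to an inner UA
            e["fw_port"] = self.fw.allocate_ports()
            # rewrite the Via header only, leaving the Call-ID untouched
            head = re.sub(r"^(Via:.*)" + re.escape(ip), rf"\g<1>{PUBLIC_IP}", head, flags=re.M)
            body = body.replace(f"c=IN IP4 {ip}", f"c=IN IP4 {PUBLIC_IP}")
            body = body.replace(f"m=audio {port}", f"m=audio {e['fw_port']}")
        return call_id, head + "\r\n\r\n" + body
    def handle_ack(self, call_id):       # acknowledgement of OK: open the hole
        e = self.table[call_id]
        e["state"] = "Completed"
        return self.fw.open_hole(e["inner_ip"], e["inner_port"], e["fw_port"])
    def handle_bye_ack(self, call_id):   # acknowledgement of BYE: close the hole
        e = self.table[call_id]
        e["state"] = "Terminated"
        if self.fw.close_hole(e["fw_port"]):
            del self.table[call_id]      # record removed only on success
            return True
        return False                     # caller retries close_hole (claim 5, step 2)
```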
CN 200410067564 2004-10-28 2004-10-28 SIP crossing supported firewall implementing method Pending CN1604589A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410067564 CN1604589A (en) 2004-10-28 2004-10-28 SIP crossing supported firewall implementing method

Publications (1)

Publication Number Publication Date
CN1604589A true CN1604589A (en) 2005-04-06

Family

ID=34666648

Country Status (1)

Country Link
CN (1) CN1604589A (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006122446A1 (en) * 2005-05-19 2006-11-23 Utstarcom Telecom Co., Ltd. A method of processing multiple ringback tone in voice service application based on sip fork
CN101180866B (en) * 2005-05-19 2010-11-10 Ut斯达康通讯有限公司 Method of processing multiple ringback tone in voice service application based on SIP FORK
US7904954B2 (en) 2005-11-30 2011-03-08 Huawei Technologies Co., Ltd. Method, device and security control system for controlling communication border security
CN104717315A (en) * 2005-12-19 2015-06-17 艾利森电话股份有限公司 Method for establishing a unicast media session
CN104717315B (en) * 2005-12-19 2018-06-19 艾利森电话股份有限公司 For establishing the method for unicast media session
CN1913533B (en) * 2006-09-05 2011-01-12 北京天地互连信息技术有限公司 Remote video monitoring system based on session initialize protocol and its implementing method
CN105306453B (en) * 2007-01-16 2020-04-14 艾利森电话股份有限公司 Evaluating initial filter criteria
CN105306453A (en) * 2007-01-16 2016-02-03 艾利森电话股份有限公司 Evaluation of initial filtering standard
WO2008154850A1 (en) * 2007-06-15 2008-12-24 Huawei Technologies Co., Ltd. Method, entity and system of realizing network address transfer
CN101621342B (en) * 2008-06-30 2011-05-11 中兴通讯股份有限公司 Method for realizing network TV program carousel based on real-time transport protocol
CN101631174B (en) * 2009-08-14 2012-01-11 苏州普适通科技有限公司 Network telephone real-time identification and filtering method based on session initiation protocol
CN101827029B (en) * 2010-04-21 2013-01-02 烽火通信科技股份有限公司 Method for dynamically marking RTP flow by Linux network equipment
CN101827029A (en) * 2010-04-21 2010-09-08 烽火通信科技股份有限公司 Method for dynamically marking RTP flow by Linux network equipment
CN102377834A (en) * 2010-08-20 2012-03-14 鸿富锦精密工业(深圳)有限公司 Network address translation equipment and communication method
CN102377834B (en) * 2010-08-20 2014-02-19 鸿富锦精密工业(深圳)有限公司 Network address translation equipment and communication method
CN103404106A (en) * 2011-03-04 2013-11-20 三星Sds株式会社 SIP message transmission and receiving system and method
CN103404106B (en) * 2011-03-04 2016-11-09 三星Sds株式会社 Sip message receive-transmit system and method
US9736316B2 (en) 2014-04-17 2017-08-15 Institute For Information Industry Network address translation traversal system and method for real-time communications
CN109510838A (en) * 2018-12-20 2019-03-22 北京明朝万达科技股份有限公司 Port starts method and apparatus
CN109510838B (en) * 2018-12-20 2020-08-28 北京明朝万达科技股份有限公司 Port starting method and device
CN112217766A (en) * 2019-07-10 2021-01-12 诺基亚通信公司 Method and device for forwarding RTP data packet
CN112217766B (en) * 2019-07-10 2023-03-17 诺基亚通信公司 Method and device for forwarding RTP data packet
CN111541691A (en) * 2020-04-22 2020-08-14 北京盛德远景科技有限公司 SIP call boundary control system based on SIP call
CN111541691B (en) * 2020-04-22 2022-04-01 北京盛德远景科技有限公司 SIP call boundary control system based on SIP call

Similar Documents

Publication Publication Date Title
CN1604589A (en) SIP crossing supported firewall implementing method
US20060007864A1 (en) Method and system of teleservice interworking of broadband heterogeneous networks
CN1716941A (en) Method and call server for establishing a bi-directional peer-to-peer communication link
KR100527343B1 (en) Media-gateway controller for setting a call and method therefor
AU2005201075A1 (en) Apparatus and method for voice processing of voice over internet protocol (VOIP)
CN1659921A (en) Control of the transport of a signalling packet by specifics directives from an application in order to optimise the transport to a wireless network
CN1516409A (en) Method for making medium stream pass through network address converter
CN1925525A (en) Method for realizing bridged collection of IP multimedia subsystem
CN101064712A (en) System and method for realizing Linux inner core based dual-channel through multistage NAT and fireproof wall
CN1897622A (en) Method for inspecting and releasing abnormal realtime transmission protocol source of medium gateway
CN1553676A (en) Method for holding common audio-video meeting via various protocol terminals
CN101018229A (en) A method and firewall for the media service to penetrate the firewall
CN1897720A (en) Method for controlling wireless one-key mode speak-right in packet system
CN1581872A (en) Method for realizing signaling agency based on MEGACO protocol
CN1902889A (en) Call set-up systems
CN1317873C (en) Signal agent realizing method based on medium gateway control protocol
US8005099B2 (en) Selecting transport addresses to route streams between endpoints
CN1863138A (en) Method for implementing multimedia service NAT transition
CN101036342B (en) Selecting a routing mode for a call session
CN1849808A (en) Interworking of hybrid protocol multimedia networks
CN1764172A (en) Multimedia communication proxy system and method capable of crossing network address conversion and firewall
CN1551569A (en) Transmission method of multimedia data over a network
CN1901539A (en) Method for multimedia service tunnel pass through NAT
CN1838790A (en) PTT service realizing system and method based on VoIP technique
CN1870609A (en) Comprehensive media gateway equipment and method of data exchange

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication